The original purpose of HIPAA was to reform the health insurance industry, but due to concerns that the cost of the reforms would increase insurance premiums and reduce tax revenues, measures were also introduced to reduce fraud and simplify the administration of healthcare transactions. In order to support the cost reduction measures, the Secretary of Health and Human Services (HHS) was instructed to adopt standards for the privacy and security of individually identifiable health information.
HIPAA was enacted in 1996. In its initial form, HIPAA helped employees who were between jobs continue to get health insurance coverage. The legislation introduced new requirements to tackle the problem of healthcare fraud, and introduced new standards to improve the administration of healthcare, improve efficiency, and reduce waste. Those measures include the use of standard code sets for diseases, medical procedures, and medications, which have helped improve the efficiency of sharing healthcare data between healthcare providers and insurance companies, and have streamlined eligibility verifications, billing, payments, and other healthcare procedures.
HIPAA prohibits the tax deduction of interest on life insurance loans, enforces group health insurance requirements, and standardizes how much may be saved in a pre-tax medical savings account. HIPAA also called for a national patient identifier to be introduced, although the national patient identifier has still not been implemented more than 2 decades after HIPAA became law.
HIPAA is a comprehensive piece of legislation, which has since incorporated the requirements of a number of other legislative acts such as the Public Health Service Act, Employee Retirement Income Security Act, and most recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA is now best known for safeguarding patient data, protecting the privacy of patients and health plan members, and giving individuals rights over their own healthcare data. These aspects of HIPAA were not present in the legislation in 1996, as they were added with the introduction of the HIPAA Privacy Rule of 2000 and the HIPAA Security Rule of 2003. The requirement to notify individuals of the exposure or an impermissible disclosure of their protected health information was introduced in 2009 when the Breach Notification Rule was added to HIPAA.
The objective of the HIPAA Privacy Rule was to place limitations on uses and disclosures of PHI, stipulating when, with whom, and under what conditions, medical information may be used or shared. Generally speaking, the Privacy Rule limits uses and disclosures to those required for treatment, payment, or healthcare operations, with other uses and disclosures only permitted if prior authorizations are obtained from patients.
Another purpose of the HIPAA Privacy Rule was to provide individuals with easy access to their health information for only a reasonable, cost-based fee. Individuals can request a copy of their own healthcare data to inspect or share with others. They can check their records for errors and request that any errors are corrected.
The objective of the HIPAA Security Rule is principally to make sure electronic protected health information (ePHI) is adequately secured, access to ePHI is controlled, and an auditable trail of PHI activity is maintained.
So, to sum up, what is the purpose of HIPAA? To improve efficiency in healthcare, reduce waste, combat fraud, ensure the portability of medical health insurance, protect patient privacy, ensure data security, and give patients low-cost access to their healthcare data.