When Was HIPAA Enacted?

45 CFR § 164.530

HIPAA has been enacted in various stages since the passage of the Health Insurance Portability and Accountability Act, with some provisions of the Act being enacted immediately, while others took up to ten years to enact. Changes have since been made to HIPAA via the HITECH Act and Omnibus Final Rule, and further changes to HIPAA are currently under consideration.

When was HIPAA Enacted?

President Bill Clinton signed HIPAA into law on August 21, 1996. One of the primary goals of the legislation was to ensure portability health insurance coverage to allow employees to maintain health insurance coverage when they were between jobs. HIPAA additionally made healthcare organizations responsible for handling health data securely to ensure that health data is kept private and confidential.

HIPAA additionally helped to reduce wastage in the healthcare industry and helped to prevent fraud and abuse and streamlined the management of healthcare.

HIPAA became a law in 1996, but over the years, there have been significant revisions to HIPAA legislation, particularly the addition of the HIPAA Privacy Rule, the HIPAA Security Rule, the inclusion of HITECH Act requirements in the HIPAA Omnibus Rule.

These revisions put in numerous new terms into HIPAA legislation and helped to ensure the privacy of health data, ensured healthcare organizations implemented appropriate security measures, and ensured that in the event of a breach of protected health information, patients would be notified so they could take steps to reduce the potential for harm.

When was the HIPAA Privacy Rule Enacted?

The first proposal of HIPAA Privacy Rule was on November 3, 1999 and it was enacted on December 20, 2000, although changes were promptly made and there was a delay to the effective date. Compliance with the HIPAA Privacy Rule was not mandatory until April 14, 2003.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The HIPAA Privacy Rule specified the definition of protected health information (PHI) and dictated how HIPAA covered entities could use PHI, to whom PHI could be disclosed, and the circumstances where disclosures were permitted without first obtaining authorizations from patients.

The HIPAA Privacy Rule also calls for the implementation of safety measures to protect patient privacy. The Privacy Rule also gave patients the right to get copies of their PHI from HIPAA-covered entities.

When was the HIPAA Security Rule Enacted?

The HIPAA Security Rule was initially proposed on August 12, 1998, and enacted on February 20, 2003. Its effective date was April 21, 2006.

The HIPAA Security Rule sets national security standards for safeguarding electronic protected health information (ePHI). The HIPAA Security Rule demands the implementation of administrative, technical and physical safeguards to ensure the confidentiality, availability and integrity of ePHI. The HIPAA Security Rule likewise necessitates covered entities to perform a risk analysis to identify risks to the confidentiality, availability and integrity of ePHI and to control those risks and ensure they are kept to a low and acceptable level.

When was the HITECH Act Integrated into HIPAA?

The Health Information Technology for Economic and Clinical Health (HITECH) Act became law on February 17, 2009. Particular aspects of the HITECH Act were put into effect the same month, for instance, higher penalties for HIPAA violations. The majority of the HITECH Act provisions became effective and enforceable on February 27, 2010.

With the integration of the HITECH Act into HIPAA, the HIPAA Breach Notification Rule was created, which required covered entities to inform individuals whose PHI has been exposed or stolen. The HITECH Act additionally mandated business associates of HIPAA-covered entities abide by HIPAA Rules and made them responsible for their own HIPAA violations.

The final HIPAA Omnibus Rule of 2013, which was enacted on January 17, 2013, integrated several HITECH Act provisions into HIPAA. Entities were required to comply with Omnibus Rule changes by September 23, 2013.

Important Dates in HIPAA History

  • August 21, 1996 – Signing of the HIPAA into law
  • December 20, 2000 – Issuance of the HIPAA Final Privacy Rule
  • February 20, 2003 – Issuance of the HIPAA Final Security Rule
  • April 14, 2003 – Compliance deadline of the HIPAA Privacy Rule
  • April 21, 2006 – Compliance deadline of the HIPAA Security Rule
  • March 16, 2006 – Effective date of the HIPAA Enforcement Rule
  • February 17, 2009 – The HITECH Act became law
  • February 27, 2010 – Compliance deadline of the HITECH Act
  • January 17, 2013 – Issuance of the HIPAA Omnibus Final Rule
  • September 23, 2013 – Compliance date of the HIPAA Omnibus Rule
About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/