Who Created HIPAA?

Some areas of HIPAA were created by the Clinton administration’s Health Plan Task Force, others were created by House Representative Bill Archer, and the areas of HIPAA most people associate with the Act were created by the Department of Health and Human Services.

To best explain who created HIPAA, it is necessary to go back to four years before the passage of the Act. At the time, most people in America were covered by private health insurance, Medicare, or a combination of the two. Of those covered by private health insurance, around 60% were covered by an employer’s health plan, but there were issues with the way in which employer systems worked.

The issues included that, when an employee changed jobs, a “wait period” before their new employer’s health plan started meant there would be a gap in coverage, employees who developed a health condition in their previous jobs may not be covered by their new employer’s plan, and small employers found it expensive to provide employee health cover due to a lack of purchasing power.

According to a report submitted to the Senate Committee on Labor and Human Resources, it was estimated that 43 million Americans would be without coverage each year due to wait periods when they changed jobs, while a further 81 million Americans would find it difficult, expensive, or – in some cases – impossible to find health insurance due to preexisting health conditions.

The Clinton Administration Health Plan Task Force

When Bill Clinton won the presidential election in 1992, one of the reasons for his success was a campaign promise to reform the healthcare system. In January 1993, President Clinton set up a Health Plan Task Force to deliver on his promise; and, in September 1993, the Task Force presented an ambitious plan to not only reform the healthcare system, but also the health insurance industry.

The plan – which was introduced into Congress as the Health Security Act (S. 1757) – was widely opposed. Many believed the proposed healthcare alliances represented too much “big government”, employers’ groups opposed mandatory health insurance coverage for all employees, and the health insurance industry was unhappy about limits on insurance premium increases to control costs.


The Act never progressed beyond a second reading, but attempts were made to pass elements of it in separate bills. One of these attempts was made by Senators Ted Kennedy and Nancy Kassebaum – often credited as the two Senators who created HIPAA – who extracted the parts of the Health Security Act relating to reforming the health insurance industry, and re-introduced them as the Health Insurance Reform Act of 1995 (S. 1028).

Kennedy-Kassebaum and the Archer Connection

The Health Insurance Reform Act resolved the issues of employer-funded insurance coverage, but assumed insurance carriers would not increase premiums to cover the cost of compliance. This assumption was contrary to an opinion given by the Secretary for Health and Human Services in 1993 – Donna Shalala – that claimed 40% of Americans with insurance would be paying more for their health care premiums under the measures proposed in the Clinton Health Plan.

To address concerns that the cost of compliance would not be passed on to employers and employees, or result in a reduction in tax revenues due to health insurance premiums being tax deductible, the measures in the Kennedy-Kassebaum Act to reform the health insurance industry were integrated into a companion bill – the Health Coverage Availability and Affordability Act (HR. 3103) – which had been introduced into the House by Representative Bill Archer.

What Archer’s bill had that the Kennedy-Kassebaum bill lacked were measures to reduce health insurance fraud and proposals to simplify the administration of healthcare transactions – thus saving health insurance carriers money and neutralizing the cost of compliance. The two bills were merged and renamed as the Health Insurance Portability and Accountability Act, the proposals were passed by the Senate and the House, and HIPAA was signed into law by President Clinton in August 1996.

Who Created HIPAA Thereafter?

While the Clinton administration, Senators Kennedy and Kassebaum, and Representative Archer each had roles to play in the creation of HIPAA, the version of HIPAA that passed in 1996 only sowed the seeds for how most people think of HIPAA today. Indeed, the phrases “Protected Health Information”, “covered entities”, and “business associates” are not included in the text of HIPAA at all.

What HIPAA did in terms of how most people think of HIPAA was to instruct the Secretary for Health and Human Services to adopt standards for electronic healthcare transactions and security standards for electronically transmitted or maintained health information to make the exchange of health information more efficient while maintaining the confidentiality and integrity of the information.

The Secretary was also instructed to make recommendations for the privacy of health information. Although this instruction was unrelated to the adoption of transaction and security standards, the privacy of health information and patients’ rights to have more control over their health information had been key principles in the Clinton administration’s Health Security Act.

The recommendations for the privacy of health information were delivered by HHS Secretary Donna Shalala in September 1997. As Congress did not pass its own privacy legislation in a self-imposed three-year timeframe, the recommendations subsequently formed the basis of the Privacy Rule. A Notice of Proposed Rule Making for the Security Rule was published a year later, and the first transaction standards were announced in 2000.

Subsequent Changes to HIPAA

HIPAA – or more accurately, “healthcare HIPAA” – has experienced many changes since the first Rules were created by the Department for Health and Human Services. In addition to the transaction standards being frequently updated, the Privacy Rule was revised in 2002 to make it easier to understand, and updated in 2013 to incorporate changes required by the HITECH Act and the Genetic Information Nondiscrimination Act. Further updates followed in 2014 and 2016.

An Enforcement Rule was published in 2006 once it was acknowledged that voluntary HIPAA compliance was not working, and this was also updated in 2013 to incorporate changes required by the HITECH Act. A Breach Notification Rule was created in 2009; and, in the Omnibus Final Rule of 2013, business associates were made directly liable for HIPAA violations and data breaches. Further changes to HIPAA are currently being considered to accommodate CMS’ Interoperability Rule.

Who Created HIPAA? Conclusion

While several sources attribute the creation of HIPAA to Senators Ted Kennedy and Nancy Kassebaum or Congress as a whole, HIPAA was created over a number of years by a number of characters. It is important not to ignore the roles played by the Clinton Health Plan Task Force or Representative Bill Archer, nor disregard the input of Secretary Donna Shalala and those from the Department of Health and Human Services who contributed to the creation of HIPAA as we think of it today.