HIPAA was created to reform the health insurance industry; but, because the reforms would incur costs and potentially reduce tax revenues, Congress introduced measures to neutralize the costs by reducing health insurance fraud and simplifying the administration of healthcare transactions.
The measures introduced to simplify the administration of healthcare claims led to the development of the Privacy and Security Rules. These Rules were followed by the Enforcement and Breach Notification Rules, and all four Rules were updated in the HIPAA Omnibus Final Rule – which also integrated provisions passed in the HITECT Act.
Some sources skip the real reason why was HIPAA created and claim it was to protect the privacy and security of individually identifiable health information. However, the privacy and security provisions many people now associate with HIPAA are a byproduct of the Act rather than the reason why was HIPAA created. This article explains more.
Why Was HIPAA Created? The Background
In 1992, Bill Clinton became the 42nd President of the United States following a strong election campaign that promised a reform of the health care system. The following year, the Clinton-backed Health Security Act (S.1757) was introduced into Congress – an ambitious bill that promised the universal entitlement to health benefits and the protection of consumer choice.
The bill was ultimately shelved due to opposition to the mandatory provision of health insurance to all employees. In addition, an advertising campaign funded by the anti-reform Health Insurance Association of America turned many people who had been in favor of the President’s proposals against it – despite the campaign misrepresenting the facts.
Instead of uniting behind the original proposal, some Democrats offered competing proposals of their own. Most of these proposals were versions of the Health Security Act that attempted to address elements of health care reform, rather than the whole package. One of these versions evolved into the Health Insurance Portability and Accountability Act.
Why Was HIPAA Created? The Legislation
The Health Insurance Portability and Accountability Act (HIPAA) was originally introduced into Congress as the Health Insurance Reform Act (S.1028). The Health Insurance Reform Act acknowledged that millions of Americans were at risk of becoming uninsured because of the way the health insurance industry operated; and, in its original form, the Act had seven objectives:
- To limit health insurance exclusions for preexisting conditions.
- To guarantee the renewability of health coverage as long as premiums continue to be paid.
- To prevent the temporary loss of health coverage when employees change jobs.
- To allow individuals leaving employer coverage to maintain coverage as an individual.
- To guarantee the availability of health coverage to employers with two or more employees.
- To support employer group purchasing by preempting state laws that banned the practice.
- To allow disabled employees to extend their coverage until they become eligible for Medicare.
The proposed legislation would apply to all employment-based health plans, to all group health plans sponsored by employers and unions, and to all self-insured plans. Furthermore, while preempting some state laws, the Health Insurance Reform Act allowed states to enact legislation that provided additional protections beyond those included in the Act.
Health Insurance Reform Act becomes HIPAA
At the time, the Health Insurance Reform Act was just one of a number of bills under consideration that tackled the threat of uninsured workforces. Although it was the most comprehensive, it failed to account for potential increases in insurance premiums and potential decreases in federal tax revenues due to increased insurance premiums being tax deductible.
Consequently, Congress adopted the reform measures, but transferred them to a companion bill – the Health Coverage Availability and Affordability Act (HR.3103). This bill included provisions to neutralize the cost of health insurance reform by addressing health insurance fraud and abuse, and simplifying the administration of healthcare transactions.
A new name was assigned to the bill – the Health Insurance Portability and Accountability Act – and, following several amendments, HIPAA was signed into law by President Bill Clinton on August 21, 1996. However, this explanation of why was HIPAA created still has some way to go until we arrive at the privacy and security of individually identifiable health information.
The Administrative Simplification Provisions
The Administrative Simplification provisions in Title II of HIPAA instruct the Secretary for Health and Human Service (HHS) to standardize the codes used in electronic healthcare transactions in order to make the processing of transactions such as eligibility checks, treatment authorizations, claims, and payments more efficient (thus saving costs for health insurance carriers).
Because a more efficient transaction system was likely to increase the volume of health information being communicated electronically, the Secretary was also instructed to adopt standards for the security of health information used in the transactions, and develop privacy standards to govern uses and disclosures of health information and the rights of individuals.
However, because there were still a number of bills being considered by Congress that were versions of the Health Security Act, and because many of these bills included privacy standards, the Secretary was instructed to make recommendations for the standards, but only to publish the standards if Congress did not pass federal privacy legislation within three years.
The HIPAA Rules Start to Emerge
Because the task of standardizing existing transaction codes was the simplest of the Administrative Simplification requirements, the Standards for Part 162 Transactions was the first HIPAA Rule to be finalized in August 2000. This was followed by the General Provisions and v1 of the Privacy Rule in December 2000 (the Privacy Rule was subsequently amended and republished in August 2002).
A proposed version of the Security Rule had been published in August 1998; but, because of the complexity of the proposals, it was scaled back and the Final Rule published in February 2003. The original Enforcement Rule was finalized in February 2006, with changes to the Enforcement Rule and an interim Breach Notification Rule published in August 2009 following the passage of HITECH.
The last major changes to HIPAA occurred in 2013, when the Omnibus Final Rule amended existing HIPAA Rules to account for increased patients’ rights, changes to permissible uses and disclosures, and business associate liability. Changes to the Enforcement Rule and the procedures for breach notifications were also included in the Omnibus Final Rule.
Why was HIPAA Created? Conclusion
The answer to why was HIPAA created is more than “to protect the privacy of individually identifiable health information”. HIPAA originated from an ambitious attempt several years earlier to reform the health care industry, and the standards to protect the privacy of individually identifiable health information did not appear until several years after the passage of HIPAA.
Even if you take the question why was HIPAA created out of context, it is more accurate to answer the question by stating it was to reform the health insurance industry and that the privacy and security protections we now associate with HIPAA are a byproduct of the reforms. With regards to the individual stages in which “healthcare HIPAA” was created, these are the dates that matter:
On What Date Did HIPAA Become Effective?
HIPAA was signed into law on August 21, 1996, and many of the measures to reform the health insurance industry were effective immediately or within 90 days of the passage of the Act. With regards to the dates on which “healthcare HIPAA” became effective, the publication dates, effective dates, and compliance dates of each Final Rule were:
|Publication Date||Effective Date||Compliance Date|
|HIPAA Privacy Rule (v2)||August 14, 2002||October 15, 2002||April 14, 2003|
|HIPAA Security Rule||February 2, 2003||April 21, 2003||April 21, 2005|
|HIPAA Enforcement Rule||February 16, 2006||March 16, 2006||N/A|
|Breach Notification Rule||August 24, 2009||September 23, 2009||February 22, 2010|
|Omnibus Final Rule||January 25, 2013||March 26, 2013||September 23, 2013|
Origins of HIPAA: FAQ
What is health insurance portability?
Health insurance portability allows you to move your health insurance coverage from one provider to another without any loss of benefits, health checks, or waiting periods. The initial purpose of HIPAA was to increase the portability of health insurance to reduce perceived “job lock” scenarios in which employees would stay in less-than-optimal jobs due to the fear of losing health benefits.
What is the difference between HIPAA and HITECH?
The difference between HIPAA and HITECH for healthcare providers is that HIPAA was responsible for creating a federal floor of privacy protections for individually identifiable health information, whereas HITECH incentivized the meaningful use of healthcare technologies. Through the Omnibus Final Rule, HITECH also amended areas of HIPAA relating to:
- Patients’ rights,
- Breach notifications,
- Business associate liability,
- Permissible uses and disclosures,
- Penalties for violations of HIPAA.
How does HIPAA define PHI?
HIPAA defines PHI as individually identifiable health information maintained or transmitted by a covered entity or business associate that relates to an individual’s past, present, or future health condition, treatment for the condition, or payment for the treatment. It is important to be aware that any identifying information maintained in the same designated record set as PHI assumes the same protections as PHI even if it is not related to an individual’s health.
What are the main HIPAA Rules?
The main HIPAA Rules are the Privacy, Security, Enforcement, and Breach Notification Rules. The HIPAA Final Omnibus Rule is sometimes regarded as a main HIPAA Rule as it updated or finalized the preceding Rules. Additionally, covered entities and business associates – depending on their functions - have to comply with any HIPAA General Provisions that apply in Part 160, 162, and 164 of the HIPAA Administrative Regulations.