HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What Are THE 3 Major Things Addressed in the HIPAA Law?

Articles discussing the 3 major things addressed in the HIPAA law often tend to focus on the Administrative, Physical, and Technical Safeguards of the Security Rule. However, although the Safeguards of the Security Rule are 3 things in the HIPAA law, they are not THE 3 major things addressed in the HIPAA law.

When Congress passed the Health Insurance Portability and Accountability Act in 1996, it addressed three major things – the reform of the health insurance industry, the prevention of abuse and fraud in the health care industry, and the failure of the Clinton administration to deliver on an election campaign pledge to pass legislation that would provide universal health care for all Americans.

Had HIPAA not addressed these issues, subsequent events in HIPAA history may never have happened. For example:

  • Had the health insurance industry been allowed to continue operating as it did prior to HIPAA, tens of millions of Americans would be excluded from health plan benefits.
  • Had the level of abuse and fraud in the healthcare industry been allowed to continue, tens of billions of dollars would have been lost to unscrupulous actors.
  • Had the momentum to improve health care not been given a kickstart by HIPAA, subsequent health care initiatives may never have happened.

Consequently, although the Health Insurance Portability and Accountability Act did ultimately improve the privacy and security of health care data, increase patients´ rights, and help the healthcare industry become more efficient by streamlining the flow of information, none of these 3 things would have happened without THE 3 major things addressed in the HIPAA law.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The Reform of the Health Insurance Industry

The Need to Reform

Prior to HIPAA, the health insurance industry can be best described as complex. As the industry had evolved, many jurisdictions had interpreted the provision of indirect access to healthcare service as the “unlicensed practice of medicine”. This led to multiple states enacting legislation so that businesses could offer health care benefits to employees as a tax-free perk of the job.

Different states enacted different legislation, and this affected how much was charged for health insurance, who was eligible for health insurance, and whether or not it was possible to carry health insurance across state lines. Health insurance companies didn´t help matters by introducing exclusions for pre-existing conditions and limitations on portability between employments.

The differences between state laws, and the business practices of health insurance companies, made it difficult for small businesses to negotiate affordable group health care plans, and meant that many people could either not get insurance, or – if they did – were locked into a job because health benefits might not be available to them if they left and went to work for a different employer.

The Kassebaum-Kennedy Act

The Health Insurance Reform Act was introduced into Congress in 1995 by Senators Kassebaum and Kennedy. Its objective was “To provide increased access to health care benefits, to provide increased portability of health care benefits, to provide increased security of health care benefits, to increase the purchasing power of individuals and small employers, and for other purposes.”

Nothing in the Act (S.1028) suggested improved privacy and security of health care data, increased patients´ rights, or streamlining the flow of information. It was only when the provisions of a companion bill (HR.3103) were integrated into it, that the Kassebaum-Kennedy Act bore any resemblance to the final version of the Health Insurance Portability and Accountability Act.

However, when HIPAA was passed, the standards governing health care data, patients´ rights, and the flow of information were still several years away. It was not until 2002 that the Privacy Rule was published, and 2003 that the Security Rule was published. Furthermore, it could also be argued that neither Rule was effectively enforced until the Omnibus Final Rule was published in 2013.

How HIPAA Addressed Health Insurance Reform

The first of 3 major things addressed in the HIPAA law occurred because HIPAA introduced a federal floor of standards that health insurance companies were required to comply with. The Act prohibited the exclusion of individuals with certain pre-existing conditions and prevented the automatic termination of coverage when employees changed jobs or had a break in employment.

The Act also overruled any state laws prohibiting businesses from grouping together to negotiate better insurance rates in order to increase the purchasing power of small employers. However, there were concerns about the financial consequences of complying with HIPAA due to the cost of health care for higher-risk individuals and the reduced premiums from small businesses.

To overcome concerns that the increased costs to health insurance companies would be passed onto business and individuals in the form of increased premiums, provisions were included in HIPAA to increase the efficiency of claims processing (i.e., the Transactions and Code Sets Rule) and address abuse and fraud in the health care industry to reduce costs to health insurance providers.

Abuse and Fraud in the Health Care Industry

$7 Billion Lost Each Year to Fraud

In March 1996, Rep. Ted Archer – the Congressman responsible for introducing HR.3103 – presented a Congressional Report to the House Ways and Means Committee. The report revealed the scale of abuse and fraud in the health care industry, claiming that “as much as 10% of all total health care costs are lost to fraudulent or abusive practices by unscrupulous health care providers”.

At the time, health care costs were approximately $70 billion per year, and the abuse and fraud were not only attributable to health care providers charging too much for services or for services they hadn´t provided. Some health care providers performed unnecessary surgeries or accepted kickbacks from pharmaceutical companies to purchase medications at a higher cost than necessary.

The report also raises concerns that the loss to abuse and fraud in the health care industry could be far greater that estimated. It was noted that only a fraction of cases was investigated due to a lack of resources, that there was no coordination between law enforcement agencies at state and federal levels, and that the penalties for health care abuse and fraud were inadequate deterrents.

How HIPAA Addressed Abuse and Fraud

The passage of HIPAA led to the development of a Health Care Fraud and Abuse Program jointly administered by the Department of Health and Human Services and the Department of Justice. The Program was given sufficient funding to identify, investigate, and prosecute entities who commit fraud or abuse the system, and was launched in January 1997 with the following objectives:

  1. Coordinate federal, state, and local law enforcement programs to control fraud and abuse with respect to health plans.
  2. Conduct investigations, audits, evaluations, and inspections relating to the delivery of and payment for health care.
  3. Facilitate the enforcement of the civil, criminal, and administrative statutes applicable to health care in the United States.
  4. Provide industry guidance, including advisory opinions, safe harbors, and special fraud alerts relating to fraudulent health care practices.
  5. Establish a national data bank to receive and report final adverse actions against health care providers.

Additionally, a program was set up to educate the public about abuse and fraud in the health care system in order to mitigate the risk of consumers being unwitting victims of overpayments, false charges, and unnecessary surgery; and – somewhat ahead of its time – protocols were established to protect personally identifiable information used in fraud investigations.

How Effectively was Abuse and Fraud Addressed?

Prior to HIPAA, the Department of Justice had the resources to investigate an average of 21 non qui tam (non-whistle blower) cases per year under the False Claims Act and recovered less than $60 million per year in fines and settlements. In 2021, 97 non qui tam cases were investigated and $3.59 billion recovered relating to Medicare fraud alone. The total recovered in 2021 exceeded $5 billion.

While these statistics indicate there is a still a high level of fraud and abuse, the Department of Justice believes increasing enforcement action acts as a deterrent to potentially unscrupulous actors who might attempt to cheat the system at the expenses of the taxpayer. The Department also believes its efforts protect patients from medically unnecessary and potentially harmful actions.

What is also noticeable in the latest report is the increasing number of qui tam cases investigated each year. Due to the whistle blower protections in HIPAA, the number of investigations into employee tip-offs has increased from an average of 44 per year in the ten years prior to HIPAA to a ten-year average of 456 up to and including 2021 – a ten-fold increase in whistle blower tip-offs.

The Momentum to Improve Health Care

The Pledge of Universal Health Care

To fully appreciate the third of our 3 major things addressed in the HIPAA law, you have to go back to the election of President Clinton in 1992. Two of President Clinton´s key campaign pledges were health care reform and universal health care for all Americans; and, as soon as he took office, President Clinton established a top-level task force to deliver on his pledge.

However, the proposed Health Security Act of 1993 was strongly lobbied against due to concerns about it being overly bureaucratic, restricting patients choices, and forcing employers to provide health insurance coverage for all employees and their families. The American Medical Association also opposed the Act due to concerns it put financial interests ahead of medical interests.

Ultimately, the Act – and a subsequent compromise Act – failed to get the support it needed to pass the Democrat-controlled Congress. The failure of the Clinton administration to deliver on its election pledge contributed to the Democrat Party losing control of Congress in the 1994 mid-terms and losing the momentum towards health care reform and universal health care for all Americans.

How HIPAA Kickstarted the Momentum

HIPAA was the next big test of the Clinton administration´s health care reform plans, but this too had its opponents. Concerns were raised that the Act contained “vague provisions for federal regulation of the health insurance market – a responsibility traditionally left to the states – and that it gives the Secretary of Health and Human Services disturbingly broad powers in this area”.

The Act was also criticized for failing to provide tax equity for individuals and families outside an employer setting and for not allowing the self-employed to claim 100% tax relief on insurance premiums. Nonetheless, the provisions of HIPAA had bi-partisan support and passed the House by a large majority before being unanimously approved in the Senate.

Reporting on the signing of HIPAA, Paul Starr – a Professor of Sociology and Public Affairs at Princeton University – commented that the sentiment among advocates of health reform was “better than nothing”, but that it could serve as a stimulus to get more done in this area. As it turned out, the passage of HIPAA kickstarted the momentum that led to subsequent health care initiatives.

Subsequent Health Care Initiatives

President Clinton´s re-election in 1996 gave him a mandate to pursue further health care initiatives. With the momentum back, the Clinton administration pushed through budget reforms that assured the future of the Medicare Trust Fund, enacted legislation to help young people leaving foster care keep their health benefits, and addressed the issue of tax equity for non-employer health plans.

During his second term of office, President Clinton was also the driving force behind a successful child immunization program, introduced measures to reduce the number of foodborne illnesses, and enacted the Breast and Cervical Cancer Prevention and Treatment Act – an Act that has potentially saved millions of lives through the provision of federally-sponsored screening programs.

However, the biggest health care initiative of the second Clinton presidency was the Children´s Health Insurance Program (CHIP) which provided health care benefits for children of working families who do not qualify for Medicaid. In many states, the Program also provides prenatal care for pregnant women to reduce complications during pregnancy and prevent problems during delivery.

These are THE 3 Major Things Addressed in the HIPAA Law

When sources suggest the 3 major things addressed in the HIPAA law were the Safeguards of the Security Rule, it is important to remember that the Safeguards occupied less than half a line of text in the HIPAA law (see §1173(d) – Security Standards for Health Information), were not published until seven years after the passage of HIPAA, and were not effective until two years later.

However, without the reform of the health insurance industry, the prevention of abuse and fraud in the healthcare industry, and the continued momentum to improve health care, the health insurance and health care industries would look a lot different than they do today – at the likely cost to the health of tens of millions taxpaying Americans and their families.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.