
What is the Definition of HIPAA?

The definition of HIPAA is that the Health Insurance Portability and Accountability Act of 1996 was passed by Congress to reform the health insurance industry and ensure workers could maintain health coverage when they changed or lost their jobs. “Healthcare HIPAA” resulted from efforts to mitigate the cost of the reforms and prevent a decline in tax revenues.

To best understand the definition of HIPAA, it is helpful to understand the background to HIPAA and what its original objectives were. The background to HIPAA is that, in the early 1990s, around 86% of Americans were covered by private health insurance, public health insurance (i.e., Medicare), or a combination of both. Of those covered by private health insurance, around 60% of Americans were covered by an employer’s health plan.

However, because of the way in which many employer health plans worked, when a worker changed jobs there was a “wait period” and a gap in coverage before the new health plan took effect. It was also the case that if a worker developed a health condition while in one job and then changed jobs, they might not qualify for enrollment in their new employer’s health plan due to the pre-existing condition, or the coverage would be more expensive.

According to a 1991 report referenced in a submission to the Senate Committee on Labor and Human Resources, it was estimated that wait periods resulted in gaps in coverage for 43 million Americans each year. It was also estimated a further 81 million Americans would find it difficult, expensive, or – in some cases – impossible to qualify for a new employer’s health insurance plan due to a health condition acquired in a previous job.


The Evolution of HIPAA

The evolution of HIPAA started with an ambitious plan by President Bill Clinton to reform the healthcare industry. His Health Security Act (S.1757) not only included proposals to develop nationwide healthcare alliances similar to modern Integrated Delivery Networks, but also proposals for mandatory health coverage for all workers and limits on how much health plans could increase premiums each year.

Due to widespread industry opposition to the proposals, the Health Security Act did not progress beyond a second reading. However, some elements of the Act were extracted and presented as separate bills. One of the separate bills was the Health Insurance Reform Act (S.1028), which is also known as the Kennedy-Kassebaum Act due to being introduced by Senators Ted Kennedy and Nancy Kassebaum.

The Kennedy-Kassebaum Act resolved the issues of wait periods and pre-existing conditions, but failed to account for increased premiums to cover the cost of compliance. Concerns were raised that 40% of Americans with employer insurance plans would be paying more for their health insurance; and, as insurance premiums are tax-deductible expenses, the measures proposed in the Act would result in a decline in tax revenues.

To address the concerns, the reforms in the Kennedy-Kassebaum Act were integrated into a companion bill – the Health Coverage Availability and Affordability Act (H.R. 3103). This Act included measures to reduce health insurance fraud and simplify the administration of healthcare transactions, thus neutralizing the cost of compliance. The combined bills were renamed as the Health Insurance Portability and Accountability Act.

The Definition of HIPAA In Healthcare

While many of the measures to reform the health insurance industry were effective immediately, it was some years before the HIPAA Administrative Simplification Regulations were published. This was primarily due to the number of different code sets that were being used in healthcare transactions at the time and the potential for separate healthcare privacy bills being passed by Congress following the failure of the Health Security Act.

For most people, the definition of HIPAA in healthcare started in 2000 with the publication of the Standards and Code Sets for Electronic Transactions and the original HIPAA Privacy Rule (which was subsequently modified and republished in 2002). The Final HIPAA Security Rule was published in 2003 following significant amendments to the proposed Security Rule published in 1998. Enforcement of these Rules started in 2005.

Further events that shaped the definition of HIPAA in healthcare occurred in 2009 with the passage of the HITECH Act, and in 2013 with the publication of the HIPAA Omnibus Rule. The first of these events raised awareness of HIPAA via the Breach Notification Requirements, while the second extended liability for HIPAA compliance to business associates. Both also led to an increase in enforcement of the HIPAA Rules.

Since 2013, the definition of HIPAA in healthcare has come to mean the protection of individuals’ health data, and the rights of individuals to control how their Protected Health Information (PHI) is used and to whom it is disclosed. However, due to misinterpretations of the HIPAA definition of PHI, many sources fail to explain what PHI is and when personally identifiable information (PII) does not qualify as PHI.

The HIPAA Definition of PHI

The HIPAA definition of PHI is that Protected Health Information is any information relating to an individual’s health condition, treatment for the condition, or payment for the treatment that is created, received, maintained, or transmitted by a HIPAA covered entity or business associate. Any information that could identify the subject of PHI also assumes protected status when it is maintained in the same designated record set as Protected Health Information.

However, because of the Information Access Requirements of the Security Rule (§164.308(a)(4)), there are many circumstances in which information that could identify the subject of PHI is not maintained in the same designated record set as PHI and does not assume protected status. Examples include details about individuals maintained in a marketing database or other database not used for healthcare operations.

The reason why misunderstandings exist about the HIPAA definition of PHI is that §164.514(b) of the Privacy Rule lists eighteen “identifiers” that have to be removed from a designated record set before any health information remaining in the designated record set can be considered de-identified and no longer protected. This has been interpreted (incorrectly) to mean that these identifying elements are PHI under all circumstances.

It is important for all members of the workforce to receive training on the (correct) HIPAA definition of PHI in order to ensure information that must be protected is protected and to prevent scenarios in which workforce members are unable to access non-health information in order to do their jobs. Healthcare organizations and other covered entities unsure about the difference between PHI and PII should seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
