HIPAA History

When was HIPAA Established?

Our HIPAA history lesson starts on August 21, 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, but why was the HIPAA act created? HIPAA was created to “improve the portability and accountability of health insurance coverage” for employees between jobs. Other objectives of the Act were to combat waste, fraud and abuse in health insurance and healthcare delivery. The Act also contained passages to promote the use of medical savings accounts by introducing tax breaks, provided coverage for employees with pre-existing medical conditions and simplified the administration of health insurance.

The procedures for simplifying the administration of health insurance became a vehicle to encourage the healthcare industry to computerize patients' medical records. This particular part of the Act spawned the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which in turn led to the introduction of the Meaningful Use incentive program – described by leaders in the healthcare industry as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years”.

The HIPAA Privacy and Security Rules Take Shape

Once HIPAA had been signed into law, the US Department of Health and Human Services set about creating the first HIPAA Privacy and Security Rules. The Privacy Rule had an effective compliance date of April 14, 2003, and it defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.

Instructions were issued on how PHI should be disclosed and that permission should be sought from patients before using their personal information for marketing, fundraising or research. It also gave patients the right to withhold information about their healthcare from health insurance providers when their treatment is privately funded.

The HIPAA Security Rule came into force two years after the original legislation on April 21, 2005. Dealing specifically with electronically stored PHI (ePHI), the Security Rule laid down three security safeguards – administrative, physical and technical – that must be adhered to in full in order to comply with HIPAA. The safeguards had the following goals:

  • Administrative – to create policies and procedures designed to clearly show how the entity will comply with the act.
  • Physical – to control physical access to areas of data storage to protect against inappropriate access.
  • Technical – to protect communications containing PHI when transmitted electronically over open networks.

When Did HIPAA Become Effective?

In what year was HIPAA signed into law? HIPAA was signed into law on August 21, 1996, but there have been major additions to HIPAA over the past 25 years: the introduction of the Privacy Rule, Security Rule, Breach Notification Rule, and the Omnibus Final Rule.

The most important effective dates are as follows. The HIPAA Privacy Rule took effect on April 14, 2003, although small health plans were given a one-year extension and were required to comply with the Privacy Rule provisions by April 14, 2004.

The effective compliance date for the HIPAA Security Rule was April 21, 2005. As was the case with the HIPAA Privacy Rule, small health plans were given an additional year to comply with the provisions of the HIPAA Security Rule and had an effective compliance date of April 21, 2006.

The HIPAA Breach Notification Rule became effective on September 23, 2009 and the Omnibus Final Rule became effective on March 26, 2013.

The Introduction of the Enforcement Rule

The failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules resulted in the introduction of the Enforcement Rule in March 2006. The Enforcement Rule gave the Department of Health and Human Services the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI due to not following the safeguards laid down by the Security Rule.

The Department's Office for Civil Rights was also given the power to bring criminal charges against persistent offenders who fail to introduce corrective measures within 30 days. Individuals also have the right to pursue civil legal action against the covered entity if their personal healthcare information has been disclosed without their permission and the disclosure causes them to come to “serious harm”.

HITECH 2009 and the Breach Notification Rule

HIPAA history continued in 2009 with the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH had the primary goal of compelling healthcare authorities to implement the use of Electronic Health Records (EHRs) and introduced the Meaningful Use incentive program. Stage one of Meaningful Use was rolled out the following year, incentivizing healthcare organizations to maintain the Protected Health Information of patients in electronic format, rather than in paper files.

With the incentive program also came an extension of HIPAA Rules to Business Associates and third-party suppliers to the healthcare industry, and the introduction of the Breach Notification Rule – which stipulated that all breaches of ePHI affecting more than 500 individuals must be reported to the Department of Health and Human Services’ Office for Civil Rights. The criteria for reporting breaches of ePHI were subsequently extended in the Final Omnibus Rule of March 2013.

The Final Omnibus Rule of 2013

The most recent act of legislation in HIPAA history was the Final Omnibus Rule of 2013. The rule barely introduced any new legislation, but filled gaps in existing HIPAA and HITECH regulations – for example, specifying the encryption standards that need to be applied in order to render ePHI unusable, undecipherable and unreadable in the event of a breach.

Many definitions were amended or added to clear up grey areas – for example the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.

The Privacy and Security Rules were also amended to allow patients' health information to be held indefinitely (the previous legislation had stipulated it be held for fifty years), while new procedures were written into the Breach Notification Rule. New penalties were also applied – as dictated by HITECH – to covered entities that fell afoul of the HIPAA Enforcement Rule.

Amendments were also included to account for changing work practices brought about by technological advances, covering the use of mobile devices in particular. A significant number of healthcare professionals are now using their own mobile devices to access and communicate ePHI, and the Final Omnibus Rule included new administrative procedures and policies to account for this, and to cover scenarios which could not have been foreseen in 1996.

After multiple delays, the deadline for the United States to use Clinical Modification ICD-10-CM for diagnosis coding and Procedure Coding System ICD-10-PCS for inpatient hospital procedure coding was finally set at October 1, 2015. All HIPAA covered entities must use ICD-10-CM. Another requirement is the use of EDI Version 5010.

Key Dates in HIPAA History

  • August 1996 – HIPAA Signed into Law by President Bill Clinton.
  • April 2003 – Effective Date of the HIPAA Privacy Rule.
  • April 2005 – Effective Date of the HIPAA Security Rule.
  • March 2006 – Effective Date of the HIPAA Enforcement Rule.
  • September 2009 – Effective date of HITECH and the Breach Notification Rule.
  • March 2013 – Effective Date of the Final Omnibus Rule.

In certain circumstances, CEs and BAs were given a period of time to comply with the provisions of each Rule. For example, although the effective date of the Final Omnibus Rule was March 2013, CEs and BAs were allowed 180 days to comply. Further key dates in HIPAA History can be found in our infographic below.

Consequences of the Final Omnibus Rule

What the Final Omnibus Rule achieved more than any previous legislation was to make covered entities more aware of the HIPAA safeguards they had to adhere to. Many healthcare organizations – which had been in breach of HIPAA for almost two decades – implemented a number of measures to comply with the regulations, such as using data encryption on portable devices and computer networks, implementing secure messaging solutions for internal communications with care teams, installing web filters and taking more care to archive emails securely.

The financial penalties now being issued for data breaches, along with the colossal costs of issuing breach notifications, providing credit monitoring services and conducting damage mitigation, make investment in new technology to protect data appear cheap by comparison.


The HIPAA Compliance Audit Program

In 2011, the Office for Civil Rights commenced a series of pilot compliance audits to assess how well healthcare providers were implementing the HIPAA Privacy and Security Rules. The first round of audits was completed in 2012 and highlighted the dire state of healthcare compliance.

Audited organizations registered numerous violations of the HIPAA Breach Notification Rule, Privacy Rule and Security Rule, with the latter resulting in the highest number of violations. The OCR issued action plans to help those organizations achieve compliance; however, for the second round of audits it is not expected to be as lenient.

Audits are expected to target the specific areas which proved problematic for so many healthcare providers, while a permanent audit plan is being planned to ensure continued HIPAA compliance. The age of lax security standards has now passed and the healthcare industry, like the financial industry before it, must raise standards to ensure confidential data remains private.

Any covered entity that does not implement the required controls faces financial penalties, sanctions, potential loss of license and even criminal proceedings for failing to secure ePHI.

How to Achieve Full HIPAA Compliance

Our “HIPAA Compliance Checklist” covers the elements of the Health Insurance Portability and Accountability Act relating to the storage, transmission and disposal of electronic Protected Health Information, the actions organizations must take in response to a breach and the policies and procedures which must be adopted to achieve full compliance.

HIPAA regulations may be strict, yet covered organizations are allowed some flexibility on the privacy and security safeguards used to protect data. Data encryption, for instance, must be addressed but not necessarily implemented if other controls provide the necessary protection.

Some of the main technical safeguards used to protect and control ePHI actually help to streamline communication and information flow, and organizations which have adopted secure communications channels and implemented data controls have benefited from improved efficiency, faster response times and have improved patient outcomes, while ensuring that patient health data remains fully protected at all times.

Technical Safeguards to Secure ePHI and Personal Identifiers

Data Encryption

The use of laptop computers and other mobile devices for storing or accessing ePHI inevitably results in a HIPAA breach if those devices are lost, stolen or improperly recycled. Password protection of devices and the data they contain is a reasonable step to prevent unauthorized access, but alone it is insufficient to provide the necessary protection for health data. Passwords can easily be cracked by hackers and do not provide a sufficiently high level of security.

Data encryption involves the conversion of data into indecipherable symbols, termed cipher text, by complex algorithms that require a security key to convert the data back into its original form. Data encryption ensures privacy, and can also offer other security benefits such as verification of users, access logging, the prevention of record changes and non-repudiation of access and/or theft.

The level of security can be adjusted as appropriate based on the sensitivity of the data it is used to protect. Data can be encrypted with single security key access or with separate keys for encryption and decryption (symmetric and asymmetric data encryption).

If a mobile device holding encrypted ePHI is lost or stolen, or if a computer network is hacked, the incident will still be considered a security breach, but it would not be a HIPAA violation unless the access key is also disclosed.
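The passage above describes encryption at a conceptual level: ciphertext that is unreadable without the key, and a lost device that does not become a reportable loss of data as long as the key stays secret. The following Go program, added here as an illustration and not code from HIPAA Journal or any vendor, shows what those two properties look like in practice for the symmetric (single key) case. It seals a constructed sample record (not real patient data) with AES-256-GCM from the Go standard library, checks that no fragment of the plaintext survives in the stored blob, and then shows that a holder of a different key, or anyone who alters the stored bytes, gets an error rather than the record. The function names `NewKey`, `Seal`, `Open` and `LeaksPlaintext` and the `sampleRecord` value are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demonstration; not real patient data.
const sampleRecord = "MRN:000123;Name:Example Patient;Dx:hypertension"

// NewKey generates a random 256-bit AES key (the "security key" the article
// refers to). In a deployment the key lives in a hardware-backed keystore or
// a key management service, never on the same device as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The returned blob is laid out as
// nonce || ciphertext || authentication tag, so it can be stored as one opaque
// field. A fresh random nonce is drawn for every call.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Because GCM authenticates the ciphertext, it returns an
// error (not garbage output) when the key is wrong or the blob was altered.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob is too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether any 8-byte window of the plaintext appears
// verbatim inside the stored blob: a quick check that what sits on the disk
// is unreadable on its own.
func LeaksPlaintext(plaintext, blob []byte) bool {
	const window = 8
	for i := 0; i+window <= len(plaintext); i++ {
		if bytes.Contains(blob, plaintext[i:i+window]) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewKey()
	blob, _ := Seal(key, []byte(sampleRecord))
	fmt.Printf("stored blob: %d bytes, leaks plaintext: %v\n",
		len(blob), LeaksPlaintext([]byte(sampleRecord), blob))

	// The key holder reads the record back.
	pt, err := Open(key, blob)
	fmt.Println("with key:   ", string(pt), err)

	// Someone with the device but not the key gets an error, not the data.
	otherKey, _ := NewKey()
	_, err = Open(otherKey, blob)
	fmt.Println("without key:", err)

	// Altering a single stored byte is detected as well.
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, blob)
	fmt.Println("tampered:   ", err)
}
```

The design point worth taking from this is that the confidentiality claim in the passage only holds when the key is managed separately from the device: if the key is stored next to the blob, losing the device means losing both. The asymmetric case the passage also mentions (separate encryption and decryption keys) follows the same pattern but is not shown here.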

Secure Messaging

The healthcare industry and the pager appear almost inseparable, yet this is about to change. The focus on HIPAA compliance currently centers on smartphones and wearable technology, yet the pager is not HIPAA compliant. All mobile devices transmit data over unsecured networks and therefore rely on the users not sending ePHI.

BYOD schemes have now been introduced by many healthcare providers, although modern mobile devices have even greater potential to cause HIPAA violations due to the ease with which personal HIPAA identifiers and ePHI can be sent. Policies and procedures may be put in place to control how these devices are used, although surveys suggest that in practice many medical professionals are still using the devices to communicate ePHI.

Secure messaging solutions prevent this. They work by maintaining ePHI on a secure database and then allowing authorized medical professionals to access the data via downloadable secure messaging apps. Communications are channeled through a secure messaging platform which has administrative controls in place to monitor the activity of the authorized personnel. They also allow compliance officers to produce risk assessments, as required by HIPAA and the Office for Civil Rights' auditors.

Many healthcare organizations have reported that the implementation of secure messaging solutions has increased productivity by streamlining communications, increasing message accountability and accelerating response times. According to studies conducted in HIPAA-compliant medical facilities, efficiency has also increased, resulting in a higher standard of healthcare being delivered to patients.

Compliant Cloud Storage

The move from physical health records to electronic data formats has required considerable investment in IT infrastructure. The demands placed on healthcare organizations to continually upgrade servers and networks, and employ the staff to manage data centers, can be considerable. In addition to the hardware, space must be devoted to storing the equipment and physical controls must be used to control access.

The computer equipment now required to run large networks and store healthcare data requires cooling systems to be installed to dissipate the heat the equipment generates. The most cost-effective solution for many healthcare providers is to outsource data storage and take advantage of the cloud to store data. HIPAA-compliant cloud hosting employs the appropriate controls to secure all stored data with encryption. By outsourcing, healthcare organizations can comply with HIPAA regulations without having to invest so heavily in IT infrastructure.

Compliant Mobile Platforms (App Development)

Mobile health apps are popular with patients for tracking and monitoring health and fitness, and wearable devices have the potential to revolutionize home healthcare. They can be used in conjunction with e-visits to provide home care services to patients at a fraction of the cost of healthcare center visits.

Patient portals similarly have great potential and improve interaction between care providers and patients, and cut down on unnecessary costs while helping to improve patient outcomes. The development of HIPAA-compliant mobile app frameworks, compliant storage and HIPAA-compliant web solutions means healthcare providers can take advantage of the benefits of new technology without jeopardizing the privacy and security of patient data.

More technical safeguards to secure ePHI and personal identifiers are no doubt in the planning stage now and will impact HIPAA history in the future. In the meantime, here is a brief HIPAA history timeline.


HIPAA Compliance Infographics

HIPAA History FAQs

Who Created HIPAA?

There is some dispute about who created HIPAA. While many sources refer to the Act as the Kennedy-Kassebaum Act after Ted Kennedy and Nancy Kassebaum – the two leading sponsors of a proposed “Health Insurance Reform Act” (S.1028) – the bill passed by Congress was S.1028's companion bill HR.3103, introduced into the House of Representatives by Bill Archer with the original title of the “Health Coverage Availability and Affordability Act”.

Why was HIPAA created?

The original intention of HIPAA was to reform the health insurance market. According to a report by the Senate Labor and Human Resources Committee, the health insurance market at the time provided too little protection for individuals and families with pre-existing health problems. Many small businesses also found it difficult to obtain health coverage for employees at a fair price.

The reason why HIPAA was created (with its original intention) was to prevent health plans refusing coverage to people in poor health, to make it easier for people who change their jobs or lose their jobs to maintain adequate coverage, and to increase the purchasing power of small businesses. The General Accounting Office estimated these measures would help at least 25 million Americans.

Why was the HIPAA law created with additional privacy provisions?

One of the issues that could have prevented the passage of HIPAA was the costs health insurance companies would incur by complying with it. To sweeten the pill, a second Title was added to the bill with the intention of preventing health care fraud and abuse – estimated to be costing health insurance companies around $7 billion per year due to fraudulent health care providers.

Title II of HIPAA created a national health care fraud and abuse plan based on standards for the electronic transmission of certain health information. To ensure health information transmitted electronically remained secure, the Secretary of Health and Human Services was tasked with establishing security standards; and in order to determine what data was subject to the standards, additional privacy provisions were established in the form of the Privacy Rule.

When was HIPAA enacted?

As HIPAA had multiple objectives, different sections of the Act were enacted at different times. Some were applied retrospectively (e.g., changes to the Employee Retirement Income Security Act), while others were enacted within 30 days of HIPAA being passed (e.g., changes to the Internal Revenue Code in respect of Medical Savings Accounts). The majority were enacted within a year.

However, the section of HIPAA that had the biggest impact on organizations in the healthcare and health insurance industries – the Administrative Simplification provisions – was a new addition to the Social Security Act and was enacted in stages. The first Privacy Rule was published in 2000 (with a modified version published in 2002), and the Security Rule published in 2003.

Why did regulators add new standards after HIPAA's initial implementation?

When the original Privacy Rule was published in December 2000, it attracted complaints from stakeholders and the public about the complexity of the Rule. Concerned that misunderstandings and confusion could unintentionally restrict patients' rights and the quality of care, the Department of Health and Human Services modified the requirements and issued a second Final Rule in 2002.

In the preamble to the second Final Rule, there are multiple explanations of why new standards have been added, and existing standards modified or removed. The majority of the changes related to the Minimum Necessary Standard, obtaining patient consent, Notices of Privacy Practices, marketing health-promoting activities, and disclosing limited data sets for research purposes.