
What Does HIPAA Stand For?

Many articles discussing what HIPAA stands for fail to give a complete answer. Most state that HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 and that it led to the development of standards for the privacy of Protected Health Information. However, few articles discussing what HIPAA stands for explain how a bill with the objective of reforming the health insurance industry evolved into an act of legislation that now controls how healthcare data is safeguarded.

To fully explain what HIPAA stands for, it is necessary to look at the state of the health insurance industry prior to 1996. The industry had grown from a handful of companies offering accident insurance in the 1850s – and employer-sponsored disability insurance from 1911 onwards – into a multi-billion dollar business by the end of the twentieth century. However, at the time, the healthcare insurance industry was governed by a hotchpotch of federal and state legislation.

The reason for the hotchpotch of legislation was that, in the early days, many commercial for-profit health insurance providers were considered to be “unlicensed practitioners of medicine” because they indirectly provided medical services to policy holders and were subsequently banned. To overcome this gray area of law, many states enacted legislation that enabled commercial providers to operate – the legislation stipulating how providers operated and what services they could offer.

Consequently, by 1995, federal laws such as the Employee Retirement Income Security Act of 1974 (ERISA) and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) governed most employer-sponsored and individually-purchased health plans, while the operations of commercial for-profit group health plans were governed by state laws – leading to numerous issues relating to access to health insurance and health care benefits, and insurance portability between jobs.


What Does HIPAA Stand for and the Issues HIPAA Aimed to Resolve

Group health insurance as we know it today started in the 1920s with Baylor University in Texas guaranteeing teachers twenty-one days of hospital care for $6 per year. This scheme was extended under the name of “Blue Cross” – initially to other employee groups in Dallas, and then nationwide. However, the community-rating system of charging a flat rate regardless of policy holders' health meant low-risk individuals were subsidizing the healthcare costs of high-risk individuals.

To address this issue, insurers introduced an “experience rating” which charged according to the level of risk. To prevent pricing small businesses out of the market, they also introduced exclusions for individuals with pre-existing conditions and limitations on when health insurance coverage could be carried from one employer to another. This had the impact of creating a “job-lock” scenario in which employees would not change jobs for fear of losing their health insurance benefits.

HIPAA aimed to resolve these issues by prohibiting the exclusion of individuals with certain types of pre-existing conditions and the termination of coverage when employees changed jobs or had a break in employment. The federal legislation would pre-empt state laws where state laws allowed insurance providers to be selective about who they insured or the portability of coverage. However, the prohibition of these restrictive practices would incur costs for the healthcare insurance industry.

Tackling the Cost Implications of HIPAA

When discussing what HIPAA stands for, many articles suggest the Health Insurance Reform Act of 1995 (S.1028) introduced by Senators Nancy Kassebaum and Ted Kennedy was the forerunner of HIPAA, but it wasn't. The Health Insurance Reform Act of 1995 never passed; although it addressed the issues HIPAA aimed to resolve, it didn't account for the costs that would be incurred by the healthcare insurance industry complying with the provisions.

Keen to avoid a scenario in which insurance companies passed the cost of compliance onto consumers in the form of increased premiums, Congress adopted HR.3103 – a bill introduced by Representative Bill Archer which more closely aligns with what HIPAA means today. The bill included provisions to tackle the cost implications of HIPAA by standardizing the administration of health insurance claims in order to increase efficiency, and to tackle abuse and fraud.

The scale of abuse and fraud at that time was astounding. According to a Congressional Report, fraudulent and abusive insurance practices by unscrupulous healthcare organizations accounted for 10% of total health spending (around $7 billion). The objective of standardizing the administration of health insurance claims was to eliminate the abuse and fraud, save insurance companies money, and prevent the cost of complying with HIPAA being passed onto consumers.

How HR.3103 Evolved into What HIPAA Means Today

The route from the introduction of HR.3103 to what HIPAA means today is a little convoluted. This is because, in order to standardize the administration of health insurance claims, the Secretary of the Department of Health & Human Services (HHS) had to develop standards for electronic transactions (which evolved into the Transactions and Code Sets Rules) and security safeguards to ensure the integrity and confidentiality of data. The provision requiring the availability of data came later.

In the context of HR.3103, the security safeguards were intended to protect claims related to data in transit between health care providers, health plans, and – where appropriate – health care clearinghouses. However, by the time the HIPAA Security Rule was published, the provisions had been expanded to “all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits” – i.e., data in transit and at rest (§164.306).

It is also noticeable that, in the original text of HR.3103, the requirement for HHS to develop privacy standards for health information follows on directly from where HHS is tasked with developing security standards. This was later moved to a separate section of the bill to prevent any confusion that the privacy standards might only relate to covered electronic transactions; and, when HIPAA was passed, led to the HIPAA Privacy Rule (which applies to PHI in any format).

What the Acronym HIPAA Means to Healthcare Organizations

Although the original objectives of HIPAA were mostly to reform the health insurance industry, the biggest impact has been felt by healthcare organizations. Nearly all healthcare-related transactions are governed by the provisions of the Privacy and Security Rules, plus patients now have more rights over healthcare data inasmuch as they can request access to it, request corrections are made when data is incorrect or incomplete, and request a record of who their data has been disclosed to.

The acronym HIPAA also places a considerable administrative overhead on healthcare organizations. Although HIPAA has enhanced the efficiency of the healthcare system by facilitating the secure flow of information, HIPAA Covered Entities are required to develop policies for all types of foreseeable events that could impact the confidentiality, integrity, and availability of electronic PHI, train members of the workforce on the policies, and document both the policies and the training.

Training even has to be provided to members of the workforce who are unlikely to encounter PHI in the execution of their duties. For example, all members of a Covered Entity's workforce are required to participate in a security and awareness training program. This means a hospital's environmental services team has to undergo security and awareness training even though access controls should be in place to prevent members of the team logging into systems containing electronic PHI.

What Does HIPAA Stand for to Patients and Healthcare Workers?

For patients, HIPAA stands for the protection of their personally identifiable information. It is important that patients trust their personally identifiable information is being protected because trust is the most important part of a patient-physician relationship. Patients tell their physicians and other healthcare workers intimate details about themselves that they may not even share with partners and family members. Consequently, it is important the trust is upheld.

For healthcare workers, when patients trust their personally identifiable information is being protected and share intimate details, it enables the provision of more accurate and more appropriate health care. Better health care results in better patient outcomes, which raises morale and contributes towards more rewarding work experiences. For this reason, compliance with a healthcare facility's HIPAA policies should not be seen as a barrier to “getting the job done”.

Finally, it is important to be aware that many articles discussing what HIPAA stands for tend to focus on HIPAA as if it is the only rule governing the privacy of Protected Health Information. However, federal regulations such as the Privacy Act and the Family Educational Rights and Privacy Act can impact the application of HIPAA in specific circumstances, while state laws such as the Texas Medical Records Privacy Act (HB300) preempt HIPAA because of having more stringent privacy protections.

What Does HIPAA Stand For? FAQs

Is the correct acronym HIPAA or HIPPA?

The correct acronym for the Health Insurance Portability and Accountability Act is HIPAA. However, according to Wikipedia, HIPAA is sometimes incorrectly referred to as the “Health Information Privacy and Portability Act”, for which the acronym would be HIPPA.

Who has to comply with HIPAA?

All health plans and healthcare clearinghouses are required to comply with HIPAA, as are healthcare providers that perform HIPAA-covered transactions – which most do. These organizations are collectively referred to as HIPAA Covered Entities.

Does HIPAA apply to employers?

There are circumstances in which employers are subject to “partial compliance” if they act as an administrator for a self-insured health plan or as an intermediary between employees, healthcare providers, and health plans. For a fuller explanation, please see “Does HIPAA Apply to Employers”.

What other state laws preempt HIPAA?

Most states have laws that provide greater protections for data or more patients' rights – albeit these laws may relate to one specific area of healthcare practice (e.g., genetics). Organizations unsure about their obligations under state law should speak with a compliance professional.

What was the Health Coverage Availability and Affordability Act of 1996?

The Health Coverage Availability and Affordability Act was the original short title of HR.3103 when it was introduced into the House of Representatives. At one point it was nearly renamed the Health Insurance and Long-Term Care Affordability Act before the HIPAA acronym was agreed upon.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.