When Did HIPAA Become Law?

The Health Insurance Portability and Accountability Act (HIPAA) helped reform the healthcare industry, but when did HIPAA become law and what are the key dates in the history of HIPAA? In this post we give a short history of HIPAA, including key updates to the legislation over the past two decades.

When Did HIPAA Become Law?

HIPAA was signed into law by President Clinton on August 21, 1996; however, the regulations that implement it, and the legislation that later extended it, arrived over the following years. The major ones were:

  • The HIPAA Privacy Rule
  • The HIPAA Security Rule
  • The HITECH Act
  • The HIPAA Breach Notification Rule
  • The HIPAA Omnibus Rule

When Did the HIPAA Privacy Rule Become Law?

The HIPAA Privacy Rule was published on December 28, 2000, although modifications were made and the final rule was published on August 14, 2002. The HIPAA Privacy Rule introduced standards for the privacy of individually identifiable health information, stipulated the permitted uses and disclosures of protected health information, and gave patients the right to access and obtain copies of their health records. The HIPAA Privacy Rule also required covered entities to enter into business associate agreements with their business associates, under which the business associate agrees to comply with certain provisions of the Privacy Rule; business associates did not become directly liable for HIPAA violations until the HITECH Act and the Omnibus Rule.

The compliance date for the HIPAA Privacy Rule was April 14, 2003, although small health plans were given an additional year to comply and had a compliance date of April 14, 2004. Small health plans are those with annual receipts of less than $5 million.

When Did the HIPAA Security Rule Become Law?

The HIPAA Security Rule was published on February 20, 2003 and had a compliance deadline of April 20, 2005 (April 20, 2006 for small health plans). The main aim of the HIPAA Security Rule was to set standards for protecting electronic protected health information (ePHI) that is created, received, maintained or transmitted by HIPAA covered entities. The HIPAA Security Rule requires a risk analysis to be conducted and a range of administrative, physical, and technical safeguards to be implemented based on its findings.

When Did the HITECH Act Become Law?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009 and was part of the American Recovery and Reinvestment Act of 2009. The main aim of the HITECH Act was to promote the adoption and meaningful use of health IT.

The HITECH Act amended the Social Security Act and introduced a tiered penalty structure for HIPAA violations based on the level of culpability, applying to violations occurring on or after February 18, 2009. The maximum penalty was set at $1.5 million per calendar year for all violations of an identical provision. The HITECH Act Enforcement Interim Final Rule became effective on November 30, 2009.

When Did the HIPAA Breach Notification Rule Become Law?

The HIPAA Breach Notification Rule, issued as an interim final rule on August 24, 2009, came into effect on September 23, 2009. The Rule requires affected individuals to be notified without unreasonable delay and in any case within 60 days of the discovery of a breach of unsecured protected health information, regardless of the size of the breach. If a breach affects 500 or more individuals, the covered entity must also notify prominent media outlets and the Secretary of the HHS within that same 60-day window. Smaller breaches must be logged and reported to the HHS within 60 days of the end of the calendar year in which they were discovered.

When Did the HIPAA Omnibus Rule Become Law?

The HIPAA Omnibus Rule was announced on January 17, 2013 and published in the Federal Register on January 25, 2013. It had an effective date of March 26, 2013 and a compliance date of September 23, 2013. The HIPAA Omnibus Rule introduced a swathe of changes to HIPAA and implemented various provisions of the HITECH Act to strengthen privacy and security protections for health information, including making business associates directly liable for compliance with the Security Rule and applicable parts of the Privacy Rule.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.