When Did HIPAA Take Effect?

The Health Insurance Portability and Accountability Act was a landmark piece of legislation that was originally intended to simplify the administration of healthcare, eliminate wastage and prevent healthcare fraud, and to ensure insurance coverage was not lost when employees were between jobs.

HIPAA was signed into law by President Clinton on August 21, 1996. It has been updated several times over the past 20 years, and many new provisions have been incorporated to improve privacy protections and security to ensure health information remains confidential.

The main updates to HIPAA are summarized below.

The HIPAA Privacy Rule

The HIPAA Privacy Rule was a major update to HIPAA and introduced many of the aspects for which HIPAA is known today. The HIPAA Privacy Rule defined ‘Protected Health Information’ (PHI), gave patients the right to obtain copies of their protected health information from HIPAA covered entities, and introduced strict rules on the allowable uses and disclosures of PHI.

When did the Privacy Rule of HIPAA Take Effect? The HIPAA Privacy Rule took effect on April 14, 2003, although small health plans were given an additional year to comply and had a compliance date of April 14, 2004.

The HIPAA Security Rule

While the HIPAA Privacy Rule was concerned with defining protected health information and putting rules in place to protect the privacy of patients and health plan members, the HIPAA Security Rule was concerned with ensuring administrative, physical, and technical safeguards were introduced to protect healthcare data and ensure its confidentiality, integrity, and availability.

When did the Security Rule of HIPAA Take Effect? The HIPAA Security Rule took effect on April 21, 2005 for most HIPAA covered entities. Small health plans were allowed another year and their date for compliance with the Security Rule was April 21, 2006.

The HIPAA Enforcement Rule

The HIPAA Enforcement Rule was introduced in March 2006. While this addition to HIPAA did not involve any new provisions for covered entities, it did have a major impact. The HIPAA Enforcement Rule allowed the Department of Health and Human Services’ Office for Civil Rights to investigate complaints and data breaches and pursue civil and criminal charges for HIPAA violations.

HITECH Act and the Breach Notification Rule

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009 and was intended to promote the adoption of electronic health records by offering incentives to healthcare organizations for switching to electronic health records. The HITECH Act also introduced new requirements for the disclosure of breaches and saw the Breach Notification Rule added to HIPAA. The Breach Notification Rule requires individuals to be notified of breaches within 60 days of discovery of the breach. The HITECH Act also required business associates of HIPAA covered entities to comply with HIPAA Rules.

The HIPAA Omnibus Final Rule

While the HIPAA Omnibus Final Rule did not introduce much in the way of new legislation, it did involve considerable updates to HIPAA to plug some gaps in HIPAA and the HITECH Act and to clear up some gray areas which HIPAA-covered entities were struggling to understand. The HIPAA Omnibus Final Rule further clarified certain regulations to take technological advances into consideration, such as the rise in use of mobile devices.

Patients were given the right to obtain copies of their PHI in electronic form, and the maximum penalties for HIPAA violations were increased.

When did the Omnibus Final Rule of HIPAA Take Effect? The HIPAA Omnibus Final Rule came into effect on March 26, 2013 with a compliance date of September 23, 2013.

A Brief History of HIPAA

Our HIPAA history page provides further information on notable amendments and updates to HIPAA Rules, which have also been summarized in the infographic below.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.