
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

When Did HIPAA Take Effect?

HIPAA took effect in various stages following the passage of the Health Insurance Portability and Accountability Act in 1996, with some changes enacted by HIPAA taking effect immediately, most taking effect 90 days after the passage of HIPAA, and those relating to the privacy and security of healthcare data taking up to ten years to take effect. Even then, HIPAA was not effectively enforced until after the HIPAA Omnibus Final Rule took effect in September 2013.

HIPAA was signed into law by President Clinton on August 21, 1996, although HIPAA has been updated several times over the past 27 years and many new provisions have been incorporated to improve privacy protections and security to ensure health information remains confidential.

The main updates to HIPAA are summarized below.

The HIPAA Privacy Rule

The HIPAA Privacy Rule was a major update to HIPAA and introduced many of the aspects for which HIPAA is known today. The HIPAA Privacy Rule defined ‘Protected Health Information’ (PHI), gave patients the right to obtain copies of their protected health information from HIPAA covered entities, and introduced strict rules on the allowable uses and disclosures of PHI.

When did the Privacy Rule of HIPAA Take Effect? The HIPAA Privacy Rule took effect on April 14, 2003, although small health plans were given an additional year to comply and had a compliance date of April 14, 2004.

The HIPAA Security Rule

While the HIPAA Privacy Rule was concerned with defining protected health information and putting rules in place to protect the privacy of patients and health plan members, the HIPAA Security Rule was concerned with ensuring administrative, physical, and technical safeguards were introduced to protect healthcare data and ensure its confidentiality, integrity, and availability.

When did the Security Rule of HIPAA Take Effect? The HIPAA Security Rule took effect on April 21, 2005 for most HIPAA covered entities. Small health plans were allowed another year and their date for compliance with the Security Rule was April 21, 2006.

The HIPAA Enforcement Rule

The HIPAA Enforcement Rule was introduced in March 2006. While this addition to HIPAA did not involve any new provisions for covered entities, it did have a major impact. The HIPAA Enforcement Rule allowed the Department of Health and Human Services’ Office for Civil Rights to investigate complaints and data breaches and pursue civil and criminal charges for HIPAA violations.

HITECH Act and the Breach Notification Rule

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009 and was intended to promote the adoption of electronic health records by offering incentives to healthcare organizations for switching to electronic health records. The HITECH Act also introduced new requirements for the disclosure of breaches and saw the Breach Notification Rule added to HIPAA. The Breach Notification Rule requires individuals to be notified of breaches within 60 days of discovery of the breach. The HITECH Act also required business associates of HIPAA covered entities to comply with HIPAA Rules.

The HIPAA Omnibus Final Rule

While the HIPAA Omnibus Final Rule did not introduce much in the way of new legislation, it did involve considerable updates to HIPAA to plug some gaps in HIPAA and the HITECH Act and to clear up some gray areas which HIPAA-covered entities were struggling to understand. The HIPAA Omnibus Final Rule further clarified certain regulations to take technological advances into consideration, such as the rise in use of mobile devices.

Patients were given the right to obtain copies of their PHI in electronic form, and the maximum penalties for HIPAA violations were increased.

When did the Omnibus Final Rule of HIPAA Take Effect? The HIPAA Omnibus Final Rule came into effect on March 26, 2013 with a compliance date of September 23, 2013.

A Brief History of HIPAA

Our HIPAA history page provides further information on notable amendments and updates to HIPAA Rules, which have also been summarized in the infographic below.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
