
When Was HIPAA Enacted?

HIPAA was enacted in stages following the passage of the Health Insurance Portability and Accountability Act in 1996: some measures took effect immediately, others within 90 days, and those relating to the privacy and security of health information took several years.

There are several reasons for there being different dates when HIPAA was enacted. The first is that HIPAA covered more than just the privacy and security of individually identifiable health information. It introduced measures to make health insurance more accessible, portable, and renewable, and enforced changes on the healthcare and health insurance industries to reduce fraud and abuse.

Additionally, HIPAA was not an entirely new law. In order to (for example) make health insurance more accessible, portable, and renewable, it was necessary to amend existing laws such as the Employee Retirement Income Security Act (ERISA) and the Social Security Act. Some amendments to these laws were enacted immediately, while others took effect sixty or ninety days later.

Most of the new provisions in HIPAA were enacted within a year; but, due to the complexity of the Administrative Simplification Regulation – the Regulation that would ultimately evolve into the Privacy, Security, Enforcement, and Breach Notification Rules – Congress instructed the Secretary of Health and Human Services (HHS) to promulgate the Rules over periods ranging between 12 and 30 months.


However, the Rules relating to the security and privacy of individually identifiable health information were enacted much later than the other provisions of HIPAA. This was partly due to a clause in the original text of HIPAA instructing HHS to wait 36 months before promulgating Privacy and Security Rules, in order to give Congress the opportunity to pass its own Rules.

When was the HIPAA Privacy Rule Introduced?

Congress passed on the opportunity to pass its own Privacy and Security Rules, and an initial Proposed Privacy Rule was published on November 3, 1999. A year later a Final Privacy Rule was published in the Federal Register. However, because of the strict limits it placed on the permissible uses and disclosures of individually identifiable health information, concerns were raised that the privacy protections might harm some patients' access to health care or the quality of their health care.

As the effective date of the initial Privacy Rule was December 2002 (December 2003 for small Covered Entities), the initial Privacy Rule was never truly enacted. Instead, HHS made technical corrections, published a request for comments, and hosted multiple hearings. A much-modified Proposed Privacy Rule was published in March 2002, and the Final Privacy Rule of HIPAA was enacted in October 2002 with new effective dates for large and small Covered Entities.

When was the HIPAA Security Rule Introduced?

The Security Rule of HIPAA – enacted in April 2003 – did not have such a troubled passage, because the General Rules of the Security Standards (§164.306) state that Covered Entities and Business Associates may take a flexible approach to implementing the Security Standards depending on:

  • The size, complexity, and capabilities of the Covered Entity or Business Associate.
  • The Covered Entity’s or the Business Associate’s technical infrastructure, hardware, and software security capabilities.
  • The costs of security measures.
  • The probability and criticality of potential risks to electronic protected health information.

Additional flexibility was afforded by some of the implementation specifications being “addressable” rather than “required”. This meant that Covered Entities and Business Associates could implement an alternative measure if it could be demonstrated that the addressable implementation specification was “inappropriate and/or unreasonable” in the circumstances and provided that the alternative measure was at least as effective as the addressable implementation specification.

When was the HIPAA Enforcement Rule Introduced?

One of the provisions enacted at the same time as HIPAA was an amendment to the Social Security Act concerning the civil and criminal penalties for the “wrongful disclosure of individually identifiable health information”. As the Privacy and Security Rules had not yet been promulgated, there was no clear understanding of what “wrongful” entailed. Consequently, although HHS received more than 13,000 complaints about HIPAA violations by 2005, no enforcement action had been taken.

The Enforcement Rule of HIPAA – enacted in March 2006 – addressed the issues that had led to thousands of complaints remaining unresolved, codified the procedures for investigating HIPAA violations, and explained how civil penalties would be imposed. At the time, the maximum penalty for willful violations of HIPAA was $100 per violation, with civil penalties capped at $25,000 per year per violation type. This was to change with the passage of the HITECH Act and the Omnibus Final Rule.

The HITECH Act of 2009

The Health Information Technology for Economic and Clinical Health Act (HITECH) was part of the American Recovery and Reinvestment Act of 2009 enacted to help the country recover from the economic depression of 2008. The key area of HITECH was the Meaningful Use program which incentivized the use of EHRs; but conscious that the increased use of technology may also increase the risks to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI), a series of measures were introduced to increase the security of ePHI.

Among these measures were a new four-tier penalty structure for HIPAA violations, tougher civil penalties for HIPAA violations, a reversal of the "burden of proof" (to show that a data breach had or had not resulted in harm), and – for the first time – direct liability for Business Associates for data breaches attributable to non-compliance with the Security Rule. While many of the measures were enacted several years later in the Omnibus Final Rule, the requirement to notify individuals and HHS' Office for Civil Rights of a data breach became effective immediately.

When was the Breach Notification Rule Enacted?

Originally enacted as an Interim Rule in August 2009, the Breach Notification Rule requires Covered Entities and Business Associates to report breaches of unsecured ePHI and breaches involving physical copies of PHI to HHS' Office for Civil Rights. Breaches involving 500 or more records must be notified to HHS' Office for Civil Rights within 60 days of discovering the breach, while breaches involving fewer than 500 records can be notified at the end of each calendar year.

In addition to notifying HHS' Office for Civil Rights, Covered Entities and Business Associates must also notify the individuals whose data has been exposed in a breach and, if the breach involves 500 or more records, notify the local media. Covered Entities and Business Associates that fail to comply with the Breach Notification Rule can be fined for a willful violation of HIPAA in addition to any civil penalty imposed for the violation responsible for the breach.

The Omnibus Final Rule of HIPAA Enacted

The most recent major enactment of a HIPAA Rule occurred in 2013, when the Omnibus Final Rule of HIPAA was enacted. This Rule integrated most of the provisions passed in the HITECH Act, along with additional provisions attributable to Executive Order 13563 and the Genetic Information Nondiscrimination Act (GINA). Importantly, the Omnibus Final Rule implemented the significant civil penalties for violations of HIPAA passed in the HITECH Act.

Following the enactment of the Omnibus Final Rule, the civil penalties for violations started at a minimum of $100 per violation (rather than the previous maximum of $100 per violation) and increased to a minimum of $50,000 per violation (capped at $1.5 million per year per violation type) for violations attributable to willful neglect that were not corrected within 30 days of discovery. The civil penalties have since been adjusted for inflation and are currently:

Penalty Tier   Level of Culpability                           Min. Penalty per Violation   Max. Penalty per Violation   Annual Penalty Limit
Tier 1         Lack of Knowledge                              $137                         $34,464                      $34,464
Tier 2         Reasonable Cause                               $1,379                       $68,928                      $137,886
Tier 3         Willful Neglect                                $13,785                      $68,928                      $344,638
Tier 4         Willful Neglect not Corrected within 30 days   $68,928                      $68,928                      $2,067,813

On What Dates Were the Rules of HIPAA Enacted?

  • August 21, 1996 – HIPAA signed into law
  • December 20, 2000 – Initial Privacy Rule published
  • October 15, 2002 – Enactment date of Modified Privacy Rule
  • April 21, 2003 – Enactment date of Security Rule
  • October 14, 2004 – HIPAA Privacy Rule compliance deadline
  • April 21, 2005 – HIPAA Security Rule compliance deadline
  • March 16, 2006 – Enactment date of Enforcement Rule
  • February 17, 2009 – HITECH Act signed into law
  • August 24, 2009 – Enactment date of Breach Notification Rule
  • January 17, 2013 – HIPAA Omnibus Final Rule published
  • September 23, 2013 – Omnibus Rule compliance deadline

Further information on HIPAA

You can find out more about HIPAA compliance here, and for further information on landmarks in HIPAA take a look at our HIPAA history page and infographic.

When was HIPAA Enacted? FAQs

How did HIPAA evolve from an Act to reform health insurance to the privacy and security legislation that exists today?

The original objective of HIPAA was to increase the accessibility, portability, and renewability of health insurance to prevent individuals being excluded from health insurance due to a pre-existing condition and to eliminate “job lock” – in which employees were locked into a job because they would lose their health coverage if they changed employers.

As implementing measures to achieve this objective would have cost the insurance industry money, Title II of HIPAA was introduced to “balance the books” by reducing fraud and abuse in the healthcare industry. According to one Congressional Report, fraudulent practices by unscrupulous healthcare organizations accounted for 10% of total healthcare spending (around $7 billion).

To reduce fraud and abuse, the Administrative Simplification Regulation was introduced. This required HIPAA Covered Entities to adopt standardized code sets for electronic transactions; and as electronic transactions were being used more often, it was felt necessary to adopt standards for the security of individually identifiable health information being transmitted in transactions.

The HIPAA Rule with the most significant impact on healthcare operations – the Privacy Rule – initially started life as a recommendation that individuals should have rights over what information about them was being transmitted in HIPAA-covered transactions, and the permissible uses and disclosures of such information. This recommendation evolved into something much larger.

Why is HIPAA sometimes called the Kennedy-Kassebaum Act?

Prior to the passage of HIPAA, Senators Edward Kennedy and Nancy Kassebaum put a lot of effort into agreeing on the core provisions of the Act with insurers, consumers, Governors, state regulators, and employers, and into forging the bipartisan consensus that enabled the passage of the Act. Consequently, even though their original bill (S 1028) was not adopted by the Senate (which opted for companion bill HR 3103), their names are often associated with the Act.

What is the “burden of proof” mentioned in the HITECH Act?

Prior to the HITECH Act, HHS' Office for Civil Rights could only pursue enforcement action against a Covered Entity if it could be proven that an individual had suffered "harm" due to an impermissible use or disclosure of PHI or a breach of unsecured ePHI. Since HITECH and the Breach Notification Rule, Covered Entities and Business Associates that choose not to notify an individual or HHS' Office for Civil Rights of a HIPAA violation or data breach must themselves prove that no harm has occurred.

Have no new HIPAA Rules been enacted since 2013?

No new HIPAA Rules have been enacted, but there have been some amendments to both HIPAA and HITECH. Most recently, an amendment to the HITECH Act enabled HHS' Office for Civil Rights to use discretion when issuing fines and enforcing Corrective Action Plans if a security-related HIPAA violation or data breach occurred despite a Covered Entity or Business Associate having implemented a recognized security framework compatible with the provisions of the HIPAA Security Rule.

Does HHS' Office for Civil Rights investigate HIPAA violations that are not data breaches?

HHS' Office for Civil Rights is responsible for upholding all aspects of HIPAA law, not just violations of HIPAA that result in a data breach. Therefore, if – for example – a patient is denied their right to access their medical records, transfer them to another provider, or receive an accounting of disclosures, HHS' Office for Civil Rights will investigate any subsequent complaint from the patient and take appropriate action against the non-compliant entity when necessary.

Where did HIPAA originate from?

HIPAA as we know it today originated from a number of sources. The majority of the health insurance reforms were introduced by Representative Bill Archer in HR 3103, but many of the provisions were extensions of existing laws such as the Employee Retirement Income Security Act 1974 and the Consolidated Omnibus Budget Reconciliation Act 1985.

With regard to the initial provisions in HIPAA to ensure the privacy and security of Protected Health Information, many of these had their origins in the Health Security Act 1993, which failed to pass Congress due to its complexity and cost. Subsequent provisions enacted via the HITECH Act were introduced to ensure the security of data during the adoption of the Meaningful Use program.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
