When Was HIPAA Enacted?

How long has compliance with the Health Insurance Portability and Accountability Act (HIPAA) been necessary? When was HIPAA enacted and what were the compliance dates for the original act and its subsequent amendments?

When was HIPAA Enacted?

HIPAA was enacted on August 21, 1996, when President Bill Clinton signed the legislation into law. One of the key aims of the legislation was to improve the portability of health insurance coverage, ensuring employees retained health insurance coverage when between jobs. HIPAA also made healthcare organizations accountable for health data and helped to ensure health information remains private and confidential.

HIPAA also combated waste in healthcare and helped to prevent fraud and abuse in healthcare delivery and health insurance, while also simplifying the administration of healthcare.

HIPAA was enacted and signed into law in 1996, but there have been major updates to HIPAA legislation over the years, notably the introduction of the HIPAA Privacy Rule, the HIPAA Security Rule, the incorporation of HITECH Act requirements, and the HIPAA Omnibus Rule.

These updates added many new provisions to HIPAA legislation and helped to ensure that patient privacy was protected, healthcare data was appropriately secured, patients and plan members were notified in the event of a breach of their protected health information, and business associates of HIPAA covered entities also had to comply with HIPAA Rules.

The introduction of the HIPAA Enforcement Rule in 2006 gave the Department of Health and Human Services’ Office for Civil Rights the power to enforce HIPAA. Since then, it has been possible for the HHS to pursue financial penalties for non-compliance with HIPAA Rules.

When was the HIPAA Privacy Rule Introduced?

The HIPAA Privacy Rule was first proposed on November 3, 1999, with the Final Privacy Rule issued on December 20, 2000, although corrections were made almost immediately. The most important date is April 14, 2003, when HIPAA-covered entities were required to comply with the HIPAA Privacy Rule.

The HIPAA Privacy Rule defined Protected Health Information (PHI) and regulated the use of PHI by HIPAA-covered entities, stipulating to whom the information could be disclosed and under what circumstances. The HIPAA Privacy Rule requires appropriate safeguards to be implemented to protect the privacy of patients. Patients were also given the right to obtain copies of the PHI held by HIPAA-covered entities.

When was the HIPAA Security Rule Introduced?

The HIPAA Security Rule was first proposed on August 12, 1998, with the Final Security Rule issued on February 20, 2003. Compliance with the HIPAA Security Rule became mandatory on April 21, 2006.

The HIPAA Security Rule is primarily concerned with the establishment of national security standards to protect electronic protected health information (ePHI). The HIPAA Security Rule requires administrative, physical, and technical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI. The HIPAA Security Rule also requires covered entities to conduct a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, and to manage those risks and reduce them to a reasonable and appropriate level.

When was the HITECH Act Incorporated into HIPAA?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009. Certain elements of HITECH became effective the same month, such as increased penalties for violations of HIPAA Rules. Most of the provisions of the HITECH Act became effective and were enforceable from February 27, 2010.

The HITECH Act’s incorporation into HIPAA resulted in the creation of the HIPAA Breach Notification Rule, which requires covered entities to notify individuals when their PHI is exposed or compromised. HITECH also required business associates of HIPAA-covered entities to comply with HIPAA Rules and made them directly accountable for HIPAA violations.

The HIPAA Omnibus Rule of 2013 finalized and incorporated many provisions of the HITECH Act into HIPAA. The Omnibus Final Rule was issued on January 17, 2013, and the compliance deadline was September 23, 2013.

Important Dates in the History of HIPAA

  • August 21, 1996 – HIPAA signed into law
  • December 20, 2000 – HIPAA Final Privacy Rule issued
  • February 20, 2003 – HIPAA Final Security Rule issued
  • April 14, 2003 – HIPAA Privacy Rule compliance deadline
  • March 16, 2006 – HIPAA Enforcement Rule becomes effective
  • April 21, 2006 – HIPAA Security Rule compliance deadline
  • February 17, 2009 – HITECH Act signed into law
  • February 27, 2010 – HITECH Act compliance deadline
  • January 17, 2013 – HIPAA Omnibus Final Rule issued
  • September 23, 2013 – Omnibus Rule compliance deadline

Further information on HIPAA

You can find out more about HIPAA compliance here, and for further information on landmarks in HIPAA, take a look at our HIPAA history page and infographic.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.