Our review of HIPAA history begins on August 21, 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was enacted into law, but why was the HIPAA Act formulated?
The HIPAA Act was formulated to “improve the portability and accountability of health insurance coverage” for workers moving between jobs. Other objectives of the Act were to address waste, fraud and abuse in health insurance and healthcare delivery. The Act also included passages to encourage the use of medical savings accounts by creating tax breaks, to provide coverage for employees with pre-existing medical conditions and to streamline the administration of health insurance.
The processes for simplifying the administration of health insurance became a way to encourage the healthcare industry to computerize patients’ medical records. This specific part of the Act spawned the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which then resulted in the introduction of the Meaningful Use incentive program – described by leaders in the healthcare sector as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years”.
The HIPAA Privacy and Security Rules Begin to Evolve
Once HIPAA had been enacted into law, the US Department of Health and Human Services set about developing the first HIPAA Privacy and Security Rules. The Privacy Rule had an actual compliance date of April 14, 2003, and it referred to Protected Health Information (PHI) as “any information held by a covered entity which is related to health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
The Privacy Rule set out how PHI should be shared and required that permission be obtained from patients before their personal data is used for marketing, fundraising or research. It also gave patients the right to withhold information about their healthcare from health insurance providers when their treatment is privately financed.
The HIPAA Security Rule became enforceable two years after the Privacy Rule, on April 21, 2005. Referring specifically to electronically stored PHI (ePHI), the Security Rule laid down three categories of safeguards – administrative, physical and technical – all of which must be implemented in order to comply with HIPAA. The safeguards have these goals:
- Administrative – to develop policies and processes that clearly indicate how the entity will comply with the Act.
- Physical – to manage physical access to areas of data storage in order to protect against improper access.
- Technical – to safeguard communications containing PHI when they are sent electronically across open networks.
When Did HIPAA Become Enforceable?
In what year was HIPAA enacted into law? HIPAA was enacted into law on August 21, 1996, but there have been major amendments to HIPAA over the last 20 years: The introduction of the Privacy Rule, Security Rule, Breach Notification Rule, and the Omnibus Final Rule.
The most significant effective dates are: April 14, 2003 for the HIPAA Privacy Rule, although there was an extension of 12 months for small health plans, which were required to comply with the HIPAA Privacy Rule provisions by April 14, 2004.
The effective compliance date for the HIPAA Security Rule was April 21, 2005. As with the HIPAA Privacy Rule, small health plans were given an extra year to comply with the provisions of the HIPAA Security Rule and had an actual compliance date of April 21, 2006.
The HIPAA Breach Notification Rule became enforceable on September 23, 2009 and the Omnibus Final Rule became enforceable on March 26, 2013.
The Enactment of the Enforcement Rule
The failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules led to the introduction of the Enforcement Rule in March 2006. The Enforcement Rule gave the Department of Health and Human Services the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI caused by not following the safeguards laid down by the Security Rule.
The Department’s Office for Civil Rights was also given the authority to bring criminal charges against repeat offenders who do not introduce corrective measures within 30 days. Individuals also have the right to bring a civil action against a covered entity if their personal healthcare information has been shared without their permission and this causes them “serious harm”.
HITECH 2009 and the Breach Notification Rule
HIPAA history gathered pace in 2009 with the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH had the main goal of compelling healthcare organizations to adopt Electronic Health Records (EHRs), and it enacted the Meaningful Use incentive program. Stage one of Meaningful Use was introduced the following year, incentivizing healthcare groups to maintain the Protected Health Information of patients in electronic format instead of paper files.
With the incentive program also came an extension of HIPAA Rules to Business Associates and third-party suppliers to the healthcare sector, and the introduction of the Breach Notification Rule – which stated that all breaches of ePHI affecting more than 500 individuals must be made known to the Department of Health and Human Services’ Office for Civil Rights. The criteria for reporting breaches of ePHI were then extended in the Final Omnibus Rule of March 2013.
The Final Omnibus Rule of 2013
The last act of legislation in HIPAA history was the Final Omnibus Rule of 2013. The rule did not really introduce any new legislation, but addressed gaps in existing HIPAA and HITECH regulations – for example, specifying the encryption standards that need to be applied in order to make ePHI unusable, undecipherable and unreadable in the event of a breach occurring.
Many definitions were changed or extended to address grey areas – for example the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct management of the covered entity or Business Associate.
The Privacy and Security Rules were also changed to allow a patient’s health information to be held indefinitely (the previous legislation had stated that it be held for 50 years), while new procedures were added to the Breach Notification Rule. New penalties were also applied – as dictated by HITECH – to covered entities that fell afoul of the HIPAA Enforcement Rule.
Amendments were also included to take into account changing work practices brought about by technological advances, covering the use of mobile devices in particular. A large number of healthcare professionals now use their own mobile devices to view and share ePHI, and the Final Omnibus Rule included new administrative procedures and policies to account for this, and to cover scenarios which could not have been predicted in 1996.
After a number of delays, the deadline for the United States to use Clinical Modification ICD-10-CM for diagnosis coding and Procedure Coding System ICD-10-PCS for inpatient hospital procedure coding was finally established as October 1, 2015. All HIPAA covered entities must use ICD-10-CM. Another requirement is the use of EDI Version 5010.
HIPAA History Significant Dates
- August 1996 – HIPAA Enacted by President Bill Clinton.
- April 2003 – Effective Date of the HIPAA Privacy Rule.
- April 2005 – Effective Date of the HIPAA Security Rule.
- March 2006 – Effective Date of the HIPAA Enforcement Rule.
- September 2009 – Effective Date of HITECH and the Breach Notification Rule.
- March 2013 – Effective Date of the Final Omnibus Rule.
Some covered entities (CEs) and Business Associates (BAs) were given a period of time to comply with the provisions of each Rule. For instance, although the effective date of the Final Omnibus Rule was March 2013, CEs and BAs were given 180 days to comply.
Final Omnibus Rule Impact
What the Final Omnibus Rule accomplished more than any earlier legislation was to make covered entities more aware of the HIPAA safeguards they had to comply with. Many healthcare organizations – some of which had been in breach of HIPAA for almost 20 years – implemented a number of measures to comply with the regulations, such as encrypting data on portable devices and computer networks, using secure messaging solutions for internal communications with care teams, setting up web filters and taking more care to archive emails securely.
The financial penalties now being imposed for data breaches, along with the huge costs of issuing breach notifications, providing credit monitoring services and conducting damage mitigation, make investment in new technology to safeguard data appear cheap by comparison.
The HIPAA Compliance Audit Program
In 2011, the Office for Civil Rights began a series of pilot compliance audits to review how well healthcare providers were complying with the HIPAA Privacy and Security Rules. The first round of audits was completed in 2012 and highlighted the poor state of healthcare compliance.
Audited groups recorded many violations of the HIPAA Breach Notification Rule, Privacy Rule and Security Rule, with the Security Rule accounting for the most violations. The OCR issued action plans to help those organizations achieve compliance; however, for the second phase of audits it is not expected to be as lenient.
Audits are expected to focus on the specific areas which proved problematic for so many healthcare providers, while a permanent audit program is being planned to ensure ongoing HIPAA compliance. The age of lax security standards has now passed, and the healthcare sector, like the financial sector before it, must improve its standards to ensure confidential data remains private.
Any covered entity that does not adopt the necessary controls faces financial penalties, sanctions, potential loss of license and even criminal convictions for failing to secure ePHI.
How to Ensure Full HIPAA Compliance
Our “HIPAA Compliance Checklist” covers the facets of the Health Insurance Portability and Accountability Act relating to the storage, transmission and disposal of electronic Protected Health Information, the actions organizations must take to address a breach, and the policies and procedures which must be in place to achieve full compliance.
HIPAA regulations may be stringent, yet covered entities are allowed some flexibility in the privacy and security measures used to protect data. Data encryption, for example, must be addressed but need not necessarily be implemented if other controls provide the required protection.