The actual answer to the question why was HIPAA created may surprise many people who believe the Act´s sole purpose was to safeguard Protected Health Information (PHI). Indeed, the Privacy and Security Rules developed to protect PHI were only by-products of the Act´s original objectives.
Although worker´s accident insurance dates back to the 1850s, group health plans as they are known today originate from the 1920s. Back then, the vice president of Baylor University´s health care facilities in Dallas devised a program that guaranteed teachers 21 days of hospital care for $6 per year. The “Blue Cross” program spread to other groups of workers in Texas, and then nationwide.
The success of Blue Cross program was attributable to all policy holders paying a flat rate regardless of their health. However, this payment model meant healthy workers were subsidizing unhealthy workers; and, when commercial insurers entered the healthcare insurance market, healthy workers – and businesses providing health benefits as a perk – were often more suited to the “experience rate” payment model in which premiums were based on the likelihood of claiming health benefits.
The consequence of the experience rate payment model was that it became very expensive for small businesses and employees with preexisting conditions to get health insurance coverage. To reduce the premiums, some insurance started offering insurance with exclusions for preexisting conditions or with limited portability – meaning that employees could be locked into their jobs because they could not take their health benefits with them when they changed employers.
In addition, the provision of healthcare insurance by for-profit companies was interpreted in some states as the “unlicensed practice of medicine” because the insurance companies were providing indirect access to medical services. To overcome this issue, a number of states introduced their own legislation to license healthcare insurance companies – some states prohibiting small businesses getting together in order to negotiate better deals from insurance companies.
What Does This Have to Do with Why Was HIPAA Created?
HIPAA was created to reform the health insurance industry. At the time the first version of HIPAA was introduced by Senators Kassebaum and Kennedy in 1995, most employer-sponsored and individually-purchased health plans were governed by federal laws such as ERISA and COBRA, while business group plans were subject to the laws of whatever state the business was located in.
Consequently, millions of Americans could not get access to health insurance or could not take the benefits with them when they changed jobs; and, in some states, many small businesses were priced out of offering health insurance as an employee benefit. Indeed, the long title of the first version of HIPAA – the Health Insurance Reform Act of 1995 (S.1028) – state the bill´s objective as:
To provide increased access to health care benefits, to provide increased portability of health care benefits, to provide increased security of health care benefits, to increase the purchasing power of individuals and small employers, and for other purposes.
Nothing in this bill suggested individually identifiable health information would be protected, or that organizations would have to comply with Administrative, Physical, and Technical Safeguards to protect data. All of this came much later due to concerns that insurance companies would pass the cost of complying with the Health Insurance Reform Act onto consumers as higher premiums.
How the Health Insurance Reform Act Evolved into HIPAA
Strictly speaking, the Health Insurance Reform Act didn´t evolve into HIPAA. In March 1996, Rep. Bill Archer introduced a companion bill into the House of Representatives entitled the Health Coverage Availability and Affordability Act of 1996 (HR.3103). This bill was adopted by the Senate because – unlike the Kassebaum-Kennedy bill – it included provisions to increase efficiency in the health insurance industry and eliminate abusive and fraudulent practices by healthcare organizations.
The theory behind Archer´s provisions were that, if transactions between healthcare providers and health plans were standardized and conducted electronically, the savings made by health plans would compensate for the increased costs of compliance. Additionally, the standardization of transactions and code sets would make it harder for unscrupulous healthcare organizations to claim payments for treatments in excess of what had been provided – or that had not been provided.
Archer´s bill was passed as the Health Insurance Portability and Accountability Act in August 1996. In order for the Act to achieve its primary objectives, the Secretary for Health & Human Services (HHS) was tasked with standardizing transactions and code sets for the healthcare and health insurance industries; and, as the transactions were to be conducted electronically, develop security standards to ensure the integrity and confidentiality of data and protect data against “threats or hazards”.
The instruction to protect against threats or hazards included “unauthorized uses or disclosures of the information” and – in the original, introduced version of the bill – this was immediately followed by a section (§ 1173 (e)) instructing the Secretary to adopt Privacy Standards for Health Information. This instruction has a familiar ring to it inasmuch as the Privacy Standards had to account for allowable uses and disclosures and the rights of individuals subject of such information.
However, being adjacent to the instructions relating to code sets and security standards implies the Privacy Standards were originally intended to only protect information exchanged electronically between healthcare organizations and health insurance companies. This section was moved in the final version of the Act (to § 264) and the Privacy Standards for Health Information (aka the HIPAA Privacy Rule) now apply to all individually identifiable health information.
Why Was HIPAA Created and then Amended to Safeguard PHI?
There is no indication among any of the congressional reports relating to HR.3103 as to why HIPAA was created to reform the health insurance industry and then amended to safeguard PHI in all formats. However, two years previously, the Clinton administration had attempted to fulfil an election campaign pledge to reform the health care industry. The reforms were too controversial for the health care industry at the time and the proposals failed.
Whether or not there is a connection between the failure of the Clinton-backed Health Security Act and the passage of HIPAA is a matter of conjecture, but there are many elements of the health care reform initiative that appear in HIPAA. Therefore, although the answer to the question why was HIPAA created is to reform the health insurance industry, it is understandable that some people attach different objectives to the question why was HIPAA created.