Why was HIPAA Created?

Mar 21, 2024

HIPAA was created to address scenarios in which employees could temporarily lose health insurance coverage when they changed jobs or be excluded from coverage due to a preexisting health condition. HIPAA also introduced measures that allowed individuals to maintain health insurance coverage as an individual when they left an employer’s plan.

Many sources discussing why HIPAA was created omit the background to the Act and focus on the privacy and security protections afforded by the Administrative Simplification Regulations. While the privacy and security protections are a consequence of the Health Insurance Portability and Accountability Act, they are not the reasons why HIPAA was created, and they did not take effect until some years after the passage of HIPAA.

Indeed, to answer the question of why HIPAA was created, you have to go back to the 1920s and the origins of group health plans. Back then, the vice president of Baylor University's health care facilities in Dallas devised a program that guaranteed teachers twenty-one days of hospital care for $6 per year. The "Blue Cross" program, as it became known, spread to other groups of workers in Texas, and then nationwide.

How Group Health Plans Evolved

The success of the Blue Cross program was attributable to all policy holders paying a flat rate regardless of their health. However, this payment model meant healthy workers were subsidizing unhealthy workers; and, when commercial insurers entered the health insurance market, many healthy workers, and many employers providing health benefits, were better served by the "experience rate" payment model, in which premiums are based on the likelihood of an individual claiming health benefits.

The consequence of the experience rate payment model was that it became very expensive for some small businesses, and for employees with preexisting conditions, to get health coverage. To reduce premiums, some commercial insurers started offering insurance with exclusions for preexisting conditions or with limited portability, meaning employees could be locked into jobs because they could not take their health benefits with them when they changed employers.

In addition, the provision of health insurance by for-profit companies was interpreted in some states as the "unlicensed practice of medicine", because commercial insurers were considered to be providing indirect access to medical services. To overcome this issue, several states introduced legislation to license health insurance companies, with some states prohibiting small businesses from banding together to negotiate better deals from insurers.

The Clinton Health Plan and Health Insurance Reform

When Bill Clinton won the presidential election in 1992, one of the reasons for his success was a campaign promise to reform the healthcare system and the health insurance industry. At the time, most Americans had private health insurance, were covered by Medicare, or were covered by a combination of the two. Of those who had private health insurance, around 60% were covered by an employer's health plan, but there were problems with the way in which those plans worked.

According to a report submitted to the Senate Committee on Labor and Human Resources, it was estimated that 43 million Americans each year could temporarily lose health insurance coverage when they changed jobs because of waiting periods on new health insurance policies. In addition, a further 81 million Americans were likely to find it difficult, expensive, or impossible to qualify for health insurance when changing jobs if they had a preexisting health condition.

Within months of taking office, President Clinton set up a Health Plan Task Force to deliver on his campaign promise; and, in September 1993, the Health Security Act (S.1757) was introduced into Congress. The bill never reached a floor vote, due to opposition from employers' groups and the health insurance industry, and due to concerns that the healthcare alliances proposed in the Health Plan represented too much "big government".

Why Was HIPAA Created after the Failure of the Health Plan?

Following the failure of the Clinton Health Plan, elements of the plan were isolated and introduced into Congress as separate Acts. One of these was the Health Insurance Reform Act (S.1028), introduced in 1995 by Senators Nancy Kassebaum and Ted Kennedy, the two Senators most often credited with the creation of HIPAA. However, it was actually a different bill that evolved into the Health Insurance Portability and Accountability Act.

In March 1996, Rep. Bill Archer introduced a companion bill into the House of Representatives entitled the Health Coverage Availability and Affordability Act of 1996 (HR.3103). It was this bill that went forward because, unlike the Kassebaum-Kennedy bill, it included provisions to eliminate abusive and fraudulent practices by healthcare organizations and to increase efficiency in the health insurance industry by standardizing and simplifying health insurance transactions.

The theory behind Archer's provisions was that, if transactions between healthcare providers and health plans were standardized and conducted electronically, the savings made by health plans would offset the cost of complying with the proposed measures to "port" health insurance coverage between jobs, allow employees with preexisting conditions to extend their coverage until they became eligible for Medicare, and increase the purchasing power of small employers.

Bill Passes and Process of Administration Simplification Begins

Archer's bill passed under a revised title, the Health Insurance Portability and Accountability Act, in August 1996. For the Act to achieve its objective of administrative simplification, the Secretary of Health and Human Services (HHS) was tasked with standardizing transactions and code sets for the healthcare and health insurance industries. As the transactions were to be conducted electronically, the Secretary was also tasked with adopting security standards to ensure the integrity and confidentiality of the information and to protect it against "threats or hazards".

The threats or hazards to be protected against included "unauthorized uses or disclosures of the information", and, in the original, introduced version of the bill, this was immediately followed by a section (§ 1173(e)) instructing the Secretary to adopt Privacy Standards for Health Information. In the final version of HIPAA, this section was replaced by an instruction to make "recommendations with respect to privacy of certain health information" (Sec. 264).

Complying with these instructions was an immense challenge. Different healthcare providers and different insurance carriers used different transaction codes for the same services, diagnoses, treatments, prescription drugs, and medical supplies. Developing security standards for health information was even more complicated because of the speed at which technology was evolving (the dot-com bubble was approaching its peak) and the prospect of future technologies that the standards would also have to accommodate.

With regard to the recommendations for privacy standards, the Secretary could only promulgate them as a Rule if Congress did not pass its own federal privacy legislation within three years of HIPAA's enactment. This was because there were still bills under consideration that, like HIPAA, had been introduced as isolated elements of the failed Clinton Health Plan. The Secretary made her recommendations in 1997; and, when the deadline for Congress to pass federal privacy legislation elapsed, the first version of the Privacy Rule was published in 2000.

“Healthcare HIPAA” Takes Shape

HIPAA is now most commonly associated with the privacy of health information, but it took a long time for "healthcare HIPAA" to take shape. Because of the complexity of the first version of the Privacy Rule, a revised version was published in 2002. The Security Rule was not finalized until a year later because of the volume of comments from concerned stakeholders, and neither Rule was enforced until after the publication of the Enforcement Rule in 2005.

The Enforcement Rule gave HHS' Office for Civil Rights (OCR) the authority to impose civil monetary penalties for violations of HIPAA attributable to willful neglect. However, OCR rarely exercised its authority, issuing just eight financial penalties between 2008 and 2011. This changed when the new enforcement measures passed in the HITECH Act were adopted into HIPAA by the Final Omnibus Rule in 2013. Since 2013, OCR has imposed more than 130 fines.

Healthcare HIPAA is still taking shape almost thirty years after the Act passed. Recent changes to HIPAA include measures to more closely align the confidentiality requirements for SUD patient records (Part 2) with the Privacy Rule and to better protect reproductive health information. Proposed future changes include new Security Rule standards and settlement sharing, a proposal that will likely increase the number of penalties for HIPAA violations.

As compliance with the new Security Rule standards may also become a condition of participation in Medicare and Medicaid, and as the proposals for settlement sharing may increase the number of enforcement actions, it will be more important than ever that covered entities are HIPAA compliant. It will also be more important than ever that workforces are trained on HIPAA policies and procedures to prevent avoidable violations of HIPAA.
