HIPAA compliance is a moving target. To understand where HIPAA is moving, one first needs to understand why it began and subsequently how it has expanded.
The Healthcare Insurance Portability and Accountability Act was signed into law in 1996 HIPAA. to “improve the portability and accountability of health insurance coverage” for employees between jobs.
Other objectives of the Act were to combat waste, fraud and abuse in health insurance and healthcare delivery. The Act also contained passages to promote the use of medical savings accounts by introducing tax breaks, provided coverage for employees with pre-existing medical conditions and simplified the administration of health insurance.
The original act of 1996 eventually allowed the Department of Health and Human Services (HHS) to set standards for the safeguarding of identifiable health information which was later defined and expanded via the passage of the Privacy Rule, Security Rule, HITECH Act, and other expansions of the original HIPAA law.
Specifically, the US Department of Health and Human Services set about creating the first HIPAA Privacy and Security Rules. The Privacy Rule had an effective compliance date of April 14, 2003, and it defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
The HIPAA Security Rule came into force two years after the original legislation on April 21, 2005. Dealing specifically with electronically stored PHI (ePHI), the Security Rule laid down three security safeguards – administrative, physical, and technical – that must be adhered to in full to comply with HIPAA. The safeguards had the following goals:
- Administrative – to create policies and procedures designed to clearly show how the entity will comply with the act.
- Physical – to control physical access to areas of data storage to protect against inappropriate access.
- Technical – to protect communications containing PHI when transmitted electronically over open networks.
The failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules resulted in the introduction of the Enforcement Rule in March 2006. The Enforcement Rule gave the Department of Health and Human Services the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI due to not following the safeguards laid down in the Security Rule.
HIPAA’s evolution continued in 2009 with the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH had the primary goal of compelling healthcare authorities to implement the use of Electronic Health Records (EHRs) and introduced the Meaningful Use incentive program.
With the incentive program also came an extension of HIPAA Rules to Business Associates and third-party suppliers to the healthcare industry, and the introduction of the Breach Notification Rule – which stipulated that all breaches of ePHI affecting more than 500 individuals must be reported to the Department of Health and Human Services’ Office for Civil Rights.
The criteria for reporting breaches of ePHI were subsequently extended in the Final Omnibus Rule of March 2013. The Omnibus rule barely introduced any new legislation but filled gaps in existing HIPAA and HITECH regulations – for example, specifying the encryption standards that need to be applied in order to render ePHI unusable, undecipherable and unreadable in the event of a breach.
Many definitions were amended or added to clear up grey areas – for example the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.
HIPAA has been updated multiple times in its history and will see more in the future. These are just some of the changes that have occurred recently:
- HHS announced April 30th, 2019 that fines and penalties were updated, with the caps for total annual penalties for the first three tiers reduced from $1.5 million with annual caps set at $25,000 for Tier, $100,000 for Tier 2, and $250,000 for Tier 3.
- HHS has been increasing its enforcement efforts, which has led to massive increases in the fines levied for violations beginning in 2016, with 2018 seeing total penalties at $28 million.
- On March 17th 2020, HHS announced that it will suspend enforcement activities and waive penalties related to particular Security Rule provisions during the Covid-19 public health emergency. Specifically, the OCR is waiving penalties for using everyday communications technologies to provide healthcare services.
As information technologies improve, patient centered care settings become more important, and as patients increasingly monitor their own care through new digital tools, HIPAA will evolve. As a reminder, key dates in HIPAA history (HIPAA timeline) were:
- August 1996 – HIPAA Signed into Law by President Bill Clinton.
- April 2003 – Effective Date of the HIPAA Privacy Rule.
- April 2005 – Effective Date of the HIPAA Security Rule.
- March 2006 – Effective Date of the HIPAA Breach Enforcement Rule.
- September 2009 – Effective date of HITECH and the Breach Notification Rule.
- March 2013 – Effective Date of the Final Omnibus Rule.