The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature with Bill Clinton’s signature on August 21, 1996. Legislators initially created HIPAA to improve portability and continuity of health insurance coverage, especially for employees that were “between” jobs. Additionally, HIPAA standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. It remains to be one of the most important and comprehensive pieces of healthcare legislation ever created.
The fine details of HIPAA’s Rules took some time to be fully developed. Although they was passed into legislature in 1996, several years passed before HIPAA Rules became enforceable. Many changes and updates to HIPAA have since been passed. For example, in 2006-a decade since the introduction of HIPAA-the HIPAA Enforcement Rule was passed. This allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules. Despite the obvious importance of this rule, it faced many challenges in its development since it was first proposed; hence the delay into fully introducing it into HIPPA.
There have been several other important updates in the past two decades since HIPAA was originally passed. The most notable additions include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.
The HIPAA Privacy Rule introduced many provisions to better protect the privacy of patients. The Security Rule was primarily concerned with the security of electronic protected health information. The Breach Notification Rule ensures that all breaches of protected health information are reported, while the Omnibus Rule introduced a broad range of changes, including new requirements required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Four key updates to HIPAA legislation are detailed below.
The Privacy Rule of HIPAA Passed into Legislature
The Privacy Rule of HIPAA was passed into legislature on December 28, 2000. The official name of the update to HIPAA is the “Standards for Privacy of Individual Identifiable Health Information.” The HIPAA Privacy Rule compliance date was April 14, 2003. The HIPAA Privacy Rule details the allowable uses and disclosures of protected health information without first obtaining consent from patients. Furthermore, it gives patients the right to obtain copies of their health data from HIPAA-covered entities.
The Security Rule
The Security Rule of HIPAA was passed into legislature on April 21, 2003, although the effective date was not until April 21, 2005. It complements the HIPAA Privacy Rule, as HIPAA Security Rule is primarily concerned with the creation, use, storage and transmission of electronic PHI. The HIPAA Security Rule requires administrative, physical, and technical safeguards to be introduced to keep PHI secure. The Security Rule also introduced requirements for when PHI is no longer required.
The Breach Notification Rule
The HIPAA Breach Notification Rule came from the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed on February 17, 2009. The HIPAA Breach Notification Rule took effect from August 24, 2009.
The Breach Notification Rule requires HIPAA-covered entities to submit notifications of breaches of protected health information to the Secretary of the Department of Health and Human Services within 60 days of the discovery of a breach if the breach involved 500 or more records. Smaller breaches must still be reported, no later than 60 days after the end of the year in which the breach was discovered. The Breach Notification Rule also requires notifications of a breach to be sent to affected patients within 60 days of the discovery of the breach.
The Omnibus Rule
The HIPAA Omnibus Final Rule was issued on January 17, 2013. The HIPAA Omnibus Rule introduced several changes to the HIPAA Privacy, Security, and Breach Notification Rules.
This rule brought with it one of the most important changes affected HIPAA business associates. These are individuals or entities that are contracted to HIPAA-covered entities to provide services that require access to PHI.
Since the passing of the HIPAA Omnibus Rule, business associates of HIPAA-covered entities, and their subcontractors, must implement safeguards to protect ePHI as required by the HIPAA Security Rule. The Omnibus Rule states business associates of HIPAA-covered entities can be fined directly for HIPAA violations.
Another important update was the defining of what constitutes “significant harm”. Prior to the introduction of the Omnibus Rule, many covered entities failed to report breaches as there was determined to have been no “significant harm” caused to patients because of the breach. This ambiguity in wording left many breaches unknown to authorities. After the Omnibus Rule, covered entities must be able to prove there was no significant harm if they decide not to report a breach.