The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton on August 21, 1996. The act introduced measures to improve the portability and accountability of health insurance coverage and prevent job lock, a scenario in which employees would stay in a job to avoid losing health benefits.
HIPAA also aimed to combat fraud and abuse in the healthcare industry and simplify the administration of health insurance transactions. To this end, the Secretary of Health and Human Services (HHS) was instructed to develop standards to safeguard health information when it was maintained or transmitted electronically.
The first proposed Privacy Rule was published in November 1999; the final Privacy Rule followed in December 2000 and was modified in August 2002. The Security Rule took even longer to progress from proposed (August 1998) to final, with the final Rule published in February 2003.
| Characteristic | Date |
|---|---|
| HIPAA signed into law | 21st August 1996 |
| Initial Privacy Rule published | 20th December 2000 |
| Modified Privacy Rule effective | 15th October 2002 |
| Security Rule effective | 21st April 2003 |
| Privacy Rule compliance deadline | 14th April 2003 (small health plans: 14th April 2004) |
| Security Rule compliance deadline | 20th April 2005 (small health plans: 20th April 2006) |
| Enforcement Rule effective | 16th March 2006 |
| Breach Notification Rule (interim final) published | 24th August 2009 |
| Final Omnibus Rule released | 17th January 2013 |
| Final Omnibus Rule compliance deadline | 23rd September 2013 |
The Privacy Rule
The HIPAA Privacy Rule is a federal standard that protects individually identifiable health information by limiting how "covered entities" and "business associates" may use and disclose it without the individual's authorization. It also gives individuals rights over their information: to control how it is used and disclosed, to obtain copies of the records maintained about them, and to request corrections where errors or omissions exist.
To ensure compliance with the Privacy Rule, covered entities and business associates must formulate and enforce privacy policies and procedures, appoint a privacy official, and provide regular training to workforce members. They must also inform individuals about their privacy rights and the potential use of their information through a Notice of Privacy Practices, which must be readily available to anyone requesting it.
Under the companion Breach Notification Rule, breaches of unsecured PHI must be reported to the affected individuals, to the Secretary of Health and Human Services, and, in certain circumstances, to the media. Covered entities and business associates must also maintain administrative, physical, and technical safeguards to prevent unauthorized access to PHI.
The Security Rule
The Security Rule applies to PHI held or transmitted in electronic form (ePHI) and requires covered entities and business associates to implement three categories of safeguards.
Administrative Safeguards:
- Workforce security and training: procedures for authorizing and supervising workforce members, security awareness training, and sanctions for non-compliance.
- Designation of a security official responsible for developing and implementing security policies and procedures.
- Information access management: policies for authorizing, establishing, and modifying each workforce member's access to ePHI.
Physical Safeguards:
- Facility access controls that limit physical access to systems holding ePHI while ensuring that properly authorized access is allowed.
- Workstation use and workstation security controls for devices that access or store ePHI.
- Device and media controls, including data backup and secure disposal or re-use of hardware and electronic media.
Technical Safeguards:
- Access controls (unique user identification, emergency access procedures, automatic logoff, encryption) so that only authorized persons and programs can reach ePHI.
- Audit controls that record and allow examination of activity in information systems containing ePHI.
- Integrity controls, including mechanisms to verify that ePHI has not been improperly altered or destroyed.
- Person or entity authentication to verify that whoever seeks access to ePHI is who they claim to be.
- Transmission security measures, including integrity controls and encryption, to guard against unauthorized access to ePHI while it is transmitted over a network.
Covered entities and business associates must conduct a risk analysis to identify threats and vulnerabilities to ePHI and then implement measures that reduce those risks to a reasonable and appropriate level. This means evaluating the likelihood and impact of each potential risk, selecting and implementing appropriate security measures, documenting the measures chosen and the reasoning behind them, and reviewing the protections on an ongoing basis as the environment changes.
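The technical safeguards above are usually implemented as one interlocking layer rather than three separate features: every read or write of ePHI passes an access check, every attempt (allowed or denied) lands in an audit trail, and stored records carry a verifier so that silent alteration is detected and itself audited. The following Python sketch, added here as an illustration and not drawn from HIPAA or from any vendor's product, ties those three together in a toy in-memory store. The role names, record layout, patient identifiers and HMAC key are constructed for the example; the rule prescribes none of them.

```python
"""Added example: a toy ePHI store combining access control, audit controls
and integrity controls.  Roles, records and key material below are
constructed for illustration and are not mandated by the Security Rule."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role model (assumption: HIPAA does not prescribe roles).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "janitor": set(),
}


class AccessDenied(Exception):
    """Raised when a user's role does not permit the requested action."""


class IntegrityError(Exception):
    """Raised when a stored record no longer matches its integrity tag."""


@dataclass
class EphiStore:
    integrity_key: bytes                              # secret for HMAC tags
    records: dict = field(default_factory=dict)       # patient_id -> (json, tag)
    audit_log: list = field(default_factory=list)     # append-only trail

    def _tag(self, payload: str) -> str:
        # Integrity control: keyed hash over the canonical JSON payload.
        return hmac.new(self.integrity_key, payload.encode(), hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, patient_id, outcome):
        # Audit control: record who did what to which record, and the result.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "patient": patient_id, "outcome": outcome,
        })

    def _authorize(self, user, role, action, patient_id):
        # Access control: denied attempts are audited before being refused.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, action, patient_id, "DENIED")
            raise AccessDenied(f"{user} ({role}) may not {action} {patient_id}")

    def write(self, user, role, patient_id, record: dict):
        self._authorize(user, role, "write", patient_id)
        payload = json.dumps(record, sort_keys=True)
        self.records[patient_id] = (payload, self._tag(payload))
        self._audit(user, role, "write", patient_id, "OK")

    def read(self, user, role, patient_id) -> dict:
        self._authorize(user, role, "read", patient_id)
        payload, tag = self.records[patient_id]
        if not hmac.compare_digest(tag, self._tag(payload)):
            self._audit(user, role, "read", patient_id, "INTEGRITY_FAILURE")
            raise IntegrityError(f"record {patient_id} has been altered")
        self._audit(user, role, "read", patient_id, "OK")
        return json.loads(payload)


def demo():
    """Walk through an allowed read, a denied read and a tampered record.
    Returns (observed outcomes, audit-log outcomes) for inspection."""
    store = EphiStore(integrity_key=b"constructed-demo-key-not-for-production")
    store.write("dr_lee", "physician", "P001", {"dx": "E11.9", "note": "constructed sample"})
    assert store.read("acct_kim", "billing", "P001")["dx"] == "E11.9"
    outcomes = []
    try:
        store.read("j_doe", "janitor", "P001")          # role lacks "read"
    except AccessDenied:
        outcomes.append("denied")
    # Simulate alteration outside the API (e.g. a direct edit of the backing store).
    payload, tag = store.records["P001"]
    store.records["P001"] = (payload.replace("E11.9", "Z00.00"), tag)
    try:
        store.read("dr_lee", "physician", "P001")       # tag no longer matches
    except IntegrityError:
        outcomes.append("tamper_detected")
    return outcomes, [entry["outcome"] for entry in store.audit_log]


if __name__ == "__main__":
    print(demo())
```

The point of the walk-through is the last two entries of the audit trail: the denied janitor read and the integrity failure both appear alongside the successful accesses, which is what lets an examiner later reconstruct not only who read a record but who tried and failed, and when the data stopped matching its tag. In a real deployment the key would live in a KMS or HSM and the log would be shipped to write-once storage rather than kept in process memory.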
The Breach Notification Rule
A breach is an acquisition, access, use, or disclosure of PHI that is not permitted under the Privacy Rule and that compromises the security or privacy of the information. Since the Omnibus Rule, any impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate shows, through a documented risk assessment, that there is a low probability the PHI has been compromised. There are also three exceptions to the definition of a breach. The first is when a workforce member or person acting under the authority of a covered entity or business associate unintentionally acquires, accesses, or uses PHI in good faith and within the scope of their authority. The second is when a person authorized to access PHI at a covered entity or business associate inadvertently discloses it to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information must not be further used or disclosed in a manner not permitted by the Privacy Rule. The third exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information.
Covered entities must notify affected individuals, the Secretary of the Department of Health and Human Services (HHS), and, in certain circumstances, the media, following a breach of unsecured PHI. Individual notice must be provided in writing by first-class mail, or by email if the affected individual has agreed to receive such notices electronically. These individual notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach.
If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, substitute individual notice must be provided either by posting the notice on the homepage of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. In either case the covered entity must include a toll-free phone number that remains active for at least 90 days, where individuals can learn whether their information was involved in the breach. If the contact information is insufficient or out of date for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or by other means.
In addition, business associates must notify covered entities if a breach occurs at or by the business associate without unreasonable delay and no later than 60 days from the discovery of the breach. The business associate should provide the covered entity with the identification of each individual affected by the breach, as well as any other available information required for the covered entity's notification to affected individuals.
Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to notify prominent media outlets serving the state or jurisdiction in addition to notifying affected individuals and HHS. This media notification must be provided without unreasonable delay and no later than 60 days following the discovery of a breach.
Covered entities must notify the Secretary of breaches of unsecured PHI affecting 500 or more individuals without unreasonable delay and no later than 60 days following discovery of the breach. If a breach affects fewer than 500 individuals, the covered entity may instead report it to the Secretary on an annual basis, with reports due no later than 60 days after the end of the calendar year in which the breach was discovered.
The Enforcement Rule
The HIPAA Enforcement Rule sets out the procedures for investigating violations of HIPAA and the penalties that the HHS Office for Civil Rights (OCR) can impose on covered entities and business associates for failing to comply with the Privacy, Security, and Breach Notification Rules. The rule also extended the compliance and investigation provisions to all of the HIPAA Rules, rather than just the Privacy Rule. Authority to investigate complaints under the Privacy and Security Rules (and later the Breach Notification Rule) was delegated to OCR, while authority to investigate complaints under the Administrative Simplification transaction and code set standards (Part 162) was delegated to the HHS Centers for Medicare and Medicaid Services (CMS).
The rule codifies how HIPAA violations are investigated and how civil money penalties are imposed. When it took effect, the maximum civil penalty was $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement. The HITECH Act of 2009, implemented through the Omnibus Final Rule in 2013, replaced this with a four-tier penalty structure keyed to the level of culpability, with substantially higher maximums.
The Enforcement Rule also addressed the problems that had left thousands of complaints unresolved. Despite receiving more than 13,000 complaints in the first two years, OCR had not brought a single enforcement action, giving covered entities the impression that HIPAA compliance was optional rather than mandatory. To counter this, the 2003 interim Enforcement Rule expanded the General Administrative Requirements relating to compliance and investigations and introduced a new section on investigation procedures.
The Final Omnibus Rule
The Final Omnibus Rule of 2013 implemented most of the privacy and security provisions of the HITECH Act. Among its amendments to the Privacy and Security Rules, it limited protection of a deceased individual's PHI to 50 years after death (previously that information was protected indefinitely). New procedures were written into the Breach Notification Rule, and the HITECH penalty tiers were applied to covered entities and business associates that fell foul of the Enforcement Rule.
The Omnibus Rule expands an individual's right to receive an electronic copy of their PHI. It also implements HITECH's requirement that providers follow patient requests that their PHI not be disclosed to a health plan for payment or health care operations purposes if the disclosure is not required by law and relates solely to items or services for which the patient paid out of pocket in full.
The Omnibus Rule expands the definition of a "business associate" to include all entities that create, receive, maintain, or transmit PHI on behalf of a covered entity. This change extends HIPAA's requirements to a broader group of businesses that handle and have the capability to access identifiable health data, including health information organizations and patient safety organizations.
The Omnibus Rule also tightens the approach to using PHI for marketing activities. PHI may no longer be used in most marketing activities without patient authorization if the covered entity is compensated for the communication by a third party (e.g. a pharmaceutical company) promoting its own product.
The Omnibus Rule also simplified HIPAA's authorization requirements for research. Some studies involving PHI that previously required multiple authorization forms may now use a single compound authorization, which may prove less confusing to participants.
The Omnibus Rule was released by the U.S. Department of Health and Human Services (HHS) on January 17, 2013, and became effective on March 26, 2013. It combined and replaced four previously issued proposed and interim final rules.
Frequently asked questions
When was HIPAA signed into law?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996.
What did HIPAA set out to do?
HIPAA established federal standards to protect sensitive health information from disclosure without a patient's consent. It also introduced measures to make health insurance more accessible, portable, and renewable, and enforced changes to reduce fraud and abuse in the healthcare and health insurance industries.
What does the HIPAA Privacy Rule cover?
The HIPAA Privacy Rule defines Protected Health Information (PHI), stipulates permissible uses and disclosures, lists the circumstances in which an authorization is required, and gives individuals rights over their PHI.
When did the Privacy Rule take effect?
Most covered entities had to comply with the HIPAA Privacy Rule by April 14, 2003. Small health plans were given an extension until April 14, 2004.