HIPAA – A Brief History And Summary

In response to the HIPAA mandate, the Department of Health & Human Services (HHS) published a final regulation in the form of the Privacy Rule in December 2000, which became effective on April 14, 2001. The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information. It effectively gives patients more control over their health information and sets boundaries on the use and release of health records.

Under the Privacy Rule, covered entities must:

1. Implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI)
2. Limit the use and disclosure of PHI to only the minimum necessary to accomplish a specified purpose
3. Obtain written authorization from individuals before using or disclosing their PHI, except in certain circumstances such as for treatment, payment, and healthcare operations
4. Provide individuals with a notice of their privacy rights and how their PHI will be used and disclosed
5. Allow individuals to access, review, and obtain a copy of their PHI, and to request that any errors or omissions be corrected
6. Notify individuals in the event of a breach of their unsecured PHI.

The Privacy Rule applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. Business associates, such as third-party vendors and contractors that handle PHI on behalf of covered entities, are also subject to the Privacy Rule. Failure to comply with the Privacy Rule can result in significant financial penalties and other legal consequences.

The HIPAA Security Rule is a federal law that establishes national standards for the security of electronic protected health information (ePHI) in the United States. The Security Rule is a companion to the Privacy Rule, which governs the privacy of personal health information (PHI). Both the Privacy Rule and Security Rule are concerned with protecting PHI, the Privacy Rule covers data in all formats, including printed documentation; where the Security Rule is specifically for data maintained in an electronic state.

HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).

The Security Rule requires covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI. These safeguards must be appropriate for the size, complexity, and capabilities of the covered entity, as well as the nature of the ePHI that it creates, receives, maintains, or transmits.

The Security Rule requires covered entities to:

1. Conduct a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
2. Implement security measures to reduce identified risks and vulnerabilities to a reasonable and appropriate level
3. Train workforce members on security policies and procedures
4. Establish contingency plans in the event of a disaster or emergency
5. Regularly review and update security measures to ensure that they remain effective
6. Maintain documentation of all security policies and procedures
7. Provide notification in the event of a security breach.

The Security Rule applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. Business associates, such as third-party vendors and contractors that handle ePHI on behalf of covered entities, are also subject to the Security Rule.

Compliance with the Security Rule is mandatory, and failure to comply can result in significant financial penalties and other legal consequences.

Although the HSS already had the authority to investigate complaints against Covered Entities for failing to comply with the Privacy Rule, the Enforcement Rule of March 2006 explained how the agency would conduct investigations and issue civil monetary penalties if a suitable resolution could not be achieved by voluntary compliance.

The Enforcement Rule also expanded the compliance and investigation provisions to all the HIPAA Rules, rather than just the Privacy Rule. The authority to investigate complaints related to the Privacy and Security Rules (and later the Breach Notification Rule) was delegated to HHS´ Office for Civil Rights (OCR), while the authority to investigate complaints related to the Administrative Requirements (Part 162) was delegated to HHS´ Centers for Medicare and Medicaid Services (CMS).

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered healthcare provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The HITECH Act had the primary goal of incentivizing healthcare providers to implement Electronic Health Records (EHRs) by introducing the Meaningful Use incentive program. Stage one of Meaningful Use was rolled out the following year and continued until 2018, when it was replaced with the Promoting Interoperability Program.

With the incentive program also came an extension of HIPAA Rules to Business Associates and third-party suppliers to Covered Entities, and the introduction of the Breach Notification Rule – a Rule that stipulated all breaches of ePHI affecting more than 500 individuals must be reported to the Department of Health and Human Services’ Office for Civil Rights. The criteria for reporting breaches of ePHI were subsequently extended in the Final Omnibus Rule of March 2013.

The most recent act of legislation in HIPAA history was the Final Omnibus Rule of 2013. The rule introduced little new legislation but filled gaps in existing HIPAA standards – for example, specifying the encryption standards that need to be applied in order to render ePHI unusable, undecipherable, and unreadable in the event of a breach.

Many definitions were amended or added to clear up grey areas – for example the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of the Covered Entity or Business Associate.

The Privacy and Security Rules were also amended to allow patient´s health information to be held indefinitely (the previous legislation had stipulated it be held for fifty years), while new procedures were written into the Breach Notification Rule. New penalties were also applied – as dictated by HITECH – to Covered Entities that fell afoul of the HIPAA Enforcement Rule.

Consequences of the Final Omnibus Rule

What the Final Omnibus Rule achieved more than any previous legislation was to make Covered Entities more aware of the mandated HIPAA requirements. To better comply with the HIPAA regulations, many hospitals implemented a range of measures, including secure messaging solutions for internal communications with clinical and support staff, installing web filters, and the use of encryption. However, these fell short of full compliance to the existing Privacy and Security Rules, as certain aspects were not enforced, such as use of a single login for multiple users, or provisions that prevent the viewing of onscreen PHI should a member of staff be called away or a workstation being in a public area.

The financial penalties subsequently issued for data breaches – along with the colossal costs of issuing breach notifications, providing credit monitoring services, and conducting damage mitigation – makes investment in new technology to protect data appear cheap by comparison.