The Health Insurance Portability and Accountability Act (HIPAA), originally known as the Kennedy-Kassebaum Bill, is a set of regulations that became law in 1996. Its purpose is to help people keep their health insurance coverage when they move from one employer to the next, and to streamline the movement of medical records from one health care institution to another. In addition, HIPAA created a system to recognize and enforce the rights of patients to protect the privacy of their medical records. HIPAA is a series of laws that have required health care organizations to invest time and money in training for strict compliance. Although this can be a lengthy and arduous effort for those in the health care industry, for patients it creates a beneficial level of security. By learning some of HIPAA's background, people can better understand what it is and how it can benefit them and their families.
History of HIPAA
The roots of HIPAA stem from the early 1990s, when it first became apparent that the medical care industry would become more efficient by computerizing medical records. In addition, the industry also needed new standards for the management of health care data. These standards included rules regarding the portability of medical information as well as the establishment and protection of a patient's right to medical privacy. There was also the issue of ensuring that people could keep their health care coverage when they left their jobs. HIPAA, the law that resulted from efforts to address these concerns, was passed by Congress and signed by President Bill Clinton. While the law itself was passed in 1996, the actual details were left to later action by Congress and, where Congress did not act, to regulations issued by the Secretary of Health and Human Services. The Transactions and Code Sets Final Rule was published in August 2000. The Privacy Rule, proposed in 1999, was finalized in December 2000 and modified in 2002. These were followed by the Security Rule in 2003 and the Unique Identifiers rule, which established the National Provider Identifier, in 2004. The Enforcement Rule, finalized in 2006, was the last of these original parts of HIPAA to be specified in detail.
- American Medical Association – HIPAA 101: How it Started and What’s Next (PDF)
- State of Tennessee: History of HIPAA Timeline (PDF)
- University of Chicago: HIPAA Background
- Office of HIPAA Privacy and Security: About HIPAA
Why Did HIPAA Come About?
HIPAA is a series of regulations governing the transfer of medical information, particularly its modernization through electronic records. In addition, HIPAA also addresses the issues of health insurance portability and patient privacy rights. The law is broken up into Title I and Title II, the latter of which is further broken up into separate Rules. Title I is called "Health Care Access, Portability, and Renewability" and it deals with health care plans and policies. Title I limits the length of the "exclusion" period, the time for which health insurers can delay coverage of pre-existing conditions, and gives policy holders credit for prior "creditable coverage" so that the exclusion period is reduced. This is what allows people to move their insurance coverage from one job to the next without starting over. Title II of the HIPAA law is called "Preventing Health Care Fraud and Abuse" and it is made up of five separate Rules: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers (National Provider Identifier) Rule, and the Enforcement Rule.
- WebMD: HIPAA Rules Explained
- HIPAA Regulations
- Indiana State Department of Health: What is Required by the Regulations
- HIPAA Privacy Regulations (PDF)
- Health Insurance Portability and Accountability Act – Three Primary Regulation Areas
- HIPAA an Overview
HIPAA Requirements for Compliance
To comply with HIPAA regulations, there are a number of steps that health care providers and insurance companies must take. For one, the Privacy Rule requires every covered entity to designate a privacy official, and the Security Rule requires a security official; in practice these roles are often combined into a single HIPAA Compliance Officer who has been trained in HIPAA requirements. This person is ultimately responsible for staying on top of HIPAA requirements and ensuring that the organization is following the law. Employees will also need to be kept up to date on the HIPAA policies that pertain to the organization, which requires ongoing training for the staff. Most importantly, HIPAA requires organizations to safeguard patient data against unauthorized access and disclosure. For electronic protected health information this means implementing the administrative, physical, and technical safeguards of the Security Rule, covering everything from risk analysis and workforce access controls to facility security, audit logging, and encryption, so that both physical and network-based intrusions are prevented and detected. In the event of a breach of unsecured protected health information, organizations are required by the Breach Notification Rule, added by the HITECH Act in 2009, to report the incident to the Department of Health and Human Services and to notify the patients whose information may be affected.
- HIPAA Privacy Rules
- Final HIPAA Privacy and Security Regulations (PDF)
- The New HIPAA Rule Expands Patient Privacy
- Summary of the HIPAA Privacy Rule (PDF)
- Overview of the HIPAA Final Privacy Regulations
HIPAA Complaints and Violations
In the event of a violation of the HIPAA law, patients are given options to seek recourse. This primarily involves contacting the Office for Civil Rights (OCR) of the Department of Health and Human Services. The OCR has the authority to investigate allegations of HIPAA violations and to enforce the law, particularly the Privacy and Security Rules. Affected parties must file a written, detailed complaint, either on paper through the U.S. Mail, by fax, by email, or through the OCR's online complaint portal, within 180 days of learning of the incident, although the OCR may extend the deadline for good cause. HIPAA also forbids retaliation against, or harassment of, those who file complaints. Penalties for HIPAA violations can include substantial civil fines, and in the case of knowing or willful violations, criminal prosecution by the Department of Justice that can result in imprisonment. Because HIPAA sets a federal floor rather than a ceiling, states may impose additional penalties under their own, stricter medical privacy laws. For instance, California allows additional fines, such as up to $250,000 for disclosure of a person's medical information for financial gain, and also allows affected parties to file a civil lawsuit.