HIPAA’s History and Violations: Why HIPAA Was Created

HIPAA history, compliance, and regulations

HIPAA was enacted in 1996 with the goal of making health care in America more streamlined, efficient, and secure. This article discusses the history of HIPAA, breaks the law down into its component parts, and gives insight into how to comply. Watch the video below or use the transcript to jump to the section you are interested in.

Video Transcription

Why HIPAA Was Created

HIPAA’s History

Originally known as the Kennedy-Kassebaum Bill, the Health Insurance Portability and Accountability Act, or HIPAA, is a set of regulations that became law in the mid-1990s.

Why HIPAA’s Important

HIPAA is a set of health care regulations with a two-pronged purpose:

  • Help patients’ health insurance move with them and streamline the transfer of medical records from one health care institution to another
  • Create standards for managing medical records to protect and enforce patients’ right to have their medical records and personal health information (PHI) kept private


HIPAA: When and Why

Why Healthcare Needed HIPAA

The roots of HIPAA stem from the 1990s when it first became apparent that the healthcare industry would become more efficient by computerizing medical records.

When HIPAA was passed in 1996, it included standards and rules that focused on regulating healthcare data management in terms of the portability of patient health information and the protection of a patient’s right to medical privacy.

HIPAA’s Timeline

    1. In 1996 HIPAA was enacted by Congress
    2. In 2000 the Transaction and Code Sets Rule was added
    3. In 2000 Congress passed the Privacy Rule
    4. In 2003 the Security Rule took effect
    5. In 2006 the Enforcement Rule was enacted
    6. In 2006 the National Provider Identifier (NPI) Rule was added

HIPAA Historical Timeline

Born of concerns about protecting patient privacy, HIPAA was passed by Congress and signed by President Bill Clinton in 1996.

HIPAA’s Regulations

Titles of HIPAA

HIPAA is a series of regulations governing the transfer of medical information—particularly its modernization with growing use of electronic health record (EHR) systems.

To specifically address the issues of privacy rights and health insurance portability for patients, HIPAA is broken up into multiple titles.


HIPAA Title I is known as “Health Care Access, Portability, and Renewability” and deals with health care plans and policies.

Title I regulates the amount of “exclusion period”, or time, that health insurers can delay coverage for pre-existing conditions, and gives options for policyholders to reduce the exclusion period.

Title I also enables people to carry their insurance from one job to the next.


Title II is the Administrative Simplification (AS) provisions and is otherwise known as “Preventing Health Care Fraud and Abuse.”

Title II is made up of the five separate rules that have been added to HIPAA over time:

    • Privacy Rule
    • Transactions and Code Sets Rule
    • Security Rule
    • National Provider Identifiers Rule
    • Enforcement Rule

Privacy Rule

The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities” (examples include employer-sponsored health plans and health insurers).

As the name implies, it sets requirements for covered entities to keep PHI private, but with the Omnibus Rule update in 2013, HIPAA now also applies to the independent contractors employed by covered entities, otherwise known as “business associates.”

Transactions and Code Sets Rule

The Transactions and Code Sets Rule was intended to improve the efficiency of the American healthcare system by standardizing health care transactions.

By requiring all health plans to engage in healthcare transactions in a standardized way, this set of standards helps to simplify healthcare transactions across the industry.

Security Rule

The HIPAA Security Rule goes hand-in-hand with the Privacy Rule in terms of protecting patient information.

While the Privacy Rule covers both paper and electronic PHI, the Security Rule specifically addresses keeping Electronic Protected Health Information (EPHI) secure.

To comply with the Security Rule, three types of EPHI security safeguards are required: administrative, physical, and technical.

National Provider Identifier Rule

The National Provider Identifier (NPI) Rule builds on other HIPAA rules for improving the efficiency of healthcare transactions.

Under NPI, all covered entities using electronic communications (such as physicians, hospitals, and health insurance companies) must use a single new NPI number that is unique to the provider.

With the NPI Rule, healthcare providers who complete electronic transactions and large health plans like Medicare are only allowed to use NPI numbers to identify covered providers.

Enforcement Rule

In 2006 the final HIPAA rule, the “Enforcement Rule”, was passed to address HIPAA enforcement by setting civil money penalties and investigation procedures for HIPAA violations.

Until then, there had been relatively few violation prosecutions, but after the Enforcement Rule the number increased drastically. As of 2013, the HHS had investigated 19,306 noncompliance cases.

HIPAA Compliance

Medical Record Retention

Record type and required retention period:

  • Diagnostic Images (Adults): 5 years
  • Diagnostic Images (Minors): 5 years after age of majority
  • Patient Health/Medical Records (Adults): 10 years after latest encounter
  • Patient Health/Medical Records (Minors): Age of majority plus statute of limitations
  • Disease Index: 10 years
  • Master Patient/Person Index: Permanently
  • Operative Index: 10 years
  • Physician Index: 10 years
  • Fetal Heart Monitor Records: 10 years after age of majority
  • Register of Births: Permanently
  • Register of Deaths: 50 years after death
  • Register of Surgical Procedures: Permanently

Compliance Requirements

To comply with all of HIPAA’s different patient privacy regulations, there are several steps that healthcare providers and insurance companies have to take:

  • Companies must have a HIPAA Compliance Officer who has taken a HIPAA compliance course. This person is responsible for staying on top of HIPAA requirements and company compliance.
  • Employees need to be kept up to date on policies that pertain to the organization. This may also require ongoing training for the staff.
  • To safeguard patient data against unauthorized access and disclosure, HIPAA requires implementing security measures that are adequate to prevent physical and network-based intrusions.
  • In the event of a security breach, organizations are required by law to report the incident and to inform those patients and individuals whose information may be affected.


HIPAA Non-Compliance

Pay the Price for Noncompliance

Each violation category carries a minimum penalty (per violation, with an annual maximum for repeat violations) and a maximum penalty (per violation, with an annual maximum):

  • Unknowing violation: minimum $100 per violation, annual maximum of $25,000 for repeat violations; maximum $50,000 per violation, annual maximum of $1.5 million
  • Violation from reasonable cause: minimum $1,000 per violation, annual maximum of $100,000 for repeat violations; maximum $50,000 per violation, annual maximum of $1.5 million
  • Violation due to willful neglect: minimum $10,000 per violation, annual maximum of $250,000 for repeat violations; maximum $50,000 per violation, annual maximum of $1.5 million
  • Violation due to willful neglect, not corrected: minimum $50,000 per violation, annual maximum of $1,000,000 for repeat violations; maximum $50,000 per violation, annual maximum of $1.5 million

HIPAA Compliant Medical Record Storage: Top Options

There are several medical record storage and management options a practice can take to comply with HIPAA laws and regulations, including:

  • Offsite Medical Records Storage: Records are kept at a pre-screened, HIPAA-compliant storage facility. All records are guarded and protected from fire and flood damage, and some facilities also manage retention
  • Medical Record Scanning: A HIPAA and HITECH-compliant medical records imaging process scans and digitizes medical records and other files. Optical character recognition (OCR) and document redaction options are also available
  • Electronic Medical Record (EMR) Software: Electronic medical records replace patient records and charts. With digital copies, medical practices can more easily track, distribute, and organize records and streamline their day-to-day processes
  • Electronic Health Records (EHR) Systems: A server or cloud-based document management system for storing EMRs, EHRs are more general patient medical records that are designed to be shared with multiple providers in order to simplify tracking overall patient history and prevent miscommunications between providers


Need HIPAA-Compliant Medical Record Storage?

Find options for medical records storage, scanning, and EMR/EHR systems with a nationwide network of pre-screened providers with Record Nations. Call us today at (866) 385-3706 or fill out the quote form for free quotes on medical records storage and scanning services in your area.