The Evolution of HIPAA: Part 1
Posted by: Chris Lyons
The Health Insurance Portability and Accountability Act (HIPAA) is a Federal law that governs the requirements placed on healthcare companies (“Covered Entities”) and their service providers (“Business Associates”) and how they must handle Protected Health Information (PHI). HIPAA was originally passed in 1996 and was more focused on the ability of employees to transfer their healthcare data from employer to employer and provider to provider. The law’s requirements centered on the privacy of the data as it flowed through systems, since employees were changing jobs more often and needed a way to move their data while keeping it private. The requirements were extremely basic: they governed how the data could be shared and required accountability for who accessed the data. Upon original passage, the law said very little about the security needed in today’s electronic age.
HIPAA first updated the Security Rule to govern the electronic use of PHI in February 2003. This was the first time requirements for Electronic Protected Health Information (ePHI) were established. The requirements were very vague and were still focused on the physical storage of PHI. This vagueness was on purpose, as the Internet and electronic storage were still relatively new, and it was almost impossible to lay out specific requirements for security. Additionally, the size of the companies affected by this law varied widely (from 1 to 10,000+ records of PHI held by a company). After the passage of this update, changes to the law were limited, as they could only be made through legislative action.
On July 14, 2010, rules were implemented enforcing the Health Information Technology for Economic and Clinical Health (HITECH) Act. These rules included many additional requirements describing how to handle ePHI, including many of the requirements of HIPAA we see today. This update included the requirement that all entities dealing with PHI adhere to the requirements, not just Covered Entities. This amendment also encouraged healthcare entities to update to Electronic Healthcare Records (EHRs). As such, this required additional steps to ensure privacy and security of this information for these healthcare entities. With this encouragement, incentives were added for healthcare entities to adopt electronic records, but additional penalties were adopted for non-compliance as well. This is the act that implemented the Meaningful Use portion of HIPAA.
Breach notification rules were also implemented by the HITECH Act. Many reporting requirements covering the use of EHRs were established at this point, but almost all were later removed due to issues around the electronic adoption of this rule.
The HIPAA Omnibus Rule was passed on January 25, 2013. As of this writing, it is the latest requirement of HIPAA law to have been passed. The Omnibus Rule enacted provisions that make Business Associates (BAs) as responsible for the security and privacy of ePHI as Covered Entities have been for years. Changes in the Rule required that any breach affecting more than 500 records be reported immediately, and they increased reporting requirements, such as reporting to the media and to those affected.
HIPAA requirements have changed, but they are still not prescriptive. HIPAA has both “Required” and “Addressable” components, as well as documented Guidance, which the government also uses, in addition to the laws themselves, to assess HIPAA compliance.
Part 2 of this series will speak to the fluidity of HIPAA and the corresponding challenges to achieving and maintaining HIPAA compliance as a result.
Chris Lyons
Sr. Security Consultant, Compliance,
GuidePoint Security
Chris Lyons, Senior Security Consultant at GuidePoint Security, began his career in the security industry in 1995. His professional experience includes conducting security assessments, specializing in HIPAA, PCI, and HITRUST. He has led and participated in security assessments throughout the world in the banking, commercial, retail, and healthcare industries.
Chris earned a Bachelor of Science degree in Business Administration from Bethel University, a Master’s in Business Administration (MBA) from the University of Phoenix, and a Master’s in Education from Liberty University. He holds several certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), PCI Qualified Security Assessor (QSA), Certified HITRUST Assessor, and Healthcare Certified Information Security and Privacy Practitioner (HCISSP).