History of HIPAA

The History of HIPAA – The issues that led to the legislation. A Timeline HIPAA History.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 in response to several issues facing health care coverage, privacy, security, and fraud in the United States.

The Need for Uniformity
Before HIPAA, rules and regulations lacked consistency, varied by state, and were fragmented among government organizations. There was confusion as to which regulations were applicable – the rules in the states where they were doing business or where the organization was based. There was also no uniformity between state and federal requirements.

With regard to privacy, there were numerous uncoordinated federal acts which addressed privacy in some form. Prior to HIPAA, there was no standard authority for enforcement of fraud and abuse that applied to state and federal health care programs.

Need for Privacy and Security Standards
Congress recognized the increased use of electronic technology, the potential for abuse or compromise, and the need to establish security and privacy standards for it. We have all heard news stories about electronic information being mistakenly lost, stolen, or inadvertently sent to the wrong place.

The risks were much higher if electronic patient information were compromised with the way information is frequently sent electronically in today’s world. There’s also the need to establish requirements for how and when a persons health information is disclosed – a HIPAA Privacy Standard.

The HIPAA Security Standard complements or is a sub-set of the Privacy Standard. It provides guidelines to how Protected Health Information is handled to prevent compromises to its security. This includes standards on administrative, physical, and technical safeguards for electronic health information.

Congress deferred the responsibility for implementing HIPAA regulations to the Department of Health and Human Services. DHHS established a schedule for implementation.

Implementation Cost
In the period just before the HIPAA Privacy and Security Acts was enacted, medical practices and centers were directed to become compliant. DHHS warned of potentially severe penalties for non compliance, many practices and turned to HIPAA consultants.

These consultants were very familiar with the history of HIPAA and the details of the requirements. They reviewed practice procedures and operations to make sure providers and staff were compliant. Not only do providers have to contend with the cost of updating their systems, they also have to deal with the legal burden of HIPAA when reimbursement from insurance payers is decreasing.

Here’s a Timeline History of HIPAA:

(For a definition of acronyms you don’t recognize on the History of HIPAA page, see the Medical Billing Terms page.)

January 1, 2012 – HIPAA X12 standards Version 5010 compliance date. These standards are for the electronic transmission of certain health care transactions. Health care providers, health plans, and clearinghouses are required to conform. These standards are necessary to prepare for the implementation of ICD-10-CM scheduled for October 1, 2013.

May 23, 2008 – National Provider Identifier Compliance Deadline for Small Health Plans and the end of NPI Contingency Period.

May 23, 2007 – National Provider Identifier Compliance Deadline.

April 21, 2005 – Security Compliance Deadline.

July 30, 2004 – Standard Unique Employer Identifier compliance deadline.

October 16, 2003 – Transaction and Code Sets – expected date of compliance for small health plans and covered entities that filed a compliance plan to delay implementation.

August 15, 2003 – Interim Final Rule: Electronic Submission of Medicare Claims published.

April 16, 2003 – Interim Final Rule: Civil Money Penalties Procedures published.

April 14, 2003 Privacy compliance deadline.

February 20, 2003 – Security Standards published.

February 20, 2003 – Modifications to Transactions and Code Sets Regulation and Implementation Guide Addenda Published.

October 16, 2002 – Transaction and Code Sets – expected date of compliance for covered entities that did not file a compliance plan to delay implementation.

August 14, 2002 – Final modifications to the Privacy Rule published.

May 31, 2002 – CMS announced the adoption of the EIN as the standard unique identifier for employers in the filing and processing of health care claims and other transactions.

December 28, 2000 – Privacy Final Rule Published.

August 17, 2000 – Transaction and Code Sets Final Rule Published.

February 21, 2000 – Deadline for DHHS Secretary to publish privacy standards for individually identifiable health information.

February 17, 2000 – Extended deadline for comment period on Privacy Standards for Individually Identifiable Health Information.

January 3, 2000 – 60 day comment period on Privacy Standards for Individually Identifiable Health Information ends.

November 3, 1999 – Privacy Standards for Individually Identifiable Health Information is published in Federal Register.

October 29, 1999 – Clinton Administration Announces Proposed Rules –Privacy Standards for Individually Identifiable Health Information.

August 21, 1999 – Deadline for Congress to enact legislation governing the privacy of individually identifiable health information standards. Because Congress failed to meet the deadline, HIPAA requires the Secretary of Health and Human Services to promulgate such standards by regulation.

November 3, 1999 – Privacy NRPM (Notice of Proposed Rule Making) published.

August 12, 1998 – Security NRPM published.

June 16, 1998 – National Employer Identifier NRPM published.

May 7, 1998 – National Provider Identifier NRPM publishedTransactions and Code Sets NRPM published.

Visit our HIPAA Laws page for more information on HIPAA.

Return from History of HIPAA to HIPAA Laws