HIPAA Simplified {Part 1 – Timeline & Overview}

Having worked in the healthcare industry for almost a year now, I feel compelled to simplify the requirements of HIPAA compliance. I hope this and the upcoming articles in the series will help you to better understand these requirements.

The purpose of this series is to give an introduction to the Health Insurance Portability & Accountability Act (HIPAA), including its timeline, patient rights, regulatory rules, dealing with HIPAA violations, steps for HIPAA compliance, etc.

Timeline

  • Aug 21, 1996 – US Congress passes the HIPAA Act
  • Apr 14, 2003 – HIPAA Privacy Rule comes into effect. It requires all Covered Entities (CEs) to give patients access to their health information on request, and at the same time places limits on how, when and to whom health records can be disclosed.
  • Apr 2005 – HIPAA Security Rule comes into effect that requires greater controls on keeping the healthcare records secure and confidential.
  • Mar 2006 – HIPAA Enforcement Rule comes into effect. The Office for Civil Rights (OCR) starts issuing financial penalties for entities that fail to implement the requirements of the HIPAA Privacy & Security Rule.
  • Jan 2009 – First fine issued by the OCR for a HIPAA violation
  • Feb 17, 2009 – The Health Information Technology for Economic & Clinical Health (HITECH) Act was introduced as part of the American Recovery & Reinvestment Act.
  • Aug 24, 2009 – Interim breach notification regulations were issued. The Department of Health & Human Services (HHS) introduced new regulations covering data breaches, as demanded by the HITECH Act, that required CEs to report data breaches to the OCR and to notify potential victims of incidents that exposed their personal and protected health information (PHI).
  • Feb 2010 – The HITECH Act came into force and its financial penalties applied.
  • Jul 2011 – A HIPAA privacy complaint filed with the OCR resulted in a federal criminal prosecution.
  • Mar 26, 2013 – Final Omnibus Rule comes into effect, which requires all HIPAA CEs to comply with the new legislation.

But, what is HIPAA?

HIPAA is an acronym for the Health Insurance Portability & Accountability Act. The US healthcare and insurance industries are required to comply with HIPAA to protect protected health information (PHI) and patient rights. Essentially, HIPAA affects nearly every employee working in the healthcare industry.

What is the purpose of HIPAA?

Though HIPAA protects patient information by introducing a number of industry-wide standards for data security, the original intention of HIPAA was to ensure the portability of health insurance for individuals moving between jobs. Since then, it has evolved to include:

  • reducing healthcare fraud
  • gathering information about diseases that can be used for research
  • improving overall efficiency and patient experience in the healthcare industry
  • giving patients more rights over their personal data

To whom does HIPAA apply?

HIPAA comprises several rules that Covered Entities (CEs) and Business Associates (BAs) must follow.

Covered Entities are healthcare providers, health plans, and healthcare clearinghouses.

Business Associates are third-party service providers to the healthcare and insurance industries.

The most important HIPAA rules are the Privacy Rule and the Security Rule. HIPAA applies to all personally identifiable health information, whether held in paper or electronic records. HIPAA requires Physical, Administrative, and Technical safeguards to be in place to protect the data; these safeguards are outlined in the Security Rule.

Where does HIPAA apply?

HIPAA applies to all personally identifiable patient information held by HIPAA-covered entities in the United States and its territories. Unlike the GDPR, which deals only with the information of EU citizens, HIPAA covers all healthcare information collected in the US, including the data of non-US citizens.

P.S. – Part 2 will cover the definitions and terminology in detail.