The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. On the occasion of its fifteenth anniversary, The Privacy Advisor takes a closer look.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. As the name indicates, the law was focused on "accountability" and "portability" in the healthcare system, issues that had little or nothing to do directly with privacy or information security. These focuses—designed to "solve" various problems in the healthcare industry—drove the legislation and were passed with very broad support. Beyond these topics, Congress chose to build on this consensus by addressing other, largely unrelated topics in this legislation, affecting portions of the healthcare industry. For example, much of the healthcare fraud enforcement of the past 10 years was driven by various HIPAA proposals.
One of these "add-ons" was the idea (or oxymoron, depending on your perspective) of "Administrative Simplification"—the concept that standardizing certain critical healthcare transactions would improve efficiency and decrease costs. So, Congress mandated a process to develop the technology for these transactions, designed to push the healthcare industry towards a more electronic healthcare system. While there was widespread agreement on the desirability of these transactions, there was a general nervousness (remember, this is the beginning of the Internet era) about moving healthcare to an electronic environment. Accordingly, Congress also wanted to address specific privacy and security concerns, whether by encouragement or by requirement, but really didn't know what to do on these points. So, the HIPAA law itself says very little about privacy and security other than that there should be rules developed on privacy and security. Congress gave itself three years to pass new privacy and security laws (which it then failed to do) and created a fail-safe vehicle dictating that the Department of Health and Human Services (HHS) issue regulations on these points if Congress was unable to pass a privacy or security law.
That's how we ended up with the HIPAA Privacy and Security Rules, creating privacy and security standards for the healthcare industry. HHS was stuck with many of the jurisdictional components of the HIPAA law. For example, Congress decided who would be "covered entities" under any regulations, driven in part by which entities would be transmitting standard transactions (providers and health plans) and which insurers were connected to "portable" health coverage (health insurers rather than all insurers that have healthcare information).
So, the HIPAA statute itself did little specifically on privacy and security other than define the overall landscape of who would be covered. HHS did the rest, creating the broad regulatory structure for both privacy and security and (creatively) expanding the scope where it could apply these principles, primarily through the contractual obligations imposed on business associates.
Three key points to remember from this history: First, if someone says that the HIPAA law said something specific about privacy and security, they're probably wrong. Second, because of this history, the HIPAA statutory restrictions hindered the privacy rules somewhat by ensuring that the privacy rule would not be an overall medical privacy rule. Instead, the rule focuses on certain kinds of information when held by certain entities for certain purposes. Third—and for some, most important—despite more than a decade of constant errors, HIPAA is spelled with only one "p," standing for "portability."