Last month, HIPAA turned 20 years old. When the Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996, its goals were extensive.
The Act sought to "improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes."
Now, two decades later, HIPAA has certainly evolved and grown even more complex. Here's a brief look at what has changed and where we stand today.
The introduction of HIPAA in 1996 was just the start of a steady stream of legislative change. In 2000, the HIPAA Privacy Rule was passed to extend greater protection to patients and their personal health information (PHI). It outlined how covered entities could use and disclose PHI.
In 2003, the adoption of the HIPAA Security Rule created national standards regarding the creation, use, and transmission of patients' electronic PHI. These standards required the implementation of administrative, physical, and technical safeguards to ensure secure and confidential handling of ePHI.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced in 2009 to encourage the meaningful use of health information technology. It also expanded on the privacy and security standards, making them applicable to business associates of covered entities. A tiered system of civil and criminal penalties for HIPAA violations was outlined as well, based on increasing levels of culpability. Finally, covered entities were required to begin reporting data breaches to affected individuals, the media, and the U.S. Department of Health and Human Services (HHS), though reporting obligations varied based on the size of the breach. Business associates were required to begin reporting breaches directly to the covered entity.
In early 2013, the Final Omnibus Rule was passed, representing the most significant changes to the HIPAA Privacy and Security Rules since they were first implemented. Business associates, including contractors and subcontractors, became subject to additional guidelines, while penalties for non-compliance were increased to a maximum of $1.5 million per violation. The Omnibus Rule also provided additional ways for patients to protect their PHI. For example, patients paying for medical services with cash would now be able to instruct their provider not to share treatment information with their health plan.
HIPAA Today and Beyond
Overall, these incremental changes have strengthened our ability to protect PHI, improving patient privacy along with data and system security. Despite all of these regulations, though, HIPAA still doesn't provide a hard-and-fast, step-by-step path to compliance.
And living in the digital age, we remain incredibly vulnerable to breaches, particularly from cyberattacks and the loss or theft of mobile devices. That's why completing an annual HIPAA risk assessment — at a minimum — is imperative. A thorough assessment can identify those organizational weaknesses that may make you a prime target for an attack and resulting data breach. Not to mention, it can save you thousands or even millions in fines.
HIPAA has undergone tremendous change over the past 20 years. Its evolution is likely to continue as our healthcare landscape transforms in the years to come.
Which HIPAA regulatory change has impacted your practice or facility the most? Please join the conversation below.