Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the United States Congress and signed by President Bill Clinton in 1996. Its intended purpose was "to improve portability and continuity of health insurance coverage in the group and individual markets; to combat waste, fraud, and abuse in health insurance and health care delivery; to promote the use of medical savings accounts; to improve access to long-term care services and coverage; [and] to simplify the administration of health insurance."
In 1994, U.S. President Bill Clinton attempted to overhaul the national health care system but didn't receive the support he needed. In 1995, Senators Nancy Kassebaum (R-KS) and Edward Kennedy (D-MA) introduced a comparatively pared down proposal called the Health Insurance Reform Act of 1995 (S 11028), later referred to informally as the Kassebaum/Kennedy Bill. The proposal called for health insurance portability for employees, medical savings accounts, increased deductibility of health insurance for the self-employed, and tax breaks for long-term care insurance. The legislation successfully made it out of the Senate Labor and Human Resources Committee on August 2, 1995, only to be stalled "because of opposition from conservative senators who shared industry concerns over the group-to-individual portability provisions."
With desire to get some sort of health care reform legislation passed, Clinton referenced the stalled bill in his January 1996 State of the Union address on several occasions. Though some feared the ploy by Clinton would ultimately sink the bill, it inevitably resulted in bipartisan cooperation so no one side could take credit for the bill. On February 7, 1996, the two parties agreed to further discuss the legislation in the House and Senate. This resulted in several events: the House of Representatives created an alternative bill (HR 3103) that drew on characteristics of S 11028, passing on March 28; the Senate passed a version of the original S 11028 on April 23 but without controversial attachments like medical savings accounts. However, differences between the House and Senate bills caused problems. "The House bill, for example, included provisions allowing for medical savings accounts, a limit on monetary damages in medical malpractice lawsuits and a reduction in states' authority to regulate health insurance purchasing pools created by small businesses." Additionally, a provision on mental health coverage was found on the Senate bill that was omitted from the House version. It took several weeks of debating to make concessions on these topics.
A Republican-led compromise was offered on June 10, however debate raged on. It wasn't until a July 25 compromise between Kennedy and Ways and Means Committee Chairman Bill Archer (R-TX) on medical savings accounts that momentum shifted. Provisions on mental illness and medical malpractice were eventually dropped from the proposal on July 31, with both House and Senate agreeing on the final version on August 1 and August 2 respectively. On August 21, 1996, the legislation was signed into law by President Clinton and codified as Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The administrative simplification provisions in HIPAA meant more work had to be done in regards to the legislation. The U.S. Department of Health and Human Services (HHS) began work on the HIPAA Privacy Rule in 1999, "which set out detailed regulations regarding the types of uses and disclosures of personally identifiable health information that are permitted by the covered entities." However, large volumes of comments and Executive branch changes in 2000 slowed the process down. Several more years of corrections and requests for comments followed, culminating in the release of the Final Rule on August 14, 2002 as 45 CFR Part 160 and Subparts A and E of Part 164. Most health plans were expected to be in compliance by April 14, 2003, though some exceptions existed.
Despite the Privacy Rule, many still argued that the legislation wasn't suitable enough to prevent mishandling of personal health information and that it was impeding research. These concerns mixed with few incidents of enforcement in the first few years after the 2003 compliance date prompted additional review by the HHS. On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement, to be effective March 16, 2006.
Additional updates to the enforcement rule came with the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, enacted on February 17, 2009. The Act added "several provisions that strengthen the civil and criminal enforcement of the HIPAA rules" by adding categories of violations and tier levels of penalty amounts. HIPAA and the HITECH statutes were further revised in January 2013 (effective March 26, 2013) "to strengthen the privacy and security protection for individuals’ health information," update the Breach Notification Rule, "strengthen the privacy protections for genetic information," and revise other portions of HIPAA rules "to improve their workability and effectiveness."
HIPAA is divided into five titles, each with their own subtitles:
Title I: Health Care Access, Portability, and Renewability
- Subtitle A - Group Market Rules
- Subtitle B - Individual Market Rules
- Subtitle C - General and Miscellaneous Provisions
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Subtitle A - Fraud and Abuse Control Program
- Subtitle B - Revisions to Current Sanctions for Fraud and Abuse
- Subtitle C - Data Collection
- Subtitle D - Civil Monetary Penalties
- Subtitle E - Revisions to Criminal Law
- Subtitle F - Administrative Simplification
- Subtitle G - Duplication and Coordination of Medicare-Related Plans
Title III: Tax-Related Health Provisions
- Subtitle A - Medical Savings Accounts
- Subtitle B - Increase in Deduction for Health Insurance Costs of Self-Employed Individuals
- Subtitle C - Long-Term Care Services and Contracts
- Subtitle D - Treatment of Accelerated Death Benefits
- Subtitle E - State Insurance Pools
- Subtitle F - Organizations Subject to Section 833
- Subtitle G - IRA Distributions to the Unemployed
- Subtitle H - Organ and Tissue Donation Information Included With Income Tax Refund Payments
Title IV: Application and Enforcement of Group Health Plan Requirements
- Subtitle A - Application and Enforcement of Group Health Plan Requirements
- Subtitle B - Clarification of Certain Continuation Coverage Requirements
Title V: Revenue Offsets
- Subtitle A - Company-Owned Life Insurance
- Subtitle B - Treatment of Individuals Who Lose United States Citizenship
- Subtitle C - Repeal of Financial Institution Transition Rule to Interest Allocation Rules
Title I of HIPAA contains three subtitles that protect health insurance coverage for workers and their families when they change or lose their jobs.
Title II of HIPAA contains seven subtitles. One of the most important for expanding HIPAA is Subtitle F, the Administrative Simplification (AS) provisions, requiring the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title II also addresses the security and privacy of health data, with the intent of improving the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
Title III of HIPAA modifies the Internal Revenue Code (IRC) to revise available tax deductions for health insurance, clarify how pre-tax money could be applied health payments, and regulate long-term care services and how they're contracted. Other tax-related issues like IRA distribution and organ donor tax refund payments are covered by this title, in total spread out over eight subtitles.
Title IV of HIPAA modifies both the IRC and the Public Health Service Act (PHSA) to describe requirements for and enforcement of how group health plans could legally manage and cover patients' pre-existing conditions as well as their continuation of coverage. This information is supplied over two subtitles.
Title V of HIPAA contains three subtitles that amend the IRC concerning miscellaneous issues such as interest deductions on loans related to company-owned life insurance, how individuals who lose their U.S. citizenship shall be treated tax-wise, and the removal of certain limitations on interest allocation.
On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule set civil money penalties for violating HIPAA rules and established procedures for investigations and hearings for HIPAA violations. Before the enforcement rule, the deterrent effects of the legislation seemed negligible, with few prosecutions for violations. Enforcement operations were ratcheted up further with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which greatly increased the financial penalties that could be applied to entities in non-compliance.
By the end of 2014, the U.S. Department of Health and Human Resources (HHS) reported investigating 106,522 HIPAA complaints against national pharmacy chains, major health care centers, insurance groups, hospital chains and other small providers since April 2003. The HHS reported 23,314 of those cases had been resolved by requiring changes in privacy practice or by corrective action. 10,566 cases were investigated and found that HIPAA was followed correctly. Another 68,412 cases were found to be ineligible for enforcement because, for example, a violation occurred before HIPAA became effective, a case was withdrawn by the pursuer, or an activity did not actually violate the rules.
According to the HHS, the most commonly investigated compliance issue, by order of frequency, have been:
- incorrectly used or revealed protected health information (PHI);
- insufficient protection mechanisms for PHI;
- insufficient mechanisms for patients to access their PHI;
- insufficient administrative protections and tools for managing electronic PHI; and
- usage and disclosure of more PHI than minimally necessary.
The HHS also stated the entities most likely to be responsible for infractions, by order of frequency, have been:
- private practices;
- general hospitals;
- outpatient facilities;
- pharmacies; and
- health plans (group health plans and health insurance issuers).
The enactment of HIPAA caused major changes in the way physicians and medical centers operate. The complex legalities and potentially stiff penalties associated with HIPAA, as well as the increase in paperwork and the cost of its implementation, were causes for concern among physicians and medical centers. Many of those concerns were expressed in an August 2006 paper published in the journal Annals of Internal Medicine. It mentioned a University of Michigan study that demonstrated how the implementation of the HIPAA Privacy rule resulted in a drop from 96 percent to 34 percent in the proportion of follow-up surveys completed by study patients being followed after a heart attack.
By 2013, views on the impact of HIPAA were mixed. Leon Rodriguez, director of the HHS' Office for Civil Rights said of HIPAA:
Whereas many thought HIPAA would "bankrupt" healthcare, shut down research, and otherwise paralyze the industry, instead the industry has learned the benefits of the transaction and code set standards through the ease of electronic transactions. And the balance of the [HIPAA] Privacy and Security protections have paved the way to real benefits for consumers through greater access to quality care.
In an article for the Houston Chronicle, writer and business consultant Lisa Dorward stated the following for patients requesting personal health information:
Direct cost to patients is minimal; health care institutions can charge the patient only for copying and postage costs for delivery of the documents. On the other hand, costs to health care providers are high and can strain already overburdened budgets. Some clinics and hospitals have had to reconstruct or remodel existing registration areas to comply with HIPAA's privacy regulations.
Writing for the Loyola Consumer Law Review, attorney and legal writer Anna Colvert wrote:
Generally, HIPAA is considered a step in the right direction regarding patient privacy, and it has resulted in more descriptive and detailed privacy policies; however, it has not improved the online privacy practices of these organizations. While HIPAA is a solid foundation in protecting patients’ healthcare information there is more work to be done..."
A May 2013 Computerworld reported on a survey conducted by the Ponemon Institute that found 51 percent of respondents believed "HIPAA compliance requirements can be a barrier to providing effective patient care" and 59 percent "cited the complexity of HIPAA requirements as a major barrier to modernizing the healthcare system."
Audit guidelines and checklist
For those auditing computer systems and IT environments for their compliance with the Health Insurance Portability and Accountability Act and other regulations, a set of guidelines and checklist items may be useful.
Click the link above for the full set of guidelines and checklist items as they relate to HIPAA.
- "Public Law 104 - 191 - Health Insurance Portability and Accountability Act of 1996". U.S. Government Publishing Office. https://www.govinfo.gov/app/details/PLAW-104publ191.
- "S. 1028 (104th): Health Insurance Reform Act of 1995". GovTrack.us. Civic Impulse, LLC. https://www.govtrack.us/congress/bills/104/s1028.
- "Bill Makes Health Insurance ‘Portable’". CQ Almanac 1996 52: 6-28–6-39. 1997. https://library.cqpress.com/cqalmanac/document.php?id=cqal96-1092479.
- "Public Law 104 - 191 - Health Insurance Portability and Accountability Act of 1996". U.S. Government Publishing Office. https://www.govinfo.gov/app/details/PLAW-104publ191. Retrieved 15 April 2020.
- "Bill Makes Health Insurance ‘Portable’". CQ Almanac 1996 52: 6-28–6-39. 1997. http://library.cqpress.com/cqalmanac/document.php?id=cqal96-1092479. Retrieved 12 February 2015.
- "S. 1028 (104th): Health Insurance Reform Act of 1995". GovTrack.us. Civic Impulse, LLC. https://www.govtrack.us/congress/bills/104/s1028. Retrieved 12 February 2015.
- Hiebert-White, J. (September-October 1996). "Who Won What in the Kassebaum/Kennedy Struggle?" (PDF). Health Progress 77 (5). https://www.chausa.org/docs/default-source/health-progress/health-policy---who-won-what-in-the-kassebaumkennedy-struggle-pdf.pdf. Retrieved 12 February 2015.
- Starr, P. (22 August 1996). "The Signing of the Kennedy-Kassebaum Bill". The Electronic Policy Network. Archived from the original on 29 January 1998. https://web.archive.org/web/19980129180414/http://epn.org/library/signing.html. Retrieved 12 February 2015.
- Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule (2009). Nass, S. J.; Levit, L. A.; Gostin, L. O.. ed. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. National Academies Press. Bookshelf ID NBK9576. https://www.ncbi.nlm.nih.gov/books/NBK9576/. Retrieved 12 February 2015.
- "The Privacy Rule". U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html. Retrieved 15 April 2015.
- Stein, R. (5 June 2006). "Medical Privacy Law Nets No Fines". The Washington Post. https://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672.html. Retrieved 15 April 2020.
- "The HIPAA Enforcement Rule". U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html. Retrieved 15 April 2020.
- "HITECH Act Enforcement Interim Final Rule". U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html. Retrieved 15 April 2020.
- Office for Civil Rights, Department of Health and Human Services (25 January 2013). "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules" (PDF). Federal Register 78 (17). https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf. Retrieved 15 April 2020.
- Solove, D.J. (April 2013). "HIPAA Turns 10: Analyzing the Past, Present and Future Impact". Journal of AHIMA 84 (4): 22–28. https://library.ahima.org/doc?oid=106325. Retrieved 15 April 2020.
- "Enforcement Highlights". U.S. Department of Health and Human Services. 15 January 2015. Archived from the original on 11 February 2015. https://web.archive.org/web/20150211170207/http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html. Retrieved 11 February 2015.
- Wilson, J.F. (2006). "Health Insurance Portability and Accountability Act Privacy Rule Causes Ongoing Concerns among Clinicians and Researchers". Annals of Internal Medicine 145 (4): 313–6. doi:10.7326/0003-4819-145-4-200608150-00019. PMID 16908928.
- "Potential Impact of the HIPAA Privacy Rule on Data Collection in a Registry of Patients With Acute Coronary Syndrome". Archives of Internal Medicine 165 (10): 1125–9. 2005. doi:10.1001/archinte.165.10.1125. PMID 15911725.
- Dorward, L.. "The Positive and Negative Effects of HIPAA Employment Laws". Houston Chronicle. Hearst Newspapers, LLC. https://smallbusiness.chron.com/positive-negative-effects-hipaa-employment-laws-18500.html. Retrieved 15 April 2020.
- Colvert, Anna (2013). "HIPAA'S Influence on Consumers: Friend or Foe?". Loyola Consumer Law Review 25 (4): 431–447. https://lawecommons.luc.edu/lclr/vol25/iss4/6/. Retrieved 15 April 2020.
- Mearian, L. (7 May 2013). "HIPAA rules, outdated tech cost U.S. hospitals $8.3B a year". Computerworld. Computerworld, Inc. https://www.computerworld.com/article/2496995/hipaa-rules--outdated-tech-cost-u-s--hospitals--8-3b-a-year.html. Retrieved 15 April 2020.