Intro to HIPAA & HIPAA History

Intro to The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted to improve the efficiency and effectiveness of the U.S. healthcare system. A core component of HIPAA is the Administrative Simplification provisions, which required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.

Crucially, Congress recognized that advances in electronic technology could erode the privacy of health information, and so mandated federal privacy protections for individually identifiable health information.

HIPAA Rules & Their History

The key components of the HIPAA Rules include:

  1. The Privacy Rule: This rule establishes national standards to protect individuals' medical records and other individually identifiable health information (known as protected health information, or PHI). The Privacy Rule sets limits on how PHI may be used and disclosed without an individual’s authorization and grants individuals rights, such as the right to examine and obtain copies of their health records.
    1. The proposed Privacy Rule was released on November 3, 1999.
    2. The final Privacy Rule was published on December 28, 2000, and later modified on August 14, 2002.
    3. Compliance was generally required by April 14, 2003 (April 14, 2004, for small health plans).
    4. The Office for Civil Rights (OCR) is responsible for enforcing the Privacy Rule.
  2. The Security Rule: This rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). It requires covered entities (health plans, health care clearinghouses, and certain health care providers) and business associates to implement reasonable and appropriate administrative, physical, and technical safeguards.
    1. The final Security Rule was published on February 20, 2003.
    2. Compliance was generally required by April 20, 2005 (April 20, 2006, for small health plans).
  3. The Enforcement Rule: This rule provides the standards for the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules and outlines procedures for investigations and hearings.
  4. The Breach Notification Rule: This rule, codified at 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. It was first issued as an interim final rule in August 2009 under the HITECH Act and was finalized as part of the 2013 Omnibus Final Rule.
  5. HITECH Act: HIPAA was significantly strengthened and expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in February 2009 as part of the American Recovery and Reinvestment Act. HITECH provisions included extending the Security Rule safeguards, and the resulting civil and criminal liability, directly to business associates; introducing breach notification requirements; and establishing tiered civil money penalties.
  6. The Omnibus Rule: Finalized on January 25, 2013 (effective March 26, 2013, with a general compliance date of September 23, 2013), the Omnibus Rule implemented a number of HITECH provisions, further strengthened the privacy and security protections, and finalized the Breach Notification Rule.

Governing Bodies

U.S. Department of Health and Human Services (HHS)

Website: https://www.hhs.gov/

The Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are central to the administration and enforcement of HIPAA.

HHS is the cabinet-level federal department responsible for issuing the HIPAA Rules.

  • Rule Adoption and Standards: HIPAA's Administrative Simplification provisions required the Secretary of HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.
  • Rule Publication: HHS published the final Privacy Rule in December 2000 (later modified in August 2002). HHS also published the final Security Rule in February 2003.
  • Enforcement Oversight: The Privacy Rule requires a covered entity to disclose protected health information (PHI) to HHS when the Department requires it for a compliance investigation, compliance review, or enforcement action.
  • Reporting: The HITECH Act requires the Secretary of HHS to prepare and submit an annual report to Congress regarding compliance with the Privacy and Security Rules. The Secretary must also submit annual reports on the number and nature of breaches reported to the Secretary and the actions taken in response.
  • Waiver Authority: When the President declares an emergency or disaster and the Secretary of HHS declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain Privacy Rule provisions. The waiver is limited in scope and duration; the Privacy Rule itself remains in effect.

Office for Civil Rights (OCR)

Website: https://www.hhs.gov/ocr/index.html

The Office for Civil Rights (OCR) is the body within HHS that is primarily responsible for implementing and enforcing the core components of HIPAA.

  • Primary Enforcement Role: OCR is responsible for administering and enforcing the Privacy Rule and the Security Rule. OCR's enforcement role for the Privacy Rule began on April 14, 2003, for most covered entities. Enforcement of the Security Rule, originally handled by the Centers for Medicare & Medicaid Services (CMS), was delegated to OCR on July 27, 2009.
  • Enforcement Methods: OCR enforces the Privacy and Security Rules in several ways, including investigating complaints filed with the office, conducting compliance reviews, and performing education and outreach. OCR also seeks corrective actions and may impose civil money penalties (CMPs) for noncompliance.
  • Audits: OCR oversees the HIPAA Audit Program, which fulfills the HITECH Act's requirement that HHS periodically audit covered entities and business associates for compliance with the Privacy, Security, and Breach Notification Rules.
  • Guidance and Support: OCR provides extensive guidance materials and technical assistance to the public regarding the HIPAA Rules. For example, OCR announced a proposed rule in December 2024 (published in the Federal Register in January 2025) to update the HIPAA Security Rule and strengthen cybersecurity requirements for ePHI. OCR also provides resources to help regulated entities defend against cyberattacks, including video presentations, educational papers, and assistance tools.
  • Other Delegated Authority: OCR is also responsible for enforcing the confidentiality protections of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), which covers "patient safety work product" and allows OCR to impose civil money penalties for impermissible disclosures of that information.
  • Breach Reporting: Covered entities are responsible for timely notification of affected individuals and the HHS Secretary following a breach of unsecured PHI (and of prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction); OCR sets the guidelines for this reporting. Breaches affecting 500 or more individuals must be reported to the Secretary without unreasonable delay and no later than 60 days after discovery; smaller breaches may be logged and reported annually. Covered entities notify the Secretary by submitting the breach report form on the HHS website. OCR verifies reports of breaches affecting 500 or more individuals before posting them on the HHS Breach Portal.

Additional Resources