This paper examines the Health Insurance Portability and Accountability Act (HIPAA) of 1996, tracing its legislative origins and the development of its Privacy and Security Rules under the Department of Health and Human Services. The paper covers the initial resistance from healthcare organizations, enforcement milestones, and the steps required for effective implementation. It also analyzes the major flaws identified in HIPAA's privacy protections, the act's broad impact on healthcare providers, patients, IT infrastructure, and society at large, and concludes with a forward-looking assessment of national health information privacy legislation in the United States.
The passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996 gave some hope that the legal environment would become better defined for healthcare providers. HIPAA is a monumental act that attempts to address and incorporate all three issues (privacy, confidentiality, and security) within one law. When HIPAA was passed, many applauded the portability aspects of the act, which allowed for continuing healthcare coverage for individuals who lost their jobs and attendant health insurance. Few in 1996, however, anticipated the dramatic impact that HIPAA would later have on the privacy and security of patients' health information in the United States.
HIPAA legislation was passed in 1996. Title I of the regulation dealt with the health insurance coverage of the public and their immediate family members when they lost their jobs. Title II of HIPAA concerned "administrative simplification," which required Congress in future years to establish standards and rules for the electronic transmission of health information, as well as for the privacy and security of that information, before 1999 (HIPAA, 1996). Within the legislation itself, Congress imposed a deadline on itself to provide for health privacy and security under the administrative simplification provisions. Congress did not act in a timely manner, and under a fallback provision included in HIPAA, authority to create such rules eventually transferred to the United States Department of Health and Human Services (HHS). In 1999, HHS was charged through HIPAA with creating broad federal rules to protect health information privacy and security. Consequently, on December 28, 2000, HHS issued proposed rules for healthcare privacy in America, referred to as the HIPAA Privacy Rules.
The new proposed HIPAA Privacy Rules were initially met with heated resistance from the healthcare provider community. The American Hospital Association claimed that the rules would be burdensome and would increase costs and paperwork in the form of consents, authorizations, and other compliance requirements (HIPAA, 1996). The American Association of Physicians and Surgeons filed a federal lawsuit in Houston, Texas, to block the implementation of the Privacy Rules, arguing that the rules would impose undue hardship on physicians and physician practices and increase costs with no real benefit. Eventually, after significant revision to the proposed Privacy Rules, the lawsuits and lobbying efforts ceased, and attention turned toward reluctant compliance. Compromises were reached with HHS, revisions were made to the Privacy Rules, and a new compliance date was set for April 14, 2003. The Security Rules went into effect on April 21, 2005 (Erikson & Miller, 2005).
HIPAA changed the way patient information is documented, retained, stored, and shared among healthcare professionals (HIPAA, 1996). The regulation also modified the way people are insured and compensated. HIPAA legislation was intended to:
HHS designated the Office for Civil Rights (OCR) as the enforcer of the HIPAA Privacy Rules. OCR quickly indicated that it would emphasize assisting providers in moving toward voluntary compliance rather than immediately imposing penalties for violations. Within one year of enactment, over 4,755 complaints were filed with OCR for privacy violations. A year later, that number had grown to over 10,785 complaints. HHS noted that the majority of complaints related to impermissible use of patient health information.
Other than certain high-profile cases, HIPAA privacy enforcement was relatively low-key during the first six years of the Privacy Rules (Buckovich, 2000). Over time, most healthcare providers in the United States fully embraced the HIPAA Privacy and Security Rules, and HIPAA has generally been recognized as a key law for the protection of patients. The initial reluctance to comply has largely been replaced with a desire for full HIPAA compliance — even as a public relations tool to foster goodwill with patients. As new healthcare providers have entered the workforce, however, some HIPAA compliance programs have gathered dust or have not been adhered to as strongly as before, particularly given the relatively mild enforcement record of the Privacy and Security Rules to date (Wills, 2002).
That trend appears to be changing. More and more providers have become aware that HIPAA privacy and security compliance is more important than ever, especially in light of changes introduced through the HITECH Act and the proliferation of electronic health records (EHRs).
"Unresolved issues and requirements for effective implementation"
"Key flaws identified in HIPAA's privacy protections"
"Effects on providers, patients, and information technology"
Healthcare providers have come a long way in protecting PHI, and with the advent of EHRs they will likely have to remain diligent in enforcing their HIPAA compliance plans. Eventually, healthcare providers will realize that patients value their privacy, and that efforts to maintain privacy protocols through the HIPAA Privacy and Security Rules actively promote the sound delivery of healthcare amid ongoing technological change.