While it helps to know how HIPAA developed, it is more important to realize that all phases are now active. By understanding the cumulative effect of all of the privacy and security laws on your practice you can avoid costly fines and penalties.
Where Did These Laws Come From?
Most of the fines dealing with the loss of control of Protected Health Information are an effect of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The original HIPAA rules were upgraded in 2006, sometimes called the HIPAA Administrative Simplification (AS) rules or HIPAA II. HIPAA was upgraded again in 2009 with the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
HIPAA Title I mandated protection for health insurance coverage for workers and their families when they change or lose their jobs.
HIPAA Title II, called Administrative Simplification (AS):
- Mandated national standards for electronic health care transactions;
- Required national identifiers for providers (NPI numbers), health insurance plans, and employers;
- Mandated the security and privacy of health data.
A major thrust of HIPAA was to encourage the widespread use of electronic data interchange in the U.S. health care system, in order to improve its efficiency and effectiveness.
The American Recovery and Reinvestment Act of 2009 contained a strong adjunct to HIPAA called the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Subtitle D of HITECH addresses the privacy and security concerns that are part of the electronic transmission of health information. From the providers’ perspective, HITECH adds teeth to HIPAA, and extends the privacy and security provisions of HIPAA beyond the providers to the Business Associates of Covered Entities. HITECH also introduced stiff penalties for data breaches, including provisions that require a covered entity to notify CMS and patients if a loss of data occurs.
HIPAA Then vs HIPAA Now
The reach and scope of HIPAA laws are expanding. They once applied mainly inside the office, to email and electronic file transfer. Now they guard Protected Health Information (PHI) from the initial visit through record storage, and beyond. This table shows the change in HIPAA rules between their inception and the present: