By Kara Gainer
Did you know HIPAA (Health Insurance Portability and Accountability Act) recently celebrated its 20th anniversary? As you may recall, President Bill Clinton signed HIPAA into law on Aug. 21, 1996. After having noticed various media outlets reporting on HIPAA’s 20th anniversary, I was prompted to look more closely at the law whose acronym we all are at least somewhat familiar with.
Now, I think we all know that HIPAA protects patients’ health information. But what else does the law do? Who does it cover? HIPAA is much more than a medical privacy and security law. For example, HIPAA allows patients to ask for a copy of their electronic medical record in an electronic form; further, it reduces burden by streamlining individuals’ abilities to authorize the use of their health information for research purposes1.
To fully appreciate HIPAA, it is important to understand the general evolution of HIPAA. Prior to the enactment of HIPAA, there were no generally accepted standards or requirements for protecting health information. However, as the digital revolution progressed, the health care industry began to transition away from using paper forms and non-electronic correspondence to more efficient forms of communication through electronic methods.
Overview of HIPAA
The initial intent of HIPAA was to set standards for transmitting electronic health data and allow people to transfer and continue health insurance after they change or lose a job. Title I of HIPAA protected health insurance coverage for employees and their families when they change or lose employment. Title II contained Administrative Simplification provisions, which required the Secretary of Health and Human Services (HHS) to adopt national standards for electronic transactions for health care providers, health care insurers, and employers, aka HIPAA-covered entities.
What are Covered Entities?
Covered entities are individuals and organizations, including health plans, health care clearinghouses, and health care providers who conduct electronic transactions. If you are curious who specifically qualifies as a covered entity, the Centers for Medicare and Medicaid Services (CMS) has developed a nifty, easy-to-use covered entity guidance tool.
As mentioned above, HIPAA included Administrative Simplification provisions, which required HHS to establish national standards (or rules) for electronic transactions to improve the efficiency and effectiveness of the nation's health care system. In its implementation of the Administrative Simplification Standards, HHS issued and adopted five rules: the Privacy Rule, Transactions and Code Sets Rule, Security Rule, Unique Identifiers Rule, and Enforcement Rule. The HIPAA Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules2. Also of significance is the National Provider Identifier (NPI) Standard. The NPI was adopted through regulations and as of May 2008, all HIPAA-covered entities are required to utilize the NPI in administrative transactions covered by HIPAA3.
CMS administers and enforces several of the Administrative Simplification rules, including the Transactions and Code Set Standards, Employer Identifier Standard, and NPI Standard. Of all of these rules, people tend to be most familiar with the HIPAA Privacy and Security Rules, which are administered by the HHS Office of Civil Rights.
- HIPAA Privacy Rule: Published in December 2000 and modified in 2002, the rule establishes national standards for the protection of certain health information held or maintained by covered entities and describes how protected information can be utilized and disclosed4.
- HIPAA Security Rule: Published in February 2003, the rule establishes national security standards for protecting certain health information that is held or transferred in electronic form by covered entities.
 The Privacy Rule defines protected health information (PHI) as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity that is transmitted or maintained in any form or medium. https://privacyruleandresearch.nih.gov/pr_07.asp