HIPAA Background & History

There have been numerous federal initiatives aimed at protecting the privacy of sensitive personal information over the past several decades. In 1965, the House of Representatives created a Special Subcommittee on Invasion of Privacy. In 1973, this Department's predecessor agency, the Department of Health, Education and Welfare, issued "The Code of Fair Information Practice Principles," establishing an important baseline for information privacy in the U.S. These principles formed the basis for the federal Privacy Act of 1974, which regulates the government's use of personal information by limiting the disclosure of personally identifiable information, allows consumers access to information about them, requires federal agencies to specify the purposes for collecting personal information, and provides civil and criminal penalties for misuse of information.

In 1997, a Presidential advisory commission, the Advisory Commission on Consumer Protection and Quality in the Health Care Industry, recognized the need for patient privacy protection in its recommendations for a Consumer Bill of Rights and Responsibilities (November 1997). In 1997, Congress enacted the Balanced Budget Act (Public Law 105-34), which added language to the Social Security Act (18 U.S.C. 1852) to require Medicare to establish safeguards for the privacy of individually identifiable patient information. Similarly, the Veterans Benefits section of the U.S. Code provides for confidentiality of medical records in cases involving drug abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell anemia (38 U.S.C. 7332).

In the early 1990s, the Bush Administration called a group of healthcare industry leaders together to discuss how healthcare administrative costs could be reduced. This group concluded that this could be done best by increasing the use of electronic data interchange (EDI) within the industry. This advisory group later organized as the Workgroup for Electronic Data Interchange (WEDI), which was initially co-chaired by the Presidents of the Blue Cross and Blue Shield Association (BCBSA) and the Health Insurance Association of America (HIAA), which represents commercial insurers.

WEDI conducted a number of studies to determine how this might be accomplished, and eventually recommended that Federal legislation be passed to ensure that a consistent set of standards could be used across all states. Many of WEDI's recommendations were included in the Clinton Health Plan, which failed to pass, and similar provisions were included in other draft legislation. The Health Insurance Portability and Accountability Act (HIPAA) was finally signed into law by President Clinton on August 21, 1996.

The Act called on Congress to enact a medical privacy statute and asked the Secretary of Health and Human Services to provide Congress with recommendations for protecting the confidentiality of healthcare information. The Congress further recognized the importance of such standards by providing the Secretary with authority to promulgate regulations on health care privacy in the event that lawmakers were unable to act within the allotted three years.

For the standards adoption process, DHHS consulted with the National Uniform Claims Committee (NUCC), the National Uniform Billing Committee (NUBC), the American Dental Association, and WEDI. DHHS also received and considered advice from the National Committee on Vital and Health Statistics (NCVHS) and representatives of the healthcare industry who testified before the subcommittee. The end result was the adoption of the ASC ANSI X12N standards version 4010 for all transactions, with the sole exception of pharmacy claims. The standards maintained by the National Council for Prescription Drug Programs (NCPDP) are already in widespread use for pharmacy claims and hence were selected as the de facto HIPAA standard for pharmacy claims.

In keeping with the mandate, the DHHS submitted recommendations to Congress on the Privacy Standards on September 11, 1997, and when legislation was not enacted by the deadline, issued a draft regulation on November 3, 1999 and final regulation on December 28, 2000. This is the second of nine final regulations (rules) to be issued. The first was the Standards for Electronic Transactions, issued on August 17, 2000. The final HIPAA privacy rule was published in the Federal Register on December 28, 2000. The remaining regulations were passed throughout 2001 and 2002, with compliance dates in 2003, and the last deadline in 2004 for the Privacy rules.

Here is the timeline:

August 21, 1996: Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). It required the Secretary of Health and Human Services (HHS) to propose standards protecting the privacy of individually identifiable health information by August 21, 1997.

September 11, 1997: The Secretary submitted a report to Congress recommending and urging comprehensive privacy legislation by August 21, 1999. If Congress failed to act by that date, the Secretary was directed to finalize regulations containing proposed standards relating to the electronic transfer of medical information by February 21, 2000.

August 21, 1999: Congress was unable to reach consensus on comprehensive privacy legislation. The Secretary of HHS took action to finalize regulations.

October 29, 1999: The Clinton Administration announced proposed rules.

November 3, 1999: Proposed privacy standards were published in the Federal Register.

January 3, 2000: Initial deadline for the 60-day comment period on proposed privacy standards ends. This deadline was extended to February 17, 2000.

August 17, 2000: Transaction and Code Sets Final Rule published.

December 20, 2000: The Secretary released the final regulations setting a compliance deadline of February 26, 2003. This deadline was later extended to April 14, 2003.

December 28, 2000: Privacy Final Rule published in the Federal Register.

July 6, 2001: HHS issued first guidance on privacy protections.

December 27, 2001: H.R. 3323, the Administrative Simplification Compliance Act (now known as Public Law 107-105), was signed into law by President Bush. It provided for a one-year extension for complying with the standard transactions and code set requirements.

March 27, 2002: Proposed changes to the privacy standards were published in the Federal Register.

October 16, 2002: Compliance deadline for Transaction and Code Sets, unless a request for extension and a compliance plan were filed with DHHS by October 15, 2002.

April 14, 2003: Compliance deadline for Privacy standards for all covered entities except small health plans.

October 16, 2003: Compliance deadline for Transaction and Code Sets.

April 14, 2004: Compliance deadline for Privacy standards for small health plans with less than $5 million in annual receipts.
