We’ve already seen that HIPAA was a regulatory backlash that took cues from widespread banking fraud that plagued the financial industry in the 1980s. Read through the major milestones in the 20-year trek toward healthcare information regulation that began back in the summer of 1996. Can you spot the two trends?
Download our full HIPAA Timeline info-graphic below!
Or read on to see how HIPAA has changed over 20 years.
August, 1996: HIPAA Introduced
When Congress passed the Health Insurance Portability and Accountability Act, the process of modernizing information exchange in healthcare began in earnest. HIPAA also ensured that workers would not lose health insurance coverage when changing jobs.
August, 1998: Security Rule proposed
New legislation is proposed to improve security standards and better protect individual health information held by health plans, healthcare clearinghouses and healthcare providers.
November, 1999: Privacy Rule proposed
Proposed to improve privacy standards and restrict the disclosure of PHI, the Privacy Rule also fostered better health data access for patients.
December, 2000: Proposed Privacy Rule issued
The Office for Civil Rights is assigned the responsibility for policing HIPAA.
March, 2002: Privacy Rule modified
DHHS-mandated changes are designed to clarify the Privacy Rule and ease the administrative burden on healthcare providers.
February, 2003: Security Standards Final Rule issued
With the issuance of the Final Rule, Covered Entities are required to implement appropriate Administrative, Physical and Technical safeguards to protect PHI.
April, 2003: Deadline for Privacy Rule compliance
With the Privacy Rule in place, Covered Entities are required to allow patients to access their PHI on request. The Rule limits how, when and to whom health information is disclosed.
April, 2005: HIPAA Enforcement Rule proposed
The Enforcement Rule paves the way for OCR investigations and financial penalties for HIPAA violations.
April, 2005: HIPAA Security Rule compliance deadline
All Covered Entities must comply with Security Rule requirements and implement more stringent controls for safeguarding health records. The OCR is empowered to issue civil penalties for violations.
March, 2006: Enforcement Rule goes into effect
The OCR is expected to start issuing financial penalties for any Covered Entity that fails to implement the requirements of the Privacy and Security Rules.
February, 2009: HITECH Act signed into law
Health Information Technology for Economic and Clinical Health Act - HITECH - is introduced as part of the American Recovery and Reinvestment Act. Incentives are provided to speed the adoption of electronic health record systems.
August, 2009: Breach Notifications Interim Regulations issued
DHHS introduces new regulations covering data breaches, as mandated by HITECH. Covered Entities are required to report breaches to OCR and notify potential victims.
October, 2009: HITECH Act Enforcement Interim Rule issued
The Interim Rule introduces a new tiered structure of financial penalties for HIPAA violations with four categories of culpability. Fines for violations are significantly increased to $1.5 million.
January, 2010: First OCR Settlement for HIPAA Violations
CVS Pharmacy Inc. is ordered to pay $2.25 Million for improperly dumping patient records.
February, 2010: HITECH Enforcement begins
New financial penalties for HIPAA violations now apply; the healthcare industry is warned that ‘compliance will be robustly enforced.’
July, 2010: First AG HIPAA fine issued
The Connecticut Attorney General fines Health Net Inc. $250,000 for loss of an unencrypted hard drive which contained PHI for 1.5 Million patients.
November, 2011: OCR begins HIPAA compliance audits
The OCR begins a ‘pilot round’ of just 115 audits of Covered Entities to determine the state of HIPAA compliance. Only 11% pass.
March, 2012: Omnibus Final Rule
Omnibus modifies the HIPAA Privacy, Security, Enforcement and Breach Notification Rules. The changes include modifications to a number of HITECH provisions and major updates to HIPAA.
January, 2013: Omnibus Final Rule issued
Incorporating changes to HIPAA required by HITECH four years earlier, Omnibus aims to improve data security, further restrict PHI access and prevent use of PHI for marketing.
March, 2013: Omnibus Rule in force
The healthcare industry is given 6 months to comply before Omnibus is enforced. Breach notification rules are updated and Business Associates can be held liable for breaches.
April, 2016: OCR begins second round of HIPAA compliance audits
The second round of HIPAA compliance audits was originally scheduled for late 2014, delayed until 2015 and finally begun in April, 2016.
From this timeline, we see two trends: First, lawmaking lags behind burgeoning technology by several years. Second, enforcement of HIPAA has been sporadic at best.
The OCR has been roundly criticized for failure to ‘robustly enforce’ patient privacy law. While it’s certainly true that the OCR has taken a considerable amount of time to learn how to audit practices and other Covered Entities, it’s also true that the majority of Covered Entities – nearly 90 percent – have failed to catch up to health information privacy requirements. What’s the point of continuing to audit when most offices fail?
The inevitable result, for the OCR and Covered Entities alike, is a rather depressing need to “get back to the basics” and find new ways to secure ever-expanding amounts of patient data against determined fraudsters, thieves and cyber-criminals. The typical practice approach to healthcare data security may have become more comprehensive over the past two decades, but studies and audits continue to show that there’s still a long way to go.
HIPAA @ 20: A FIVE-PART SERIES
In this five-part series, we’re taking a close look at HIPAA@20 … examining what’s changed, what remains the same, and why small practices remain at risk. We’ll also look ahead to the next decade and make some educated guesses about what the future holds for patient privacy regulation, data safeguards, and the threats practitioners and patients will face.
For the entire five-part series, HIPAA @ 20, register here.