Health Insurance Portability and Accountability Act: An Introduction

Widely known to most simply as HIPAA (or HIPPA for those who cannot spell), the Health Insurance Portability and Accountability Act was signed into law on August 21, 1996. Its original purpose was to protect health insurance coverage for workers who change or lose their jobs (the "portability" part), to provide tax breaks for those using a medical savings account, and to simplify the administrative burden of health insurance. But the act didn’t stop its development in 1996. The final Privacy Rule was published on December 28, 2000, and most covered entities had to comply with it by April 14, 2003. The Security Rule followed, with a compliance date of April 20, 2005. The Security Rule deals specifically with electronic protected health information (ePHI) and requires three categories of safeguards:

  1. Administrative (policies, procedures, risk analysis and workforce training)
  2. Physical (facility access and the physical handling of workstations and media)
  3. Technical (access control, audit controls, integrity, authentication and transmission security)

In March 2006 the Enforcement Rule took effect, giving the Department of Health and Human Services (HHS) formal procedures for investigating complaints and imposing civil money penalties for non-compliance.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted, which pushed providers to adopt electronic health records (EHR). It also created the Meaningful Use incentive program, which paid eligible professionals and hospitals for demonstrating meaningful use of certified EHR technology, effectively rewarding those who kept PHI in electronic form rather than on paper.

The Breach Notification Rule came next. Breaches of unsecured PHI must be reported to the affected individuals, and breaches affecting 500 or more individuals must also be reported to the HHS Office for Civil Rights (OCR) without unreasonable delay and no later than 60 days after discovery (and to prominent media outlets when the 500 or more live in one state or jurisdiction). Smaller breaches must be logged and reported to OCR annually.

The final Omnibus Rule in 2013 extended the criteria for reporting breaches (an impermissible use or disclosure is now presumed to be a breach unless a risk assessment shows a low probability that the PHI was compromised) and plugged gaps in the original HIPAA and HITECH rules. This rule updated definitions, made business associates directly liable for compliance, implemented HITECH’s tiered penalties for non-compliance, and accounted for changing work practices brought about by changing technologies, such as the use of mobile devices to transmit ePHI.

Let’s refresh the key dates:

  Date                 Description
  August 21, 1996      HIPAA signed into law by Bill Clinton
  December 28, 2000    HIPAA Privacy Rule published in final form
  April 14, 2003       Compliance date of the HIPAA Privacy Rule
  April 20, 2005       Compliance date of the HIPAA Security Rule
  March 16, 2006       Effective date of the Enforcement Rule
  February 17, 2009    HITECH Act signed into law
  September 23, 2009   Effective date of the Breach Notification Rule
  March 26, 2013       Effective date of the Omnibus Rule

So now that we know how this law came to be, let’s see who it applies to….

As I’m sure you’ve already guessed, this law applies to individuals, including you and me…

WRONG!!!!!!!

If not me or you, then who???

The HIPAA Rules do NOT apply to private individuals (there are other laws, related to fraud and abuse, that we won’t get into here). They explicitly apply to three categories of entities:

  1. Covered Entities (CE)
  2. Business Associates (BA)
  3. Hybrid Entities (HE)

We won’t get into those today, but I wanted to make sure you were well aware that this regulation does not apply to you as a private individual. Let’s look at an example of someone getting it wrong… Ezekiel Elliott.

On June 15, 2020, it was reported (or at least rumored) that Ezekiel Elliott had tested positive for COVID-19. He proceeded to take to Twitter, like many professional athletes, to voice his frustration, in this case with someone leaking his health information without his consent. A private individual who passes along that information is not violating HIPAA, because none of the HIPAA Rules regulate private individuals. However, if the leak came from a clinic that processed his COVID-19 test, the clinic, as a covered entity, would be responsible for the impermissible disclosure under the Privacy Rule and, if its systems or workforce let the result out, for failing to safeguard ePHI under the Security Rule. Zeke, like most of us, wouldn’t have known that HIPAA doesn’t apply to individuals because we simply aren’t taught that. He wanted the OCR to levy penalties against whoever leaked his test results, but OCR can only act against covered entities and business associates.

With all that said, I love Zeke and want him and the ‘Boys to get back to the Super Bowl and beat whoever they play. If Zeke ever reads this, I would be more than happy to consult with him and his family on privacy-related topics. But until that day, I will continue providing my information however I can on this site. Keep eatin’ Zeke!

In a nutshell, we individuals are not CEs, BAs, or HEs, so HIPAA doesn’t apply to us directly. However, if you work for one of these entities, your actions have big implications, and you shouldn’t assume you are in the clear should you choose to violate these rules.

Another area we will cover in more detail later is PHI, or ePHI. PHI stands for protected health information (not "personal," as it is often misremembered): individually identifiable health information that a covered entity or business associate creates, receives, maintains or transmits. For example, my height, weight, body fat percentage and medical conditions, tied to my name in a clinic’s records, would all fall into the bucket known as PHI. Once that information is stored or transmitted electronically, it becomes ePHI. These two acronyms may sound like formalities, but they play a big role in determining what was breached and how. The Privacy Rule covers PHI in every form (paper, spoken, electronic); the term ePHI did not exist until the Security Rule was adopted, and the Security Rule applies only to ePHI, requiring the administrative, physical and technical safeguards listed earlier. By the time it took effect, electronic storage had become the common way to keep health records. We will see more examples as we go through different breaches from the HIPAA Wall of Shame, which is the unofficial name for the OCR breach portal: its running list of reported breaches affecting 500 or more individuals. If you’d like to check out the wall, go here.

We will go into more detail around exactly whom HIPAA applies to, what each rule says, some major breaches, and what can be done to defend against them. Since these rules don’t apply to you or me directly, I want you to think of yourself as a privacy or security officer at a hospital and consider the different implications as we go through this regulation over the next few months together, taking a break from the GDPR series for a little while.
