Understanding HIPAA compliance for law firms

The acronym HIPAA refers to a federal law called the Health Insurance Portability and Accountability Act of 1996. HIPAA is a term that most people hear about in clinic waiting rooms or hospital front desks, or read about in their health plan documents. Although professionals in the health care industry may have greater familiarity with HIPAA, the law is less understood in the general American business world. In this article, we'll pull back the curtain on HIPAA compliance by introducing HIPAA's requirements and the role that law firms may play in advising clients that are HIPAA-covered entities or business associates.

How HIPAA came about

HIPAA's origins date to the early 1990s, when medical records first began to be transmitted in electronic form. The law was passed by Congress and signed by President Bill Clinton in 1996. After HIPAA's enactment, the U.S. Department of Health and Human Services (HHS) was tasked with issuing regulations to implement the statute. In general, HIPAA's portability requirements were intended to promote greater continuity of health plan coverage, while its privacy and security rules govern how individuals' health information, referred to as "protected health information" (PHI), is used and disclosed.

The HIPAA statute has been amended over the years and has been the subject of numerous sets of implementing regulations and related guidance. For example, in 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act added breach notification requirements for covered entities and expanded how HIPAA's privacy and security requirements apply to business associates. In 2010, the Affordable Care Act (ACA) made significant changes affecting HIPAA's portability requirements. In 2013, HHS issued comprehensive regulations that updated HIPAA's privacy, security, and enforcement rules to reflect the HITECH Act.