During the 1990s, concerns arose about the safety of patient records as more and more practices were turning to computerized methods of storing medical records. Another common concern was whether or not people should have the ability to keep their health insurance when they lose their job. The bill was introduced into Congress as the Kennedy-Kassebaum Act, after Ted Kennedy and Nancy Kassebaum, the act’s two leading sponsors. The name was changed to the Health Insurance Portability and Accountability Act (HIPAA), and it was passed on August 21, 1996. The act required the Secretary of Health and Human Services (HHS) to create standards that would protect individual health information by August 21, 1997.
On September 11, 1997, the Secretary of HHS submitted a report for review by Congress with a deadline of August 21, 1999. Congress failed to meet that deadline, and the Secretary published the proposed standards in the Federal Register on November 3, 1999.
By August 2000, the Transaction and Code Sets Final Rule was published, creating industry-wide standards for health data so that whenever data were exchanged, the same codes and identifiers would be used across the board. In December of that same year, the Privacy Final Rule was published. The Privacy Rule protected all health-related information about an individual, including (but not limited to): name, address, demographic information, health plan numbers, photographs, Social Security numbers and email addresses. The act also requires the patient’s signature to release any information, except for treatment, payment and health care operations. Compliance with the Transaction and Code Sets Final Rule was set for October 15, 2002 (unless an extension was requested for 2003). Compliance with the Privacy standards was set for April 14, 2003.
Each violation of HIPAA can cost from $100 to $50,000, depending on whether the violation was due to errors the party would have corrected had it known of them, or was due to willful neglect. Criminal penalties are also imposed if a party knowingly violates HIPAA, ranging from $50,000 and one year in prison for minor infractions up to $250,000 and 10 years in prison if the information was intended to be sold, transferred, or used for personal gain or harm.
In February 2009, an additional provision was added as part of the American Recovery and Reinvestment Act (ARRA). The Health Information Technology for Economic and Clinical Health (HITECH) Act required entities to notify the individuals affected by a breach that the breach had occurred. It also gave a hospital or practice 60 days to notify individuals of the breach.