The History of HIPAA: How This Act Came to Be

When you think of HIPAA, you probably think of patient privacy and confidentiality. And that is a major part of the legislation.

It dictates who can and cannot talk about your care, with whom they can talk about it, and how much they are allowed to reveal. Its passage was a victory for patient privacy in the United States.

But there is more to HIPAA than just doctor/patient confidentiality. HIPAA also governs how medical records move between health care providers, as well as helping employees keep their health insurance from one employer to the next.

It’s a multi-faceted and vital part of the American health care system.

But how did this landmark piece of legislation come to be? Let’s take a look at the history of HIPAA.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed in 1996. According to the California Department of Health Care Services, it does the following:

  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
  • Reduces health care fraud and abuse
  • Mandates industry-wide standards for healthcare information on electronic billing and other processes; and
  • Requires the protection and confidential handling of protected health information

HIPAA is composed of five sections or titles.

Title 1 states that group health plans may not deny coverage based on pre-existing conditions or set lifetime coverage caps. It also allows employees to maintain their health insurance should they lose or leave their job.

Title 2 instructs the Department of Health and Human Services to establish and maintain a national standard for electronic transactions between healthcare facilities. It also states that electronic storage of records by healthcare facilities must meet certain privacy requirements.

Title 3 deals with the tax considerations that come with health care and insurance.

Title 4 expands on Title 1 and makes provisions for those who wish to continue their coverage and those with pre-existing conditions.

Title 5 deals with life insurance and non-citizens.

Like most laws, it is complex but necessary. Let’s take a look into the history of this vital bill.

Before HIPAA

Many military families (or others who moved frequently) may remember that one of the last steps before leaving a duty station was to stop by the military hospital records department.

They would be handed a colored folder containing the entirety of their medical records, for each member of the family. They would then transport this folder with them during their move and hand it off to the military hospital at their next duty station.

Now, remember, this is just transportation between facilities in the same network, to say nothing of transferring files between non-connected facilities.

Suffice it to say, the system was a mess. Waste, mishandling of records, and privacy violations abounded. It was time to clean up the records system.

Passage of HIPAA

HIPAA was introduced on March 18, 1996, by Texas Congressman Bill Archer. It passed the House on March 28 by a vote of 267 – 151.

After unanimously passing the Senate on April 23, the bill headed to joint committee.

This time, it passed both the House and the Senate nearly unanimously. On August 2, it landed on the desk of President Bill Clinton. He signed the bill into law on August 21, 1996.

Now, the bill existed, but there were still holes to be filled. Over the next several years, Congress would continue to tweak and add to the law, closing loopholes and shortcomings.

This started with the development of the Security and Privacy Rules.

Security Rule

HIPAA continued to develop over the next few years, and in 1998, the Security and Electronic Standards Security Rule was introduced.

It wasn’t passed until 2003, but it was developed alongside the Privacy Rule.

The Security Rule was implemented to protect Electronic Protected Health Information, or EPHI.

The rule states that insurance companies and other entities must protect all EPHI using three security standard types: physical, administrative, and technical.

Under those three standards, the rule provides implementation guidelines.

Privacy Rule

The Privacy Rule was developed alongside the Security Rule, and its compliance deadline was April 14, 2003.

The essence of the rule is to control who may reveal personal medical information about a patient, and to whom that information may be revealed. This information is called Protected Health Information.

This is probably the part of HIPAA that the everyday person is most familiar with. You sign a piece of paper at every new doctor’s office acknowledging your rights to privacy under HIPAA. Chances are, you’ve signed dozens of these without really looking at what they mean.

Essentially, the privacy law states that your information is yours, and is not to be sold or shared with other entities by your insurance company or health providers.

There are some exceptions to this, such as certain law enforcement situations, but for the most part, the Privacy Rule ensures that your medical information stays private.

Enforcement Rule

In 2006, Congress passed the last addendum to the law that addressed enforcement. After all, while we take the provisions in HIPAA for granted today, there was a time when many healthcare providers and insurance companies found them to be an undue burden.

The Enforcement Rule not only allowed the federal government to ensure that insurance companies and health providers were following the law, but also gave it a course of action to penalize those that were not.

As of 2013, nearly 20,000 cases of non-compliance had been processed and resolved.

History of HIPAA and Its Future

HIPAA is a staple in modern medical care and one that many Americans don’t remember ever doing without.

It protects the American people from invasions of privacy with regard to medical information and ensures that sensitive information is kept safe in medical and insurance databases.

The history of HIPAA is also a reminder that the American political system can, sometimes, work well, producing good laws that benefit the American people, without the gridlock and partisan bickering we have come to know in recent years.

For more on HIPAA compliance and how to keep your patients’ records safe, take a look at our services today!

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
