When Was HIPAA Enacted, by Whom and Why?

HIPAA has a lot of moving parts, but you may not have thought to learn about its history. You may not even know when HIPAA was enacted. It's a good question, and the answer tells you a lot about the act's history and purpose. Keep reading to learn when HIPAA was enacted, by whom, and why.

HIPAA Origin

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. It started in Congress as the Kennedy-Kassebaum Bill, and it has two main goals. First, the act has allowed individuals to keep health insurance when going between jobs, and this is the portability part of the act. This part of HIPAA has been implemented and used successfully for over 20 years. The second portion of the act helps keep patient information and data confidential and secure. It holds health providers accountable for the data they use and transfer. This portion also has standards for electronic data transmission. The standards apply to health data as well as administrative and financial data as it relates to patient health information.

Why Was HIPAA Enacted?

Congress enacted HIPAA to secure protected health information (PHI). However, the act also carries out the objectives of simplifying administration and securing electronic records. Electronic records can include such things as electronic protected health information (ePHI). HIPAA provisions also protect individuals' access to health insurance after leaving a job. That way, people can keep their health coverage and know that their data is private and confidential. However, HIPAA does not protect de-identified health information. Because of this, providers can use de-identified information for research and public health purposes. The data also must only include the minimum necessary information. Anyone receiving such data also has to agree to a data use agreement so that they don't misuse the information.

Who Oversees HIPAA?

In 1996, the US Congress enacted HIPAA and gave oversight of the act to the Department of Health and Human Services (HHS). That way, the department can handle complaints and other issues surrounding HIPAA enforcement. Specifically, the Office for Civil Rights (OCR) within HHS oversees and enforces HIPAA. OCR enforces both the HIPAA Privacy Rule and the Security Rule. The office investigates complaints that people file regarding HIPAA. OCR can also review health care offices to make sure they are complying with HIPAA. The OCR also offers education and outreach to help with compliance. You can also take a HIPAA course to brush up on the legislation.

HIPAA Provisions

HIPAA includes multiple provisions, and some went into effect earlier than others. This makes it hard to say exactly when HIPAA, in its current form, was enacted. However, the different provisions are all essential to the act. They all help with patient protection and data security within health care. When studying HIPAA history, you should understand how each provision works. Consider what each does and when each provision became part of the act.

Privacy Rule

When HIPAA was enacted, Congress gave itself another three years to enact privacy legislation. In 1999, the Secretary of HHS had to issue privacy regulations because Congress had not done so. The Secretary developed a privacy rule and released it to the public in November. Members of the public were allowed to comment on the rule, and over 52,000 responses came in. HHS published the Privacy Rule on December 28, 2000. A little over a year later, in March 2002, HHS released proposed changes to the rule. The public commented, and the Department published the changes in August of that year. Today, the Privacy Rule sets standards that you have to follow when working in health care. But it's not the only part of HIPAA.

National Provider Identifiers (NPI)

National Provider Identifiers (NPI) regulations focus on how health care providers can simplify administrative work. These standards aim to reduce costs, improve data accuracy, and manage billing and referrals. The Final Rule on this section came out on January 23, 2004, and health care providers had to apply for NPI assignments on May 23, 2005. Health care providers have to apply for NPI if they are a covered entity. Providers who aren't covered entities can also apply, but they don't have to. HIPAA covered entities have had to use NPIs since May 23, 2008, no matter the health plan size.

Security Rule

Security is another major component of HIPAA. The regulations in this section provide standards for how to protect and secure ePHI, and the standards took effect on April 21, 2005. Providers had to comply with the security regulations by that date, except for small health plans, which had until April 20, 2006. The security standards fall into three categories. First, there are administrative safeguards, which focus on information access and security management. Health care providers should only have access to what they need. Technical safeguards limit access to electronic information so that only people who need to use the information can access it. Lastly, there are physical safeguards, such as protecting the desks, computers, and workstations that hold PHI and ePHI. Implementing each type of safeguard helps keep PHI confidential in the office.

Electronic Data Interchange (EDI)

The Transaction Code Set Standards regulate electronic data interchange (EDI). These rules standardize the electronic exchange of information between trading partners. Covered transactions include eligibility inquiry, claim status inquiry, health insurance premium payment, and beneficiary enrollment. The standards cover other transactions, like authorization requests and responses as well as a claim or encounter. HIPAA Code Set Regulations also list what code sets to use when seeing patients and documenting visits. You have to use code sets for diagnoses, procedures, supplies and devices, and additional clinical data. By standardizing EDI, HIPAA got rid of state-to-state codes, making it easier to work with providers in other states. And the standards can help maintain the security and privacy of patient information.

Who Has to Follow HIPAA?

Now you know when HIPAA was enacted and who enacted it. But you may be wondering whether you have to follow it. HIPAA defines covered entities that must follow the act's rules and regulations. Most people in the health care field must follow HIPAA, even office staff. Still, it helps to consider whether you're a covered entity or not. If you are, you should brush up on your knowledge of HIPAA. And if you're not a covered entity, you should still know the basics.

Health Care Providers

Anyone providing health care services has to follow HIPAA. Providers include doctors, nursing assistants, and everyone in between. Dentists, psychologists, chiropractors, and nursing homes also must follow HIPAA. Clinics and pharmacies also need to comply with the rules. Anyone else who submits HIPAA transactions, such as claims, is also a covered entity. So if an administrator submits the claim, they must also comply with HIPAA. If you don't provide care directly, you should still consider whether you are covered. That way, you can follow the law and take steps to protect and secure patient data.

Health Plans

Health plans are also covered entities under HIPAA, and that includes a variety of plans. Private health insurance companies, whether providing individual or employer coverage, have to follow HIPAA. Government programs, like Medicare and Medicaid, are also covered. The same is true of military and veterans' health programs. Health maintenance organizations (HMOs) also have to follow HIPAA. Even if you aren't a covered entity, communicating with a health plan means you need to follow the rules. That way, the health plan can stay in compliance.

Health Care Clearinghouses

A health care clearinghouse is an entity that facilitates electronic transactions. If you need to send health information to an insurance company, for example, the clearinghouse can ensure it stays secure. That means the clearinghouse has to follow HIPAA rules and regulations. Health care clearinghouses process nonstandard health information and convert it to fit content or format standards. They work with many different organizations and must have a secure system to protect all information that comes through. Examples of clearinghouses include community health management information systems and billing services.

Business Associates

Another type of covered entity you may not consider is business associates. While they don't provide care to patients, they do work with a lot of health information. A business associate refers to anyone working with a health care organization that isn't part of the covered entity itself. Associates may perform services such as billing, data analysis, and claims processing. Since those tasks require the use of patient data, business associates are covered entities and must comply with HIPAA. However, not all business associates are covered. If an associate does not deal with PHI, they do not have to follow HIPAA, but they also shouldn't have access to PHI.

What Do You Need to Give Patients?

When complying with HIPAA and its various rules, you should give patients certain information. That way, they can understand how you will use their health and personal information. A disclosure is essential for protecting your office, but that doesn't mean you can use the information in any way. You still need to keep PHI confidential and not provide access to those who don't need it. However, giving patients information on how you will use information can make them feel at ease. Then, you can provide the best care possible. Consider what you should give patients to help comply with HIPAA.

Disclosure Notice

You need to disclose to patients how you will use their information. In most cases, that will just be to diagnose and treat their condition. But you may also need to provide some information to their insurance company. After you give the disclosure, let your patient look it over, and give them a copy. Then, they can keep it for their records in case something happens later.

Patient or Parent Signature

When giving the disclosure, you should include it on a print form for your patient to sign. Their signature will prove they agree to the terms of the disclosure, so you can provide care to them. If you have patients under age 18, you should have the parent sign the form. Then, you can still take care of your patient and have consent from an adult to do so and to use the patient's information.

Notice of Privacy Practices

Along with a disclosure, you should give patients a copy of your privacy practices. You can include the processes you follow to protect their data. Their signature isn't necessary, but it can be good to discuss your practices if someone has a question. That way, you can make sure your patients are comfortable receiving care from your office.

When Can Providers Use Information Without Disclosure?

While HIPAA does require that you disclose your policies to patients, you don't have to disclose everything. It's important to consider what information you can use, and how, without disclosing it. You may use and disclose certain information to run your medical office. In the following cases, you're allowed to use PHI without a patient's permission.

The Patient

If you need to discuss a diagnosis or problem with the patient in question, you do not need their permission. Of course, most patients want to hear about their problems and treatment options. But you may still want to ask for permission to make sure your patient is ready to hear the information.

Treatment

When treating a patient, you may need to coordinate or manage health care with other providers. If you need to refer a patient to a specialist or consult with another provider, it is okay to disclose PHI.

Payment

If you need to collect premiums or reimbursement for health care, you can disclose PHI as necessary. As always, don't disclose more than you have to. Still, you can use the information to get the payment you need.

Health Care Operations

You can also use PHI when assessing your operations. You can use it to check the quality and find areas of your office to improve. That way, you can continue to provide the best care.

When Was HIPAA Enacted?

If you're a health care provider, you should know as much as you can about HIPAA. You may be wondering, when was HIPAA enacted? While it started in 1996, it has experienced a few changes over the years. The changes have helped keep patient information even more secure and confidential. Do you want to refresh your knowledge of HIPAA? Check out our courses and enroll in one today.