
HIPAA at 20: A Bipartisan Achievement

Summary: 
Many are familiar with HIPAA as a medical privacy and security law. But it is that and so much more.

Twenty years ago, the summer games of the XXVI Olympiad had just ended in Atlanta.  We were dancing to the “Macarena,” the number one song on the radio.  The first cellular phones were just hitting the market. And on August 21, 1996, our nation committed to transforming health care coverage with the enactment of historic, bipartisan legislation called the Health Insurance Portability and Accountability Act of 1996, or HIPAA for short.

Many are familiar with HIPAA as a medical privacy and security law.  But it is that and so much more.  A key component of HIPAA’s initial purpose was to allow people to transfer and continue health insurance after they change or lose a job.  This was first made possible in 1985 by passage of health insurance continuation provisions in the Consolidated Omnibus Budget Reconciliation Act (COBRA). HIPAA then built upon these gains, and most recently, the Affordable Care Act (ACA) amended and expanded many of the original HIPAA consumer protections.

Prior to the passage of HIPAA, many people were afraid to change jobs out of fear that a preexisting medical condition would prevent them from receiving health insurance coverage. HIPAA addressed this concern through its portability provisions, which lessened the possibility that an individual would lose health care coverage for a preexisting condition when changing to a new employer’s group health plan or when seeking coverage in the individual market.  HIPAA also required group health plans to provide special enrollment periods for employees and their dependents who experience a qualifying event such as loss of other group coverage, birth of a child, or marriage.

HIPAA prohibited group health plans from discriminating based on health status against an employee or a dependent in terms of eligibility or cost of coverage. The ACA expanded this provision to certain individual health insurance policies. HIPAA also mandated that all individual and group health insurance coverage, including small employers with 2-50 employees, be guaranteed renewable at the option of the individual or employer. The ACA continued this protection for both large and small employers and, most significantly, to individuals and families purchasing individual market health insurance policies.

Twenty years ago, a considerable portion of every health care dollar was spent on administrative overhead in processes that involved numerous paper forms and telephone calls, non-standard electronic commerce, and many delays in communicating information among different locations. This situation created difficulties and costs for health care providers, health plans, and consumers.

Under HIPAA, standards were developed to improve the way health care data is exchanged electronically. HIPAA simplified and encouraged the electronic transfer of information by requiring HHS to adopt standards for certain electronic transactions, and today 93.8% of all health care claims transactions are conducted in standard form. The HIPAA standards have helped pave the way for the interoperability of health data to enhance the patient and provider experience.

HIPAA also enhanced privacy and security protections for consumer health data by establishing requirements for most health care providers, health plans and other entities that process health insurance claims, and their business associates to safeguard information.  HIPAA’s Privacy Rule gives individuals important rights to their health information, and sets rules for how the information can be accessed, used and disclosed.  For example, the HIPAA Privacy Rule gives individuals the right to a copy of their health information in the form and format that they request – including an electronic copy. 

The HIPAA Security Rule requires health care organizations to safeguard the electronic health information they hold. Among the rule’s requirements, organizations covered by HIPAA must engage in comprehensive risk analyses and risk management to ensure that health information is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce risks in all physical locations and on all portable devices to a reasonable and appropriate level. Finally, HIPAA was modified in important ways, including the requirement that breaches of unsecured health information be reported to affected individuals, the Department of Health and Human Services, and in some cases the media. This requirement helps individuals know if something has gone wrong with the protection of their information and helps keep organizations accountable for privacy and security.

We have come a long way in 20 years, but our work is not yet done. Every day, we are seeing breakthroughs in mobile health, including many more consumer-facing health apps with the patient at the center of the conversation. We are seeing improvements in health care delivery, with many solutions tied to improvements in health care-related systems. Health care innovation is increasingly not about individual solutions capturing data at the point of care, but rather how information can be applied and shared across systems for the good of the population as a whole. HIPAA has been a blueprint for health care reform, paving the way for the future by making health care delivery more efficient and expanding coverage to more Americans. Together, we celebrate 20 years of this historic legislation.


 
