The HIPAA Privacy Rule Simplified
Posted by: Chris Lyons
Published 12/2/2021, 1:30pm
The HIPAA Privacy Rule has been relatively unchanged since the regulation was established on April 14, 2003. The Privacy Rule started in 1996 as a limited effort, but the current version has been consistent since 2003. The rule defined how all Covered Entities (CEs) must secure Protected Health Information (PHI) and how they may use it.
Was this the start of HIPAA? No, it was not. HIPAA was started to ensure that employees could carry their health coverage when they changed jobs. As we know now, the focus of HIPAA is on privacy rather than the original thought of “portability.” When the original Health Insurance Portability and Accountability Act of 1996 (HIPAA) became a requirement via Public Law 104-191, on August 21, 1996, it was not about security, but rather usability. This rule was about allowing citizens to be able to use their insurance and not lose coverage between jobs.
In December 2000, the Privacy Rule was finalized and published by the U.S. Department of Health and Human Services (HHS). Although this was the final rule at the time and defined the requirements, compliance was not yet mandatory. The rule was updated in August 2002, but compliance was still not required of businesses.
On April 14, 2003, compliance with the HIPAA Privacy Rule was published as a requirement and became mandatory for all Covered Entities. Before this rule, compliance was optional for all healthcare companies. By the time this law was enacted, a requirement for securing healthcare data was under consideration but had not yet been imposed. Privacy was addressed as one aspect of security, but how to secure the data was not.
The Final Security Rule was enacted in 2003 as part of the HIPAA Omnibus Rule (see The Evolution of HIPAA Part 1 and Part 2). In 2006, HHS came out with the enforcement rule that detailed how it would enforce, and fine for, violations of the HIPAA Privacy and Security rules. Unfortunately, these rules were vague, were not defined well enough for the same set of rules to be applied by companies of all sizes, and have been enforced as such ever since. We will provide a more in-depth look at each HIPAA Privacy and Security rule at a later date, documenting the OCR's expectations for how to implement these rules. While the HIPAA rules are vague, there have been multi-million-dollar fines since their implementation; many are not due to spelled-out rules, but to the OCR's expectations for how these rules should be implemented.
In 2009, the privacy and security rules were combined via the HITECH Act. The newly defined requirements applied not only to covered entities, but also to anyone that was considered a Business Associate of a covered entity. This extended the requirements of HIPAA to anyone that provided services to a company subject to HIPAA – including anyone that stored, processed, or transmitted PHI.
In 2013, the Final Omnibus Rule was passed. This is the most recent HIPAA rule and requirement to be passed. It implemented some requirements that were a little more defined: the encryption standard and other security rules were passed, but not many Privacy rules were passed or defined.
Privacy requirements are extremely strict and are well defined in the Privacy Rule. The requirements mainly address processes for informing patients of how their information is used, and how patients can control their own data. The rule is not vague like the Security Rule, but is well defined and lays out how PHI can be used. The Privacy Rule is very much document-based, and companies need to review the rule and define their policies and procedures around it. The nice thing about the HIPAA Privacy Rule, unlike the HIPAA Security Rule, is that if a company follows exactly what is in the rule, developing and implementing those policies and procedures will make it compliant.
Chris Lyons
Sr. Security Consultant, Compliance,
GuidePoint Security
Chris Lyons, Senior Security Consultant at GuidePoint Security, began his career in the security industry in 1995. His professional experience includes conducting security assessments, specializing in HIPAA, PCI, and HITRUST. He has led and participated in security assessments throughout the world in the banking, commercial, retail, and healthcare industries.
Chris earned a Bachelor of Science degree in Business Administration from Bethel University, a Master’s in Business Administration (MBA) from the University of Phoenix, and a Master’s in Education from Liberty University. He holds several certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), PCI Qualified Security Assessor (QSA), Certified HITRUST Assessor, and Healthcare Certified Information Security and Privacy Practitioner (HCISSP).