Does HIPAA law change when a majority of one party or another leads Congress? Or when a Republican is elected President following a Democrat, or vice versa? The short answer is “no”. The Health Information Portability and Accountability Act (HIPAA) is a bipartisan issue and has gradually been updated to keep pace with changing technology, and strengthened since 1996 when HIPAA was first passed, under leadership of both major political parties.
History of HIPAA
The importance of keeping personal health information confidential between a patient and a health care provider has been understood for thousands of years. In ancient Greece Hippocrates included this principle in the Hippocratic Oath – the famous health care code of ethics. Patients must share deeply personal, intimate details with health care providers for the provider to diagnose and treat them effectively.
In the modern world patients receive health care from a wide variety of specialized providers who are linked by information networks. Private and public health plans assist in payment for health care, and businesses have access to health information to perform services to health care providers and health plans. By the late 20th century, the Hippocratic Oath for close physician–patient relationships became outdated. But patients still must be assured their personal health information will kept private and confidential.
In 1977 a landmark report to the President and Congress explained, “Patients would be reluctant to tell their physicians certain types of information which they need to know in order to render appropriate care, if patients did not feel that such information would remain confidential.” Health information rights recommended in the 1977 report became Federal law as a result of 1996 legislation commonly called “HIPAA” – the legal foundation for protecting individually identifiable health information in the United States. HIPAA Rules require safeguards to protect the privacy and security of Protected Health Information (PHI) and enforce confidentiality. PHI cannot be made available or disclosed to anyone other than the patient, unless authorized.
From 1993 to 2020, Republicans and Democrats Have Protected Health Privacy
HIPAA has been updated and enforced under both Republican and Democratic administrations. Before HIPAA, no generally accepted security standards or general requirements for protecting health information existed in the health care industry, but over the last twenty-seven years Congress and four Administrations have collaborated to strengthen HIPAA.
Although the list below mentions Presidents, there were fourteen different Congresses during these 27 years, since Congress changes every two years.
1993 to 2001 – Bill Clinton
- The first HIPAA law was passed in 1996.
- The HIPAA Privacy Rule was signed into law on December 28, 2000, although modifications were made and the final rule was published on August 14, 2002. The HIPAA Privacy Rule introduced standards for the privacy of individually identifiable health information, stipulated the allowed uses and disclosures of health information, and gave patients the right to obtain copies of their health data. The HIPAA Privacy Rule also required business associates of covered entities to sign business associate agreements and agree to comply with certain provisions of the HIPAA Privacy Rule.
2001 to 2009 – George W. Bush
- The HIPAA Security Rule was signed into law on February 20, 2003 and had a compliance deadline of April 21, 2005. The main aim of the HIPAA Security Rule was to set standards for protecting electronic personal health information that is created, received, used, maintained or transmitted by HIPAA covered entities. The HIPAA Security Rule required a Risk Analysis to be conducted and a range of physical, technical, and administrative safeguards to be implemented.
- Under the Bush administration, the U.S. Department of Health and Human Services (HHS) wrote the HITECH Act, although the law was not passed until the first month of the Obama administration. HITECH stands for Health Information Technology for Economic and Clinical Health.
2009 to 2017 – Barack Obama
- Barack Obama was inaugurated on January 20, 2009 and on February 17, 2009, the HITECH Act was signed into law as part of an economic stimulus package known as the American Recovery and Reinvestment Act of 2009. This stimulus act amended HIPAA with the HITECH Act; strengthened the enforcement of the Privacy and Security rules; created a new Breach Notification Rule; extended liability for HIPAA compliance to Business Associates; and established financial incentives for providers and hospitals that adopted electronic health records (EHRs).
2017 to present – Donald Trump
- Under the Office for Civil Rights (OCR) Director Roger Severino, HIPAA enforcement has been strong during the Trump administration. The two largest settlements in the history of HIPAA enforcement were the Anthem payment of $16 million, announced in October 2018, and Premera Blue Cross, for $6.85 million, announced in September 2020.
- OCR has actively pursued non-complying health care organizations and business associates of all sizes and types, and in 2019 started a Right of Access Initiative, to underscore the importance of making patient records available to patients without delay at little or no cost. Nine investigations under the Right of Access Initiative have been settled as of October 2020.
HIPAA Can Be Flexible, and CMS and OCR Can Help
HIPAA has flexibility built in. HIPAA has always balanced privacy with appropriate uses and disclosures. For example, protected health information may be used or shared for treatment purposes, for public health activities, and to family and friends, without individual authorization. PHI may also be shared with or by first responders under certain circumstances.
In addition to the built in flexibility, professional administrators in the government in the last three decades have proven they can respond to solve problems. During the COVID pandemic this year, the Centers for Medicare & Medicaid Services (CMS) and OCR, both within HHS, reacted quickly to modify rules on a temporary basis to deal with COVID. One positive outcome has been that telehealth has been proven effective for treatment, and helps social distancing. Unfortunately telehealth has also created new opportunities for cyber criminals who have found ways to break in to video communication over the internet. In spite of that, most agree that telehealth is here to stay and the rules and regulations must evolve to fit the way we work today.
Technology continues to evolve and criminals are mounting an increasing threat to privacy and security of all kinds of information, including health information. We now need elected leaders and professional administrators at HHS to continue this good work to shore up regulations to reduce hacking and intercepting opportunities during telehealth. Whether they report to a Republican or a Democrat, we have faith that the professionals will come through.