Many answers to the question what does HIPAA stand for tend to focus on patient privacy and data security. However, there is much more to the Act than that – including the reasons why the standards relating to patient privacy and data security exist.
The acronym HIPAA stands for the Health Insurance Portability and Accountability Act – an Act with the primary purpose of increasing health insurance portability between jobs to address the issue of “job lock” in which employees remained in unsuitable jobs in order to avoid losing benefits.
The Act also addressed the issue of employees being denied coverage due to a pre-existing condition and eliminated inconsistencies between federally regulated employer-sponsored and individually purchased health plans, and state regulated commercial for-profit group health plans.
The Link to Patient Privacy and Data Security
During the preparation of the Act, concerns were raised that the cost of the portability and accountability measures may be passed onto employers and consumers by health insurance companies in the form of higher premiums or higher co-pays.
To counter these concerns, Congress added a second Title to the Act which assigned resources to counter claims fraud in the healthcare industry and sought to increase the efficiency of the claims process by standardizing transactions and simplifying the administration of claims.
In this second Title, the Secretary of Health and Human Services (HHS) was instructed to develop standards for electronically transmitted transactions (the Administrative Requirements), and security standards to ensure the confidentiality of data when transmitted electronically between health plans, health care clearinghouses, and healthcare providers (the Security Rule).
In a relatively small section of the text of HIPAA (sec. 264), the Secretary is also instructed to submit recommendations for the privacy of health information. These recommendations were to become the Privacy Rule due to Congress failing to pass alternative legislation governing the privacy of individually identifiable health information within three years of the passage of HIPAA.
HIPAA Standards Evolve over Time
The standards and recommendations were not effective immediately due to the requirements to consider stakeholder views. Consequently, although a proposed Privacy Rule was published in 1999, it was not until 2003 that a Final Privacy Rule became effective. It has since been amended in 2013 (Final Omnibus Rule), 2014 (CLIA amendments), and 2016 (to allow criminal background checks).
A proposed Security Rule was published even earlier (1998), but the Final Security Rule did not take effect until 2004. The Security Rule was also amended in the Final Omnibus Rule of 2013 to account for amendments mandated by the HITECH Act of 2009 – the HITECH Act being responsible for the introduction of the HIPAA Breach Notification Rule.
Even the Administrative Requirements did not have an easy evolution. The original Transactions and Code Set standards were published in 2000 but have been modified frequently ever since (another change is effective in 2023), while the Employer Identifier and Provider Identifier Standards were not effective until 2002. Patient identifier Standards required by HIPAA have never been published.
In addition to these Rules, HHS published an Enforcement Rule in 2005 which explains how complaints and breaches are investigated. The authority to enforce the Privacy, Security, and Breach Notification Rules was delegated to HHS´ Office for Civil Rights, and the authority to enforce the Administrative Requirements was delegated to the Centers for Medicare and Medicaid Services.
What Does HIPAA Stand for Now?
More than a quarter of a century since the passage of HIPAA, most people would answer the question what does HIPAA stand for by referring to patient privacy and data security – and they are not wrong. However, as was mentioned in the instruction, there is more to the Act than that – including what has changed as a result of HIPAA.
HIPAA set a federal floor for privacy standards which many states have built on in the development of their own subsequent privacy and security laws. Indeed, whereas HIPAA was once the standard for privacy and data security, some states now have far more stringent laws than HIPAA – some of which cross state boundaries to protect citizens wherever they are in the U.S.
Possibly more importantly, without the security standards of HIPAA, there may not have been a Meaningful Use program introduced in the HITECH Act. The Meaningful Use program revolutionized healthcare in the United States by incentivizing the adoption of health IT technology which has improved the quality, safety, and efficiency of healthcare delivery.