HIPAA has changed a lot in 20 years

September 9, 2016 GMT

SIOUX CITY | The Health Insurance Portability and Accountability Act (HIPAA) recently marked its 20th year as a law.

Signed by President Bill Clinton on Aug. 21, 1996, HIPAA was designed to help workers keep their health insurance benefits as they changed jobs. Other provisions within the law address administrative simplification, fraud and abuse, waste in health care and the enforcement of laws, rules and regulations.

“It really started out as a bare-bones law and then more and more was added onto it at later dates,” said Johnny Tureaud, director of patient access and financial services for Mercy Medical Center. “Later in about 2003 was really when the HIPAA privacy rules really came into place.”

As the health care industry began to transition from paper to electronic health records, security and technology provisions expanded the requirements under HIPAA. Those provisions were added in 2005 and 2009.

The law is complex and still very confusing to many. Tureaud answered the following frequently asked questions about HIPAA:

Question: Why was HIPAA instituted?

Answer: “There’s a perception there’s a lot of waste in health care. The way we did billing and follow-up and all kinds of things back in those days was largely paper-based. HIPAA wanted to promote electronic exchange of information -- that was really one of the strong intentions of it. They went through a lot of standardization of claim formats, of information that goes on health care bills, codes that are used. All with the intent of really reducing waste or reducing re-work that occurs on the back end within health care, while at the same time promoting the use of electronic medical records.”

Q: What information does HIPAA protect?

A: “In general it addresses what’s called protected health information or PHI. Protected health information is anything that’s individually identifiable about a patient and their health. The easiest way to explain this is anything that can identify an individual like you or me and the care that we receive at a provider or through the insurance payment process.”

Q: Who must comply with HIPAA?

A: “Anybody that’s a covered entity. Under HIPAA a covered entity is generally defined as a provider, a physician in a hospital or a dentist; an insurer, anybody that’s paying for health care; and clearinghouses, which are those that really move information from payers to insurers.”

Q: What happens if a provider/health care professional doesn’t comply with HIPAA?

A: “Civil penalties are usually along the lines of financial penalties with the intent of moving you towards correcting your process to be in compliance with what HIPAA requires. ... The criminal penalties went into place in June of 2005. Those are more serious in nature where they receive a higher fine level and also potential jail time associated with it. In the worst cases, it looks like it’s up to 5 years.”

Q: What does a patient need to do to get their health care information?

A: “They just really need to contact the appropriate release of information portion of whatever provider they’re working with, so their medical records department, their office administrator. Fill out whatever paperwork they require so that we can confirm that we’re releasing your information to you.”

Q: What information can be released without a patient’s consent?

A: “Underneath HIPAA privacy, there are different releases of information, so when something is pertinent and pertaining to treatment, payment or general health care operations, those don’t require a specific authorization from the patient to release information. If in the course of that we’re releasing information to someone to work on our behalf, say a billing company, it doesn’t require an authorization from the patient, but it will require a business associate agreement between us and that outside agent to handle that protected health information. The rules and regulations of HIPAA won’t necessarily pertain to that third party that we do business with. The business associate agreement makes sure that they follow the same rules and regulations that we follow as a covered entity.”

Q: What challenges do providers face today with HIPAA considering technological advances?

A: “Trying to promote the security and really the use of patient information on portable devices themselves. Where you’re expanding internet usage you’re providing remote access to patients to their information like patient portals etc., so you have an expanded security requirement now to make sure your patient’s information doesn’t become vulnerable to an outside hack attack like what recently happened with the Democratic National Convention. It’s a reality of the world we’re in.”