What is HIPAA?


Section 1. The Origin of HIPAA

HIPAA stands for the "Health Insurance Portability and Accountability Act", which was signed into law by then-President Bill Clinton in 1996. The act was the result of mounting concerns regarding patient access to insurance during unstable times, as well as concerns regarding the mass collection and storage of highly sensitive personal information by health insurance companies and medical establishments. HIPAA is divided into two components, Title 1 and Title 2.

Title 1: Health Coverage Access and Portability

The focus of Title 1 is on the portability of health coverage. This protects an individual's ability to maintain health coverage even when moving between jobs, and is especially important in the case of pre-existing conditions.

In the past, many employers denied health coverage to new employees if they could verify the existence of a pre-existing condition. Due to this, many people were afraid to leave their jobs, even if the work environment and compensation were poor. The risk of being unable to acquire health insurance for themselves and their families was one that few people were willing to take, especially in uncertain economic times.

According to the United States Department of Labor, HIPAA is a federal law that:

  • Limits the ability of a new employer plan to exclude coverage for pre-existing conditions
  • Provides additional opportunities to enroll in a group health plan if you lose other coverage, or experience certain life events
  • Prohibits discrimination against employees and their dependent family members based on any health factors they may have, including prior medical conditions, previous claims experience, and genetic information
  • Guarantees that certain individuals will have access to, and can renew, individual health insurance policies.


Under the protection of HIPAA, individuals and their dependents are more likely to receive coverage under a new employer due to a clause limiting what can be considered a pre-existing condition. Under the provisions of HIPAA, a new employer can only look at six months of historical data when determining exclusions based on pre-existing conditions. More specifically, it must be documented that the individual received a diagnosis, treatment, medical care, or advice for this specific ailment within the prior six months. If this does not exist, the patient cannot be denied coverage under HIPAA.


To illustrate this point, someone may have asthma, arthritis, or another condition for many years. However, they have never been to a doctor for treatment and have either suffered in silence, or found ways to manage the illness themselves. In this case, there are no diagnosis or treatment records, and the patient is fully eligible for coverage without exclusions.

HIPAA also provides assistance to those who do qualify for initial exclusion by placing a limit on the period of exclusion. Most plans now limit blackout periods to 12 to 18 months, and some to even less than that. Also, some plans will further reduce the time frame if you can show prior coverage from a creditable insurance plan, with no more than 63 days in which you were not covered. Gaps in coverage exceeding 63 days may require an individual to observe the full exclusion period. It is important to note, however, that some conditions may be subject to extended, or permanent, exclusion from the plan. In this case, treatment for just that specific illness would be denied, while coverage would continue for routine examinations and other illnesses.

Title 2: Developing the Administrative Simplification Provisions

The focus of Title 2, also known as the "Administrative Simplification" provisions, is to protect unique identifying information found in patient health records, insurance claims and many other types of health documents. Title 2 also encourages the use of electronic patient records systems and imposes penalties for breaches of patient privacy.

When the act was initially drafted, there was a mandate for the Administrative Simplification rules to be developed and ratified by Congress and publicized by the Secretary of the Department of Health and Human Services (HHS) within three years. In the absence of action by Congress, the Secretary of HHS was to take responsibility for drafting the legislation. As Congress failed to move on this initiative, the Secretary of HHS took over.

The Secretary created proposed legislation that governed the exchange, privacy, and security of personal health information. This proposal was released to the public for feedback and amended based on more than 52,000 comments that were received. The final version was released in December of 2000. The legislation was later revised and again vetted by the public, with the final version released in August of 2002.

The First Federal Medical Privacy Data Legislation

There were privacy laws on the books in the individual states, but they mainly focused on financial data, identity theft, and other types of fraud. The laws that dealt with medical information were not robust or clear enough to eliminate the many breaches of privacy that had occurred, or could occur. HIPAA provided a blanket set of expectations for medical data privacy that provided more security for patients and uniform direction for those who deal with medical data. The fact that the law included civil and criminal penalties also gave it more credibility.

Prior to the inception of HIPAA's privacy rule, there was a sense of organized chaos in the medical community. Clinics were burdened with increased administrative duties required by managed care companies, which included keeping up to date on procedure codes, billing requirements, and record maintenance. Also, there was no standard format for the establishments that maintained electronic patient records. One of the main goals of HIPAA was to streamline the process for maintaining and transmitting patient data electronically while limiting breaches in confidentiality.

The main benefits of the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") are:

  • Specific rules regarding the disclosure of Protected Health Information (PHI)
  • Guidelines for transmitting patient data electronically
  • Limiting internal employee access to PHI to the minimum necessary to perform their jobs
  • Guidelines for health insurance companies and clearing houses that transmit PHI
  • The ability for patients to access their medical records and make amendments to their medical data if warranted
  • A requirement for authorization from the individual before PHI is used or transmitted as part of any marketing communications

The privacy rule has gone through a few iterations. The original version was released in December of 2000. The privacy rule was later amended in August of 2002, and required compliance by February 14, 2003. Smaller health plans with fewer resources were required to be in compliance by April 14, 2004.

Food for Thought

Why do you think Congress initially failed to act on drafting the HIPAA legislation in a timely manner?
Have you or someone you know ever been excluded from health coverage?
Do you feel that your doctor and health plan take adequate measures to ensure your privacy?


HIPAA is legislation that ensures access to, and continuation of, health care coverage for Americans, including special provisions to help those with pre-existing conditions. In addition, the Privacy Rule included in HIPAA streamlined the accumulation, transmission, and storage of personally identifiable health information, while ensuring that patients can access their records and amend them as needed.