The HIPAA Privacy Rule: Overview and Issues (CRS Report for Congress)
Release Date: Sept. 10, 2024
Report Number: IF12759
Report Type: In Focus
Authors: Amanda K. Sarata
Source Agency: Congressional Research Service
Summary:
The final HIPAA Privacy Rule (the Rule) was first issued in December 2000, and a final modified rule was issued in August of 2002, pursuant to authority in the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191). HIPAA was enacted to improve the availability and continuity of health insurance coverage; promote long-term care insurance and the use of health savings accounts; and combat waste, fraud, and abuse, particularly in Medicare and Medicaid. HIPAA also included a series of requirements under the subtitle “Administrative Simplification” to improve the efficiency of, and decrease costs within, the health care system by supporting a transition to standardized electronic administrative and financial transactions. Among these requirements, the law directed the Department of Health and Human Services (HHS) Secretary to promulgate privacy standards should legislation addressing privacy of personal health information not be enacted within a specified timeframe. The HIPAA Privacy Rule established for the first time a set of federal standards for the protection of personal health information.
As part of Administrative Simplification [42 U.S.C. §§1320d et seq.], HIPAA required promulgation of both privacy and security standards in recognition of the increased risk to health data posed by broadly promoting electronic data use and exchange within the health care system. More than a decade later, the Health Information Technology for Economic and Clinical Health Act (HITECH, P.L. 111-5) incentivized the shift away from paper patient records to electronic patient records, building on the earlier shift to standard electronic financial and administrative transactions. These shifts—both on the administrative and patient care side—were considered by many to be a necessary precursor to broader health care reform efforts that culminated in the Patient Protection and Affordable Care Act of 2010 (ACA, P.L. 111-148, as amended). Privacy (and security) of personal health data was to some extent a second-order policy priority in service of broader reform of the health care system.
The Privacy Rule applies to specific entities—covered entities and their business associates—and to certain health information, termed protected health information (PHI). The requirements of the Rule primarily address (1) the use and disclosure of PHI, (2) individual rights with respect to PHI, and (3) administrative requirements (e.g., workforce training, data safeguards). The Rule is interpreted and enforced by the Office for Civil Rights (OCR) within HHS.