HHS answered by proposing a privacy regulation that was finalized in 2000.
Looking back, the past 10 years have demonstrated, much to the surprise of many, the enduring nature of the basic cornerstones of HIPAA.
Some were concerned that HIPAA wouldn’t provide meaningful privacy protection.
Others worried that HIPAA would be redundant with state health privacy laws and would not add much value.
The challenge of protecting privacy and security of health information was staggering in 1996, as it can be today.
Countless people must have access to a person’s health data: doctors, nurses, technicians, clerical workers, and administrative staff, as well as the third party personnel in entities involved in healthcare such as health plans, medical supply companies, billing and coding companies, pharmacies, and researchers.And the balance of the [HIPAA] Privacy and Security protections have paved the way to real benefits for consumers through greater access to quality care.Enforcement has matured along with industry knowledge and capacity to meet the standards.These common sense standards were intended to provide a scalable, flexible framework so that all organizations across the industry-large and small, provider and health plan-could find their way toward compliance.Whereas many thought HIPAA would “bankrupt” healthcare, shut down research, and otherwise paralyze the industry, instead the industry has learned the benefits of the transaction and code set standards through the ease of electronic transactions.It would soon be followed by the HIPAA Security Rule-which was published in 2003 and became effective in 2005-and eventually by the HIPAA Enforcement Rule and the Breach Notification Rule as well.HIPAA’s length compares to that of a Tolstoy novel-since it contains some of the most detailed and comprehensive requirements of any privacy and data security law.Since the 1970s, Congress had been passing a number of privacy statutes that protected driver license records, cable TV records, school records, and phone records.There was even a federal law regulating the privacy of video rental records-but not one regulating the privacy of health records.People questioned whether HIPAA would really make an impact, and if any impact would be for the better or the worse.Ten years later these questions have largely been answered.