August 21, 2017, marks the 21st anniversary of the signing of the Healthcare Insurance Portability and Accountability Act (HIPAA) by former President Bill Clinton. Now that this legislative milestone has reached the age of majority, it’s instructive to look back at its legacy and its impact on the health care industry.
More Than Mere Privacy
The law started as the “Kennedy-Kassebaum Act,” named for then-senators Ted Kennedy of Massachusetts and Nancy Kassebaum of Kansas. Though it has come to be associated with the concept of patient privacy, the act was originally conceived as a mechanism for maintaining health insurance coverage when an individual changed jobs. The second major goal of the act was to streamline the process of transferring medical records from one provider or medical facility to another. Like many large pieces of legislation, this one was phased in over time. The so-called “privacy rule” wasn’t implemented until 2003.
For the health insurance industry, the act has had a substantial impact that persists to this day. According to Cornell Law, the act enjoins health insurers writing group plans from excluding individuals with pre-existing conditions diagnosed more than six months before enrollment in a plan. The law permits the exclusion period to last up to 12 months after enrollment, or up to 18 months for a late enrollee. The purpose of the pre-existing condition provision was to protect patients from denial of benefits and to protect payers from excess losses due to adverse selection.
Electronic Health Records
Anticipating the soon-to-be-universal practice of electronic health insurance claims submission and processing, HIPAA prescribed creation of a number of industry standards that are now fixtures in the health care economy. The first of these is the national provider identifier for every provider and institution. Next came standards for electronic data interchange, which standardized the mechanisms for transmission of claims data to payers and payments to providers, according to EDI Basics.
Though the word “privacy” doesn’t appear in the title of the act, privacy provisions have become synonymous with the act itself. Indeed, the home page of the government’s HIPAA site is devoted entirely to privacy. The law’s original definition of protected health information remains in force today, according to HIPAA. The act places defined restrictions upon the transfer of health information without patient consent and imposes stiff penalties for violation of those restrictions. The law defined the “floor” parameters but didn’t define the ceiling; states were free to impose stiffer penalties for violations than federal law prescribed.
Though the architects of the act brilliantly anticipated the imminent digital revolution, they couldn’t construct a system impermeable to 21st-century hackers. Modern Healthcare noted there were 106 significant breaches of protected health information in 2016, compromising the records of approximately 13.5 million individuals. Despite the best efforts of health care system participants, cybersecurity remains a problem for HIPAA compliance.
It’s difficult to imagine what the world of health care would look like had the law never been enacted. For certain, there were consequences that the crafters of the legislation couldn’t anticipate, such as the advent of the hacker. Nevertheless, HIPAA was a significant piece of legislation, not only because of its broad scope but also for its anticipation of the completely computerized world that health care now occupies. Ironically, the piece for which it is best known, the privacy rule, remains the act’s greatest challenge.
David E. Williams is president of Health Business Group, a strategy consulting firm serving clients in technology-enabled health care services, pharmaceuticals, biotech, medical devices and software. He is frequently quoted in the media on the business of health care and is the author of the Health Business Blog. David sits on the board of both private health care companies and nonprofits.