Generated by GPT-5-mini

| Health Insurance Portability and Accountability Act of 1996 | |
|---|---|
| Name | Health Insurance Portability and Accountability Act of 1996 |
| Enacted by | 104th United States Congress |
| Effective date | April 14, 2003 |
| Public law | Public Law 104–191 |
| Signed by | Bill Clinton |
| Affected areas | United States Code |
The Health Insurance Portability and Accountability Act of 1996 is a United States federal statute enacted during the administration of Bill Clinton by the 104th United States Congress to reform aspects of insurance and to establish national standards for electronic health care information. The Act created administrative simplifications, privacy protections, and portability rules affecting Medicare, Medicaid, private insurers like UnitedHealth Group, Aetna, and Cigna, and providers such as Mayo Clinic, Johns Hopkins Hospital, and Kaiser Permanente. Its implementation involved federal agencies including the Department of Health and Human Services, its Office for Civil Rights, and the Centers for Medicare & Medicaid Services.
Proposals leading to the Act occurred amid debates involving Senator Ted Kennedy, Senator Orrin Hatch, Representative Nancy Johnson, and legislative staff from committees like the House Ways and Means Committee and the Senate Finance Committee, as advocates from the American Medical Association, the American Hospital Association, and the Blue Cross Blue Shield Association lobbied for reform. The legislative process reflected disputes among stakeholders such as the AFL–CIO, the United States Chamber of Commerce, the Kaiser Family Foundation, and policy analysts at the Brookings Institution, the Heritage Foundation, and the Urban Institute over issues including portability of employee benefits and protections for HIPAA-covered entities like Harvard Medical School, Stanford Health Care, and Cleveland Clinic. Hearings featured testimony by representatives from Georgetown University Medical Center, Columbia University Medical Center, and advocates connected to Families USA.
The Act contains several titles: Title I addressed continuity and portability for group health plans affecting employers from General Motors to Walmart, and Title II established administrative simplifications including transactions and code sets, unique identifiers, and privacy and security rules affecting providers such as Massachusetts General Hospital, insurers like the Blue Cross Blue Shield Association, and clearinghouses such as Optum. Title III modified tax treatment linked to the Internal Revenue Service, Title IV addressed group health plan requirements intersecting with the Employee Retirement Income Security Act of 1974, and Title V covered revenue offsets involving the Social Security Administration. Provisions introduced standards for electronic data interchange that influenced vendors like Epic Systems Corporation, Cerner Corporation, McKesson Corporation, and billing companies such as GE Healthcare.
Title II privacy and security standards—developed through rulemaking by the Department of Health and Human Services—created national rules for protected health information, affecting covered entities including the Veterans Health Administration, community clinics such as Planned Parenthood Federation of America, and academic centers like the University of California, San Francisco Medical Center. The rules required administrative, physical, and technical safeguards and interoperated with standards promulgated by organizations like the National Institute of Standards and Technology, the American National Standards Institute, and Health Level Seven International. The Privacy Rule and Security Rule influenced compliance programs at institutions such as Yale New Haven Hospital, Duke University Hospital, and insurers including Anthem Inc., while sparking litigation involving parties like Aetna Inc. and Humana Inc.
Enforcement authority was delegated to the Department of Health and Human Services' Office for Civil Rights, with civil monetary penalties established under statutes administered with input from the Department of Justice, the Federal Trade Commission, and the Department of Health and Human Services' Office of Inspector General. Penalties range from civil fines to criminal prosecution pursued by offices such as the United States Attorney's Office in high-profile cases involving breaches at entities like Community Health Systems and incidents reported by entities such as ProPublica and The New York Times. Audits and compliance reviews were coordinated with agencies including the Government Accountability Office and the Office of Management and Budget.
The Act materially changed privacy practices at hospitals and insurer organizations including Mount Sinai Health System, Sutter Health, and large employers like AT&T, IBM, and Walmart. Supporters such as the American Medical Association and the American Hospital Association cite improved data protection and administrative efficiency, while critics from the Electronic Frontier Foundation, the ACLU, and academics at Harvard Law School, Stanford Law School, and Georgetown University Law Center argue that complexity, costs, and weak enforcement limit effectiveness. Health information technology companies including Epic Systems Corporation and Cerner Corporation adapted products to meet standards, and large data breaches at firms like Anthem Inc. and Premera Blue Cross prompted further debate involving investigative outlets such as The Wall Street Journal and Reuters.
Subsequent statutes and rules intersecting with the Act include the Health Information Technology for Economic and Clinical Health Act, provisions of the American Recovery and Reinvestment Act of 2009 incentivizing electronic health records through Centers for Medicare & Medicaid Services programs, and the HITECH Act’s breach notification and enforcement enhancements. Other related laws and regulations involve the Genetic Information Nondiscrimination Act of 2008, the Affordable Care Act, state laws such as the California Confidentiality of Medical Information Act, and standards set by bodies like the Office of the National Coordinator for Health Information Technology. Judicial interpretations by courts including the United States Court of Appeals for the Ninth Circuit, the United States Court of Appeals for the Seventh Circuit, and decisions referencing precedents from the Supreme Court of the United States have further shaped application.