Security and Electronic Signature Standards Rule (Security Rule) Proposed
New legislation proposed to further improve security standards to better protect individual health information shared by health plans, healthcare clearinghouses and healthcare providers. Legislation also covers use of electronic signatures by HIPAA Covered Entities -
HIPAA Introduced
Congress passes the Health Insurance Portability and Accountability Act (HIPAA) which is signed by President Bill Clinton. Process of modernizing healthcare information exchange begins. Bill also ensures workers do not lose health insurance coverage when changing employment -
Period: to
HIPAA Implementation
Privacy Rule Proposed
Privacy Rule proposed to improve privacy standards and restrict disclosure of PHI and personal identifiers to unauthorized individuals. Patients will also be given better access to their health data. -
HIPAA Privacy Rule Issued
Privacy Final Rule issued, only to receive technical corrections the following day. The corrections cover compliance dates and access to PHI by the clergy. OCR delegated responsibility for policing HIPAA -
HIPAA Delays
Privacy Final Rule technical corrections scheduled to go into effect on February 26, but Bush administration reopens comment period, delaying introduction of new legislation -
Proposed Privacy Rule Modified
HHS makes changes to proposed Privacy Rule to clarify its provisions and to ease administrative burden on healthcare providers -
HIPAA Security Standards Final Rule Issued
Security Rule issued requiring CEs to use appropriate administrative, physical, and technical safeguards to protect confidentiality, integrity, and security of ePHI -
HIPAA Privacy Rule Compliance Deadline
Privacy Rule comes into effect and requires all CEs to allow patients access to their health information on request, while limits are placed on how, when and to whom health records can be disclosed -
Transactions and Code Sets Rule Deadline
Deadline for adopting new codes for transactions and electronic exchanges including new diagnosis and procedure codes. Change intended to increase standards and improve efficiencies in healthcare industry. -
HIPAA Enforcement Rule - Proposed Rule
Enforcement Rule proposed, giving OCR control of investigations into HIPAA violations and the issuing of financial penalties for HIPAA violations. Procedure for hearings introduced -
HIPAA Security Rule Compliance Deadline
Covered healthcare organizations must comply with new requirements of Security Rule and implement greater controls to keep health records secure and confidential. Allows OCR to issue civil penalties for violations -
Enforcement Rule Goes into Effect
Enforcement Rule goes into effect marking start of new phase in HIPAA compliance in which OCR can issue financial penalties for a CE failing to implement requirements of HIPAA Privacy and Security Rules -
OCR Criticized for Lack of Enforcement
OCR criticized for apparent lack of enforcement of HIPAA Privacy and Security Rules. No fines imposed on organizations by this point in spite of over 33,000 complaints. 8,000 complaints investigated and no financial penalties issued. HHS urges OCR to get tough on offenders. -
First OCR Settlement for HIPAA Violations
OCR issues first financial penalty to CVS Pharmacy Inc which is ordered to pay $2.25 M for improperly dumping patient health records -
HITECH Act Signed
Health Information Technology for Economic and Clinical Health Act introduced as part of The American Recovery and Reinvestment Act of 2009 (ARRA). Introduces incentives to improve information technology infrastructure and encourage use of EHR systems -
Breach Notifications Interim Regulations Issued
HHS introduces regulations covering data breaches as required by HITECH Act. Requires CEs to report data breaches to OCR and notify potential victims of incidents which expose personal and health information -
HITECH Act Enforcement Interim Rule Issued
HITECH Enforcement interim rule issued which includes new tiered structure of financial penalties for HIPAA violations based on 4 categories of culpability. Rule significantly increases fines for violations up to $1.5 million per identical violation -
HITECH Enforcement Begins
HITECH becomes enforceable with new financial penalties -
First Attorney General HIPAA Fine Issued
Connecticut Attorney General fines Health Net Inc. for failure to comply with HIPAA Privacy and Security Rules. Fined $250,000 for loss of unencrypted hard drive containing PHI of 1.5 million Americans. -
HIPAA Compliance Audits Begin with OCR
OCR performs 115 audits on healthcare organizations, healthcare clearinghouses, and health plans in pilot round of audits -
Omnibus Final Rule Takes Effect
Modifications to HIPAA Privacy, Security, Enforcement, and Breach Notification Rules received for review by White House Office of Management and Budget. Includes updates to HIPAA and HITECH covering breach notification; BAs can be held liable for breaches and certain HIPAA violations -
Omnibus Rule Compliance Deadline
Omnibus Final Rule becomes enforceable after technical corrections made. BAs and their contractors are subject to the rule and may face a financial penalty of up to $1.5 M per violation.