Health Policy Monitor

HI Portability and Accountability Act, 1996

Partner Institute: Institute for Global Health (IGH), University of California Berkeley/San Francisco
Survey no: 
Health Policy Issues: System Organisation/Integration, Political Context, Others, Access
Current Process Stages (implemented in this survey?)
  • Idea: no
  • Pilot: no
  • Policy Paper: no
  • Legislation: no
  • Implementation: yes
  • Evaluation: no
  • Change: no
Featured in half-yearly report: Health Policy Developments Issue 2

Purpose of health policy or idea

HIPAA, the Health Insurance Portability and Accountability Act of 1996, provides legislation to protect workers who leave their jobs from losing their ability to be covered by health insurance (Portability), and to protect the integrity, confidentiality, and availability of electronic health information (Accountability).

The enforcement of compliance standards for electronic transmissions marks a rare case where the national government has stepped in to enforce IT standards, a role normally left to the private sector. The implementation deadline for the new compliance standards was October 16th, 2002. However, a survey of over 600 healthcare organizations revealed that only 41% of providers and 60% of health insurance plans had implemented these standards as of August 2002; many filed for a one-year extension, which requires compliance by October 2003. Another key area of legislation under HIPAA is the Federal Health Privacy Act, which requires compliance with standards to protect patient health data by April 14th, 2003 (see Federal Health Privacy Act Survey). The Blue Cross Blue Shield Association estimates that HIPAA compliance will cost the health industry close to $43 billion in IT and training expenses.

The specific rules associated with each provision are released and managed by the U.S. Department of Health and Human Services. The Centers for Medicare & Medicaid Services (CMS) is responsible for implementing the various provisions of HIPAA. The regulations involving HIPAA consist of two key pieces of legislation, Title II being the most significant in terms of costs to the industry and changes to the status quo:

Title I: Health Insurance Reform

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.   It amends the Employee Retirement Income Security Act of 1974 (ERISA) to add group health plan portability, access, and renewability requirements.  It also limits preexisting condition exclusion periods and mandates crediting periods of previous coverage.  This regulation prohibits discrimination against individual participants and beneficiaries based on health status, both in eligibility to enroll and in premium contributions.

Title II: Administrative Simplification

The Administrative Simplification provisions require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. They also address the security and privacy of health data. Adopting these standards is expected to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care. Most of the detailed regulations and code sets were published and modified from May of 1998 to July of 2001. The initial standards for electronic transmission required a compliance date of October 16th, 2002; however, certain small plans and requests for extensions have been granted until April 16th, 2003. Final privacy rules were published in August 2002 and require compliance by April 14th, 2003.

There are four main provisions under the Administrative Simplification Act:

  • National Standards for electronic transmission (compliance 10/16/02)
  • Unique health identifiers for patients, providers, health plans, and employers (compliance 2004-2005)
  • Security standards for electronically maintained health data (compliance 4/21/05)
  • Privacy rule to protect individual health information (compliance 4/14/03)

The Administrative Simplification Provision applies to health plans, health care clearinghouses, and those health care providers who transmit health information in electronic form. This legislation's intent is to reduce the administrative costs of providing and paying for health care by requiring standards be adopted for electronic transactions, unique health identifiers, code sets, security and privacy of electronic health information, and electronic signatures.

Other provisions under HIPAA include

Title III: Tax-Related Health Provisions

This provision amends the Internal Revenue Code to allow a deduction for limited amounts paid to a medical savings account (MSA). "Medical savings account" is defined as a trust for paying the account holder's medical expenses. It also increases the deduction for medical insurance expenditures by self-employed individuals. 

Title IV: Application and Enforcement of Group Health Plan Requirements

Title IV prohibits a group health plan from refusing to enroll, subject to exceptions, an individual because of the individual's: (1) health status; (2) medical condition; (3) claims experience; (4) receipt of health care; (5) medical history; (6) genetic information; (7) evidence of insurability; or (8) disability.

Title V: Revenue Offsets

This law revises provisions prohibiting a deduction for interest on loans with respect to company-owned life insurance, including a revision which prohibits a deduction for interest on loans with respect to company-owned endowment or annuity contracts.

Fines

Congress prescribed penalties for noncompliance with any provision of the HIPAA mandates. This includes civil fines of up to $100 per occurrence, with a maximum of $25,000 per calendar year for each regulation violated.


Characteristics of this policy

  • Degree of Innovation: innovative (scale: traditional to innovative)
  • Degree of Controversy: neutral (scale: consensual to highly controversial)
  • Structural or Systemic Impact: rather fundamental (scale: marginal to fundamental)
  • Public Visibility: very high (scale: very low to very high)
  • Transferability: rather system-neutral (scale: strongly system-dependent to system-neutral)

Political and economic background

HIPAA (1996) was signed into legislation by President Clinton in an effort to coordinate and standardize electronic transmissions in the health insurance industry. The first move towards establishing a national standard was the development and implementation of the Health Care Financing Administration (now the Centers for Medicare and Medicaid Services) claims forms in 1982. HIPAA legislation was enacted in response to national concerns about the need for health care insurance reform and in direct response to the failure of the Clinton Health Care proposals of 1994. HIPAA is also referred to as the Kassebaum-Kennedy Act, named after the original sponsors of the bill, Senators Nancy Kassebaum (R-KS) and Edward Kennedy (D-MA).

Purpose and process analysis

Origins of health policy idea

By 1990, several industries had embraced the use of standards-based electronic data interchange to facilitate the processing of routine business transactions, especially the insurance industry.  Committees established in the private sector, such as the X12 insurance subcommittee, developed the health industry's first transaction standards for claims, remittance advice and enrollment.  However, as momentum grew for the need of such standards to increase efficiency across all segments of the health care service chain, it became clear that a government mandate would be needed to require all players to adopt such standards.

Health and Human Services (HHS) Secretary Louis Sullivan announced in February 1991 the formation of the Workgroup for Electronic Data Interchange (WEDI), a coalition to cooperatively study Electronic Data Interchange (EDI) issues, publish recommendations and sponsor pilot projects. The WEDI report estimated that if standard electronic formats for claims and related transactions were implemented, it would result in $40 billion in savings to the insurance industry in the first 6 years of adoption.

The first piece of formal legislation related to HIPAA was Representative Pete Stark's 1992 proposal to develop a series of regional claims clearinghouses across the nation. EDI vendors formed the Association for Electronic Health Care Transactions and began lobbying for administrative simplification legislation. In the 1995-96 congressional session, Congressman Hobson actively took on the role of trying to include administrative simplification in legislation that looked likely to pass through both houses (Senate and Assembly). In the Senate, he worked with Senators Nancy Kassebaum and Edward Kennedy to push a health insurance portability bill through. In 1996, the Kennedy-Kassebaum Act, which is now HIPAA, became law; it had widespread support from providers, payers, and individuals, since it included regulation for health information privacy at a time when sensitive issues such as HIV status disclosure were becoming a growing concern.

In summary, the legislation for HIPAA was driven by three main forces:

  • Lack of standardization for the collection, storage, and transmission of data, which led to higher administrative costs and lower utility of the data.
  • Increasing health care costs which required uniform health care data in order to evaluate coverage and treatment strategies.
  • Privacy concerns on the part of patients as electronic transmission of personal health data became common practice in the industry.

Stakeholder positions

All health care organizations will be affected by this legislation. This includes all health care providers, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.  Complying with HIPAA is expected to cost the industry nearly $43 billion, according to the Blue Cross Blue Shield Association, and $17.5 billion according to HHS. Not all that spending will go toward technology upgrades since training costs are considered to be significant for HIPAA compliance as well.  Initially, the policy had tremendous support by both providers and payers in the industry.  However, the significant costs incurred by providers, payers, and claims clearing houses to comply, as well as the aggressive deadlines and associated fines, have raised concerns among health care organizations about achieving the standards stipulated in the rules published by Health and Human Services.

Since HIPAA was signed into law in 1996, all stakeholders are mandated to comply with the regulation.  Several implementation guides and policy papers have been released by CMS, HHS, policy researchers, as well as by several private sector committees for specific stakeholders. As health care organizations began work to implement standard transactions, they found flaws in the HIPAA-mandated implementation guides and brought concerns to X12N and other standards organizations. The standards organizations fixed problems with transactions and modified the rules for code sets. However, by 2001, many in the industry realized they could not meet the Oct. 16, 2002, compliance deadline for the transactions rule. Led by the Blue Cross and Blue Shield Association, a coalition of payers and providers successfully lobbied Congress and the new administration of President George W. Bush for an extension. In late 2001 the Administrative Simplification Compliance Act extended the transactions rule deadline by one year (to October 16th, 2003) for entities that requested an extension and for small organisations.  However, the October 16th, 2002 deadline still holds for most health care organisations.

The final Privacy Rules for HIPAA were released in August 2002 by the Bush Administration; these rules mainly affect providers and patients. The Bush Administration has loosened the original regulation proposed in the Clinton Administration, which has led several patient privacy advocate groups to demand a reformulation of the final rules. Though no amendment to this provision has been released by HHS, questions still remain as to how rigorously the rules will be enforced and whether more stringent regulation will be passed at a future date (see Federal Health Privacy Survey).

Influences in policy making and legislation

HIPAA was formally legislated by the federal government in 1996. Several modifications have been made to the standards for electronic transmission and code sets for compliance, though no fundamental changes have been made to the original legislation in these areas. In the provision for patient privacy, some stakeholders feel that the final rules released by the Bush Administration in August 2002 compromise the original proposal by not requiring written consent in several cases of data exchange, as well as by leaving loopholes for paper-based medical records to be shared without the knowledge of the patient.

Adoption and implementation

All health care companies are required to implement the HIPAA provisions or be faced with fines for non-compliance. The Department of Health and Human Services has organized several workshops for providers and payers. In addition, several groups such as the Workgroup for Electronic Data Interchange (WEDI), the Government Information Value Exchange for States, National Committee on Vital Health Statistics, Association for Electronic Health Care Transactions, and National Medicaid EDI HIPAA group (NMEH) are actively assisting stakeholders in implementing HIPAA.

In the coming year, CMS will assemble an enforcement staff, write an enforcement regulation that outlines the enforcement program, implement the enforcement system and begin accepting complaints as the agency responsible for overseeing the administrative simplification rule. HHS has given CMS a budget of $10 million for fiscal year 2004.  HHS's department for enforcement, The Office of Civil Rights, would receive $34 million for its overall budget.

Stakeholders are active participants not only as implementers of HIPAA but are also involved in the development of the final rules.  First, each proposed rule is approved from within the government. Then, the public is given the opportunity to comment on the proposal. Those comments are analyzed and considered in the development of each final rule.  Therefore, stakeholder consensus is necessary for the adoption of the specific regulations set by HIPAA.  Obstacles still remain in terms of assigning resources and shouldering the costs for becoming compliant on the part of the provider, payer, and clearinghouse organizations.  But because of the significant interest group participation and stakeholder presence in the formulation of this policy, HHS has been receptive to extending deadlines and modifying rules to achieve the best for all groups involved.

Based on a recent survey of healthcare organizations, providers have made the least progress toward HIPAA compliance. Only 41% of providers have begun implementing HIPAA-mandated electronic transactions and code sets. By comparison, more than 70% of clearinghouses are currently in some phase of implementing transaction rule requirements, while 67% of payers and 60% of technology vendors have also begun implementation.

This legislation provides a significant opportunity to technology companies (software, hardware, and IT services), which are the main vehicle for helping health care organizations become compliant. This can translate to tens of billions of dollars for the IT industry, which has developed software packages and implementation services.

Monitoring and evaluation

This policy will be closely monitored by both the Centers for Medicare and Medicaid Services and the Health and Human Services federal agencies.  In addition, WEDI and other electronic standards committees mentioned in Section 5.4 will be reviewing standards and helping in the development of amendments or new rules. 

Expected outcome

The main objectives of HIPAA are as follows:

  • Improve efficiency of the national health system
  • Reduce administrative overhead costs
  • Reduce fraud and abuse
  • Protect patient rights and privacy of health data
  • Improve quality of care through continual access to coverage and data
  • Improve information available for decision-making
  • Improve security of Internet based technologies

It seems likely that these goals will be achieved in the long run, though current costs to implement HIPAA compliance are very high for health care organizations and the government (estimated by the private sector at $43 billion). Quality will be improved since data will be reliable and accessible. However, due to changes in the privacy regulation, there may be loopholes for paper-based data and patient privacy. In addition, the high costs associated with implementing HIPAA may make it prohibitive for payers to offer lower coverage premiums to consumers.


Suggested citation for this online article

. "HI Portability and Accountability Act, 1996". Health Policy Monitor, 20030501. Available at