HIPAA History Timeline

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) exists in very different form in 2019 than it did in 1996. The law and its implementing regulations have been amended a number of times in 23 years. The HIPAA history timeline is presented below, which outlines the history of HIPAA.

What is the HIPAA History Timeline?

On August 21, 1996, in the midst of his re-election campaign, President Bill Clinton signed HIPAA into law. The U.S. Congress generally does not, when legislating, consider much of the finer or granular details of how a law should work, logistically. Instead, it delegates creation of regulations fleshing out the law to an administrative agency. 

HIPAA History Timeline

The text of the HIPAA law specifically tasked the Secretary of Health and Human Services (HHS) to develop privacy and security standards, in the form of regulations, to regulate covered entities, health plans, and healthcare clearinghouses.

HIPAA History Timeline: What is the History of the Security Rule and the Privacy Rule?

The HIPAA history timeline had its next notable event 2 years later. HHS took up the delegation charge by proposing a Security Rule in August of 1998. The purpose of the Security Rule was to better protect individual health information shared by health plans, healthcare clearinghouses, and healthcare providers. Five years later, the Security Rule was finalized. According to the history of HIPAA, the rule required covered entity compliance by April of 2005.

In 1999, HHS proposed the Privacy Rule. The proposed rule sought to improve privacy standards and to restrict the disclosure of PHI and personal identifiers to unauthorized individuals. The rule also sought to give patients better access to their health data.  On December 28, 2000 – weeks before the inauguration of President George W. Bush, the Privacy Rule was finalized. 

The next day, HHS made some technical corrections to the law. A notable correction created a requirement mandating that OCR enforce HIPAA. The technical corrections became effective in early 2001, when George W. Bush was President. The Bush administration decided to seek further input on the Privacy Rule. In other words, as part of the rulemaking process, HHS allowed the public to make comments on what modifications, if any, should be made to the Privacy Rule. HHS took note of the comments received and issued a Proposed Modified Privacy Rule in 2002. The proposed modified rule contained provisions designed to reduce administrative burdens on healthcare providers. Finally, in 2003, the Privacy Rule was finalized. Covered entity compliance was required by April 14 of 2003.

HIPAA History Timeline: What is the HIPAA Enforcement Rule?


In March of 2006, the HIPAA Enforcement Rule went into effect, heralding, essentially, the beginning of HIPAA compliance enforcement. OCR is given the authority to enforce the HIPAA Rules by imposing financial penalties against non-compliant entities. Two years pass without OCR issuing a single fine against entities that failed to implement the HIPAA Privacy and Security Rules. OCR only investigates one quarter of the cases brought to it between 2006 and 2008.

HIPAA History Timeline: Another Change in Power

When the Obama administration came into power in 2009, HIPAA-related legislation was promptly passed. In 2009, President Obama signed the Health Information Technology for Economic and Clinical Health Act (nicknamed the “HITECH” Act). This act was introduced as part of a larger piece of legislation known as the American Recovery and Reinvestment Act, or ARRA. ARRA is commonly referred to as “the bailout.” The HITECH Act introduced incentives to improve technology infrastructure and to encourage providers to switch to electronic health record (EHR) platforms.

The same year, the third substantive HIPAA Rule (after the Privacy Rule and the Security Rule) was finally issued. This rule, known as the Breach Notification Rule, requires covered entities to report data breaches to OCR, and to provide notice of a breach to individuals affected by the breach.

An October, 2009 HITECH Act Enforcement Rule is then issued, providing for a tiered financial penalty system. The maximum fine for a violation is increased to $1.5 million per violation.

HIPAA History Timeline: OCR Imposes Its First Monetary Penalty


In a watershed moment for HIPAA, on February 17, 2010, the HITECH Act becomes enforceable, and the tiered penalties can now be assessed. The following year, OCR begins its first round of HIPAA compliance audits (audits are held again in 2015).

HIPAA History Timeline: The HIPAA Omnibus Rule


The HIPAA Omnibus Rule, containing modifications to the Privacy, Security, Breach Notification, and Enforcement Rule, is finalized in 2012. The final Omnibus Rule becomes effective in 2013, and contains modifications to improve data security and confidentiality. Notably, under the Omnibus Rule, business associates are directly liable for HIPAA violations. Under the Omnibus Rule, business associate compliance with the Privacy Rule and the Security Rule becomes mandatory.

HIPAA Compliance Software

Learn How Simple Compliance Can Be