History of HIPAA: How the Standard Has Evolved Since 1996

March 21, 2023

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe


Jonathan Leach

Manager of Customer Success and Former Senior Compliance Manager at Secureframe

The Health Insurance Portability and Accountability Act (HIPAA) is landmark legislation that changed the US healthcare industry by modernizing how private patient data is collected, stored, accessed, and shared. 

Below, we dive into the history of HIPAA, including who created it, why, when it became a law, and how it has evolved in the past decades.

What is HIPAA law?

HIPAA is a US federal law that establishes information security standards that all healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must adhere to. 

Complying with the HIPAA law requires covered entities to put safeguards in place to secure and protect sensitive patient data, known as protected health information (PHI).


When did HIPAA become law?

HIPAA was signed into law on August 21, 1996.

Who created HIPAA?

The United States Congress and President Bill Clinton passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. 

The original legislation has significantly evolved since then. Starting in 2000, the US Department of Health and Human Services (HHS) has issued several rules to help healthcare organizations and their business associates implement the requirements of HIPAA. These include:

  • Privacy Rule: regulates the use and disclosure of patient information
  • Security Rule: establishes physical, technical, and administrative security measures
  • Breach Notification Rule: establishes guidelines for how and when to report violations
  • Enforcement Rule: provides instruction for regulating liability and imposing penalties for violations
  • Omnibus Rule: outlines how business associates should handle PHI

Where does HIPAA apply?

HIPAA applies to all covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates operating in the US.

There are circumstances where it can apply internationally as well. When a business that operates outside of the US works with companies that have access to the health information of US residents, HIPAA can apply.

Why was HIPAA created?

HIPAA was created to improve the portability and accountability of health insurance coverage. 

  • Portability refers to ensuring health insurance coverage for employees who are between jobs. Without HIPAA, individuals in this situation could be left without access to health insurance and potentially unable to pay for necessary healthcare. 
  • Accountability refers to preventing healthcare fraud and abuse by keeping PHI secure. HIPAA rules and requirements hold healthcare organizations accountable for the data they store, handle, access, and transfer.

HIPAA History Timeline

Since HIPAA was passed in 1996, the legislation has evolved to keep up with new technologies, the exponential growth of health data, and increasingly sophisticated cyber threats. Below, we dive into the timeline of HIPAA since its creation. 

  • August 1996: President Bill Clinton signed HIPAA into law.
  • November 1999: HHS released a proposal of the HIPAA Privacy Rule for public comment.
  • December 2000: HHS published a final Privacy Rule.
  • August 2002: HHS published modifications to the Privacy Rule.
  • February 2003: HHS published a final Security Rule.
  • April 2003: Enforcement of the Privacy Rule began for most HIPAA-covered entities. Small health plans received an additional year to comply.
  • April 2003: HHS issued the Enforcement Rule as an interim final rule to explain how HHS would conduct investigations into complaints against HIPAA-covered entities.
  • April 2005: Enforcement of the Security Rule began for most HIPAA-covered entities. Small health plans received an additional year to comply.
  • February 2006: HHS published a final Enforcement Rule.
  • February 2009: The HITECH Act was enacted under Title XIII of the American Recovery and Reinvestment Act to strengthen the privacy and security protections of health information established by HIPAA.
  • April 2009: HHS requested public comment on the breach notification provisions of the HITECH Act.
  • July 2009: HHS’ Office for Civil Rights became responsible for enforcing the Security Rule as well as the Privacy Rule.
  • August 2009: HHS published a final Breach Notification Rule.
  • July 2010: HHS proposed modifications to the Privacy, Security, and Enforcement Rules under HITECH.
  • January 2013: HHS published modifications to the Privacy, Security, Breach Notification, and Enforcement Rules under HITECH. These modifications collectively became known as the Omnibus Rule.
  • September 2013: Covered entities and business associates were required to comply with the Omnibus Rule.
  • January 2021: HHS proposed modifications to the Privacy Rule to improve coordinated care. The comment period was extended to May 2021. These modifications are still under review at the time of this publication.

Additional Standards that Supplement HIPAA

Over the years, HHS and other organizations have released additional standards that expand on HIPAA or help covered entities meet HIPAA requirements and regulations. 

HITECH Act

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted under Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009. It was designed to promote the widespread adoption and standardization of health information technology. To support this goal, it included amendments designed to strengthen the privacy and security protections of health information established by HIPAA, as well as incentives for covered entities to implement electronic health records.

HITRUST CSF

In 2007, the Health Information Trust (HITRUST) Alliance was formed to provide clarity and consistency for organizations that need to comply with several data privacy and security laws and frameworks, including HIPAA, ISO 27001, NIST, and PCI DSS, among others. In 2009, it published a common security framework (HITRUST CSF) to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

While it was developed to supplement HIPAA, HITRUST CSF has been globally adopted by organizations in nearly every industry.

How Secureframe can help you stay HIPAA compliant

Just as HIPAA history shows, the future of compliance will continue to evolve along with new technologies and cyber threats. 

Companies like Secureframe can help ensure your business is staying up to date with the latest HIPAA rules and regulations.

With on-staff HIPAA experts, you’ll be alerted to any HIPAA updates that might affect you. Secureframe’s automatic evidence collection will also send real-time alerts for any non-conformities so you’re able to maintain HIPAA compliance with less stress on your team.