HIPAA Timeline

HIPAA Privacy Rule Compliance Timeline

Following is a chronology of key dates in the compliance continuum of the Health Care Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191).

August 21, 1996 – HIPAA takes effect. Congress gives itself three years to pass comprehensive health privacy legislation; failing that, the Department of Health and Human Services (HHS) is directed to do so by regulation.

August 9, 1998 – HHS publishes a Notice of Proposed Rulemaking (NPRM) proposing national electronic data security standards and requests public comment.

August 21, 1999 – Congress fails to enact comprehensive health privacy legislation by the close of the mandated period.

October 29, 1999 – HHS issues NPRM designed to guarantee patients new rights and protections against the misuse or inappropriate disclosure of their health records. This proposal becomes known as the “Privacy Rule.”

November, 1999 – December, 2000 – During its extended public comment period, HHS receives more than 52,000 individual public comments on the proposed rule. The Department of Health and Human Services estimates that the entire 10-year implementation process will affect over 600,000 entities at a cost in excess of $17.6 billion, against a potential savings of $29.9 billion achieved by standardizing and automating health payment and data transactions.

August 17, 2000 – The final rule on Standards for Electronic Transactions is published.

December 28, 2000 – HHS publishes the final Privacy Rule, as required by Sections 261-264 of HIPAA, announces an effective date of March 30, 2001, and requests comments.

February 28, 2001 – The HHS Secretary publishes technical amendments to the final Privacy Rule and requests comments.

March 26, 2001 – ADA petitions HHS for a delay in the compliance date of the final Privacy Rule, pending requested changes.

March 30, 2001 – The period for public comments on the final Privacy Rule closes.

April 14, 2001 – The final Privacy Rule takes effect. Consistent with the enabling law, it establishes a two-year period during which “covered entities” must come into compliance with its provisions.

April – December, 2001 – The final Privacy Rule itself, and the final Transactions and Code Sets Rule’s compliance date of October 16, 2001, give rise to substantial concern among health care plans, institutions, and individual providers. H.R. 3323 is introduced for the purpose of delaying compliance deadlines and making statutory changes, if necessary. ADA provides formal comments on the final rule.

July 6, 2001 – HHS releases a formal guidance on the final Privacy Rule, providing additional information on its provisions and their applicability. HHS announces that this guidance is the first in a planned series of several technical assistance releases; their frequency and detail will depend on ongoing public comment.

December 27, 2001 – President Bush signs H.R. 3323 into law. It provides for a delay of up to one year, if requested of and approved by the HHS Secretary, of the compliance deadline for the final Transactions and Code Sets Rule. The final deadline for compliance with the final Privacy Rule—April 14, 2003—is unaffected.

Winter – Spring, 2002 – ADA continues with its HIPAA compliance implementation plan including the development of HIPAA Privacy and Security Kits for members.

January 14, 2002 – HHS amends the first July 6th guidance to remove a Question & Answer concerning when an authorization would be required for uses and disclosures for treatment, payment, and health care operations. (NOTE: Illustrates that guidance development is an ongoing process.)

March 27, 2002 – HHS publishes proposed revisions to the Privacy Rule.

April 26, 2002 – Thirty-day public comment period ends on revisions to the Privacy Rule.

July, 2002 – ADA’s Council on Dental Practice begins accepting requests from states to schedule HIPAA updates.

Fall – Winter, 2002 – Tripartite members focus on HIPAA implementation and compliance issues at respective levels of influence. ADA continues to monitor developments, consult frequently with HHS representatives, and provide appropriate updates and advice to constituent societies. CDA coordinates internal and external HIPAA compliance education and training and monitors state legislative and regulatory processes to assure that federal compliance is not jeopardized by conflicting layers of regulation.

October 15, 2002 – Date by which regulated entities (e.g., dentists) desiring the one-year extension on the compliance deadline for the Transactions and Code Sets Rule (to October 16, 2003) must have submitted their applications for the extension to HHS.

February 20, 2003 – HHS issues final HIPAA Security Rule.

April 14, 2003 – All covered entities must be in compliance with the final HIPAA Privacy Rule or face imposition of federal penalties.

October 16, 2003 – All covered plans and institutions must be in compliance with the final Standardized Transactions and Code Sets Rule to avoid possible federal sanctions, including suspension from participation in Medicare.

April 14, 2004 – All small health plans (those with annual revenues of less than six million dollars) must be in compliance with the HIPAA Privacy Rule.

April 21, 2005 – All covered entities (except small health plans) must be in compliance with the final HIPAA Security Rule.

April 21, 2006 – All small health plans must be in compliance with the HIPAA Security Rule.

May 23, 2007 – All covered entities (except small health plans) must be in compliance with the National Provider Identification Rule.

May 23, 2008 – All small health plans must be in compliance with the HIPAA Provider Identification Rule.

 

Copyright © 1995-2006 California Dental Association, All Rights Reserved.