Patient privacy is as old as medicine itself. The Hippocratic Oath, written more than 2,000 years ago, made confidentiality a cornerstone of the profession: "Whatever I see or hear in the lives of my patients... I will keep secret." In the United States, HIPAA has governed the flow of healthcare information and the protection of personal health data for 25 years.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Its original focus was ensuring that workers could keep insurance coverage between jobs; its Administrative Simplification provisions also directed HHS to adopt national privacy and security standards for health information. Enforcement was slow to follow: HHS did not impose its first civil money penalty until 2011, fifteen years after the law was passed.
| Year | Regulation | Key Provision |
|---|---|---|
| 1996 | HIPAA Enacted | Insurance portability; initial privacy framework |
| 2003 | Privacy & Security Rules | Privacy Rule compliance required (standards for PHI in any form); Security Rule published, with safeguards for e-PHI required by 2005 |
| 2006 | Enforcement Rule | Procedures for OCR investigations and civil money penalties |
| 2009 | HITECH Act | EHR adoption stimulus; Breach Notification Rule |
| 2013 | Final Omnibus Rule | HITECH changes finalized; business associates made directly liable; breach risk-assessment standard |
| 2020 | COVID-19 Waivers | Limited waiver of Privacy Rule sanctions for hospitals; telehealth enforcement discretion |
As telehealth and digital health platforms proliferate, HIPAA's importance has grown significantly. The Privacy Rule sets national standards for how covered entities and their business associates may use and disclose protected health information (PHI) in any form, whether paper, oral, or electronic, and gives patients rights such as access to their own records. The Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (e-PHI). The Breach Notification Rule requires covered entities to notify affected individuals of any breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must also be reported to HHS and to prominent media outlets at the same time, while smaller breaches are logged and reported to HHS annually. PHI encrypted in line with HHS guidance is not considered "unsecured," so the loss of a properly encrypted device does not by itself trigger notification, which is why encryption of laptops and portable media is the single most common breach-avoidance control.
During the pandemic, HHS issued new guidance to help covered entities navigate privacy standards in a public health crisis. In March 2020, HHS Secretary Alex Azar announced a limited waiver of sanctions and penalties for hospitals that had activated a disaster protocol; the waiver covered only specific Privacy Rule provisions (such as distributing the notice of privacy practices, obtaining patient agreement before speaking with family, and honoring requests to opt out of the facility directory) and applied only for the 72 hours after the protocol was activated. Separately, OCR announced that it would not impose penalties for the good-faith provision of telehealth through non-public-facing remote communication products, regardless of whether the visit was related to COVID-19; public-facing live-streaming services remained out of bounds. That enforcement discretion was tied to the public health emergency and ended with it in May 2023, after a transition period through August 9, 2023, so telehealth platforms must once again meet the Security Rule and be covered by business associate agreements.
HIPAA sets the baseline for safeguarding patient privacy in an age of cloud services and mobile devices while still allowing providers to exchange information efficiently. As healthcare becomes increasingly digital, we expect HHS to release additional guidance on fitting new technologies, including AI-driven diagnostics and blockchain-based health records, into the HIPAA framework. Until it does, the rules are technology-neutral: a covered entity adopting any new tool must map it onto the existing Security Rule safeguards, conduct the required risk analysis, and put a business associate agreement in place with any vendor that will handle PHI.