Your partner to navigate the complexity of an evolving regulatory environment.

HIPAA Compliance, Made Easy.

HIPAA has changed a lot since it was first introduced in 1996, and this trend can only be expected to continue. We offer full HIPAA compliance consulting and have training programs for small physician practices, hospitals, and health insurance providers. Most importantly, we try to make understanding HIPAA fun and easy in our training programs.

Contact us for a consultation and a complimentary compliance check to ensure your organization is HIPAA compliant.

Continue reading below for a quick historical review.


1996 - Hello HIPAA

The Health Insurance Portability and Accountability Act, or HIPAA, was signed with the objective of improving the accountability of health insurance coverage and combating waste, fraud, and abuse. Notably, the act also introduced tax breaks on the use of medical savings accounts, provided coverage for employees with pre-existing medical conditions, and aimed to simplify the administration of health insurance.

2000 - Privacy Rule

Once HIPAA became law, the first Privacy and Security Rules were created under it. The Privacy Rule defines Protected Health Information (PHI) as "any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual."

The Privacy Rule defined how Protected Health Information (PHI) may be shared and disclosed. The patient's permission is required before any information may be used for research, and patients have the right to withhold information about their healthcare from insurance providers if their treatment is privately funded.

2003 - Security Rule

The Security Rule defined three categories of safeguards – administrative, physical, and technical – that must be adhered to in order to fully comply with HIPAA. The safeguards are as follows:

  1. Administrative – create policies and procedures designed to clearly show how the entity will comply with the act.
  2. Physical – control physical access to areas of data storage to protect against inappropriate access.
  3. Technical – protect communications containing PHI when transmitted electronically over open networks.

2006 - Enforcement Rule

The failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules resulted in the introduction of the Enforcement Rule. The Enforcement Rule gave the Department of Health and Human Services the power to investigate covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of electronic Protected Health Information (PHI) caused by not following the safeguards in the Security Rule.

The Department’s Office for Civil Rights was also given the power to bring criminal charges against persistent offenders who fail to introduce corrective measures within 30 days. Further, individuals now have the right to pursue civil legal action against a covered entity if their personal healthcare information has been disclosed without their permission.

2009 - ARRA and HITECH

The American Recovery and Reinvestment Act of 2009 (ARRA) was a stimulus package that included $155 billion for healthcare, the biggest beneficiaries being Medicaid ($86.8 billion) and HITECH ($25.9 billion).

The primary goal of the Health Information Technology for Economic and Clinical Health Act (HITECH) was to accelerate the adoption of Electronic Health Record software by all healthcare entities, and it introduced the Meaningful Use incentive program. Also introduced was the Breach Notification Rule, which stipulates that any breach of Protected Health Information (PHI) affecting more than 500 individuals must be reported to the Department of Health and Human Services’ Office for Civil Rights.

2013 - Omnibus Final Rule

The Final Omnibus Rule introduced little new legislation, but rather filled in the gaps in existing HIPAA and HITECH regulations, for example by specifying the encryption standards that need to be applied to Protected Health Information (PHI) in order to render the information undecipherable in the event of a breach. Many definitions were amended to clear up grey areas, most notably relating to the expansion of HIPAA requirements to include business associates, where originally only covered entities had been required to uphold HIPAA regulations.

The Privacy and Security Rules were amended: notably, a patient’s health information may be held indefinitely (previous legislation stipulated it be held for fifty years), and new procedures were written into the Breach Notification Rule. New penalties, as dictated by HITECH, were also applied to covered entities that violated the HIPAA Enforcement Rule.

Amendments were made for technological advances, most notably covering the use of mobile devices. Healthcare professionals often use their mobile devices to access and communicate Protected Health Information (PHI), and the Final Omnibus Rule includes procedures and policies covering this scenario and others not foreseen in 1996.



Our compliance program will help your organization achieve full HIPAA compliance and covers a comprehensive list of HIPAA elements including

Set up a free onsite HIPAA review for your organization