What Rules Were Added to HIPAA Over the Years?

HIPAA started as a relatively narrow law in 1996, focused mainly on insurance portability and standardizing electronic health transactions. Since then, a series of major rules have been layered on top of it, transforming HIPAA into the broad health privacy and security framework it is today. Here’s what was added and when.

The Privacy Rule (2003)

The first major addition was the Privacy Rule, which took effect in 2003 and created national standards for protecting health information. Before this rule, there was no consistent federal requirement governing who could see your medical records or what they could do with them.

The Privacy Rule covers all “individually identifiable health information” held or transmitted by a covered entity (health plans, health care clearinghouses, and health care providers that conduct standard transactions electronically), and by their business associates (bound only through contract at first, and directly since HITECH). That includes anything in electronic, paper, or oral form. Protected health information, or PHI, encompasses demographic data, records about past, present, or future physical or mental health conditions, the health care you received, and how it was paid for. If any of that data identifies you or could reasonably be used to identify you, it’s protected; properly de-identified data is not.

The rule gave patients specific rights for the first time: the right to access your own records, the right to request amendments, and the right to an accounting of disclosures (with a notable carve-out: routine disclosures for treatment, payment, and health care operations do not have to be listed). It also set limits on how covered entities can use or disclose PHI without your authorization, anchored by the “minimum necessary” standard for most uses and disclosures.

The Security Rule (2005)

While the Privacy Rule addressed who can access health information, the Security Rule addressed how to keep electronic protected health information (ePHI) safe; unlike the Privacy Rule, it does not apply to paper or oral information. Its compliance date was April 2005 for most covered entities (2006 for small health plans), and it established three categories of required safeguards.

Administrative safeguards are the policies and procedures an organization must have in place. These include conducting a formal risk analysis, training employees on security awareness, creating a sanction policy for workforce members who violate rules, maintaining a contingency plan with data backup and disaster recovery procedures, and establishing clear processes for granting and revoking access to health information when employees are hired or leave.

Physical safeguards govern the actual buildings and devices where health data lives. Organizations need facility access controls, rules for workstation use and security, and protocols for disposing of or reusing devices and media that contained health information.

Technical safeguards deal with the technology itself. Access controls require a unique identifier for each user, and systems need audit controls that record who accessed what and when. Integrity controls and person or entity authentication round out the list, and transmission security protects data sent over networks. The rule distinguishes between “required” implementation specifications that every covered entity must implement and “addressable” ones where an organization can adopt the measure, implement an equivalent alternative, or document why neither is reasonable and appropriate based on its risk analysis. Encryption, both at rest and in transit, is addressable rather than required, which is often misread as optional; it is not. An entity that declines to encrypt must document the decision and the compensating measures, and since HITECH an unencrypted breach also triggers notification duties that an encrypted one would not.

The Enforcement Rule (2006)

HIPAA’s original enforcement mechanisms were weak. The 2006 Enforcement Rule gave the Secretary of Health and Human Services a single formal framework for investigating complaints, seeking voluntary compliance, and imposing civil money penalties when needed. That authority is delegated to the Office for Civil Rights (OCR) for the Privacy Rule, and since 2009 for the Security Rule as well (the Centers for Medicare & Medicaid Services handled Security Rule enforcement before then).

Under this rule, OCR can review an organization’s policies, procedures, and practices when a complaint is filed, and it can also open a compliance review on its own initiative, for example after a reported breach. The process starts cooperatively. If an investigation reveals noncompliance, OCR first tries to resolve it informally through corrective action plans or other agreements. Financial penalties come into play when informal resolution fails.

The rule lists specific factors that determine how large a penalty can be: the nature and extent of the violation, how long it lasted and how many people it affected, whether it caused physical, financial, or reputational harm, the organization’s compliance history, and even its financial condition and size. (The four culpability tiers, from “did not know” up to uncorrected willful neglect, came later with HITECH in 2009.) In practice this means a small clinic that makes an honest mistake faces very different consequences than a large insurer that ignores known problems.

The HITECH Act and Breach Notification Rule (2009)

The HITECH Act, passed as part of the 2009 economic stimulus package, was the single biggest expansion of HIPAA’s reach. It strengthened enforcement, increased penalties dramatically, and for the first time required organizations to tell people when their health information had been compromised.

The Breach Notification Rule applies to breaches of “unsecured” PHI, meaning PHI not rendered unusable, unreadable, or indecipherable by a method HHS has specified in guidance, such as encryption; a lost device whose data was properly encrypted does not trigger notification. For unsecured PHI, the rule created a tiered reporting system based on how many people are affected. All breaches require notifying the affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If a breach involves more than 500 residents of a single state or jurisdiction, the organization must also alert prominent media outlets serving that area within the same 60-day window. Breaches affecting 500 or more individuals must be reported to the Secretary of Health and Human Services at the same time the individual notices go out, and HHS posts them publicly. Breaches affecting fewer than 500 people are logged and reported to the Secretary annually, within 60 days after the end of the calendar year in which they were discovered.

HITECH also extended HIPAA’s requirements directly to business associates, the vendors and contractors that handle health data on behalf of covered entities. Before HITECH, business associates were only bound by their contracts with covered entities. After it, they became directly liable under the Security Rule and the applicable Privacy Rule provisions, and OCR can penalize them without going through the covered entity.

The Omnibus Rule (2013)

The 2013 Omnibus Rule implemented many of the changes HITECH had called for and tidied up several gaps. It tightened the definition of a breach by replacing the earlier “significant risk of harm” test with a presumption that any impermissible use or disclosure of PHI is a breach unless the entity documents, through a four-factor risk assessment, a low probability that the PHI was compromised. It extended direct liability down the chain to subcontractors of business associates. It expanded restrictions on using health information for marketing and fundraising, and on selling PHI, without patient authorization. It also reinforced patient rights, including the right to request electronic copies of records maintained electronically and the right to have a provider withhold information from your health plan when you paid for a service out of pocket in full.

Reproductive Health Privacy Protections (2024)

A final rule published in April 2024 (effective in June 2024, with a compliance date of December 23, 2024) added protections specifically for reproductive health care records. It prohibits covered entities and their business associates from using or disclosing PHI to support investigations into, or impose liability on, any person for seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify a person for either purpose.

The rule applies when the reproductive health care was lawful in the state where it was provided, or when it is protected, required, or authorized by federal law, including the U.S. Constitution. For health care provided by someone other than the entity receiving the request for records, there is a built-in presumption that the care was lawful. That presumption holds unless the entity has actual knowledge the care was unlawful, or the requester supplies factual information that demonstrates a substantial factual basis that it was not.

Before disclosing PHI that is potentially related to reproductive health care for health oversight, law enforcement, judicial or administrative proceedings, or to coroners and medical examiners, regulated entities must now obtain a signed attestation from the requester stating that the information will not be used for a prohibited purpose. Knowingly making a false attestation can itself be a HIPAA violation. One caveat when relying on this rule: in June 2025 a federal district court in Texas (Purl v. HHS) vacated most of it nationwide, so its current status should be confirmed before building compliance processes around it.

Substance Use Disorder Record Alignment (2024)

Also in 2024, a final rule (published in February 2024, with a compliance date of February 16, 2026) aligned the longstanding federal protections for substance use disorder (SUD) treatment records with HIPAA. Previously, these records operated under a completely separate set of regulations known as 42 CFR Part 2, whose stricter consent requirements (a separate, specific consent for nearly every disclosure, and no redisclosure without another consent) often made it difficult to coordinate care for patients in addiction treatment.

The new rule allows a single patient consent to cover all future uses and disclosures of SUD records for treatment, payment, and health care operations. Once records are shared under that consent, Part 2 programs, HIPAA covered entities, and business associates that receive them can redisclose them under normal HIPAA rules. Patients gained new rights that mirror HIPAA’s existing protections: the right to an accounting of disclosures and the right to request restrictions on certain disclosures. Part 2 records still cannot be used in criminal, civil, or administrative proceedings against the patient without a court order or the patient’s consent.

Penalties for Part 2 violations were also brought in line with HIPAA, replacing the old criminal-only penalties with the same civil and criminal enforcement framework. Breach notification requirements now match HIPAA’s as well. One notable addition is a new category of “SUD counseling notes,” analogous to psychotherapy notes under HIPAA. These are a clinician’s separate notes analyzing what happened in an SUD counseling session. They cannot be disclosed under a broad treatment-payment-operations consent and require specific, separate authorization from the patient.