LAW OFFICE OF BRIAN GARVES

The Health Insurance Portability and Accountability Act, passed in 1996, (42 U.S.C. 1320d-2) was to help people buy and keep health insurance, even when they have serious health conditions; the law sets basic requirements that health plans must meet. Congress used this platform to pass national minimum privacy requirements for personal health information.

Similar to the old fable about the mice agreeing that the cat needed a bell around his neck but having no idea how to do it, the idea of minimum privacy requirements was good, but how to do it was “a whole ‘nother issue”. Seven years passed, until April, 2003, before the government could get a set of regulations published to provide guidance to the hospitals, clinic, and doctors, for how they were to provide this confidentiality. Those seven years were filled with much rancor and turmoil, as seen by the fact that several sets of “final” regulations were published.

The end result is that HIPAA’s privacy provisions went into effect in April, 2003. Unfortunately, there was no budget for enforcement and thus the Office of Civil Rights(“OCR”), given enforcement responsibilities, had no way to enforce anything. Further, there are – as of yet – no interpretive guidelines for the OCR to use to actually enforce HIPAA, so, even if there was money for enforcement, there is no real idea of what is to be enforced.