News and Events

Celebrating 25 Years of HIPAA

Published: Aug. 25, 2021
HIPAA anniversary

It’s the 25th anniversary of the Kennedy-Kassebaum Act, also known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA)! HIPAA was signed into law on Aug. 21, 1996, by President Bill Clinton. Originally promoted as a health insurance continuity and portability measure for workers losing or changing jobs, HIPAA also authorized the Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of personal health information (PHI) and electronic health or medical records.  


HIPAA History

Over the past two and a half decades, the three items that remain constant are preserving the confidentiality, integrity and availability of the patient’s protected health information. The following are key dates in HIPAA History.

April 2003: HIPAA Security Rule  (Administrative-Physical-Technical)

Requires all covered entities to allow patients access to their health information on request while limits are placed on how, when and to whom health records can be disclosed

March 2006: HIPAA Breach Enforcement Rule

Office of Civil Rights (OCR) starts issuing financial penalties to any covered entity that fails to implement the requirement of the HIPAA Privacy and Security Rule 

September 2009: Health Information Technology for Economic and Clinical Health (HITECH) Rule

Introduces incentives to improve information technology infrastructure and to encourage the use of electronic health records (EHR) systems

September 2009: Breach Notification Rule

Requires covered entities to report data breaches to the OCR and notify potential victims of incidents that exposed their personal and health information

March 2013: Omnibus Rule

Breach notification rules are updated, and business associates can be held liable for breaches and certain HIPAA violations


 What will the next 25 years bring in the life of HIPAA? The answer remains to be seen. 


Mitigating Risk

The legal and compliance department will continue to focus on identifying ways to educate and train employees on how to mitigate privacy risk. One way is to be familiar with the following key privacy policies. These policies will guide you during decision-making to ensure you are consistent. 

  • Accessing your own medical records
  • Accounting of disclosures
  • Breach notification
  • Minimum necessary
  • Patient confidentiality
  • Patient request to restrict uses and disclosures of PHI and alternative methods of communication
  • Patient’s right and responsibility 

You can find additional information regarding mitigating privacy risk at our newly revised HIPAA page: http://mhsintranet/Main/HIPAA.aspx



As we continue to improve our privacy program, please submit program enhancement ideas, training suggestions or privacy concerns to the health system privacy officer at You have until Tuesday, Aug. 31. Your input is important. To celebrate HIPAA’s birthday, we have three $25 gift cards for anyone who submits information. The gifts cards will be drawn at random. 


Anonymous Reporting

Report any compliance or privacy concerns by clicking here. Or, on the NMHS intranet, go to Resources > Compliance. Reports may also be made anonymously by calling the MHS Compliance Reporting Hotline at 877-640-0005 (English) or 800-216-1288 (Spanish).  



Contact MHS Privacy Officer Anita Patterson, MS, at (402) 354-6863 or