HIPAA was enacted on August 21, 1996, when President Bill Clinton signed the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, creating federal statutory requirements that later became the HIPAA Administrative Simplification provisions for health information standards, privacy, and security.
The 1996 enactment date refers to the date the statute became law, not the date that all operational compliance obligations applied to regulated organizations. HIPAA directed the Department of Health and Human Services to issue standards for electronic transactions and code sets and for identifiers, and, because Congress did not pass separate privacy legislation within the timeframe set by the statute, to issue protections for individually identifiable health information.
Most workforce training and compliance programs align with the effective and compliance dates of the HIPAA regulations issued by the Department of Health and Human Services. The HIPAA Privacy Rule was finalized in 2000 and required compliance by April 14, 2003 for most Covered Entities and by April 14, 2004 for small health plans. The HIPAA Security Rule was finalized in 2003 and required compliance by April 21, 2005 for most Covered Entities and by April 21, 2006 for small health plans.
HIPAA obligations also expanded through later federal legislation and rulemaking. The Health Information Technology for Economic and Clinical Health Act, enacted in 2009, added breach notification requirements for unsecured protected health information and increased enforcement authorities and penalties; rule changes adopted after 2009 also placed direct compliance duties on Business Associates. For compliance documentation, the enactment date remains August 21, 1996, while policy effective dates and training scope should track the applicable compliance dates for the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements that apply to the organization’s functions and systems.