Does the Repeal of the Patient Protection and Affordable Care Act Impact HIPAA's Privacy Rule?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton on August 21, 1996. HIPAA has 5 divisions, including Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform. Title II has 5 subdivisions: the Privacy Rule, the Transaction and Code Set Rule, the Security Rule, the Unique Identifiers Rule and the Enforcement Rule.

The HIPAA Privacy Rule, effective on April 14, 2003, regulates the use and disclosure of protected health information (PHI) by covered entities. Covered entities include health care providers, health care clearinghouses, health care insurers, and, most recently, business associates. Business associates are independent contractors who may use PHI from a covered entity in conducting business operations. The Privacy Rule provides many protections for patients, including disclosure of PHI to the patient within 30 days at a reasonable cost and a requirement for written authorization from the patient when disclosing PHI outside the protected exceptions (including use of PHI in treatment, health care operations and payment); a covered entity must also disclose only the minimum necessary to achieve its purpose. Also, patients are allowed to correct inaccurate PHI, and all patients must be notified if their PHI is breached in any way without their knowledge. Currently, fines for HIPAA violations committed by covered entities start at $100 - $50,000 per violation.

The Patient Protection and Affordable Care Act (ACA) was a federal statute enacted by President Barack Obama on March 23, 2010, designed to increase access to healthcare for the uninsured through the implementation of individual mandates, subsidies, and insurance exchanges. The ACA provisions include insurance for patients with pre-existing conditions, coverage for dependents under the age of 26, and expanded coverage for individual children who did not have current coverage. The ACA was created to improve health care for Americans by establishing benefits that include providing additional preventive care and screenings, establishing minimum standard benefits for the “typical employer plan,” and eliminating the annual and lifetime coverage caps on essential benefits, amongst other provisions.

On January 20th, 2017, President Donald Trump began the repeal of the ACA by signing an executive order titled “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal.” The executive order is vague; however, it does state under Section 2 that the Secretary of HHS and the heads of all other executive departments and agencies shall “exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.”

If this language is restricted to the ACA, HIPAA privacy should remain enforceable. If this burden is expanded to any fiscal or regulatory burden on covered entities, including healthcare providers and healthcare insurers, HIPAA enforcement can be jeopardized by the removal of the monetary penalties. Without further government guidance, the removal of HIPAA fiscal penalties may be on the horizon if the ACA repeal is upheld.