Health Insurance Portability and Accountability Act (HIPAA)
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into federal law in 1996 (Public Law 104-191). HIPAA requires the Secretary of the Department of Health and Human Services to adopt standards for electronic transactions, including data elements, standard code sets, unique health identifiers, security safeguards and privacy standards. The primary intent and purpose of this law is to protect health insurance coverage for workers and their families when they change or lose their jobs. It was recognized that this new protection would impose additional administrative burdens on health care providers, payers, and clearinghouses; therefore, the law includes Section 262, Administrative Simplification. This section is specifically designed to reduce the administrative burden associated with the electronic transfer of health information between organizations, and more generally, to increase the efficiency and cost-effectiveness of the United States health care system. This approach accelerates the move from certain paper-based administrative and financial transactions to electronic transactions through the establishment of national standards.
These standards are described in four final rules:
- The Transactions and Code Sets (TCS) Final Rule, for use by health plans, health care clearinghouses and certain health care providers, was published in the Federal Register on August 17, 2000, with a compliance date of October 16, 2002 (or October 16, 2003 for small health plans). On March 29, 2002, the Centers for Medicare and Medicaid Services (CMS) issued a model compliance plan that allowed health plans, health care clearinghouses and health care providers to receive a one-year extension to comply with the TCS rule. This extension, or Administrative Simplification Compliance Act (ASCA), if applied for, extended the TCS compliance date to October 16, 2003 (for all health plans regardless of size). The final rule adopting changes (also known as Addenda) to the TCS standard was published in the Federal Register on February 20, 2003. The compliance date for the TCS final rule including Addenda remains October 16, 2003.
- The Privacy Final Rule, for health information created or maintained by health care providers who engage in certain electronic transactions, was published in the Federal Register on December 28, 2000, with a compliance date of April 14, 2003 (or April 14, 2004 for small health plans). On August 14, 2002, the final modifications to the Privacy final rule were published in the Federal Register. The compliance date remains unchanged by the modifications.
  - Individuals have the right to know what their privacy rights are and how protected health information may be used and disclosed. The Notice of Privacy Practices (NPP) provides individuals with this information.
- The Unique Employer Identifier, or National Employer Identification Standard, for use in health care transactions, was published in the Federal Register on May 31, 2002, with a compliance date of July 30, 2004.
- The Security Final Rule, for electronic health information, was published in the Federal Register on February 20, 2003, with a compliance date of April 21, 2005 (or April 21, 2006 for small health plans).
HIPAA impacts every entity that exchanges claim and payment data such as health care providers, public and private health plans, vendors and clearinghouses. HIPAA Administrative Simplification (AS) standards significantly impact all providers conducting electronic transmission of medical data. Billing requirements, claim submission requirements, and possibly even office procedures will need to change to comply with the standard requirements.