Health Insurance Portability and Accountability Act of 1996
The most prominent aspects of the Health Insurance Portability and Accountability Act (HIPAA) that affect almost everyone in the health care industry are described in detail here.
Administrative simplification is broken down into several sections:
- Electronic health transaction standards and code sets The implementation of a national standard for transmitting health data electronically and using standard code sets to describe diseases, injuries and other health problems
- Unique identifiers* A system that uses one identification number per employer, health plan or payer and health care provider to simplify administration
- Security Safeguarding the storage of, access to and transmission of electronic patient information
- Privacy Generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to see and get copies of their records, request amendments to their records and learn details of certain disclosures of their records.
*Denotes a proposed rule that may vary from its original specifications and is not yet final.
HIPAA calls for a standard in the way health information is transferred and in the use of standard codes to identify each disease, illness and other health problems. The following standard formats are currently in version 005010:
- 270/271: Health Care Eligibility Benefit Inquiry and Response
- 276/277: Health Care Claim Status Request and Response
- 278: Health Care Services Review
- 835: Health Care Claim Payment/Advice
- 837: Health Care Claim Professional
- 837: Health Care Claim Dental
- 837: Health Care Claim Institutional
- 820: Payroll Deducted and Other Group Premium Payment for Insurance Products
- 834: Benefit Enrollment and Maintenance
In conjunction with HIPAA's Administrative Simplification efforts, the Centers for Medicare & Medicaid Services (CMS) proposed four unique identifiers for the purpose of standardizing the identification numbers for providers, employers and plans to ensure future consistency and ease of use.
- The Standard Unique Employer Identifier is the standard employer identification number (EIN) that appears on an employee's federal Internal Revenue Service (IRS) Form W-2, Wage and Tax Statement received from their employer.
The EIN will be used to identify an entity acting in an employer role in standard HIPAA transactions. It will not identify the patient's health plan or insurance coverage and will not replace the group number, account number, policy number or subscriber number.
The regulations do not require employers to use the EIN or submit standard transactions; however, when an employer elects to use electronic HIPAA transactions, the EIN will be used in those transactions initiated by the employer itself, such as the enrollment in a health plan standard transaction (X12N 005010 834 transaction).
In all standard electronic transactions conducted by the health care provider, the employer identifier is not used or is situational. In the instances when an EIN could be used by a health care provider to identify an employer, its usage is contingent upon the health care provider's ability to obtain the EIN from the employer. If a health care provider is unable to obtain the EIN, then the situational data condition has not been met and its use is not required.
Health plans and clearinghouses that engage in electronic commerce are required to use the EIN to identify the employer in standard electronic health transactions that require an employer identifier. Health plans are permitted, as part of their business arrangements with employers, to require employers to use the standard transactions and to provide their EINs for this purpose.
- The National Provider Identifier (NPI) is a unique identification number for covered health care providers. Covered health care providers and all health plans and health care clearinghouses must use NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (10-digit number). This means that the numbers do not carry other information about health care providers, such as the state in which they live or their medical specialty. The NPI must be used in lieu of legacy provider identifiers in the HIPAA standards transactions.
As outlined in the Federal Regulation, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), covered providers must also share their NPIs with other providers, health plans, clearinghouses and any entity that may need it for billing purposes.
- The Health Plan Identifier (HPID) is a standard, unique health plan identifier required by the Health Insurance Portability & Accountability Act of 1996 (HIPAA). On September 5, 2012 the Department of Health and Human Services (HHS) published the final rule which adopts a unique identifier (HPID) for Health Plans. Although the requirement to obtain HPIDs is currently on hold, Highmark has obtained the necessary HPIDs for their existing business entities. No additional information is available at this time regarding the usage of the HPIDs.
- The National Individual Identifier is no longer being pursued, as the government is not allotting funding for its development. The concept of an individual identifier has been discarded, as there is much controversy as to how it can be implemented without compromising individual privacy.
The final security regulation adopts national standards that covered entities and their business associates must meet to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). The scope of the HIPAA security rule applies only to health information in electronic form.
The security standards were developed to be comprehensive, scalable and technology-neutral in order to apply to many organizational sizes and types. The implementation requirements will vary business by business and can be implemented regardless of what computer systems the company uses. Anyone who transmits or maintains electronic health information must at least conduct a risk assessment and develop a security plan to protect this information.
In order to achieve these goals, Covered Entities are required to utilize three categories of security safeguards:
- Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to safeguard electronic protected health information and manage the conduct of the covered entity's workforce in relation to the protection of that information.
- Physical safeguards are physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.
- Technical safeguards are the technology, policy and procedures for its use that safeguard electronic protected health information and control access to ePHI.
Enforcement of the security standards will be addressed in future regulations.
HIPAA's privacy standards refer to all medical records and other individually identifiable health information in any format, whether communicated electronically, on paper or orally.
Patient rights include:
- Receipt of a written explanation of how their health information may be used, kept and disclosed
- The right to see and get copies of their health records and request changes
- Limitation of the use or disclosure of protected health information
- An accounting of uses or disclosures for other than treatment, payment or health care operations