Understanding HIPAA: An Overview of Administrative Simplification
Among the multiple priorities and constraints facing the healthcare industry, healthcare providers and other organizations can expect a new tidal wave of change brought on by the Health Insurance Portability and Accountability Act (HIPAA). President Clinton signed HIPAA (also known as the Kennedy-Kassebaum bill) into law in August 1996. The intent of the legislation was to improve the portability and continuity of health benefits, to ensure greater accountability in the area of health care fraud, and to simplify the administration of health insurance. In Title II of the Act, a subsection entitled Administrative Simplification has resulted in new regulations mandating compliance with a wide range of health information management, security and privacy standards.
Administrative Simplification
The Administrative Simplification section was included in HIPAA with the intent to standardize specific electronic transactions and identifiers used in healthcare business processes such as billing, claims, and other interactions between providers, clearinghouses, and health plans. It is expected that by making business practices more uniform, costs due to duplication of effort, modifications of procedures, errors and delays will be substantially reduced. The framers of HIPAA anticipated that these improvements would encourage the use of electronic data interchange (EDI) in healthcare, and result in the eventual replacement of paper-based transactions. They also recognized that healthcare's growing reliance on EDI necessitates the use of strong protections to ensure patient privacy and the security, integrity, and authenticity of health information. Central to this concern was the concept of protecting "individually identifiable health information" — any information, including demographic information, that refers to an individual's past, present or future health, and identifies an individual, or that could be useful in identifying an individual.
The Administrative Simplification section of HIPAA mandated the following:
- Adoption of standards for electronic transmission of nine designated health care transactions and related code sets
- Establishment of unique national identifiers for employers, health plans, health providers and individuals
- Adoption of security standards to protect health information
- Enactment by Congress of privacy legislation — or, failing this — promulgation of privacy standards by the Department of Health and Human Services (DHHS)
Electronic Transactions and Code Sets Standards
If EDI is employed in conducting healthcare business, the following nine transactions require the use of HIPAA standards for encoding the data elements defined by the transactions. If healthcare organizations are not conducting business via electronic transactions, use of these standards is not required.
- Health claims or equivalent encounter information
- Health claims attachments
- Enrollment and disenrollment
- Eligibility for a health plan
- Payment and remittance advice
- Health plan premium payments
- First report of injury
- Health claims status
- Referral certification and authentication
In addition, HIPAA gave the Secretary of Health and Human Services the option to adopt other financial and administrative transaction standards, "consistent with the goals of improving the operation of the health care system and reducing administrative costs."
Administrative Simplification also included provisions requiring that DHHS establish standards for code sets that would be used in the standard transactions. The Secretary was directed to find efficient, low-cost means for distributing code sets and any future modifications to them.
The final Transactions Rule, detailing each standard, was published in August of 2000, with compliance required by October of 2002.
Unique Health Identifiers
The Secretary of Health and Human Services was also required to adopt standards that would provide for unique, national identifiers for providers, employers, health plans and individuals to be used within the healthcare system. Provider and Employer Identifier Standards (NPRMs) were proposed in 1998, and DHHS has indicated that final rules will be published in 2001. A proposed rule for the Health Plan Identifier is also expected in 2001. The Individual Identifier, the subject of intense public scrutiny and controversy, is "on hold," according to DHHS.
Security Standards for Health Information
HIPAA also mandates that DHHS establish health information security regulations. As it applies to HIPAA, "security" refers to the means by which organizations and people ensure the privacy and confidentiality of health care information. Security addresses "how" information is to be protected from inappropriate use. "What" data is to be considered private and confidential is broader than the information used in standard HIPAA transactions. It applies to any and all individually identifiable health information that is maintained or transmitted electronically by healthcare entities.
HIPAA specifically charged the Secretary with taking into account the costs of security measures, the technical capabilities of record systems used, the need for training those with access to health information, the value of audit trails, and "the needs and capabilities of small and rural healthcare providers." Safeguards were mandated in order to ensure the integrity and confidentiality of information, to protect against security threats and unauthorized uses or disclosures of the information, and to ensure that all healthcare workers and managers comply with the standards.
A draft of the Security Rule (NPRM) was published in August 1998. According to DHHS, the final rule will be released before the end of 2001, and is expected to be substantially the same as the proposed rule. In its security proposal, DHHS' draft regulations were presented in the following four categories, as required by HIPAA:
- Administrative procedures
- Physical safety guidelines
- Technical security services
- Technical security mechanisms
The Security regulations have been developed as guidelines that set a baseline for compliance. Requirements are focused on outcomes rather than specific technologies or methodologies, because of the variety of healthcare operations and the changing nature of technology as a whole. Organizations are expected to assess their individual security vulnerabilities and risks, and implement the programs and protocols they deem appropriate for their organization to meet all the security requirements.
Electronic Signature
As required by the Administrative Simplification section of HIPAA, the proposed Security Rule included standards for the use of electronic transmission and authentication of signatures. DHHS has announced that the final Security Rule will not include these provisions, and that work is underway to develop final electronic signature standards in the next year. It should be noted that neither the Act nor the proposed Security Rule requires the use of electronic signatures. The intent has been to standardize their use if an organization is employing them.
Privacy
HIPAA mandated that Congress pass health privacy legislation, but Congress was unable to meet its August 1999 deadline. Therefore, as provided in the Act, DHHS issued draft privacy regulations via an NPRM in November 1999. The final Privacy Rule was published in December 2000 and went into effect in April 2001. Compliance is required in April 2003.
The purpose of the Privacy Rule is to protect the rights and control of individuals with respect to their individually identifiable health information. HIPAA specifically noted that the Privacy Rule should, at a minimum, address the nature of these individual rights, procedures for exercising them, and which uses and disclosures by healthcare entities should be authorized or required. The final Privacy Rule identifies who has access to what health care data, clarifies patients' rights of control over their health care data, offers definitions of inappropriate access and use, and determines accountability for protecting patient privacy. Areas covered include:
- Authorization and consent processes for accessing personal health data
- The right of a patient to inspect his/her medical record and request amendments to it
- Delineation of direct patient care use of information from non-patient care use
- Increased requirements to notify patients as to how their information is being used
- Requirements to maintain an accurate history of access to a patient's health information in the event of a disclosure
Who is Affected by HIPAA?
In general, all healthcare organizations, including health plans, providers, and clearinghouses that electronically transmit or store individually identifiable health information, are covered by HIPAA. In addition, employers and healthcare vendors are affected. For the specific applicability of each HIPAA rule, refer to the text of the respective rule.
Compliance Timetable
Covered entities must be in compliance with each of HIPAA's rules no later than 24 months after the date the rule went into effect. However, in the case of small health plans that have fewer than 50 members, the compliance deadline is extended to 36 months after the effective date.
Additions and Modifications to Standards
HIPAA mandates that the Secretary of Health and Human Services review the standards, and adopt modifications as appropriate, no more often than once every 12 months and in a manner that minimizes disruption and cost. The Secretary may not make any modifications during the 12 months following the effective date of a particular rule, unless the Secretary "determines that the modification is necessary in order to permit compliance."
Sanctions and Penalties
Penalties established for non-compliance with HIPAA's requirements are:
- Personal liability: individuals may be liable for up to 10 years in prison and $250,000 in fines for intentional misuse of protected health information
- Organizational liability: healthcare organizations are liable for up to $25,000 in fines for each standard violated

| Monetary Penalty | Imprisonment Penalty | HIPAA Offense |
| --- | --- | --- |
| $100 | N/A | Single violation of a provision |
| Up to $25,000 | N/A | Multiple violations of an identical requirement or prohibition made during a calendar year |
| Up to $50,000 | Up to one year | Wrongful disclosure of individually identifiable health information |
| Up to $100,000 | Up to five years | Wrongful disclosure of individually identifiable health information committed under false pretenses |
| Up to $250,000 | Up to 10 years | Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm |

- Accreditation: accreditation organizations such as JCAHO are expected to require compliance in the future
- Federal programs: noncompliance is also expected to result in exclusion from federal programs such as Medicare
Relationship to State Laws
HIPAA preempts state law except:
- where the state law is necessary to prevent fraud and abuse,
- to ensure state insurance or health plan regulation,
- to address controlled substances or for certain other purposes, and
- when state law is more stringent than HIPAA requirements.
Impact to Organizations
Organizations need to consider a variety of issues when analyzing the impact of HIPAA on their operations. These issues include:
- Purpose of HIPAA: in addition to ensuring patient privacy and information security, HIPAA is about improving the efficiency and cost-effectiveness of the healthcare system
- Limited resources, in terms of dollars, staffing, and time, all of which are necessary to implement these regulations
- Costs associated with implementation are currently difficult to assess; analysis of ROI is limited — but imperative — when analyzing various implementation strategies
- Convergence of e-health strategies and HIPAA objectives, which are clearly connected in the areas of standardization and technical security measures
- Constraining effects of legacy systems within the industry, which add to the cost of compliance as well as ongoing dependency on vendors
HIPAA will have a profound impact on overall healthcare industry electronic communications and transactions. Implementation of the information security and privacy features in HIPAA will pave the way for increasingly sophisticated e-health and other healthcare e-commerce and communications applications — as well as for new uses of evolving technologies, such as hand-held devices and wireless access. In order to realize these potential benefits — and to ensure that official compliance deadlines are met — healthcare organizations should begin immediately to assess their current information environment and develop strategies for HIPAA implementation.