The Health Insurance Portability & Accountability Act of 1996, Public Law 104-191.
Title II includes a section, Administrative Simplification, requiring:
1. Improved efficiency in healthcare delivery by standardizing electronic data interchange and
2. Protection of confidentiality and security of health data through setting and enforcing standards.
More specifically, HIPAA calls for:
All healthcare organizations are covered entities. This includes health care providers, health plans, employers, public health authorities, life insurers, and clearinghouses, billing agencies, information system vendors, service organizations and universities.
A health plan, health care clearinghouse or health care provider who maintains and transmits any health information.
Information that is a subset of health information, including demographic information collected from an individual and
1. is created or received from a health care provider, health plan, employer or health care clearinghouse and
2. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; and
3. that identifies the individual or there is reasonable basis to believe the information can be used to identify the individual.
All individually identifiable health information (IIHI) transmitted or maintained by a covered entity, regardless of form. Protected health information excludes IIHI in education records. The following individually identifiable data elements are deemed protected health information under the Privacy Rule:
§ Geographic subdivisions smaller than a state
§ Birth date (except Year)
§ Telephone number
§ E-Mail address
§ Social Security number
§ Medical record number
§ Health plan beneficiary number
§ Account number
§ Certificate / license numbers
§ Vehicle identifiers & serial numbers
§ Device identifiers & serial numbers
§ Uniform Resource Locators (URLs)
§ IP address numbers
§ Biometric identifiers
§ Full face photographs
§ Any other unique identifying number, characteristic or code.
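As an added illustration that is not part of the original document, the following Python applies the list above to a patient record: geography is reduced to the state, the birth date to its year, every other listed element is dropped, and identifier-shaped strings (SSN, phone, e-mail, IP address, URL) are scrubbed from free-text notes. The field names, the regular expressions and the sample record are assumptions constructed for this example.

```python
import re
from datetime import date

# Structured fields holding identifiers from the Privacy Rule list above.
# Field names are assumptions for this example, not a HIPAA-defined schema.
DROP_FIELDS = {"phone", "email", "ssn", "mrn", "beneficiary_no", "account_no",
               "license_no", "vehicle_id", "device_id", "url", "ip",
               "biometric_id", "photo", "other_code"}

# Identifier shapes that commonly leak into free-text notes (constructed for
# this example; a production scrubber needs far broader coverage).
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://\S+", re.I),
}

def scrub_text(text):
    """Replace identifier-shaped strings in free text with a labelled token."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text

def deidentify(record):
    """Copy `record`, keeping only the state, the birth year and scrubbed notes."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                        # listed identifier: drop outright
        if key == "address":
            out["state"] = value["state"]   # subdivisions smaller than a state go
        elif key == "birth_date":
            out["birth_year"] = value.year  # "Birth date (except Year)"
        elif key == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[key] = value                # clinical data is not in the list
    return out

# Constructed sample record with fictitious values.
SAMPLE = {
    "diagnosis": "J45.20", "sex": "F", "birth_date": date(1968, 3, 9),
    "address": {"street": "12 Elm St", "city": "Springfield",
                "zip": "62704", "state": "IL"},
    "ssn": "123-45-6789", "mrn": "MRN-0042", "email": "jane@example.com",
    "notes": "Call 555-123-4567 or jane@example.com; portal "
             "https://example.com/p/42 was opened from 10.0.0.7",
}
```

Running `deidentify(SAMPLE)` keeps only the diagnosis, sex, birth year, state and a note with the four identifier strings replaced by labelled tokens.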
The federal government enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with the intent to assure health insurance portability, reduce healthcare fraud and abuse, guarantee security and privacy of health information, and enforce standards for health information.
Title II, Subtitle F of this act mandates regulations in five areas:
1. National standards for electronic data transmission
2. Unique health identifiers for providers, employers, plans and individuals
3. Security standards to protect electronically maintained health information
4. Privacy and confidentiality provisions for individually identifiable health care data.
Transaction and Code Sets: 10/16/2002 (10/16/2003 if an extension is filed before 10/16/2002)
Privacy Standards: 4/14/2003
Security Rule (Proposed): final rule expected in 8/2002; compliance will be 2 years after the final rule is published.
§ Individuals have the right to file complaints with the Secretary of HHS, and covered entities are required to provide a complaint mechanism
§ The following is a summary of penalties for failure to comply with requirements and for wrongful disclosure of individually identifiable health information:
General Penalty for Failure to Comply: the maximum penalty for all violations of an identical requirement may not exceed $25,000. Failure to comply due to reasonable cause and not willful neglect must be corrected within 30 days, a period the Secretary of HHS may extend.
Wrongful Disclosure of Individually Identifiable Health Information:
Wrongful disclosure offense: $50,000, imprisonment of not more than 1 year, or both
Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both
Offense committed with intent to sell information: $250,000, imprisonment of not more than 10 years, or both
§ Non-compliance could lead to exclusion from participation in federally funded programs
A single standard is established to replace hundreds of forms and formats for claims and other administrative and financial transactions.
The rules cover specified transactions in any electronic form. The specified transaction standards include those developed by the American National Standards Institute's (ANSI) Accredited Standards Committee (ASC) and, for pharmacy claims, the National Council for Prescription Drug Programs (NCPDP). Each of these organizations has developed implementation guides for its standard, the specifications of which are included in the final rule.
These require standard data content for each transaction. Standard content refers to Code Sets for both medical and non-medical data.
ICD-9-CM, CPT-4, CDT-3 (dental) and NDC (National Drug Codes) are required for transaction standards for medical data. CDT-2 and NDC will replace "D" and "J" codes respectively in HCPCS Level 3, which will be modified to eliminate duplications and overlap. Official coding guidelines, published through the HHS National Center for Health Statistics (NCHS), are required to guide implementation.
Four types of identifiers were targeted for standardization under HIPAA:
§ National Provider Identifier (NPI) - issued to each healthcare provider
§ Employer Identification Number (EIN) administered by the IRS
§ Standard identifiers for health plans
§ Unique identifier for individuals – highly controversial, consideration deferred.
The proposed security regulations consist of administrative procedures, physical safeguards, and technical security mechanisms that a health care entity must address in order to safeguard the integrity, confidentiality, and availability of its electronic data.
What are the Privacy Standards?
The regulation requires the creation of a set of fair information practices to inform people of how their information is used and disclosed, ensure that they have access to information about them, and require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.
Technological advancements have impacted the electronic transmission of health data including:
§ Rapid growth of health care Internet and intranet applications to transmit and share patient information such as diagnoses, radiological images, lab tests, and prescriptions.
§ Advancements in the computerization of patient medical records.
§ Increasing use of electronic prior authorizations for services, as well as claims submission and payments
§ Use of e-mail as a communication tool between caregivers and their patients
§ Lack of standardization for the collection, storage and transmission of health data which results in increased administrative costs, with an accompanying decrease in the use of data.
§ Increasing health care costs and a demand for uniform healthcare data to evaluate coverage and treatment approaches.
§ Public concerns about privacy bring demands for greater security.
§ Assessment and implementation will take time, planning, resources and change in attitude and behavior.
§ Security and privacy are primary consumer concerns. Failure to address them proactively will result in loss of trust, credibility and potential revenue.
§ Noncompliance will result in ineligibility to participate in Medicare and other federally funded programs.
§ We have to develop and disseminate a Notice of Privacy Practices.
§ Patients must be educated regarding their rights.
§ All members of the workforce must be educated about HIPAA.
§ We must review all policies and procedures; revise and develop policies where appropriate to be compliant with HIPAA.
§ The Institutional Review Board would have an increased role in the evaluation and monitoring of all research projects.
§ Electronic transactions for claims to payers, including Medicare, must meet HIPAA standards.