What is HIPAA?

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in August of 1996. On its road to passage, HIPAA became a vehicle to address multiple issues within the health care industry. As indicated by its name, the initial implementation of this law addressed the portability of health insurance coverage when employees move from one job to another.

Administrative Simplification

Also included in the HIPAA legislation was a subsection known as "Administrative Simplification." The stated goal of Administrative Simplification is to reduce the administrative burden and cost of healthcare by moving health care transactions from paper to electronic form.

Administrative Simplification called for the creation of:

  1. National standards for transmission of health care data.
  2. Standard codes for use in transaction sets.
  3. Standard identifiers for providers, employers, payers and individuals.
  4. Standard EDI Transaction Sets.

The first step in transitioning from paper to electronic format is the development of true standards for electronic transactions. The use of truly standard formats would eliminate the need to translate data to and from the more than 400 non-standard formats currently in use. To further alleviate the need to submit paper claims, Administrative Simplification also required development of standards for the data elements required for coordination of benefits (COB). This would not only allow providers to submit electronic claims to secondary payers, but would also allow direct payer to payer transmission of COB claim data.

The transaction sets mandated by HIPAA include:

  • Claim and encounter submission (837).
  • Claim payment and remittance advice (835).
  • Claim status inquiry and response (276/277).
  • Enrollments and disenrollments (834).
  • Eligibility inquiry and response (270/271).
  • Referral certification and authorizations (278).
  • Premium payments (820).
  • Claims attachments (in development - draft available).
  • First report of injury (in development).

The vision of Administrative Simplification is that standardization of these transactions would enable electronic data interchange to thrive and dramatically reduce paper handling. However, bringing disparate systems from the world of physician, hospital, clearinghouse, and payer into compliance with a standard transaction format is no small task. The reality is that experts predict Administrative Simplification will impact the entire healthcare industry to a far greater extent and at a greater cost than did Y2K - perhaps by as much as three times the cost.

Standard Code Sets

Included in the standard transaction sets are specific codes that must be used with the transactions. These codes include not only the expected CPT-4, ICD-9 and HCPCS codes, but also miscellaneous code sets ranging from language codes to claim remark and adjustment codes. HIPAA does not allow the use of any nonstandard codes.

The Department of Health and Human Services (DHHS) will review the code sets, as well as the transaction sets as a whole, on an annual basis and will make any required changes. These changes will occur no more often than once a year and will allow a reasonable timetable for implementation.

Standard Identifiers.

HIPAA also mandated the adoption of national identifiers for providers, employers, health plans and individuals. DHHS expects to implement the standard identifiers for providers and employers first with an identifier for health plans coming later. Development of an identifier for individuals is on hold due to concerns in regard to patient privacy rights.

Security and Privacy Issues.

The issues of the security and privacy of health care information are also addressed in the legislation. While the use of electronic signatures is not mandated, standards are defined for electronic signatures if they are used in lieu of written signatures for health care transactions. The scope of the security enhancements, while predominantly involving administrative issues such as policies and procedures, suggests that implementation could require significant upgrades to the security features of health care systems. The security rule aims to be flexible and scalable but does require the use of such measures as auto logoff and access control. The rule deliberately does not dictate any specific technology, so that each entity can implement the rule using technology appropriate to its individual needs. Privacy issues will require that entities dealing with electronic healthcare data (even if it has been printed and is no longer, strictly speaking, electronic) meet strict standards for protecting identifiable patient information, most especially when using this data outside the normal scope of payment, treatment or normal health care operations.

HIPAA and the Legislative Process.

The first step in the implementation of provisions of the legislation involves the development and publication of a Notice of Proposed Rule Making (NPRM) in the Federal Register. Following the publication of a proposed rule, a 60-day comment period is provided to allow interested parties to respond to the provisions of the proposed rule. At the end of the comment period, the developing organizations review the comments and amend the rule as they deem necessary. These organizations include the following: American National Standards Institute (ANSI), National Uniform Billing Committee (NUBC), National Uniform Claim Committee (NUCC), the National Committee on Vital and Health Statistics (NCVHS), and the American Dental Association (ADA). Also involved in submitting comments on proposed rules and standards are the Workgroup for Electronic Data Interchange (WEDI) and the Data Interchange Standards Association (DISA).

When the rule is published in its final form in the Federal Register, compliance becomes mandatory 24 months following the rule's effective date (generally 60 days following the date of publication). The only exception is for small health plans (fewer than 50 members or $5 million in annual revenue), which are allowed 36 months to comply. Note that the Standard Transaction Rule defines a small plan as one with fewer than 50 members, while the Privacy rule defines a small plan as one with less than $5 million in revenue during the year.

Excerpts from the Federal Register regarding HIPAA Legislation are available below in PDF format.

Who Must Comply?

The law applies to all health plans, all health care clearinghouses, and all providers who choose to submit data electronically. The only exceptions are self-administered groups with fewer than 50 participants, banks processing financial transactions, property and casualty insurers, work comp plans and case management agencies. Furthermore, health plans are responsible for assuring that their agents (e.g., TPAs, IPAs, MSOs) are fully compliant. Penalties for non-compliance include fines and even imprisonment for serious violations.

 
This web site is the property of MAPFRE LIFE INSURANCE COMPANY, legal entity affiliated to the MAPFRE PUERTO RICO insurance group, which has been duly licensed to operate as a life, health and disability insurance company. By using this web site, you agree to our USE TERMS AND CONDITIONS.