Health and Human Services
Health Insurance Portability & Accountability Act (HIPAA)
GOAL: The goal of HIPAA is to improve healthcare system effectiveness, efficiency, privacy, and security.
The Health Insurance Portability & Accountability Act of 1996 places comprehensive new security requirements on the healthcare industry. HIPAA imposes sweeping standards for the privacy and protection of all electronic health information that can be linked to individuals. Final HIPAA regulations now being promulgated affect virtually every area within the nation's health-related organizations, from the one-physician office to multi-entity health systems, HMOs, healthcare support services and others. Compliance is required in most cases by 2002; noncompliance will carry stiff civil and criminal penalties.
Offices, clinics and agencies will have to determine what needs to be done within each organization to become compliant with HIPAA regulations. The State Office of Medical Assistance Programs, The State Mental Health Division, and LaneCare are all being pro-active in adapting systems to prepare for compliance. It is the responsibility of each LaneCare contractor to assure that their organization is fully compliant with HIPAA regulations.
This rule proposes standards to protect the privacy of individually identifiable health information maintained or transmitted in connection with certain administrative and financial transactions. The rules, which would apply to health plans, health care clearinghouses, and certain health care providers, propose standards with respect to the rights of individuals, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.
Privacy regulations only pertain to "covered entities," which include healthcare providers, health plans, and healthcare clearinghouses. Covered entities are required to have contracts with their business partners that would limit the business partner's uses and disclosures of the protected health information to those permitted by the contract.
Only "protected information", individually identifiable health information, is covered. When information becomes "protected" by being stored or transmitted electronically, the protections would apply even after it is printed, discussed orally, or otherwise changed in form. The protections also apply to the original paper version of information once it is transmitted electronically.
The proposed privacy rule creates only a basic set of provisions. Organizations in states whose laws have more stringent requirements would still have to comply with those laws. As a result, organizations in some states will have to follow dual privacy practices. Vendors, enterprises that cross state boundaries, and potentially those exchanging information across states will have to address these issues as well.
The security and privacy provisions aim to safeguard the confidentiality of private information and protect the integrity of health data while also ensuring its availability for care. It is important to understand, however, that the proposed security standards and the proposed privacy standards are two different things. The security standards deal with measures organizations need to take to keep their information safe. The privacy standards deal with things patients may expect from organizations in terms of the way their health information is used.
Security and Electronic Signature
This rule proposes standards for the security of individual health information and electronic signature use by health plans, health care clearinghouses, and health care providers. The health plans, health care clearinghouses, and health care providers would use the security standards to develop and maintain the security of all electronic individual health information. The electronic signature standard is applicable only with respect to use with the specific transactions defined in the Health Insurance Portability and Accountability Act of 1996, and when it has been determined that an electronic signature must be used.
This rule adopts standards for eight electronic transactions and for code sets to be used in those transactions. It also contains requirements concerning the use of these standards by health plans, health care clearinghouses, and certain health care providers.
Today many healthcare providers and plans use EDI (Electronic Data Interchange), the digital exchange of standard business documents and data. DHHS estimates that 400 formats are used in the US today for health care claims processing. In order to perform EDI using a common interchange and data structure, widely adopted standards are required. As part of the Health Insurance Portability and Accountability Act, DHHS was directed to issue standards for electronic data transactions used in the administration of health care data and claims. The use of industry-wide standards is expected to eliminate the need to adapt software to the multiple proprietary format variations now in use by providers and plans. Operational efficiencies with long-term savings are the result.
The HIPAA Standard EDI format requires standardization of the data content by specifying uniform definitions of the data elements that will be exchanged in each type of electronic transaction and identification of the specific codes or values that are valid for each data element. Payers are required by law to have the capability to send/receive all HIPAA transactions.
The EIN is currently the employer identifier in most widespread use in the health claim, the enrollment and disenrollment in a health plan, the eligibility for a health plan, and the health plan premium payment transactions. Each health plan, health care clearinghouse, health care provider, and employer must be identified with the national employer identifier number in any standard transaction. If they conduct administrative health transactions electronically, health care providers, health care clearinghouses, and health plans would have to obtain and use the EIN on all electronic transactions that require an employer identifier. The Internal Revenue Service maintains the process for assigning EINs.
Two years after adoption of this standard (3 years for small health plans) the EIN must be used as the employer identifier in the health-related financial and administrative transactions that require an employer identifier. The approved uses of the EIN are detailed in 26 U.S.C. 6109.
Examples of approved uses included in this proposed rule are:
- Health care providers submitting health claims to health plans electronically would use the EIN to identify the employers of the participants in the health plan.
- Employers would use their EINs to identify themselves in electronic transactions making health plan premium payments to health plans on behalf of their employees.
- Employers and health care providers would use the EIN to identify the employer as the source or receiver of information about eligibility.
- Employers would use their EINs to identify themselves in electronic transactions to enroll or disenroll their employees in a health plan.