FAQ sites from DHHS:
- Employer Identifier Standard FAQs
- National Provider Identifier Standard FAQs
- Security and Electronic Signature Standards FAQs
- Electronic Transactions Standards FAQs
- Code Sets FAQs
- Protecting the Privacy of Patient's Health Information (8/21/02)
- FAQs about the HIPAA Privacy Rule (10/2/02)
- FAQs about the Minimum Necessary Standards
Frequently Asked Questions
What is HIPAA?
HIPAA is the Health Insurance Portability & Accountability Act of 1996, Public Law 104-191.
Title II includes a section, Administrative Simplification, requiring:
- Improved efficiency in healthcare delivery by standardizing electronic data interchange and
- Protection of confidentiality and security of health data through setting and enforcing standards.
More specifically, HIPAA calls for:
- Standardization of electronic patient health, administrative and financial data
- Unique health identifiers for individuals, employers, health plans and health care providers
- Security standards to provide physical, technical and administrative safeguards to protect the integrity, availability and confidentiality of health information.
- Privacy standards to ensure administrative and physical safeguards to protect the privacy and confidentiality of health information, and to protect against unauthorized access.
What are the objectives of HIPAA?
- Group and Individual Insurance Reform – It provides portability and continuity of health insurance and places limits on pre-existing condition exclusion provisions.
- Accountability – It reduces the potential for waste, fraud and abuse. New penalties and sanctions will be imposed.
- Administrative Simplification – It requires application of uniform standards to electronic data transactions in a confidential and secure environment. Its goal is to improve the effectiveness and efficiency of the health care system.
Who is affected?
All healthcare organizations are covered entities. This includes health care providers, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information system vendors, service organizations and universities.
What is a Covered Entity?
A health plan, health care clearinghouse or health care provider who maintains and transmits any health information.
What is “Individually Identifiable Health Information” (IIHI)?
Information that is a subset of health information, including demographic information collected from an individual, and that:
- is created or received from a health care provider, health plan, employer or health care clearinghouse;
- relates to the past, present or future physical or mental health or condition of an individual, or to the provision of health care to an individual; and
- identifies the individual, or gives a reasonable basis to believe the information can be used to identify the individual.
What is Protected Health Information (PHI)?
All individually identifiable health information (IIHI) transmitted or maintained by a covered entity, regardless of form. Protected health information excludes IIHI in education records. The following individually identifiable data elements are deemed protected health information under the Privacy Rule:
- Geographic subdivisions smaller than a state
- Birth date (except year)
- Telephone number
- E-Mail address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate / license numbers
- Vehicle identifiers & serial numbers
- Device identifiers & serial numbers
- Uniform Resource Locators (URLs)
- IP address numbers
- Biometric identifiers
- Full face photographs
- Any other unique identifying number, characteristic or code.
What exactly does HIPAA mandate?
The federal government enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with the intent to assure health insurance portability, reduce healthcare fraud and abuse, guarantee the security and privacy of health information, and enforce standards for health information.
Title II, Subtitle F of this act mandates regulations in five areas:
- National standards for electronic data transmission
- Unique health identifiers for providers, employers, plans and individuals
- Security standards to protect electronically maintained health information
- Privacy and confidentiality provisions for individually identifiable health care data.
What are the compliance deadlines?
- Transaction and Code Sets: 10/16/2002 (10/16/2003 if an extension is filed before 10/16/2002)
- Privacy Standards: 4/14/2003
- Security Rule (Proposed): Final rule expected in 8/2002 (compliance will be 2 years after the final rule is published)
- Unique Identifier: No target date
Are there penalties? Why comply?
- Individuals have the right to file complaints with the Secretary of HHS, and covered entities are required to provide a complaint mechanism
- Non-compliance could lead to exclusion from participation in federally funded programs
- The following is a summary of penalties for failure to comply with requirements and for wrongful disclosure of individually identifiable health information:
| General Penalty for Failure to Comply | Penalty |
|---|---|
| Each violation | $100 |
| Maximum penalty for all violations of an identical requirement | May not exceed $25,000 |
| Failure to comply due to reasonable cause and not willful neglect | Must be corrected within 30 days; the period may be extended by the Secretary of HHS. |

| Wrongful Disclosure of Individually Identifiable Health Information | Penalty |
|---|---|
| Wrongful disclosure offense | $50,000, imprisonment of not more than 1 year, or both |
| Offense under false pretenses | $100,000, imprisonment of not more than 5 years, or both |
| Offense committed with intent to sell information | $250,000, imprisonment of not more than 10 years, or both |
What are the Electronic Transaction Standards?
(Compliance 10/16/2002 or 10/16/2003 with extension)
A single standard is established to replace hundreds of forms and formats for claims and other administrative and financial transactions.
The rules cover specified transactions in any electronic form. The specified transaction standards include those developed by the American National Standards Institute’s (ANSI) Accredited Standards Committee (ASC) and, for pharmacy claims, by the National Council for Prescription Drug Programs (NCPDP). Each of these organizations has developed an implementation guide for its standard, the specifications of which are included in the final rule.
What are the Code Set Standards?
(Compliance 10/16/2002 or 10/16/2003 with extension)
These require standard data content for each transaction. Standard content refers to Code Sets for both medical and non-medical data.
ICD-9-CM, CPT-4, CDT-3 (dental) and NDC (National Drug Codes) are the required code sets for medical data in the standard transactions. CDT-2 and NDC will replace the “D” and “J” codes respectively in HCPCS Level 3, which will be modified to eliminate duplication and overlap. Official coding guidelines, published through the HHS National Center for Health Statistics (NCHS), are required to guide implementation.
What are the Identifier Standards?
Four types of identifiers were targeted for standardization under HIPAA:
- National Provider Identifier (NPI) - issued to each healthcare provider
- Employer Identification Number (EIN) administered by the IRS
- Standard identifiers for health plans
- Unique identifier for individuals – highly controversial, consideration deferred.
What are the Security Standards?
(Final Rule due in 8/2002; Compliance 24 months later)
The proposed security regulations consist of administrative procedures, physical safeguards, and technical security mechanisms that a health care entity must address in order to safeguard the integrity, confidentiality, and availability of its electronic data.
What are the Privacy Standards?
The regulation requires the creation of a set of fair information practices that inform people of how their information is used and disclosed, ensure that they have access to information about them, and require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.
Why was this legislation necessary?
Technological advancements have impacted the electronic transmission of health data including:
- Rapid growth of health care Internet and intranet applications to transmit and share patient information such as diagnoses, radiological images, lab tests, and prescriptions.
- Advancements in the computerization of patient medical records.
- Increasing use of electronic prior authorizations for services, as well as claims submission and payments
- Use of e-mail as a communication tool between caregivers and their patients
- Lack of standardization for the collection, storage and transmission of health data which results in increased administrative costs, with an accompanying decrease in the use of data.
- Increasing health care costs and a demand for uniform healthcare data to evaluate coverage and treatment approaches.
- Public concerns about privacy bring demands for greater security.
How will we be affected?
- Assessment and implementation will take time, planning, resources and change in attitude and behavior.
- Security and privacy are primary consumer concerns. Failure to address them proactively will result in loss of trust, credibility and potential revenue.
- Noncompliance will result in ineligibility to participate in Medicare and other federally funded programs.
- We have to develop and disseminate a Notice of Privacy Practices.
- Patients must be educated regarding their rights.
- All members of the workforce must be educated about HIPAA.
- We must review all policies and procedures; revise and develop policies where appropriate to be compliant with HIPAA.
- The Institutional Review Board would have an increased role in the evaluation and monitoring of all research projects.
- Electronic transactions for claims to payers, including Medicare, must meet HIPAA standards.
What are our plans?
A HIPAA Steering Committee is assigned to oversee activities that will ensure compliance with HIPAA regulations. Several Task Teams were formed and are presently doing some of the background work to revise or develop policies and procedures where appropriate.
We plan to develop the HIPAA section on the Compliance website, to keep you up to date.
I can be reached at X1345 or by email at firstname.lastname@example.org.
Useful HIPAA Resources