HIPAA Basics

HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that protects health information and also addresses other aspects of health insurance coverage.

Physicians are challenged every day in every way to contain or reduce cost, improve access to care, and to maintain and improve the quality of the care that they give. Patients are now more informed than ever before because of their exposure to the Internet that brings information of all kinds with the click of a mouse. Privacy of personal information is a greater concern than ever before.

We are in an age of information, and managing this information is a critical requirement for all businesses. Health care researchers have been gathering and disseminating vital statistical information for years. De-identifying that data and aggregating it has increased awareness of trends and improved the analysis of treatment plans and outcomes for patients. Protecting personal, private health care information is a must.

The HIPAA Act of 1996, Title II, is about Administrative Simplification. At first glance, the requirements seem overwhelming. Not only must electronic transaction standards be implemented, but standards for code sets, identifiers, privacy and security must also be adopted. What impact do these new regulations have on physician private practice? What steps must be followed to bring a practice into compliance?

If a provider performs electronic transactions, or provides a service that performs them, for eligibility, claims, coordination of benefits, remittance advice, and/or referral authorizations or notices, those transactions are now subject to the standards specified by the HIPAA Transaction and Code Set rules and regulations.

The HIPAA rules and regulations for privacy cover all forms of data, paper and electronic, and require safeguards for the protection of personal health information. Although this is a federal regulation, individual states also have privacy rules, and where a state rule is more stringent than HIPAA, the state rule supersedes it.

The Notice of Privacy Practices informs patients how their Protected Health Information (PHI) may be used for Treatment, Payment and healthcare Operations (TPO). Patients will be able to make informed choices in seeking care and payment for that care based on how their personal health information may be used. Providers need to enhance privacy practices and train their employees on privacy policies. Those groups that provide services to the physician practice (billing agencies, insurance companies, etc.) must also protect PHI and provide safeguards for that data.

The security rules and regulations contain a set of safeguards with implementation specifications that are either required or addressable, based on the scope and size of the practice environment. Documentation of physical, administrative and technical safeguards is to be maintained to provide appropriate audit trails. Employee training is mandated in all areas relating to privacy, and the steps involved are to be set out in a compliance plan.

Explanation and Description of HIPAA

HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

History and Enactment

HIPAA is a federal law that was passed and enacted on August 21, 1996. This law comprises two legislative actions: Health Insurance Reform and Administrative Simplification (AS). Portability provides continuity of health care coverage, limits exclusions for preexisting conditions, and prohibits discrimination based on health status.

The purpose of AS is to improve the efficiency and effectiveness of the health care system by standardizing the electronic data interchange of certain administrative and financial transactions while protecting the security and privacy of the transmitted information. Rules and regulations require transaction and code set standards, identifier standards, security and electronic signature standards, privacy standards and medical record standards.

HIPAA is made up of five titles, but Title II, Subsection F, is referred to as the Administrative Simplification (A/S) section and is the most relevant to health care organizations and providers. The A/S section of HIPAA required that the US Department of Health and Human Services (DHHS) mandate the use of specific electronic formats, and specify what administrative and medical coding schemes can be used within those formats. It also mandated the development and implementation of national identifiers for patients, providers, payers, and employers, and the adoption of security and privacy standards appropriate for the protection of individually identifiable health care information.

For decades the health care industry has struggled with confusing and demanding electronic data and form requirements for submitting and processing claims and reimbursement. Multiple standards and proprietary formats have complicated the transfer of data between parties and have driven up the cost of health care administration.

During the first Bush administration an advisory group began meeting to discuss the reduction of health care administrative costs. This group later organized as the Workgroup for Electronic Data Interchange (WEDI). WEDI first met in the early 1990s to address the challenge of streamlining health care administration by standardizing electronic communications across the industry, and published reports in 1992 and 1993 with its recommendations. AFEHCT, the Association for Electronic Health Care Transactions, was also formed in the early 1990s and made recommendations and supported WEDI initiatives. These reports included a recommendation to pass legislation so that consistent standards could be implemented throughout health care. Some of the recommendations were addressed in the 1993 proposed Clinton Health Plan, which later failed to pass.

The Kennedy-Kassebaum Bill, known as K2, was introduced in March of 1996 and was passed in August 1996 as the Health Insurance Portability and Accountability Act of 1996 P.L. 104-191. The official title as introduced:

    “To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”

The HIPAA privacy rules impose special requirements on covered entities (i.e., health care plans, providers, or clearinghouses) that disclose patient identifiable health information to third parties assisting the covered entity with its tasks. Covered entities must obtain ‘satisfactory assurances’ that such third parties will safeguard the information, through use of specific “business associate” obligations in their contracts.

How about Software and the HIPAA requirements?

Software, in and of itself, cannot make a practice compliant; however, software can be a compliance enabler. Software that has been modified to enable HIPAA transaction and code set processing is referred to as being “HIPAA Ready.” There are two ways for software to enable transaction and code set compliance: Clearinghouse Connectivity or Direct Modules. These are described as HIPAA Transaction standards.

Standard Code Sets

Code sets are the codes used to encode data elements such as tables of terms, medical concepts, medical diagnoses or medical procedures. This includes coding systems for diseases, impairments, other health-related problems and manifestations, and their causes; actions taken to prevent, diagnose, treat, or manage diseases, injuries and impairments; and any substances, equipment, supplies, or other items used to perform those actions. Code sets specified by HIPAA are:

  • Diagnoses and inpatient hospital services: ICD-9-CM – International Classification of Diseases, 9th Revision, Clinical Modification, which will migrate to ICD-10-CM, now mandated for use in 2014.
  • Institutional services: ICD-9-CM Volume 3 and HCFA Common Procedural Coding System (HCPCS)
  • CPT-4 – Current Procedural Terminology, Version 4
  • CDT-2 – Dental – Code on Dental Procedures and Nomenclature
  • NDC – National Drug Codes
  • CDT-2 and NDC codes are to replace the D and J codes in HCPCS Level 3

Summary of Privacy Standards

The privacy rule provides federal protection for the privacy of health information by creating national standards to protect medical records and other personal health information. The rule:

  • gives patients more control over their health information;
  • sets boundaries on use and release of health records;
  • establishes appropriate safeguards for that health information;
  • holds violators accountable, with civil and criminal penalties for violating patients’ privacy rights; and
  • strikes a balance when public responsibility requires disclosure of some forms of data to protect public health.

Patients can now make better, informed choices about their care and how their information is used. The rule:

  • generally limits release of information to the minimum reasonably needed for the purpose of the disclosure; and
  • gives patients the right to examine and obtain a copy of their own health records and request correction.

Providers must inform patients of their privacy rights and of how their information may be used. Providers will need to adopt privacy policies and procedures and provide employee training on those privacy practices. An individual is to be designated to provide oversight and management of privacy processes and procedures.

Covered entities are to take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI) to the minimum necessary to meet the intended purpose. The minimum necessary requirements do not apply to the following:

  • Disclosures to or requests by a health care provider for treatment purposes
  • Disclosures to the individual who is the subject of the information
  • Uses or disclosures required for compliance with the standard transactions
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes
  • Uses or disclosures that are required by other law

Implementing these specifications requires a covered entity to develop and implement policies and procedures appropriate for its own operations. Policies and procedures are to reflect business practices and the composition of the workforce. Reasonable reliance is permitted when honoring requests for a permitted disclosure made by public officials or agencies, by another covered entity, by a professional who is a workforce member or business associate of the covered entity that holds the information, and/or by a researcher with appropriate documentation and authorization.

The Director of the Office of Civil Rights (OCR) has been delegated the authority to impose civil monetary penalties for failure of a covered entity to comply with this regulation. Wrongful use of protected health information can result in penalties such as fines and/or imprisonment of up to ten years.

Glossary of Terms

ANSI – American National Standards Institute: an organization that accredits various standards-setting committees and monitors their compliance with the open rule-making process.
ASC – Accredited Standards Committee.
BA – Business Associate: a person or organization that performs functions or activities on behalf of a covered entity.
CE – Covered Entity: health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a standard transaction.
HCC – Health Care Clearinghouse: an entity that processes, or facilitates the processing of, information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or that receives a standard transaction from another entity and processes, or facilitates the processing of, that information into a nonstandard format or nonstandard data content for a receiving entity.
IIHI – Individually Identifiable Health Information: a subset of health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse; relates to the past, present or future physical or mental health condition of an individual; and identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
PHI – Protected Health Information: a subset of IIHI that relates to person/patient-level information as specified by the HIPAA Privacy regulation.
Email and facsimile transmissions:
