The Road to Compliance
The Health Insurance Portability and Accountability Act (HIPAA)
of 1996 is a complicated and multifaceted law. Fortunately this web site has a couple thousand
pages containing the text of the regulations, explanations of their
meaning and significance, information on how to become compliant,
FAQs, opinions, news articles, and much, much more.
Here are links to parts of the site most useful to those new
to HIPAA:
- HIPAAregs:
The full text of both the proposed and final HIPAA regulations,
and articles that explain them.
- HIPAAprimer:
Learn more about HIPAA in plain English.
- HIPAAction:
Information on the necessary planning and implementation required
to make an organization HIPAA-compliant.
- HIPAAFAQs:
Frequently Asked Questions on HIPAA, organized by topic, plus an
extensive glossary of common terms and acronyms.
- HIPAAnews:
The latest news of significance to the HIPAA community.
- HIPAAtech:
Technologies for electronic privacy and security.
In addition, the HIPAAdvisory web site sponsors two email
lists:
- HIPAAlive
is a busy two-way discussion list with nearly 5,000 professionals
exchanging ideas and answering each other's questions on HIPAA.
- HIPAAlert is a monthly email newsletter with news headlines, compliance
tips, and a summary
of what's new on the HIPAAdvisory web site.
And don't forget our HIPAAstore
with information on our upcoming audio conferences, tapes of
past audio conferences, and books on understanding and complying
with HIPAA.
OK, so there's a ton of useful information on HIPAAdvisory.com,
but you're still looking for a basic understanding of what HIPAA
is? Read on . . .
Administrative Simplification Under HIPAA:
National Standards for Transactions, Security, and Privacy
Updated April 2006
Overview: To improve the efficiency and effectiveness of
the healthcare system, the Health Insurance Portability and Accountability
Act (HIPAA) of 1996 included a series of "administrative simplification"
provisions that required the Department of Health and Human Services
(HHS) to adopt national standards for electronic healthcare transactions.
By ensuring consistency throughout the industry, these national
standards will make it easier for health plans, doctors, hospitals
and other healthcare providers to process claims and other transactions
electronically. The law also requires the adoption of security and
privacy standards in order to protect personal health information.
HHS is issuing the following major regulations:
- Electronic healthcare transactions (final rule issued);
- Health information privacy (final rule issued);
- Unique identifier for employers (final rule issued);
- Security requirements (final rule issued);
- Unique identifier for providers (final rule issued);
- Unique identifier for health plans (proposed rule in development); and
- Enforcement procedures (final rule issued).
- Although the HIPAA law also called for a unique health identifier
for individuals, HHS and Congress have indefinitely postponed
any effort to develop such a standard.
Under HIPAA, most health plans, healthcare clearinghouses and
healthcare providers who engage in certain electronic transactions
have two years from the time the final regulation takes effect to
implement each set of final standards. More information about the
HIPAA standards is available here on HIPAAdvisory.com, HHS' Administrative
Simplification web site, and CMS' HIPAA web site.
Background
Today, health plans, hospitals, pharmacies, doctors and other healthcare entities use a wide array of systems to process and track healthcare bills and other information. Hospitals and doctor's offices
treat patients with many different types of health insurance and
must spend time and money ensuring that each claim contains the
format, codes and other details required by each insurer. Similarly,
health plans spend time and money to ensure their systems can handle
transactions from various healthcare providers and clearinghouses.
Enacted in August 1996, HIPAA included a wide array of provisions
designed to make health insurance more affordable and accessible.
With support from health plans, hospitals and other healthcare
businesses, Congress included provisions in HIPAA to require HHS
to adopt national standards for certain electronic healthcare transactions,
codes, identifiers and security. HIPAA also set a three-year deadline
for Congress to enact comprehensive privacy legislation to protect
medical records and other personal health information. When Congress
did not enact such legislation by August 1999, HIPAA required HHS
to issue health privacy regulations.
Security and privacy standards can promote higher quality care
by assuring consumers that their personal health information will
be protected from inappropriate uses and disclosures.
In addition, uniform national standards will save billions of dollars
each year for healthcare businesses by lowering the costs of developing
and maintaining software and reducing the time and expense needed
to handle healthcare transactions.
Covered Entities
In HIPAA, Congress required health plans, healthcare clearinghouses,
and those healthcare providers who conduct certain financial and
administrative transactions electronically (such as eligibility,
referral authorizations and claims) to comply with each set of final
standards. Other businesses may voluntarily comply with the standards,
but the law does not require them to do so.
To determine if a natural person, business, or government agency
is a covered entity, the Centers for Medicare and Medicaid Services
(CMS) provides a Covered Entity Decision Tree to guide you in determining
whether you are a covered entity under the Administrative Simplification
provisions of HIPAA. Many terms used in the tool are defined terms
or have a special meaning; the definitions or special meanings
appear as footnotes on the relevant questions' pages to assist you.
Compliance Schedule
In general, the law requires covered entities to come into compliance
with each set of standards within two years following adoption,
except for small health plans, which have three years to come into
compliance. For the electronic transaction rule only, Congress in
2001 enacted legislation allowing a one-year extension for most
covered entities provided that they submit a plan for achieving
compliance. As a result, covered entities that qualified for the extension
had until October 16, 2003 to meet the electronic transaction
standards instead of the original October 16, 2002 deadline. (Small
health plans were still required to meet the October 16, 2003 compliance date and
were not eligible for an extension under the new law.) The legislative
extension did not affect the compliance dates for the health information
Privacy Rule of April 14, 2003 for most covered entities
(and April 14, 2004 for small health plans).
Developing Standards
Under HIPAA, HHS must adopt recognized industry standards when
appropriate. HHS works with industry standard-setting groups to
identify and develop consensus standards for specific requirements.
For each set of standards, HHS first develops proposed requirements
to obtain public feedback. After analyzing public comments, HHS
makes appropriate changes before issuing a final set of standards.
The law also allows HHS to propose appropriate changes to the HIPAA
regulations to ensure that the standards can be implemented effectively
and be maintained over time to continue to meet industry needs.
Electronic Transaction Standards
In August 2000, HHS issued final electronic transaction standards
to streamline the processing of healthcare claims, reduce the volume
of paperwork and provide better service for providers, insurers
and patients. HHS adopted modifications to some of those standards
in final regulations published on February 20, 2003. Overall, the standards establish standard data content, codes and formats for
submitting electronic claims and other administrative healthcare
transactions. By promoting the greater use of electronic transactions
and the elimination of inefficient paper forms, these standards
are expected to provide a net savings to the healthcare industry
of $29.9 billion over 10 years. All healthcare providers will be
able to use the electronic format to bill for their services, and
all health plans will be required to accept these standard electronic
claims, referral authorizations and other transactions.
Privacy Standards
In December 2000, HHS issued a final rule to protect the confidentiality
of medical records and other personal health information. The rule
limits the use and release of individually identifiable health information;
gives patients the right to access their medical records; restricts
most disclosure of health information to the minimum needed for
the intended purpose; and establishes safeguards and restrictions
regarding disclosure of records for certain public responsibilities,
such as public health, research and law enforcement. Improper uses
or disclosures under the rule are subject to criminal and civil
sanctions prescribed in HIPAA.
After considering public comment on the final rule, HHS Secretary
Tommy G. Thompson allowed it to take effect as scheduled, with compliance
for most covered entities required by April 14, 2003. (Small health
plans had an additional year.) In March 2002, HHS proposed specific
changes to the Privacy Rule to ensure that it protects privacy without
interfering with access to care or quality of care. After considering
public comments, HHS issued a final set of modifications on August
14, 2002. Detailed information about the Privacy Rule is available
here on HIPAAdvisory.com and OCR's web site.
Security Standards
In February 2003, HHS adopted final regulations for security standards
to protect electronic health information systems from improper access
or alteration. Under the security standards, covered entities must
establish procedures and mechanisms to protect the confidentiality,
integrity and availability of electronic protected health information.
The rule requires covered entities to implement administrative,
physical, and technical safeguards to protect electronic protected
health information in their care. The standards use many of the
same terms and definitions as the Privacy Rule to make it easier
for covered entities to comply. Most covered entities must comply
with the security standards by April 21, 2005, while small health
plans as defined by HIPAA have an additional year to come into
compliance.
Employer Identifier
In May 2002, HHS issued a final rule to standardize the identifying
numbers assigned to employers in the healthcare industry by using
the existing Employer Identification Number (EIN), which is assigned
and maintained by the Internal Revenue Service. Businesses that
pay wages to employees already have an EIN. Currently, health plans
and providers may use different ID numbers for a single employer
in their transactions, increasing the time and cost for routine
activities such as health plan enrollments and health plan premium
payments. Most covered entities must comply with the EIN standard
by July 30, 2004. (Small health plans have an additional year to
comply.)
Provider Identifier
In January 2004, HHS issued a final rule to require hospitals, doctors, nursing homes, and other healthcare providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. Providers can apply for an identifier once and keep it if they relocate or change specialties. Currently, healthcare providers are assigned different ID numbers by each different private health plan, hospital, nursing home, and public program such as Medicare and Medicaid. These multiple ID numbers result in slower payments, increased costs and a lack of coordination. Most covered entities must comply with the National Provider Identifier (NPI) standard
by May 23, 2007. (Small health plans have an additional year to
comply.)
Additional Standards
On February 16, 2006, HHS issued a final rule on enforcement of the HIPAA requirements. HHS is working to develop
other standards, including a national health plan identifier
and additional electronic transaction standards. The status of key standards required under HIPAA follows:
The National Health Plan Identifier and Other HIPAA Regulations
HHS is working to propose standards that would create a unique
identifier for health plans, making it easier for healthcare providers
to conduct transactions with different health plans. HHS is also
working to develop additional transaction standards for attachments
to electronic claims and for a doctor's first report of a workplace
injury. As with other HIPAA regulations, HHS
will first consider public comment on each proposed rule before
issuing any final standards.
Personal Identifier on Hold
Although HIPAA included a requirement for a unique personal healthcare identifier, HHS and Congress have put the development of such
a standard on hold indefinitely. In 1998, HHS delayed any work on
this standard until after comprehensive privacy protections were
in place. Since 1999, Congress has adopted budget language to ensure
no such standard is adopted without Congress' approval. HHS has
no plans to develop such an identifier.
Modifications to Standards
HIPAA mandates that the Secretary of Health and Human Services
review the standards, and adopt modifications as appropriate, no
more often than once every 12 months and in a manner that minimizes
disruption and cost. The Secretary may not make any modifications
during the 12 months following the effective date of a particular
rule, unless the Secretary "determines that the modification
is necessary in order to permit compliance."
Sanctions and Penalties
Penalties established for non-compliance with HIPAA's requirements
are:
- Personal liability: individuals may be liable for up to 10 years
in prison and $250,000 in fines for intentional misuse of protected
health information
- Organizational liability: Healthcare organizations are liable
for up to $25,000 in fines for each standard violated
| Monetary Penalty | Imprisonment Penalty | HIPAA Offense |
|---|---|---|
| $100 | N/A | Single violation of a provision |
| Up to $25,000 | N/A | Multiple violations of an identical requirement or prohibition made during a calendar year |
| Up to $50,000 | Up to one year | Wrongful disclosure of individually identifiable health information |
| Up to $100,000 | Up to five years | Wrongful disclosure of individually identifiable health information committed under false pretenses |
| Up to $250,000 | Up to 10 years | Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm |
- Accreditation: Accreditation organizations such as JCAHO are
expected to require compliance in the future
- Federal Programs: Noncompliance is also expected to result in
exclusion from federal programs such as Medicare
Relationship to State Laws
HIPAA preempts state law except:
- where the state law is necessary to prevent fraud and abuse,
- to ensure state insurance or health plan regulation,
- to address controlled substances or for certain other purposes, and
- when state law is more stringent than HIPAA requirements.
Impact to Organizations
Organizations need to consider a variety of issues when analyzing
the impact of HIPAA on their operations. These issues include:
- Purpose of HIPAA: In addition to ensuring patient privacy and
information security, HIPAA is about improving the efficiency
and cost-effectiveness of the healthcare system
- Limited resources, in terms of dollars, staffing, and time,
all of which are necessary to implement these regulations
- Costs associated with implementation are currently difficult
to assess; analysis of ROI is limited, but imperative, when
comparing various implementation strategies
- Convergence of e-health strategies and HIPAA objectives, which
are clearly connected in the areas of standardization and technical
security measures.
- Constraining effects of legacy systems within industry, which
add to cost of compliance as well as ongoing dependency on vendors
HIPAA will have a profound impact on overall healthcare industry
electronic communications and transactions. Implementation of the
information security and privacy features in HIPAA will pave the
way for increasingly sophisticated e-health and other healthcare
e-commerce and communications applications -- as well as for new
uses of evolving technologies, such as hand-held devices and wireless
access. In order to realize these potential benefits -- and to ensure
that official compliance deadlines are met -- healthcare organizations
should begin immediately to assess their current information environment
and develop strategies for HIPAA implementation.
Next Steps to Understanding HIPAA!
To learn more about HIPAA in plain English, read our HIPAA primer.
If you then have specific questions, read through these FAQs
or perform a keyword search on this site to find the answers. Chances are
that they are answered in the wealth of HIPAA information we offer
online. Also consider subscribing free to our very busy email discussion
list, HIPAAlive, and posing
your question there. The focus of HIPAAlive is to consider and discuss
new HIPAA questions every day. Once you join, you can search the
list archives; your question may have already been addressed on the
list. (You may want to initially receive the digest version of the
list so that you can view the archives, but not be inundated with
the large volume of daily messages.)
Lastly, here again are links to parts of the HIPAAdvisory site
most useful to those new to HIPAA:
- HIPAAregs:
The full text of both the proposed and final HIPAA regulations
and articles that explain them.
- HIPAAction:
Information on the necessary planning and implementation required
to make an organization HIPAA compliant.
- HIPAAFAQs:
Frequently asked questions on HIPAA organized by topic plus an
extensive glossary of common terms and acronyms.
- HIPAAnews:
The latest news of significance to the HIPAA community.
- HIPAAtech:
Technologies for electronic privacy and security.