HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was signed into federal law in 1996 (PL 104-191). The purpose of this law is to improve the portability and continuity of health insurance coverage using national standards for electronic data interchange for certain administrative and financial transactions. HIPAA also mandates strict standards for ensuring the privacy, confidentiality and security of health care information utilized in such transactions.

What are the Standards?

Transaction and Code Sets:  The following transactions, when performed electronically, must adopt the HIPAA standards.

• Submitting claims for payment and remittance
• Enrolling and dis-enrolling an individual in a health plan
• Paying health care premiums
• Checking eligibility for health care benefits and coverage
• Requesting authorization for services
• Responding to requests for additional information to support a claim.
• Coordinating the processing of a claims across different insurance companies
• Notifying the provider about the payment of a claim.

The medical code sets that must be used for the transactions listed above are:

• International Classification of Diseases (ICD-9-CM), for reporting diagnosis and inpatient hospital procedures.
• Health Care Financing Administration Common Procedure Coding System (HCPCS) and the Current Procedure Terminology (CPT-IV), for provider and other medical services including outpatient hospital procedures.
• National Drug Codes (NDC) for drugs and biologics
• The American Dental Association’s Codes on Dental Procedures and Nomenclature for dental services

Privacy: The Privacy Rule establishes standards to protect the confidentiality of personal health information. These standards set specific parameters in regards to:

• The use and disclosure of health information.
• Individual’s rights to access their health information
• Disclosure of health information to the minimum needed for the intended purpose
• Penalties for intentionally disclosing health information or obtaining information under false pretenses.

Security: The proposed security rule establishes standards based on best business practices for safeguarding and protecting electronic health information systems from improper access or alteration. These practices include:

• Development, implementation and enforcement of security policies and procedures.
• Documentation of security management processes.
• Certification and internal audit of system security
• Implementation of physical access and audit controls

Unique Identifiers: HIPAA establishes national identification numbers for:

• Employer Identifier Number: Adopts the existing Employer Identification Number (EIN) assigned by the Internal Revenue Service for employers in the health care industry as a unique identifier when conducting transactions for health plan enrollments/premium payments.
• National Provider Identifier: Proposes use of a standard identifier for hospitals, doctors, nursing homes, and other health care providers when filing electronic claims with public and private insurance programs.
• National Health Plan Identifier: Proposes a unique identifier for health plans, making it easier for health care providers to conduct transactions with different health plans.

• HIPAA Law Basics
  • Understanding the HIPAA Law
  • Privacy Rule Booklet
• HHS.gov Health Information Privacy
  • Submit a notice of breach to HHS-OCR
• Department of Justice, California Attorney General
  • Submit Data Security Breach to DOJ-OAG
• California Office of Health Information Integrity (CalOHII)
  • Privacy Rules
  • Federal Regulations
  • Statewide Health Information Policy Manual