Health Insurance Portability and Accountability Act (HIPAA)
In August 1996, President Clinton signed into law the Health Insurance Portability and Accountability Act (HIPAA). The Administrative Simplification provisions of HIPAA define national standards for electronic data interchange and set national standards regarding security and privacy of a person's health information. These standards supersede state and local rules, unless states have more stringent security and privacy standards in place. The bill gives the government the authority to impose penalties for non-compliance.
All health insurers and payers must comply with the final rules within 24 months of their publication. The U.S. Department of Health and Human Services (DHHS) plans to issue HIPAA regulations on an ongoing basis. A time lag of 60 days between publication of the Notices of Proposed Rule Making (NPRM) and publication of the final rules is necessary for the large number of comments anticipated on the NPRMs. All of the standards, whether they are final rules in the Federal Register or proposed rules, can be accessed via the DHHS Administrative Simplification web site.
Transactions and code sets were the first regulations of the Administration Simplification portion of HIPAA to be published in the Federal Register on August 17, 2000. The regulations had to be implemented by covered entities no later than October 16, 2002*. The final rules for standard transactions and code sets set the standards for data elements, code sets and formats that must be used by health plans, health care clearinghouses and by each health care provider who transmits covered transactions electronically.
* Note: On December 27, 2001, President Bush signed into law H.R. 3323, the Administrative Simplification Compliance Act (now known as Public Law 107-105). This law provides a one-year extension of the date for complying with the HIPAA standard transactions and code set requirements (to October 16, 2003) for any covered entity that submitted to the Secretary of Health and Human Services a plan of how the entity will come into compliance with the requirements by October 16, 2003. Read the enrolled version of the bill (the version passed by Congress).
The transaction standards are:
|Transaction Type||Transaction Standard|
1. Health claims or equivalent encounter information
|2. Coordination of benefits claim||Same as health claims (above)|
|3. Health care payment and remittance advice||ASC X12N 835|
|4. Health claim status||ASC X12N 276/277|
|5. Health plan enrollment and disenrollment||ASC X12N 834|
|6. Health plan eligibility||ASC X12N 270/271|
|7. Health plan premium payment||ASC X12N 820|
|8. Health Care Services Review - Request for Review and Response||ASC X12N 278|
|9. Health claims attachments - patient information*||ASC X12N 275*|
*NPRM has not yet been published.
The code set standards include:
|Code Set Description**||Standard|
|1. Diseases, injuries, impairments and other health related problems||ICD-9-CM (volume 1)|
|2. Procedures - Physician Services||CPT (HCPCS level 1)|
|3. Procedures - Dental Services||Current Dental Terminology (CDT)|
|4. Procedures - Inpatient Hospital||ICD-9-CM (volume 3)|
|5. Other health-related services||HCPCS Alpha numeric codes|
|6. Retail drugs||FDA National drug codes|
|7. Other substances, equipment, supplies, other||HCPCS Alpha numeric codes|
** Please note that there are many additional non-diagnosis and procedure code sets required by the regulations.
The final privacy rules were issued by DHHS under HIPAA on December 28, 2000, and August 14, 2002, with a compliance date of April 14, 2003. As required by HIPAA law, most covered entities had two full years - until April 14, 2003 - to comply with the final rule's provisions. Revised guidance with changes to the final rules for privacy was issued on December 4, 2002.
The final regulation covers health plans, health care clearinghouses and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically. All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered by the final regulation. A party electronically transmitting or maintaining, "protected health information" may not use or disclose the information except as permitted by federal regulation.
Patients have significant new rights to understand and control how their health information is used. With few exceptions, such as appropriate law enforcement needs, an individual's health information may only be used for health purposes. The final rule establishes the privacy safeguard standards that covered entities must meet, but it gives covered entities the flexibility to design their own policies and procedures to meet those standards. The requirements are flexible and scalable to account for the nature of each entity's business, and its size and resources.
The final rules for security were issued by DHHS under HIPAA on February 20, 2003 with a compliance date of April 20, 2005. The final regulation has been developed to protect the confidentiality, integrity, and availability of individual health information and will provide a standard level of protection in an environment where health information pertaining to an individual is housed electronically and/or is transmitted over telecommunications systems/networks. The standard mandates safeguards for physical storage and maintenance, transmission and access to individual health information. Entities required to comply with the standard include any health care provider, health care clearinghouse, or health plan that electronically maintains or transmits health information pertaining to an individual.
National identifiers include the National Provider Identifier (NPI), National Employer Identifier, National Health Plan Identifier and National Individual Identifier. NPRMs were published in 1998 for the NPI and the National Employer Identifier.
The final rule for the National Provider Identifier standards was issued by DHHS under HIPAA on January 23, 2004, with an effective date of May 23, 2005 and a compliance date of May 23, 2007. The final regulation has been developed to assign each health care provider with a standard National Provider Identification (NPI) number which all health plans must use. These standards and unique provider identifiers across plans now allow easier provider claims submissions and exchange of data between health plans when coordination of health care information is necessary. Entities required to comply with the standard include health plans, health care clearinghouse or any health care provider that electronically transmits health information.
A final rule for the Identifier for Employers was published on May 31, 2002, and the compliance date was July 30, 2004, for most covered entities (small health plans have until August 1, 2005 to comply with the rule). The National Employer Identifier standards adopt the Employer Identification Number (EIN), the taxpayer identifying number for employers that is assigned by the Internal Revenue Service. This identifier has nine digits with the first two digits separated by a hyphen, as follows: 00-0000000. The numbers are needed by employer groups to identify themselves in electronic transactions when they enroll or disenroll employees in a health plan or make premium payments to health plans on behalf of their employees. Employers and health care providers may need to identify an employer as the source or receiver of information about a participant's eligibility.
The National Health Plan Identifier and National Individual Identifier are currently on hold.
BCBSND is complying with each of the HIPAA regulation standards by their respective mandated implementation dates.
BCBSND has implemented the standard transactions and code sets and the national provider identifier regulations. BCBSND has implemented policies and procedures to adhere to the privacy and security regulations. Activities surrounding these standards include:
- Established a HIPAA Steering Committee comprised of senior executives.
- Established multiple workgroups implementing specifications to comply with the HIPAA regulations.
- Hired a Systems Security & Privacy Officer who is responsible to ensure the development, implementation, and management of BCBSND's privacy and security initiatives.
- Established ongoing technical training for BCBSND staff regarding the HIPAA regulations.
- Utilized external expertise via the Blue Cross Blue Shield Association to assist in interpretation of the final regulations and to assist in the development of Trading Partner Agreements and business associate agreements.
- Implemented HIPAA-compliant electronic translation software (M2 EDI software) with our trading partners (providers and employer groups).
- Converted existing provider DataTrac and MedTrac installations to PC-ACE, the HIPAA-compliant claims capture and transmit software.
- Secured Trading Partner Agreements (TPA) that define the electronic data interchange (EDI) standards and protocols so our computer systems can accept, process and generate HIPAA-compliant data.
- Developed and implemented policies and procedures to comply with privacy and security standards.
- Provided awareness and training to all BCBSND staff on privacy and security policies.
- Mailed Privacy Notice in April 2003 and continue to provide such notice to new enrollees.
- Implemented business associate contracts where necessary.
- Conduct ongoing risk analysis as measured against HIPAA regulations.
- Determine and implement modifications to systems, as deemed necessary by the risk analysis.
- Enhanced the Business Contingency and Continuity Plan
As we continue to address the regulations, further information about our status will be communicated through various mailings and medias including our web site and HealthCare News publications.