HIPAA-What Does It Mean To You?

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes a wide array of provisions designed to make health insurance more accessible. Additionally, with support from health plans, hospitals and other health care businesses, Congress included provisions in HIPAA to require HHS ( United States Department of Health and Human Services) to adopt national standards for certain electronic health care transactions. HIPAA also set a three-year deadline for Congress to enact comprehensive privacy legislation to protect medical records and other personal health information. When Congress did not enact such legislation by August 1999, HIPAA required HHS to issue health privacy regulations. More information about the HIPAA standards is available at www.aspe.hhs.gov/admnsimp .

 The following section briefly describes the components of the new HIPAA regulations for Administrative Simplification. This article does not address the rules for portability of insurance. GE Medical Systems believes that it is the Administrative Simplification rules that will have a direct and significant impact upon our customers and the way that they will conduct their businesses in the future.

Electronic Transaction Standards. In August 2000, HHS issued final electronic transaction standards to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. The new standards establish standard data content, codes and formats for submitting electronic claims and other administrative health care transactions. This regulation includes the following transaction types:

• 837 Health care claims or equivalent encounter information.
• 835 Health care payment and remittance advice
• 837 Coordination of benefits.
• 276/277 Health care claim status
• 834 Enrollment and disenrollment in a health plan
• 270/271 Eligibility for a health plan
• 820 Health plan premium payments
• 278 Referral certification and authorization
• Standards for the first report of injury and claims attachments (also required by HIPAA) will be adopted at a later date.

Code Sets.
Under HIPAA, a "code set" is any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnosis codes, or medical procedure codes. Medical data code sets used in the health care industry include coding systems for diseases, impairments, other health related problems, and their manifestations; causes of injury, disease, impairment, or other health-related problems; actions taken to prevent, diagnose, treat, or manage diseases, injuries, and impairments; and any substances, equipment, supplies, or other items used to perform these actions. Code sets for medical data are required for data elements in the administrative and financial health care transaction standards adopted under HIPAA for diagnoses, procedures, and drugs.

The following code sets have been adopted as HIPAA standards:

• CD-9-CM Diagnosis codes
• CPT-4 Procedure codes
• HCPCS Procedure codes
• CDT Dental procedure codes
• NDC Drug Codes (On 5/31/2002 HHS proposed to repeal the NDC codes as the standard code set to refer to drugs).

Privacy Standards.
In December 2000, HHS issued a final rule to protect the confidentiality of medical records and other personal health information. The Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information.

• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
• And it strikes a balance when public responsibility requires disclosure of some forms of data - for example, to protect public health.

Security Standards.
In August 1998, HHS proposed rules for security standards to protect electronic health information systems from improper access or alteration. The new security standards include provisions for

• Assessment of potential risks and vulnerabilities.
• Protection against threats to information security or integrity, and against unauthorized use or disclosure.
• Implementation and maintenance of security measures appropriate to their needs, capabilities and circumstances.
• Assurance of compliance with these safeguards by all staff.

National Employer Identifier.
On May 31, 2002, HHS announced the final regulations to standardize the identifying numbers assigned to employers in the health care industry by using the existing Employer Identification Number (EIN) already assigned by the Internal Revenue Service. Businesses that pay wages to employees already have an EIN.

National Provider Identifier.
In May 1998, HHS proposed standards to require hospitals, doctors, nursing homes, and other health care providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. Providers would apply for an identifier once and keep it if they relocated or changed specialties. Currently, health care providers are assigned different ID numbers by each different private health plan, hospital, nursing home, and public program such as Medicare and Medicaid. These multiple ID numbers result in slower payments, increased costs and a lack of coordination.

National Health Plan Identifier.
HHS is working to propose standards that would create a unique identifier for health plans, making it easier for health care providers to conduct transactions with different health plans.

Unique Personal Health Identifier.
Although HIPAA included a requirement for a unique personal health care identifier, HHS and Congress have put the development of such a standard on hold indefinitely. In 1998, HHS delayed any work on this standard until after comprehensive privacy protections were in place. Since 1999, Congress has adopted budget language to ensure no such standard is adopted without Congress' approval. HHS has no plans to develop such an identifier.

Enforcement Procedures.
Although a rule on enforcement is not required by HIPAA, HHS is developing a proposed rule in order to clarify the enforcement process for covered entities.

Do the new HIPAA regulations apply to you?
If you are a health plan, health care clearinghouse, or a health care provider who conducts certain financial and administrative transactions electronically (such as eligibility, referral authorizations and claims) you are a covered entity and are required to comply with each set of final standards.

Are you in compliance of the electronic transaction standards if you use a clearinghouse to send and receive electronic transactions?
The transaction standards will apply only to electronic data interchange (EDI) -- when the data is transmitted electronically between health care providers and health plans as part of a standard transaction. Data may be stored in any format as long as it can be translated into the standard transaction when required. To comply with the transaction standards, health care providers and health plans may exchange the standard transactions directly, or they may contract with a clearinghouse to perform this function. Clearinghouses may receive non-standard transactions from a provider, but they must convert these into standard transactions for submission to the health plan. Similarly, if a health plan contracts with a clearinghouse, the health plan may submit non-standard transactions to the clearinghouse, but the clearinghouse must convert these into standard transactions for submission to the provider.

When must you comply with the new regulations?
In general, the law requires covered entities to come into compliance with each set of standards within two years following adoption, except for small health plans, which have three years to come into compliance. For the electronic transaction standards the compliance deadline is Oct. 16, 2002. For the security standards, compliance for most covered entities is required by April 14, 2003.

Can you obtain an extension if you will not be ready?
For the electronic transaction rule only, Congress in 2001 enacted legislation allowing a one-year extension for most covered entities provided that they submit a plan for achieving compliance. As a result, covered entities that qualify for the extension will have until Oct. 16, 2003, to meet the electronic transaction standards instead of the original Oct. 16, 2002, deadline. (Small health plans must still meet the Oct. 16, 2003, compliance date and are not eligible for an extension under the new law.) The legislative extension does not affect the compliance dates for the health information privacy rule, which remains April 14, 2003, for most covered entities (and April 14, 2004, for small health plans). Detailed information and instruction for obtaining this extension is available at www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.asp.

As seen in Millbrook Today, to request a copy, send your Practice
name and full mailing address to Marketing@Millbrook.com.

Request a Demo or More Information
about Millbrook Practice Management solutions.