
HIPAA

The American Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of rules to be followed by health plans, doctors, hospitals and other health care providers. One key provision requires health plans and providers to use standard formats for electronic data interchange (EDI), such as electronic claims submission.

The three rule sets in HIPAA

HIPAA Privacy

The HIPAA Privacy Rule took effect on April 14, 2003. Key privacy provisions include:

  • Patients must be able to access their record and correct errors.
  • Patients must be informed of how their personal information will be used.
  • Patient information can only be shared if needed to treat the patient. In particular, it cannot be used for marketing purposes without their explicit consent.
  • Patients can ask their health plans and providers to take reasonable steps to ensure that their communications with the patient are confidential. For instance, a patient can ask to be called on his work number, instead of home or cell phone number.
  • Patients can file formal privacy-related complaints to the HHS' Office for Civil Rights.
  • Health plans or providers must document their privacy procedures, but they have discretion on what to include in their privacy procedure.
  • Health plans or providers must designate a privacy officer and train their employees.

HIPAA Administrative Simplification

The purpose of the AS rule was to standardize how electronic medical transactions were conducted across the entire spectrum of the US healthcare system. Key transactions are:

  • 837: Medical claims with subtypes for Professional, Institutional, and Dental varieties.
  • 835: Electronic remittances
  • 270/271: Eligibility inquiry and response
  • 276/277: Claim status inquiry and response
  • 278: Health Services Review request and reply

The transactions are based on EDI, and specific Implementation Guides were developed for them. The Implementation Guides are available for free from the Washington Publishing Company.

The HIPAA AS rule was originally set to go into effect October 16, 2003. Due to widespread confusion and difficulty in implementing the rule, a one-year extension was granted to all parties. As of October 16, 2004, full implementation was not achieved and the Centers for Medicare and Medicaid (the US government agency tasked with enforcement) began an open-ended "contingency period" where penalties for non-compliance will not be levied; however, all parties are supposed to be making a "good faith effort" to come into compliance.

HIPAA Security

The HIPAA Security rule went into effect April 20, 2005. Key provisions are:

  • Physical Security - controlling physical access to PHI
  • Technical Safeguards - controlling access to computer systems

The security rule is largely complementary to the Privacy Rule.

Legislative Information

  • House: 104 H.R. 3103, H. Rept. 104-469, Pt. 1, H. Rept. 104-736
  • Senate: 104 S. 1028, 104 S. 1698, S. Rept. 104-156
  • Law: Pub. L. 104-191, 110 Stat. 1936
  • HHS Privacy Rule: 45 CFR 160, 45 CFR 164



The contents of this article are licensed from Wikipedia.org under the GNU Free Documentation License.

01-04-2007 01:21:04