HIPAA FAQ
What is HIPAA?
HIPAA - Health Insurance Portability and Accountability Act - was signed into law by President Bill Clinton in 1996, and represents the largest government action in healthcare since Medicare. The key components of HIPAA are the Administrative Simplification section, which sets the requirements for electronic healthcare standardization, and the Patient Privacy and Security Standards.
What is HIPAA supposed to do?
HIPAA is designed to reduce administrative costs and burdens and to increase the level of security for healthcare information.
Who must comply with HIPAA?
Basically, any healthcare organization, healthcare provider, clearinghouse, or payer that electronically processes medical-related data must be in compliance. Any healthcare provider that electronically transmits claims, claim inquiries, remittances, or certifications must comply with the HIPAA regulations. Additionally, healthcare organizations that electronically store or transmit medical information whose usage can be traced to a specific person must comply with HIPAA's security regulations. Other organizations that do business with these entities and use protected health information in the course of their business are also affected.
Can you give a brief explanation of the HIPAA provisions?
There are actually two main provisions in HIPAA: HIPAA Health Insurance Reform (Title I) and HIPAA Administrative Simplification (Title II). The Administrative Simplification provision is the one most associated with healthcare IT. Here's a brief breakdown of this provision:
Electronic Healthcare Transactions and Code Sets
Compliance deadline: October 16, 2003
Testing deadline: April 16, 2003 (all covered entities must have started software and systems testing)
The Electronic Healthcare Transactions and Code Sets provision establishes ANSI ASC X12 as the national standard for electronic healthcare transactions. HIPAA does not require healthcare providers to conduct transactions electronically, but it does require that health plans accept electronic transactions sent in a HIPAA-compliant format. Examples of electronic healthcare transactions include insurance claims; health plan eligibility, enrollment and disenrollment; payments for healthcare; insurance premiums; claim status checks; and coordination of benefits.
This provision also mandates the adoption of a standard set of codes for diagnoses and services involved in healthcare transactions. The code sets would be used to describe injuries and illnesses, identify the cause of the problems, and define the remedies administered.
Privacy and Confidentiality Standards
Compliance deadline: April 14, 2003 (all covered entities except small health plans)
Compliance deadline: April 14, 2004 (small health plans)
The privacy provisions establish a national standard for the collection, use and disclosure of individually identifiable health information. This rule defines a patient's control of their medical records; places restrictions on the uses and disclosures of patient information; establishes sanctions for violations of patient confidentiality; and requires an administrative infrastructure to implement and manage these standards.
Unique Identifiers
Compliance deadline: July 30, 2004 (all covered entities except small health plans)
Compliance deadline: August 1, 2005 (small health plans)
HIPAA regulations specify that four identifiers be used in healthcare transactions to identify employers, health plans, providers, and patients. The identifiers will be unique for each healthcare organization, and will be assigned and administered using a centralized system.
Employer Identifier - The nine-digit IRS-issued employer identification number is scheduled to be used as the HIPAA employer identifier.
Health Plan Identifier - Health plan identifiers have not been issued.
Provider Identifier - Eight-digit provider identifiers have yet to be assigned to healthcare providers.
Patient Identifier - Codes to identify an individual patient have not been determined.
Security and Electronic Signature Standards
Compliance deadline: April 21, 2005 (covered providers, claims clearinghouses and most payers)
Compliance deadline: April 21, 2006 (small payers with annual receipts below $5 million)
The security regulations specify the technical requirements and operational procedures to ensure the security of patient data stored or transmitted electronically. This provision is broken down into two parts: organizational procedures and technical procedures.
Organizational Policies, Practices and Procedures - Defines the administrative procedures and physical safeguards that a healthcare organization must take to protect stored information. This includes documenting the procedures for access and usage of patient information, and defining the processes that protect the storage equipment from physical access and environmental hazards.
Technical Policies, Practices and Procedures - Identifies the technical security services and mechanisms for limiting access to patient information. Among the things covered are processes that control and monitor access to information as well as procedures that prevent unauthorized access to electronically transmitted data.
When do organizations have to comply with the standards?
In December 2001, the Administrative Simplification Compliance Act (ASCA) extended the deadline for compliance from October 16, 2002 to October 16, 2003 for all covered entities, described as any healthcare provider, insurance plan or clearinghouse.
In order to qualify for this extension, covered entities must submit a compliance plan by October 15, 2002.
The Patient Privacy and Security Standards go into effect April 2003.
Is there a difference between being HIPAA ready and HIPAA compliant?
Yes. HIPAA ready typically refers to a company that is not required to adhere to the HIPAA regulations, but offers products used by covered entities (healthcare providers, insurance plans and clearinghouses). These products are often referred to as HIPAA ready, meaning they comply with the published guidelines.
HIPAA compliant refers to the covered entities themselves being in full HIPAA compliance. Such compliance extends beyond the information systems, and includes the way in which patient records are handled physically.
HIPAA makes numerous references to electronic transactions. What can be classified as an electronic transaction?
"Electronic transactions" refers to any communication that is stored or transmitted electronically, or that has been stored or transmitted electronically in the past. Examples of the data covered include databases, tapes and disks. Among the transmission methods covered are the Internet and office networks. Specific transaction types include claims, claim status, remittance, eligibility, referrals and authorizations.
My office is not computerized. Do I have to buy a computer?
HIPAA covers electronic transmissions and does not require practices to purchase a computer. However, more and more healthcare service providers are beginning to move to electronic transactions, so you may want to consider purchasing a computer.
What are the penalties for non-compliance?
The HIPAA provisions detail the penalties for violating any of the various provisions. The following is a brief overview of some of these penalties, taken directly from Subtitle F (Administrative Simplification) of HIPAA:
- General Penalty for Failure to Comply With Requirements and Standards - "...impose on any person who violates a provision of this part a penalty not more than $100 for each violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000."
- Wrongful Disclosure of Individually Identifiable Health Information - "A person who knowingly and in violation of this part (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person shall be punished as provided...
  - to be fined not more than $50,000, imprisoned not more than one year, or both;
  - if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than five years, or both;
  - if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $50,000, imprisoned not more than one year, or both."
What happens if I fail to comply, but it wasn't my fault?
If the reason you are not in compliance was due to what HIPAA refers to as a "reasonable cause," you will not be penalized. However, you must be able to prove that the problem was beyond your control and not willful neglect. You also must correct the problem within 30 days of detecting the problem. If you are unable to correct the problem in that time, you must file for an extension or be subject to the non-compliance penalties.