What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accessibility Act of 1996. The purpose of this federal legislation is to improve the efficiency and effectiveness of the health care system by standardizing the electronic data interchange of certain administrative and financial transactions, and to protect the security and privacy of transmitted information. HIPAA required the Department of Health and Human Services (DHHS) to develop standards in three major areas: Electronic Data, including electronic transactions, code sets, and unique identifiers (individual, employer, provider, and health plan); Privacy of health information; and Administrative, physical, and technical security.
It has taken several years for the federal government to adopt the administrative rules to implement this legislation. Most of the rules have now been adopted, and compliance dates for implementation have been issued. All health care providers that choose to electronically transmit any of the covered transactions (such as electronic billing) are required to implement all of the HIPAA provisions. DHHS has defined case management as an "atypical health care service." Another category of "atypical health care service" is rehabilitation services, such as home and community based services.
What Does This Mean?
The federal government is developing standard identification numbers, standard transaction codes, and billing forms that will replace the multiple code sets and forms used by health plans, both private and public. Therefore, the Department of Human Services should notify all Medicaid providers of the changes in billing forms, billing codes and provider numbers by October 16, 2002, the date they are required to comply with this provision.
The privacy provisions under the HIPAA rules define who is authorized to access information and the right of individuals to keep information about themselves from being disclosed. There are five basic principles of the HIPAA privacy provision. They are:
- CONSUMER CONTROL: Consumers have new rights to control the release of medical information.
- BOUNDARIES: Health information should be used for health purposes only (i.e. treatment and payment) with few exceptions.
- PUBLIC RESPONSIBILITY: The balance of privacy protections with the public responsibility to support national priorities.
- SECURITY: Organizations are responsible for protecting health information against misuse and disclosure.
- ACCOUNTABILITY: There will be federal penalties if a patient’s right to privacy is violated.
DHHS has not completed the final rules for the security provisions, and therefore no date has been set for compliance. Generally they have been giving two years following the effective date of the administrative rules.