What is HIPAA?

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care.

HIPAA Overview:

The Health Insurance Portability and Accountability Act of 1996 Public Law 104-191 (HIPAA) was passed by Congress to reform the insurance market and simplify health care administrative processes.

  1. The administrative simplification part of HIPAA is aimed at reducing administrative costs and burdens in the health care industry by adopting and requiring the use of standardized, electronic transmission of administrative and financial data.
  2. HIPAA will have a significant impact on the healthcare industry over the next several years.
  3. HIPAA requires the Department of Health and Human Services (DHHS) to adopt national uniform standards for the electronic transmission of certain health information.


Who has to be HIPAA Compliant?

Virtually all healthcare organizations – including all healthcare providers, health plans, public health authorities, healthcare clearinghouses, and self-insured employers – as well as life insurers, information systems vendors, various service organizations, and universities.

Key Components of HIPAA Rule: The five specific areas of administrative simplification addressed by HIPAA are:

Standards for Electronic Transactions  The term “Electronic Health Transactions” includes health claims, health plan eligibility, enrollment and di-enrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.

In the past, health providers and plans have used many different electronic formats to transact medical claims and related business. Implementing a national standard is intended to result in the use of one format, thereby “simplifying” and improving transactions efficiency nationwide.

Virtually all health plans must adopt these standards. Providers using non-electronic transactions are not required to adopt the standards for use with commercial healthcare payers. However, electronic transactions are required by Medicare, and all Medicare providers must adopt the standards for these transactions. If they don’t, they will have to contract with a clearinghouse to provide translation services.

Health organizations also must adopt standard code sets to be used in all health transactions. For example, coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms, and actions that were taken must become uniform. All parties to any transaction will have to use and accept the same coding, for the purpose of reducing errors and duplication of effort. Fortunately, the code sets proposed as HIPAA standards are already used by many health plans, clearinghouses, and providers, which should ease the transition to them. Final Transactions Standard rule


Unique Identifiers for Providers, Employers, and Health Plans  In the past, healthcare organizations have used multiple identification formats when conducting business with each other – a confusing, error-prone, and costly approach. It is expected that standard identifiers will reduce these problems.

The Employer Identifier Standard, published in 2002, adopts an employer’s tax ID number or employer identification number (EIN) as the standard for electronic transactions. The NPI, published in 2004, requires hospitals, doctors, nursing homes, and other healthcare providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. Providers can apply for an identifier once and keep it if they relocate or change specialties. A final standard for a Health Plan Identifier has not yet been published. More information on Employer ID


Security Rule – The final Security Rule was published on February 20, 2003, and provides a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual. The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits.

It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce. Required safeguards include the application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers, and other electronic devices.

The Security Standard is intended to be scalable; in other words, it does not require specific technologies to be used. Covered entities may elect solutions that are appropriate to their operations, as long as the selected solutions are supported by a thorough security assessment and risk analysis.

Summary of HIPAA Security Rule
Final security rule
Information Security Risk Assessment Methodology
Contingency Plan document by NIST


Privacy Rule  The Privacy Rule is intended to protect the privacy of all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. The rule establishes the first “set of basic national privacy standards and fair information practices that provide all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care”. 65 Fed. Reg. at 82464.

The Privacy Standards:

  1. Give patients new rights to access their medical records, restrict access by others, request changes, and learn how they have been accessed
  2. Restrict most disclosures of protected health information to the minimum needed for healthcare treatment and business operations
  3. Provide that all patients are formally notified of covered entities’ privacy practices
  4. Enable patients to decide if they will authorize the disclosure of their protected health information (PHI) for uses other than treatment or healthcare business operations
  5. Establish new criminal and civil sanctions for improper use or disclosure of PHI
  6. Establish new requirements for access to records by researchers and others
  7. Establish business associate agreements with business partners that safeguard their use and disclosure of PHI.
  8. Implement a comprehensive compliance program, including
    1. Conducting an impact assessment to determine gaps between existing information practices and policies and HIPAA requirements
    2. Reviewing functions and activities of the organization’s business partners to determine where Business Associate Agreements are required
    3. Developing and implementing enterprise-wise privacy policies and procedures to implement the Rule
    4. Assigning a Privacy Officer who will administer the organizational privacy program and enforce compliance
    5. Training all members of the workforce on HIPAA and organizational privacy policies
    6. Updating systems to ensure they provide adequate protection of patient data
  9. Final Privacy Rule
  10. Summary of HIPAA Privacy Rule


Benefits of HIPAA

Significant resources need to be invested over the next several years to achieve compliance with HIPAA legislation and to realize the long-term benefits.  The benefits of HIPAA include lowering administrative costs, enhancing the accuracy of data and reports, increasing customer satisfaction, reducing cycle time, and improving cash management.

Additional links to HIPAA Regulations

U.S. Department of Health and Human Services
Contains links to Transactions, Code Sets and Identifiers (EDI), Privacy, and Security final regulations. FAQs are also presented on this website. This is the general site for HHS descriptions for HIPAA Administrative Simplification.

Centers for Medicare and Medicaid Services (CMS)
Contains general HIPAA Administrative Simplification information and links to further information, including an FAQ section. CMS will be the authority for EDI regulation enforcement.

Office for Civil Rights (OCR)
The Office for Civil Rights is the enforcement agent for the Privacy regulations addressed by HIPAA Administrative Simplification. Included in this website are guidelines on HIPAA Privacy, instructions, and forms for reporting breaches of privacy and other health information privacy information.