Unique identifiers* — A system that uses one identification number per employer, health plan or payer and health care provider to simplify administration
Security — Safeguarding the storage of, access to and transmission of electronic patient information
Privacy — Generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to see and get copies of their records, request amendments to their records and learn details of certain disclosures of their records.
*Denotes a proposed rule that may vary from its original specifications and is not yet final.
Electronic Health Transaction Standards and Code Sets
HIPAA calls for a standard in the way health information is transferred and in the use of standard codes to identify each disease, illness and other health problems. The following standard formats are currently in version 005010:
270/271: Health Care Eligibility Benefit Inquiry and Response
276/277: Health Care Claim Status Request and Response
278: Health Care Services Review
835: Health Care Claim Payment/Advice
837: Health Care Claim — Professional
837: Health Care Claim — Dental
837: Health Care Claim — Institutional
820: Payroll Deducted and Other Group Premium Payment for Insurance Products
834: Benefit Enrollment and Maintenance
In conjunction with HIPAA's Administrative Simplification efforts, the Centers for Medicare & Medicaid Services (CMS) proposed four unique identifiers for the purpose of standardizing the identification numbers for providers, employers and plans to ensure future consistency and ease of use.
The Standard Unique Employer Identifier is the standard employer identification number (EIN) that appears on an employee's federal Internal Revenue Service (IRS) Form W-2, Wage and Tax Statement received from their employer.
The EIN will be used to identify an entity acting in an employer role in standard HIPAA transactions. It will not identify the patient's health plan or insurance coverage and will not replace the group number, account number, policy number or subscriber number.
The regulations do not require employers to use the EIN or submit standard transactions; however, when an employer elects to use electronic HIPAA transactions, the EIN will be used in those transactions initiated by the employer itself, such as the enrollment in a health plan standard transaction (X12N 005010 834 transaction).
In all standard electronic transactions conducted by the health care provider, the employer identifier is not used or is situational. In the instances when an EIN could be used by a health care provider to identify an employer, its usage is contingent upon the health care provider's ability to obtain the EIN from the employer. If a health care provider is unable to obtain the EIN, then the situational data condition has not been met and its use is not required.
Health plans and clearinghouses that engage in electronic commerce are required to use the EIN to identify the employer in standard electronic health transactions that require an employer identifier. Health plans are permitted, as part of their business arrangements with employers, to require employers to use the standard transactions and to provide their EINs for this purpose.
The National Provider Identifier (NPI) is a unique identification number for covered health care providers. Covered health care providers and all health plans and health care clearinghouses must use NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (10-digit number). This means that the numbers do not carry other information about health care providers, such as the state in which they live or their medical specialty. The NPI must be used in lieu of legacy provider identifiers in the HIPAA standards transactions.
As outlined in the Federal Regulation, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), covered providers must also share their NPIs with other providers, health plans, clearinghouses and any entity that may need it for billing purposes.
The Health Plan Identifier (HPID) is a standard, unique health plan identifier required by the Health Insurance Portability & Accountability Act of 1996 (HIPAA). On September 5, 2012 the Department of Health and Human Services (HHS) published the final rule which adopts a unique identifier (HPID) for Health Plans. Although the requirement to obtain HPIDs is currently on hold, Highmark has obtained the necessary HPIDs for their existing business entities. No additional information is available at this time regarding the usage of the HPIDs.
The National Individual Identifier is no longer being pursued, as the government is not allotting funding for its development. The concept of an individual identifier has been discarded, as there is much controversy as to how it can be implemented without compromising individual privacy.
The final security regulation adopts national standards that covered entities and their business associates must meet to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). The scope of the HIPAA security rule applies only to health information in electronic form.
The security standards were developed to be comprehensive, scalable and technology-neutral in order to apply to many organizational sizes and types. The implementation requirements will vary business by business and can be implemented regardless of what computer systems the company uses. Anyone who transmits or maintains electronic health information must at least conduct a risk assessment and develop a security plan to protect this information.
In order to achieve these goals, Covered Entities are required to utilize three categories of security safeguards:
Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to safeguard electronic protected health information and manage the conduct of the covered entity's workforce in relation to the protection of that information.
Physical safeguards are physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.
Technical safeguards are the technology, policy and procedures for its use that safeguard electronic protected health information and control access to ePHI.
Enforcement of the security standards will be addressed in future regulations.
HIPAA's privacy standards refer to all medical records and other individually identifiable health information in any format, whether communicated electronically, on paper or orally.
Patient rights include:
Receipt of a written explanation of how their health information may be used, kept and disclosed
The right to see and get copies of their health records and request changes
Limitation of the use or disclosure of protected health information
An accounting of uses or disclosures for other than treatment, payment or health care operations
All references to “Highmark” in this document are references to the Highmark company that is providing the member’s health benefits or health benefit administration and/or to one or more of its affiliated Blue companies.
This website is operated by Highmark, Inc. and is not the Health Insurance Marketplace website. It also does not display all Qualified Health Plans available through the Health Insurance Marketplace website. To see all available Qualified Health Plan options, go to the Health Insurance Marketplace website at HealthCare.gov.
Highmark Blue Cross Blue Shield or Highmark Blue Shield are Medicare Advantage HMO, PPO, and/or Part D plans with a Medicare contract. Enrollment in these plans depends on contract renewal.
®Blue Cross, Blue Shield and the Cross and Shield symbols are registered service marks of the Blue Cross Blue Shield Association, an association of independent Blue Cross and Blue Shield plans. Benefits and/or benefit administration may be provided by or through the following entities, which are independent licensees of the Blue Cross Blue Shield Association: Western and Northeastern PA: Highmark Inc. d/b/a Highmark Blue Cross Blue Shield, Highmark Choice Company, Highmark Health Insurance Company, Highmark Coverage Advantage Inc., Highmark Benefits Group Inc., First Priority Health, First Priority Life or Highmark Senior Health Company. Central and Southeastern PA: Highmark Inc. d/b/a Highmark Blue Shield, Highmark Benefits Group Inc., Highmark Health Insurance Company, Highmark Choice Company or Highmark Senior Health Company.
PA: Your plan may not cover all your health care expenses. Read your plan materials carefully to determine which health care services are covered. For more information, call the number on the back of your member ID card or, if not a member, call 866-459-4418.
Delaware: Highmark BCBSD Inc. d/b/a Highmark Blue Cross Blue Shield.
West Virginia: Highmark West Virginia Inc. d/b/a Highmark Blue Cross Blue Shield, Highmark Health Insurance Company or Highmark Senior Solutions Company. Visit our website to view the Access Plan required by the Health Benefit Plan Network Access and Adequacy Act. You may also request a copy by contacting us at the number on the back of your ID card.
Western NY: Highmark Western and Northeastern New York Inc. d/b/a Highmark Blue Cross Blue Shield.
Northeastern NY: Highmark Western and Northeastern New York Inc. d/b/a Highmark Blue Shield.
Enter your ZIP code so we can show you personalized information.