The most prominent aspects of the Health Insurance Portability and Accountability Act (HIPAA) that affect almost everyone in the health care industry are described in detail here.
Administrative simplification is broken down into several sections:
*Denotes a proposed rule that may vary from its original specifications and is not yet final.
HIPAA calls for a standard way of transferring health information and for the use of standard codes to identify each disease, illness and other health problem. The following standard formats are currently in version 005010:
In conjunction with HIPAA's Administrative Simplification efforts, the Centers for Medicare & Medicaid Services (CMS) proposed four unique identifiers for the purpose of standardizing the identification numbers for providers, employers and plans to ensure future consistency and ease of use.
The EIN will be used to identify an entity acting in an employer role in standard HIPAA transactions. It will not identify the patient's health plan or insurance coverage and will not replace the group number, account number, policy number or subscriber number.
The regulations do not require employers to use the EIN or submit standard transactions; however, when an employer elects to use electronic HIPAA transactions, the EIN will be used in those transactions initiated by the employer itself, such as the enrollment in a health plan standard transaction (X12N 005010 834 transaction).
In all standard electronic transactions conducted by the health care provider, the employer identifier is not used or is situational. In the instances when an EIN could be used by a health care provider to identify an employer, its usage is contingent upon the health care provider's ability to obtain the EIN from the employer. If a health care provider is unable to obtain the EIN, then the situational data condition has not been met and its use is not required.
Health plans and clearinghouses that engage in electronic commerce are required to use the EIN to identify the employer in standard electronic health transactions that require an employer identifier. Health plans are permitted, as part of their business arrangements with employers, to require employers to use the standard transactions and to provide their EINs for this purpose.
As outlined in the Federal Regulation, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), covered providers must also share their NPIs with other providers, health plans, clearinghouses and any entity that may need it for billing purposes.
The final security regulation adopts national standards that covered entities and their business associates must meet to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). The scope of the HIPAA security rule applies only to health information in electronic form.
The security standards were developed to be comprehensive, scalable and technology-neutral in order to apply to many organizational sizes and types. The implementation requirements will vary business by business and can be implemented regardless of what computer systems the company uses. Anyone who transmits or maintains electronic health information must at least conduct a risk assessment and develop a security plan to protect this information.
In order to achieve these goals, covered entities are required to utilize three categories of security safeguards:
Enforcement of the security standards will be addressed in future regulations.
HIPAA's privacy standards refer to all medical records and other individually identifiable health information in any format, whether communicated electronically, on paper or orally.
Patient rights include: