HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, is a federal law seeking simplification and easing burdens in health care transactions through uniform rules affecting electronic transactions, code sets, security of electronic transactions and uniform identifiers for parties involved in electronic health care transactions and the health care delivery system. HIPAA also seeks uniformity in the privacy practices of HIPAA covered-entities and assurances of certain rights that individuals enjoy relative to their medical records. While HIPAA's statutory provisions were passed by Congress and signed by the President in 1996, regulations implementing the law came much later and at staggered times.

HIPAA has four (4) parts:

  • privacy;
  • electronic transactions and code sets;
  • security, and
  • uniform identifiers for employers, providers, patients, and health plans.

The Department of Health and Human Services (HHS) is the federal agency responsible for HIPAA implementation, education and enforcement. HHS' Centers for Medicare and Medicaid Services (CMS) is the HIPAA enforcement agency for electronic transactions and code sets, security of electronic transactions, and national identifiers. HHS' Office of Civil Rights is the HIPAA enforcement agency for the Privacy Rule.

HIPAA is complex, technical, and governed in large measure by its own definitions and terms of art. This web page is not a tutorial on HIPAA. Rather, it provides links to resources that may be helpful to IMS member practices that either are new to HIPAA or continue to have HIPAA-related questions.

Are You A HIPAA Covered Entity?

HIPAA regulations are binding upon those health care providers conducting certain electronic transactions, health plans, and health clearinghouses that are "covered entities" within the definitional meaning of that term under HIPAA.

CMS provides "Covered Entity Decision Tools" on its Web site at http://new.cms.hhs.gov/apps/hipaa2decisionsupport/.

HIPAA FAQs and Advisories

CMS and the OCR provide answers to frequently-asked questions (FAQs) about HIPAA on their websites. The FAQs are an excellent source of information and guidance. Periodically, CMS and the OCR will release issue-specific HIPAA advisories which also are very helpful.

HIPAA Privacy Rule

The Office of Civil Rights' (OCR) web site is a comprehensive resource center on the HIPAA Privacy Rule.

Go to www.hhs.gov/ocr/hipaa/ and search the site.

HIPAA Electronic Transactions and Code Set (TCS) Rule

The HIPAA transactions standard applies to the following electronic transactions: health claim or encounter information; payment and remittance advice; claim status; enrollment/disenrollment in a plan; plan eligibility; health plan premium payments; referral certification/authorization; first report of injury; health claim attachments; and coordination of benefits (COB). HIPAA-recognized code sets include ICD-9M, CPT-4, and HCPCS; local codes are prohibited.

The final Transactions/Code Sets (TCS) standards were published on August 17, 2000. The compliance deadline (with exceptions) for covered entities that applied for extensions as authorized by Congress was October 16, 2003. For information on the HIPAA TCS standards, go to http://www.cms.hhs.gov/hipaa/hipaa2/default.asp.

CMS has issued notice that effective October 1, 2005, it will not process incoming electronic claims that fail to meet the requirements of HIPAA's TCS standards. Any non-HIPAA compliant electronic Medicare claim submitted for payment after that date will be returned to the filer for re-submission as a compliant claim. With this announcement, CMS terminated its contingency plan whereby it accepted non-HIPAA compliant claims under Medicare fee-for-service. Please note: Medicare's contingency plan for noncompliant submission of other HIPAA transactions remains in effect; the remittance advice transaction is the next HIPAA transaction for which CMS will end its contingency plan. For additional information, search the CMS Medlearn site, http://new.cms.hhs.gov/MedlearnNetworkGenInfo/

On November 21, 2005, CMS extended the comment period on its proposed rule (September 23, 2005 Federal Register) recommending industry-wide adoption of two X12N transaction standards to facilitate the electronic exchange of clinical and administrative data to further improve the claims attachment adjudication process when addition documentation is required. Comments now are due January 23, 2006. For additional information, go to http://www.cms.hhs.gov/hipaa/hipaa2/default.asp

On November 25, 2005, CMS issues a final rule clarifying those instances in which an electronic claim is not required in order to receive Medicare payment consistent with the requirements of the Administrative Simplification Compliance Act (ASCA). The ASCA, a federal law separate from but related to HIPAA, requires Medicare providers and suppliers to submit claims electronically to Medicare and those claims must be compliant with the HIPAA TCS rule. The final rule outlines exceptions for small providers as well as for direct submissions by Medicare beneficiaries lacking electronic access.

HIPAA Security Rule

The final Security rule was published in the Federal Register on February 20, 2003. The compliance deadline for the Security rule was April 21, 2005 (April 21, 2006 for small health plans). The CMS Web site is a first line resource on the HIPAA Security Rule. Go to http://www.cms.hhs.gov/hipaa/hipaa2/default.asp and search the site.

Please note: HIPAA covered entities must also comply with the security provisions of the HIPAA Privacy Rule.

HIPAA National Provider Identifier (NPI) Rule

HIPAA anticipates the adoption of national identifiers for employers, providers, health plans, and patients. The employer identifier is the IRS employer identification Number (EIN); compliance with that rule was July 31, 2004. The health plan identifier and the individual patient identifier have not yet been adopted.

The final rule for implementing the national provider identifier (NPI) was published on January 23, 2004. The NPI is required on all electronic billing claims no later than May 23, 2007 (May 23, 2008 for small health plans). CMS has issued guidance to providers on how to request an NPI. Go to www.cms.hhs.gov/hipaa/hipaa2/npi_provider.asp. Physician practices may also contact the enumerator (the contractor charged by CMS with administering the NPI application process) at (800) 465-3203 or go to https://nppes.cms.hhs.gov.

Medical practices can learn about Medicare processes for transitioning to the NPI by going to the CMS MedLearn Matter site: http://new.cms.hhs.gov/MedlearnMattersArticles/2005MMA/List.asp and searching for SE0528.

WEDI SNIP

The Workgroup for Electronic Data Interchange (WEDI) is a voluntary national initiative of noted expertise in the field of healthcare electronic transactions. WEDI was an active advisor to Congress and the federal regulatory agencies on HIPAA-related issues. WEDI also established a nationwide Strategic National Implementation Project (SNIP) to assist health care providers, health plans, employers and others with HIPAA implementation.

WEDI SNIP developed many helpful white papers of guidance on HIPAA-related issues. Go to http://wedi.org/snip/ and search the site for SNIP work products.

Iowa HIPAA SNIP

The Iowa Medical Society, Iowa Hospital Association, the Iowa Federation of Insurers, and several other named parties affected by HIPAA formed a voluntary cooperative initiative to assist HIPAA covered entities with implementation of HIPAA in its various phases. The Iowa HIPAA SNIP is a regional affiliate of the nationwide WEDI SNIP initiative (Above).

Many resources, including forms, were developed through the Iowa HIPAA SNIP initiative and were available on the Iowa HIPAA SNIP website. However, that web site is no longer operational. IMS is working with the Iowa HIPAA SNIP to obtain access to materials once on the HIPAA SNIP web site and still of assistance to medical practices.

Iowa HIPAA Statutory Preemption Report

The HIPAA Privacy Rule was adopted in addition to the myriad of state laws and rules affecting confidentiality of health care information (generally defined as protected health information (PHI) under the HIPAA Privacy Rule). The Privacy Rule sets forth a process for determining in cases of conflict between a HIPAA Privacy requirement and state law, which law should prevail and govern. A voluntary workgroup of Iowa attorneys well-versed in health law conducted a HIPAA preemption analysis on Iowa law.

Please note: The report only addresses statutory law and not regulations. However, the workgroup subsequently conducted a review of supporting regulations and identified no HIPAA preemption issues. Any person with a regulatory preemption question is best advised to contact that agency of state government with the rule that is the subject of the preemption question.

Iowa HIPAA Preemption Analysis (PDF 198KB)

Iowa Medical Society - HIPAA Resources

Manuals
The Illinois State Medical Society made two of its HIPAA manuals available for use by IMS members. Those manuals were authored by a nationally-recognized HIPAA educator and spokesperson who also held key positions with WEDI. The manuals were adapted by IMS to reflect appropriate references to Iowa law.

  • Health Insurance Portability and Accountability Act - Model Privacy and Security Policies and Procedures, October 2002, adapted and released by IMS, January 2003.
  • Health Insurance Portability and Accountability Act - Model Security Policies and Procedures, revised July 2004

These manuals are available only to identified IMS physician members by contacting .

HIPAA and Legal Process - Guidance Document
IMS convened an informal workgroup of attorneys as well as representatives of medical practice and hospitals to discuss challenges faced by both providers and attorneys in obtaining medical record (protected health information (PHI)) under HIPAA.

The IMS guidance document, HIPAA - Responding to Legal Process, (PDF 40KB) was developed with input from the above noted representatives.

Iowa Medicine

IMS Advocate
Physician members of IMS receive the IMS Advocate by e-mail or mail weekly during the General Assembly session and monthly when the legislature is not in session. HIPAA updates often are included in the Advocate.