Overview of Privacy and Data Security
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The purpose of HIPAA is to improve the portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. The University has appointed a HIPAA Privacy and Security Officer, who is responsible for developing University policies and procedures that implement the HIPAA standards.
The Privacy Standards
The privacy provisions of HIPAA apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The Department of Health and Human Services (HHS) has issued the regulation, "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the privacy regulation.
The Security Standards
The Administrative Simplification provisions of HIPAA require the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
The Standards for Transactions and Code Sets
Transactions are activities involving the transfer of health care information for specific purposes. Under HIPAA Administrative Simplification, if a health care provider engages in one of the identified transactions, they must comply with the standard for that transaction. HIPAA requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers. HIPAA has identified ten standard transactions for Electronic Data Interchange (EDI) for the transmission of health care data. Claims and encounter information, payment and remittance advice, and claims status and inquiry are several of the standard transactions. Code sets are the codes used to identify specific diagnoses and clinical procedures on claims and encounter forms. The CPT-4 and ICD-9 codes that you are familiar with are examples of code sets for procedure and diagnosis coding. Other code sets adopted under the Administrative Simplification provisions of HIPAA include code sets used for claims involving medical supplies, dental services, and drugs.
The National Provider Identifier Standards
HIPAA mandated that the Secretary of Health and Human Services adopt a standard unique health identifier for health care providers. On January 23, 2004, the Secretary published a Final Rule that adopted the National Provider Identifier (NPI) as this identifier.
All HIPAA covered healthcare providers, whether they are individuals or organizations, must obtain an NPI to identify themselves in HIPAA standard transactions. Once enumerated, a provider's NPI will not change. The NPI remains with the provider regardless of job or location changes.
HIPAA covered entities, such as providers completing electronic transactions, healthcare clearinghouses, and large health plans, must use only the NPI to identify covered healthcare providers in standard transactions by May 23, 2007. Small health plans must use only the NPI by May 23, 2008.