Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy, Security, and Electronic Transactions and Code Sets Regulations adopted under the Health Insurance Portability and Accountability Act of 1996
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) led to the adoption of federal regulations that had a major effect on physician practices. These regulations include the HIPAA Privacy Rule, the Security Rule, and the Electronic Transactions and Code Sets Rule. The rules are subject to frequent change and expansion by the U.S. Department of Health and Human Services (HHS).
The AMA has developed numerous resources designed to help you stay abreast of, and maintain compliance with, these rules.
The HIPAA Privacy Rule
The Privacy Rule restricts covered entities' and business associates' use and disclosure of an individual's "protected health information" (PHI). PHI is individually identifiable health information that a covered entity or business associate holds or transmits in any form or medium (electronic, paper, or oral) and that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that health care.
The HIPAA Security Rule
The HIPAA Security Rule's compliance date for most covered entities was April 2005. The Security Rule requires physician practices (and other covered entities and their business associates) to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of electronic PHI. Each safeguard standard is broken down into implementation specifications designated either "required" or "addressable"; an addressable specification is not optional, but the practice may document why a particular measure is not reasonable and appropriate for its environment and implement an equivalent alternative instead.
"Electronic PHI" (ePHI) refers to all individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or on paper; that information is protected by the Privacy Rule alone.
The HIPAA Transactions and Code Sets Final Rule
HIPAA also required HHS to adopt regulations for unique health identifiers and for electronic transactions and code sets. The Transactions and Code Sets Final Rule's compliance date was October 2003. The rule adopted standard formats (the numbers below are the ASC X12N transaction set identifiers) that covered entities must use whenever they conduct the following administrative transactions electronically:
- Health claims or equivalent encounter information (837);
- Enrollment and disenrollment in a health plan (834);
- Eligibility for a health plan (270/271);
- Health care payment and remittance advice (835);
- Health plan premium payments (820);
- Health claim status (276/277); and
- Referral certification and authorization (278).