HIPAA: Health Insurance Portability and Accountability Act
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
Following the passage of HIPAA, two additional laws have been enacted that add requirements to HIPAA and strengthen various aspects of administrative simplification. These laws are:
- Health Information Technology for Economic and Clinical Health Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA)
Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
- Patient Protection and Affordable Care Act of 2010 (ACA)
ACA builds upon HIPAA with new and expanded provisions, including a requirement to adopt operating rules for each of the HIPAA covered transactions; a unique, standard Health Plan Identifier; and a standard for electronic funds transfer. ACA requires that health plans certify their compliance with the standards and operating rules, and increases penalties for noncompliance.
AMA Advocates for Administrative Simplification
Because physician practices can save significant time and money through a streamlined and automated claims process, the AMA diligently advocates for continued administrative simplification. Review AMA-developed whitepapers and AMA testimonials about administrative simplification, to address the ongoing problems in the claims revenue cycle—problems which contribute to increased complexity and expense.
The following are highlights of some of the HIPAA-related topics. Click on the links for more information.
The HIPAA Privacy Rule provides federal protections for personal health information held by physicians and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Increasingly, physicians are using smart phones, tablets, laptops, and other mobile devices to access protected patient information. Information on how physicians can secure these devices to avoid inappropriate access and disclosure of patient information can be found below.
AM News Articles
Smartphones blamed for increasing risk of health data breaches
The Transactions and Code Sets Final Rule, as required by HIPAA, was issued in August 2000 by HHS and named standard transactions to be used by "covered entities," defined as health care providers (including physicians), payers, and clearinghouses, when conducting specific administrative transactions electronically. The compliance date for the first version of the HIPAA standards, Version 4010, was October 2003 for most HIPAA covered entities. In 2009, HHS adopted Version 5010 to replace Version 4010; the industry implemented Version 5010 on January 1, 2012.
ACA requires the Secretary of HHS to adopt operating rules for each HIPAA transaction. Operating rules are defined as "...the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications..." There are various deadlines associated with the different operating rules.
To ensure that future transitions to updated operating rules and standard transactions are smoother than the previous move from Version 4010 to Version 5010 of the HIPAA transactions, AMA has long advocated for pre-pilot testing of future versions of the HIPAA standard transactions and operating rules prior to their adoption. Such testing is crucial to ensure minimal physician practice disruption. As a result of AMA's effective advocacy, the Centers for Medicare and Medicaid Services (CMS) awarded a grant to National Government Services to develop and pilot an end-to-end testing process through the End-to-End Testing Industry Collaborative Partner (ICP) work group, in which AMA participates. This process is intended to be used for all future operating rule and standard system updates, as well as the pending ICD-10-CM update.
The ICP over the past four months has reviewed end-to-end testing documents for use by payers, vendors and providers. Your feedback is requested on these documents. Access the CMS End-to-End Testing Web page at to provide feedback or obtain more information.
In addition, CMS has awarded a contract to Emdeon to perform pilot testing on the 6020 version of the Accredited Standards Committee X12 (ASC X12) standard transactions to determine the impact on the health care industry of moving to new standards. During this pilot testing, deficiencies and areas of potential transmission disruption will be identified and fixed prior to adoption of the next version of the standard transactions.
The adoption of a health plan identifier (HPID) was named in HIPAA in 1996. ACA now calls for HHS to implement the HPID. The deadline for using an HPID in HIPAA transactions is November 7, 2016.
On February 16, 2006, HHS published a final rule that details the procedures for imposing civil money penalties on covered entities that violate any of the HIPAA Administrative Simplification Rules, including security, privacy, transactions, and code sets. Failure to comply with the requirements will result in criminal and monetary penalties. ARRA strengthened these penalties.