The Health Insurance Portability and Accountability Act of 1996 (Aug. 21), Public Law 104-191, amends the Internal Revenue Service Code of 1986. It is also known as the Kennedy-Kassebaum Act.
HIPAA calls for:
The bottom line: sweeping changes in most health care transaction and administrative information systems.
All health care organizations are affected. This includes all health care providers, even one-physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations and universities.
Broadly and deeply. Required compliance responses aren't standard, because organizations aren't. For example, an organization with a computer network will be required to implement one or more security authentication access mechanisms—user-based, role-based, and context-based access—depending on its network environment.
Effective compliance requires organization-wide implementation.
Steps include:
Specifics can, for many of us, cause more confusion than clarity. Let's try to make administrative simplification simple!
HIPAA’s administrative simplification provision is composed of four parts, each of which has generated a variety of rules and standards. All the rules and standards were made final by VVRMC by the end of 2000.
Electronic health transactions include health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.
Today health providers and plans use many different electronic formats. Implementing a national standard will mean we will all use one format, thereby simplifying and improving transaction efficiency nationwide. The proposed rule requires use of specific electronic formats developed by ANSI, the American National Standards Institute, for most transactions except claims attachments and first reports of injury. Proposed regulations for these exceptions are not yet out.
Virtually all health plans will have to adopt these standards, even if a transaction is on paper or sent by phone or fax. Providers using nonelectronic transactions are not required to adopt the standards, although if they don't, they will have to contract with a clearinghouse to provide translation services.
Health organizations also must adopt standard code sets to be used in all health transactions. For example, coding systems that describe diseases, injuries and other health problems, as well as their causes, symptoms and actions taken, must become uniform. All parties to any transaction will have to use and accept the same coding. Again, in the long run, this is intended to reduce mistakes, duplication of effort and costs. Fortunately, the code sets proposed as HIPAA standards are already used by many health plans, clearinghouses and providers, which should ease the transition.
The current system allows us to have multiple ID numbers when dealing with each other, which HIPAA sees as confusing, conducive to error and costly. It is expected that standard identifiers will reduce these problems.
The final security rule was published on Feb. 20, 2003, and provides a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual. The security standard mandates safeguards for physical storage and maintenance, transmission, and access to individual health information. It applies not only to the transactions adopted under HIPAA but to all individual health information that is maintained or transmitted. However, the electronic signature standard applies only to the transactions adopted under HIPAA.
The security standard does not require specific technology to be used; solutions will vary from business to business, depending on the needs and technology in place. Also, no transactions adopted under HIPAA currently require an electronic signature.
The final rule for privacy was published just as President Bill Clinton was leaving office, on Dec. 28, 2000. A paperwork glitch delayed notification of Congress, so the Congressional Review period didn't begin until February, pushing the effective date of the rule to April 14, 2001. HHS Secretary Tommy Thompson used the time to solicit additional comments during March. HHS received more than 11,000 comments and plans to issue guidelines and clarification of the final rule in response. Compliance will be required on April 14, 2003, for most covered entities.
In general, privacy is about who has the right to access personally identifiable health information. The rule covers all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form.
The new regulation reflects the five basic principles outlined at that time: