The Health Insurance Portability and Accountability Act (HIPAA)
Privacy regulation adopted under HIPAA imposed substantial burdens on all sectors of the healthcare industry, healthcare providers, health plans and healthcare clearinghouses. Congress implicitly set the framework for the development of privacy and security regulations. The key provisions of the Administrative Simplification provisions of HIPAA (the Act) are:
Definitions. The definitions of the Act identify the scope of the Act's coverage and provide a focal point for the regulation of medical privacy.
Requirements for the Adoption of Standards. The Act identifies the types of transactions that must be standardized and the requirements for unique health identifiers.
Security Standards for Health Information. Incidental to the development of technical standards, HIPAA requires the Secretary of HHS to adopt security standards "to ensure the integrity and confidentiality of any [protected health] information." The Act also called for the development of standards for "electronic transmission and authentication of signatures with respect to the standard transactions."
Penalties. The Act originally distinguished between general failures to comply with the Act and the "wrongful disclosure of individually identifiable health information." In the HITECH Act of 2009, Congress increased penalties and established a three-tiered approach that distinguishes among "unknowing" violations, violations with "reasonable cause," and "willful neglect." The latter is punishable by fines up to $250,000.00 and 10 years in prison.
Privacy. The Act requires the Secretary of HHS to recommend to Congress standards with respect to the privacy of individually identifiable health information within 12 months. Thereafter, if Congress failed to enact privacy legislation within three years of passage of the Act, the Secretary of HHS would be obligated to promulgate final regulations within the next six months.
The foundation for implementation of the Administrative Simplification provisions of HIPAA is the set of standard formats and codes for transactions that are common elements of EDI (i.e., Electronic Data Interchange) healthcare claim and payment systems. EDI using a standard format between "trading partners" can substantially reduce the cost of processing health claims and eliminate inefficiencies associated with paper transactions. HIPAA mandated standards for a variety of transactions common to the processing of health claims. Those transactions, and an additional standard transaction adopted by HHS, include the following:
Health claims or equivalent encounter information (837).
Eligibility for a health plan (270).
Referral certification and authorization (278).
Health claim status inquiry (276).
Enrollment and dis-enrollment in a health plan (834).
Health plan premium payments (820).
Coordination of Benefits.
Medicaid Pharmacy Subrogation.
First Injury Report.
Health claims attachments.
HIPAA also adopted specific code sets for diagnoses and procedures to be used in all transactions. The HCPCS (Ancillary Services/Procedures), CPT-4 (Physician Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and Hospital Inpatient Procedures), ICD-10 (as of October 01, 2013) and NDC (National Drug Codes), codes with which providers and health plans have become familiar over the years, were adopted as the code sets for procedures, diagnoses, and drugs. Finally, HIPAA adopted standards for unique identifiers for Employers and Providers, which must also be used in all transactions, as required by the standards.
All "covered entities" must comply with HIPAA. Covered entities include private sector health plans, such as managed care organizations and self-insured ERISA health and welfare plans and government health plans, healthcare clearinghouses, and healthcare providers that choose to submit or receive any of these transactions electronically.
Kolah Law, P.C. has experience in dealing with the many complex issues relating to and arising out of HIPAA. Please call for a consultation today.