HIPAA For Healthcare Providers
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has had a significant impact on many aspects of the healthcare industry. HIPAA was initially best known for its provisions related to the portability of health insurance and expanded resources for Medicare fraud and abuse enforcement. In 2002, however, attention turned to another portion of the law, the Administrative Simplification section, that focuses on improving the efficiency of financial and administrative processes in healthcare.
The intent of the Administrative Simplification provisions is to reduce costs and burdens in healthcare by requiring the use of standardized formats and codes for administrative and financial transactions transmitted electronically. The provisions also mandated the development of security and privacy standards to protect the confidentiality of healthcare information.
The Department of Health and Human Services (HHS) was charged under HIPAA with drafting the standards for electronic transactions and security. When Congress failed to meet a self-imposed deadline to enact privacy standards, this task also fell to HHS.
The promulgation of the HIPAA regulations has been a slow process, with HHS taking the time to work collaboratively with the healthcare industry and solicit diverse input about the goals and impact of the regulations. Many providers have been taking a "wait and see" approach, hoping for absolute certainty about all of the final requirements before investing any resources in HIPAA readiness. Several of the regulations are now final, however, and the compliance clock is ticking. Even though the requirements will continue to evolve, healthcare providers should be actively engaged in HIPAA implementation now.
Who is Covered by HIPAA?
Entities subject to the HIPAA regulations ("Covered Entities") are:
- Health plans
- Healthcare clearinghouses
- Healthcare providers who transmit covered transactions in electronic form (or who use another entity to transmit transactions electronically on their behalf)
Almost all providers are Covered Entities under HIPAA, either because they submit electronic transactions directly, or because they use a clearinghouse or billing service to translate and submit transactions for them.
Core HIPAA Components
HIPAA called for HHS to issue regulations in four key areas: electronic transactions and code sets, standard identifiers, security, and privacy.
- Electronic Transactions and Code Sets
Currently, hundreds of different formats are used to submit and pay claims, do health plan enrollments, check claims status, and conduct other basic healthcare administrative transactions. Under HIPAA, a single national standard format is adopted for each of these transactions, and all parties must use it.
Uniform codes for the data elements included in healthcare transactions have also been issued under HIPAA. All parties to electronic transactions will have to use and accept (either directly or through a clearinghouse) the same coding systems to document medical conditions, their cause, and the treatment provided. The codes adopted by HHS are already in common use, which should help ease the transition to the new transaction requirements.
Format standards for eight transactions have been finalized. Providers who submit these transactions electronically must either be in compliance with these standards by October 16, 2002, or submit a compliance plan to HHS detailing how they will come into compliance by October 16, 2003.
The regulations designating the standard code sets are also final; their use in electronic transactions must also be achieved by October 16, 2002, or October 16, 2003, depending on whether a compliance plan has been submitted.
- Standard Identifiers
A standard identification system will be created under HIPAA to identify healthcare providers, payers, employers, and patients. The IRS Employer Identification Number (EIN) has been adopted as the identifier for employers. A final rule has been issued for development and implementation of the provider identifier, the National Provider Identifier (NPI). No proposals have yet been issued for standard identifiers for health plans or patients.
- Security of Health Information
The Security standards are intended to ensure the integrity, confidentiality, and appropriate availability of electronic protected health information. They call for administrative, physical, and technical safeguards and delineate implementation specifications for each. The standards do not, however, require specific technologies to be used. They are intended to be scalable and allow providers to tailor their security safeguards to their own unique needs and technical capabilities. Note that each implementation specification is designated either "required" or "addressable"; an addressable specification is not optional. A Covered Entity must implement it, implement an equivalent alternative measure, or document why it is not reasonable and appropriate in that entity's environment, and that decision must rest on a documented risk analysis.
HHS published the final Security regulations in February 2003. Compliance is required by April 2005 (April 2006 for small health plans).
- Privacy of Health Information
The Privacy standards define who has access to personally identifiable health information and the purposes for which such information can appropriately be used. They establish new federal rights for patients to access their health information and control how it is used. The rules also create several administrative requirements for healthcare providers to enhance privacy protections. The Privacy regulations establish a new federal floor of protection; individual states may impose stricter requirements.
Like the Security regulations, the methods used to implement the Privacy regulations are intended to be scalable and tailored to each unique healthcare setting.
HHS has issued final privacy regulations. Compliance is required by April 14, 2003 (April 14, 2004 for small health plans).
Penalties for Noncompliance
The language of the HIPAA law and regulations suggests that HHS will focus on providing compliance assistance, rather than on heavy enforcement activities. However, the law does provide for both civil and criminal sanctions for noncompliance.
Civil fines of up to $100 per violation, with an annual maximum of $25,000 for violations of the same requirement, may be imposed.
Criminal penalties for violations related to using or disclosing individually identifiable health information may be as high as $250,000 and 10 years in prison if the violation occurred with the intent to use the information for commercial advantage, personal gain, or malicious harm.
Benefits
HIPAA readiness will require up-front investment and organization-wide involvement for most healthcare providers. The benefits of HIPAA implementation, however, will be great. The Transaction and Code Set standards will lead to more efficient handling of transactions and, in turn:
- Significant administrative cost savings
- Improved productivity
- Improved data accuracy due to one-time data entry
- Shorter revenue cycle time
Implementation of the Security and Privacy regulations will contribute to:
- Improved integrity of patient information
- More consistent availability of patient information at the time of need
- Improved patient trust in the confidentiality of their health information
- Reduced risk of lawsuits or administrative sanctions for breaches of patient confidentiality
Revised: March 2004