The Health Insurance Portability and Accountability Act
(HIPAA) is better known as Kassebaum-Kennedy, after the two senators who
spearheaded the bill. Passed in 1996 to help people buy and keep health
insurance, even when they have serious health conditions, the law sets basic
requirements that health plans must meet. Because states can modify and expand
upon these provisions, and have done so, consumers' protections vary from state
to state.
Within 18 months of enactment, the Secretary of HHS is required to adopt
standards from among those already approved by private standards developing
organizations for certain electronic health transactions, including claims,
enrollment, eligibility, payment, and coordination of benefits. These standards
also must address the security of electronic health information systems.
Providers and health plans are required to use the standards for the specified
electronic transactions 24 months after they are adopted. Plans and providers
may comply directly, or may use a health care clearinghouse. Certain health
plans, in particular workers' compensation, are not covered.
The Secretary is required to recommend privacy standards for health information
to Congress 12 months after enactment. If Congress does not enact privacy
legislation within 3 years of enactment, the Secretary shall promulgate privacy
regulations for individually identifiable electronic health information.
The bill supersedes state laws, except where the Secretary determines that the
State law is necessary to prevent fraud and abuse, to ensure appropriate state
regulation of insurance or health plans, or for other purposes, or that it
addresses controlled substances. If the Secretary promulgates privacy regulations, those
regulations do not pre-empt state laws that impose more stringent requirements.
These provisions do not limit a State's ability to require health plan
reporting or audits.
The bill imposes civil money penalties and imprisonment for certain violations.