Wednesday, March 06, 2013
How well do you understand HIPAA? Do you need to learn more about it?
HIPAA is usually thought of as a patient privacy law and an electronic patient information security law, when in fact it comprises a set of regulations published by the federal government that tell the health care industry how to comply with the Act. HIPAA began as an effort to make health insurance benefits portable for individuals who were no longer employed by a company providing group health insurance, hence the acronym: the Health Insurance Portability and Accountability Act.
HIPAA was enacted on August 21, 1996. Title I protects health insurance coverage for workers and their families when they change or lose jobs. Title II, the Administrative Simplification provisions, required the adoption of national standards for electronic health care transactions and of national identifiers for employers, providers and health plans.
The Administrative Simplification (AS) provisions also require the protection, security and privacy of health data: individually identifiable health information (IIHI), which becomes protected health information (PHI) once a covered entity holds or transmits it. The national standards are meant to improve the efficiency and effectiveness of the health care system by promoting the widespread use of Electronic Data Interchange (EDI) throughout it.
Title I of HIPAA regulates the availability and breadth of group health plans and certain individual health insurance policies, and limits the restrictions plans may place on preexisting conditions. Title II is geared toward the policies, procedures and guidelines that covered entities must implement to maintain and secure PHI. Title II also defines offenses and the associated civil and criminal penalties (which can be substantial) for failure to comply with the regulations. Title II is discussed in more detail below, with emphasis on the Privacy Rule, Security Rule, Electronic Transactions Rule, Code Sets Rule and Unique Identifiers Rule.
The Privacy Rule protects patients’ medical and health information and gives individuals more control over the use and disclosure of PHI stored or transmitted by covered entities. Covered entities are health care providers that conduct certain transactions electronically, health plans (including insurers and employer-sponsored plans) and health care clearinghouses (third-party processors and administrators). The Privacy Rule also reaches business associates: people or organizations that perform functions or services on behalf of a covered entity that involve the use or disclosure of PHI. A covered entity may disclose PHI for treatment, payment or health care operations without the patient’s express written authorization. Most other disclosures of PHI require the covered entity to obtain the individual’s written authorization; the main exceptions are disclosures the Rule itself permits or requires, such as those required by law.
Whenever a covered entity uses or discloses PHI, it must make a reasonable effort to limit the information to the minimum necessary to accomplish the intended purpose.
• The Privacy Rule gives individuals the right to request that a covered entity amend inaccurate or incomplete PHI.
• The Privacy Rule requires covered entities to give individuals a notice of how their PHI may be used and disclosed.
• An individual who believes the Privacy Rule has been violated can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).
The Security Rule complements the Privacy Rule by specifically targeting electronic protected health information (ePHI). It requires three categories of safeguards: administrative, physical and technical. For each category the Security Rule identifies security standards, and for each standard it lists implementation specifications that are either required or addressable. Required specifications must be adopted and administered as the Rule spells out. Addressable specifications are more flexible, but they are not optional: a covered entity assesses whether the specification is reasonable and appropriate for its environment and then implements it, implements an equivalent alternative, or documents why neither is needed. The safeguards are described as:
• Administrative – policies and procedures that show how the entity will comply with the Rule, starting with a risk analysis and including workforce training and sanctions
• Physical – controls on physical access to facilities, workstations and media to protect against inappropriate access to protected data
• Technical – access controls on the systems that hold ePHI, audit and integrity controls, and transmission security (such as encryption) so that ePHI sent over open networks cannot be read by anyone other than the intended recipient
Electronic Transactions Rule
HIPAA aims to make the US health care system more efficient by introducing and requiring standardized transactions. “Transactions” are defined as electronic exchanges of information between two parties to carry out financial or administrative activities. Under HIPAA, health plans and providers that elect to conduct these activities electronically must use the designated standard formats (the ASC X12N implementation guides) for certain administrative transactions, known as covered transactions. Providers and health plans are also required to use designated standard code sets for diagnoses, procedures, drugs and biologics. Some of the standard transactions include:
• EDI Benefit Enrollment and Maintenance Transaction Set (834)
• EDI Health Care Claim Payment/Advice Transaction Set (835)
• EDI Health Care Claim Transaction Set (837)
• EDI Payroll Deducted and Other Group Premium Payment for Insurance Products (820)
• EDI Health Care Eligibility/Benefit Inquiry (270)
• EDI Health Care Eligibility/Benefit Response (271)
• EDI Health Care Claim Status Request (276)
• EDI Health Care Claim Status Notification (277)
• EDI Health Care Services Review Information (278)
• EDI Functional Acknowledgment Transaction Set (997); for version 5010 transactions the Implementation Acknowledgment (999) is used in its place
Code Sets Rule
HIPAA requires the use of designated standard code sets, which are a major component of every standard transaction; together they are referred to as the transactions and code sets (TCS) standards. The TCS standards standardize the electronic exchange of patient-identifiable, health-related information and apply to the EDI transactions commonly used in billing, medical practice, third-party processing, referral services and benefits coordination. Below are examples of the designated code sets:
• International Classification of Diseases, Ninth Edition, Clinical Modification (ICD-9-CM) – used for diagnoses and hospital inpatient procedures; scheduled to be replaced by ICD-10-CM (diagnoses) and ICD-10-PCS (inpatient procedures)
• Current Procedural Terminology, 4th Edition (CPT-4) and the Healthcare Common Procedure Coding System (HCPCS) – used for physician services, physical and occupational therapy services, radiology procedures, clinical laboratory tests, other medical diagnostic procedures, hearing and vision services and transportation services
• HCPCS Level II – used for supplies and equipment, including medical supplies, orthotic and prosthetic devices and durable medical equipment; also used for drugs and biologics
• Current Dental Terminology, 2nd Edition (CDT-2) – used for dental services
Unique Identifiers Rule
An important part of HIPAA is the standardization of identifiers. Today many different identifiers are in use, which makes it hard to link health care records across care settings and health plans. For example, a patient is assigned a different medical record number, account number or member number by every physician, hospital, home health agency, pharmacy, equipment supplier or health plan that serves that patient. Providers likewise have multiple identifiers, usually one for every health plan or organization they do business with.
To make it easier to share health care information electronically, HIPAA mandates unique identifiers for four groups:
• Health Plans
• Health Care Providers (the National Provider Identifier, described below)
• Employers (the Employer Identification Number)
• Individuals (a unique patient identifier has not been adopted, and Congress has barred funding for one)
National Provider Identifier
The Administrative Simplification provisions of HIPAA mandated the adoption of a standard unique identifier for health care providers. The National Plan and Provider Enumeration System (NPPES) collects identifying information on health care providers and assigns each a unique National Provider Identifier (NPI).
HIPAA covered entities (providers that conduct standard transactions electronically, health care clearinghouses and health plans) must use only the NPI to identify covered health care providers in standard transactions.
Every covered provider that bills electronically (individual practitioners, medical facilities and so forth) must obtain an NPI, and every covered entity, including health plans, must use it rather than any legacy number. The NPI replaces the provider identifiers previously issued by health insurers, Medicare, Medicaid and other government programs. It does not, however, replace a provider’s DEA number, state license number or TIN. The NPI is ten numeric digits, with the last digit being a check digit computed with the Luhn algorithm over the first nine digits prefixed with the card-issuer identifier 80840, so an NPI can be checked for typos before a transaction is sent. The NPI carries no embedded intelligence; it is simply a number with no meaning of its own. An NPI is unique and national and is never reused. An individual provider has exactly one NPI; an organization may obtain additional NPIs for distinct “subparts” such as a free-standing cancer center or rehab facility.
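As an added example (not code from the original post), here is a small Python script that validates NPIs the way a clearinghouse or practice-management system should before placing them in an 837 claim: it recomputes the Luhn check digit over the nine leading digits prefixed with 80840, the card-issuer identifier CMS specifies for NPIs, and then scans the NM1 segments of an X12 fragment for provider identifiers (qualifier XX in NM108). The 837 fragment, the clinic and provider names and every NPI except CMS’s own documented example 1234567893 are constructed for illustration.

```python
"""Validate National Provider Identifiers (NPIs) and find them in X12 837 data.

Added example, not code from the original post. An NPI is ten numeric digits
whose last digit is a Luhn check digit computed over the nine leading digits
prefixed with the card-issuer identifier 80840 (CMS "NPI Check Digit"
specification). The X12 sample and the NPIs other than 1234567893 (the example
CMS itself uses) are constructed for illustration.
"""
import re
from typing import List, Tuple

NPI_PREFIX = "80840"                      # card-issuer prefix CMS assigns to NPIs
_NPI_RE = re.compile(r"[0-9]{10}")        # exactly ten ASCII digits


def luhn_sum(digits: str) -> int:
    """Luhn sum of a payload that will have a check digit appended to it.

    Walking from the right, the rightmost payload digit is doubled (because the
    check digit, once appended, will occupy the undoubled rightmost position),
    and any doubled value above 9 has 9 subtracted.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base9: str) -> str:
    """Return the check digit for a nine-digit NPI base."""
    if not re.fullmatch(r"[0-9]{9}", base9):
        raise ValueError("NPI base must be exactly nine digits")
    return str((10 - luhn_sum(NPI_PREFIX + base9) % 10) % 10)


def is_valid_npi(npi: str) -> bool:
    """True if npi is ten digits and its last digit matches the Luhn check digit.

    Anything non-numeric or of the wrong length is rejected outright rather than
    raising, so this can be used as a filter over untrusted input.
    """
    if not _NPI_RE.fullmatch(npi):
        return False
    return npi_check_digit(npi[:9]) == npi[9]


def npis_in_837(x12: str) -> List[Tuple[str, bool]]:
    """List every NPI referenced in NM1 segments of an X12 fragment with its validity.

    NM108 (element index 8) holds the identification code qualifier; XX means the
    value in NM109 (index 9) is an NPI. Assumes the default delimiters: '*'
    between elements and '~' ending each segment.
    """
    found = []
    for segment in x12.split("~"):
        elems = segment.strip().split("*")
        if elems[0] == "NM1" and len(elems) >= 10 and elems[8] == "XX":
            found.append((elems[9], is_valid_npi(elems[9])))
    return found


# Constructed 837 fragment: billing provider with a valid NPI, rendering provider
# with a mistyped NPI, and a subscriber identified by a member ID (qualifier MI).
SAMPLE_837 = (
    "NM1*85*2*EXAMPLE CLINIC*****XX*1234567893~"
    "NM1*82*1*DOE*JANE****XX*1234567890~"
    "NM1*IL*1*SMITH*JOHN****MI*ABC123456789~"
)


if __name__ == "__main__":
    for npi, ok in npis_in_837(SAMPLE_837):
        status = "ok" if ok else "BAD CHECK DIGIT"
        print(f"{npi}: {status}")
```

A failed check digit almost always means a transcription error rather than a forged identifier, so a sending system should reject the claim before transmission; the receiving side should still treat the NPI as untrusted input and resolve it against NPPES rather than assume a well-formed number belongs to the named provider.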
If you’d like to learn more about how understanding HIPAA can help you manage your EDI, give us a call.