HIPAA Overview and Summary

An Overview of the Health Insurance Portability and Accountability Act of 1996 (PL 104-191)

Administrative Simplification Provisions

Legislative Background - The "Kassebaum-Kennedy Act"

The Kennedy-Kassebaum Bill, H.R. 3103, was originally sponsored by Representative William Archer (R-Texas) and introduced in Congress on March 18, 1996. The original title of the Bill was the Health Coverage Availability and Affordability Act of 1996. This bill also contained Subtitle F-Administrative Simplification, which was similar but not identical in content to the final law. A major difference was a proposal to create a Health Information Advisory Committee, a 15-person committee appointed by the President and Congress. In the final version of the bill, the existing National Committee for Vital and Health Statistics (NCVHS) was chosen to advise the Secretary of DHHS.

There was a Senate amendment to H.R. 3103, titled the Health Insurance Reform Act of 1996. This amendment did not contain a section on Administrative Simplification.

The Health Coverage Availability and Affordability Act of 1996 passed the House on August 1, 1996. It quickly moved to the Senate, where it was sponsored by Senators Nancy Kassebaum (R-Kansas) and Edward Kennedy (D-Massachusetts). It passed the Senate by a nearly unanimous vote on August 2, 1996. The engrossed version of the Health Insurance Portability and Accountability Act of 1996 was presented to the President on August 9, 1996, and signed into law on August 21.

The Bill's purpose is as follows:

    To amend the Internal Revenue Code of 1986 to improve the portability and continuity of health insurance coverage in the individual and group markets, to combat fraud and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.


Definition of Terms

Part C of the legislation defines eight terms that are needed to carry out the provisions. Following are the definitions of the terms, sans "legalese":

Code set - Used for encoding data elements. Examples include tables of terms, medical concepts, medical diagnosis codes, and medical procedure codes

Health care clearinghouse - An entity that processes or helps process nonstandard data elements of health information into standard data elements

Health care provider - A provider of medical or other health services or supplies

Health information - Any oral or recorded information in any form or medium that is created or received relating to the past, present, or future health or condition of an individual or payment for the provision of health care to an individual

Health plan - An individual or group plan that provides or pays the cost of medical care, including group health plans, health insurance issuers, health maintenance organizations, Medicare, Medicaid, long-term care policies, nursing home fixed indemnity policies, employee welfare benefit plans, military health care programs, veterans' health care programs, CHAMPUS, Indian Health Services Program, and the Federal Employees Health Benefit Plan

Individually identifiable health information - Any information that is created or received by a health care provider, plan, employer, or clearinghouse that relates to the past, present, or future health or condition of an individual that identifies the individual or can be used to identify the individual.

Standard - Any data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary

Standard setting organization - An organization accredited by the American National Standards Institute to develop information transactions or data elements for health plans, clearinghouses, and/or providers

Following are the definitions of the transactions required for adoption by the Secretary. These definitions are excerpted from ANSI ASC X12 Electronic Data Interchange Standards, which was published December 1996:

Health claims or equivalent encounter information - Used to submit health care claim billing information and/or encounter information from providers to payers; can also be used to transmit health care claims and billing payment information where coordination of benefits is required

Health claims attachments - Used to communicate individual patient information requests and patient information (demographic, clinical, and other supporting data) between separate health care entities

Enrollment or disenrollment in a health plan - Used to establish communication between the sponsor of the insurance product and the payer to establish the data contents for benefit enrollment and maintenance

Eligibility for a health plan - Used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or dependent under the subscriber's policy

Health care payment and remittance advice - Used to make a payment and/or send an explanation of benefits remittance advice from a health insurer to a health care provider either directly or via a financial institution

Health plan premium payments - Used to make a payment and/or send a remittance advice, including an order to a financial institution to make a payment to a payee

Health claim status - Used by a health care payer or authorized agent to notify a provider, recipient, or authorized agent regarding the status of a health care claim or encounter or to request additional information from the provider regarding a health care claim or encounter

Referral certification and authorization - Used to transmit health care service information, such as subscriber, patient, demographic, diagnostic, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review

Coordination of benefits - Used to transmit claims and billing payment information between payers with different payment responsibilities

Other definitions are provided within the HIPAA legislation, including the following:

Unique health identifier - A standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system

Security - Reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards

Wrongful disclosure - A person who knowingly and in violation of the law uses or causes a unique identifier to be used, obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information to another person

Electronic signature - Electronic transmission and authentication of signatures

Small health plans - Status determined by the Secretary


Explanation of Regulations, Expectations, and Penalties for Non-Compliance

The Secretary of the Department of Health and Human Services must adopt standards for the following electronic transactions - health claims attachments, enrollment or disenrollment in a health plan, eligibility in a health plan, health care payment and remittance advice, health plan premium payments, first report of injury, health claim status, referral certification and authorization, and coordination of benefits. In addition, the Secretary must adopt identifier standards for providers, payers, and patients, code sets, electronic signatures, and privacy and security of health information.

The standards that are adopted must be ones that are developed by a standards development organization accredited by the American National Standards Institute or are ones that will substantially reduce administrative costs to health care providers and plans compared with existing alternatives. If a standard does not exist, then the Secretary shall consult with standards development organizations (the ones specifically named in the law are the National Uniform Billing Committee, the National Uniform Claim Committee, the Workgroup for Electronic Data Interchange, and the American Dental Association) and appropriate federal and state agencies and private organizations. Once a standard is adopted, the Secretary may review and adopt modifications to the standard, but not more frequently than once every 12 months.

After the Secretary adopts the standards, all health care providers, plans, and clearinghouses that exchange information electronically will be given until February 2000 to comply. Health plans may comply with the standard by either directly transmitting and receiving standard data elements or submitting non-standard data elements to a clearinghouse for transmission as standard data elements, and receiving standard data elements through the clearinghouse.

This law supersedes any contrary provisions of existing state laws. One example provided in the legislation is that HIPAA will supersede any state law that requires medical or health records to be maintained or transmitted in written rather than electronic format. Stringent penalties exist for non-compliance with the law, as the following chart illustrates:

| Monetary Penalty | Imprisonment Term | Offense |
| --- | --- | --- |
| $100 | N/A | Single violation of a provision |
| Up to $25,000 | N/A | Multiple violations of an identical requirement or prohibition made during a calendar year |
| Up to $50,000 | Up to one year | Wrongful disclosure of individually identifiable health information |
| Up to $100,000 | Up to five years | Wrongful disclosure of individually identifiable health information committed under false pretenses |
| Up to $250,000 | Up to 10 years | Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm |

However, there is a Failures Due to Reasonable Cause clause that states, "if the failure to comply was due to a reasonable cause and not to willful neglect," and the "Secretary determines that a person failed to comply because the person was unable to comply, the Secretary may provide technical assistance to the person. Such assistance shall be provided in any manner determined appropriate by the Secretary."


Proposed Work Plan and Timeline for Implementation

The two subcommittees of the NCVHS - the Subcommittee on Health Data Needs, Standards, and Security and the Subcommittee on Privacy and Confidentiality - met regularly in a series of public forums to assist the Secretary in the standards selection process. Hundreds of experts from the public and private sectors have given testimony and presented their views. Although the HIPAA legislation laid out a stringent timeline for standards to be adopted (by February 1998 for the Secretary, by February 2000 for the industry, and by 2001 for small plans), the process has taken longer than originally anticipated. The HHS contends that "administrative simplification . . . is a deliberate process designed to achieve consensus within HHS and across other federal departments. The process is important because the final rules will have the force of federal law. Questions and concerns within the government must be answered and resolved before the NPRM's (Notices of Proposed Rulemaking) can be published for public comment" (http://aspe.os.dhhs.gov/admnsimp).

The approach for standards adoption and implementation includes the following:

  • Identifying existing standards and performing fact finding and consultation

  • Analyzing existing standards

  • Identifying gaps and conflicts found in existing standards

  • Presenting findings to the NCVHS and the DHHS

  • Developing recommendations for standards to be adopted

  • Presenting recommendations to NCVHS and the DHHS

  • Submitting draft regulations to the Secretary of HHS, the HHS Data Council's Committee on Health Data Standards, and to the Office of Management and Budget for initial review

  • Publishing Notices of Proposed Rulemaking (NPRMs) outlining the standards in the Federal Register for 60-day public comment period

  • Analyzing comments and preparing and publishing Final Rules outlining the adopted standards in the Federal Register, which signifies adoption of the standards by the Secretary of HHS

  • Distributing adopted standards and preparing and distributing implementation guides

  • Use of the standards by most plans is mandated within 24 months after adoption by the Secretary

  • Use of the standards by small plans is mandated within 36 months after adoption by the Secretary


Ramifications for Health Care Organizations and Individuals

Before the Health Insurance Portability and Accountability Act of 1996, organizations could collect, store, and transmit health care information in whatever format they wished. They could buy off-the-shelf management information software, customize existing software, or design a completely new application tailored to their own specifications. Data field designs were left up to the individual organization, and the designs even varied in many institutions from one department to the next. For example, the billing department may have used "name" in its program while the referrals department may have used "patient name" in its program. Organizations relied heavily on clearinghouses to communicate with their trading partners, but there would still be tremendous confusion and errors due to inconsistencies in data elements, coding, and identifiers.

Even if forward-thinking organizations had already adopted standards for health care transactions, the lack of uniformity among existing standards made it difficult for communication to occur. One organization may have used an ANSI ASC X12 3041 standard while another used a 3051 standard. Even if they were using the same version of the same standard, they may have followed a different implementation guide or altered the standard through the inclusion of proprietary data elements.

HIPAA mandates that all providers, plans, and clearinghouses adhere to the same standard. At the time that this report is published, it is highly likely that the majority of standards adopted by the Secretary will be selected from the ANSI ASC X12 4010 version, with implementation guides freely distributed through Washington Publishing Company (at http://www.wpc-edi.com). It is also highly likely that the Health Care Financing Administration's National Provider Identifier (NPI) will be selected as the unique provider identifier, and HCFA's PAYERID will be selected as the unique payer identifier. No recommendations have been issued as of the writing of this paper for a national individual health identifier (it was recommended at NCVHS's meeting on November 10, 1997, that the selection of a personal health identifier should not be made until privacy legislation is in place).

What can organizations do now to prepare for compliance by 2000? A good way to start is to become as knowledgeable about HIPAA, standards, and the administrative simplification process as possible. Bookmark the Websites provided later in this paper (see the section titled Currently Available Resources for Additional HIPAA Information) and access them regularly to become familiar with the regulation and track the latest developments. All NCVHS Subcommittee meetings are open to the public as well as available at no cost in real time through live audio.

There are many opportunities for individuals and organizations to become involved at the local and national levels. The Affiliated Health Information Networks of New England project of the Massachusetts Health Data Consortium has always played a leading role in assisting organizations as they adopt standards. Even before HIPAA was signed into law, the efforts of the Affiliated Networks toward the goal of health data standardization throughout the region met with great success. Participants of the project meet with one another to understand and analyze standards, share success and "war" stories, formulate the procedures and technical strategies needed for implementation, and receive training and guidance to institute the standards at an organizational level. These efforts mean that participants in the Affiliated Networks will be among the best prepared in the nation to facilitate standards implementation.

The Massachusetts Health Data Consortium also supplies timely and relevant resources and educational opportunities about HIPAA, standards, and administrative simplification to the entire health care industry. Through the Minnesota Health Data Institute, the Consortium sponsored a series of ANSI ASC X12 EDI training seminars. These seminars, which commenced in January 1998 and will continue throughout the year, provide a general EDI overview as well as detailed tutorials on specific transactions mandated by HIPAA, such as eligibility. The Consortium's newsletter, called Health Data News, published a series of expert opinion articles looking at HIPAA from a variety of standpoints, such as provider, payer, and employer. Information about the training and the newsletter are both available on the Consortium's Website at http://www.mahealthdata.org, or interested parties can inquire at (781) 890-6040.

In October 1997, the Consortium launched a HIPAA Awareness Campaign, using its Website as a dissemination vehicle. Information from this report will be posted there. Each NPRM will be annotated and analyzed, and links will also be provided to the actual NPRMs. This Website will provide an opportunity for New England organizations to comment on the legislation and send their feedback directly to DHHS via e-mail. It is vital that the creators of the law understand the issues, concerns, and recommendations of the health information professionals who are responsible for implementation and management at the local level. The Consortium will serve as that conduit, facilitating communication between the region's participants and the federal government to ensure the following:

  • Participants have a clear understanding of the legislation and its relevant components for individual institutions

  • Specific needs can be introduced during this review period and incorporated into the final legislation

  • Users have an expedient method to find solutions to all inquiries regarding HIPAA.

National health care organizations - such as the National Association of Health Data Organizations (NAHDO - http://www.nahdo.org), Data Interchange Standards Association, Inc. (DISA - http://www.disa.org), and Healthcare Open Systems and Trials (HOST - http://www.hostnet.org) - have initiated HIPAA user groups and listserves to facilitate communication on a large-scale level. National conferences such as the one planned for April 1998, titled Step Toward Compliance: Understanding the Complexities of Administrative Simplification (sponsored by AHIMA, AMIA, CPRI, CHIM, CHIME, and HIMSS), detail exactly what the new regulations are and provide essential instructions on developing an action plan toward compliance.

Organizations need to begin planning for HIPAA compliance as soon as possible. If their systems are not EDI compatible, it would be prudent to address that issue now. Useful sources of information about EDI implementation include the following:

  • Affiliated Health Information Networks of New England EDI Business Transaction Work Group. A Guide to Implementing Electronic Data Interchange for Organizations in the Health Care Industry. (Waltham, MA: Massachusetts Health Data Consortium, 1997) - This comprehensive guide includes tutorials and work sheets on implementation planning, staffing considerations, system evaluation, work process redesign, and more. It is available at http://www.mahealthdata.org, or by contacting the Consortium at (781) 890-6040.

  • Moynihan, James J. and Marcia L. McLure, Ph.D. EDI: A Guide to Electronic Data Interchange and Electronic Commerce Applications in the Healthcare Industry. (Irwin, 1996) This guide provides a thorough look at EDI in the health care industry. The chapter titled "Organizing for EDI" discusses the development of an EDI organizational strategy, allotting resources for EDI, adopting an EDI strategy and plan, and more.

  • Join the Work Groups of the Affiliated Health Information Networks of New England. Numerous resources and presentations about electronic data interchange are shared with members throughout the year. The Massachusetts Health Data Consortium Research Library, which is available to Work Group members, contains a wealth of sources for information on health data standardization and EDI implementation.

Complying with HIPAA standards and security measures may mean changes in hardware, software, connectivity, and other technical approaches for health care organizations. Organizations will want to work closely with their vendors to determine what the vendors' strategies are for HIPAA implementation. It will be easier and more worthwhile to work with vendors whose products are already compatible with the standards that are most likely to be adopted by the Secretary than those that are producing their own data formats. Top-notch consultants who specialize in standards for EDI can ease the integration process as well.

A two-year timetable for compliance provides ample time for entities to reengineer their systems and train their staff, if their approach is well organized, realistic, and thorough. The DHHS intends to supply the necessary technical guidance that organizations will need to comply with the law. There will be challenges ahead: technical, financial, and societal, but none of the barriers will be insurmountable. Through careful planning and ongoing liaisons and communication with groups like the Affiliated Health Information Networks of New England that facilitate HIPAA compliance, every provider, payer, and other health care entity that communicates electronically will be able to profit from the enormous benefits of administrative simplification.