HIPAA Administrative Simplification Regulations Explained

With “simplification” right there in the title, you’d think that HIPAA’s Administrative Simplification Regulations would be easy to understand. Instead, you get over a hundred pages of legalese that are so dense that they are impenetrable to many people.
Below, we’ll introduce you to HIPAA and each of its administrative simplification provisions to help you get a handle on this complex legislation.
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The Health Insurance Portability and Accountability Act, better known as HIPAA, was passed in 1996 to address several separate issues within U.S. health insurance.
HIPAA has five titles. Title I sets forth the HIPAA compliance requirements for Health Care Access, Portability, and Renewability. Among other things, it protects individuals from losing or being denied coverage due to job changes and preexisting conditions. Title III regulates pre-tax medical spending accounts, Title IV regulates group health plan coverage, and Title V regulates company-owned life insurance policies.
However, Title II has the provisions that most people think of when they say “HIPAA” – the administrative simplification regulations. It was designed to address problems that developed as medical billing became an electronic process, and these are the provisions we’ll focus on below.
HIPAA ADMINISTRATIVE SIMPLIFICATION REGULATIONS
Despite the name, HIPAA’s Administrative Simplification Regulations actually contain two components: administrative simplification and healthcare data protection.
The administrative simplification provisions are intended to standardize electronic billing across the industry and reduce the cost of administration, but also to prevent fraud and abuse.
The healthcare data protection provisions address privacy and security issues for protected health information (PHI).
TRANSACTION AND OPERATING RULES PROVISIONS
HIPAA’s Administrative Simplification Regulations standardize all electronic exchanges of information between two parties that carry out financial or administrative activities related to healthcare.
The goal is to ensure that all industry-wide transaction records contain the same information in the same way, including:
- Payment and remittance advice
- Claim status
- Eligibility
- Coordination of benefits
- Claims and encounter information
- Enrollment and disenrollment
- Referrals and authorizations
- Premium payments
The adopted transaction format is Accredited Standards Committee (ASC) X12 version 5010, though certain pharmacy transactions use the National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard (version D.0) instead.
There are also specific operating rules for each type of transaction to make the exchange of information more predictable and consistent across a wide range of existing technologies. These operating rules are authored by the Council for Affordable Quality Healthcare’s Committee on Operating Rules for Information Exchange (CAQH CORE).
CODE SET PROVISIONS
HIPAA also standardizes all sorts of medical information – some of which can be incredibly complex – under specific code sets to ensure everyone is on the same page about a patient’s history and treatment.
There are various code sets to classify medical information like diagnoses, procedures, diagnostic tests, treatments, and the medical equipment, supplies, and medications involved.
Uniform code sets under HIPAA include:
- International Classification of Diseases (ICD) for diagnoses and medical conditions
- Current Procedural Terminology (CPT) for medical procedures and services
- Healthcare Common Procedure Coding System (HCPCS) for items, supplies, and services not covered by CPT
- National Drug Codes (NDC) to specify medications and drugs
- Code on Dental Procedures and Nomenclature (CDT), specific to dental offices
UNIQUE IDENTIFIER PROVISIONS
To ensure that employers, health plans, healthcare providers, and other parties to a transaction are always identifiable, HIPAA imposes a set of unique identifiers.
This includes:
- Employer Identification Numbers (EIN)
- National Provider Identifiers (NPI)
- Health Plan Identifier (HPID), adopted in 2012 but rescinded by HHS in 2019
- Other Entity Identifier (OEID), rescinded together with the HPID in 2019
These identifying numbers must remain unchanged even when other identifying information changes, like the name or address of the entity.
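Because identifiers like the NPI flow through every claim and eligibility transaction, anything that ingests them should validate them at the boundary rather than trust the sender. The check below is an added example and is not code from the original article: it uses the NPI check-digit rule (the Luhn formula computed over the nine payload digits prefixed with the constant "80840"), which is a fact about NPIs that the article itself does not state. The sample identifiers are constructed for the example; 1234567893 is the worked example CMS uses in its own check-digit instructions.

```python
"""Validate National Provider Identifier (NPI) check digits.

Added example, not part of the original article. An NPI is a 10-digit
number whose last digit is a Luhn check digit computed over the first
nine digits prefixed with the constant "80840".
"""

NPI_PREFIX = "80840"  # prefix applied before computing the check digit


def luhn_check_digit(digits: str) -> int:
    """Return the Luhn check digit that would follow ``digits``."""
    total = 0
    # Walk from the rightmost payload digit. It is doubled because the
    # check digit, which is never doubled, will sit to its right.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def compute_npi_check_digit(first_nine: str) -> int:
    """Check digit for a 9-digit NPI payload (raises on bad input)."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI payload must be exactly 9 digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True if ``npi`` is exactly 10 digits with a correct check digit.

    A transposed or mistyped digit changes the expected check digit, so a
    single-digit error or an adjacent swap is caught here before the
    identifier is stored or sent onward.
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    return compute_npi_check_digit(npi[:9]) == int(npi[9])


def find_invalid_npis(npis):
    """Screen a batch of identifiers (for example, those pulled from an
    inbound claims file) and return the ones that fail validation."""
    return [n for n in npis if not is_valid_npi(n)]


# Constructed sample batch: two well-formed NPIs, one with two digits
# swapped, one too short, and one containing a non-digit.
SAMPLE_NPIS = [
    "1234567893",  # CMS worked example, valid
    "9876543213",  # valid
    "1234567839",  # last two digits transposed, check digit fails
    "123456789",   # nine digits only
    "12345678X3",  # non-digit character
]

if __name__ == "__main__":
    for npi in SAMPLE_NPIS:
        print(npi, "valid" if is_valid_npi(npi) else "INVALID")
    print("rejected:", find_invalid_npis(SAMPLE_NPIS))
```

The check digit only detects transcription errors; it says nothing about whether the NPI is actually registered or belongs to the provider named on the claim, which still has to be confirmed against the NPPES registry or your own provider master data.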
PRIVACY RULE
The HIPAA Privacy Rule imposes restrictions on the sharing of Protected Health Information (PHI), including:
- Name
- Address
- Birth date
- Social security number
- Physical or mental health conditions
Obviously, the point of electronic health records is the sharing of PHI, but Privacy Rule compliance is about only sharing that information when and how HIPAA allows it.
In most cases, an individual’s permission is required for disclosure, whether that means sharing information with another provider or relaying that information to a patient’s friends or family.
There are twelve exceptions to the HIPAA Privacy Rule where permission for disclosure is not required, but there are conditions and limitations on each.
HIPAA’s Privacy Rule also gives individuals a right of access to their own information.
SECURITY RULE
While the Privacy Rule dictates how PHI can be shared within and by a covered entity, the Security Rule is about protecting PHI in electronic form from being exposed to anyone who should not have it, whether an outside attacker or an employee’s family member reading over their shoulder.
The Security Rule requires covered entities and their business associates to safeguard the confidentiality, integrity, and availability of electronic PHI (or ePHI) with reasonable and appropriate administrative, physical, and technical safeguards. They are required to perform a risk analysis and to identify and address reasonably anticipated threats to the security and integrity of that information. This is why much of the Security Rule’s implementation falls to IT departments and technology business associates, who must plan for attacks on the systems and databases that hold ePHI.
However, the Security Rule also requires protection against reasonably anticipated uses or disclosures of ePHI that the Privacy Rule does not permit, and here implementation means that every employee with PHI access must be trained in security awareness and the best practices for HIPAA compliance.
ENFORCEMENT RULE
Regulations are just words on paper without someone to enforce them, which is why the HIPAA Enforcement Rule exists. These provisions dictate what happens when the privacy or security of PHI is violated.
Penalties depend on the type and extent of the violation. The Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) can impose civil penalties, and other consequences follow from criminal prosecution, employers, and state licensing boards:
- Civil penalties, tiered from a base of $100 per violation for a person or organization that did not know it was violating HIPAA up to $50,000 per violation for willful neglect that is not corrected, with annual caps per violation type (the dollar amounts are adjusted for inflation each year).
- Criminal penalties, prosecuted by the Department of Justice rather than OCR, including up to 10 years in prison when PHI is knowingly obtained or disclosed for personal gain, commercial advantage, or malicious harm.
- Termination of employment, imposed by the employer.
- Medical license revocation, imposed by the relevant state licensing board.
HIPAA itself gives patients no private right of action, but in some cases patients can sue under state privacy, negligence, or breach-of-confidentiality laws after a HIPAA violation.
STAY COMPLIANT WITH ONLINE HIPAA TRAINING
In order to ensure that both Security and Privacy Rule compliance is understood and taken seriously within covered organizations, HIPAA requires that every workforce member with access to PHI be trained on the organization’s privacy and security policies, with periodic reminders and retraining as those policies change; annual refresher training is the widely adopted way to meet that obligation. Reading a blog article doesn’t cut it – you need a formal course that checks your knowledge and comprehension.
Our online HIPAA courses are convenient, mobile-friendly, and self-paced. We have options targeted toward specific roles in the healthcare field, ranging from healthcare workers to business associates, call centers, and sales or service professionals. This ensures that your training is tailored toward your job and duties.