HIPAA Medical Privacy Rule: Information for NC Public Agencies

 

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, made significant changes in several areas related to health care and health insurance. The provisions of the statute that received the most attention at the time of enactment related to the creation of new health insurance protections for workers who changed jobs and the modification of certain health insurance fraud and abuse enforcement tools. For example, HIPAA applied new restrictions to health insurers regarding conditioning benefits on an insured individual's preexisting conditions. Local governments, as employers, have been complying with many of these health insurance-related requirements for several years.

The subtitle of HIPAA that we are focusing on right now is entitled "Administrative Simplification," 42 U.S.C. § 1171 et seq. This subtitle includes several different provisions that require the U.S. Department of Health and Human Services (DHHS) to publish regulations relating to electronic data interchange of health information and data protection. DHHS has issued two Administrative Simplification regulations in final form (Transactions and Code Sets; Privacy) and several more are in process (Security, Provider Identifier, Plan Identifier, Employer Identifier, Claims Attachments and Enforcement).

Electronic Data Interchange (EDI) Regulations

Prior to HIPAA, the health care industry used a wide variety of different electronic formats to exchange information - primarily for billing purposes. This variety resulted in inefficiencies and increased administrative burden. The Administrative Simplification provisions of HIPAA are intended to standardize many of these electronic transactions so that health care providers and health plans will all "speak the same language," thereby reducing administrative costs.

HIPAA directs DHHS to develop several different regulations in order to achieve this standardization.

  • Transactions and code sets: The transactions and code sets regulations are at the heart of Administrative Simplification. These regulations require health plans, health care providers and health care clearinghouses to use standardized formats for several different types of administrative and financial health care transactions and communications. For example, the transactions regulation identifies standard formats for health claims and health plan eligibility verifications and enrollment. The code sets regulation identifies standard sets of codes that are used to communicate medical information, such as diagnoses or medical procedures.
  • Identifiers: HIPAA requires the development of several different unique identifiers - specifically for health plans, health care providers, employers and individuals. The individual identifier has been put "on hold" indefinitely and is not likely to be developed anytime in the near future.
  • Claims attachments: When a health plan requests additional information from a provider in support of a claim for benefits, the provider may submit an "attachment" to the claim that includes specific information about the patient's condition or treatment.

Data Protection Regulations

Recognizing that the standardization of health care transactions will make it faster and easier to share personal health information, Congress included provisions in HIPAA to protect the privacy and security of that health information. Specifically, HIPAA directs DHHS to develop two separate regulations - one relating to privacy and one relating to security.

  • Privacy: The privacy regulation provides a comprehensive framework of rules for the protection of identifiable health information in any form or medium (including paper, electronic and oral). A covered entity may only use and disclose health information as provided in the regulation and subject to all of the limitations and requirements specified in the regulation. The regulation also creates a series of new individual rights that all patients will have with respect to their health information - such as the right to a notice of privacy practices, the right to inspect, copy and amend health information and the right to a disclosure history. The privacy regulation has been finalized and most covered entities are required to comply with all of the requirements by April 2003. Small health plans must be in compliance by April 2004.
  • Security: Security means ensuring that confidential information is not disclosed inappropriately, that the integrity of the information is maintained and that the information is available when necessary. The security regulation, therefore, will require covered entities to implement a series of administrative, technical and physical safeguards for health information. The regulation will also include a new standardized electronic signature to be used with HIPAA transactions. The security regulation has been finalized and most covered entities are required to comply with the requirements by April 2005. Small health plans must be in compliance by April 2006.

This website is dedicated exclusively to the training needs of public agencies in North Carolina who are working to come into compliance with HIPAA's privacy regulation. Public agencies should consult with other resources regarding compliance with the other HIPAA regulations described above.