|
HIPAABridge® |
|
The HIPAA Compliant Transaction Bridge for 837 Professional Claims |
|
 |
|
|
What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability & Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring improved efficiency in health care delivery by standardizing electronic data interchange, code sets, and protection of confidentiality and security of health data by setting and enforcing standards.
|
|
| |
|
|
|
|
|
|
More specifically, HIPAA called upon the Department of Health and Human Services (DHHS) to publish new rules that will ensure standardization of electronic patient health, administrative and financial data. These new rules must also address unique health identifiers for individuals, employers, health plans and health care providers. Security standards protecting the confidentiality and integrity of "individually identifiable health information" past, present or future were also are requirement. The bottom line is sweeping changes in most health care transaction and administrative information systems.
Who is affected?
Virtually all health care organizations – including all health care providers, health plans, public health authorities, health care clearinghouses, and self-ensured employers – as well as life insurers, information systems vendors, various service organizations, and universities.
Are there penalties for non-compliance?
HIPAA calls for severe civil and criminal penalties for non-compliance, including fines up to $25K for multiple violations of the same standard in a calendar year and fines up to $250K and/or imprisonment up to 10 years for malicious misuse of individually identifiable health information.
What are the compliance deadlines?
Most entities have 24 months from the effective date of the final rules to achieve compliance. Normally, the effective date is 60 days after a rule is published. The Transactions Rule was published on August 17, 2000; the compliance date for that rule is October 16, 2003. The Privacy Rule was published on December 28, 2000, but due to a minor glitch didn't become effective until April 14, 2001. Compliance with the Privacy Rule was required as of April 14, 2003. The final Security Rule was published April 21, 2003, with compliance required as of April 21, 2005. The final Standard Unique Employer Identifier was published on May 31, 2002. Compliance is required by July 30, 2004. Final standards for Provider and Health Plan Identifiers have not yet been published.
The Rules under HIPAA
HIPAA's Administrative Simplification provision is composed of four parts, each of which have generated a variety of rules promulgated by the Department of Health and Human Services. The four categories of Administrative Simplification are Electronic Transaction Standards, Unique Identifiers Standards, Security Standards and Privacy Standards.
Electronic Transaction Standards
The term Electronic Transaction includes health claims, health plan eligibility, enrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and other related transactions. In the past, health care providers and plans have used many different electronic formats to transact medical claims and related business. Implementing a national standard is intended to result in the use of only one format, thereby simplifying and improving transaction efficiency nationwide. Virtually all health plans must adopt these standards. Providers using non-electronic transactions are not required to adopt the standards for use with commercial health care payers. However, electronic transactions are required by Medicare, and all Medicare providers must adopt the standards for these transactions. If they don't, they will have to contract with a clearinghouse to provide translation services. Health care organizations also must adopt standard code sets to be used in all health care transactions. For example, coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms and actions taken must become uniform. All parties to any transaction will have to use and accept the same coding, for the purpose of reducing errors and duplication of effort. Fortunately, the code sets proposed as HIPAA standards are already used by many health plans, clearinghouses and providers, which should ease transition to them.
Unique Identifiers Standards for Providers, Employers, and Health Care Plans
In the past, health care organizations have used multiple identification formats when conducting business with each other – a confusing, error-prone and costly approach. It is expected that standard identifiers will reduce these problems. The Employer Identifer Standard, published in 2002, adopts an employer's tax ID number or employer identification number (EIN) as the standard for electronic transactions. Final standards for Provider and Health Plan identifiers have not yet been published.
Security Standards
The final Security Rule was published on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual. The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic
Protected Health Information (ePHI) the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce. Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. The Security Standard is intended to be scalable; in other words, it does not require specific technologies to be used. Covered entities may elect solutions that are appropriate to their operations, as long as the selected solutions are supported by a thorough security assessment and risk analysis.
Privacy Standards
The Privacy Rule is intended to protect the privacy of all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. The rule establishes the first “set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care”.
The Privacy Standards:
- Give patients new rights to access their medical records, restrict access by others, request changes, and to learn how they have been accessed
- Restrict most disclosures of protected health information to the minimum needed for health care treatment and business operations
- Provide that all patients are formally notified of covered entities' privacy practices,
- Enable patients to decide if they will authorize disclosure of their protected health information (PHI) for uses other than treatment or health care business operations
- Establish new criminal and civil sanctions for improper use or disclosure of PHI
- Establish new requirements for access to records by researchers and others
- Establish business agreements between business partners that safeguard their use and disclosure of PHI.
- Implement a comprehensive compliance program, including
- Conducting an impact assessment to determine gaps between existing information practices and policies and HIPAA requirements
- Reviewing functions and activities of the organization's business partners to determine where Business Associate Agreements are required
- Developing and implementing enterprise-wise privacy policies and procedures to implement the Rule
- Assigning a Privacy officer to administer the organizational privacy program and enforce compliance
- Training all members of the workforce on HIPAA and organizational privacy policies
- Updating systems to ensure they provide adequate protection of patient data
HIPAA Related Links
American Medical Association - HIPAA Issues
CAL HIPAA - America's HIPAA Place
Center for Medicare & Medicaid Services (CMS)
Data Interchange Standards Association
Department of Health and Human Services
HIPAAComplete
The HIPAAdvisory
Washington Publishing Company
Workgroup for Electronic Data Interchange
|
|
|
medical, billing, health care, healthcare, hipaa, hipaa compliant, edi, electronic data interchange |
|
|
medical, billing, health care, healthcare, hipaa, hipaa compliant, edi, electronic data interchange |
|
|
This site is owned and operated by MedSystems Architects |
|
Copyright 2008 MedSystems Architects. All Rights Reserved |
|
|
|
