HIPAA Security Regulations
The "Administrative Simplification of HIPAA" is composed of four parts:
1. Electronic Health Transactions Standards
Includes health claims, health plan eligibility, enrollment, de-enrollment, payments for plan premiums, claim status, coordination of benefits, and related transactions. Health providers and plans currently use many different electronic formats. This rule requires the use of specific electronic formats developed by the American National Standards Institute for most transactions, except claims attachments and first reports of injury. All health plans will have to adopt these standards, even if a transaction is on paper or by phone or fax. Providers using non-electronic transactions are not required to adopt the standards, although if they do not, they will have to contract with a clearinghouse to provide translation services. Electronic data information ("EDI") formats are used by various payers.
HIPAA will change this practice by requiring payers to accept the following transaction standards for EDI:
- Claims/encounters, eligibility verification, enrollment, and related transactions: American National Standards Institute (ANSI)
- Pharmacy transactions: National Council for Prescription Drug Programs (NCPDP)
- Diagnoses and inpatient hospital services: International Classification of Diseases, 9th edition, Clinical Modification (ICD-9-CM). The standard will migrate to ICD-10 in 2001 or 2002, whenever the new system is ready for adoption.
- Procedures: ICD-9-CM Volume 3 and HCFA Common Procedural Coding System (HCPCS)
- Physician services: Current Procedural Terminology (CPT)
- Dental services: Current Dental Terminology (CDT)
View the new standards and code sets for electronic healthcare transactions in their entirety (Federal Register publication). The regulations can be downloaded from the Dept. of Health and Human Services' website at:
http://aspe.os.dhhs.gov/admnsimp
2. Unique Identifiers
The current system allows us to have multiple ID numbers when dealing with each other, which HIPAA sees as confusing, conducive to error and costly. It is expected that standard identifiers will reduce these problems.
The unique identifier for providers is the National Provider Identifier, which was developed by HCFA for use in the Medicare system. It will probably have 10 numeric positions with a check digit as the tenth digit. Implementation of this standard will require DHHS to establish a system to assign the identifiers, and this may be Web-based.
The health plan identifier has been drafted to apply the work that HCFA did for a Medicare PayerID to all health plans nationwide. It is expected to have 10 numeric positions with a check digit in the tenth position.
The employer identifier is based on the de facto standard, the Internal Revenue Service assigned Employer Identification Number (EIN). The EIN has nine numeric positions.
The patient identifier is on hold pending privacy legislation. This is the most controversial of the proposed identifiers. Industry experts speculate that the identifier will consist of approximately ten numeric digits with a check digit.
You can review the proposed regulations in their entirety as published in the Federal Register: National Provider Identifier: May 7, 1998
3. Security of Health Information & Electronic Signature Standards
Despite years of work by standards development organizations (SDOs), there is no recognized single standard for the security of health information that includes all of the components required by HIPAA. So, the Department of Health and Human Services (DHHS) developed a security standard with input from SDOs and business interests. Published in August 1998, this proposed standard is technology neutral and scalable to the size and complexity of healthcare organizations.
At a minimum, all health plans, clearinghouses, and healthcare providers that transmit or maintain electronic health information must conduct a risk assessment and develop a security plan to protect this information. They must also document these measures, keep them current, and train their employees on appropriate security procedures.
Read "Standards for Security and Electronic Signatures"
4. Privacy and Confidentiality
Privacy is about who has the right to access personally identifiable health/medical information. The rule covers all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form.
The Privacy standards:
- limit the non-consensual use and release of private health information.
- give patients new rights to access their medical records and to know who else has accessed them.
- restrict most disclosure of health information to the minimum needed for the intended purpose.
- establish new criminal and civil sanctions for improper use or disclosure.
- establish new requirements for access to records by researchers and others.
The five basic principles:
- Consumer Control: HIPAA provides consumers with new rights to control the release and use of their medical information.
- Boundaries: An individual's health care information should be used for health purposes only, including treatment and payment.
- Accountability: Under HIPAA, for the first time, there will be specific federal penalties if a patient's right to privacy is violated.
- Public Responsibility: The new standards reflect the need to balance privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse.
- Security: Organizations that are trusted with medical information are responsible to protect that information against deliberate or inadvertent misuse or disclosure.