
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Glossary of HIPAA Terms

Off-site link to the Centers for Medicaid and Medicare Services (CMS), a Federal agency within the U.S. Department of Health and Human Services. (The CMS HIPAA glossary should not be considered a legal document.)

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into federal law in 1996 (Public Law 104-191). The intent of HIPAA is to improve the efficiency and effectiveness of the health care system through the establishment of standards and requirements for the electronic transmission of certain health information, by combating fraud, waste, and abuse, and by establishing security and privacy standards.

One of the elements of HIPAA law, a provision called Administrative Simplification, is designed to simplify the administration of health insurance. The intent of this provision is to improve the efficiency and cost effectiveness of the health care system by encouraging the development of standards for the electronic transmission of certain health information. The general approach is to accelerate the move of the health care industry from paper-based to electronic transactions through the establishment of national standards in the areas of privacy, security, and transactions and code sets.

In addition to providing and coordinating health care services and related health care data, CDVA is a recipient of medical information from covered entities and other business associates, and it must be able to maintain its “chain of trust” relationships with associated medical providers. Therefore, all business associates will be expected to protect protected health information (PHI) in accordance with HIPAA rules and regulations.

While CDVA’s home operation is not an insurance plan, it does provide reimbursement for medical care directly to providers in specific instances. Because CDVA receives and, in many cases, creates PHI, CDVA is considered a covered entity under HIPAA regulations. CalOHI has concurred.

CDVA expects the medical providers who are identified as business associates to transition to the electronic transmission of data as required by HIPAA. To ensure the continued support and participation of these providers, CDVA must develop the capability to receive and transmit PHI in a HIPAA-compliant format. Good business practices also lead CDVA to provide that option to home claimants as well as to medical providers. If CDVA does not transition to the receipt and transmission of PHI in the electronic HIPAA format, it risks increasingly inefficient processing of claims. This is likely to result in delayed payments to DI claimants, as well as increased health care costs, as providers pass on their administrative costs to their patients.

HIPAA is the single most significant Federal legislation affecting the health care industry since the creation of the Medicare and Medicaid programs in 1965. Title I of the Act improves the portability and continuity of health insurance coverage for millions of American workers and their families. Title II provides for administrative simplification that requires the development of standards for the electronic exchange of health care information.

Administrative simplification also requires rules to protect the privacy of personal health information, the establishment of security requirements to protect that information, and the development of standard identifiers.

Privacy

The privacy regulation specifies how health care organizations and their business partners transfer, receive, handle, protect and disclose protected health information (PHI). The regulation applies to all forms of PHI, whether paper, oral or electronic. Health care organizations are required to create privacy-conscious business practices and data systems, which include the requirement that only the minimum amount of health information necessary to conduct business is used or disclosed. Organizations are required to:

  • Ensure the internal protection of individual health information and implement physical and administrative safeguards.
  • Implement procedures that limit the use and disclosure of PHI to meet the "minimum necessary" standards.
  • Develop mechanisms for the accounting and auditing of all disclosures made for purposes other than treatment, payment or operations.
  • Establish policies and procedures to allow individuals to amend their health information.
  • Establish contracts and agreements with business associates that ensure the protection of PHI that is shared or traded.
  • Provide privacy training to members of its workforce who have access to PHI.
  • Establish policies and procedures to allow individuals to log complaints about the entity's information practices.
  • Designate a privacy official.
  • Enforce penalties for misuse or inappropriate use of health information.
  • Create and make available documentation regarding the compliance with all the requirements of the regulation.

Important Privacy Update

The Department of Health and Human Services (HHS) released modifications to the HIPAA privacy rule on August 14th, 2002. These changes are summarized below:

New exclusion - The employee-employer relationship has been specifically referenced in the Final Privacy Rule.

Consent - Consent is now optional for all covered entities.

Privacy Practices - Providers must make a good faith effort to obtain a written acknowledgement of receipt of the Notice of Privacy Practices at the first delivery of service, except in an emergency.

Disclosures - Covered entities are now allowed to share PHI for treatment and payment purposes without obtaining an authorization from the patient.

Incidental Uses and Disclosures - Incidental disclosures are permitted if they occur as a result of a permitted use or disclosure. However, reasonable and appropriate safeguards must be implemented.

Examples of permitted incidental disclosures include:

  • Using patient sign-in sheets, if they do NOT display medical information.
  • Calling a patient's name in the waiting room.
  • Placing charts outside an exam room, as long as reasonable and appropriate measures are taken to protect the patient's privacy. For example, ensuring that the areas are supervised, escorting non-employees in the area, or placing the chart with the front cover facing the wall.
  • Displaying patients' names next to the door of the hospital rooms.
  • Informing clergy about parishioners, as long as the patient has been informed and does not object.

Examples of violations include:

  • Providing unimpeded access of patient records to employees.
  • Faxing of records to the wrong number.
  • Conversations between an employee and a neighbor.

Note: The compliance date for the privacy regulation was April 14, 2003.

Security

The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

Access the complete Security Rule as published in the Federal Register (PDF Format, 309 KB)

The security regulations will apply to the administrative procedures and the technical and physical safeguards that ensure the integrity, confidentiality and availability of protected health information. The proposed security standard is divided into four categories:

  • Administrative Procedures: These are the documented, formal procedures for selecting and executing information security measures. The procedures also address staff responsibility for the protection of data.
  • Physical Safeguards: These safeguards protect the physical computer systems and related building and equipment from fire and other environmental hazards, as well as intrusion.
  • Technical Security Data Issues: These include the process used to protect, control and monitor information access.
  • Technical Security Mechanisms: These include the processes used to prevent unauthorized access to data transmitted over a communications network.

For additional information, visit http://www.cms.gov/.

Transactions and Code Sets

The first HIPAA Final Rule, federal legislation issued in October 2000, adopts standards for eight electronic health transactions and for code sets to be used in those transactions. Health claims, health plan eligibility, enrollment and disenrollment in a health plan, payments for care and health plan premiums, claim status, referral certification and authorization, coordination of benefits, and related transactions are all examples of electronic health transactions. Today, health providers and plans use many different electronic formats for these transactions. This rule requires everyone to use specific electronic formats for these transactions. Standards for the first report of injury and claims attachments will be adopted at a later date.

Use of standard code sets will also be required in all health transactions. Standards will be adopted for coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms, and actions taken to prevent, diagnose, treat, or manage these diseases, injuries, and other health problems. Standards will be set for any substances, equipment, supplies, or other items used to perform these actions as well.

National standards for electronic health care transactions will encourage electronic business in the health care industry and simplify the processes involved. Standardization will improve the overall data quality, reduce handling and processing time, eliminate the risk of lost paper documents and inefficiencies of handling paper documents, and decrease administrative costs for providers.

Virtually all health plans will have to adopt these standards, even if a transaction is submitted by paper, phone or FAX. Providers using non-electronic transactions are not required to adopt the standards; however, if they don't, they will have to contract with a clearinghouse to provide translation services.

Identifiers

Health care organizations are currently able to assign proprietary identifiers to identify health care providers, employers, health plans and individuals. This lack of standardization has led to system incompatibilities, administrative inefficiencies and accuracy problems. These rules will eventually establish standards for unique identifiers for providers, plans, employers and individuals.

Under a proposed standard related to EDI (electronic data interchange) formats, National Provider Identifiers (NPI) would be assigned to all providers and used by both public and private health plans. As proposed in the Federal standard, NPIs would be used by all health organizations that conduct HIPAA-specific electronic transactions. The NPI was proposed as an 8-digit alphanumeric identifier. However, many of those who have commented on the proposed rule prefer a 10-digit numeric identifier. Finalization of the specifications is expected in the future.

Employers frequently also have to be identified in electronic health care transactions. The adoption of the Employer Identification Number (EIN) as the standard unique identifier for employers in the filing and processing of health care claims and other transactions becomes effective July 30, 2002. The EIN is issued and maintained by the Internal Revenue Service (IRS). Businesses that pay wages to employees already have EINs. The identifier has nine digits, with the first two digits separated by a hyphen, as follows: 00-0000000.