HIPAA Articles of Interest

Standards for Privacy of Individually Identifiable Health Information

General Overview of the HIPAA Privacy Rule by HHS

HIPAA Compliance Q&A from Kathleen Lamb, J.D., General Counsel, POMCO

Q. What is HIPAA about?

A. HIPAA is about setting standards. The first standard is for automating the business procedure of claims and healthcare transactions. The second and third standards include providing for the security and confidentiality of health information.

Q. Who must comply with these standards?

A. Health plans, health care providers and health care clearinghouses. These entities are collectively called "covered entities" and are bound to the new standards even if they contract with others to perform some of their functions. The organizations that are contracted to the covered entities are called "business associates" and have separate requirements mandated by HIPAA.

Q. When will the covered entities have to comply with the standards?

A. The transaction code standard for automating the business procedures of claims and health care transactions had a compliance deadline of October 16, 2002 unless an extension had been filed with CMS, which extended the deadline to October 16, 2003. The privacy standard had a compliance deadline date of April 14, 2003. Finally, the security compliance deadline was April 21, 2005.

Q. What happens if the covered entities do not comply with the standards?

A. The government is very serious about protecting the personal health information that moves around hospitals, doctors’ offices, insurers or third party payers and other entities. They have mandated compliance and have set forth penalties ranging from monetary fines to prison sentences depending on the type and seriousness of the violation.

Q. Isn’t this just like Y2K compliance that ended up being much ado about nothing at great expense to organizations?

A. No. Y2K was a technology-specific problem whereas HIPAA involves information technology, business operations, and claims/bill processing among other areas that are involved with patient health information. Y2K was predominantly an internal issue with optional compliance whereas HIPAA is industry-wide and affects everyone who handles health care information. HIPAA compliance is not optional in that it is federally mandated with fines and criminal sentences for violations. It is probably best likened to ERISA in that ERISA is a consumer protection regulation and HIPAA is a patient protection regulation.

Q. Can you cite some examples of what the privacy regulation does?

A. The privacy standard gives the patient more control of their health care information. It sets boundaries on the use and release of health records. It establishes safeguards that health care providers and others must achieve to protect the privacy of health information. It holds violators accountable, with civil and criminal penalties, for violation of the patients’ privacy rights and it strikes a balance when public responsibility requires disclosure of some forms of patient health care information.

OCR HIPAA Privacy standards [45 CFR Parts 160-164]

The Privacy Rule: What Should You Be Doing To Achieve HIPAA Privacy Compliance?

As many of you know, HIPAA, which stands for the Health Insurance Portability and Accountability Act of 1996, has a provision named Title I that governs the pre-existing condition exclusions, the portability of insurance, and enrollment provisions that have been in existence for a number of years. A subdivision of HIPAA, known as the Administrative Simplification provisions, contains standards for the protection and privacy of health information. This is the HIPAA section you have heard many of your colleagues referring to over the last few months. This section of HIPAA requires covered entities to comply with the privacy standards, the electronic data interchange standards and the security standards, among others. The privacy standard implementation date was April 14, 2003.

Q: Who is a covered entity?

A: Any of the following are considered to be covered entities: health plans, health care clearinghouses and health care providers.

Q: Are employers covered entities?

A: No. The Department of Health and Human Services does not have jurisdiction to regulate employers. However, they have the authority to regulate health plans. Since a health plan is usually nothing more than a document, it is the plan sponsor that must comply with HIPAA. Many times, the employer is the plan sponsor so, even though employers are not covered entities, they could be the entity that is responsible for complying with HIPAA in its role as the plan sponsor.

Q: What does a covered entity need to do?

A: All organizations, whether a covered entity or not, should be creating an atmosphere of confidentiality to protect patient health information. Regardless of the HIPAA regulations, there are, in many states, similar (or more stringent) state privacy laws already in effect that mandate an atmosphere of confidentiality. New York has very strict confidentiality statutes to protect health information. The HIPAA regulations reinforce this mandate by adding new standards. A covered entity must assess its current privacy practices; designate a privacy officer and a complaint contact person (this may be the same person and may also be someone in Human Resources, for example); and establish administrative, physical and technical safeguards governing who may access protected health information, how those individuals may use it, and when it may be disclosed to others outside the plan. These standards must be documented in a policy and procedure manual. A covered entity must train its staff in maintaining confidentiality and develop a system of sanctions for workforce members who violate the plan's policies. Finally, a covered entity must enter into business associate contracts with its business associates.

POMCO contact person: Kathleen Lamb, J.D. (315) 432-9171 x4462

Claim submission information: POMCO utilizes a PGP encryption program. Claims should preferably be submitted through the WebMD clearinghouse; if not submitted through WebMD, claims can be submitted directly to POMCO. Payor ID number: 16111.

837 Compliance: Format will be both Institutional and Professional.

Test files from Providers: Can be submitted any time after August 1, 2003.

Adjustments and corrections: Will be made electronically.

Paper Remittance Advices: Paper remittance advices will no longer be sent after October 16, 2003. Remittance advices will be sent electronically via computer link. The clearinghouse, ABF, will be used for payments.

Implementation Date: October 16, 2003.

Testing ID Number: Tax identification number.

Please feel free to share this information with any providers that may ask you about EDI compliance.