Administrative Simplification Under HIPAA: National Standards for Transactions, Security and Privacy

October 15, 2002

Overview: To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 included a series of "administrative simplification" provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health plans, doctors, hospitals and other health care providers to process claims and other transactions electronically. The law also requires the adoption of security and privacy standards in order to protect personal health information. HHS is issuing the following major regulations:

• Electronic health care transactions (final rule issued);
• Health information privacy (final rule issued);
• Unique identifier for employers (final rule issued);
• Security requirements (proposed rule issued; final rule in development);
• Unique identifier for providers (proposed rule issued; final rule in development);
• Unique identifier for health plans (proposed rule in development); and
• Enforcement procedures (proposed rule in development).

Although the HIPAA law also called for a unique health identifier for individuals, HHS and Congress have indefinitely postponed any effort to develop such a standard.

Under HIPAA, most health plans, health care clearinghouses and health care providers who engage in certain electronic transactions have two years from the time the final regulation takes effect to implement each set of final standards. More information about the HIPAA standards is available at http://aspe.hhs.gov/admnsimp/ and http://www.cms.gov/hipaa.

Background

Today, health plans, hospitals, pharmacies, doctors and other health care entities use a wide array of systems to process and track health care bills and other information. Hospitals and doctor's offices treat patients with many different types of health insurance and must spend time and money ensuring that each claim contains the format, codes and other details required by each insurer. Similarly, health plans spend time and money to ensure their systems can handle transactions from various health care providers and clearinghouses.

Enacted in August 1996, HIPAA included a wide array of provisions designed to make health insurance more affordable and accessible. With support from health plans, hospitals and other health care businesses, Congress included provisions in HIPAA to require HHS to adopt national standards for certain electronic health care transactions, codes, identifiers and security. HIPAA also set a three-year deadline for Congress to enact comprehensive privacy legislation to protect medical records and other personal health information. When Congress did not enact such legislation by August 1999, HIPAA required HHS to issue health privacy regulations.

Security and privacy standards can promote higher quality care by assuring consumers that their personal health information will be protected from inappropriate uses and disclosures.

In addition, uniform national standards will save billions of dollars each year for health care businesses by lowering the costs of developing and maintaining software and reducing the time and expense needed to handle health care transactions.

Covered Entities

In HIPAA, Congress required health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically (such as eligibility, referral authorizations and claims) to comply with each set of final standards. Other businesses may voluntarily comply with the standards, but the law does not require them to do so.

Compliance Schedule

In general, the law requires covered entities to come into compliance with each set of standards within two years following adoption, except for small health plans, which have three years to come into compliance. For the electronic transaction rule only, Congress in 2001 enacted legislation allowing a one-year extension for most covered entities provided that they submit a plan for achieving compliance. As a result, covered entities that qualify for the extension will have until Oct. 16, 2003 to meet the electronic transaction standards instead of the original Oct. 16, 2002 deadline. (Small health plans must still meet the Oct. 16, 2003 compliance date and are not eligible for an extension under the new law.) The legislative extension does not affect the compliance dates for the health information privacy rule, which remains April 14, 2003 for most covered entities (and April 14, 2004 for small health plans).

Developing Standards

Under HIPAA, HHS must adopt recognized industry standards when appropriate. HHS works with industry standard-setting groups to identify and develop consensus standards for specific requirements. For each set of standards, HHS first develops proposed requirements to obtain public feedback. After analyzing public comments, HHS makes appropriate changes before issuing a final set of standards. The law also allows HHS to propose appropriate changes to the HIPAA regulations to ensure that the standards can be implemented effectively and be maintained over time to continue to meet industry needs.

Electronic Transaction Standards

In August 2000, HHS issued final electronic transaction standards to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. The new standards establish standard data content, codes and formats for submitting electronic claims and other administrative health care transactions. By promoting the greater use of electronic transactions and the elimination of inefficient paper forms, these standards are expected to provide a net savings to the health care industry of $29.9 billion over 10 years. All health care providers will be able to use the electronic format to bill for their services, and all health plans will be required to accept these standard electronic claims, referral authorizations and other transactions.

In December 2001, Congress adopted legislation that allows most covered entities to obtain a one-year extension to comply with the standards, from Oct. 16, 2002 to Oct. 16, 2003. To qualify for the extension, the covered entity must submit a plan for achieving compliance by the new deadline. (The legislation did not change the compliance date for small health plans, which remains Oct. 16, 2003.) HHS' Centers for Medicare & Medicaid Services (CMS) has issued a model compliance plan that covered entities may use to obtain an extension. The model plan is available at http://www.cms.gov/hipaa.

Privacy Standards

In December 2000, HHS issued a final rule to protect the confidentiality of medical records and other personal health information. The rule limits the use and release of individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding disclosure of records for certain public responsibilities, such as public health, research and law enforcement. Improper uses or disclosures under the rule are subject to criminal and civil sanctions prescribed in HIPAA.

After considering public comment on the final rule, HHS Secretary Tommy G. Thompson allowed it to take effect as scheduled, with compliance for most covered entities required by April 14, 2003. (Small health plans have an additional year.) In March 2002, HHS proposed specific changes to the privacy rule to ensure that it protects privacy without interfering with access to care or quality of care. After considering public comments, HHS issued a final set of modifications on Aug. 14, 2002. Detailed information about the privacy rule is available at http://www.hhs.gov/ocr/hipaa.

Employer Identifier

In May 2002, HHS issued a final rule to standardize the identifying numbers assigned to employers in the health care industry by using the existing Employer Identification Number (EIN), which is assigned and maintained by the Internal Revenue Service. Businesses that pay wages to employees already have an EIN. Currently, health plans and providers may use different ID numbers for a single employer in their transactions, increasing the time and cost for routine activities such as health plan enrollments and health plan premium payments. Most covered entities must comply with the EIN standard by July 30, 2004. (Small health plans have an additional year to comply.)

Additional Standards

Led by CMS, HHS is currently developing other administrative simplification standards. HHS has published proposed regulations for three other major standards - security standards, national identifiers for health care providers and modifications to the original transaction rule - and is now reviewing public comments and preparing final regulations. HHS also is working to develop other proposed standards, including a national health plan identifier and additional electronic transaction standards. In addition, HHS is developing regulations related to enforcement of the adopted standards. The status of key standards required under HIPAA follows:

Security standards. In August 1998, HHS proposed rules for security standards to protect electronic health information systems from improper access or alteration. In preparing final rules for these standards, HHS is considering substantial comments from the public, as well as new laws related to these standards and the privacy regulations. HHS expects to issue final security standards shortly.

National provider identifier. In May 1998, HHS proposed standards to require hospitals, doctors, nursing homes, and other health care providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. Providers would apply for an identifier once and keep it if they relocated or changed specialties. Currently, health care providers are assigned different ID numbers by each different private health plan, hospital, nursing home, and public program such as Medicare and Medicaid. These multiple ID numbers result in slower payments, increased costs and a lack of coordination.

National health plan identifier and other HIPAA regulations. HHS is working to propose standards that would create a unique identifier for health plans, making it easier for health care providers to conduct transactions with different health plans. HHS is also working to develop additional transaction standards for attachments to electronic claims and for a doctor's first report of a workplace injury. In addition, HHS is developing a proposed rule on enforcement of the HIPAA requirements. As with other HIPAA regulations, HHS will first consider public comment on each proposed rule before issuing any final standards.

Personal identifier on hold. Although HIPAA included a requirement for a unique personal health care identifier, HHS and Congress have put the development of such a standard on hold indefinitely. In 1998, HHS delayed any work on this standard until after comprehensive privacy protections were in place. Since 1999, Congress has adopted budget language to ensure no such standard is adopted without Congress' approval. HHS has no plans to develop such an identifier.