HIPAA Regulations on Privacy, Electronic Transactions, and Security
By John M.
Ms. Kate Casagrande
November 15, 2002
Congress established several legislative mandates as part
of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
related to health insurance reform and consumer protections.
The Act is separated into four sections, covering the following:
Title I – health care access, portability, and renewability; Title II
– preventing health care fraud and abuse, administrative simplification, and
medical liability reform; Title III – tax-related health provisions; and
Title IV – application and enforcement of group health plan requirements.
Because of the far-reaching impact on health care
providers, much of the focus of HIPAA is on the administrative simplification
section of HIPAA, which has resulted in two sets of Final Regulations related
to protecting the Privacy of personal health information and
standardizing the use of Electronic Transactions that involve health
information. The Department of
Health and Human Services (HHS) recently approved modifications to the privacy
rules in response to voluminous comments from the industry and privacy
advocacy groups and is scheduled to finalize its proposed rule on Security
of health information by the end of this year.
In addition to the three main standard sets relating to
privacy, security and electronic transactions and code sets, there are also
standards relating to National Identifiers.
This would require all payors to use the same provider number for each
provider; as it stands now, it is all too common for one provider to have more
than 30 payor-assigned provider identifiers.
The final regulations on this standard have not yet been released.
The Administrative Simplification provisions will change how health care providers practice, and has been referenced as the most complex federal legislation since the creation of Medicare. While many of the provisions of this section will make things easier and more efficient for providers in the long run, the privacy and security regulations promoting patients’ rights regarding their personal health information place a much greater responsibility on providers, which will require a considerable amount of time, effort and resources to accomplish.
The goals of the Administrative Simplification provisions are three-fold:
To improve the efficiency of health care delivery by standardizing
the electronic data interchange (EDI) of certain administrative and financial
transactions (billing, admissions, discharge, etc.) between provider and payors
and by specifying the medical and administrative code sets to be used uniformly
with the standard transactions;
1. To improve the efficiency of health care delivery by standardizing the electronic data interchange (EDI) of certain administrative and financial transactions (billing, admissions, discharge, etc.) between provider and payors and by specifying the medical and administrative code sets to be used uniformly with the standard transactions;
2. To protect the privacy of health care information by setting standards for privacy and security of individually identifiable information; and
To empower patients with new rights related to their individually
identifiable health information. 
3. To empower patients with new rights related to their individually identifiable health information. 
Not only have there been original rules, proposed changes
and final modifications to many of the regulations, but also a generous number
of comments and concerns that have resulted in various interpretations of the
law. The Department of Health and
Human Services has continuously issued press releases regarding HIPAA, in
addition to providing updated answers to frequently asked questions regarding
interpretation and implementation of the regulations.
Overall, there has been a recognized indication that the HIPAA
regulations, as they were originally introduced, created many problems in the
implementation stage. While in
theory and on paper these regulations provided ideal rights to patients and
efficient exchange of electronic information for providers, in reality the
regulations have required excessive resources (both in time and money) and have
created impossible requirements. As
a result, it is clear that HIPAA will continue to change to address the
practical concerns that were not contemplated when the law was passed.
Because these overall goals have resulted in rules that are both complex
and extensive, it is important to break down the Administrative Simplification
provisions into the three main areas of Privacy, Electronic Transactions, and
The Privacy Regulations apply to "covered entities" and, to a limited extent, to their "business associates". Covered entities include all health plans, including Medicare and state Medicaid programs, all healthcare clearinghouses, and all health care providers that choose to submit transactions electronically. Self-insured health plans are included within the definition of a health plan. In addition, portions of the Privacy Regulations may also extend to individuals and businesses that may receive protected health information from a covered entity. While these individuals and businesses may not be covered entities, they will be required to comply with many provisions of the Privacy Regulations as "business associates".
The key phrase in the Privacy Regulations is “protected
health information,” which any information that is individually identifiable
and that is maintained or transmitted by a covered entity in any form, whether
in oral, written or electronic form. The
Privacy Regulations pertain to all protected health information and will require
covered entities to change their policies, procedures and practices with regard
to this information is handled. Compliance
with all the changes required by the Privacy Regulations must be done by
This transformation will include education to patients about their rights in respect to their protected health information in the form of a privacy notice, as well as making such health information available to patients for viewing, releasing, and even amending. Changes to existing policies and procedures, as well as the incorporation of new policies and procedures will need to be made in order to comply with HIPAA. The Privacy Notice is one of the key provisions of the Privacy Regulations as it will be given to every patient and must include information regarding the patient’s rights, as well as the provider’s uses, disclosures and legal responsibilities with respect to protected health information (PHI).
As mentioned previously, the business associates is another key provision of the Privacy Regulations, as it creates one of the most far-reaching pieces of legislation with regard to a patient’s PHI. This provision requires non-medical, non-covered entities to abide by the same set of standards as covered providers, just because they may receive protected health information from a covered entity. HIPAA specific language will need to be added to every contract that providers have if protected health information may be disclosed. In some cases where the business relationship does not have an existing contract, one will need to be implemented. This provision extends to attorneys, transcriptionists, accountants, answering services and more.
The Privacy Regulations also include making physical changes to protect the security of personal health information. Policies and procedures may need to be created regarding how protected health information is kept, from how and where files are kept to who has access to what information. Some of this, however, is covered under the Security regulation described below.
HIPAA requires that all providers designate a privacy
official who will be responsible for implementing the privacy policies and
procedures. In many cases, this
person may be responsible for all of HIPAA implementation.
In addition, this person will continue to monitor adherence to the rules
once they are in place and will be the contact for when complaints and concerns
regarding HIPAA violations occur.
The Department of Health and Human Services has designed
the Office of Civil Rights to enforce the provisions of the Privacy Rule.
Penalties for violations of HIPAA’s requirements have been established,
although there is no plan in place at this time for how enforcement will be
You should also be aware of another regulation released on
You should also be aware of another regulation released on
The Transaction regulation became
The Transaction regulations are the portion of HIPAA that truly relates to Administrative Simplification. These regulations have received support throughout the industry in creating a more efficient process for processing information in the following areas: health care claims and equivalent encounter information; health care payment and remittance advice; coordination of benefits; health claim status request and response; health plan enrollments and disenrollments; health care eligibility benefit inquiries and responses; health plan premium payments, payment order and remittance advice; and referral certification and authorization.
These standards apply only when
these transactions are transmitted electronically, not when the same
transactions are completed using paper. However,
Medicare will be requiring all providers to submit claims electronically as of
The Security regulations apply to those same entities
covered by the privacy rules. The
Security regulations require covered entities to develop policies, procedures,
and systems, with same goal as the Privacy regulations, to protect the
patient’s individually identifiable health information.
These measures refer only to electronic maintenance of protected health
information and will need to include policies for preventing staff without a
need to access patient information from viewing this information on computers or
installing appropriate firewalls to prevent outsiders from accessing protected
The Security regulations apply to those same entities covered by the privacy rules. The Security regulations require covered entities to develop policies, procedures, and systems, with same goal as the Privacy regulations, to protect the patient’s individually identifiable health information. These measures refer only to electronic maintenance of protected health information and will need to include policies for preventing staff without a need to access patient information from viewing this information on computers or installing appropriate firewalls to prevent outsiders from accessing protected information.
The Security regulations require the appointment of a security official. This person should be someone with at least minimal IT experience. Covered entities will also be required to undergo a gap analysis of their security systems currently in place to determine where the current standards fall short of HIPAA’s requirements.
The Security regulations are scalable.
This means that the Department of Health and Human Services would not
expect a small home health agency to spend $150,000 on a computer software
program like a hospital might. The
programs and systems put into place must be reasonable and provide particular
assurances that the protected information is safe.
These regulations are still in proposed form, but agencies should start developing policies and procedures as well as looking at computer systems. We do not anticipate that the final rules will be promulgated and a compliance date set before the end of this year.
 Taken from Field Guide to HIPAA Implementation, written by Jan Root, et al., and published by the American Medical Association.