HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The act, which was signed into law by President Bill Clinton in August 1996, contains five sections, or titles:
HIPAA Title I protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases and pre-existing conditions, and from setting lifetime coverage limits.
HIPAA Title II directs the U.S. Department of Health and Human Services to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
HIPAA Title III includes tax-related provisions and guidelines for medical care.
HIPAA Title IV further defines health insurance reform, including provisions for individuals with pre-existing conditions and those seeking continued coverage.
HIPAA Title V includes provisions on company-owned life insurance and treatment of those who lose their U.S. citizenship for income tax purposes.
In IT, adhering to HIPAA Title II (the Administrative Simplification provisions) is what most people mean when they refer to HIPAA compliance. Title II includes the following HIPAA compliance requirements:
National Provider Identifier Standard:
Each covered healthcare provider, whether an individual practitioner or an organization such as a hospital or group practice, must have a unique 10-digit national provider identifier, or NPI, and use it in standard transactions. (Health plans and employers are identified by other numbers; the NPI is provider-specific.)
Transactions and Code Sets Standards:
Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
HIPAA Privacy Rule:
Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.
HIPAA Security Rule:
The Security Standards for the Protection of Electronic Protected Health Information sets standards for patient data security.
HIPAA Enforcement Rule:
This rule establishes guidelines for investigations into HIPAA compliance violations.
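The NPI standard above is the one Title II requirement that an engineer can check mechanically before a transaction leaves the building: the tenth digit of an NPI is a Luhn mod-10 check digit computed over the nine preceding digits with the constant prefix 80840 (the ISO issuer identifier CMS assigned for this purpose), and assigned NPIs begin with 1 or 2. The following Python is an added example, not code from the original article or from CMS; 1234567893 is the NPI example CMS publishes, and the other values in SAMPLE_BATCH are constructed for illustration. A passing check digit only shows the number is well formed, not that it has actually been assigned to a provider; the NPPES registry is the authority for that.

```python
"""Check the Luhn check digit on National Provider Identifiers (NPIs).

Added example; not from the original article. The 80840 prefix, the Luhn
mod-10 rule and the leading-1-or-2 convention are CMS's published NPI rules.
"""

NPI_PREFIX = "80840"  # CMS-specified issuer prefix, used only for the checksum


def luhn_sum(digits: str) -> int:
    """Luhn mod-10 sum: rightmost digit has weight 1, every second digit is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the doubled value
        total += d
    return total % 10


def npi_check_digit(base9: str) -> int:
    """Return the check digit CMS would append to a 9-digit NPI base."""
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("NPI base must be exactly 9 digits")
    # A trailing '0' stands in for the unknown check digit so the weights line up.
    return (10 - luhn_sum(NPI_PREFIX + base9 + "0")) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is 10 digits, starts with 1 or 2 and its check digit verifies."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    if npi[0] not in "12":  # CMS assigns NPIs only with a leading 1 or 2
        return False
    return luhn_sum(NPI_PREFIX + npi) == 0


def find_bad_npis(npis):
    """Return the entries that fail validation, e.g. scrubbing a claim batch before submission."""
    return [n for n in npis if not is_valid_npi(n)]


# Constructed sample: 1234567893 is the CMS example NPI; the rest are made up.
# 1234567890 has a wrong check digit, 9999999995 passes Luhn but has an invalid
# leading digit, 12345678 is too short and 123456789X is not numeric.
SAMPLE_BATCH = ["1234567893", "1234567890", "9999999995", "12345678", "123456789X"]

if __name__ == "__main__":
    print(npi_check_digit("123456789"))  # 3
    print(find_bad_npis(SAMPLE_BATCH))
```

Running this as a pre-submission filter rejects mistyped or fabricated identifiers cheaply, before a claim is bounced by the payer's EDI gateway.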
In 2013, the HIPAA Omnibus Rule was put in place by HHS to implement modifications to HIPAA in accordance with guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act, including making business associates of covered entities directly liable for compliance. The omnibus rule also adopted HITECH's tiered penalty structure, raising the maximum civil penalty to $1.5 million per calendar year for violations of an identical provision.
HIPAA violations can prove quite costly for healthcare organizations. First, the HIPAA Breach Notification Rule within the omnibus set of regulations requires covered entities (and their business associates, who must report breaches to the covered entity) to notify affected individuals following a breach of unsecured protected health information, and to notify HHS as well; breaches affecting more than 500 individuals also trigger notice to prominent media outlets. In addition to the notification costs, healthcare organizations can face civil fines after HIPAA audits mandated by the HITECH Act and conducted by the HHS Office for Civil Rights (OCR). Providers could also face criminal penalties stemming from violations of the HIPAA privacy and security rules.
What Are HIPAA Standard Transactions?
HIPAA standard transactions are exchanges involving the transfer of information between two parties for specific purposes. HIPAA regulations established the following standard transactions for Electronic Data Interchange (EDI) of healthcare data:
Claims and encounter information;
Coordination of benefits and premium payment;
Eligibility, enrollment, and dis-enrollment;
Payment and remittance advice; and
Referrals and authorizations.