Understanding HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a health reform initiative whose primary intent is to help secure your health information, make it easier for your records to follow you when you change jobs, and make the processing of medical information more efficient. HIPAA comprises four areas of regulation:

Privacy Regulation

The HIPAA privacy regulation is a "use and disclosure" set of requirements enacted in 2003 that defines how the Service Benefit Plan can use and share your confidential medical information. The regulation limits the use and disclosure of Protected Health Information (PHI). PHI includes any individually identifiable health information, such as your demographic and clinical information as well as related business and insurance data.

The regulation asserts that privacy is a "fundamental right." This has transformed the way Americans view their right to control their medical information and medical services. You are now in the driver's seat on how your confidential medical information is used and disclosed.

BCBSA compliance

Some of the basic steps we have implemented to comply with privacy regulations include:

  • Adopting policies and procedures to protect the privacy of protected health information
  • Adopting policies and procedures that give individuals specific rights to their health information, including the rights to
    • access and copy health information
    • be informed of certain disclosures
    • request corrections/amendments
    • request limits on disclosures your office makes
    • receive confidential communication
  • Creating a written notice describing how BCBSA and the local BlueCross BlueShield Plans use and disclose your PHI, and providing you a copy of that notice
  • Designating a privacy official to handle complaints and questions about the notice of privacy practices
  • Providing policies and procedures training for personnel
  • Implementing appropriate safeguards to protect member information from improper disclosure
  • Establishing a reporting and response system for privacy violations
  • Developing a sanctions policy for the discipline of privacy violations by employees

Security Regulation

While the privacy regulation pertains to all PHI, paper or electronic, the HIPAA security regulation, enacted in 2005, deals specifically with Electronic Protected Health Information (ePHI). It states that we must:

  • Protect confidentiality, integrity and availability of all electronic protected health information that we create, receive, maintain, or transmit
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy part of the HIPAA regulations
  • Ensure that our employees comply with the HIPAA security regulations

Confidentiality means that your PHI is not made available or disclosed to unauthorized persons or processes. Integrity means that your PHI has not been altered or destroyed in an unauthorized manner. Availability means that your PHI is accessible or usable upon demand by an authorized person. The regulation also asserts that we maintain strong and up-to-date security controls on all electronic files that contain your PHI.

Physical security is a major component of the regulation. The law mandates the protection of equipment and information from damage and environmental threats, such as floods and fires, and physical threats such as unauthorized access to information.

BCBSA compliance

There are a number of steps that we have taken to implement these security regulations including:

  • Designating a security officer to handle security complaints and security breaches to the PHI
  • Developing a contingency plan and disaster recovery plan to continue operations after a storm or other event beyond BCBSA's control
  • Maintaining strong access control and securing the physical facility
  • Adopting and training our employees on HIPAA security policies and procedures

Physical security is a major component of HIPAA security. It protects equipment and information from damage and environmental and human threats and offers control of, and protection within, a facility.

  • Environmental threats include water, fire, humidity and power surges.
  • Physical threats are addressed through door access control, escorting guests within secure areas, keeping equipment in a secure area, and controlling ventilation duct access.
  • Human threats are addressed by screening personnel before hiring, restricting access to secure areas, and training personnel in security needs and actions.

The regulation requires that BCBSA keep strong, up-to-date security controls in place on all electronic files that contain your PHI.

Information Transactions and Code Sets

In October 2003, standardized transactions and code sets were implemented to improve the effectiveness and efficiency of Medicare, Medicaid, and other federal programs, as well as the healthcare industry in general. These transactions and code sets were designed to simplify administration within the healthcare system and to enable efficient electronic transmission of certain health information through Electronic Data Interchange (EDI).

What is EDI?

EDI is the electronic transfer of information in a standard format between trading partners. EDI allows entities within the healthcare system to exchange medical, billing and other information and to process transactions quickly and cost-effectively. EDI substantially reduces the handling and processing time of information as well as the risk of losing paper documents.

The HIPAA Claim Form

In the early 1990s the health care industry asked the Department of Health and Human Services (DHHS) to help the industry create one, and only one, claim form. The industry had previously tried to create a single claim form and did not succeed. Designed to streamline the administration of healthcare, the HIPAA claim form has replaced approximately 400 claim forms for medical services, 200 claim forms for dental services and the previously used pharmacy claim form.

Electronic Transactions and Code Sets

In addition to a standard claim form, this rule also established standards and specific code sets to be used for the following eight electronic transactions:

  • Health care claims or equivalent encounter information
  • Eligibility for a health plan
  • Referral certification and authorization
  • Health care claim status
  • Enrollment and disenrollment in a health plan
  • Health care payment and remittance advice
  • Health plan premium payments
  • Coordination of benefits

The medical data code sets include:

  • International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volumes 1 and 2
  • International Classification of Diseases, 9th Edition, Clinical Modification, Volume 3 Procedures
  • Code on Dental Procedures and Nomenclature, as maintained and distributed by the American Dental Association, for dental services
  • The Health Care Financing Administration Common Procedure Coding System (HCPCS)

Healthcare clearinghouses, health plans, other health insurers, and providers who submit administrative transactions electronically must use these standard electronic formats and code sets.

Unique Identifiers

The final component of HIPAA is the national identifiers regulation. The uniform identifiers permit your doctors, hospital providers, dentists and pharmacists to spend much less time dealing with the bureaucracy of getting paid.

There are three HIPAA National Identifiers:

  1. Employer ID Number (EIN)
  2. National Provider Identifier (NPI)
  3. National Health Plan Identifier

Both the EIN and the NPI have been implemented. The HIPAA EIN is the IRS federal tax number of a healthcare business. The EIN is required on some of the healthcare transactions outlined above under Transactions and Code Sets, and has been used on those transactions since 2004.

The National Provider Identifier (NPI) was implemented in May 2008 and requires that all providers completing electronic transactions, health plans, and healthcare clearinghouses use only the NPI to identify covered healthcare providers on the standard HIPAA transactions outlined above. This means that today, the claim form your doctor and hospital use to process your medical, dental, or pharmacy services carries the one NPI as opposed to multiple identifiers. Again, this allows more efficient, streamlined processing of transactions.

When the National Health Plan Identifier HIPAA regulation is released, it will add to this efficiency by again going from many identifiers to one identifier.

Page last updated: December 16, 2011