Health Sciences Information Technology
University At Buffalo, The State University of New York



 

 

HIPAA Sections Overview

The rules proposed to address Public Law 104-191 (HIPAA) currently comprise several pieces, referred to here as Transactions, Code Sets, Privacy, Security, and Identifiers.  Each piece has separate rules and implementation deadlines.  This page documents the status of each piece that has been addressed (some have not yet been addressed and so do not appear here).  It also contains information on review entities relevant to the health care profession that are incorporating HIPAA into their operations.


Transactions & Code Sets

- Adoption status
  - Final Rule published in the Federal Register on August 17, 2000
  - Vol. 65, No. 160, "45 CFR Parts 160 and 162 Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard Maintenance Organizations; Final Rule and Notice"
- Legal Implementation deadline
  - Compliance date is October 16, 2002 (2003 for small health plans*).
- Summary
  - This rule addresses 11 areas of electronic transactions and adopts standards for eight of them as well as for code sets to be used in those transactions. It also contains requirements concerning the use of these standards by health plans, health care clearinghouses, and certain health care providers, and the specific code sets (data exchange formats) to be utilized in those transactions.  The eleven transactions (first eight have standards specified) are:
    - (1) Health care claims or equivalent encounter information.
    - (2) Health care payment and remittance advice.
    - (3) Coordination of benefits.
    - (4) Health care claim status.
    - (5) Enrollment and disenrollment in a health plan.
    - (6) Eligibility for a health plan.
    - (7) Health plan premium payments.
    - (8) Referral certification and authorization.
    - (9) First report of injury.
    - (10) Health claims attachments.
    - (11-?) Other transactions that the Secretary may prescribe by regulation.
- Primer (HTML, PDF)
- Source material
  - http://aspe.os.dhhs.gov/admnsimp/bannertx.htm
  - Final Rule - from above link on 4/5/2001 (PDF - 473KB)
- Enforcement mechanisms
- Penalties for non-compliance

 

Privacy

- Adoption status
  - Final Rule published in the Federal Register on December 28, 2000.
  - Vol. 65, No. 250, "45 CFR Parts 160 and 164 Standards for Privacy of Individually Identifiable Health Information; Final Rule"
- Legal Implementation deadline
  - Compliance date is April 14, 2003 (2004 for small health plans*).
- Summary
  - As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically.  The rule applies to all medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally.  Sections of this rule also specifically address research (whether related to health care or in pursuit of general knowledge) and interaction of this rule with IRBs.

Health information means any information that
  - (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  - (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and
  - (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  - (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    - (i) That identifies the individual; or
    - (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
  - Individually identifiable health information includes (but is not limited to)
    - (A) Names;
    - (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
    - (C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
    - (D) Telephone numbers;
    - (E) Fax numbers;
    - (F) Electronic mail addresses;
    - (G) Social security numbers;
    - (H) Medical record numbers;
    - (I) Health plan beneficiary numbers;
    - (J) Account numbers;
    - (K) Certificate/license numbers;
    - (L) Vehicle identifiers and serial numbers, including license plate numbers;
    - (M) Device identifiers and serial numbers;
    - (N) Web Universal Resource Locators (URLs);
    - (O) Internet Protocol (IP) address numbers;
    - (P) Biometric identifiers, including finger and voice prints;
    - (Q) Full face photographic images and any comparable images; and
    - (R) Any other unique identifying number, characteristic, or code;

- Primer (HTML, PDF)
- Source material
  - http://aspe.os.dhhs.gov/admnsimp/bannerps.htm
  - Final Rule - from above link on 4/5/2001 (PDF - 1,956KB)
  - Technical Corrections to Final Rule (posted 1 day later on 12/29/2000) (PDF - 117KB)
- Related material
  - IRB "Common Rule" (CODE OF FEDERAL REGULATIONS, TITLE 45 PUBLIC WELFARE, DEPARTMENT OF HEALTH AND HUMAN SERVICES NATIONAL INSTITUTES OF HEALTH OFFICE FOR PROTECTION FROM RESEARCH RISKS, PART 46 PROTECTION OF HUMAN SUBJECTS).  This is not part of HIPAA, but is referenced in the Privacy component of HIPAA that addresses roles of IRBs.  http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm
- Enforcement mechanisms
  - Delegation of Authority to the Office for Civil Rights, HHS, published in the Federal Register December 28, 2000 (Volume 65, Number 250)
  - Law Enforcement
- Penalties for non-compliance
  - Civil penalties. Health plans, providers and clearinghouses that violate these standards would be subject to civil liability. Civil money penalties are $100 per incident, up to $25,000 per person, per year, per standard.
  - Federal criminal penalties. There would be federal criminal penalties for health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

 

Security and Electronic Signature

- Adoption status
  - Proposed Rule published in the Federal Register on August 12, 1998.
  - Vol. 63, No. 155, "45 CFR Part 142 Security and Electronic Signature Standards; Proposed Rule"
- Legal Implementation deadline
  - Not yet established
- Summary
  - No existing standard provides uniform, comprehensive protection of individual health information.  HIPAA mandates new security standards to protect an individual’s health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.  HIPAA also mandates that a new electronic signature standard be used where an electronic signature is employed in the transmission of a HIPAA standard transaction.  The proposed rule addresses both security standards and an electronic signature standard and has been developed to protect the confidentiality, integrity, and availability of individual health information.  The security standard applies to individual health information that is maintained or transmitted and mandates safeguards for physical storage and maintenance, transmission, and access to individual health information.  The security standard has a much broader reach than the specific transactions defined in other HIPAA-related law.  The electronic signature standard applies only to the transactions adopted under HIPAA, and then only to a health care provider, health care clearinghouse, or health plan that employs an electronic signature in the transmission of one of those transactions.  None of the transactions adopted under HIPAA requires an electronic signature at this time.  The security standard does not prescribe specific technologies for meeting it.
- Primer (HTML, PDF)
- Source material
  - http://aspe.os.dhhs.gov/admnsimp/bannerps.htm#security
  - Proposed Rule (8/12/1998) from above link on 4/5/2001 (PDF - 256KB)
- Enforcement mechanisms
- Penalties for non-compliance

 

Identifier

- Adoption status
  - National Provider ID: Proposed Rule published in the Federal Register on May 7, 1998 (Vol. 63, No. 88, "45 CFR Part 142 National Standard Health Care Provider Identifier")
  - National Employer ID: Proposed Rule published in the Federal Register on June 16, 1998 (Vol. 63, No. 115, "45 CFR Part 142 Health Insurance Reform: National Standard Employer Identifier")
  - National Health Plan ID: under development; not yet available
  - National Individual ID: not yet available
- Legal Implementation deadline
  - Not yet established
- Summary
- Primer (HTML, PDF)
- Source material
  - http://aspe.os.dhhs.gov/admnsimp/bannerid.htm
  - Provider ID Proposed Rule (May 7, 1998) from above link on 4/5/2001 (PDF - 256KB)
  - Employer ID Proposed Rule (June 16, 1998) from above link on 4/5/2001 (PDF - 156KB)
- Enforcement mechanisms
- Penalties for non-compliance

 

 

Other Entities

This is an incomplete list of other entities which are "comparing their current standards and survey processes and modifying them to address HIPAA requirements".

- Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
- Commission on Accreditation of Rehabilitation Facilities (CARF)
- National Committee for Quality Assurance (NCQA)

 

* Small Health Plans are health plans with annual receipts of $5 million or less

Content last edited: 04/11/2001

University at Buffalo, State University of New York
Health Professions Information Technology Partnership
174 Biomedical Education Building; 3435 Main Street Bldg. 22; Buffalo, NY 14214
(716) 829-3172 ; (716) 829-3456 FAX;
hpitp-info@buffalo.edu

