HIPAA Sections Overview
The rules proposed to address Public Law 104-191 (HIPAA)
currently comprise several pieces, referred to here as Transactions,
Code Sets, Privacy, Security, and Identifiers. Each piece has
separate rules and implementation deadlines. This page documents the status of
each of the pieces that have been addressed (some have not yet been addressed
and so do not appear here). It also contains information on review entities
relevant to the Healthcare profession that are incorporating HIPAA into their
operations.
Quick jump to: Transactions & Code Sets, Privacy,
Security & Electronic Signature, Identifiers and Other
Entities
Transactions & Code Sets
| Adoption status
| Final Rule published in the Federal Register on August 17, 2000 |
| Vol. 65, No. 160, "45 CFR Parts 160 and 162 Health Insurance
Reform: Standards for Electronic Transactions; Announcement of
Designated Standard Maintenance Organizations; Final Rule and
Notice" |
|
| Legal Implementation deadline
| Compliance date is October 16, 2002 (2003 for small health plans*). |
|
| Summary
| This rule addresses 11 areas of electronic transactions and adopts
standards for eight of them as well as for code sets to be used in those
transactions. It also contains requirements concerning the use of these
standards by health plans, health care clearinghouses, and certain
health care providers, and the specific code sets (data exchange
formats) to be utilized in those transactions. The eleven transactions (first eight have
standards specified) are:
| (1) Health care claims or equivalent encounter information. |
| (2) Health care payment and remittance advice. |
| (3) Coordination of benefits. |
| (4) Health care claim status. |
| (5) Enrollment and disenrollment in a health plan. |
| (6) Eligibility for a health plan. |
| (7) Health plan premium payments. |
| (8) Referral certification and authorization. |
| (9) First report of injury. |
| (10) Health claims attachments. |
| (11-?) Other transactions that the Secretary may prescribe by
regulation. |
|
|
| Primer (HTML, PDF) |
| Source material
|
| Enforcement mechanisms |
| Penalties for non-compliance |
Privacy
| Adoption status
| Final Rule published in the Federal Register on December 28, 2000. |
| Vol 65, No. 250, "45 CFR Parts 160 and 164 Standards for Privacy
of Individually Identifiable Health Information; Final Rule" |
|
| Legal Implementation deadline
| Compliance date is April 14, 2003 (2004 for small health plans*). |
|
| Summary
| As required by HIPAA, the final regulation covers health plans, health
care clearinghouses, and those health care providers who conduct certain
financial and administrative transactions (e.g., electronic billing and
funds transfers) electronically. The rule applies to all medical
records and other individually identifiable health information held or
disclosed by a covered entity in any form, whether communicated
electronically, on paper, or orally. Sections of this rule
also specifically address research (whether related to health care or in
pursuit of general knowledge) and interaction of this rule with IRBs.
Health information means any information that
| (1) Is created or received by a health care provider, health plan,
public health authority, employer, life insurer, school or
university, or health care clearinghouse; and |
| (2) Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care
to an individual; or the past, present, or future payment for the
provision of health care to an individual. |
Individually identifiable health information is information
that is a subset of health information, including demographic
information collected from an individual, and
| (1) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and |
| (2) Relates to the past, present, or future physical or
mental health or condition of an individual; the provision of health
care to an individual; or the past, present, or future payment for
the provision of health care to an individual; and
| (i) That identifies the individual; or |
| (ii) With respect to which there is a reasonable basis to
believe the information can be used to identify the individual. |
|
| Individually identifiable health information includes (but is not
limited to)
| (A) Names; |
| (B) All geographic subdivisions smaller than a State,
including street address, city, county, precinct, zip code, and
their equivalent geocodes, except for the initial three digits
of a zip code if, according to the current publicly available
data from the Bureau of the Census: (1) The geographic
unit formed by combining all zip codes with the same three
initial digits contains more than 20,000 people; and (2)
The initial three digits of a zip code for all such geographic
units containing 20,000 or fewer people is changed to 000. |
| (C) All elements of dates (except year) for dates directly
related to an individual, including birth date, admission date,
discharge date, date of death; and all ages over 89 and all
elements of dates (including year) indicative of such age,
except that such ages and elements may be aggregated into a
single category of age 90 or older; |
| (D) Telephone numbers; |
| (E) Fax numbers; |
| (F) Electronic mail addresses; |
| (G) Social security numbers; |
| (H) Medical record numbers; |
| (I) Health plan beneficiary numbers; |
| (J) Account numbers; |
| (K) Certificate/license numbers; |
| (L) Vehicle identifiers and serial numbers, including license
plate numbers; |
| (M) Device identifiers and serial numbers; |
| (N) Web Universal Resource Locators (URLs); |
| (O) Internet Protocol (IP) address numbers; |
| (P) Biometric identifiers, including finger and voice prints; |
| (Q) Full face photographic images and any comparable images;
and |
| (R) Any other unique identifying number, characteristic, or
code; |
|
|
|
| Primer (HTML, PDF) |
| Source material
|
| Related material
| IRB "Common Rule" (Code of Federal Regulations, Title 45 Public Welfare,
Department of Health and Human Services, National Institutes of Health,
Office for Protection from Research Risks, Part 46 Protection of Human
Subjects). This is not part of HIPAA, but is
referenced in the Privacy component of HIPAA that addresses roles of
IRBs. http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm |
|
| Enforcement mechanisms
| Delegation of Authority to the Office for Civil Rights, HHS, published
in the Federal Register December 28, 2000 (Volume 65, Number 250) |
| Law Enforcement |
|
| Penalties for non-compliance
| Civil penalties. Health plans, providers and clearinghouses that
violate these standards would be subject to civil liability. Civil money
penalties are $100 per incident, up to $25,000 per person, per year, per
standard. |
| Federal criminal penalties. There would be federal criminal penalties
for health plans, providers and clearinghouses that knowingly and
improperly disclose information or obtain information under false
pretenses. Penalties would be higher for actions designed to generate
monetary gain. Criminal penalties are up to $50,000 and one year in
prison for obtaining or disclosing protected health information; up to
$100,000 and up to five years in prison for obtaining protected health
information under "false pretenses"; and up to $250,000 and up
to 10 years in prison for obtaining or disclosing protected health
information with the intent to sell, transfer or use it for commercial
advantage, personal gain or malicious harm. |
|
Security and Electronic Signature
| Adoption status
| Proposed Rule published in the Federal Register on August 12, 1998. |
| Vol. 63, No. 155, "45 CFR Part 142 Security and Electronic
Signature Standards; Proposed Rule" |
|
| Legal Implementation deadline
| Not yet established |
|
| Summary
| No existing standard provides uniform, comprehensive protection of
individual health information. HIPAA mandates new security
standards to protect an individual’s health information, while
permitting the appropriate access and use of that information by health
care providers, clearinghouses, and health plans. HIPAA also
mandates that a new electronic signature standard be used where an
electronic signature is employed in the transmission of a HIPAA standard
transaction. The proposed rule addresses both security standards
and an electronic signature standard and has been developed to protect
the confidentiality, integrity, and availability of individual health
information. The security standard applies to individual health
information that is maintained or transmitted and mandates safeguards
for physical storage and maintenance, transmission, and access to
individual health information. The security standard has a much
broader reach than the specific transactions defined in other HIPAA
related law. The electronic signature standard applies only to
the transactions adopted under HIPAA and then only to any health care
provider, health care clearinghouse, or health plan that employs an
electronic signature in the transmission of one of the transactions
adopted under HIPAA. None of the transactions adopted under HIPAA
requires an electronic signature at this time. The security
standard does not prescribe specific technologies to be used in
meeting it. |
|
| Primer (HTML, PDF) |
| Source material
|
| Enforcement mechanisms |
| Penalties for non-compliance |
Identifiers
| Adoption status
| National Provider ID: Proposed Rule published in the Federal Register
on May 7, 1998 (Vol. 63, No. 88, "45 CFR Part 142 National Standard
Health Care Provider Identifier") |
| National Employer ID: Proposed Rule published in the Federal Register
on June 16, 1998 (Vol. 63, No. 115, "45 CFR Part 142 Health
Insurance Reform: National Standard Employer Identifier") |
| National Health Plan ID: under development; not yet available |
| National Individual ID: not yet available |
|
| Legal Implementation deadline
| Not yet established |
|
| Summary |
| Primer (HTML, PDF) |
| Source material
|
| Enforcement mechanisms |
| Penalties for non-compliance |
Other Entities
This is an incomplete list of other entities which are "comparing their
current standards and survey processes and modifying them to address HIPAA
requirements".
| Joint Commission on Accreditation of Healthcare Organizations (JCAHO) |
| Commission on Accreditation of Rehabilitation Facilities (CARF) |
| National Committee for Quality Assurance (NCQA) |
* Small Health Plans are health plans with annual receipts of $5
million or less
Content last edited: 04/11/2001