Laws - Health Insurance Portability and Accountability Act (HIPAA)
An Introduction to HIPAA Security
HIPAA stands for the Health Insurance Portability and Accountability Act, an act that was enacted in 1996. In fact, portability is exactly what HIPAA is all about. HIPAA is the way that you and your family can have continuity of health insurance even through job changes and perhaps even unemployment. Just as employees are portable, so should health insurance be, thanks to HIPAA.
A few decades ago, people stayed in one or two jobs throughout a whole career. In those days people had no need for HIPAA, because their jobs were stable. But today, in a time when jobs and even careers are constantly changing, HIPAA can make a big difference in your personal welfare, or even the welfare of your family.
If you really want to understand HIPAA, you have to understand what HIPAA is not. HIPAA is not a guarantee that you will have health insurance, or that you will keep health insurance after a job change. But HIPAA provisions may help you keep insurance during transitions, and they may help you get other insurance if you lose the insurance coverage that was provided by a previous employer.
How Does INFOSEC Relate to HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that charges the Department of Health and Human Services to establish regulations for the handling of certain types of health information (HI), collectively known as “protected health information.”
HIPAA itself does not establish the regulations, but provides the framework for regulations (generally known as “rules”) in four areas: transactions and code sets, identifiers, privacy, and security.
- Transactions and code sets - Deals with the correct and complete transfer of information between health care entities. The idea is that electronic data interchange (EDI) will be made easier by having industry-wide standards for interchange code sets. Rather than needing to negotiate data interchange code sets each time that two entities establish a relationship, the entities can simply refer to a particular HIPAA transaction code set.
- Identifiers - Is the specification for uniquely identifying entities in the health care system. Health care providers, clearing houses, and insurers are all given unique identifiers within the U.S. health care system to ease the identification of those entities.
- Privacy - Is the rule that provides guidelines intended to protect the confidentiality of health information. Standards for identification and authentication of people and organizations requesting HI are enumerated in this rule.
- Security - Is the rule that deals largely with the technical measures used to enforce the organization's information-handling policy. Certain provisions of the Privacy Rule will require implementation of the Security Rule for enforcement.
For UC, the Privacy Rule and Security Rule are most important.
Privacy is best defined as “informational self-determination.” HIPAA's Privacy Rule helps to support large-scale privacy by providing policy guidelines, basically spelling out who may share what with whom. The Privacy Rule goes a step further, actually providing additional requirements that deal with the risk of accidental exposure. Thus, operational procedures are also impacted.
Security, when defined broadly as the “enforcement of policy,” is achieved through both operational requirements and technical requirements of systems that deal with protected HI. To this end, HIPAA helps covered organizations to achieve security by providing a clear standard as to what minimum protection must be offered. The benefit that this provides is uniform protection of HI, and helps covered organizations to understand just where they are expected to draw the lines between functionality and security. Information security is one of the goals of HIPAA. Through its Rules, clear and consistent standards have been established that will help covered entities to understand:
- Which kinds of information are critical (through the definition of protected health information);
- How to support confidentiality of information (through the policy framework articulated in the Privacy Rule);
- How to support integrity (through the interchange standards in the Transactions and Code Sets Rule, uniquely-identified entities in the Identifiers Rule, and the technical data integrity standards established in the Security Rule);
- How to support availability (through provisions in the Security and Privacy Rules).
UC is building an information assurance program that not only adheres to the letter of each of the rules, but also supports the spirit and higher-order goals of HIPAA. Doing so will not only help avoid regulatory compliance problems; supporting the security of health information will also help the U.S. health care system to be worthy of its patients' trust.
HIPAA Standards and Procedures Checklist
Executive Summary of HIPAA Provisions
Background
Law: Public Law 104-191
Signed: August 21, 1996
Effective date of the law: July 1, 1997
Overview
In short, HIPAA was designed to:
- Improve the portability of health insurance coverage in the group and individual markets.
- Limit healthcare fraud and abuse.
- Promote the use of medical savings accounts.
- Improve access to long-term care services and coverage.
- Simplify the administration of health insurance.
Of these five, the last – administrative simplification – is perhaps the most critical for healthcare information managers. Specifically, HIPAA aims to achieve this administrative simplification by:
- Establishing standardized code sets for financial and clinical electronic data interchange (EDI) transactions to enable information flow;
- Mandating adoption of security standards to preserve the confidentiality of patient records; and
- Creating unique identifiers for the four constituents in healthcare — payers, providers, patients and employers — to simplify the administrative challenge of maintaining and transmitting clinical data across disparate episodes of patient care.
Key Provisions
Pre-existing conditions: Limits group insurers' rights to deny or limit enrollment on the basis of pre-existing medical conditions, which should improve the portability of health insurance coverage.
- Eliminated pregnancy as a pre-existing condition.
- Mandated coverage of newborns or newly adopted children enrolled within 30 days of birth or adoption.
- Set a maximum amount of time (12 months) that group health insurance plans, HMOs or self-insured plans (ERISA plans) could bar someone on the basis of a pre-existing condition. This exclusion period is reduced by the amount of time a person previously had continuous coverage through other private insurance or public insurance programs.
- Allowed insurers to charge more for groups containing several persons with pre-existing conditions.
- Allowed the Internal Revenue Service (IRS) to penalize health plans $100 per day for each enrollee affected by failure to comply with the new law's portability, anti-discrimination and guaranteed renewability provisions.
Small group protection: Insurers cannot deny coverage to small employers (two to 50 workers) but may charge for groups with higher health costs.
Group-to-individual coverage protection: Insurers must offer individual coverage to a person losing group coverage if the individual:
- Had 18 continuous months of prior coverage under a group health plan;
- Has exhausted COBRA coverage; or
- Is ineligible for coverage through government programs such as Medicare or Medicaid.
Non-discrimination: Group health plans and employers cannot deny coverage for an individual and his/her dependents on the basis of health status, physical or mental medical condition, claims experience, genetic information, disability or domestic violence.
Guaranteed renewability: Insurers must offer to renew group and individual policies except for non-payment of premiums, fraud or because the plan no longer offers coverage in a geographic area.
Limited liability for volunteer health workers: Healthcare providers serving gratis in such facilities are deemed to be employees of the U.S. Public Health Service, thereby limiting their professional liability exposure. This is a good-Samaritan type of protection for volunteer work in non-profit, free health clinics.
Fraud and abuse control program: The HHS Inspector General and U.S. Attorney General will issue written advisory opinions and special fraud alerts to provide guidance to healthcare providers on whether or not proposed conduct breaks the law. These advisory opinion requests must be answered within 60 days of receipt, and the Secretary may charge a fee to cover the cost of preparing the opinion. The advisory opinions shall cover proposed actions applicable to most government health programs, not just Medicare and Medicaid, and include proposals to form physician-sponsored networks.
The HHS Secretary will establish a program to coordinate federal, state, and local programs to control health plan fraud and abuse. A Health Care Fraud and Abuse Control Account, financed by fines, civil penalties, assessments, forfeitures, criminal penalties and damages imposed in healthcare cases, will be established in the Medicare Part A Trust Fund to support activities of the new program. Congress authorized an additional $104 million in Fiscal Year 1997 for the fraud and abuse account, this amount to increase 15 percent annually through Fiscal Year 2003.
In most federal fraud and abuse cases, civil monetary penalties are raised from $2,000 to $10,000. New practices are added to the list of outlawed activities, such as engaging in a pattern of upcoding to obtain higher payment. A physician who falsely certifies a person as eligible for home healthcare will be fined up to $5,000. Criminal penalties will be imposed for knowingly and willfully defrauding any health benefits program.
The HHS Secretary will establish a fraud and abuse data collection system for reporting final adverse actions against healthcare providers, suppliers, or practitioners. Final adverse action includes civil judgments, a federal or state criminal conviction for a health offense, or actions by agencies responsible for medical licensing or certification. The term does not include malpractice, or settlements in which no finding of liability is made. Information supplied includes the name and tax identification number of a person subject to an adverse action, the name of any healthcare group with which the person is associated, the final action and whether it is on appeal, and a description of the evidence on which the final action is based. Procedures must be developed for protecting the privacy of healthcare consumers involved in cases reported in the system. System data will be reported on demand to healthcare providers, suppliers, and practitioners.
Medicare fiscal intermediaries and carriers will no longer conduct fraud and abuse monitoring or prevention activities. Qualified entities will perform activities to promote Medicare integrity, such as reviewing provider services, auditing cost reports, conducting provider and enrollee education on payment and quality assurance, and updating the list of durable medical equipment items subject to prior authorization. A consumer suggestions program will be established to encourage people to submit ideas for improving Medicare efficiency; the Secretary could reward people whose suggestions are adopted.
Administrative simplification: The Secretary of Health and Human Services will establish standards to enable most health records and financial transactions to be exchanged electronically. Unique identifiers would be created for users, purchasers, and suppliers of healthcare services. The electronic standards will be developed, adopted, and modified by a national standard-setting group. Standards will be developed for the electronic transmission and authentication of signatures. System security procedures must be developed. Initial standards for the electronic transmission of healthcare transactions must be promulgated within 18 months of the new law's enactment. Users not complying with the new electronic standards will be subject to a $100 fine per failure to comply; the total fines in a calendar year may not exceed $25,000. A person who discloses individually identifiable health information may be fined $50,000, imprisoned for a year, or both. If such a disclosure is under false pretenses, the offender may be fined $100,000 and imprisoned up to five years. If the disclosure is for malicious purposes or commercial advantage, the offender may be fined $250,000 and imprisoned up to 10 years.
Medical savings accounts (MSAs): Individual contributions to MSAs are deductible from personal income taxes. Employer contributions to MSAs are not included in an individual's taxable income. MSA earnings are not taxable. Distributions from an MSA for medical expenses are not taxable. Non-medical distributions from the MSA are subject to taxation, and would be subject to an additional tax penalty of 15 percent unless made after age 60, the onset of disability, or death. Money in the MSA after the holder's death is included in his or her estate.
No more than 750,000 individuals can participate in the MSA program at this time. New MSAs cannot be opened after December 31, 2000, unless Congress chooses to expand the program.
The General Accounting Office (GAO) must prepare a report for Congress describing how MSAs affect the usage of preventive healthcare services, the scope of coverage, premium costs, adverse selection in the small group insurance market, and so forth. The Treasury Department must report to Congress on whether the use of MSAs generates federal savings.
Tax deductibility for the self-employed: An increase to 80 percent in the tax deduction for the health insurance premium payments of self-insured persons would be phased in between 1997 and 2006.
Long-term care insurance: Premiums for long-term care insurance would be treated as deductible expenses. Up to $175 per day, or $63,875 per year, of payments from long-term care policies would not be included in personal income. These new standards would also apply to life insurance riders designed to provide long-term care benefits.
Accelerated death benefits: Amounts that terminally ill or chronically ill policy holders cash out from their life insurance policies will be excluded from income and treated as a death benefit.
Income tax exemption: Organizations formed to provide medical care for the uninsurable on a not-for-profit basis, and organizations established before June 1, 1996 solely to reimburse their members for losses arising from workmen's compensation acts, are deemed tax-exempt.
Individual Retirement Account (IRA) distributions for medical purposes: No tax penalties will be imposed if IRA proceeds are used to pay the health insurance premium of an unemployed individual.
Organ and tissue donations: A statement promoting organ and tissue donations will be included with federal income tax refunds.
Miscellaneous: Revenue offsets to cover the federal costs of this new law will be generated by federal taxes imposed on persons renouncing their U.S. citizenship for tax advantages, and a variety of tax revisions affecting financial institutions.
Important Questions & Critical Answers
What does HIPAA really mean, in layman's terms?
HIPAA has two goals:
- To make healthcare insurance more accessible by making it "portable". Primarily this means restricting, and in some cases, eliminating the practice of excluding people from coverage because of pre-existing conditions.
- To make healthcare more accountable in terms of cost. How? By reducing fraud and increasing efficiency and effectiveness through administrative simplification.
What are its implications for me?
Compliance, compliance, compliance. For most healthcare constituencies, administrative simplification is the real crux of HIPAA. Administrative simplification seeks to improve healthcare by standardizing such data as identification numbers and administrative/financial data transactions while protecting the security and privacy of the transmitted information.
Compliance, which will be mandatory, will engender profound changes in procedures and the implementation of systems to support them. Noncompliance can be extremely expensive, not only because of actual penalties, but also because noncompliant organizations will lose business if they're unable to communicate with compliant organizations.
When must I comply?
As early as February 2002 for some initiatives; no later than July 2002 for most of the remaining ones. And Health & Human Services (HHS) is very clear on one thing: For most organizations, the standards become effective 24 months after adoption, no matter how long the adoption process takes.
For more information, see "The Health Insurance Portability and Accountability Act Timeline" and "Milestones in Health Information Standards".
What's going on with the legislation? Why the delay?
Administrative simplification is anything but simple. Because the final rules will have the force of Federal law, the process to develop them is designed to achieve consensus within HHS and across other Federal departments. The approval process is convoluted at best.
For more information, see "Time On Our Side: Why HIPAA Hasn't Hit" and "The Rule Making Process for Administrative Simplification: What Is Taking So Long?"
HIPAA has been around since 1996 – why the urgency now?
Many of HIPAA's original compliance deadlines were set for 2000. Delays have pushed these dates forward, but not very far. As early as February 2002, organizations must begin complying with proposed standards. If systems are not in place, compliance will be difficult – if not impossible.
Why HIPAA Hasn't Hit
In August 1996, the Health Insurance Portability and Accountability Act (HIPAA) became law.
By all rights, it seemed like a good idea: mandate standards for the electronic transfer of administrative and financial healthcare-related information and save billions of dollars in costs each year. It didn't impose rules and regulations unnecessarily, because the standards apply primarily to payers and clearinghouses, as well as those providers who choose to transmit information electronically. And the implementation time frames were reasonable — 18 months to adopt the standards, then another 24 months to implement them.
Road Paved With Good Intentions
The driving factor behind the legislation in the first place was that an uncommonly high percentage of every dollar spent on healthcare-related services in the U.S. goes toward administrative overhead. This includes processes for:
- Enrolling individuals in health plans.
- Paying health insurance premiums.
- Checking insurance eligibility.
- Authorizing a patient's referral to a specialist.
- Filing claims for payment of healthcare services.
- Requesting or responding to additional information in support of a claim.
- Coordinating the payment of claims involving two or more insurers.
- Notifying providers about the payment of claims.
Estimates of the savings that could be realized by moving these tasks from manual, paper-based transactions to electronic transmissions range from $9 billion to $42 billion in the first six years.
The Complicated Business of Administrative Simplification
One part of the 1996 law, Administrative Simplification, targeted the high cost of paper-based transactions. It required the secretary of the Dept. of Health and Human Services (H & HS) to adopt "national uniform standards" for their electronic transmission. But between the passing of the law and the deadline for adopting standards, something went slightly awry.
The February 1998 adoption deadline came and went. And, while H & HS has made good headway, it's evident that both the process and the healthcare industry are more complicated than first glance revealed.
So what exactly went wrong? H & HS officials give two main reasons for the delay:
- Complexity of the issues involved; and
- A cumbersome review process.
What they didn't mention is that the complexity increases because there are a number of different types of organizations affected, including:
- Government and private health plans, insurers and administrators.
- Hospitals, physicians and care providers.
- Employers.
- Clearinghouses.
- Value added networks (VANs).
- Translator vendors.
- Hospital and practice management system vendors.
- Billing agents.
- Other service organizations.
And for each type of organization, there are a number of very specific implementation requirements, steps, and issues. But perhaps the most complicated part of the entire undertaking is the review process.
Despite the goal of simplification, the process is far from simple. The short description of the process includes the following steps:
1. Identify existing standards that could be adopted.
2. Analyze existing standards, identify gaps and conflicts.
3. Develop recommendations for standards to be adopted.
4. Publish proposed rules outlining the standards in the Federal Register for a 60-day public comment period.
5. Analyze comments and prepare and publish final rules.
6. Distribute standards and prepare and distribute implementation guides.
But what this description doesn't show is how complicated steps 3, 4 and 5 really are. Because the final rules will have the force of Federal law, the process to develop them is designed to achieve consensus within H & HS and across other Federal departments.
Here's how it works:
First, H & HS Implementation Teams draft Notices of Proposed Rule Making (NPRMs) for the following:
- Administrative and financial transaction standards and code sets;
- National provider identifiers;
- Identifier for health plans;
- Identifier for employers; and
- Security standards.
Then, each NPRM is reviewed and approved within the Federal government to answer and resolve governmental questions and concerns. This within-government review is a three-stage process by which the NPRMs are approved by:
- The H & HS Data Council's Committee on Health Data Standards, which is responsible for overseeing the entire AS implementation process for the Secretary of H & HS.
- Advisors to the Secretary within H & HS, who are heads of divisions that may be affected by the proposed standards or are responsible for particular issues (e.g., the impact of the standards on the Federal budget).
- The Office of Management and Budget, which reviews the NPRMs from a government-wide perspective and circulates the NPRMs for review by Federal departments other than H & HS.
Once this internal review process is complete, the NPRMs can finally be published in the Federal Register for public comment. Public comment on the NPRM is used to fashion the final rule.
What's Been Done?
H & HS has actually done rather well, given the task it faced. Roughly three months off-schedule (see The Health Insurance Portability and Accountability Act Timeline), the organization submitted NPRMs to the Federal Register as follows:
- National Standard Health Care Provider Identifier, published May 7, 1998.
- Standards for Electronic Transactions and Code Sets, published May 7, 1998.
- National Standard Employer Identifier, published June 16, 1998.
- Security and Electronic Signature Standards, published August 12, 1998.
- The National Standard for Identifiers of Health Plans has not yet been submitted.
Now that the public comment period is over for four of the NPRMs, H & HS faces the task of incorporating public comment. It's no surprise that they're not yet publishing target dates for publishing final rules.
Only Time Will Tell
In the beginning, officials in the Health Care Finance Administration (HCFA) had anticipated publishing the proposed rules in early spring 1998. They did reach that goal, almost. However, so far, the rest of their initial scenario (which called for final regulations to be published in late 1998, and therefore healthcare organizations' compliance in late 2000) has not held true.
While the delays mean the continued high cost of healthcare, there are some positives. First, it means healthcare has a bit more time to corral the necessary resources to comply with the final rules once they are published. Second, the extra time will keep new regulations from hitting at the same time as any potential Year 2000 issues.
But we can't let these delays lull us into a sense of false security. H & HS is very clear on one thing: The standards become effective 24 months after adoption for most organizations and delays in adoption of the standards will not shorten these periods for implementation.
Whether or not healthcare takes advantage of the breathing room it has been granted could mean the difference between a difficult transition and an impossible one. Even though the clock is ticking, it would be wise for healthcare to realize that the extra time is time on our side.
HIPAA Frequently Asked Questions (FAQ)
Question: What is the purpose of the HIPAA Security Standards rule and why were security standards needed as published in the Federal Register on February 20, 2003?
Answer: The purpose of this Security Standards rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. They were needed because there were no standard measures existing in the health care industry that addressed all aspects of the security of electronic protected health information while it is in use, in storage, or during the exchange of that information between entities. HIPAA mandated security standards to protect an individual's health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.
Question: Do the Security Standards as published in the Federal Register on February 20, 2003 require use of specific technologies?
Answer: No. The security standards were designed to be "technology neutral" in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. Any regulatory requirement for implementation of specific technologies would bind the health care community to specific systems and/or software that may be superseded by rapidly developing technologies and improvements.
HIPAA Resource List
American Health Information Management Association (AHIMA)
- Under FAQs, a concise HIPAA preparation checklist and practice briefs
http://www.ahima.org/
DHHS HIPAA Administrative Simplification
- text of proposed rules and comments
- implementation guide
- subscription to HIPAA-REGS listserve (notification when final rules are published)
- FAQ list*
http://aspe.hhs.gov/admnsimp/
HCFA Information Clearinghouse
- section on Internet Security Policy
http://www.hcfa.gov/pubforms/pubforms.htm
Healthcare Informatics
http://www.healthcare-informatics.com/
HIPAA Advisory (Phoenix Systems)
- Good summaries of HIPAA issues
- Full text of proposed regulations, including keyword search
- FAQ list
- Action tools
- Subscription to HIPAAlert e-mail monthly newsletter
- Subscription to HIPAAlive listserve (active/detailed issues: IS, HIM, vendors)
http://www.hipaadvisory.com/
HIPAA Comply
- Discussion forum
- Legal issues
http://www.hipaacomply.com/
Shared Medical Systems HIPAA Central
- HIPAA Security Summit: Guidelines Draft Document (comprehensive)*
http://www.smed.com/hipaa/
3-Com HIPAA E-Source
- Computer-based Patient Record Institute (CPRI) comprehensive HIPAA Toolkit*
- Toolkit includes excellent sample security and privacy policies from different healthcare organizations
- CPRI Guide to Information Security Education with sample training materials
http://healthcare.3com.com/securitynet/hipaa/