In this article, you will learn about the origin of HIPAA, including the initial failure of Congress to enact privacy protection for medical records and transactions. Also covered is the official drafting of the act by the U.S. Department of Health and Human Services, as well as how HIPAA was rolled out in medical establishments across the country.
Section 1. The Origin of HIPAA
HIPAA stands for the "Health Insurance Portability and Accountability Act", which was signed into law by then-President Bill Clinton in 1996. The act was the result of mounting concerns regarding patient access to insurance during unstable times, as well as concerns regarding the mass collection and storage of highly sensitive personal information by health insurance companies and medical establishments. HIPAA is divided into two components, Title 1 and Title 2.
Title 1: Health Coverage Access and Portability
The focus of Title 1 is on the portability of health coverage. This protects an individual's ability to maintain health coverage even when moving between jobs, and is especially important in the case of pre-existing conditions.
In the past, many employers denied health coverage to new employees if they could verify the existence of a pre-existing condition. Due to this, many people were afraid to leave their jobs, even if the work environment and compensation were poor. The risk of being unable to acquire health insurance for themselves and their families was one that few people were willing to take, especially in uncertain economic times.
Under the protection of HIPAA, individuals and their dependents are more likely to receive coverage under a new employer due to a clause limiting what can be considered a pre-existing condition. Under the provisions of HIPAA, a new employer can only look at six months of historical data when determining exclusions based on pre-existing conditions. More specifically, it must be documented that the individual received a diagnosis, treatment, medical care, or advice for this specific ailment within the prior six months. If this does not exist, the patient cannot be denied coverage under HIPAA.
To illustrate this point, someone may have asthma, arthritis, or another condition for many years. However, they have never been to a doctor for treatment and have either suffered in silence, or found ways to manage the illness themselves. In this case, there are no diagnosis or treatment records, and the patient is fully eligible for coverage without exclusions.
Title 2: Developing the Administrative Simplification Provisions
The focus of Title 2, also known as the "Administrative Simplification" provisions, is to protect unique identifying information found in patient health records, insurance claims and many other types of health documents. Title 2 also encourages the use of electronic patient records systems and imposes penalties for breaches of patient privacy.
When the act was initially drafted, there was a mandate for the Administrative Simplification rules to be developed and ratified by Congress and publicized by the Secretary of the Department of Health and Human Services to the public within three years. In the absence of action by Congress, the Secretary of HHS was to take responsibility for drafting the legislation. As Congress failed to move on this initiative, the Secretary of HHS took over.
The Secretary created proposed legislation that governed the exchange, privacy, and security of personal health information. This proposal was released to the public for feedback and amended based on more than 52,000 comments that were received. The final version was released in December of 2000. The legislation was later revised and again vetted by the public, with the final version released in August of 2002.
The First Federal Medical Privacy Data Legislation
There were privacy laws on the books in the individual states, but they mainly focused on financial data, identity theft, and other types of fraud. The laws that dealt with medical information were not robust or clear enough to eliminate the many breaches of privacy that had occurred, or could occur. HIPAA provided a blanket set of expectations for medical data privacy that provided more security for patients and uniform direction for those who deal with medical data. The fact that the law included civil and criminal penalties also gave it more credibility.
Prior to the inception of HIPAA's privacy rule, there was a sense of organized chaos in the medical community. Clinics were burdened with increased administrative duties required by managed care companies, which included keeping up to date on procedure codes, billing requirements, and record maintenance. Also, there was no standard format for the establishments that maintained electronic patient records. One of the main goals of HIPAA was to streamline the process for maintaining and transmitting patient data electronically while limiting breaches in confidentiality.
The main benefits of the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") are:
- Specific rules regarding the disclosure of Protected Health Information (PHI)
- Guidelines for transmitting patient data electronically
- Limiting internal employee access to PHI to the minimum necessary to perform their jobs
- Guidelines for health insurance companies and clearing houses that transmit PHI
- The ability for patients to access their medical records and make amendments to their medical data if warranted
- To require authorization from the individual to utilize or transmit PHI as part of any marketing communications
The privacy rule has gone through a few iterations. The original version was released in December of 2000. The privacy rule was later amended in August of 2002, and required compliance by February 14, 2003. Smaller health plans with fewer resources were required to be in compliance by April 14, 2004.
Food for Thought
Have you or someone you know ever been excluded from health coverage?
Do you feel that your doctor and health plan take adequate measures to ensure your privacy?
Covered Entities under HIPAA
In this article you will learn about "covered entities" in the context of HIPAA. We will examine the sometime complex relationships between health care practitioners, insurance plans, and business associates -- and how those relationships were impacted by the implementation of the HIPAA privacy rule.
Section 1. Who Does the Privacy Rule Apply to?
Medical practitioners and organizations that are subject to the privacy rule under HIPAA's Administrative Simplification guidelines are referred to as "covered entities." These are entities that routinely collect, store, and transmit personally identifiable health information in order to diagnose, treat, bill for services, or process claims. This applies to entities transmitting patient information electronically and applies to such organizations as:
- Nursing Homes
- Dental Offices
- Insurance Companies
- Medicare and Medicaid
The status of "covered entity" is applied to any organization that submits HIPAA-protected information electronically. This applies to both large and small organizations and applies even if only a small portion of the total claims are transmitted and stored electronically. Once one electronic disclosure is made, the HIPAA privacy rules apply.
The organizations listed above can be grouped into four main categories, as shown below:
Health Plans - This includes individual and group insurance plans that are administered through an employer. Most types of plans are included as covered entities, including HMOs, dental plans, vision plans, Medicare and Medicaid, and prescription drug plans.
Health Care Providers - This is any health care organization, or solo medical provider, that electronically transmits personal health information that is protected by HIPAA. Any person or organization that provides a medical service and submits electronic bills for this service is considered a covered entity. The covered entity status is in effect whether the organization manages the billing process itself, or hires a third-party billing service.
In addition to electronic billing giving one status as a covered entity, electronic claims inquiries, referral authorizations, and online patient eligibility inquiries also confer covered entity status. This is true for large hospitals, as well as solo medical practitioners.
Health Care Clearinghouses - These organizations receive unique patient information after a medical service has been performed and compile the data in a standardized way for submission to health plans for reimbursement. Often, a clearinghouse will reprice or reformat a claim based on the known parameters of a specific health plan. Technically, clearinghouses also can be classified as business associates of the primary medical establishment, which gives them less stringent guidelines, as explained below.
Business Associates - Though not technically covered entities, Business Associates are subject to some of the same rules. Business Associates are third-party independent contractors that have permission to view and process personally identifiable health information on behalf of a medical establishment or health plan. Examples of activities performed by business associates include claim processing, billing and collection services, and data analysis.
Companies that act as business associates offer non-medical services in the realm of financial, legal and administrative assistance. While they may provide some form of medical services and be a covered entity in their own right, they do not do so for the company of which they are a business associate. Also, their non-medical assistance must involve the use of protected health information in order for them to be considered a business associate.
Covered entities that contract work out to business associates are responsible for documenting -- in a contract -- what measures the business associate will take to protect the personal health information it comes in contact with. The covered entity must clearly state in writing how the information is to be used, and under what circumstances disclosure of PHI is acceptable.
Section 2. Indications that you are NOT a Covered Entity
The privacy rule may be hard for some administrators to understand fully. You are not a covered entity, and therefore not subject to HIPAA privacy regulations, for the following types of transactions:
- Filing paper claims to health plans, including Medicare and Medicaid. Only claims filed electronically qualify. Note however, that many insurance carriers are phasing out paper claims in favor of a strictly electronic claims submission platform.
- Submitting claims for medical services by paper or dedicated fax machine
- Checking claim status by phone
- Checking patient insurance eligibility by phone
- Enrolling or removing oneself from a group or individual health plan by phone or fax
- Receiving payment from insurance carriers, or paper explanation of benefits documents through the mail
"Covered Transactions" are electronic exchanges of personally identifiable patient information that is transmitted between two covered entities in accordance with HIPAA guidelines.
Examples of covered transactions include:
- Electronic referral authorizations for visits to a specialist or a laboratory
- Electronic claim submissions to an insurance company
- Electronic information sent to a third party billing or collection service
- Electronic claim information sent to a clearinghouse for reformatting and submission to an insurance carrier
Covered transactions do not include letters, emails, and documents sent by the patient, as the patient is not deemed a covered entity under HIPAA. Covered transactions must comply with all HIPAA privacy standards.
Food for Thought
What additional types of business associates might a medical provider contract work out to?
Any medical provider, large or small, that electronically transmits personally identifying health information is considered a covered entity. Covered entities and their business associates engage in covered transactions, such as claims submission and processing, and data analysis, and are held accountable for maintaining patient privacy.