HIPAA: Administrative Simplification Rules


Section 1. The goal of the Administrative Simplification Rules

The implementation of the Administrative Simplification Rules is an effort to promote the use of electronic means to transfer data between covered entities, especially between health care facilities and insurance plans. Of particular interest was adopting set standards for the formatting and coding of health information, as well as financial data and reimbursement information. The rules specifically deal with electronic health care transactions and code sets, unique health identifiers, and security provisions.

The following were also electronic transactions that required standardization:

  • Health claims attachments
  • Enrollment and disenrollment in a health plan
  • Eligibility for a health plan
  • Health care payment and remittance advice
  • Health plan premium payments
  • First report of injury
  • Health claim status
  • Referral certification and authorization

Also, of principal interest to the government was standardizing the enormous amount of data it received under the Medicare and Medicaid programs, as will be described in more detail below.

Section 2. National Provider Identifiers

In an effort to streamline the health care system, it was legislated that each health care provider or facility adopt a standardized identification number called a "National Provider Identifier (NPI)", by which they are identified on all formal documents and health insurance claims. The NPI is assigned by the Centers for Medicare and Medicaid Services (CMS) and was required as of May 23, 2005.

The unique identifier must be adopted by all covered entities, including health plans, clearinghouses, physicians, hospitals, medical groups, nursing homes, dentists and laboratories. This number is ten digits and, although it is unique to the provider, it does not contain any special sequences that denote demographic data of any kind.

Section 3. The Security Rule

The HIPAA Security rule was enacted to ensure the protection of patient health information in all of its stages, including creation, transmission, use and maintenance. This of course applies to covered entities and requires that they have processes and security provisions sufficient to ensure the confidentiality of patient health data. This involves providing safeguards at the administrative, physical, and technical level.

While the Privacy Rule does address the protection of patient health information, it focuses more on ensuring privacy by regulating the uses and disclosures of health information. The Security Rule, on the other hand, specifically concentrates on securing patient data when it is collected, stored, or transmitted electronically, to ensure that there are no instances of altering, deleting, or inappropriately transmitting patient records.

With advances in technology, many health facilities and insurance plans now rely heavily on various technological tools to store, process, and transfer data to other covered entities. This provides a higher level of efficiency, but also presents a higher level of risk. The Security rule seeks to safeguard against the interception and illegal use of protected health information in a way that is standardized across the industry, with specific interest in streamlining Medicare and Medicaid.

In drafting the Security Rule, the Department of Health and Human Services had to take into account that not every covered entity had the same technical resources, number of patients, and types of information stored. Therefore, HHS sought to draft the rule in a way that it is flexible enough to ensure security of patient data without imposing undue hardship on smaller covered entities.


Under the Security Rule, covered entities are responsible for:

  • Assessing their current electronic storage and submission portals for vulnerabilities
  • Anticipating potential threats and implementing mitigating measures
  • Developing and maintaining electronic security measures to protect patients' health information
  • Taking advantage of technological advancements that allow for greater security
  • Ensuring that there is no opportunity for unauthorized access to protected health information, including by employees

Two of the main ways in which the Security Rule differs from the Privacy Rule are its emphasis on the integrity and availability of PHI. In the case of integrity, this means that protected health information is in no way deleted, altered, or otherwise compromised in a way that changes its accuracy and completeness. The availability component ensures that PHI is available for review and retrieval by approved individuals at any time.

Administrative Safeguards

Under the Security Rule, there are specific administrative duties for which each covered entity is responsible. Some of them are similar to those mentioned in the Privacy Rule, but are listed again in the Security Rule to reinforce the importance of maintaining proper oversight. Because each covered entity has different needs, budgets, and access to technology, no specific tools or measures are required for compliance with the Security Rule. Instead, it is left to each covered entity to use its best judgment to implement measures that fit the scope of its operations.

Administrative Safeguards under the Security Rule include:

  • The designation of a Security Officer who is responsible for the development, implementation, and oversight of security measures
  • Implementing role-based access to electronic PHI obtained and stored by the covered entity. This means limiting access to electronic patient records to only those who require it to perform their jobs
  • Training all employees on the entity's privacy and security policies, as well as on their role and what information they have access to
  • Providing oversight of staff and transactions, as well as meting out corrective action for the violation of any security measures

Risk Analysis and Management

When implementing the Security Rule, the Security Officer must perform an analysis of all current electronic systems and tools that are used to manage protected health information. Current modes of storage and transfer should be examined, as well as the possibility for them to become vulnerable to a breach of privacy from external entities, or by internal employees without clearance to view PHI. Based on the analysis, upgrades or new tools may be required to properly secure data. The Security Officer is responsible for conducting ongoing risk analysis and upgrading processes and systems as needed.

Physical Safeguards

A covered entity must ensure that its facilities are protected in a way that prevents access by individuals without clearance, while at the same time allowing for the smooth flow of business. If there are specific areas that patients and customers should not enter, these areas must be clearly marked and secured. Also, there may be areas and patient information that are off limits to certain employees based on their job functions. The Security Officer is responsible for restricting employee access and handling any breaches of security.

In addition to securing the premises, the Security Officer must secure the physical technology as well. There must be clear guidelines around the use of cell phones, flash drives, and other items that can be used to remove electronic files from the facility. Policies must be in place to govern the transfer, removal, and disposal of electronic patient data and ensure that workstations are secure.

Technical Safeguards

The covered entity must take steps to ensure that there are technical systems in place to thwart the potential misuse or removal of protected health information. This involves limiting the number of people with access to electronic PHI, and implementing audit controls, such as hardware and software that log access to the facility's computer networks.

In addition, the Security Officer must implement integrity controls, which ensure that patient records are accurate and have not been erroneously altered in any way. This may be a system that logs every change to a patient record, complete with a date stamp and the login ID of the employee who altered the record. The covered entity must also take measures to ensure that PHI is not transmitted by way of the Internet or other unauthorized electronic network.
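The role-based access control from the Administrative Safeguards and the audit and integrity controls described here can be combined in one small system. The following is an added example, not code from the original page or from any covered entity: every read or change attempt on a patient record is logged with a UTC date stamp and the employee's login ID (denied attempts included), each log entry is chained to the previous one so that editing or deleting log entries is detectable, and the role map, user IDs and record fields are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
# Constructed role map (illustrative): which roles may read or change records.
ROLE_PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class PatientRecordStore:
    def __init__(self):
        self.records = {}    # patient_id -> {field: value}
        self.audit_log = []  # append-only audit trail

    def _log(self, user_id, role, action, patient_id, allowed, change=None):
        # Every access attempt, allowed or denied, gets a date stamp and login ID.
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "role": role, "action": action,
            "patient_id": patient_id, "allowed": allowed, "change": change,
            # Link to the previous entry so editing or deleting entries breaks the chain.
            "prev": self.audit_log[-1]["digest"] if self.audit_log else "",
        }
        entry["digest"] = _digest(entry)
        self.audit_log.append(entry)

    def read(self, user_id, role, patient_id):
        allowed = "read" in ROLE_PERMISSIONS.get(role, set())
        self._log(user_id, role, "read", patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not read {patient_id}")
        return dict(self.records.get(patient_id, {}))

    def update(self, user_id, role, patient_id, field, new_value):
        allowed = "write" in ROLE_PERMISSIONS.get(role, set())
        old = self.records.get(patient_id, {}).get(field)
        change = {"field": field, "old": old, "new": new_value} if allowed else None
        self._log(user_id, role, "update", patient_id, allowed, change)
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not alter {patient_id}")
        self.records.setdefault(patient_id, {})[field] = new_value

    def verify_log(self):
        # Recompute the chain; returns False if any entry was edited or removed.
        prev = ""
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True
```

Running `verify_log()` periodically, or before relying on the log during an investigation, is what turns the trail into an integrity control rather than just a record.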

Section 4. Transaction and Code Set Standards

The result of most health care encounters is that a claim is sent to a health plan, a requisition sent to a pharmacy, or perhaps a referral to a specialist. In these cases, the covered entity is engaging in what is termed a "transaction" under HIPAA. The Electronic Data Exchange (EDI) of patient health information has been regulated and standardized under HIPAA for the following types of transactions:

  • Claims and encounter information
  • Payment and remittance advice
  • Claims status
  • Patient Eligibility
  • Enrollment and Disenrollment
  • Referrals and authorizations
  • Coordination of benefits
  • Premium payment

Although many items are considered to be transactions, if a covered entity engages in just one of them, it is required to adhere to the transaction standards. Along with a set standard format for transferring patient information, there are specific codes that describe the type of health encounter, the procedures ordered, and the diagnosis of the patient. This provides a standard language for submitting insurance claims to health plans for reimbursement and allows for a more streamlined process for all involved.

The codes in use are: HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians' Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and Hospital Inpatient Procedures), ICD-10 (as of October 1, 2013) and NDC (National Drug Codes).

2012 Transaction Standards Updates

Based on updates made to the HIPAA privacy policy in 2009, there were changes made to the standards for electronic claims submissions. The updates, listed as 5010, D.0 and NCPDP 3.0, apply to the health, dental and insurance transactions. All covered entities are required to begin using the new format on Jan 1, 2012, with small health plans being given until Jan 1, 2013. The deadline for health care providers and large health plans to come into compliance is June 30, 2012. Any claims submitted after that time in other formats will be deemed not in compliance and run the risk of rejection.

Food for Thought

Do you feel that the Administrative Simplification Rules have actually simplified the way that PHI is transferred between covered entities?

Have you witnessed any of the administrative simplification rules in action?

How easy or difficult do you think it may be for the average small physician to implement the items above?


The Administrative Simplification Rules were created in order to fully implement the provisions outlined in HIPAA. The focus of the rules includes privacy, security, and standardization measures to help streamline the collection, use and transmission of PHI.