Overview: What is HIPAA? Who does HIPAA affect? What will HIPAA change? Administrative simplification Fraud and abuse Insurance reform HIPAA companion legislation Other HIPAA regulations Our progress Contact us Titles: List of titles	Details: Administrative simplification Insurance reform provisions Certificates of creditable coverage Other Resources: HIPAA information on the Web HIPAAFAQs: Frequently asked questions -- general Frequently asked questions -- privacy HIPAA myths For Trading Partners: EDI sign-up and trading partner information

The most prominent aspects of HIPAA that affect almost everyone in the health care industry are described in detail here.

I. Administrative simplification

Electronic health transaction standards and code sets — There are no true standards for the electronic transfer of information between health care providers and insurance companies; over 400 electronic data interchange (EDI) formats are in use today.

HIPAA calls for a standard in the way health information is transferred and the use of standard codes to identify each disease, illness and other health problems. These standard formats and codes will make communications easier and more cost-effective.

The implementation guides for the new electronic health care transaction standards can be downloaded here.

They include:

• 270/271: Health Care Eligibility Benefit Inquiry and Response
• 276/277: Health Care Claim Status Request and Response
• 278: Health Care Services Review
• 835: Health Care Claim Payment/Advice
• 837: Health Care Claim — Professional
• 837: Health Care Claim — Dental
• 837: Health Care Claim — Institutional
• 820: Payroll Deducted and Other Group Premium Payment for Insurance Products
• 834: Benefit Enrollment and Maintenance

Unique identifiers — In conjunction with HIPAA's Administrative Simplification efforts, the Centers for Medicare and Medicaid Services (CMS) proposed four unique identifiers for the purpose of standardizing the identification numbers for providers, employers and plans to ensure future consistency and ease of use. Of the four proposed identifiers, one has been finalized, one has been discarded and two remain in a "proposed" state.

• Standard Unique Employer Identifier – The standard unique employer identifier is the standard employer identification number (EIN) that appears on an employee's federal Internal Revenue Service (IRS) Form W-2, Wage and Tax Statement received from their employer. The EIN will be used to identify an entity acting in an employer role in standard HIPAA transactions. It will not identify the patient's health plan or insurance coverage and will not replace the group number, account number, policy number or subscriber number. The regulations do not require employers to use the EIN or submit standard transactions, however, when an employer elects to use electronic HIPAA Transactions, the EIN will be used in those transactions initiated by the employer itself, such as the enrollment in a health plan standard transaction (X12N 4010A1 834 transaction). In all standard electronic transactions conducted by the health care provider, the employer identifier is not used or is situational. In the instances when an EIN could be used by a health care provider to identify an employer its' usage is contingent upon the health care provider's ability to obtain the EIN from the employer. If a health care provider is unable to obtain the EIN, then the situational data condition has not been met and it's use is not required. Health plans and clearinghouses that engage in electronic commerce are required to use the EIN to identify the employer in standard electronic health transactions that require an employer identifier. Health plans are permitted, as part of their business arrangements with employers, to require employers to use the standard transactions and to provide their EINs for this purpose. The standard unique employer identifier was published in the May 31, 2002 Federal Register by the Centers for Medicare and Medicaid Services (CMS). The rule's effective date is July 30, 2002, with a compliance date of July 30, 2004. Very small payers have an additional year to comply.
  
  
• The National Provider Identifier (NPI) is proposed for the purpose of uniquely identifying anyone that provides medical or other health services or supplies. The intent of the NPI is to replace the multiple proprietary provider numbers that various payers have assigned to any one provider with a unique number that each provider will retain indefinately. However, multiple location providers may have one NPI assigned per each location. As currently proposed, NPIs will consist of an alphanumeric identifier most likely to be assigned by a federal agency. The proposed National Provider Identifier was in the May 7, 1998 Federal Register by the Centers for Medicare and Medicaid Services (CMS).
  
  
• National Health Plan Identifier (NHI) – a proposed identifier to uniquely identify health plans and payers is under consideration. No additional information is available at this time regarding the composition or length of this identifier.
  
  
• National Individual Identifier – a proposed identifier for individuals is not being pursued, as the government is not allotting funding for its development. The concept of an individual identifier has been discarded, as there is much controversy as to how it can be implemented without comprising individual privacy.

Security — The final security regulation adopts national standards that covered entities and their business associates must meet to safeguard the confidentiality, integrity, and availability of electronic protected health information (ePHI). The scope of the HIPAA security rule applies only to health information in electronic form.

The security standards were developed to be comprehensive, scalable, and technology neutral in order to apply to many organizational sizes and types. The implementation requirements will vary business-by-business and can be implemented regardless of what computer systems the company uses. Anyone who transmits or maintains electronic health information must at least conduct a risk assessment and develop a security plan to protect this information.

In order to achieve these goals, Covered Entities are required to utilize three categories of security safeguards:

1. Administrative safeguards - these are administrative actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
   
   
2. Physical safeguards - these are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
   
   
3. Technical safeguards - these are the technology and the policy and procedures for its use that protect electronic protected health information and control access to ePHI.

Enforcement of the security standards will be addressed in future regulations.

Privacy — HIPAA's privacy standards refer to all medical records and other individually identifiable health information in any format, whether communicated electronically, on paper or orally.

Patient rights include:

• Receipt of a written explanation of how their health information may be used, kept and disclosed.
  
  
• The right to see and get copies of their health records and request changes.
  
  
• Limitation of the use or disclosure of protected health information.
  
  
• An accounting of uses or disclosures for other than treatment, payment or health care operations.
  

II. Insurance reform provisions

Certificate of creditable coverage — If you change jobs or lose your health coverage, your previous employer or insurance company is required to issue you a certificate. This certificate will provide evidence of your prior coverage, which can be applied to any pre-existing condition waiting periods on your new health insurance if you meet eligibility requirements.

If you use continued coverage through COBRA, you will be issued a certificate from your insurance carrier when that coverage is terminated or exhausted.

Under HIPAA guidelines, these certificates can be issued as proof of coverage as far back as June 1, 1997. A certificate issued for that date would show proof of coverage as of June 30, 1996.

Members of Highmark Blue Shield insurance plans can request a certificate of creditable coverage by calling the member services number on the back of their insurance card.

Pre-existing conditions and waiting periods — A condition for which medical advice, diagnosis, care or treatment was recommended or received within six months before an individual enrolls in a new health plan.

If you had a medical condition seven months ago, and have not received care or treatment for the past seven months, it is not considered a pre-existing condition.

A pre-existing condition generally does not apply to pregnancy, newborns or adopted children under age 18.

Some health plans will limit or deny coverage and treatment of a pre-existing condition. Under HIPAA, a health plan must limit that period of time to no more than 12 months (18 months if you are a late enrollee). You may be able to bypass some or all of the waiting period if you have proof of prior coverage that did not lapse for more than 63 days (see breaks in coverage).

For example: You are diagnosed with carpal tunnel syndrome in January. You've had health insurance through your company for 10 years and you start a new job with new benefits in February.

Your new health plan doesn't cover care or treatment of pre-existing conditions for one year. Under HIPAA guidelines, the company will have to waive that waiting period of one year because you had continuous coverage over that past year.

Breaks in coverage — A break in coverage is defined as more than 63 consecutive days of not carrying insurance. If this occurs, you are not eligible for creditable coverage toward a pre-existing condition.

For example: You were employed at your job for two years but quit three months ago (90 days) and didn't opt to continue coverage through COBRA. You have a pre-existing condition and your new employer's health plan has a waiting period of 12 months for care and coverage for a pre-existing condition. Therefore, you will have to wait the entire 12 months for your new employer's benefits to cover treatment for that pre-existing condition.

Special enrollment provision — A requirement for health insurance issuers to provide special enrollment periods during which individuals who previously declined coverage may be allowed to enroll without having to wait until the plan's next open enrollment period.

A person becomes eligible for a special enrollment period if that person loses his or her health coverage or becomes a new dependant by marriage, birth, adoption or placement for adoption.

Availability and renewability of health insurance coverage — Prohibits discrimination against employees and their dependents when considering their enrollment in a health plan, based on health status.

Insurers must guarantee renewal of all group health plans with the exception of the following situations:

• Termination of plan
• Fraud
• Violation of participation and contribution rules
• Enrollee movement outside of service area
• Non-payment of premium
• Association membership ceases

Pre-emption provisions — States may impose shorter waiting periods for pre-existing condition exclusions and longer enrollment eligibility periods for individuals and dependents than permitted by the act.

States may also substitute their own programs for ensuring the availability of health coverage for the individual market segment, provided such programs include at least the same renewal and portability requirements as the act.