Mental & Behavioral Health
Practice Update from the National Association of Social Workers
© NASW January 2002
Overview of HIPAA Administrative Simplification Provisions
The passing of the Health Insurance Portability and Accountability Act (P.L.104-191) (HIPAA) by Congress in August 1996 set in motion broad reforms and changes in the health care industry. HIPAA is widely known for its focus on ensuring the portability of health insurance and eliminating pre-existing condition clauses. In addition, the lesser known Administrative Simplification provisions of HIPAA were designed to improve health care quality and reduce costs by simplifying the administration and management of health information. Congress recognized that the increasing integration of electronic transactions within the health care industry had the potential to decrease costs, paperwork, and administrative burdens, yet expanded the potential for inappropriate and unauthorized use, access, and disclosure of confidential health information if appropriate security and privacy standards were lacking.
This is a time of transition as the regulations are drafted, final rules and modifications are published, and compliance timelines are established. Under the HIPAA Administrative Simplification provisions, covered entities, defined as health plans, health care clearinghouses, and health care providers who transmit health information electronically, are expected to comply with the final regulations. Once a final rule is issued, covered entities have up to 24 months to comply with the standards, except small health plans with $5 million or less in receipts that have an additional year to comply. This practice update offers an overview of HIPAA Administrative Simplification requirements and resources to assist social workers as they familiarize themselves with these provisions and prepare for compliance, if applicable.
The Administrative Simplification provisions of HIPAA define rules and standards that must be followed by the health care industry to be compliant with HIPAA (Fraser & Stevens, 2001). Under these HIPAA provisions, the secretary of Health and Human Services (HHS) has been authorized to issue regulations to define standard electronic formats for common transactions, such as claims submission and billing, that also identify uniform data codes used for diagnoses and medical procedures; security standards to maintain the confidentiality of health information and to guard against unauthorized uses, disclosures, and access; a system of unique identifiers or identification numbers for individuals, health care providers, employers, and providers; and privacy regulations to protect client health information and clients' right to gain access to their health information (Redhead, 2001). As of November 2001, final rules have been published in two areas: (1) electronic transactions and (2) privacy of health information.
Below is a brief synopsis and status of each of the regulations, with links to the text of the final or proposed regulation. Additional resources are included at the end of this update.
Standards for Electronic Transmissions
The final rule was published August 17, 2000, with a compliance date of October 16, 2002. However, on December 27, 2001, the president did enact a law that extends the compliance date until October 16, 2003, for covered entities who submit a specified plan for their compliance with these standards to the secretary of HHS by October 15, 2002. Under these standards, HHS has proposed a standardized electronic format for eight common health care transactions:
Currently, the health care system continues to be heavily paper-based and without standardization and uniformity. Provider time is diverted from patients to administrative tasks such as filling out forms, filing claims, checking eligibility, and providing additional requested information. It has been estimated that 20 percent of health care costs can be attributed to paperwork (Redhead, 2001). In addition, between the public and private health care systems, there are multiple insurers and various formats and methods for filing claims. The intention of these standards is to reduce the burden on health plans and providers by simplifying the current complex process. Not surprisingly, simplifying this process has proven to be cumbersome. The public health system alone uses a multitude of state and local codes for the various transactions. Some of the codes are consistent nationally, but others reflect specialized services that may be covered by a specific state system, or for which there is no national code (Redhead).
What does the future hold? Instead of a variety of transactions and claims processes across different plans, providers will use standardized formats and codes for the electronic transactions mentioned earlier. The provisions will define a uniform format and set of transaction codes that must be used for any covered electronic transaction. Presently, many social work practitioners do not transmit claims and billing electronically; however, it is predicted that in response to HIPAA, many payers will shift to electronic claims processes and Internet technology (Cassidy, 2000; Redhead, 2001). Standardized electronic transactions may well become the norm over the next few years in the health care industry. As this happens, providers will need the capacity for electronic transmissions to receive third-party payments. The text of the final standards for electronic transmissions is available at www.hhs.gov/ocr/hipaa/.
Standards for Privacy of Individually Identifiable Health Information
The HIPAA Privacy Regulations, published on December 28, 2000, were authorized by the Bush administration on April 14, 2001, with a compliance date of April 14, 2003. These regulations were designed to ensure the privacy and confidentiality of client health information. The rule outlines clients' rights and provider requirements in respect to privacy and confidentiality. NASW has been an active participant in the evolution of the privacy regulations, providing comments to the original draft regulations, advising members about the implications of these regulations through practice updates and national and chapter news postings, and advocating to strengthen the regulations and ensure that the privacy rule is not weakened through further modifications. For further guidance and discussion about the privacy regulations and implications for social workers, see NASW's Mental and Behavioral Health Practice Updates, What Social Workers Should Know about the HIPAA Privacy Regulations (Bateman, 2001a) and Consent, Authorization, and Notice (Bateman, 2001b). The text of the HIPAA Privacy Regulations is available at www.hhs.gov/ocr/hipaa/.
In the interest of quality improvement and cost reduction, HIPAA authorized the development of unique identification numbers for providers, employers, health plans, and individuals. The intention was to facilitate the processing of claims and enrollment by establishing one set of national identification numbers used by the health care industry to identify providers, clients, and health plans (Fraser & Stevens, 2001). Controversy arose over the development of unique identification numbers for individuals (Redhead, 2001). There is much concern that development and use of an identification number for individuals would facilitate opportunities for tracking and accessing an individual's health information. The benefits in cost savings and care efficiency do not outweigh the potential for privacy breaches. For the time being, Congress has prohibited HHS from further work on the development of unique individual identifiers. The other standards were met with little opposition. In 1998 proposed rules were published for both the National Provider Identifier and Employer Identifier Standards. The final regulations are expected some time in early 2002. Currently, providers may be assigned multiple identification numbers by the various health plans with whom they do business. Under the National Provider Identifier Standards, providers would be assigned one identifier to use on all health care transactions. The text of the proposed National Provider Identifier and the Employer Identifier Standards is available on the Web at www.hhs.gov/ocr/hipaa/.
The Security Standards are intended to ensure that health plans, providers, and clearinghouses have appropriate administrative, physical, and technical safeguards in place to guarantee the security of electronic health information (Redhead, 2001). These regulations serve as a complement to the privacy regulations to ensure protection against unauthorized access to client protected health information. The proposed rules were published on August 12, 1998, and apply to both paper and electronic records. They do not require the use of specific technologies or vendors but rather define a range of procedures and practices, both technical and operational, that must be implemented. Thus, health plans, providers, and clearinghouses must assess their own level of risk and develop solutions tailored to their business. These proposed standards address the need for comprehensive security policies and procedures including staff training; safeguards for the physical storage, maintenance, and transmission of client information; and measures to secure access to client information and prevent unauthorized disclosures (California Medical Association, 2001). The final security standards are expected in early 2002. The text of the proposed regulations is available on the Web at www.hhs.gov/ocr/hipaa/.
In a draft document, the Workgroup for Electronic Data Interchange (2001) developed a series of questions for physicians to assess their level of risk in the context of HIPAA. Although not comprehensive and finalized, this tool may be relevant for social workers in similar settings as they begin to familiarize themselves with HIPAA and strategize their next steps to meet HIPAA security requirements. Listed below are the recommendations from that draft document, copyright by and used with permission from the Workgroup for Electronic Data Interchange (Note: PHI refers to client protected health information as defined by HIPAA):
Conduct a Privacy/Security Walkthrough of the Practice Site
Review Current Contracts and Documentation of Policies and Procedures
Examine the Security of any Special Technology in Use
References & Resources
The text of the final HIPAA Privacy Regulations as well as any guidance documents produced by the U.S. Department of Health and Human Services (DHHS) are available online at www.hhs.gov/ocr/hipaa/.
Fact sheets, frequently asked questions, and the text of the HIPAA Administrative Simplification regulations (proposed and/or final) are available on the DHHS Web site: aspe.os.dhhs.gov/admnsimp/Index.htm.
Phoenix Health, a health care information technology consulting and outsourcing firm, sponsors a HIPAA advisory Web site, which posts updated News on HIPAA, white papers, fact sheets, FAQs, and articles about HIPAA Administrative Simplification. Available online at www.hipaadvisory.com/.
Nancy Bateman, LCSW-C, CAC