What Physician Executives Need to Know about HIPAA: Cutting to the Chase
By J. Michael Fitzmaurice, Ph.D., and Jeffrey S. Rose, M.D.
All health care providers, plans, and clearinghouses will be affected by the Federally mandated uniform standards for administrative transactions. This article presents distilled core information about the Health Insurance Portability and Accountability Act (HIPAA) legislation—the standards, penalties for violations, and status of final rules. It also raises several key unsolved issues of which clinicians, executives, and health care providers must be aware so they can prepare and plan for the upcoming changes.
HIPAA is intended to improve the efficiency and effectiveness of the health care system, as well as to increase the protection and confidentiality of individually identifiable health information. The costs of making the transition to the legislated standards and processes remain a worrisome factor. Although there are 2 years before these standards must be implemented, and cost and compliance issues resolved, work has already begun in many health institutions to identify and address them.
Used with permission from The Physician Executive. Adapted from The Physician Executive, May-June 2000, pp. 42-49, Copyright © 2000.
When a patient walks into a drug store to purchase a prescribed medication, the swipe of a card enters his or her insurance and personal identification information into the pharmacists' information system. The pharmacist keys in the drug information and the system determines the patient's eligibility, coverage for that drug, and co-payment responsibility. The pharmacist later receives electronic payment for the portion of the prescription costs not paid by the patient. Why are such benefits not available for transactions in a physician's office, hospital, or ambulatory clinic?
Imagine the benefits—the savings in billing costs and time, and the greater certainty of coverage and payment responsibility—if, with the push of a button, a physician's claim was sent to the right insurance company with all the information necessary to process it and payment was promptly made electronically. With hundreds of different insurance claim formats and data content requirement variations, it is no wonder that these benefits have been slow in coming.
Traveling around the United States to inform audiences about Health Insurance Portability and Accountability Act (HIPAA), the authors have experienced two predominant reactions: grave concern or abject ignorance. Among those who are aware of the legislation, strong opinions exist about the likelihood that the mandated standards will actually come to pass and the ability of the government and the health industry to monitor and enforce the "rules."
Great anxiety is expressed about the practical and financial impact of implementing the standards and the benefits to be received. Controversy rages over the possible consequences of the law on health information privacy and confidentiality. Those in the "unaware" category seem surprised to hear that within 2 years many customary methods in health care will change markedly and that failing to comply with the new practices can bring significant penalties.
Reading the HIPAA legislation and the "Notices of Proposed Rule Making" (NPRM) that are published for public commentary before final regulations are issued gives little comfort and an incomplete understanding to both the alarmists and the Panglossian optimists. Many questions remain.
Physician executives generally fall somewhere between these extremes. They are uneasily hoping that the "health plan," "information technology division," or "billing and claims department" will handle the issue. But they remain properly concerned that, since medical practice and health care management fundamentally hinges on information about patients, ignorance in this arena will be far from bliss.
Over the past three decades, the health industry has found itself drowning in an increasingly expensive and confusing morass of idiosyncratic data and "form" submissions required for insurance claim processing and reimbursement. By 1990, leaders in health care were asking Congress to charge the Secretary of Health and Human Services (HHS) with choosing administrative transaction standards to streamline, simplify, and economize the payment process and mandating their implementation by providers, plans, and clearinghouses. The result was the Kassebaum-Kennedy Bill, entitled the Health Insurance Portability and Accountability Act (HIPAA), signed into law (Public Law 104-191) by President Clinton on August 21, 1996.
The "Administrative Simplification" section of HIPAA is intended to improve the efficiency and effectiveness of the health care system, as well as to increase the protection and confidentiality of individually identifiable health information. This is to be accomplished "by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information." [1]
The law requires the health industry to implement a series of data and transaction standards, including using a single electronic format for health providers to bill for their services. Additional standard processes are included for:
- Health plan enrollment and disenrollment.
- Insurance eligibility checking.
- Payment and remittance advice.
- Authorization of referrals.
- Other kinds of health information exchange.
The financial benefits anticipated from uniform billing, claims processing, coordination of benefits, and other functions are estimated to exceed the costs of implementing the standards by $1.5 billion in the first 5 years (a net savings of $1.7 billion for health plans, and a net cost of $0.2 billion for providers). The single year net savings for the year 2002 could be $3.1 billion ($1.6 billion for plans and $1.5 billion for providers). [2]
Essentially, HIPAA requires the Secretary of HHS to adopt and mandate the use of standards for common electronic administrative transactions and to establish a privacy standard for personal health information. [3]
The Department of HHS has released some of these proposed standards (many are developed and in use to some degree) in a published "Notices of Proposed Rule Making," which invites public commentary. The regulations become final only after these comments have been taken into account.
There are four important features of the legislation to bear in mind:
- Health care providers do not have to engage in electronic health transactions. But if they do, they must comply with HIPAA transaction data standards. Providers may comply by sending paper or nonstandard electronic transactions to a "clearinghouse," where they must be converted into the required format and data elements.
- Health plans must be able to accept transactions in standard HIPAA format, may not refuse or delay a transaction, or adversely affect the entity sending it for "lack of proper content" if the transaction is compliant with standard health information data elements. (Plans will, however, be able to ask for additional information to determine the reasonability of the claim, such as test results to support a diagnosis.) They may comply by receiving transactions at a designated clearinghouse, which then legitimately converts them to the plan's internal format.
- Those covered by HIPAA security standards must protect the health care information they maintain or transmit electronically from improper access, alteration, or loss.
- Those covered by HIPAA privacy standards must not wrongfully disclose individually identifiable health information.
Although most of the HIPAA standards apply to electronic transactions, they have far-reaching effects on the organization, protection, and transmission of health care data for many other purposes. With few exceptions, the standards apply to each and every provider, plan, and clearinghouse that transmits any health information in electronic form.
HIPAA transactions include:
- Health claims or equivalent encounter information transfer.
- Health claims attachments.
- Enrollment and disenrollment actions in a health plan.
- Eligibility status in a health plan.
- Health care payment and remittance advice.
- Health plan premium payments.
- First report of injury.
- Health claim status.
- Referral certification and authorization.
The supporting HIPAA standards for transactions are:
- Unique identifiers for each individual, employer, health plan, and health care provider.
- Code sets for selected data elements.
- Assurances of security and confidentiality for health information.
- Electronic signature standards for health information transactions.
- Specific data sets for coordination of benefits information.
The Secretary of HHS is also required to promulgate final regulations with respect to the privacy of individually identifiable health information in the absence of federal legislation.
Each covered entity that fails to comply with HIPAA requirements can be fined not more than $100 per violation, up to a maximum of $25,000 per year for all violations of a given standard. An entity could be penalized up to a maximum of $250,000 and imprisoned for up to 10 years for wrongful disclosure of individually identifiable health information. The maximum penalties for wrongful disclosure could be assessed if "the offense is committed with intent to sell, transfer, or use individual identifiable health information for commercial advantage, personal gain, or malicious harm." [4]
The general tenor, however, is to promote efficiency by encouraging compliance. HIPAA allows the HHS Secretary to forego or reduce the penalty if the entity reasonably did not know of the violation (but not under circumstances of willful neglect). Further, the Secretary may give the entity additional time or provide technical assistance to reach compliance.
Pre-emption of State Law
Standards for HIPAA transactions supersede contrary provisions of state law, unless the Secretary determines that the law addresses controlled substances, is "otherwise necessary," or, in the case of privacy, is more stringent than the Federal health information privacy requirements.
Widespread industry input is required for the adoption of HIPAA transactions standards. The HHS Secretary must consult with:
- The National Uniform Billing Committee (chaired by a representative of the American Hospital Association).
- The National Uniform Claim Committee (chaired by a representative of the American Medical Association).
- The Workgroup for Electronic Data Interchange (with significant insurance industry representation).
- The American Dental Association.
Additionally, the Secretary must rely on the recommendations of the National Committee on Vital and Health Statistics (NCVHS), a national advisory council of 18 experts drawn from the private sector to advise on health data policy, and must consult with appropriate Federal and State agencies and private organizations. On the privacy regulation, the Secretary must consult with NCVHS and the Attorney General.
Moreover, the Secretary must adopt standards that have achieved industry consensus through processes accredited by the American National Standards Institute (ANSI). HIPAA restricts the choices of standards to those that have been developed, adopted, or modified by a standards setting organization that is accredited by ANSI, unless: 1. the different standard will substantially reduce administrative costs and 2. proper rulemaking procedures are followed.
Since the latter half of 1996, HHS has examined health data standards with substantial industry consultation and public commentary obtained from the Notices of Proposed Rule Making (NPRM).
HIPAA Transactions and Code Sets
The NPRM for HIPAA claims transactions and code sets was published on May 7, 1998. The standard was developed by X12, an ANSI-accredited standards committee, and is labeled "837." "X12 837" provides a format for submitting an electronic claim, including the data elements that must be present for payment and the code sets that specify the acceptable values data elements may take on.
To handle the more detailed specifications and range of different situations, an official implementation guide is incorporated by reference. Along with X12 837, the NPRM proposed adopting:
- ICD-9 codes for institutional-based procedures.
- CPT-4 and HCFA Common Procedure Coding System (HCPCS) codes for non-institutional or ambulatory department procedures.
- National Council for Prescription Drug Programs (NCPDP) codes for drug payment claims.
National Standard Provider Identifier
Also on May 7, 1998, the NPRM for the national provider identifier (NPI) proposed an eight-digit alphanumeric identifier for use in electronic claims processing. The NPI would be unique for each provider and assigned for life. Persuasive public comments argued, however, that for ease of use, the NPI should be only numeric. Adopting this public comment would increase the size of the identifier to 10 digits, including one mathematically calculated digit to assure the accuracy of the other digits.
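As an added illustration (not part of the original article) of the "mathematically calculated digit" mentioned above, the following Python computes and validates a Luhn mod-10 check digit for a 10-digit numeric provider identifier. The article does not name the algorithm; the Luhn scheme and the 80840 prefix folded into the calculation are assumptions here (they match what the final NPI rule later specified), and the sample identifiers are constructed.

```python
# Added example: Luhn mod-10 check digit for a 10-digit numeric provider
# identifier. The article only says the tenth digit is "mathematically
# calculated"; the Luhn scheme and the 80840 prefix are assumptions here
# (they match what the final NPI rule later specified).
from typing import Iterable, List

NPI_PREFIX = "80840"  # assumed prefix folded into the check-digit calculation


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits.

    Working from the right, every second digit (starting with the rightmost
    payload digit) is doubled and, if the result exceeds 9, reduced by 9.
    The check digit is whatever makes the total a multiple of 10.
    """
    if not payload.isdigit():
        raise ValueError("payload must contain only decimal digits")
    total = 0
    for position, ch in enumerate(reversed(payload)):
        digit = int(ch)
        if position % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return (10 - total % 10) % 10


def make_provider_id(base: str, prefix: str = NPI_PREFIX) -> str:
    """Append the check digit to a 9-digit base, giving the 10-digit identifier."""
    if len(base) != 9 or not base.isdigit():
        raise ValueError("base must be exactly 9 decimal digits")
    return base + str(luhn_check_digit(prefix + base))


def is_valid_provider_id(identifier: str, prefix: str = NPI_PREFIX) -> bool:
    """True if the identifier is 10 digits whose last digit is the correct check digit."""
    if len(identifier) != 10 or not identifier.isdigit():
        return False
    return luhn_check_digit(prefix + identifier[:9]) == int(identifier[9])


def find_invalid_ids(identifiers: Iterable[str]) -> List[str]:
    """Screen a batch (for example, the provider IDs in a claims file) and
    return the entries that fail the check.

    Any single mistyped digit and almost every transposition of two adjacent
    digits (09 <-> 90 is the known exception) changes the check digit, so such
    keying errors are caught before a claim leaves the office.
    """
    return [i for i in identifiers if not is_valid_provider_id(i)]


if __name__ == "__main__":
    # Constructed sample batch: one good identifier, one single-digit error,
    # and one adjacent transposition of the first two digits.
    batch = ["1234567893", "1234567793", "2134567893"]
    print("invalid identifiers:", find_invalid_ids(batch))
```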
National Standard Employer Identifier
Released for public comment on June 16, 1998, the national employer identification number is issued and maintained by the Internal Revenue Service. Because there is widespread industry acceptance and use of this identifier, it generated the fewest comments.
The HIPAA security standard, released for public comment on August 12, 1998, fulfills the mandate that any covered entity "that maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards." [5] This standard proposes areas of risk avoidance that must be addressed by covered entities to protect individually identifiable health information from improper access, alteration, or loss. It is intended to assist health plans, providers, and clearinghouses to establish appropriate safeguards for ensuring the integrity and confidentiality of this information.
Its flexibility permits entities of various sizes and complexities to have different security solutions. For example, a solo practitioner will not be expected to have the more elaborate security mechanisms of a large health plan. Because none of the HIPAA transactions presently requires an electronic signature, adopting a supporting standard could be delayed until the health industry, or industry in general, settles on a common mechanism for a digital signature.
The privacy proposal, published on November 3, 1999, establishes Federal protection for the confidentiality of individually identifiable health information. This protection is balanced with permitted disclosures of the information by covered entities under specified conditions, for such purposes as public health, research, and law enforcement. It gives individuals more control over the use of their personal health information and reaffirms the rights of patients to see, copy, and amend this information, and to learn of any disclosures.
Generally, individuals must consent to all disclosures of their health information for uses other than health care, payment, and operations. Exceptions are spelled out in the rule, along with the conditions that must be met for the exceptions to be valid. Health plans, providers, and clearinghouses that engage in electronic HIPAA transactions must notify patients about their health information privacy practices and inform them of their methods for tracking permissible disclosures. Clearinghouses that simply pass on electronic health transactions without manipulating the data would be exempt from many of these requirements.
Additional HIPAA Standards
Final rules for the standards should be published some time later this year. Also, standards for a national health plan identifier and for health claims attachments, which supply additional information to plans to determine a claim's reasonableness, will be proposed for public comment. Work on the national individual (patient) identifier was halted in 1998 by Vice President Gore until the privacy of health information is adequately protected. Congress forbade HHS to spend appropriated funds on implementing such identifiers until specifically approved by law.
By law, each health plan, provider, and clearinghouse must comply with the particular HIPAA administrative simplification standard or specification no later than 24 months after the Secretary's adoption (small health plans will have 36 months). "Small health plans" are to be defined by the Secretary, possibly those with fewer than 50 beneficiaries or with gross revenues below a given level. If the transactions and code set rules are published in final form in June 2000, with an effective date of August 2000, full compliance would be expected by August 2002.
Although covered entities could agree among themselves to conduct transactions using the adopted standards before August 2002, penalties could not be assessed before then. Most of the standards with published Notices of Proposed Rule Making will likely have compliance dates in 2002. The claims transactions and code sets standards are expected to be the first to be formally adopted.
The costs of making the transition to the legislated standards and processes remain a worrisome factor. Testing and certifying that covered entities meet HIPAA standards will be a health industry responsibility, because there is no Federal funding for these purposes. National (both Federal and private) resources for implementing and maintaining standards, like the national provider identifier, will be needed. Further, covered entities will most likely adopt the various standards in some sort of sequence, rather than trying to implement all of them simultaneously, which will necessitate continual adjustments and expense until the total set is achieved.
All providers, plans, and clearinghouses will be affected by the federally mandated uniform standards for health care administrative transactions. For providers who deal with billing services and clearinghouses for claims transactions, the standards will be transparent. Over time, as providers purchase new information systems and software that incorporate these standards, they will gain the capability to deal directly with plans for electronic claims submission and payment.
The costs of protecting against security risks will probably rise with the size of the provider's business. The privacy standard will clarify how individually identifiable health information is to be protected—the rights of individuals and the responsibilities of the covered entities. Obtaining these benefits, however, will require additional resources to reduce the risk of unwarranted disclosure. Many good protection practices can be found in the report of the National Research Council, For the Record: Protecting Electronic Health Information. [6] Additional information on privacy and the health system may be found in The Limits of Privacy by Amitai Etzioni. [7]
The largest opportunity for modifying each standard is during the NPRM's public comment period. For five of the standards, that window of opportunity has passed. However, there is a 2-year period between the effective date of each final standard and its required implementation, giving rise to the potential for suggesting changes that improve effectiveness and reduce the burden of compliance. Four more standards are planned with no timetable for release.
Providers can have a strong voice in changing the standards by working through representation at the meetings of the standard developing organizations, X12 and NCPDP in particular, and the national uniform billing and claims committees, and through official updating processes that will be established under HIPAA.
The information age brings continual change and opportunities to improve the efficiency of administrative practices. It also brings growing responsibility to protect the confidentiality of personal health information shared in those practices. Although there are 2 years before these standards must be implemented and cost and compliance issues resolved, work has already begun in many health institutions to identify and address them.
1. Report on H.R. 3103, Health Insurance Portability and Accountability Act of 1996. Congressional Record (July 31, 1996), 142(115), Washington, DC: USGPO, H9473-9516. Section 261.
2. "Notice of Proposed Rulemaking for the National Standard Health Care Provider Identifier, IX. Impact Analysis, A. Executive Summary," Federal Register: May 7, 1998 (Volume 63, Number 88), Proposed Rules, pp. 25320-57.
3. Fitzmaurice JM. A New Twist in U.S. Health Care Data Standards Development: Adoption of Electronic Health Care Transactions Standards for Administrative Simplification. International Journal of Medical Informatics 1998; 48(1-3):19-28.
4. Report on H.R. 3103, Health Insurance Portability and Accountability Act of 1996. Congressional Record (July 31, 1996), 142(115), Washington, DC: USGPO, H9473-9516. Section 1177.
5. Report on H.R. 3103, Health Insurance Portability and Accountability Act of 1996. Congressional Record (July 31, 1996), 142(115), Washington, DC: USGPO, H9473-9516. Section 1173 (d) (2).
6. Computer Science and Telecommunications Board, National Research Council. For the Record: Protecting Electronic Health Information. Washington, DC: National Academy Press, 1997.
7. Etzioni A. The Limits of Privacy. New York: Basic Books (Perseus Books Group), 1999.
J. Michael Fitzmaurice, Ph.D., is Senior Science Advisor for Information Technology in the Immediate Office of the Director, Agency for Healthcare Research and Quality (AHRQ). He can be reached by calling (301) 427-1227 or via E-mail at MFitzmau@ahrq.gov. The views expressed here are his and not necessarily those of AHRQ or of the Department of Health and Human Services.
Jeffrey S. Rose, M.D., is the Chief Medical Officer of CyberPlus Corporation, author of Medicine and the Information Age (ACPE Press, 1998), and an instructor of the health informatics course for the American College of Physician Executives. He can be reached by calling (303) 981-3220 or via E-mail at email@example.com.
Numerous educational opportunities are available to inform and assist physician executives in complying with HIPAA transaction standards. There will be many courses, seminars, and consultants interested in aiding the transition, but a good start is viewing the World Wide Web sources for the public comments on the proposals, implementation guides, and schedule for publication of the HIPAA regulations at http://aspe.hhs.gov/admnsimp/.
American Health Information Management Association
233 N. Michigan Avenue, Suite 2150
Chicago, Illinois 60601-5519
The 38,000 members of the American Health Information Management Association (AHIMA) are experts in both clinical data and information management working in a variety of care settings including hospitals, physician offices, managed care organizations, and long-term care facilities. With a 70-year tradition of promoting quality health care through quality information, AHIMA has been instrumental in shaping industry standards, legislation, and regulation and in educating government agencies and the public on health information management issues.
American Medical Informatics Association
4915 St. Elmo Avenue, Suite 401
Bethesda, Maryland 20814
The American Medical Informatics Association (AMIA) is dedicated to the development and application of information technology that supports patient care, teaching, research, and health care administrators. Its 3,700 members include developers of clinical information systems, academically based health care professionals, and health care information systems users.
Center for Healthcare Information Management
3800 Packard Road, Suite 150
Ann Arbor, Michigan 48108-2073
The Center for Healthcare Information Management's (CHIM) mission is to positively impact the industry through the promotion of health care information technology. By disseminating information, convening educational programming, and fostering a collaborative environment, CHIM members seek to bring a greater awareness and understanding among professionals on how information technology can be harnessed to improve the quality and cost effectiveness of health care.
College of Healthcare Information Management Executives
3300 Washtenaw Avenue, Suite 225
Ann Arbor, Michigan 48104-4250
The College of Healthcare Information Management Executives (CHIME) is dedicated to serving the professional needs of CIOs and advancing the strategic application of information management in health care.
Healthcare Information and Management Systems Society
230 East Ohio Street, Suite 500
Chicago, Illinois 60611-3269
The Healthcare Information and Management Systems Society (HIMSS) provides leadership in health care for the management of systems, information, and change through high quality publications, educational opportunities, and member services. HIMSS has 40 regional chapters and more than 12,000 members working in health care organizations internationally. Members include professionals in the fields of clinical systems, information systems, management engineering, and telecommunications.
Joint Healthcare Information Technology Alliance
Advocacy Liaison for JHITA
3800 Packard Road, Suite 150
Ann Arbor, Michigan 48108-2037
(734) 937-6116, ext. 109
The Joint Healthcare Information Technology Alliance (JHITA), is composed of the American Health Information Management Association (AHIMA), American Medical Informatics Association (AMIA), Center for Healthcare Information Management (CHIM), College of Healthcare Information Management Executives (CHIME), and Healthcare Information and Management Systems Society (HIMSS).