Department of Health and Human Services

Fact Sheet

October 2003

Contact: HHS Press Office
(202) 690-6343
CMS Public Affairs Office
(202) 690-6145

ADMINISTRATIVE SIMPLIFICATION UNDER HIPAA:
NATIONAL STANDARDS FOR TRANSACTIONS, PRIVACY AND SECURITY


Overview: To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 included a series of "administrative simplification" provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health plans, health care clearinghouses, doctors, hospitals and other health care providers to process claims and other transactions electronically. The law also requires the adoption of privacy and security standards in order to protect individually identifiable health information. HIPAA administrative simplification regulations include:

  • Electronic health care transaction and code sets (final rule issued);
  • Health information privacy (final rule issued);
  • Unique identifier for employers (final rule issued);
  • Security requirements (final rule issued);
  • Unique identifier for providers (proposed rule issued; final rule in development);
  • Unique identifier for health plans (proposed rule in development); and
  • Enforcement procedures (interim rule issued; proposed rule in development).

Under HIPAA, most health plans, health care clearinghouses and health care providers who engage in certain electronic transactions have two years from the time the final regulation takes effect to implement each set of final standards. More information about the HIPAA standards is available at www.cms.gov/hipaa/hipaa2 and www.hhs.gov/ocr/hipaa.

BACKGROUND

Health plans, hospitals, pharmacies, doctors and other health care entities generally have used a wide array of systems to process and track health care bills and other information. Hospitals and doctors' offices may treat patients with many different types of health insurance and would have to spend time and money ensuring that each claim contains the format, codes and other details required by each insurer. Similarly, health plans spend time and money to ensure their systems can handle transactions from various health care providers and clearinghouses.

Enacted in August 1996, HIPAA was designed to make health insurance more affordable and accessible. With support from the health care industry, Congress also included provisions in HIPAA to require HHS to adopt national standards for certain electronic health care transactions, code sets, identifiers and the security of health information. HIPAA also set a three-year deadline for Congress to enact comprehensive privacy legislation to protect medical records and other personal health information. When Congress did not meet this deadline, HIPAA required HHS to issue health privacy regulations.

Privacy and security standards promote higher quality care by assuring consumers that their health information will be protected from inappropriate uses and disclosures. In addition, uniform national transaction and code set standards will save billions of dollars each year for health care businesses by lowering the costs of developing and maintaining software and reducing the time and expense needed to handle health care transactions.

COVERED ENTITIES

In HIPAA, Congress required health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically (such as eligibility, referral authorizations and claims) to comply with each set of standards. Other businesses may voluntarily comply with the standards, but the law does not require them to do so.

COMPLIANCE SCHEDULE

In general, the law requires covered entities to come into compliance with each set of standards within two years following adoption, except for small health plans, which have three years to come into compliance. For the electronic transaction and code sets rule only, Congress in 2001 enacted legislation extending the deadline to Oct. 16, 2003 for all covered entities, including small health plans. The legislative extension did not affect the compliance dates for the health information privacy rule, which were April 14, 2003 for most covered entities (and April 14, 2004 for small health plans).

DEVELOPING STANDARDS

Under HIPAA, HHS must adopt recognized industry standards when appropriate. HHS works with industry standard-setting groups to identify and develop consensus standards for specific requirements. For each set of standards, HHS first develops proposed requirements to obtain public feedback. After analyzing public comments, HHS makes appropriate changes before adopting the standards. The law also allows HHS to propose appropriate changes to the HIPAA regulations to ensure that the standards can be implemented effectively and be maintained over time to continue to meet industry needs.

ELECTRONIC TRANSACTION AND CODE SETS STANDARDS

In August 2000, HHS issued final electronic transaction and code sets standards to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. HHS adopted modifications to some of those standards in final regulations published on Feb. 20, 2003. Overall, the regulations establish standard data elements, codes and formats for submitting electronic claims and other health care transactions. By promoting the greater use of standardized electronic transactions and the elimination of inefficient paper forms, these standards are expected to provide a net savings to the health care industry of $29.9 billion over 10 years. All health care providers will be able to use the standardized transactions to bill for their services, and all health plans will be required to accept these standard electronic transactions.

All covered entities must be in compliance with the electronic transaction and code set standards by Oct. 16, 2003. However, HHS' Centers for Medicare & Medicaid Services (CMS) -- the agency charged with overseeing the implementation of these standards -- issued guidance in July 2003 regarding the enforcement of the HIPAA transactions and code set standards after Oct. 16, 2003. The guidance clarified that covered entities that make a good-faith effort to comply with the standards may implement contingency plans to maintain operations and cash flow. Specifically, as long as a health plan demonstrates a good-faith effort to come into compliance through active outreach and testing efforts, it can continue processing payments to providers using non-standard transactions.

CMS will focus on obtaining voluntary compliance and use a complaint-driven approach for the enforcement of the electronic transactions and code sets provisions. Entities that wish to file an electronic transaction and/or code set complaint can do so electronically at www.cms.gov/hipaa/hipaa2.

PRIVACY STANDARDS

In December 2000, HHS issued a final rule to protect the confidentiality of individually identifiable health information. The rule limits the use and disclosure of certain individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding the use and disclosure of records for certain public responsibilities, such as public health, research and law enforcement. Improper uses or disclosures under the rule may be subject to criminal or civil sanctions prescribed in HIPAA.

After reopening the final rule for public comment, HHS Secretary Tommy G. Thompson allowed it to take effect as scheduled, with compliance for most covered entities required by April 14, 2003. (Small health plans have an additional year.) In March 2002, HHS proposed specific changes to the privacy rule to ensure that it protects privacy without interfering with access to care or quality of care. After considering public comments, HHS issued a final set of modifications on Aug. 14, 2002. Most covered entities were required to comply with the privacy rule by April 14, 2003; small health plans have until April 14, 2004 to come into compliance, as required under the law. Detailed information about the privacy rule is available at www.cms.gov/hipaa/hipaa2/enforcement.

SECURITY STANDARDS

In February 2003, HHS adopted final regulations for security standards to protect electronic health information systems from improper access or alteration. Under the security standards, covered entities must protect the confidentiality, integrity and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care. The standards use many of the same terms and definitions as the privacy rule to make it easier for covered entities to comply. Most covered entities must comply with the security standards by April 21, 2005, while small health plans will have an additional year to come into compliance.

EMPLOYER IDENTIFIER

In May 2002, HHS issued a final rule to standardize the identifying numbers assigned to employers in the health care industry by using the existing Employer Identification Number (EIN), which is assigned and maintained by the Internal Revenue Service. Businesses that pay wages to employees already have an EIN. Currently, health plans and providers may use different ID numbers for a single employer in their transactions, increasing the time and cost for routine activities such as health plan enrollments and premium payments. Most covered entities must comply with the EIN standard by July 30, 2004. (Small health plans have an additional year to comply.)

OTHER HIPAA REGULATIONS

HHS is currently developing other administrative simplification standards. HHS has published proposed regulations for national identifiers for health care providers and is now reviewing public comments and preparing final regulations. HHS also is working to develop other proposed standards, including a national health plan identifier and additional electronic transaction standards. In addition, HHS is developing a rule regarding enforcement of the HIPAA requirements. Part of this rule was issued as an interim final rule on April 17, 2003. The rest of the enforcement rule will be proposed for public comment. The status of key standards required under HIPAA follows:

National provider identifier. In May 1998, HHS proposed standards to require hospitals, doctors, nursing homes, and other health care providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. Providers would apply for an identifier once and keep it if they relocated or changed specialties. Currently, health care providers are assigned different ID numbers by each different private health plan, hospital, nursing home, and public program such as Medicare and Medicaid. These multiple ID numbers result in slower payments, increased costs and a lack of coordination.

National health plan identifier and other HIPAA regulations. HHS is working to propose standards that would create a unique identifier for health plans, making it easier for health care providers to conduct transactions with different health plans. HHS is also working to develop additional transaction standards for attachments to electronic claims and for a doctor's first report of a workplace injury. In addition, HHS is developing a proposed rule on enforcement of the HIPAA requirements. As with other HIPAA regulations, HHS will first consider public comment on each proposed rule before issuing any final standards.

Personal identifier on hold. Although HIPAA included a requirement for a unique personal health care identifier, HHS and Congress have put the development of such a standard on hold indefinitely. In 1998, HHS delayed any work on this standard until after comprehensive privacy protections were in place. Since 1999, Congress has adopted appropriations language to ensure no appropriated funds are used to promulgate such a standard. HHS has no plans to develop such an identifier.

###


Note: All HHS press releases, fact sheets and other press materials are available at www.hhs.gov/news.

Last Revised: October 17, 2003
