Overview of HIPAA Administrative Simplification Provisions
INTRODUCTION
HIPAA Administrative Simplification Provisions
Standards for Electronic Transmissions: Final regulation compliance date extended until October 16, 2003.
Standards for Privacy of Individually Identifiable Health Information: Final regulation compliance date: April 14, 2003.
National Provider Identifier Standards: Final regulations expected in 2002.
Employer Identifier Standards: Final regulations expected in 2002.
Individual Identifier: on hold.
Security Standards: Final regulations expected in 2002.
The passing of the Health Insurance Portability and Accountability
Act (P.L.104-191) (HIPAA) by Congress in August 1996 set
in motion broad reforms and changes in the health care industry.
HIPAA is widely known for its focus on ensuring the portability
of health insurance and eliminating pre-existing condition
clauses. In addition, the lesser known Administrative Simplification
provisions of HIPAA were designed to improve health care
quality and reduce costs by simplifying the administration
and management of health information. Congress recognized
that the increasing integration of electronic transactions
within the health care industry had the potential to decrease
costs, paperwork, and administrative burdens, yet expanded
the potential for inappropriate and unauthorized use, access,
and disclosure of confidential health information if appropriate
security and privacy standards were lacking.
This is a time of transition as the regulations are drafted,
final rules and modifications are published, and compliance
timelines are established. Under the HIPAA Administrative
Simplification provisions, covered entities, defined
as health plans, health care clearinghouses, and health care
providers who transmit health information electronically,
are expected to comply with the final regulations. Once a
final rule is issued, covered entities have up to 24 months
to comply with the standards, except small health plans with
$5 million or less in receipts that have an additional year
to comply. This practice update offers an overview of HIPAA
Administrative Simplification requirements and resources
to assist social workers as they familiarize themselves with
these provisions and prepare for compliance, if applicable.
The Administrative Simplification provisions of HIPAA define
rules and standards that must be followed by the health care
industry to be compliant with HIPAA (Fraser & Stevens,
2001). Under these HIPAA provisions, the secretary of Health
and Human Services (HHS) has been authorized to issue regulations
to define standard electronic formats for common transactions,
such as claims submission and billing, that also identify
uniform data codes used for diagnoses and medical procedures;
security standards to maintain the confidentiality of health
information and to guard against unauthorized uses, disclosures,
and access; a system of unique identifiers or identification
numbers for individuals, health care providers, employers,
and health plans; and privacy regulations to protect client
health information and clients' right to gain access to their
health information (Redhead, 2001). As of November 2001,
final rules have been published in two areas: (1) electronic
transactions and (2) privacy of health information.
Below is a brief synopsis and status of each of the regulations,
with links to the text of the final or proposed regulation.
Additional resources are included at the end of this update.
Standards for Electronic Transmissions
The final rule was published August 17, 2000, with a compliance
date of October 16, 2002. However, on December 27, 2001,
the president signed a law that extends the compliance
date until October 16, 2003, for covered entities who submit
a specified plan for their compliance with these standards
to the secretary of HHS by October 15, 2002. Under these
standards, HHS has proposed a standardized electronic format
for eight common health care transactions:
- claims payment and remittance advice
- coordination of benefits
- eligibility for a health plan
- enrollment and disenrollment in a health plan
- health care claim status
- premium payments
- referral certification and authorization
Currently, the health care system continues to be heavily
paper-based and without standardization and uniformity. Provider
time is diverted from patients to administrative tasks such
as filling out forms, filing claims, checking eligibility,
and providing additional requested information. It has been
estimated that 20 percent of health care costs can be attributed
to paperwork (Redhead, 2001). In addition, between the public
and private health care systems, there are multiple insurers
and various formats and methods for filing claims. The intention
of these standards is to reduce the burden on health plans
and providers by simplifying the current complex process.
Not surprisingly, simplifying this process has proven to
be cumbersome. The public health system alone uses a multitude
of state and local codes for the various transactions. Some
of the codes are consistent nationally, but others reflect
specialized services that may be covered by a specific state
system, or for which there is no national code (Redhead).
What does the future hold? Instead of a variety of transactions
and claims processes across different plans, providers will
use standardized formats and codes for the electronic transactions
mentioned earlier. The provisions will define a uniform format
and set of transaction codes that must be used for any covered
electronic transaction. Presently, many social work practitioners
do not transmit claims and billing electronically; however,
it is predicted that in response to HIPAA, many payers will
shift to electronic claims processes and Internet technology
(Cassidy, 2000; Redhead, 2001). Standardized electronic transactions
may well become the norm over the next few years in the health
care industry. As this happens, providers will need the capacity
for electronic transmissions to receive third-party payments.
The text of the final standards for electronic transmissions
is available at www.hhs.gov/ocr/hipaa/.
Standards for Privacy of Individually Identifiable
Health Information
The HIPAA Privacy Regulations, published on December 28,
2000, were authorized by the Bush administration on April
14, 2001, with a compliance date of April 14, 2003. These
regulations were designed to ensure the privacy and confidentiality
of client health information. The rule outlines clients'
rights and provider requirements in respect to privacy and
confidentiality. NASW has been an active participant in the
evolution of the privacy regulations—providing comments to
the original draft regulations, advising members about the
implications of these regulations through practice updates
and national and chapter news postings, and advocating to
strengthen the regulations and ensure that the privacy rule
is not weakened through further modifications. For further
guidance and discussion about the privacy regulations and
implications for social workers, see NASW's Mental and Behavioral
Health Practice Updates "What Social Workers Should Know
about the HIPAA Privacy Regulations" (Bateman, 2001a)
and "Consent, Authorization, and Notice" (Bateman,
2001b). The text of the HIPAA Privacy Regulations is available
at www.hhs.gov/ocr/hipaa/.
Unique Identifiers
In the interest of quality improvement and cost reduction,
HIPAA authorized the development of unique identification
numbers for providers, employers, health plans, and individuals.
The intention was to facilitate the processing of claims
and enrollment by establishing one set of national identification
numbers used by the health care industry to identify providers,
clients, and health plans (Fraser & Stevens, 2001). Controversy
arose over the development of unique identification numbers
for individuals (Redhead, 2001). There is much concern that
development and use of an identification number for individuals
would facilitate opportunities for tracking and accessing
an individual's health information. The benefits in cost
savings and care efficiency do not outweigh the potential
for privacy breaches. For the time being, Congress has prohibited
HHS from further work on the development of unique individual
identifiers. The other standards were met with little opposition.
In 1998 proposed rules were published for both the National
Provider Identifier and Employer Identifier Standards. The
final regulations are expected sometime in early 2002. Currently,
providers may be assigned multiple identification numbers
by the various health plans with whom they do business. Under
the National Provider Identifier Standards, providers would
be assigned one identifier to use on all health care transactions.
The text of the proposed National Provider Identifier and
the Employer Identifier Standards is available on the Web
at www.hhs.gov/ocr/hipaa/.
Security Standards
The Security Standards are intended to ensure that health
plans, providers, and clearinghouses have appropriate administrative,
physical, and technical safeguards in place to guarantee
the security of electronic health information (Redhead, 2001).
These regulations serve as a complement to the privacy regulations
to ensure protection against unauthorized access to client
protected health information. The proposed rules were published
on August 12, 1998, and apply to both paper and electronic
records. They do not require the use of specific technologies
or vendors but rather define a range of procedures and practices,
both technical and operational, that must be implemented.
Thus, health plans, providers, and clearinghouses must assess
their own level of risk and develop solutions tailored to
their business. These proposed standards address the need
for comprehensive security policies and procedures including
staff training; safeguards for the physical storage, maintenance,
and transmission of client information; and measures to secure
access to client information and prevent unauthorized disclosures
(California Medical Association, 2001). The final security
standards are expected in early 2002. The text of the proposed
regulations is available on the Web at www.hhs.gov/ocr/hipaa/.
In a draft document, the Workgroup for Electronic Data Interchange
(2001) developed a series of questions for physicians to
assess their level of risk in the context of HIPAA. Although
not comprehensive and finalized, this tool may be relevant
for social workers in similar settings as they begin to familiarize
themselves with HIPAA and strategize their next steps to
meet HIPAA security requirements. Listed below are the recommendations
from that draft document, copyright by and used with permission
from the Workgroup for Electronic Data Interchange (Note:
PHI refers to client protected health information as defined
by HIPAA):
Conduct a Privacy/Security Walkthrough of the Practice Site
- Are patient sign up sheets with names and other information
in sight?
- Are patient schedules in plain view?
- Do confidential conversations take place in areas where
they can be overheard?
- Are computer screens with PHI of other patients in plain
view?
- Do office staff members regularly change their passwords
and safeguard access to their work areas?
- Are medical records, lab reports, and faxed information
easily accessible to those who have no "need-to-know?"
- Are there safeguards that are documented regarding the
transfer of PHI as paper medical records, orders, images,
and lab specimens?
- Are there documented policies and procedures when an
employment is terminated?
- Do these include the return of all keys, cards, and change
codes and locks, as necessary?
- If office equipment is taken from the premises, is there
a documented procedure to safeguard confidential patient
information?
Review Current Contracts and Documentation of Policies and Procedures
- Are current confidentiality statements being reviewed
for HIPAA language?
- Is there a disaster plan in place that could be reviewed
and expanded to include contingency plans in the event
of a critical systems failure?
- Is there an employee handbook or other human resources
documentation that can be expanded to cover HIPAA requirements
for security training, termination policies and procedures,
etc.?
- Are there privacy/security policies and procedures as
well as training to cover special functions that may be
handled off-site, i.e. transcription, medical reviews,
and some accounting or claims filing?
- Is there current inventory of all computer systems, and
software? Does this include (forbid?) use of personal software?
- Is there a regular virus check and mitigation program
in place?
Examine the Security of any Special Technology in Use
- Is PHI stored electronically? Are there system safeguards
in place?
- If health care information is transmitted on the Internet
or via phone lines, are these secure transmissions?
- Does this include any e-mail communications that contain
PHI?
- Is there access to PHI on a web site? What safeguards
are in place?
- Is there remote access to any internal networks? If so,
what kind? (e.g. dial-up modem.)
- What system of password maintenance is in use? Is there
a formal policy that is documented?
- What other types of computer security are in place? (Examples
are: a firewall, VPN, SSL, or encryption.)
References & Resources
References:
- Bateman, N. (2001a, July). What social workers should know about the HIPAA privacy regulations (Mental and Behavioral Health Practice Update, No. 930) [Online]. Available: www.socialworkers.org.
- Bateman, N. (2001b, November). Consent, authorization, and notice under HIPAA privacy regulations (Mental and Behavioral Health Practice Update, No. 939) [Online]. Available: www.socialworkers.org.
- California Medical Association, Center for Legal Affairs. (2001, November). HIPAA compliance for CMA members. San Francisco: Author.
- Cassidy, B. (2000, June). HIPAA on the job: Enhance your organization's awareness of HIPAA. Journal of AHIMA [Online]. Available: www.ahima.org/journal/features/feature.0006.4html.
- Fraser, B., & Stevens, T. (2001). What is HIPAA? [Online]. Available: www.hipaahub.com/pages/what.html.
- Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, 110 Stat. 1936.
- Redhead, C. S. (2001, April 18). Medical records privacy: Questions and answers on the HIPAA final rule (CRS Report for Congress, Order Code RS20500). Washington, DC: Congressional Research Service, Library of Congress.
- Workgroup for Electronic Data Interchange. (2001, July). SNIP-Security and Privacy Workgroup "White Papers" DRAFT Version 3.0 [Online]. Available: snip.wedi.org/public/articles/s&p_version3.0r.pdf.
Resources:
The text of the final HIPAA Privacy Regulations as well
as any guidance documents produced by the U.S. Department
of Health and Human Services (DHHS) are available online
at www.hhs.gov/ocr/hipaa/.
Fact sheets, frequently asked questions, and the text of
the HIPAA Administrative Simplification regulations (proposed
and/or final) are available on the DHHS Web site: aspe.os.dhhs.gov/admnsimp/Index.htm.
Phoenix Health, a health care information technology consulting
and outsourcing firm, sponsors a HIPAA advisory Web site,
which posts updated News on HIPAA, white papers, fact sheets,
FAQs, and articles about HIPAA Administrative Simplification.
Available online at www.hipaadvisory.com/.
Doc #951
Nancy Bateman, LCSW-C, CAC
Senior Staff Associate for Behavioral Healthcare
nbateman@naswdc.org