What is HIPAA?
White Paper by Tom Stevens, President and CEO, ESG, Inc.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the result of
efforts by the Clinton Administration and congressional healthcare reform proponents to
reform healthcare. The goals and objectives of this legislation are to streamline industry
inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse, and
enable workers of all professions to change jobs, even if they (or family members) have pre-
existing medical conditions.
The HIPAA legislation had four primary objectives:
1. Assure health insurance portability by eliminating job-lock due to pre-existing
2. Reduce healthcare fraud and abuse
3. Enforce standards for health information
4. Guarantee security and privacy of health information
The HIPAA legislation is organized as follows:
Title I: Guarantees health insurance access, portability and renewal
Guarantees coverage and renewal
Eliminates some pre-existing condition exclusions
Prohibits discrimination based on health status
Title II: Preventing healthcare fraud and abuse
Fraud and abuse controls
Administrative Simplification (AS) provisions (Subtitle)
Medical Liability Reform
Medical Savings Accounts
Health Insurance tax deduction for self-employed
Enforcement of group health plan provisions
Title V: Revenue offset provisions
However, when looking at HIPAA it is important to
remember that the actual HIPAA rules and detailed requirements that the healthcare industry
has to follow stem from the Administrative Simplification (AS) provisions of HIPAA, which fall
under Title II (Fraud and Abuse) of the HIPAA act itself. These provisions are intended to reduce
the costs and administrative burdens of healthcare by making possible the standardized,
electronic transmission of administrative and financial transactions that are currently executed
manually and on paper.
The Administrative Simplification (AS) provisions specifically state what rules and standards
the healthcare industry must implement in order to be in compliance with HIPAA. The AS
provisions also require specific implementation deadlines, based upon the date when the Final
Rule (for a specific issue) is published in the Federal Register, plus the mandatory 60 day
review period during which time the rule may be challenged and overturned or delayed on
appeal. For example, The Final Rule for National Standards for Electronic Transactions (which
include EDI Transaction and National Code Set standards for claims processing) was the first
HIPAA compliance rule to publish on August 17, 2000. Therefore the compliance date for this
rule becomes April 14, 2003.
This rule requires that healthcare organizations, insurers and payors that have been using any
electronic means of storing patient data and performing claims submission (including
faxes, we are told) comply with this new Final Rule for National Standards for
Providers that use electronic clearinghouses to process their transactions do not have
to modify their systems at present to assure compliance; however, the provider has to
make sure that the clearinghouse, as a business partner, is compliant with the new
regulations. In all likelihood, providers will have to make some modifications to ensure
that ancillary and departmental systems are capturing HIPAA-required information and
transmitting that data to their Admission, Discharge and Transfer (ADT)
systems and billing systems, so that the clearinghouse is able to create and send
a HIPAA-compliant transaction.
Additional provider, payor and insurance system modifications will also be required by the
Privacy and Security rules mandated by the AS provisions, so having a clearinghouse
does not preclude a provider, insurer or payor from having to make other computer
system changes as part of its HIPAA compliance efforts. At the risk of
oversimplification, this rule requires providers, insurers, payors and, to a small extent,
employers to submit enrollment, eligibility and claims processing via Electronic Data
Interchange (EDI) transactions.
EDI is nothing new and has been commercially available since the 1980s. Many large
companies have been using EDI for years to process orders, send invoices and issue or
receive payments with their electronic trading partners.
EDI is essentially a set of very specific rules governing how information will be packaged
in order to send orders, invoices, statements and payments electronically from one
electronic trading partner to another.
The government has essentially adopted this standard as a good way of ensuring that
everyone (providers, payors, insurers and employers) uses the same well-established standards
when communicating and sending information to each other. Properly done, EDI
transactions do not require human intervention and should process very quickly.
Therefore, providers should be able to submit electronic eligibility or benefit inquiries
and claims via EDI transactions to the payor, whose claims system should process the EDI
transaction quickly, returning a claim payment/advice electronically and without delay.
Other HIPAA compliance rules currently defined and proposed under the AS
provisions, but not expected to be finalized until 4Q 2000 or early 1Q 2001, include:
Standards for Privacy of Individually Identifiable Health Information
National Provider Identifier
Security and Electronic Signatures
The Standards for Privacy of Individually Identifiable Health Information are designed to
help guarantee the privacy and confidentiality of patient medical records. These new
Standards for Privacy are quite extensive. Healthcare providers, insurers, payors and
employers should review this rule and its requirements in great detail with the intent to
update and replace any current internal guidelines in order to ensure HIPAA compliance.
The National Provider Identifier, the Employer Identifier and an earlier proposal for a
National Individual Identifier were designed to help speed processing of enrollment,
eligibility and claims processing by having a national set of identification numbers that
the entire industry would use to identify a specific provider, insurer or patient. These
same steps would also help identify fraud and abuse by eliminating situations where
providers and individuals have multiple identifiers today, making it difficult to match and
track claims to both providers and individuals, particularly where fraud is intended.
However, the National Individual Identifier ran afoul of protests from civil libertarians and
individuals concerned about big brother having the ability to identify, track and gain
information about anyone in the country via a single identification number. As a result,
the National Individual Identifier seems to have been put on the sidelines until such time
as a reasonable compromise could be worked out that would assure all sides that there
would be no abuses of such a system.
Electronic Signatures will come into play at some point in the future, but when is difficult to predict at
this time. Electronic Signatures may be required for persons submitting healthcare claims and
claims attachments, through the use of a digital "signature" that requires the sender's "private
key" to create and send the "signed document". The document and electronic signature can then be
authenticated as having been sent only by that individual, by a person using the matching public key to
check the signature and open the document, typically a payor or insurer who would be processing the claim
and attachments. This eliminates the possibility of persons submitting false or fraudulent claims later
denying that they were the ones that sent the claim.
However, for a uniform key system to work absolutely and without the
possibility of error (which could lead to deniability) for the entire health industry in the
United States, there must be a national organization that can be
universally trusted to assign, distribute and manage keys on a national basis and without
error. Such an organization has yet to be established. Therefore, this HIPAA rule seems
somewhat more distant than the others in terms of implementation.
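The signing and verification exchange described in the two paragraphs above, as an added example that is not part of the white paper: the provider signs a claim with a private key it alone holds, and the payor checks the signature with the provider's public key. The example uses Ed25519 signatures from the Go standard library, a constructed JSON claim payload in place of a real EDI transaction, a constructed provider identifier, and a small in-memory key registry standing in for the trusted national key-distribution body the paper says would be needed; all of these are assumptions for illustration. It also shows the two failure cases a payor cares about: a claim altered in transit, and a claim signed with a key other than the one registered for the provider.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedClaim is what a provider would transmit: the claim bytes, the
// identifier of the provider who claims to have signed them, and the
// signature over those exact bytes.
type SignedClaim struct {
	ProviderID string // hypothetical provider identifier, used as the registry key
	Claim      []byte // the claim document exactly as signed
	Signature  []byte
}

// KeyRegistry stands in for the trusted national body the paper describes:
// it binds a provider identifier to that provider's public key. Without such
// a binding the payor has no way to know whose key it is checking against.
type KeyRegistry map[string]ed25519.PublicKey

// SignClaim runs on the provider side with the private key only the
// provider holds.
func SignClaim(providerID string, priv ed25519.PrivateKey, claim []byte) SignedClaim {
	return SignedClaim{
		ProviderID: providerID,
		Claim:      append([]byte(nil), claim...),
		Signature:  ed25519.Sign(priv, claim),
	}
}

// VerifyClaim runs on the payor side. It looks up the public key the registry
// binds to the claimed provider and checks the signature over the received
// bytes. Any change to the claim, or a signature made with a key other than
// the registered one, fails verification.
func VerifyClaim(reg KeyRegistry, sc SignedClaim) error {
	pub, ok := reg[sc.ProviderID]
	if !ok {
		return errors.New("unknown provider: no registered public key")
	}
	if !ed25519.Verify(pub, sc.Claim, sc.Signature) {
		return errors.New("signature does not verify under this provider's registered key")
	}
	return nil
}

// Scenario exercises three cases and reports whether each verified: the
// genuine claim, the same claim with the amount altered after signing, and
// a claim signed by someone who is not the registered provider.
func Scenario() (genuine, tampered, impostor bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	reg := KeyRegistry{"PROVIDER-0001": pub} // constructed identifier

	// Constructed claim payload. Real transactions would be EDI; the signing
	// logic does not care about the format of the bytes.
	claim := []byte(`{"provider":"PROVIDER-0001","patient":"P-42","amount":"125.00"}`)

	sc := SignClaim("PROVIDER-0001", priv, claim)
	genuine = VerifyClaim(reg, sc) == nil

	// The signature is unchanged but the amount was edited in transit.
	altered := sc
	altered.Claim = []byte(`{"provider":"PROVIDER-0001","patient":"P-42","amount":"1250.00"}`)
	tampered = VerifyClaim(reg, altered) == nil

	// Someone else signs a claim while asserting the registered provider's ID.
	forged := SignClaim("PROVIDER-0001", impostorPriv, claim)
	impostor = VerifyClaim(reg, forged) == nil
	return
}

func main() {
	g, t, i, err := Scenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine claim verifies: %v\n", g)
	fmt.Printf("tampered claim verifies: %v\n", t)
	fmt.Printf("impostor-signed claim verifies: %v\n", i)
}
```

The registry is the part the paper says does not yet exist at national scale: the signature proves that whoever holds the private key produced these bytes, but it is the trusted binding of provider identifier to public key that lets a payor turn that into "this provider sent this claim" and hold the provider to it later.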
These rules fall short of requiring specific technology or specific vendor solutions to
address such issues as security and protection of individually identifiable patient
information. Tools being discussed are the use of biometric devices (palm print readers,
retinal scanners, finger print readers, etc.) for workstation security, enterprise wide
network security or the security of data transmission of claims information to insurers or
payors for claims processing. By not defining specific technology or vendor solutions,
the Department of Health and Human Services (DOHSS) has left enough wiggle room to
say that the AS provisions are technology neutral, thereby passing the responsibility of
evaluating and justifying appropriate technological solutions into the laps of each
individual healthcare institution, based upon its unique business requirements.
Healthcare organizations under tremendous financial pressure and having enough
difficulty fielding enough qualified nurses for a single shift will have trouble justifying the
expense of retinal scanners on their workstations and servers or encrypting their entire
hospital data network in order to ensure the protection of individually identifiable patient
data. As a result, there will be a distinct lack of uniformity in HIPAA compliance and
implementation at the institutional level, based upon what each organization can justify.
Achieving HIPAA compliance, particularly for healthcare providers, will not be easy and
will be costly to the provider and payor organizations. Providers, payors and insurers
will have to educate and train their staffs to be in compliance with the new requirements
and then perform ongoing compliance monitoring and application of appropriate
sanctions when necessary. Providers, unlike insurers, also have to deal with millions of
family members, loved ones and outside visitors from all walks of life in the course of
performing daily business. These daily visitors, along with security challenges supplied
in ample quantity by Internet hackers, email viruses and the sheer physical size of
some organizations, make the protection of individually identifiable patient information a
major challenge in itself.
Like most federally mandated programs, there are no provisions for the recovery of
HIPAA compliance implementation costs or the ongoing costs to train new staff and
monitor HIPAA compliance after initial implementation. Sadly, it is the author's opinion
that more institutions will close as a result of not being able to achieve HIPAA compliance
for a variety of reasons. Currently, some experts are estimating the costs of achieving
initial HIPAA compliance (not counting ongoing compliance training and monitoring once
implemented) at over $66 billion and climbing.
However, there is a long-term, bright side to HIPAA compliance. Over time and once
fully implemented, HIPAA should minimize the amount of paperwork and human
intervention required to verify a patient's eligibility and minimize the amount of human
effort required to perform claims processing. The required eligibility and claims
transactions should not require human intervention if submitted correctly and according
to the transaction standards. Insurers or payors may only want to manually examine
randomly submitted claims or claims for a specific individual or business as part of fraud
or abuse detection. Since claims should be processed far more quickly, claims payments
to the providers should also speed up (at least in theory), hopefully easing some of the
cash flow burden for provider organizations. Security improvements to prevent
deliberate or accidental access to unique or individually identifiable patient data will
address concerns over privacy of patient data. Moreover, the digital Electronic Signature (as
proposed) will ensure that persons submitting fraudulent electronic insurance or
Medicare/Medicaid claims will not be able to deny submitting them in court later on.
While it is easy to get tangled up in the emotion over the expenditures and work
effort required to achieve HIPAA compliance, it is important to remember that there are many
positive features of HIPAA. The need for insurance portability is apparent. Protecting
patients' right to the privacy of healthcare information has always been, and should
remain a high priority. Reductions in fraud and abuse are certainly welcome, if not long
Quicker processing of eligibility and claims not only reduces the cost of these items to
the hospital and the insurer/payor but provides better service to the patient as well.
Although there may be some pain associated with the successful implementation of
compliance rules, the result will ultimately be the improvements that the Clinton
administration and Congress agreed upon and intended.