HIPAA FAQ

FAQ

General / Privacy / Security / EDI

General

  1. What is HIPAA?
  2. What is Administrative Simplification?
  3. What are the main components of HIPAA?
  4. Who is required to comply with HIPAA regulations?
  5. What are the deadlines for HIPAA Compliance?

  6. What are the goals of the HIPAA regulations?

Privacy

  1. What is the Privacy Standard?
  2. What is the Minimum Necessary Disclosure Standard?

Security

  1. What is the purpose of HIPAA Security Policies?
  2. What are the expectations for the development of HIPAA Security policies?

EDI (Electronic Data Interchange)

  1. What is a "covered entity"?
  2. What transactions are covered?
  3. Does HIPAA require providers to submit all transactions electronically?

General

1. What is HIPAA?The Health Insurance Portability & Accountability Act (HIPAA) became public law August 21, 1996.  It was a federal bi-partisan bill based on the Kennedy-Kassebaum bill. The primary goal of the law is to make it easier for people to keep health insurance, and help the industry control administrative costs. 
2. What is Administrative Simplification?Administrative Simplification is defined in the Title II  of the Health Insurance Portability and Accountability Act of 1996.  The goal of administrative simplification is to reduce health care administrative costs and promote quality and continuity of care by facilitating electronic data interchange (EDI). HIPAA establishes standards for 10 electronic health care transactions, national code sets, and unique identifiers for providers, health plans, employers and individuals. It also establishes standards for ensuring the security of electronic health care transactions.  Read More  
3. What are the main components of HIPAA? Click here to view HIPAA Components.  
4. Who is required to comply with HIPAA regulations?Covered entities and the entities with whom they share Protected Health Information (PHI) must comply with HIPAA.  A covered entity is:
  • A health plan.
  • A health care clearinghouse.
  • A health care provider who transmits protected health information in electronic form in connection with a transaction covered by the HIPAA transactions regulation. (HHS Regulations Definitions 160.103)
 
5. What are the deadlines for HIPAA Compliance?Click here to view the Compliance Timetable.  
6. What are the goals of the HIPAA regulations?At the core of the new regulations are requirements to  systemize, expedite and protect the electronic transfer  of healthcare information. These include:
  • standards for the electronic transmission of  financial and administrative information
  • standard codes for identifying medical diagnoses  and procedures
  • a 10-digit numeric ID known as a National Provider Identifier issued to every provider organization
  • a nine-digit numeric ID issued to each employer to use in all HIPAA-governed administrative and financial transactions
  • thirty-four specific security measures that providers must adopt in order to protect patient-identifiable healthcare information
  • additional rules that will specify how and under what circumstances, healthcare information can be used and shared
 

Privacy 

1. What is the Privacy Standard?The Privacy Standard defines the requirements for the use and disclosure of protected health information. It establishes individual patient rights and defines protected health information. The Privacy Standard also requires covered entities to adopt policies for safeguarding such information.  
2. What is the Minimum Necessary Disclosure Standard?Covered entities must “make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure, taking into consideration practical and technological limitations.” With some exceptions, Minimum Necessary Disclosure Standard applies to uses and disclosures made, including those for payment, treatment and health care operations.

Security 

1. What is the purpose of the HIPAA Security Policies?The new standards are being developed to protect the confidentiality, integrity and availability of individual health information. HIPAA requires that most providers and health plans take steps to keep medical information secure and confidential. There are four types of security standards:
  • Administrative Procedures - to ensure the enforcement of company-wide standards in regard to the handling and treatment of member information by employees.
  • Physical data safeguards - to ensure the protection of computers and buildings containing member information, from theft, invasion, or environmental threats.
  • Electronic data access security - to ensure only authorized people have access to member information, and that information is maintained for the required period of time.
  • Network security - to ensure the information is transmitted to and received by only the intended recipients, unaltered.
 
2. What are the expectations for the development of HIPAA Security policies?The security rules outline the general requirements but they do not require specific technologies. This approach provides flexibility as technology evolves and standards change. Organizations are expected to establish a prudent level of security based on community practices.  

EDI (Electronic Data Interchange)

1. What is a "covered entity"?
  • A health plan.
  • A health care clearinghouse.
  • A health care provider that transmits protected health information in electronic form in connection with a transaction covered by HIPAA.
 
2. What transactions are covered?The exchange of information between two parties to carry out financial or administrative activities related to health care.  
3. Does HIPAA require providers to submit all transactions electronically?HIPAA does not require health care providers to electronically transmit information.  However, providers that do transmit information electronically must comply with EDI standards.