Upload: quinnipiac-university

Post on 16-Apr-2017

HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules that You Need to Know about Electronic Filing Systems

By: Aaron Varrone

ABSTRACT

HIPAA Title II, the Administrative Simplification provisions, was established for a variety of reasons. The main rationale was to take advantage of twenty-first century technology and to increase efficiency by eliminating redundant and manual processes. With the establishment of electronic health information systems, electronic protected health information (ePHI), and how healthcare organizations should handle such vital and confidential information, became Congress’ top priority.

The aim of this paper is to take an in-depth look at HIPAA’s Title II and at how technology has enhanced the way healthcare organizations conduct their business activities on a daily basis, while specifically addressing the privacy and security issues that many are concerned about. This paper will explain the background and history behind HIPAA and Title II, including Congress’ goals and objectives for this act, and then will go into detail about the three basic rules that HIPAA, and more specifically Title II, are all about.

INTRODUCTION

In the summer of 1996, the United States Congress passed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was enacted for a variety of reasons, which include: giving patients the ability to transfer and continue health insurance coverage when they change or lose jobs, reducing healthcare fraud and abuse, mandating industry-wide standards for healthcare information on electronic billing and other processes, and requiring the protection and confidential handling of protected health information (State of California, 2007).

HIPAA is organized into five separate “titles”. Title 1, HIPAA Health Insurance Reform, mainly enhances both the Employee Retirement Income Security Act of 1974 (ERISA) and the Public Health Service Act to increase the portability of health insurance by limiting the exclusions that can be made for pre-existing conditions, prohibiting discrimination based on claim history or health status, and guaranteeing the availability or renewability of health coverage for individuals with prior coverage. Title 2, Administrative Simplification, addresses the issues of preventing and controlling healthcare fraud, reforming medical liability, and simplifying the administration of healthcare in the United States. Title 3, HIPAA Tax Related Health Provisions, makes changes to the Tax Code, including the creation of a deduction for funds paid into Medical Savings Accounts (MSAs), increased deductions for the health insurance expenses of self-employed individuals, the treatment of long-term care agreements as insurance contracts, and tax exemption for state insurance pools. Title 4, Application and Enforcement of Group Health Plan Requirements, covers portability, access, and renewability for group health plans. Title 5, Revenue Offsets, addresses various revenue offsets (Lauber, 2003). This paper will focus specifically on Title 2, HIPAA Administrative Simplification.

The Administrative Simplification provisions of HIPAA require the Department of Health and Human Services to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers (Amatayakul, 2000). This title of HIPAA was intended to improve the effectiveness and efficiency of the various Medicare, Medicaid, federal, and private health programs of the healthcare industry. By simplifying the administration of various systems and enabling the efficient electronic transmission of certain health information, the adoption of these standards has greatly improved the effectiveness of our nation’s healthcare system (Health Reference Center Academic, 2008).

BACKGROUND INFORMATION

U.S. legislators recognized that standardizing the means of paying and collecting claims data electronically would in fact increase the potential for abuse of people’s medical information. Therefore, a main part of the act also included increasing and standardizing the confidentiality and security of people’s health information, also referred to as ePHI (electronic protected health information) (Centers for Disease Control, 2003). The United States Department of Health and Human Services (HHS, the government agency responsible for protecting the health of all Americans and administering all federal programs dealing with health and welfare) defines protected health information as the following:

Individually identifiable health information transmitted or maintained in any form or medium, which is held by a covered entity or its business associate, and which:

1) Identifies the individual or offers a reasonable basis for identification.

2) Is created or received by a covered entity or an employer.

3) Relates to a past, present, or future physical or mental condition, provision of healthcare, or payment for healthcare.

HIPAA privacy regulations require that access to a patient’s information be available only to those who are authorized, and that only the information they need in order to complete a task be accessible; obtaining any other information is a significant violation of this law (U.S. Department of Health & Human Services, 2009).

The final version of the HIPAA privacy regulations was issued by Congress in December 2000 and went into effect on April 14, 2001. Healthcare organizations were allowed a grace period of up to two years to come into compliance with these new regulations without receiving a penalty. After April 14, 2003, organizations were warned that if they were not in compliance with HIPAA, they would indeed be penalized and fined a hefty amount (Lauber, 2003).

Prior to HIPAA, there was no uniform standardization between healthcare organizations in regard to one’s own personal health record. Many rules and regulations varied from state to state, and even among healthcare organizations. Various questions came up and became debatable: for example, if an organization was doing business in multiple states, was it subject to the rules of the state where the office was located, or to the rules of the state where the headquarters was located? Many healthcare organizations quickly became baffled and did not know whether they should follow federal regulations or state regulations (HIPAA PS, 2003).

HIPAA clarifies this by providing a uniform standard for the basic level of security and privacy of one’s own health record information throughout the country. A prime example of how HIPAA clarifies and simplifies this process occurs when sending a referral to another office. In this case, only the medical history needs to be known, and not the billing information. Thus, healthcare organizations should be given only the information they need, rather than all the information in one’s record (HIPAA PS, 2003). With all this being said, the aim is for these organizations to evaluate these requirements, examine their current methods, specifically in regard to one’s personal health record, and apply the results in order to be in compliance with HIPAA.

GOALS & OBJECTIVES

Title II was designed to accomplish several goals and objectives. In no particular order, these goals and objectives include: encouraging the use of electronic media to conduct healthcare transactions, standardizing and improving the oversight of how health information is collected, stored, transmitted, and reported, simplifying the administration of healthcare finance, ensuring the continuity of healthcare coverage for people who change jobs, combating waste, fraud, and abuse in health insurance and healthcare delivery, and requiring new safeguards to protect the security and privacy of certain health information (US Department of Health and Human Services, 2005).

To effectively implement the requirements of Title II, three rules were created: The Privacy Rule, The Security Rule, and The Transactions and Code Set Rule (TCS) (Jacob & Sundstrom).

NEED FOR PRIVACY & SECURITY STANDARDS

Although converting individual health records into a more uniform, digital format by utilizing twenty-first century technology, instead of a redundant, old and time-consuming manual process, is great for the healthcare industry because it eliminates inefficiencies, it must be noted that the use of such technology also makes it easy to access such vital and confidential data. Given that healthcare organizations are now required to transmit patients’ information electronically, there is great concern that it will be easier than ever for this confidential information to be leaked into the public domain. Therefore, privacy of one’s data is mandated across all organizations. The United States Department of Health and Human Services Office for Civil Rights administers and enforces the “Privacy Rule” and the “Security Rule” (US Department of Health and Human Services, 2005).

PRIVACY RULE

The HIPAA Privacy Rule is a national standard to protect individuals’ medical records and other personal health information, and it applies to health plans, healthcare clearinghouses, and other healthcare organizations that conduct healthcare transactions electronically. This rule requires appropriate safeguards to protect the privacy of one’s personal health information, and sets limits on the uses and disclosures that may be made of such information without proper patient authorization. This rule also gives patients rights over their own health information, including the right to examine and obtain a copy of their record, and to have any inaccuracies in their record corrected (Department of Health and Human Services: Office of the Secretary, 2002).

If an organization or person fails to respect these privacy laws, for example by knowingly using a unique health identifier, or by obtaining or disclosing individually identifiable health information without a necessary reason or without proper authorization, Congress has established civil monetary penalties and imprisonment for such violations of these provisions. These penalties include fines of up to $50,000 and/or imprisonment for one year. If the offense is committed “under false pretenses”, fines can reach up to $100,000 and/or imprisonment of up to 5 years. Lastly, if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, fines can reach up to $250,000 and/or 10 years of imprisonment (Department of Health and Human Services: Office of the Secretary, 2002).

WHY PRIVACY?

Growing concerns about one’s privacy in regard to information in the healthcare industry have always been an issue of immense importance. There are many reasons why people want this information protected at the highest level. Whatever the reason may be, people have the right to have their own personal information protected, and privacy is necessary to secure effective, high-quality healthcare. Below are some examples of recent (within the last 15 years) health-related privacy breaches involving the use of technology (Health System Compliance: Privacy Case Examples, 2009):

A Michigan-based health system inadvertently posted medical records of thousands of patients on the Internet.

A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store.

An employee of the Tampa, FL health department took a computer disk containing the names of 4,000 people who had tested positive for HIV.

A Nevada woman purchased a used computer and discovered that it contained the prescription records of the customers of the pharmacy that had previously owned the computer, including names, addresses, social security numbers, and a list of all the medicines the customers had purchased.

SECURITY RULE

The HIPAA Security Rule consists of standards and implementation requirements that healthcare organizations must meet in order to become compliant with HIPAA. All organizations that access, store, maintain, or transmit patient-identifiable information are required by law to meet the HIPAA Security Rule. Failure to be in compliance with this rule, as with the Privacy Rule, can result in a hefty fine and criminal imprisonment (HIPAA Security Rule Overview, 2004).

Below are the general requirements that the HIPAA Security Rule establishes, and that individuals and organizations are mandated to follow (Jacob & Sundstrom):

1) Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits.

2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

3) Protect against any reasonably anticipated uses or disclosures of such information.

4) Ensure compliance by the workforce.

Covered entities, defined by HHS as a healthcare provider that conducts certain transactions in electronic form, a healthcare clearinghouse, or a health plan, have been given flexibility of approach and can decide which security measures to use by taking into consideration the following factors (HHS Centers for Medicare & Medicaid Services, 2005):

1) The size, complexity, and capabilities of the covered entity.

2) The covered entity’s technical infrastructure, hardware, and software security capabilities.

3) The costs of security measures.

4) The probability and criticality of potential risks to electronic protected health information.

The main objective of the Security Rule is for all covered entities, such as hospitals, healthcare providers, pharmacies, clearinghouses, and health plans, to support the Confidentiality, Integrity, and Availability (CIA) of all ePHI. With this being said, the Security Rule outlines five major requirements (HIPAA Security Rule Overview, 2004):

1) Administrative Safeguards

2) Physical Safeguards

3) Technical Safeguards

4) Organizational Requirements

5) Policies, Procedures, and Documentation Requirements
Administrative Safeguards

Administrative Safeguards are defined as the “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information” (Fitzgerald Jr., 2004).

The Security Rule includes nine standards under the Administrative Safeguards (Mount Carmel, 2009):

1) Security Management Process

2) Assigned Security Responsibility

3) Workforce Security

4) Information Access Management

5) Security Awareness and Training

6) Security Incident Procedures

7) Contingency Plan

8) Evaluation

9) Business Associate Contracts (BAC) and Other Arrangements

Physical Safeguards

Physical Safeguards are defined as the “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion” (HIPAA FAQ, 2004).

The Security Rule includes four standards under Physical Safeguards:

1) Facility Access Controls

2) Workstation Use

3) Workstation Security

4) Device and Media Controls

Technical Safeguards

Technical Safeguards are defined as the “technology and policy and procedures for its use that protect ePHI and control access to it” (US Department of Health and Human Services, 2005).

The Security Rule includes five standards under Technical Safeguards:

1) Access Controls

2) Audit Controls

3) Integrity

4) Person or Entity Authentication

5) Transmission Security

Organizational Requirements

Organizational Requirements includes one standard, Business Associate Contracts or Other Arrangements, under which a covered entity’s business associates must be in compliance with these standards. If a business associate is not, the covered entity is required to (Davis, 2001):

1) Terminate the contract or arrangement, if feasible; or

2) If termination is not feasible, report the problem to the Secretary (HHS).

Policies, Procedures, and Documentation Requirements

The Policies, Procedures, and Documentation Requirements include two standards (Mount Carmel, 2009):

1) Policies and Procedures Standard

2) Documentation Standard

Under this requirement, covered entities must implement reasonable and appropriate policies and procedures to comply with the standards and implementation specifications. Policies and procedures can be changed at any time, as long as the changes are documented and implemented in compliance with the rule (HIPAA Security Rule Overview, 2004).

PRIVACY RULE vs SECURITY RULE

In order to protect the privacy of one’s information, security measures must exist and be deliberately applied to protect that information. As a result, privacy and security rely heavily on each other in order for HIPAA to be successful.

The Security Rule defines the administrative, physical, and technical safeguards needed to protect the confidentiality, integrity, and availability of electronic protected health information. Covered entities must implement specific safeguards and protect ePHI from unauthorized access, alteration, deletion, and transmission (Jacob & Sundstrom).

In contrast, the Privacy Rule sets standards for how protected health information (both electronic and non-electronic) should be controlled (Nosowsky & Giordano, 2005): for instance, who is authorized to receive such information, and what rights patients have in regard to the confidentiality of their own health information. The major difference between the two is that the Security Rule applies only to ePHI, whereas the Privacy Rule applies to non-electronic PHI as well.

BEYOND PRIVACY & SECURITY

On July 27, 2009, the Secretary of the Department of HHS, Kathleen Sebelius, delegated authority for the administration and enforcement of the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) to the Office for Civil Rights (OCR). According to the U.S. Department of HHS, this change will improve HHS’ ability to protect individuals’ health information by combining it with the authority for administration and enforcement of the federal standards for health information privacy under HIPAA. The Privacy Rule is also administered and enforced by OCR (U.S. Department of Health & Human Services, 2009).

Congress authorized the improved enforcement of the Privacy and Security Rules in the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA). Since privacy and security go hand in hand, combining the enforcement authority in one agency within HHS will aid in making improvements by eliminating redundancy and increasing the efficiency of investigations and resolutions of failures to comply with both rules. Additionally, combining the administration of the Privacy and Security Rules establishes consistency within the healthcare industry (U.S. Department of Health & Human Services, 2009).

TRANSACTION AND CODE SETS RULE (TCS)

The HIPAA Transaction and Code Sets (TCS) Rule establishes a uniform standard that a covered entity must adhere to. These codes were created to establish efficiency and to better manage the flow of information among entities. By maintaining this standard, cost savings can be greatly improved (American Medical Association, 2009).

As defined by HHS, transactions are “electronic exchanges involving the transfer of information between two parties for specific purposes” (Department of Health and Human Services: Office of the Secretary, 2002). For instance, transactions can consist of any of the following: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, and premium payments. Under HIPAA, if a covered entity conducts any of these transactions electronically, it must use the standard, which means that it must adhere to the content and format requirements of each standard (HHS Centers for Medicare & Medicaid Services, 2005).

HIPAA has also adopted specific code sets for diagnoses and procedures to be used in all transactions: HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians’ Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and Hospital Inpatient Procedures), ICD-10 (as of October 1, 2013) and NDC (National Drug Codes). These codes, with which covered entities are familiar, are nationally accepted code sets for procedures, diagnoses, and drugs (HHS Centers for Medicare & Medicaid Services, 2005).

Additionally, HIPAA has adopted standards for unique identifiers for employers and providers, which must be used in all transactions. As with the previous two rules, if a covered entity fails to comply with this rule, it is in violation of the law and faces hefty penalties (Cunningham, 2000).
CONCLUSION

Title II of HIPAA was established because of the lack of standardization and the inefficiency in processing financial and administrative transactions. In addition, with twenty-first century technology at the tip of Congress’ tongue when making HIPAA, they realized that it was time for the healthcare industry to bite into this technology and start taking advantage of the opportunity that lay before it, while addressing major privacy and security concerns.

This title was designated not only to encourage the use of electronic media for healthcare transactions, but also to simplify the administrative side by standardizing and improving the oversight of this information. By requiring new safeguards and new rules, waste, fraud, and abuse have been identified and reduced in the health insurance and healthcare industry.
References

Amatayakul, M. (2000). The Race to Standardize Medical Record Information. MD Computing, 17(6), 22-24.

American Medical Association. (2009). Understanding the HIPAA Standard Transactions: The HIPAA Transactions and Code Set Rule.

Centers for Disease Control. (2003). HIPAA Privacy Rule and Public Health. Morbidity and Mortality Weekly Report, 52, 1-12.

Cunningham, R. (2000). Old Before Its Time: HIPAA. Health Affairs: The Policy Journal of the Health Sphere, 19, 231-237.

Davis, K. B. (2001). Privacy Rights in Personal Information: HIPAA and The Privacy Gap Between Fundamental Privacy Rights and Medical Information. The John Marshall Journal of Computer & Information Law, 19.

Department of Health and Human Services: Office of the Secretary. (2002). Standards for Privacy of Individually Identifiable Health Information; Final Rule.

Fitzgerald Jr, W. L. (2004, June 21). HIPAA Today: Get Acquainted with Terminology of Security Standards. DrugTopics, p. 148.

Health Reference Center Academic. (2008). Healthcare Financial Management, 62(10).

Health System Compliance: Privacy Case Examples. (2009). Retrieved December 13, 2009, from UC Davis Health System: http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/example.html

HHS Centers for Medicare & Medicaid Services. (2005). HIPAA Regulations and Guidance HIPAA General Information. Baltimore: US Department of Health & Human Services CMS.

HIPAA FAQ. (2004). Retrieved December 13, 2009, from Emory University: http://hipaa.emory.edu/FAQs/index.cfm

HIPAA PS. (2003). What is HIPAA? Retrieved December 11, 2009, from HIPAA PS: http://www.hipaaps.com/main/background.html

HIPAA Security Rule Overview. (2004, December 3). Retrieved December 12, 2009, from HIPAA Academy: http://www.hipaaacademy.net/consulting/hipaaSecurityRuleOverview.html

Jacob & Sundstrom. HIPAA Security Rule Basics. Baltimore: Jacob & Sundstrom, Inc. Information Systems Consulting.

Lauber, J. G. (2003). HIPAA Administrative Simplification: How the Privacy Rule Affects Municipal Ambulance Service Providers. Urban Lawyer, 317.

Mount Carmel. (2009). HIPAA Information Security Overview. Trinity Health.

Nosowsky, R., & Giordano, T. J. (2005, November 7). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for Clinical Research. Annual Reviews, 575-590.

State of California. (2007). What is HIPAA. Retrieved December 11, 2009, from Department of Health Care Services: http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00%20WhatisHIPAA.aspx

U.S. Department of Health & Human Services. (2009). Health Information Privacy. Retrieved December 12, 2009, from HHS: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

US Department of Health and Human Services. (2005). Information Security Program: Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide. US Department of Health and Human Services.