Office of Mental Health

Information for Counties and Providers
General Rules
What Do You Need to Know?

Q: What is HIPAA?

A: HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. Title I of this act protects health insurance coverage for workers and their families when they change or lose their jobs. Title II (also known as Administrative Simplification) establishes

  • national standards for electronic health care transactions;
  • national standards for the security and confidentiality of individually identifiable health information; and
  • national identifiers for providers, health plans, and employers.

There are three sets of federal regulations established under HIPAA: Electronic Data Interchange (EDI), privacy, and security. The EDI regulations establish a standard format for administrative and financial health care transactions. The privacy regulations establish a set of rights and responsibilities with relation to the use and disclosure of "protected health information." And, the security regulations establish standards for technical, administrative, and physical safeguards for such information.

Tip: Copies of the final rules can be downloaded from the CMS/HHS HIPAA website, at www.cms.gov/HIPAAGenInfo/02_TheHIPAALawandRelated%20Information.asp, under Regulations and Standards.

Q: Who must comply with HIPAA?

A: All health plans, clearinghouses and health care providers who conduct certain financial and administrative transactions electronically are "covered entities" under HIPAA and must comply with the HIPAA regulations. In general, mental health providers that bill Medicaid, Medicare or any other third party health insurer electronically are likely to be covered entities under the HIPAA rules.

Tip: To determine if you are a covered entity, go to the Health and Human Services (HHS) 'Covered Entity Decision Tool' at http://www.cms.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp

Q: When must covered entities be in compliance with the different HIPAA standards?

A:

  • Privacy Standards - April 14, 2003
  • Standards for Electronic Transactions (EDI) - October 16, 2003
  • Security Standards - April 21, 2005

Tip: For a more detailed description of the HIPAA standards, how they will impact your business operations, and for additional resource materials, click on the Privacy, EDI and Security links in the Info for Counties and Providers website.

Q: What is the Administrative Simplification Compliance Act (ASCA)?

A: The December 2001 Administrative Simplification Compliance Act (ASCA) extended the deadline for compliance with the HIPAA Electronic Health Care Transactions and Code Sets standards (the EDI regulations) by one year, to October 16, 2003, for all covered entities other than small health plans (whose compliance date was already October 16, 2003).

In order to receive an extension, covered entities had to submit their ASCA compliance plans on or before October 15, 2002.

Q: What should covered entities that did not submit an extension do?

A: They should come into compliance as soon as possible, and should be prepared to submit a corrective action plan in the event a complaint is filed against them.

Q: What does Administrative Simplification mean?

A: The Administrative Simplification provisions (title II) of HIPAA establish national standards for automating the business process of claims administration by adopting

  • national transaction and code set standards for all electronic transactions involving the transmittal of patient health information, and
  • national standards for security and privacy of health information to protect individually identifiable health information and for notifying patients of their rights with regard to the protection and disclosure of their health information.

Administrative Simplification is intended to improve the efficiency and effectiveness of the nation's health care system by supporting the regulatory goals of cost-effectiveness and avoidance of duplication and encouraging the widespread use of electronic data interchange.

Tip: For more information on the HIPAA Administrative Simplification provisions, visit the DOH HIPAA Information Center website at http://www.health.state.ny.us/nysdoh/medicaid/hipaa/hipaaglance.htm

Q: How do HIPAA rules affect

  a. small providers that only do health care transactions on paper?
  b. providers with multiple programs, some of which transmit electronically, while others use paper?

A: (a) Providers that do all their health care transactions on paper are not covered by the HIPAA rules, regardless of the size of their workforce. However, the Administrative Simplification Compliance Act (ASCA) of 2001 prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003, except for small providers that will be able to continue to submit paper claims. ASCA defines a small provider or supplier as:

  • a provider of services with fewer than 25 full-time equivalent employees or
  • a physician, practitioner, facility or supplier (other than provider of services) with fewer than 10 full-time equivalent employees.

Note: this provision does not preclude providers from submitting paper claims to other health plans, including Medicaid.

(b) We recommend that providers with multiple programs, some of which transmit their PHI electronically and others that do their health care transactions on paper, adopt the HIPAA rules uniformly across all their programs to ensure consistent standards and procedures throughout.

Q: Are there penalties for violating HIPAA provisions? What are they?

A: HIPAA is a federally mandated regulation that will result in an industry-wide change in the way healthcare organizations do business. Failure to comply will carry significant penalties, including possible criminal penalties. Although the federal government has stated that its enforcement strategy will concentrate on achieving voluntary compliance through technical assistance, and that penalties would be imposed as a last resort, it would be unwise not to take HIPAA compliance seriously. In the mental health system, patient confidentiality is an important cornerstone of treatment. Breaching confidentiality could have serious negative implications for the patient's well-being, not to mention the provider's reputation and possible continued viability.

Q: Who should have overall responsibility for HIPAA compliance in my organization?

A: Under the privacy regulations, each covered entity is responsible for designating a Privacy Official who is responsible for developing and implementing the entity's privacy policy and procedures. Similarly, a Security Official should be designated in accordance with the HIPAA security regulations.

Both the Privacy and Security Rules are "scalable" to give needed flexibility to covered entities to create their own privacy and security procedures, tailored to fit their size and needs. For example, the Privacy Official at a small mental health organization may be the quality assurance manager, who will have other non-privacy related duties. The policies and procedures of small providers may be more limited under the Privacy Rule than those of a large hospital, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Q: What is Protected Health Information (PHI)?

A: PHI means individually identifiable information relating to the past, present or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care provided to an individual. HIPAA privacy standards cover medical records, health care claims and payments, benefit enrollments and disenrollments, and any other individually identifiable health information held or disclosed by health plans, health care clearinghouses and health care providers that transmit PHI electronically.