HIPAA Standards

Transactions and Code Sets

Transactions and Code Sets were the first regulations of the Administration Simplification portion of HIPAA to be published in the Federal Register on August 17, 2000. The regulations were required to be implemented by covered entities no later than October 16, 2002*. The final rules for standard transactions and code sets set the standards for data elements, code sets and formats that must be used by health plans, health care clearinghouses and by each health care provider who transmits covered transactions electronically.

* Note: On December 27, 2001, President Bush signed into law H.R. 3323, the Administrative Simplification Compliance Act (now known as Public Law 107-105). This law provides for a one-year extension of the date for complying with the HIPAA standard transactions and code set requirements (to October 16, 2003) for any covered entity that submitted to the Secretary of Health and Human Services a plan of how the entity will come into compliance with the requirements by October 16, 2003. You can read the enrolled version of the bill (the version passed by Congress) at: http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3323.ENR:

The transaction standards are:
Transaction Type Proposed Transaction Standard
*NPRM published September 23, 2005.
1. Health claims or equivalent encounter information
  • Professional claim
  • Institutional claim
  • Dental claim
  • Retail drug
  • ASC X12N 837 — Professional
  • ASC X12N 837 — Institutional
  • ASC X12N 837 — Dental
  • NCPDP Telecommunications Standard Format version 5.1
    and equivalent NCPDP Batch Standard version 1.0
2. Coordination of benefits claim Same as health claims (above)
3. Health care payment and remittance advice ASC X12N 835
4. Health claim status ASC X12N 276/277
5. Health plan enrollment and disenrollment ASC X12N 834
6. Health plan eligibility ASC X12N 270/271
7. Health plan premium payment ASC X12N 820
8. Health Care Services Review — Request for Review and Response ASC X12N 278
9. Health claims attachments — patient information* ASC X12N 275*
The code set standards include:
Code Set Description** Proposed Standard
** Please note that there are many additional non-diagnosis and procedure code sets required by the regulations.
1. Diseases, injuries, impairments, and other health related problems ICD-9-CM (volume 1)
2. Procedures — Physician Services CPT (HCPCS level 1)
3. Procedures — Dental Services Current Dental Terminology (CDT)
4. Procedures — Inpatient Hospital ICD-9-CM (volume 3)
5. Other health-related services HCPCS Alpha numeric codes
6. Retail drugs FDA National drug codes
7. Other substances, equipment, supplies, other HCPCS Alpha numeric codes

Privacy

The final Privacy rules were issued by DHHS under HIPAA on December 28, 2000, and August 14, 2002, with a compliance date of April 14, 2003. As required by the HIPAA law, most covered entities had two full years — until April 14, 2003 — to comply with the final rule's provisions. Revised guidance with changes to the final rules for privacy was issued on December 4, 2002.

The final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically. All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered by the final regulation. A party electronically transmitting or maintaining, “protected health information” may not use or disclose the information except as permitted by federal regulation.

Patients have significant new rights to understand and control how their health information is used. With few exceptions, such as appropriate law enforcement needs, an individual's health information may only be used for health purposes. The final rule establishes the privacy safeguard standards that covered entities must meet, but it gives covered entities the flexibility to design their own policies and procedures to meet those standards. The requirements are flexible and scalable to account for the nature of each entity's business, and its size and resources.

Security

The final rules for security were issued by DHHS under HIPAA on February 20, 2003 with a compliance date of April 20, 2005. The final regulation has been developed to protect the confidentiality, integrity, and availability of individual health information and will provide a standard level of protection in an environment where health information pertaining to an individual is housed electronically and/or is transmitted over telecommunications systems/networks.

The standard mandates safeguards for physical storage and maintenance, transmission, and access to individual health information. Entities required to comply with the standard include any health care provider, health care clearinghouse, or health plan that electronically maintains or transmits health information pertaining to an individual.

National Identifiers

National identifiers include the National Provider Identifier (NPI), National Employer Identifier, National Health Plan Identifier and National Individual Identifier. NPRMs were published in mid-1998 for the NPI and the National Employer Identifier.

The final rule for the National Provider Identifier standards was issued by DHHS under HIPAA on January 23, 2004 with an effective date of May 23, 2005 and a compliance date of May 23, 2007. The final regulation has been developed to assign each health care provider with a standard National Provider Identification (NPI) number which all health plans will use. The current lack of a standard, unique provider identifier across plans complicates provider claims submissions and the exchange of data between health plans when coordination of health care information is necessary. Entities required to comply with the standard include health plans, health care clearinghouse, or any health care provider that electronically transmits health information.

A final rule for the Identifier for Employers was published on May 31, 2002, and the compliance date was July 30, 2004 for most covered entities (small health plans have until August 1, 2005 to comply with the rule). The National Employer Identifier standards adopt the Employer Identification Number (EIN), the taxpayer identifying number for employers that is assigned by the Internal Revenue Service. This identifier has nine digits with the first two digits separated by a hyphen, as follows: 00-0000000. The numbers are needed by employer groups to identify themselves in electronic transactions when they enroll or disenroll employees in a health plan or make premium payments to health plans on behalf of their employees. Employers and health care providers may need to identify an employer as the source or receiver of information about a participant's eligibility. The National Health Plan Identifier NPRM is in development, and the National Individual Identifier is currently on hold.