What is HIPAA?
Created in 1996, HIPAA is an act of Congress that protects the health insurance of workers and their families if they lose their jobs. HIPAA also protects the privacy of children 12 to 18 years of age and establishes a number of regulations for the electronic transfer of healthcare data. This last point is where we’ll spend the most time in our summary, but let’s look at the whole Act in brief first.
HIPAA is divided into five sections, or Titles. For the sake of this course, we’ll focus only on the first two Titles, which are the largest and most far-reaching.
Title I establishes rules for how group health organizations (like managed care organizations) interact with patients. Title I limits the restrictions a group health organization can put into place based solely on a pre-existing condition.
Title I also limits the amount of time it takes to get coverage for that pre-existing condition. Specifically, once a person has coverage under a group health organization, that person must receive coverage for their pre-existing condition within 12 months (or 18 months in certain circumstances).
Title I also provides protection to individuals and their families when that individual changes or loses their job. If an individual has health insurance under their old job, they are allowed to keep that insurance until the point when their new health care coverage kicks in. There are a few caveats to this, of course, and HIPAA does not provide permanent health insurance. It does, however, ensure that persons out of work can continue their health care coverage while in between jobs.
As you may be able to tell, this Title of HIPAA affects insurance companies and their interactions with patients much more than it does medical billers. Title II is where we’ll see HIPAA affect medical billing more directly.
When HIPAA was passed, an increasing number of medical transactions were being performed electronically. While electronic transactions (like claims) were faster, more cost-efficient, and less error-prone, they also caused some patients and regulators to worry about the privacy of the personal medical records. Title II addresses theses concerns and establishes standards and guidelines for these types of transactions.
Privacy and Security
Title II lays out a set of security guidelines that ensure the safety of both physical and electronic records. These regulations limits who can view medical information, and also dictates how this information is transferred.
Title II also established a set of rules limiting who can distribute your medical information, and when. These rules give patients more control over their medical records, including who can access them and at what times. These rules prevent anyone—including providers, payers, or government agencies—from viewing or distributing a patient’s medical information for anything not related to treatment for the patient. For instance, on a worker’s compensation claim for a broken finger, a biller would not include the patient’s history of heart disease.
Title II and Medical Billing
The passage of HIPAA added an “Administrative Simplification” (AS) to a portion of the Social Security Act. With the AS, Title II established a set of regulations and guidelines for the electronic transmission of healthcare data, and sets up guidelines for the code sets used in medical billing and coding.
The goal of the AS was to establish a regular, uniform method of communication for any party involved in healthcare, such as insurance payers, providers, clearinghouses, and government agencies. All bodies covered by HIPAA (and this includes most providers and payers, including Medicare and Medicaid) must adhere to these standards of transactions.
Under Title II, all electronic transactions must be performed as a type of Electronic Data Interchange (EDI). (An EDI is a standardized form of electronic transaction. It’s widely used in all types of commerce. An ATM withdrawal, for example, uses an EDI). For healthcare transactions, providers and payers must use the EDI approved by the Accredited Standards Committee X12 (ASC X12).
Under Title II, each medical transaction has to adhere to a certain format. HIPAA dictates that those electronic transactions follow the format laid out by the ASC X12. This form is the ASC X12 005010. Included in that form are various subforms, each of which corresponds to a certain type of medical transaction.
Again, we’ll discuss more of how HIPAA Title II affects medical billing in the next course. Let’s close out this section with a brief overview of what else Title II does.
Title II establishes the mandatory use of National Provider Identifier (NPI) numbers. You should remember NPIs from our discussion on creating medical claims. These NPIs are ten characters long, may be alphanumeric, and are never re-used (except in very particular situations). Like ICD or CPT codes, NPIs provide an efficient universal shorthand for identifying a crucial part of the healthcare process.
In addition to establishing the above regulations and rules, Title II also outlines a number of offenses related to healthcare and prescribes civil and criminal punishments for these fraudulent offenses.