Congress passed the HIPAA law in 1996 to safeguard workers and their families’ health insurance in the event of job loss. HIPAA also creates several rules for the electronic transfer of healthcare data and safeguards the privacy of children between the ages of 11 and 18.
The Health Insurance Portability and Accountability Act (HIPAA) mandates the development of national standards to protect against the disclosure of sensitive patient health details without the patient’s knowledge or consent.
The United States Department of Health and Human Services (HHS) established the HIPAA Privacy Rule to put HIPAA’s obligations into practice. A portion of the data covered by the Privacy Rule is protected under the HIPAA Security Rule.
HIPAA Privacy Rule
The Privacy Rule’s principles cover how organizations covered by the rule should use and disclose people’s protected health information (also known as PHI). The term “covered entities” refers to these people and businesses.
The Privacy Rule also establishes guidelines for people’s rights to know how their health information is used and to control that use. A primary objective of the Privacy Rule is to ensure that people’s health information is appropriately safeguarded while permitting the flow of health information required to deliver and promote high-quality healthcare, as well as to ensure the health and well-being of the general public. The Privacy Rule authorizes significant information uses while safeguarding the privacy of those seeking medical treatment and recovery.
The Privacy Rule applies to the following categories of people and businesses, which are known as covered entities:
Healthcare professionals: Any healthcare professional, regardless of practice size, who electronically transfers patient data in connection with certain transactions. Among these transactions are:
- inquiries about benefit eligibility
- petitions for referral authorization
- other transactions for which HHS has established criteria under the HIPAA Transactions Rule.
Health plans: Health plans consist of:
- Insurance for health, dental, vision, and prescription drugs
- Health maintenance organizations (HMOs)
- Insurance companies for Medicare, Medicaid, Medicare+Choice, and Medicare Supplement
- insurers for long-term care (excluding nursing home fixed-indemnity policies)
- Employer-sponsored group health plans
- Health plans provided by the government and churches
- Health plans for several employers
Exception: A group health plan with fewer than 50 participants that is formed and managed solely by the employer is not a covered entity.
Healthcare clearinghouses: Organizations that convert nonstandard data or format received from another organization into a standard form, or vice versa, are healthcare clearinghouses. Healthcare clearinghouses will often only get individually identifiable health information when acting as a business associate for a health plan or healthcare provider and offering these processing services.
Business associates: An individual or group that uses or discloses personally identifiable health information on behalf of a covered entity, but is not a member of that entity’s staff, is referred to as a business associate. These jobs, duties, or services consist of:
- Claims processing
- Data evaluation
- Utilization analysis
The HIPAA Security Rule
The HIPAA Security Rule requires doctors to use suitable administrative, physical, and technical protections to maintain the confidentiality, integrity, and security of patients’ electronically stored, protected health information.
Who the Security Rule Protects
The Security Rule applies to “covered entities” (health plans, healthcare clearinghouses, and healthcare providers) and their business associates who transmit health information electronically in connection with a transaction for which the Secretary of HHS has set HIPAA standards.
All personally identifiable health information that a covered entity generates, acquires, retains, or transmits electronically is protected by the Security Rule. This data is a subset of the information covered by the Privacy Rule, and the Security Rule refers to it as “electronic protected health information.” The Security Rule does not cover PHI transmitted verbally or in writing.
Medical billing and HIPAA
Whether you realize it or not, you are already familiar with many of HIPAA’s regulations. The uniformity of the medical codes used by coders and billers is one of HIPAA’s most immediately noticeable effects.
Electronic medical transactions are established and managed by HIPAA. All providers and billers covered by Title II of HIPAA must submit claims electronically in the approved format. This format is called ASC X12 005010 and may also be referred to by its abbreviation, “HIPAA 5010.”
It’s critical to remember that HIPAA 5010 focuses more on the transfer of information than on the style of a claim. HIPAA 5010 transactions can be compared to standardized automobiles: although they must all have the same appearance, each vehicle may transport its passengers (in this case, medical information) in various configurations.
Each type of transaction has its own code set number within ASC X12 005010. Now let’s take a closer look at these code set numbers and the kinds of transactions they relate to. You’ll notice an “X12” before each code set number. This indicates that ASC X12 monitors and maintains the code set.
Each transaction adopts a specific Electronic Data Interchange (EDI) format. Each of these transaction forms has its own set of guidelines and formats. We have concentrated on the health care claim out of convenience.
CODE SETS FOR HIPAA FORMS AND THEIR NUMBERS
TRANSACTION RELATING TO A MEDICAL CLAIM
X12 837 is the code set number.
The health care claim is the most fundamental and typical electronic medical transaction. Billers submit claims to obtain payment on the providers’ behalf. Claims contain codes for the treatment and diagnosis and details about the patient, the provider, and the patient’s health insurance plan.
Medical billers must utilize the proper type of EDI to carry out a specific billing operation, much as medical coders must use the appropriate code set to describe a treatment or diagnosis.
The relationship between HIPAA and other healthcare regulations, such as the Affordable Care Act (ACA)
The Administrative Simplification provisions of the Affordable Care Act of 2010 (ACA) build upon HIPAA of 1996. The Patient Protection and Affordable Care Act (PPACA) mandated that HHS create operational guidelines for HIPAA’s basic transactions to standardize information and transmission formats and minimize the need for plan-specific companion manuals.
As you can see, practically every part of the medical billing process is impacted by HIPAA, from how records are kept and accessed to the codes applied when generating claims. You’ll learn more about HIPAA and how it affects medical billing as you continue your formal study.