Health Insurance Portability and Accountability Act of 1996
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, to combat waste, fraud, and abuse; improve portability of health insurance coverage; and simplify health care administration. All health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically must comply with HIPAA.
The TRICARE health plan, military treatment facilities (MTFs), providers, TRICARE contractors, subcontractors, clearinghouses, and other business associates fall within these categories.
In compliance with the portability portion of HIPAA, the Military Health System (MHS), through the Defense Manpower Data Center Support Office, issues certificates of creditable coverage automatically to beneficiaries who lose TRICARE coverage. For more information, visit the TRICARE Web site at www.tricare.mil/tma/hipaa/cocc.aspx.
Under the Administrative Simplification portion of HIPAA, the Department of Health and Human Services has published five rules for HIPAA compliance:
- Transactions and Code Sets Rule
  Published: August 17, 2000
  Compliance date: October 16, 2003
- Privacy Rule
  Published: December 28, 2000
  Compliance date: April 14, 2003
- Employer Identifier Rule
  Published: May 31, 2002
  Compliance date: July 30, 2004
- Security Rule
  Published: February 20, 2003
  Compliance date: April 21, 2005
- National Provider Identifier (NPI) Rule
  Published: January 23, 2004
  Compliance date: May 23, 2007
Effective April 14, 2003, the HIPAA Privacy Rule provisions were implemented nationwide, and all covered entities, including providers, were required to be in full compliance with the Privacy Rule.
Effective October 16, 2003, HIPAA standard electronic transactions were implemented within the MHS.
Effective July 30, 2004, the Employer Identifier Rule provisions were implemented nationwide, and all covered entities, including providers, were required to be in full compliance with the Employer Identifier Rule.
Effective April 21, 2005, the HIPAA Security Rule provisions were implemented nationwide, and all covered entities, including providers, were required to be in full compliance with the Security Rule.
On April 2, 2007, the Centers for Medicare and Medicaid Services (CMS) published guidance to the health care industry regarding NPI contingency planning. For a 12-month period after the compliance date (i.e., through May 23, 2008), CMS decided not to impose penalties on covered entities that deployed contingency plans to ensure the smooth flow of payments, provided those entities made reasonable and diligent efforts to become compliant and, in the case of health plans (that are not small health plans), to facilitate the compliance of their trading partners. Specifically, as long as a health plan (that is not a small health plan) could demonstrate to CMS its active outreach and testing efforts, it could continue processing payments to providers. In determining whether a good-faith effort had been made, CMS placed a strong emphasis on sustained actions and demonstrable progress.
CMS encouraged covered entities to assess the readiness of their communities and determine the need to implement contingency plans to maintain the flow of payments while continuing to work toward compliance.
Guidelines for Implementing the HIPAA Privacy Rule
As required by the HIPAA Privacy Rule, provider offices/groups must train all members of their workforces on the policies and procedures with respect to protected health information (PHI) as necessary to carry out their function. Appropriate safeguards must be in place that provide security to PHI from an administrative, technical, and physical standpoint. Providers must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of the standard.
Providers are permitted by the HIPAA Privacy Rule to use and disclose an individual’s PHI for purposes of treatment, payment, and health care operations. PHI is the information created and obtained as providers deliver services to beneficiaries. Such information may include documentation of symptoms, examination and test results, diagnoses, treatments, and applications for future care or treatment. It also includes billing documents for those services.
HIPAA Transactions and Code Sets
The HIPAA Transactions and Code Sets Rule mandates the use of electronic standards for certain administrative and financial health care transactions. Compliance with this rule was mandated for October 16, 2003.
HIPAA Electronic Transactions
| Transaction No. | Transaction Standard |
| --- | --- |
| X12N 270/271 | Eligibility/Benefit Inquiry and Response |
| X12N 278 | Referral Certification and Authorization |
| X12V 879 | Claims (Institutional, Professional, and Dental) and Coordination of Benefits (COB) |
| X12N 276/277 | Claims Status Request and Response |
| X12N 835 | Payment and Remittance Advice |
| X12N 834 | Enrollment/Disenrollment in a Health Plan |
| X12N 820 | Payroll Deduction for Insurance Premiums |
| NCPDP Telecom Std. Ver. 5.1 | Retail Pharmacy Drug Claims, COB, Referral Certification and Authorization, Eligibility Inquiry and Response |
| NCPDP Batch Std. Ver. 1.1 | Retail Pharmacy Drug Claims, COB, Referral Certification and Authorization, Eligibility Inquiry and Response |
| TBD | Claims Attachments |
| TBD | First Report of Injury |