The HIPAA Security Rule requires administrative, physical, and technical safeguards to assure the confidentiality, integrity, and availability of PHI in electronic form. Specific safeguards are not prescribed. Instead, the HIPAA Security Rule establishes general standards and associated implementation specifications. The implementation standards are either “required” (standards that must be implemented) or “addressable” (standards that must be assessed and either implemented if reasonable and appropriate, or otherwise addressed with reasonable alternative measures and documentation of the assessment). TRICARE providers are expected to adhere to industry standards and regulatory developments on data security protection. Additionally, providers should consult the guidance materials available on the TMA Privacy Office web site, which includes information on new regulations under the HITECH Act and any other legislative initiatives affecting data security.
        

The HIPAA Transactions and Code Sets Rule, effective October 16, 2003, implements electronic standards for certain administrative and financial health care transactions. As required by the HIPAA Standard Transactions and Code Sets Rule, the MHS and TRICARE apply HIPAA standards for electronic business functions. For more information, visit the HIPAA and TRICARE Transaction and Code Sets web page.  Figure 2.1 lists mandated HIPAA electronic transactions.
       

The National Employer Identifier Final Rule, effective July 30, 2004, requires health care providers, plans, and clearinghouses to accept and transmit employer identification numbers (EINs) in electronic health care transactions, when applicable. HIPAA defines employers as health insurance sponsors for their employees. The standard selected for the national employer identifier is the EIN issued by the Internal Revenue Service (IRS). The EIN appears on an employee’s IRS Form W-2 Wage and Tax Statement and is used to identify the employer in standard electronic health care transactions.

The HIPAA National Provider Identifier (NPI) Final Rule, published in the Federal Register January 23, 2004, establishes the NPI as the standard unique identifier for health care providers. An NPI is a 10-digit number used to identify a health care provider in all HIPAA standard electronic transactions. NPIs do not contain intelligence about providers. All entities defined as “health care providers” are eligible for NPIs.  However, providers defined under HIPAA as “covered entities” are required to obtain and use NPIs. A covered entity is a provider, health plan, or clearinghouse that conducts electronic health care transactions.

Health care provider NPI enumeration (i.e., assignment of NPIs to providers) and NPI-associated data maintenance are conducted through the National Plan and Provider Enumeration System (NPPES). The NPPES is the central system for identifying and uniquely enumerating health care providers at the national level. For enumeration purposes, there are two categories of health care providers. Entity Type 1 is for individuals, such as physicians, nurses, dentists, chiropractors, pharmacists, and physical therapists. Entity Type 2 is for organizations, such as hospitals, home health agencies, clinics, nursing homes, laboratories, and MTFs. The NPI is meant to be a lasting identifier and is not replaced due to changes in a health care provider’s name, address, ownership, health plan membership, or Healthcare Provider Taxonomy classification.

TRICARE providers should already have NPIs. If you do not have an NPI, complete the online NPPES application at the National Plan and Provider Enumeration System web site or download a paper application of the National Provider Identifier (NPI) Application/Update form. You can also request an application from the NPI Enumerator in one of the ways listed in Figure 2.2.