The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, to combat waste, fraud, and abuse; improve portability of health insurance coverage; and simplify health care administration. All health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically must comply with HIPAA.
The TRICARE health plan, military treatment facilities (MTFs), providers, TRICARE contractors, subcontractors, clearinghouses, and other business associates fall within these categories.
In compliance with the portability portion of HIPAA, the Military Health System (MHS), through the Defense Manpower Data Center Support Office, issues certificates of creditable coverage automatically to beneficiaries who lose TRICARE coverage. Visit the TRICARE Web site for information about Certificates of Creditable Coverage.
Under the Administrative Simplification portion of HIPAA, the Department of Health and Human Services has published five rules for HIPAA compliance:
- Transactions and Code Sets Rule
  - Published: August 17, 2000
  - Compliance date: October 16, 2003
- Privacy Rule
  - Published: December 28, 2000
  - Compliance date: April 14, 2003
- Employer Identifier Rule
  - Published: May 31, 2002
  - Compliance date: July 30, 2004
- Security Rule
  - Published: February 20, 2003
  - Compliance date: April 21, 2005
- National Provider Identifier Rule
  - Published: January 23, 2004
  - Compliance date: May 23, 2007
Effective April 14, 2003, the HIPAA Privacy Rule provisions were implemented nationwide, and all covered entities, including providers, were required to be in full compliance with the Privacy Rule.
Effective October 16, 2003, HIPAA standard electronic transactions were implemented within the MHS.
Effective July 30, 2004, the Employer Identifier Rule provisions were implemented nationwide, and all covered entities, including providers, were required to be in full compliance with the Employer Identifier Rule.
Effective April 21, 2005, the HIPAA Security Rule provisions were implemented nationwide, and all covered entities, including providers, were required to be in full compliance with the Security Rule.
On April 2, 2007, the Centers for Medicare and Medicaid Services (CMS) published guidance to the health care industry regarding NPI contingency planning. For a 12-month period after the compliance date (i.e., through May 23, 2008), CMS decided not to impose penalties on covered entities that deployed contingency plans to ensure the smooth flow of payments, provided those entities made reasonable and diligent efforts to become compliant and, in the case of health plans (that are not small health plans), to facilitate the compliance of their trading partners. Specifically, as long as a health plan (that is not a small health plan) could demonstrate to CMS its active outreach and testing efforts, it could continue processing payments to providers. In determining whether a good-faith effort had been made, CMS placed a strong emphasis on sustained actions and demonstrable progress.
CMS encouraged covered entities to assess the readiness of their communities and determine the need to implement contingency plans to maintain the flow of payments while continuing to work toward compliance.