The Health Insurance Portability and Accountability Act of 1996 requires the development and implementation of standards for the exchange, storage and handling of certain health care administrative data; security measures; and privacy protections. HIPAA impacts every aspect of the health care industry.
Under HIPAA, Arkansas Medicaid is a health plan. Its fiscal agent, Gainwell Technologies, is its business associate. Business associate agreements are not necessary between Arkansas Medicaid or Gainwell Technologies and providers or other billers.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry.
Administrative simplification has the following four parts:
Electronic Transactions and Code Sets
Transactions are activities involving the transfer of health care information for specific purposes. Under HIPAA administrative simplification, if a health care provider engages in one of the identified transactions, the provider must comply with the standard for that transaction. HIPAA requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers.
Code sets identify diagnoses and clinical procedures on claims and encounter forms. The CPT-4 and ICD-10 codes that you are familiar with are examples of code sets for diagnosis and procedure coding. Other code sets required by HIPAA’s administrative simplification law include codes used for DME, dental services, and drugs.
The privacy requirements limit the release of protected health information (PHI) without the patient’s knowledge and consent except as needed for the patient’s care. The patient’s personal information must be guarded more securely and handled more carefully when conducting the business of health care.
The security regulation outlines the minimum administrative, technical, and physical safeguards required to prevent unauthorized access to protected health information. The U.S. Department of Health and Human Services published final instructions on security requirements in the Federal Register on February 20, 2003. HIPAA security requirements became effective April 21, 2005.
HIPAA requires health care providers, health plans, and employers to have standard ID numbers. The Employer Identification Number (EIN), issued by the Internal Revenue Service, was selected as the identifier for employers and was adopted effective July 30, 2002. The NPI Final Rule issued January 23, 2004, adopted the National Provider Identifier (NPI) as the standard for health care providers. The Centers for Medicare & Medicaid Services (CMS) developed the National Plan and Provider Enumeration System (NPPES) to assign these unique identifiers. A standard identifier has not yet been adopted for health plans.
Providers can file claims through the provider portal or with a vendor system.
NCPDP retail pharmacy
|Payment and remittance advice||835|
|Prior authorization and response and referral||278|
NCPDP retail pharmacy
|Claim status inquiry and response||276/277|
NCPDP retail pharmacy
|Eligibility inquiry and response||270/271|
|Enrollment and disenrollment in a health plan||834|
|Health plan premium payments||HIX 820|
|Physician services||HCPCS and CPT-4|
|Medical supplies, orthotics, and DME||HCPCS|
|Diagnosis codes||ICD-10-CM, Vols 1 and 2|
|Inpatient hospital procedures||ICD-10-CM, Vols 1 and 2|
|Dental services||Code on dental procedures and nomenclature|
|Drugs/biologics||NDC for retail pharmacy|
The process of improving the efficiency of health care delivery by standardizing electronic data exchange.
A person who performs a function or activity on behalf of a covered entity.
Centers for Medicare and Medicaid Services (formerly HCFA)
Any set of codes used to identify data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.
A health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction.
Health and Human Services, U.S. Department of
The federal agency responsible for implementing HIPAA.
Health Care Provider
A provider of medical or other health services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.
Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
U.S. Department of Health and Human Services
Health Insurance Portability and Accountability Act of 1996
Individually Identifiable Health Information
Health information that identifies the individual or can be used to identify the individual.
Office for Civil Rights
The HHS entity responsible for enforcing HIPAA privacy rules.
Protected Health Information
Individually identifiable health information that is transmitted, maintained, or accessible in any form or medium that relates to the past, present, or future physical or mental health or condition of an individual.