Close this search box.



The Health Insurance Portability and Accountability Act of 1996 requires the development and implementation of standards for the exchange, storage and handling of certain health care administrative data; security measures; and privacy protections. HIPAA impacts every aspect of the health care industry.


Under HIPAA, Arkansas Medicaid is a health plan. Its fiscal agent, Gainwell Technologies, is its business associate. Business associate agreements are not necessary between Arkansas Medicaid or Gainwell Technologies and providers or other billers.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry.

Administrative Simplification

Administrative simplification has the following four parts:

Electronic Transactions and Code Sets

Transactions are activities involving the transfer of health care information for specific purposes. Under HIPAA administration simplification, if a health care provider engages in one of the identified transactions, the provider must
comply with the standard for that transaction. HIPAA requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers.

Code sets identify diagnoses and clinical procedures on claims and encounter forms. The CPT-4 and ICD-10 codes that you are familiar with are examples of code sets for diagnosis and procedure coding. Other code sets required by HIPAA’s administrative simplification law include codes used for DME, dental services, and drugs.


The privacy requirements limit the release of protected health information (PHI) without the patient’s knowledge and consent except as needed for the patient’s care. The patient’s personal information must be guarded more securely and handled more carefully when conducting the business of health care.


The security regulation outlines the minimum administrative, technical, and physical safeguards required to prevent unauthorized access to protected health information. The U.S. Department of Health and Human Services published final instructions on security requirements in the Federal Register on February 20, 2003. HIPAA security requirements became effective April 21, 2005.

National Identifiers

HIPAA requires health care providers, health plans, and employers to have standard ID numbers. The Employer Identification Number (EIN), issued by the Internal Revenue Service, was selected as the identifier for employers and was adopted effective July 30, 2002. The NPI Final Rule issued January 23, 2004, adopted the National Provider Identifier (NPI) as the standard for health care providers. The Centers for Medicare & Medicaid Services (CMS) developed the National Plan and Provider Enumeration System (NPPES) to assign these unique identifiers. A standard identifier has not yet been adopted for health plans.

Claim Submissions

Providers can file claims through the provider portal or with a vendor system.


Claim837 Professional
837 Institutional
837 Dental
NCPDP retail pharmacy
Payment and remittance advice835
Prior authorization and response and referral278
NCPDP retail pharmacy
Claim status inquiry and response276/277
NCPDP retail pharmacy
Eligibility inquiry and response270/271
Enrollment and disenrollment in a health plan834
Health plan premium paymentsHIX 820

Code Sets

Physician servicesHCPCS and CPT-4
Medical supplies, orthotics, and DMEHCPCS
Diagnosis codesICD-10-CM, Vols 1 and 2
Inpatient hospital proceduresICD-10-CM, Vols 1 and 2
Dental servicesCode on dental procedures and nomenclature
Drugs/biologicsNDC for retail pharmacy


Administrative Simplification

The process of improving the efficiency of health care delivery by standardizing electronic data exchange.

Business Associate

A person who performs a function or activity on behalf of a covered entity.


Centers for Medicare and Medicaid Services (formerly HCFA)

Code Set

Any set of codes used to identify data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

Covered Entity

A health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction.

Health and Human Services, U.S. Department of

he federal agency responsible for implementing HIPAA.

Health Care Provider

A provider of medical or other health services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Health Information

Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.


U.S. Department of Health and Human Services


Health Insurance Portability and Accountability Act of 1996

Individually Identifiable Health Information

Health information that identifies the individual or can be used to identify the individual.

Office for Civil Rights

The HHS entity responsible for enforcing HIPAA privacy rules.

Protected Health Information

Individually identifiable health information that is transmitted, maintained, or accessible in any form or medium that relates to the past, present, or future physical or mental health or condition of an individual.