What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") was enacted in August 1996 as part of a broad congressional attempt at health care reform. 

The "Administrative Simplification" provisions of HIPAA required the Department of Health and Human Services ("HHS") to:

  1. Create privacy standards to protect personal health information,
  2. Adopt national standards for format and content of electronic health care transactions (called "EDI" for electronic data interchange transactions) and
  3. Create security standards to protect the electronic transmission of personal health information.

What is HIPAA EDI?

EDI stands for Electronic Data Interchange, which is the electronic transfer of information in a standard format. It allows for the exchange of information in a fast and cost-effective way. 

In order to ensure the efficiency of this process, Health and Human Services (HHS) has adopted record formats for certain transactions. These record formats are called "standards". The standards specify the format, data content and code sets to be used for each transaction. Covered entities, which are required to use these standards (see Q #4 below), are prohibited from altering these standards when exchanging data.

Why did Congress include the EDI transaction standards in the HIPAA regulation?

Electronic Data Interchange can eliminate the inefficiencies of handling paper documents, which will significantly reduce administrative burden, lower operating costs, and improve overall data quality. 

Currently, there are about 400 formats for electronic health claims being used in the United States. 

According to HHS, this lack of standardization:

  • Makes it difficult and expensive to develop and maintain software; and
  • Reduces the ability of health care providers and health plans to achieve efficiencies and savings.

Who must comply with this regulation?

The regulation defines three groups, referred to as Covered Entities, that must comply with the HIPAA EDI Rule. The Covered Entities are Health Plans, Health Care Clearinghouses, and Health Care Providers.

(i) A Health Plan is an individual or group plan that provides, or pays the cost of, medical care.

Common examples of "health plans" include:

  • An ERISA group health plan (providing medical care) if the plan has 50 or more participants or is not self-administered by the employer.
  • An issuer of health insurance.
  • An issuer of long term care insurance.
  • An HMO.
  • Medicare Part A or Part B.
  • Medicaid.
  • A multiple employer welfare benefit plan.
  • Other individual or group plans that provide or pay the cost of medical care.

(ii) A Health Care Clearinghouse ("HCC") is a public or private entity that either:

  1. Receives health information from another entity in nonstandard format or containing nonstandard data and processes or facilitates the processing of it into standard data elements or a standard transaction; or
  2. Receives a standard transaction from another entity and processes it or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving party.

Common examples of entities that may be HCCs include:

  • Billing services.
  • Repricing companies.
  • Third party administrators.

(iii) A Health Care Provider ("HCP") is a covered entity only if that HCP transmits health information in electronic form in connection with a HIPAA regulated EDI transaction. 

For HIPAA EDI and Privacy purposes, a health care provider means:

  • The following entities: a hospital, a critical access hospital, a skilled nursing facility, a comprehensive outpatient rehabilitation facility, a home health agency, a hospice program or certain funds paying for services provided by teaching hospitals or medical schools.
  • An entity or person that provides medical or health services as defined in 42 U.S.C. 1395x(s), or
  • Any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Are we a covered entity?

We are a Health Plan, but only when conducting business activities for certain of our products called "covered products."

The majority of our products are exempt from HIPAA mandates. For example, Long Term Disability (fully insured and self insured), Short Term Disability (fully insured and self insured), Life and Accident coverages are all excluded.

Products that are "covered products" include long term care, expense-based cancer, hospital confinement, dental, vision or intensive care policies, certain medical coverages and other health plans pursuant to the Health Insurance Portability and Accountability Act ("HIPAA").

What are the HIPAA EDI transaction standards that impact our covered products?

  • 834 Enrollment/disenrollment
  • 270 Eligibility inquiry
  • 837 Claim encounter
  • 276 Claim status inquiry
  • 835 Remittance advice EOB
  • 820 Premium payment
  • 271 Eligibility response
  • 837COB Coordination of benefits
  • 277 Claim status response

Aren't there additional transactions not included in the above list of transactions?

Yes, the 278 and 278z transactions are used when there is "a request for the review of health care to obtain authorization for the treatment of health care; or a request to obtain authorization for referring an individual to another health care provider and the response to those requests." 

We are not impacted by these transactions as our "covered products" do not require these types of authorizations.

When will we be able to share data using the HIPAA EDI transaction standards?

We will be in compliance with the EDI Rules under the Administrative Simplification provision of HIPAA on October 16, 2003.