
Cutting to the chase: what physician executives need to know about HIPAA. (Implementing HIPAA and Other Compliance Programs).

WHEN A PATIENT WALKS into a drug store to purchase a prescribed medication, the swipe of a card enters his or her insurance and personal identification information into the pharmacists' information system. The pharmacist keys in the drug information and the system determines the patient's eligibility, coverage for that drug, and co-payment responsibility. The pharmacist later receives electronic payment for the portion of the prescription costs not paid by the patient. Why are such benefits not available for transactions in a physician's office, hospital, or ambulatory clinic?

Imagine the benefits--the savings in billing costs and time, and the greater certainty of coverage and payment responsibility--if, with the push of a button, a physician's claim was sent to the right insurance company with all the information necessary to process it and payment was promptly made electronically. With hundreds of different insurance claim formats and data content requirement variations, it is no wonder that these benefits have been slow in coming.

Traveling around the United States to inform audiences about the Health Insurance Portability and Accountability Act (HIPAA), the authors have encountered two predominant reactions: grave concern or abject ignorance. Among those who are aware of the legislation, strong opinions exist about the likelihood that the mandated standards will actually come to pass and about the ability of the government and the health industry to monitor and enforce the 'rules.'

Great anxiety is expressed about the practical and financial impact of implementing the standards and the benefits to be received. Controversy rages over the possible consequences of the law on health information privacy and confidentiality. Those in the 'unaware' category seem surprised to hear that within two years many customary methods in health care will change markedly and that failing to comply with the new practices can bring significant penalties.

Reading the HIPAA legislation and the 'notices of proposed rule making' (NPRM) that are published for public commentary before final regulations are issued gives little comfort and an incomplete understanding to both the alarmists and the Panglossian optimists. Many questions remain.

Physician executives generally fall somewhere between these extremes. They are uneasily hoping that the 'health plan,' 'information technology division,' or 'billing and claims department' will handle the issue, but they remain properly concerned that, since medical practice and health care management fundamentally hinge on information about patients, ignorance in this arena will be far from bliss.

Administrative simplification

Over the past three decades the health industry has found itself drowning in an increasingly expensive and confusing morass of idiosyncratic data and 'form' submissions required for insurance claim processing and reimbursement. By 1990, leaders in health care were asking Congress to charge the Secretary of Health and Human Services (HHS) with choosing administrative transaction standards to streamline, simplify, and economize the payment process and mandating their implementation by providers, plans, and clearinghouses. The result was the Kassebaum-Kennedy Bill, entitled the Health Insurance Portability and Accountability Act (HIPAA), signed into law (Public Law 104-191) by President Clinton on August 21, 1996.

The "Administrative Simplification" section of HIPAA is intended to improve the efficiency and effectiveness of the health care system, as well as to increase the protection and confidentiality of individually identifiable health information. This is to be accomplished "by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information." (1)

The law requires the health industry to implement a series of data and transaction standards, including using a single electronic format for health providers to bill for their services. Additional standard processes are included for health plan enrollment and disenrollment, insurance eligibility checking, payment and remittance advice, authorization of referrals, and other kinds of health information exchange.

The financial benefits anticipated from uniform billing, claims processing, coordination of benefits, and other functions are estimated to exceed the costs of implementing the standards by $1.5 billion in the first five years (a net savings of $1.7 billion for health plans, and a net cost of $0.2 billion for providers). The single-year net savings for the year 2002 could be $3.1 billion ($1.6 billion for plans and $1.5 billion for providers). (2)

Essentially, HIPAA requires the Secretary of Health and Human Services (HHS) to adopt and mandate the use of standards for common electronic administrative transactions and to establish a privacy standard for personal health information. (3) The Department of HHS has released some of these proposed standards (many are developed and in use to some degree) in a published 'notice of proposed rule making' (NPRM), which invites public commentary. The regulations become final only after these comments have been taken into account.

There are four important features of the legislation:

1. Health care providers do not have to engage in electronic health transactions. But if they do, they must comply with HIPAA transaction data standards. Providers may comply by sending paper or nonstandard electronic transactions to a clearinghouse, where they must be converted into the required format and data elements.

2. Health plans must be able to accept transactions in standard HIPAA format, may not refuse or delay a transaction, or adversely affect the entity sending it for 'lack of proper content' if the transaction is compliant with standard health information data elements. (Plans will, however, be able to ask for additional information to determine the reasonability of the claim, such as test results to support a diagnosis.) They may comply by receiving transactions at a designated clearinghouse, which then legitimately converts them to the plan's internal format.

3. Those covered by HIPAA security standards must protect the health care information they maintain or transmit electronically from improper access, alteration, or loss.

4. Those covered by HIPAA privacy standards must not wrongfully disclose individually identifiable health information.

Standards for HIPAA transactions

Although most of the HIPAA standards apply to electronic transactions, they have far reaching effects on the organization, protection, and transmission of health care data for many other purposes. With few exceptions, the standards apply to each and every provider, plan, and clearinghouse that transmits any health information in electronic form.

HIPAA transactions include:

* Health claims or equivalent encounter information transfer

* Health claims attachments

* Enrollment and disenrollment actions in a health plan

* Eligibility status in a health plan

* Health care payment and remittance advice

* Health plan premium payments

* First report of injury

* Health claim status

* Referral certification and authorization

The supporting HIPAA standards for transactions are:

* Unique identifiers for each:

* Employer

* Health care provider

* Individual

* Health plan

* Code sets for selected data elements

* Assurances of security and confidentiality for health information

* Electronic signature standards for health information transactions

* Specific data sets for coordination of benefits information

The Secretary of HHS is also required to promulgate final regulations with respect to the privacy of individually identifiable health information in the absence of federal legislation.


Each covered entity that fails to comply with HIPAA requirements can be fined not more than $100 per violation, up to a maximum of $25,000 per year for all violations of a given standard. An entity could be penalized up to a maximum of $250,000 and imprisoned for up to 10 years for wrongful disclosure of individually identifiable health information. The maximum penalties for wrongful disclosure could be assessed if "the offense is committed with intent to sell, transfer, or use individual identifiable health information for commercial advantage, personal gain, or malicious harm." (4)

The general tenor, however, is to promote efficiency by encouraging compliance. HIPAA allows the HHS Secretary to forgo or reduce the penalty if the entity reasonably did not know of the violation (but not under circumstances of willful neglect). Further, the Secretary may give the entity additional time or provide technical assistance to reach compliance.

Preemption of state law

Standards for HIPAA transactions supersede contrary provisions of state law, unless the Secretary determines that the state law addresses controlled substances, is 'otherwise necessary,' or, in the case of privacy, is more stringent than the federal health information privacy requirements.

Broad consultation

Widespread industry input is required for the adoption of HIPAA transactions standards. The Secretary must consult with the National Uniform Billing Committee (chaired by a representative of the American Hospital Association), the National Uniform Claim Committee (chaired by a representative of the American Medical Association), the Workgroup for Electronic Data Interchange (with significant insurance industry representation), and the American Dental Association.

Additionally, the Secretary must rely on the recommendations of the National Committee on Vital and Health Statistics (NCVHS), a national advisory council of 18 experts drawn from the private sector to advise on health data policy, and must consult with appropriate federal and state agencies and private organizations. On the privacy regulation, the Secretary must consult with NCVHS and the Attorney General.

Moreover, the Secretary must adopt standards that have achieved industry consensus through processes accredited by the American National Standards Institute (ANSI). HIPAA restricts the choices of standards to those that have been developed, adopted, or modified by a standards setting organization that is accredited by ANSI, unless (1) the different standard will substantially reduce administrative costs and (2) proper rulemaking procedures are followed.

Status of the major standards choices

Since the latter half of 1996, HHS has examined health data standards with substantial industry consultation and public commentary obtained from the notices of proposed rule making (NPRM).

HIPAA transactions and code sets

The NPRM for HIPAA claims transactions and code sets was published on May 7, 1998. The standard was developed by X12, an ANSI-accredited standards committee, and is labeled "837." "X12 837" provides a format for submitting an electronic claim, including the data elements that must be present for payment and the code sets that specify the acceptable values data elements may take on.

To handle the more detailed specifications and range of different situations, an official implementation guide is incorporated by reference. Along with X12 837, the NPRM proposed adopting ICD-9 codes for institution-based procedures, CPT-4 and HCFA Common Procedure Coding System (HCPCS) codes for non-institutional or ambulatory department procedures, and National Council for Prescription Drug Programs (NCPDP) codes for drug payment claims.

National standard provider identifier

Also on May 7, 1998, the NPRM for the national provider identifier (NPI) proposed an eight-digit alphanumeric identifier for use in electronic claims processing. The NPI would be unique for each provider and assigned for life. Persuasive public comments argued, however, that for ease of use, the NPI should be only numeric. Adopting this public comment would increase the size of the identifier to ten digits, including one mathematically calculated check digit to assure the accuracy of the other digits.
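The NPRM does not say how the check digit is to be calculated. The scheme the NPI finally adopted (in 2004, after this article) is the Luhn formula computed over the nine identifier digits with a constant "80840" prefix; the example below assumes that scheme. It is an added illustration written for this page, not code from the article or from HHS, and the identifier bodies in it are constructed samples. One caveat a practitioner should keep in mind: a check digit catches keying errors (a mistyped digit, most adjacent transpositions); it does not authenticate the identifier, so a syntactically valid NPI proves nothing about who sent a claim.

```python
# Added example: NPI-style check digit (Luhn formula over a constant prefix).
# Assumption, not from the article: the scheme adopted for the NPI in 2004,
# i.e. the Luhn sum computed over "80840" + the nine identifier digits.
NPI_PREFIX = "80840"  # constant card-issuer prefix assigned to the NPI


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit, subtract 9 from
    any doubled value above 9, and add all digits together."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # positions 1, 3, 5, ... counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(nine_digits: str) -> str:
    """Return the tenth (check) digit for a nine-digit identifier body."""
    if len(nine_digits) != 9 or not nine_digits.isdigit():
        raise ValueError("identifier body must be exactly nine decimal digits")
    # A placeholder 0 in the check position keeps the doubling pattern aligned
    # with the position the real check digit will occupy.
    partial = luhn_sum(NPI_PREFIX + nine_digits + "0")
    return str((10 - partial % 10) % 10)


def make_npi(nine_digits: str) -> str:
    """Append the check digit, giving the ten-digit identifier."""
    return nine_digits + npi_check_digit(nine_digits)


def is_valid_npi(npi: str) -> bool:
    """True if npi is ten decimal digits whose prefixed Luhn sum is 0 mod 10.
    Detects transcription errors only; it is not an authentication check."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0


if __name__ == "__main__":
    body = "123456789"  # constructed sample identifier body
    npi = make_npi(body)
    print(npi, is_valid_npi(npi))       # 1234567893 True
    print(is_valid_npi("1234567839"))   # adjacent transposition: False
    print(is_valid_npi("123456789"))    # wrong length: False
```

Validation belongs at the system boundary (the claim intake or clearinghouse edit), as a data-quality edit; the identity of the submitter still has to come from the transport or signature layer the security standard addresses.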

National standard employer identifier

Released for public comment on June 16, 1998, the national employer identification number is issued and maintained by the Internal Revenue Service. Because there is widespread industry acceptance and use of this identifier, it generated the fewest comments.

Security standard

The HIPAA security standard, released for public comment on August 12, 1998, fulfills the mandate that any covered entity "that maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards." (5)

This standard proposes areas of risk avoidance that must be addressed by covered entities to protect individually identifiable health information from improper access, alteration, or loss. It is intended to assist health plans, providers, and clearinghouses to establish appropriate safeguards for assuring the integrity and confidentiality of this information.

Its flexibility permits entities of various sizes and complexities to have different security solutions. For example, a solo practitioner will not be expected to have the more elaborate security mechanisms of a large health plan. Because none of the HIPAA transactions presently requires an electronic signature, adopting a supporting standard could be delayed until the health industry, or industry in general, settles on a common mechanism for a digital signature.

Privacy standard

The privacy proposal, published on November 3, 1999, establishes federal protection for the confidentiality of individually identifiable health information. This protection is balanced with permitted disclosures of the information by covered entities under specified conditions, for such purposes as public health, research, and law enforcement. It gives individuals more control over the use of their personal health information and reaffirms the rights of patients to see, copy, and amend this information, and to learn of any disclosures.

Generally, individuals must consent to all disclosures of their health information for uses other than health care, payment, and operations. Exceptions are spelled out in the rule, along with the conditions that must be met for the exceptions to be valid. Health plans, providers, and clearinghouses that engage in electronic HIPAA transactions must notify patients about their health information privacy practices and inform them of their methods for tracking permissible disclosures. Clearinghouses that simply pass on electronic health transactions without manipulating the data would be exempt from many of these requirements.

Additional HIPAA standards

Final rules for the standards should be published some time later this year. Also, standards for a national health plan identifier and for health claims attachments, which supply additional information to plans to determine a claim's reasonableness, will be proposed for public comment. Work on the national individual (patient) identifier was halted in 1998 by Vice President Gore until the privacy of health information is adequately protected, and Congress forbade HHS to spend appropriated funds on implementing such identifiers until specifically approved by law.

Timing of implementation

By law, each health plan, provider, and clearinghouse must comply with the particular HIPAA administrative simplification standard or specification no later than 24 months after the Secretary's adoption (small health plans will have 36 months). "Small health plans" are to be defined by the Secretary, possibly those with fewer than 50 beneficiaries or with gross revenues below a given level. If the transactions and code set rules are published in final form in June 2000, with an effective date of August 2000, full compliance would be expected by August 2002.

Although covered entities could agree among themselves to conduct transactions using the adopted standards before August 2002, penalties could not be assessed before then. Most of the standards with published 'notices of proposed rule making' will likely have compliance dates in 2002; the claims transactions and code sets standards are expected to be the first to be formally adopted.

Major issues

The costs of making the transition to the legislated standards and processes remain a worrisome factor. Testing and certifying that covered entities meet HIPAA standards will be a health industry responsibility, because there is no federal funding for these purposes. National (both federal and private) resources for implementing and maintaining standards, like the national provider identifier, will be needed. Further, covered entities will most likely adopt the various standards in some sort of sequence, rather than trying to implement all of them simultaneously, which will necessitate continual adjustments and expense until the total set is achieved.


All providers, plans, and clearinghouses will be affected by the federally mandated uniform standards for health care administrative transactions. For providers who deal with billing services and clearinghouses for claims transactions, the standards will be transparent. Over time, as providers purchase new information systems and software that incorporate these standards, they will gain the capability to deal directly with plans for electronic claims submission and payment.

The costs of protecting against security risks will probably rise with the size of the provider's business. The privacy standard will clarify how individually identifiable health information is to be protected: the rights of individuals and the responsibilities of the covered entities. Obtaining these benefits, however, will require additional resources to reduce the risk of unwarranted disclosure. Many good protection practices can be found in the report of the National Research Council, For the Record: Protecting Electronic Health Information. (6) Additional information on privacy and the health system may be found in The Limits of Privacy by Amitai Etzioni. (7)

The largest opportunity for modifying each standard is during the NPRM's public comment period. For five of the standards, that window of opportunity has passed. However, there is a two-year period between the effective date of each final standard and its required implementation, giving rise to the potential for suggesting changes that improve effectiveness and reduce the burden of compliance. Four more standards are planned with no timetable for release.

Providers can have a strong voice in changing the standards by working through representation at the meetings of the standard developing organizations, X12 and NCPDP in particular, and the national uniform billing and claims committees, and through official updating processes that will be established under HIPAA.

The information age brings continual change and opportunities to improve the efficiency of administrative practices. It also brings growing responsibility to protect the confidentiality of personal health information shared in those practices. Although there are two years before these standards must be implemented, and cost and compliance issues resolved, work has already begun in many health institutions to identify and address them.


(1.) "Report on H.R. 3103, Health Insurance Portability and Accountability Act of 1996." Congressional Record (July 31, 1996), 142(115), Washington DC: USGPO, H94739516. Section 261.

(2.) "Notice of Proposed Rulemaking for the National Standard Health Care Provider Identifier, IX. Impact Analysis, A. Executive Summary," Federal Register May 7, 1998 (Volume 63, Number 88), Proposed Rules, pp. 25320-25357, web/plsql/ern.rule.rule text?user

(3.) Fitzmaurice, J. M. "A New Twist in U.S. Health Care Data Standards Development: Adoption of Electronic Health Care Transactions Standards for Administrative Simplification." International Journal of Medical Informatics, 1998, 48 (1-3): 19-28.

(4.) "Report on H.R. 3103, Health Insurance Portability and Accountability Act of 1996." Section 1177.

(5.) "Report on H.R. 3103, Health Insurance Portability and Accountability Act of 1996." Section 1173 (d) (2).

(6.) Computer Science and Telecommunications Board, National Research Council. For the Record: Protecting Electronic Health Information. Washington, DC: National Academy Press, 1997.

(7.) Etzioni, Amitai. The Limits of Privacy. New York, New York: Basic Books (Perseus Books Group), 1999.

Recommended Resources

Numerous educational opportunities are available to inform and assist physician executives in complying with HIPAA transaction standards. There will be many courses, seminars, and consultants interested in aiding the transition, but a good start is viewing the World Wide Web sources for the public comments on the proposals, implementation guides, and schedule for publication of the HIPAA regulations at


233 N. Michigan Avenue, Suite 2150

Chicago, Illinois 60601-5519


The 38,000 members of the American Health Information Management Association are experts in both clinical data and information management working in a variety of care settings including hospitals, physician offices, managed care organizations, and long-term care facilities. With a 70-year tradition of promoting quality health care through quality information, AHIMA has been instrumental in shaping industry standards, legislation, and regulation and in educating government agencies and the public on health information management issues. For further information, visit


4915 St. Elmo Avenue, Suite 401

Bethesda, Maryland 20814


The American Medical Informatics Association is dedicated to the development and application of information technology that supports patient care, teaching, research, and health care administration. Its 3,700 members include developers of clinical information systems, academically based health care professionals, and health care information systems users. For further information, visit


3800 Packard Road, Suite 150

Ann Arbor, Michigan 48108-2073

Phone 734/973-6116

The Center for Healthcare Information Management's mission is to positively impact the industry through the promotion of health care information technology. By disseminating information, convening educational programming, and fostering a collaborative environment, CHIM members seek to bring a greater awareness and understanding among professionals of how information technology can be harnessed to improve the quality and cost effectiveness of health care. For further information, visit


3300 Washtenaw Avenue, Suite 225

Ann Arbor, Michigan 48104-4250

Phone 734/665-0000

The College of Healthcare Information Management Executives is dedicated to serving the professional needs of CIOs and advancing the strategic application of information management in health care. For further information, visit


230 East Ohio Street, Suite 500

Chicago, Illinois 60611-3269


The Healthcare Information and Management Systems Society provides leadership in health care for the management of systems, information, and change through high quality publications, educational opportunities, and member services. HIMSS has 40 regional chapters and more than 12,000 members working in health care organizations internationally. Members include professionals in the fields of clinical systems, information systems, management engineering, and telecommunications. For further information, visit

The Joint Healthcare Information Technology Alliance (JHITA), is composed of the American Health Information Management Association (AHIMA), American Medical Informatics Association (AMIA), Center for Healthcare Information Management (CHIM), College of Healthcare Information Management Executives (CHIME), and Healthcare Information and Management Systems Society (HIMSS). For further information, visit

RELATED ARTICLE: Osteopaths Oppose Privacy Proposal

The American Osteopathic Association, which represents 44,000 osteopathic physicians, has called for the withdrawal of the U.S. Department of Health and Human Services' proposal to protect the privacy of medical information. While the AOA supports DHHS's efforts to develop privacy standards, it thinks that the proposal falls short of the goals envisioned by the Secretary of HHS.

To adequately address the privacy of medical records, the AOA believes that the following issues need to be resolved by Congress before meaningful protection can be achieved:

* The scope of covered records. The proposal attempts to cover many paper records by stating that any information that is electronic, or becomes electronic at any time, is covered under the rule. This could make it burdensome for individual physicians to determine what is electronic, what is paper, and what may become electronic.

* Accountability. Anyone who violates a patient's privacy should be held accountable. Therefore, Congress should enact federal legislation that expands accountability to include employers, insurance companies, bankers, billing agents, and anyone else that might have access and misuse patient information. Misuse of a patient's health information could lead to discrimination in employment, insurance, and health care coverage.

* Proper authorization. Too many government agencies have access to patients' private medical information. Allowing all health-related agencies access to medical records without authorization may result in wrongful disclosure or use.

* Cost. The administrative requirements set forth by the proposal are expensive and redundant and could add significantly to the cost of care in many small physician offices.

Jim Hawkins

J. Michael Fitzmaurice, PhD, is Senior Science Advisor for Information Technology in the Immediate Office of the Director, Agency for Healthcare Research and Quality (AHRQ). He can be reached by calling 301/594-3938 or via email at mfitzmau@ahrq.gov. The views expressed here are his and not necessarily those of AHRQ or of the Department of Health and Human Services.

Jeffrey S. Rose, MD, is the Chief Medical Officer of Cyber Plus Corporation, author of Medicine and the Information Age (ACPE Press, 1998), and an Instructor of the Health Information course for the American College of Physician Executives. He can be reached by calling 303/981-3220 or via email at
COPYRIGHT 2000 American College of Physician Executives
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2000, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author: Rose, Jeffrey S.
Publication: Physician Executive
Geographic Code: 1USA
Date: May 1, 2000