• HIPAA is the United States Health Insurance Portability and Accountability
Act of 1996. There are two sections to the Act.
• Title I: Deals with protecting health insurance coverage for people who lose
or change jobs.
• Title II: Includes an administrative simplification section which deals with
the standardization of healthcare-related information systems.
Title II is the most important section when referring to HIPAA.
Objectives of the Act:
• HIPAA seeks to establish standardized mechanisms for Electronic Data
Interchange (EDI), security, and confidentiality of all healthcare-related data.
i. Patient health, administrative, and financial data
ii. Unique identifiers (ID numbers) for each healthcare entity, including individuals,
employers, health plans and health care providers
iii. Security mechanisms to ensure confidentiality and data integrity for any
information that identifies an individual.
Title I:
• Deals with Health care access, Portability and Renewability (Plans)
• It regulates the availability and extent of group health plans and certain
• Limits restriction that a group health plan can place on benefits of certain
preexisting conditions.
Title II:
• Deals with:
• Administrative Simplification
What does it do?
• Defines policies, procedures and guidelines for maintaining the privacy and
security of individually identifiable health information.
This rule is applicable to:
• Health plans
• Billing services
As per the requirements of Title II, the HHS has promulgated five rules regarding
Administrative Simplification:
The Unique Identifier Rule:
• HIPAA covered entities, such as providers completing electronic transactions, healthcare
clearinghouses, and large health plans, must use only the National Provider Identifier (NPI) to identify
covered healthcare providers in standard transactions. (A National Provider Identifier (NPI) is a
unique 10-digit identification number issued to health care providers in the United States by the
Centers for Medicare and Medicaid Services (CMS). The NPI has replaced the Unique Physician
Identification Number (UPIN) as the required identifier for Medicare services, and is used by other
payers, including commercial healthcare insurers.)
• This rule came into force by May 23rd 2006 and was to be implemented by May 23rd 2007; for
small health care plans the rule was effective from May 23rd 2008.
• All the covered entities using electronic communications must use a single new
NPI.
• The NPI replaces all other identifiers used by the covered entities and assigns a
unique number.
• The NPI does not replace the DEA (Drug Enforcement Agency) number, state
license number, or tax identification number.
• The NPI number is a 10-digit number.
• Alpha-numeric.
• Does not contain any embedded intelligence; it is simply a number.
• An institution can obtain multiple NPIs for different subparts. Ex: a hospital
providing cancer treatment as well as running a rehabilitation center can
have two different NPI numbers.
Enforcement Rule
Transactions and Code Sets Rule
• HIPAA was intended to make the health care system in the United States
simplification.
• This act simplifies the health care transactions by requiring all health
• Information about the administrative simplification can be found at 42 USC §
1320d-2 and 45 CFR Part 162.
• It can also be used to transmit health care claims and billing payment
information between payers with different payment responsibilities where
coordination of benefits is required or between payers and regulatory
agencies to monitor the rendering, billing, and/or payment of health care
services within a specific health care/insurance industry segment.
EDI Retail Pharmacy Claim Transaction:
• It can also be used to transmit claims for retail pharmacy services and
billing payment information between payers with different payment
responsibilities where coordination of benefits is required or between
payers and regulatory agencies to monitor the rendering, billing, and/or
payment of retail pharmacy services within the pharmacy health
care/insurance industry segment.
EDI Health Care Claim Payment/Advice Transaction Set:
• It can be used to make a payment, send an Explanation of Benefits
(EOB), send an Explanation of Payments (EOP) remittance advice, or
make a payment and send an EOP remittance advice only from a health
insurer to a health care provider either directly or via a financial institution.
EDI Functional Acknowledgement Transaction Set:
• This transaction set can be used to define the control structures for a set
of acknowledgments
• The encoded documents are the transaction sets, which are grouped in
functional groups, used in defining transactions for business data
interchange. This standard does not cover the semantic meaning of the
information encoded in the transaction sets
Privacy rule
Effective date: April 14th 2003 (one-year extension for small plans).
• What it regulates?
• Dept. of health and human services extended HIPAA privacy rule to independent
• PHI is the information held by a covered entity which concerns health status,
provision of health care, or payment for health care that can be linked to an
individual.
• Also includes patients' medical history and payment history.
• Any other disclosures of PHI (Protected Health Information) require the covered
entity to obtain written authorization from the individual for the disclosure.
• Confers on individuals the right to have a covered entity correct any inaccurate PHI.
• Ensures confidentiality of communications with the individuals.
• Mandates that the covered entities keep the individuals notified of their uses of
PHI.
• Covered entities must keep track of disclosures of information, document privacy
policies and procedures.
• Must appoint a person to handle the complaints and to train all members of work
force in the area of PHI.
• Complaint filing – if privacy rule is not being upheld.
Security Rule
• The Final Rule on Security Standards was issued on 20th February, 2003.
• It took effect on April 21, 2003 with a compliance date of April 21, 2005 for
most covered entities and April 21, 2006 for "small plans".
• This rule lays out three safeguards.
1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards.
• Addressable specification – a bit flexible specification.
Administrative safeguard:
• Policies and procedures designed to clearly show how the entity will comply with
the act.
• Covered entities (entities that must comply with HIPAA requirements) must adopt
a written set of privacy procedures and designate a privacy officer to be
responsible for developing and implementing all required policies and procedures.
• Procedures must identify employees, their class and must assign access
to those who need PHI to complete their job.
• Contingency plan to exist.
Physical Safeguards
• Controlling physical access to protect against inappropriate access to protected
data.
• Controls must govern the introduction and removal of hardware and software
from the network. (When equipment is retired it must be disposed of properly to
ensure that PHI is not compromised.)
• Access to hardware and software must be limited to properly authorized
individuals.
• If the covered entities utilize contractors or agents, they too must be fully
trained on their physical access responsibilities.
Technical Safeguards
• Each covered entity is responsible for ensuring that the data within its
systems has not been changed or erased in an unauthorized manner.