HIPAA Health Insurance Portability and Accountability Act of 1996: everything you always wanted to know but were afraid to ask!

Robin M. Caplan

The Health Insurance Portability and Accountability Act of 1996 was signed into law on August 21, 1996 by then-President Bill Clinton. Its many provisions were designed to make health insurance more affordable and accessible. Congress included provisions in HIPAA to require Health and Human Services (HHS) to adopt national standards for certain electronic health care transactions, codes, identifiers and security. These rules may have a profound impact on healthcare organizations. At a minimum, organizations must ensure that they have written policies and procedures, training programs for staff, and methods in place to communicate with patients and ensure that their protected health information is kept private and confidential.

The Structure of the Law

HIPAA is comprised of five Titles: Title I: Portability (medical plans only); Title II: Fraud and Abuse, Subtitle F: Administrative Simplification; Title III: Tax Related; Title IV: Group Health Plans; and Title V: Revenue Offsets. Dental health care providers (as well as health plans, hospitals, etc.) are governed by the provisions in Title II, Subtitle F.

Covered Entities: those who must comply with HIPAA are health plans, healthcare clearinghouses (third party insurance), software vendors and healthcare providers (including pharmacies) who conduct certain financial and administrative transactions electronically, such as eligibility, referral authorizations and claims. Offices should contact their software vendor/clearinghouse to make sure they are compliant and determine if the office will need a software upgrade.

Title II Fraud and Abuse, Subtitle F: Administrative Simplification.

The Fraud and Abuse Control Program created under the Attorney General and Secretary of Health and Human Services acts to conduct investigations, audits and evaluations relating to delivery of health and payment for healthcare. It provides guidance on fraudulent practices and establishes a national data bank. Subtitle F mandates electronic claims filing by developing 1) Standard Healthcare Transaction and Code Set (effective 10/16/2002 or file for an extension, see below), 2) Patient Privacy Standard (effective 4/14/2003), 3) Information System Security Standard and 4) National Standard Healthcare Provider Identifier. In short, the purpose of Administrative Simplification is to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. It is estimated that by eliminating inefficient paper forms and encouraging the use of electronic transactions, the health care industry will realize a savings of $29.9 billion over a ten-year period.

Standard Health Care Transaction and Code Set: by standardizing data content, codes and electronic formats, all health plans will be required to accept these standard electronic claims, referral authorizations and other transactions. In order to apply for an extension, you must submit a plan for achieving compliance by the new deadline. The model plan is available at http://www.cms.gov/hipaa.

Patient Privacy Standard: the final modifications to the rule were published on August 14, 2002 in the Federal Register and were enacted to protect the confidentiality of medical records and other personal health information. The rule limits the use and release of individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding disclosure of records for certain public responsibilities such as public health, research and law enforcement. In other words:

* patients must give specific authorization before covered entities can use or disclose protected information for most non-routine circumstances.

* covered entities must provide patients with written notice of their privacy practices and patients’ privacy rights.

* covered entities must first obtain an individual’s specific authorization before sending them marketing materials. However, the rule permits free communication with patients about treatment options and other health related information.

* covered entities may not sell, trade, share or otherwise release patients’ names to a business for the purposes of marketing.

* consents for release of information and use of health information will have to be more specific about what and how much information is released.

* offices will need to obtain written authorization from patients permitting the office to leave messages for them on their personal answering devices.

* while locking file cabinets are not necessary, offices need to evaluate where patient charts are stored and who has access to those charts.

Offices may utilize patient sign-in sheets, post daily schedules in operatories and conduct health-related or business-related conversations with patients in a semi-private setting as long as the office has made every reasonable attempt to comply with the final privacy rule. Detailed information regarding the privacy rule can be found at http://www.hhs.gov/ocr/hipaa or www.hhs.gov/ocr/hipaa/finalreg.html.

Employer Identifier: In the past, health plans and providers may have used different ID numbers for a single employer in their transactions, increasing the time and cost for routine activities such as health plan enrollments and health plan premium payments.

In May 2002, HHS issued a final rule to standardize the identifying numbers assigned to employers in the health care industry by using the existing Employer Identification Number (EIN). Any employer that pays wages to employees already has an IRS-issued EIN.

National Provider Identifier: Standards are being developed by HHS for health care providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. This identifier would be assigned to and forever belong to the individual provider. Currently, health care providers are assigned different ID numbers by each different private health plan. Standardizing the Provider Identifier will eliminate slower payments, decrease health care costs and coordinate the efforts of the providers and the health plans.


* Organizations must obtain a copy of the final privacy rule. For those organizations that have acted in advance and developed policies it will be necessary for them to assess and revise these policies as indicated.

* Develop and post a notice of the organization’s privacy practices and patients’ privacy rights.

* Develop and implement a mechanism in which patients would be asked to sign an acknowledgment of receipt of the privacy notice, which would become part of the patient’s treatment record.

* Offices will be required to provide evidence that staff has been trained on the organization’s privacy policies and procedures, patients’ privacy rights and the consequence of violating established policies and procedures. This training should become part of the employee initial orientation.

* Develop a log to be kept in each patient’s record to document release of information. This includes any element of the patient’s medical record released to a third party (sexual abuse, substance abuse, health issues, etc.). This document should be reviewed with legal counsel.

* Develop a log to be kept in each patient’s record to document patient authorization to leave messages on personal answering devices.

By ensuring consistency throughout the industry, these national standards will make it easier for health plans, doctors, dentists and hospitals to process claims and other electronic transactions efficiently and effectively.


HHS–Health and Human Services

OCR–Office For Civil Rights

HIPAA–Health Insurance Portability and Accountability Act

CMS–Center for Medicare/Medicaid Services

EIN–Employer Identification Number (issued by the IRS)









Robin M. Caplan, CDA, is a technical specialist for Total Compliance Solutions, Inc. of Wayland, MA, OSHA compliance specialists. She was educated at Community College of Baltimore and Towson University in the area of community health and authored an instructor’s manual to accompany Delmar Publishing’s book Dental Assisting–A Comprehensive Approach. At this time she serves her profession as president of the Maryland Dental Assistants Association as well as being ADAA Third District Trustee.

COPYRIGHT 2003 American Dental Assistants Association

COPYRIGHT 2003 Gale Group