New Horizons Community Service Board

HIPAA

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law August 21, 1996. This industry-sweeping, landmark legislation affects nearly everyone involved in the healthcare process, from providers to healthcare information systems vendors to payers. HIPAA contains provisions for the portability of insurance coverage as employees move from one employer to another. It also contains provisions for Administrative Simplification covering privacy and security of healthcare information and for government-mandated Standards for electronic Transactions, Code Sets and Identifiers.

HIPAA Administrative Simplification provisions require the protection of patient data from inappropriate disclosure, define the type of information that must be protected, and define the circumstances under which this information can be disclosed. HIPAA Administrative Simplification Security provisions define the policies, practices, and mechanisms that should be in place to ensure that the privacy of healthcare information is maintained.

The goals of the Administrative Simplification provisions of HIPAA are to improve the efficiency and effectiveness of healthcare through standardization of all shared electronic information, protect the privacy and security of patient information stored and exchanged electronically, and reduce the cost of exchanging information among healthcare partners. HIPAA legislation will restructure the approach in which health data is captured, transmitted, stored, secured and managed. It will affect healthcare policy, procedure, and information technology. Those payers and providers that choose not to use the electronic standards can use a clearinghouse to comply with the requirement. Providers' paper transactions are not subject to this requirement.

The Administrative Simplification portion of HIPAA drew heavily from the work developed by the Workgroup for Electronic Data Interchange (WEDI). Their report, published in July 1992, proposed the use of standard transactions and codes for healthcare transactions, and the use of national identifiers for patients, providers and health plans. As a result, HIPAA Administrative Simplification establishes standards for the format and data content of various healthcare transactions. It also sets minimum requirements for the transmission, storage and handling of healthcare information.

 The following deadlines exist relating to HIPAA Administrative Simplification:

Standards for Electronic Transactions 

- (Compliance Date: October 16, 2002, with an extension allowed until October 16, 2003 for entities that filed for an extension with the Secretary of the Department of Health and Human Services (HHS) by October 16, 2002, the original compliance date.) CMS (Centers for Medicare and Medicaid Services) has indicated that a covered entity that did not submit an extension request should come into compliance as soon as possible and be prepared to submit a corrective action plan in the event a complaint is filed against them. CMS has also indicated that penalties for non-compliance would not be automatically imposed on entities that did not file for the extension. The process leading to these penalties will be initiated primarily in response to an external complaint filed against a covered entity. If a complaint is received, the entity will have opportunities to avoid penalties by demonstrating compliance, or showing how they will achieve compliance by submitting a corrective action plan. Only when an entity does none of these things would CMS give consideration to invoking civil monetary penalties or excluding a provider from Medicare. Please refer to http://www.cms.gov/higaa/.

 

- It is important to note that the compliance date for Privacy, April 14, 2003, is not affected by this legislation.

 The Privacy Standard

The Privacy Standards apply to "individually-identifiable health information" transmitted or stored in any form ("paper, oral, or electronic") that concerns the individual's past, present, or future physical or mental health, or that relates to the provision of health care to or payment of health care for the individual.

The phrase "individually identifiable health information" refers to any health-related information that could be used to identify an individual. Examples include but are not limited to the following:  

- Names
- Addresses
- Cities and countries
- Phone numbers
- Fax numbers
- Email addresses
- Web addresses (URLs)
- IP addresses
- Certificate numbers
- License numbers
- Zip codes
- Account numbers
- Birth dates

Patients are afforded a number of new rights under the Privacy Standards, including the right to adequate notice of privacy policies, the right to access protected health information, the right to an accounting of disclosures and the right to request amendment of protected health information. Covered entities are obligated to implement a number of administrative requirements (including privacy initiatives, security administration, and physical and technical security safeguards for information) in order to honor these patient rights and achieve compliance with the other provisions of the rule. Covered entities will generally be permitted to disclose protected health information to "business associates," provided that they obtain contractual assurances from the business associate that it will safeguard the information. A business association is created when the right to use or disclose information belongs to the covered entity and another party requires the information either (1) to perform a function for, or on behalf of, the covered entity (e.g., billing or practice management services) or (2) to provide certain specified services (e.g., legal and accounting) to the covered entity. A business associate contract is not required where a disclosure is made for treatment purposes from one provider to another.

HHS Office of Civil Rights (OCR) has been charged with enforcing the Privacy Standards, and its focus will be on achieving organizations' voluntary compliance with the rule. Where this goal cannot be attained, the HIPAA statute establishes a range of civil and criminal penalties for violation of the Privacy Standards. HHS has emphasized that the Privacy Standards are intended to be "scalable" so that they can be implemented appropriately with different types of covered entities ranging from one-provider dental and physician practices to national hospital chains.

The Transaction Standard 

HIPAA contains provisions for Administrative Simplification covering privacy and security of healthcare information including government-mandated Standards for electronic transactions.

The Transaction Standards covered by HIPAA include the following types of transactions:

- Healthcare claims or equivalent encounter information;
- Eligibility for a health plan;
- Referral certification and authorization;
- Healthcare claim status;
- Enrollment and disenrollment in a health plan;
- Healthcare payment and remittance advice;
- Health plan premium payments;
- Coordination of benefits.

The HIPAA Transaction Standards rules define a special role for Healthcare Clearinghouses, allowing them to provide services to translate non-compliant data into standard electronic formats. This role is particularly important to our existing practice management clients, since it provides a mechanism for them to meet the HIPAA Transaction Standards' compliance requirements without the substantial investment in software or hardware upgrades that would be required to process these transactions directly. As part of our commitment to our customers, PracticeWorks developed an implementation schedule in 2001 that would bring transactions currently offered by our company into compliance by the original deadline of October 16, 2002.

HIPAA Security Standard

The new release date for the Standards document is set for April 21, 2005. It is the intention of New Horizons to fully comply with this Standard, and to maintain a copy of the Rules and Regulations on the web site at www.newhorizonscsb.org and in the IT Director's office as well as other places in the agency for staff to review.


 


Copyright 2004 NHCSB. All rights reserved