HIPAA

Note: This section is for informational purposes and is not intended as legal advice.

Premera makes no representations or guarantees that the information concerning HIPAA is accurate or complete. Please contact your attorney for legal advice.

Administrative Simplification

The Administrative Simplification part of HIPAA aims to reduce administrative costs in the healthcare industry by mandating strict limits on how PPI can be used and disclosed, as well as through adopting and using standardized, electronic transmission of PPI.

Five Elements of Administrative Simplification

Privacy
Security
Standardized Transactions
Standardized Medical Code Sets
Unique Identifiers

Privacy

HIPAA privacy regulations require compliance with standards that protect the privacy of PPI and grant individuals other rights, without creating obstacles to care and treatment. With limited exceptions, these rules mandate that no PPI may be used or disclosed without the signed authorization of the affected member.

HIPAA states that other federal and state laws that provide more stringent individual privacy protection still apply. Therefore, Premera must also consider: state patients' bills of rights and other insurance laws, state and federal public health laws, and state regulations implementing the federal Gramm-Leach-Bliley Act.

Security

HIPAA's Administrative Simplification provisions require compliance with security standards related to PPI that is transmitted or stored electronically. The regulations include requirements for physical, technical and procedural safeguards to keep electronic healthcare information secure.

Standardized Transactions

Covered healthcare providers, healthcare payers and healthcare clearinghouses must use "standard" formats to transmit healthcare transactions electronically.

The standard formats for HIPAA transactions are the American National Standards Institute (ANSI) ASC X12N, Version 4010A1. These formats apply to the following common business functions:

Transaction Name	Number
Healthcare Claims	837
Healthcare Claim Payment/Advice	835
Payroll Deducted and Other Group Premium Payment	820
Benefit Enrollment and Maintenance	834
Healthcare Services Review	278
Healthcare Eligibility Benefit Inquiry and Response	270/271
Healthcare Claim Status Request and Response	276/277

Standardized Code Sets

Electronic data exchange will require using standard code sets. The medical code sets used to identify data include:

ICD-9 for diseases*
CPT-4 for services and procedures
HCPCS for medical equipment, injectable drugs and transportation services
NDC for prescription drugs and CDT-3 for dental services

* The non-medical code sets include codes for place of service, revenue codes, relationship codes and more. Learn more about code sets and electronic transaction requirements.

The federal government requires all HIPAA-covered healthcare organizations to be compliant with the ICD -10 code sets beginning Oct. 1, 2013.

Unique Identifiers

There are standard national identifiers for providers and employers. Unique identifiers permit electronic data exchange and matching for all health insurance-related transactions.

The following list contains the unique identifiers that HIPAA requires to be standardized:

National Provider Identifier (NPI)

The NPI is a unique identification number assigned to healthcare providers to use with administrative and financial transactions. More on NPI at: https://nppes.cms.hhs.gov/NPPES/Welcome.do

National Employer Identifier (EIN)

The EIN is a unique identification number used to identify employers and employer groups. The final rule was published on May 31, 2002 with a compliance deadline of July 30, 2004. The employer tax identification number as assigned by the IRS was adopted as the EIN.

National Health Plan Identifier (HPIN)

The HPIN is a unique identification number used to identify health plans. For questions about HIPAA Transaction-related regulatory compliance (Transactions, Code Sets, National Identifiers, and Security) call the Centers for Medicare and Medicaid (CMS) at 866-282-0659.

HIPAA 5010

The U.S. Department of Health and Human Services has adopted the 5010 version as the standard format for electronic health claim transactions. HIPAA Version 5010 replaces Version 4010/4010A1 standards, and accommodates ICD-10 code sets.

Premera has a corporate-wide business plan for achieving full compliance with the electronic healthcare transactions requirements and all Premera applications that involve employer groups, contracted providers (physicians, dentists, hospitals), vendors, and trading partners. Information will be updated regularly here on the provider page. This includes information about future ICD-10 implementation.

Following are key dates for the transition from version 4010A1 to 5010:

Payers to begin Trading Partner testing on Jan. 1, 2011
Compliance testing completed by Dec. 31, 2011
Full transition compliance for all parties expected by Jan. 1, 2012

How can my providers organization prepare?

Talk with your practice management system vendors about accommodations for Version 5010
Discuss your implementation plans with all your billing agents and payers to ensure a smooth transition
Conduct testing with payers and billing agents using Version 5010
Stay up-to-date on resources and information from CMS

Resources

CMS Version 5010 Web site

Privacy & Security

The Privacy regulations give individuals the right to:

Receive the covered entity’s notice of privacy practices
Request an accounting of disclosures made outside of a covered entity's routine business functions
Complain to a covered entity and to the DHHS Secretary if they believe their privacy rights have been violated
Request that a covered entity communicate with them at an alternative location if they believe that disclosure of all or part of their health information could endanger them
Request to review, obtain copies, and amend their PPI.

Authorization

In most cases Premera’s interactions with you will be business as usual. Generally, PPI can be shared between physicians, other providers and the health plan as Premera carries out routine business functions. These include activities for processing and paying claims, determining eligibility and benefits, conducting quality audits and providing care management and case management services.

Business associates

In most instances, healthcare providers are not the business associate of the health plan, so there won't be changes to your contracts with Premera. Premera has developed its standard Business Associate Addendum to existing agreements and works with vendors and contractors to implement them.

Minimum Necessary

When requesting information or making a disclosure, covered entities must ensure that they ask for or disclose the minimum amount of PPI necessary to accomplish the intent of the disclosure. Covered entities must also ensure that the access employees have to PPI is limited to the minimum necessary to perform their jobs. However, one covered entity can rely on the request for PPI from another covered entity as being the minimum necessary as long as the requesting covered entity indicates that the PPI is related to treatment, payment or healthcare operations (TPO).

Resources

Links

Premera provides the following links for your convenience, and does not make any representations or warranties that the information contained on these sites is accurate and complete. Please be aware that these links will take you to other sites not associated with or endorsed by Premera.

Federal Regulations

Security Regulations

Implementation Guides

HIPAA Implementation and Advisory Groups

Workgroup for Electronic Data Interchange (WEDI)

Data Standards Maintenance Organizations

National Health Care Accrediting Bodies

Other HIPAA Resources

Premera Newsletters and Publications

EDI News - A quarterly newsletter for physicians and providers in Washington on electronic billing processes.

Network News - A newsletter for physicians, providers, and office staff. Published six times a year in Washington.