This page was last updated February 26, 2003.


HIPAA

The Health Insurance Portability and Accountability Act of 1996 requires the Department of Health and Human Services, through the Health Care Financing Administration, to establish rules for administrative simplification. These rules are meant to reduce health care costs by standardizing health-related transactions while at the same time protecting the privacy of individuals.

Final Rule for Transactions and Code Sets

Hospitals must comply with the Rule for Transactions and Code Sets by October 16, 2003. The rule states that those electronic transactions for which a standard exists must comply with the standard. The rule does not require hospitals to use electronic transactions. Also, hospitals may elect to use a health care clearinghouse, or intermediary, such as Blue Cross, to make standard electronic transactions on their behalf. In this case, nonstandard transactions may be sent to the intermediary. Currently, Blue Cross of Mississippi supports 835 but none of the other standards. Paper, phone, and direct entry submissions are all permitted in nonstandard formats.

HDMS2000 currently supports ASC X12N 835 - Health Care Claim Payment / Advice. Support is being added for ASC X12N 837 - Health Care Claim: Institutional. It is currently being tested with Blue Cross of Alabama and Blue Cross of Louisiana. We can provide customized support for the other standard transactions for those hospitals wishing to use them. The remaining standard transactions are:

837 - Health Care Claim: Dental
837 - Health Care Claim: Professional
270/271 - Health Care Eligibility Benefit Inquiry and Response
278 - Health Care Services Review - Request for Review and Response
276/277 - Health Care Claim Status Request and Response
834 - Benefit Enrollment and Maintenance
820 - Payroll Deducted and Other Group Premium Payment for Insurance Products

Currently, not all health care clearinghouses are accepting standard transactions. Compliance with these standards will depend upon the organization to which you are transmitting. According to the rule, those institutions acting as health care clearinghouses can accept nonstandard transactions and translate them to standard transactions for retransmission.

Final Rule for Privacy

The Final Privacy Rule will take effect on April 14, 2003. This will require hospitals to take steps to safeguard patient information and document their efforts to do so. This applies to any diagnostic, treatment, or prescription information, but not financial information.

Access to patient information should be on a need-to-know basis. Health care professionals involved in the care of a patient must have immediate access to that patient's health records. Patients must have access to their own records. Other employees who need access to patient records to perform their jobs should have access to those records.

Paper records must be stored in an area with limited physical access. A log should be kept of people accessing records and what records they access. Records should not be left where other people could see them. Magnetic tapes should be stored in the same way.

Electronic records on the AS/400 are secured by the AS/400 system. Employees who do not need access to the AS/400 should not be given access. Employees who do need access to the AS/400 should agree not to misuse patient information.

Most likely hospitals already do these things. The privacy rule will require that there be a person designated to be responsible for privacy. They will need to formalize and write down privacy procedures and educate patients and employees about those procedures. They will need to collect and store patient consent forms for the use of patient health information.

Final Security Rule

The final security rule will require that patient information covered by the privacy rule that is stored or transmitted electronically be kept private. Many of the steps necessary to accomplish security are not technical. Don't share passwords. Don't write down passwords. Sign off when you leave your desk. The Security Rule will require hospitals to have a designated security officer, a written security policy, and a regular security review. Providers must comply with the rule by April 21, 2005.