HIPAA Administrative Simplification Rules

(Privacy, EDI and Security Rules)

The administrative simplification standards required under the HIPAA law include three components: health care privacy rules, electronic data interchange (EDI) rules, and rules for the security of health data.

Overview of Privacy Rules

The intent of the HIPAA privacy rules is to ensure the confidentiality of medical information. Generally, these regulations protect any protected health information (PHI) maintained by a covered entity in any form, including oral communications. The final regulations also specify permitted and prohibited disclosures of PHI to plan sponsors for plan operation purposes. Even if the employer/plan sponsor is not acting in a plan capacity, certain information can be disclosed, such as enrollment and disenrollment information, including:

  • Names of participants and covered dependents;
  • Covered plan choices; and
  • Premium amounts.

In addition, PHI can be disclosed to business associates or other health plans, such as insurers or HMOs, for purposes of obtaining proposals, or for otherwise placing the business.

Applicability Date of Privacy Rules

The HIPAA privacy rules became applicable April 14, 2003 for large plans and April 14, 2004 for small plans. A small health plan is a plan with $5 million or less in annual receipts. Annual receipts are determined as follows:

  • For an insured plan, annual receipts are determined by premiums paid in the preceding fiscal year.
  • For a self-funded plan, annual receipts are the claims paid in the preceding fiscal year.
  • If the employer has a combined insured and self-funded plan, the employer adds premiums and claims paid to determine receipts.
  • If stop loss insurance is held by the employer, and not by the plan, to reimburse the employer for its expenses, it would appear that the premium for the stop loss insurance would not be included in the calculation of annual receipts.

Overview of HIPAA EDI Rules

The EDI rules govern electronic transactions between health plans, providers, and health care clearinghouses. Examples of administrative and financial health care transaction standards include:

  • Health claims and equivalent encounter information.
  • Enrollment and disenrollment in a health plan.
  • Eligibility for a health plan.
  • Health care payment and remittance advice.
  • Health plan premium payments.
  • Health claim status.
  • Referral certification and authorization.
  • Coordination of benefits.

Compliance Date of EDI Rules

Unless the plan is a small health plan (as defined above), all health plans must comply with the EDI rules by October 16, 2002, unless an extension was filed delaying the effective date until October 16, 2003.

Overview of HIPAA Security Rules

The third significant component of the HIPAA administrative simplification requirements, applicable to health plans as covered entities, became effective April 21, 2005 for large plans and April 21, 2006 for small plans. The HIPAA security rules specifically apply to electronic protected health information (e-PHI). e-PHI is any PHI that is created, received, maintained, or transmitted electronically, such as through the internet, CD, magnetic tape, etc. The security rules generally do not apply to paper faxes or voice-to-voice response systems; they do, however, apply to computer-based faxes and computer-based automated voice systems.

The HIPAA security rules require that administrative, physical, and technical safeguards be established to ensure the security of such information.

  • Administrative safeguards are functions implemented to meet the standards, such as appointing a security officer or providing security training.
  • Physical safeguards protect the physical systems and equipment that maintain the information from events such as natural disasters or unauthorized intrusions. Examples of physical safeguards include restricting physical access to systems holding e-PHI, or retaining off-site computer backups.
  • Technical safeguards protect the information itself and its transmission, for example through encryption, the use of passwords, etc.

What Should An Employer Do?

  • Determine which of your health plans are subject to the HIPAA administrative simplification rules, and specifically, those that maintain e-PHI.
  • Determine the date these rules become applicable to your plan(s). Make certain that you can comply with all of the administrative requirements to which your plans are subject.
  • Appoint a privacy officer and a security officer.
  • Develop and implement policies and procedures to ensure the protection of all forms of PHI.
  • Prepare a Notice of Privacy Practices, including practices with respect to uses and disclosure to carry out treatment, payment and/or health care operations. 
  • Make certain the plan has a business associate agreement in place with any entity authorized to receive or disseminate PHI. If the entity has access to e-PHI, make certain the business associate agreement addresses the HIPAA Security Rules.
  • If PHI is used for purposes of payment, treatment, or health plan operations, a written authorization to release PHI is not required. However, if PHI is used for other purposes, such as releasing information to an employer, managing other benefit plans not subject to HIPAA (such as disability plans), or for marketing or disease management activities, a written authorization must be obtained from the individual before releasing such information.
  • Identify the employees in your workforce with access to PHI, and train them on your policies and procedures.
  • Confer with external vendors to ensure their compliance with the Administrative Simplification Rules.
  • If you transmit or store PHI electronically, make certain you can comply with EDI and security rules.
  • Analyze and document all types of PHI maintained by the plan. Assess potential risk to PHI.
  • Review and assess security measures in light of the mandatory and addressable standards, and the particular needs of your organization.
  • Amend business associate agreements and plan documents to ensure protection of PHI.
  • Be prepared to certify that you will use medical information only for the intended purposes and no other. Expect to receive plan document modifications that include medical information privacy provisions. If you write your own plan document, add these provisions to it. The plan sponsor must amend health plan documents to incorporate provisions relating to required uses and disclosures of PHI. Make certain that PHI is never used for a prohibited purpose, such as an employment-related action.