Under both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act, Premera Blue Cross must take measures to protect the privacy of our members’ personal information. In addition, other state and federal privacy laws may provide additional privacy protection. Personal information includes the member’s name, Social Security number, address, telephone number, account number, employment, medical history, health records, and claims information. Learn more about our member privacy practices.
Here you’ll find HIPAA information specific to providers.
The Administrative Simplification part of HIPAA aims to reduce administrative costs in the healthcare industry by mandating strict limits on how PPI can be used and disclosed, and by adopting and using standardized electronic transmission of PPI.
Five Elements of Administrative Simplification
HIPAA privacy regulations require compliance with standards that protect the privacy of PPI and grant individuals other rights, without creating obstacles to care and treatment. With limited exceptions, these rules mandate that no PPI may be used or disclosed without the signed authorization of the affected member.
HIPAA states that other federal and state laws that provide more stringent individual privacy protection still apply. Therefore, Premera must also consider: state patients' bills of rights and other insurance laws, state and federal public health laws, and state regulations implementing the federal Gramm-Leach-Bliley Act.
HIPAA's Administrative Simplification provisions require compliance with security standards related to PPI that is transmitted or stored electronically. The regulations include requirements for physical, technical and procedural safeguards to keep electronic healthcare information secure.
Covered healthcare providers, healthcare payers and healthcare clearinghouses must use "standard" formats to transmit healthcare transactions electronically.
The standard formats for HIPAA transactions are the American National Standards Institute (ANSI) ASC X12N, Version 4010A1. These formats apply to the following common business functions:
Standardized Code Sets
Electronic data exchange will require using standard code sets. The medical code sets used to identify data include:
The non-medical code sets include codes for place of service, revenue codes, relationship codes and more.
* The federal government requires all HIPAA-covered healthcare organizations to be compliant with the ICD-10 code sets beginning Oct. 1, 2013.
There are standard national identifiers for providers and employers. Unique identifiers permit electronic data exchange and matching for all health insurance-related transactions.
The following list contains the unique identifiers that HIPAA requires to be standardized:
National Provider Identifier (NPI)
The NPI is a unique identification number assigned to healthcare providers to use with administrative and financial transactions. More on NPI at: nppes.cms.hhs.gov/NPPES/Welcome.do
National Employer Identifier (EIN)
The EIN is a unique identification number used to identify employers and employer groups. The final rule was published on May 31, 2002 with a compliance deadline of July 30, 2004. The employer tax identification number as assigned by the IRS was adopted as the EIN.
National Health Plan Identifier (HPIN)
The HPIN is a unique identification number used to identify health plans.
For questions about HIPAA Transaction-related regulatory compliance (Transactions, Code Sets, National Identifiers, and Security) call the Centers for Medicare and Medicaid (CMS) at 866-282-0659.
The Privacy regulations give individuals the right to:
In most cases Premera’s interactions with you will be business as usual. Generally, PPI can be shared between physicians, other providers and the health plan as Premera carries out routine business functions. These include activities for processing and paying claims, determining eligibility and benefits, conducting quality audits and providing care management and case management services.
In most instances, healthcare providers are not the business associate of the health plan, so there won't be changes to your contracts with Premera. Premera has developed its standard Business Associate Addendum to existing agreements and works with vendors and contractors to implement it.
When requesting information or making a disclosure, covered entities must ensure that they ask for or disclose the minimum amount of PPI necessary to accomplish the intent of the disclosure. Covered entities must also ensure that the access employees have to PPI is limited to the minimum necessary to perform their jobs. However, one covered entity can rely on the request for PPI from another covered entity as being the minimum necessary as long as the requesting covered entity indicates that the PPI is related to treatment, payment or healthcare operations (TPO).
Premera provides the following links for your convenience, and does not make any representations or warranties that the information contained on these sites is accurate and complete. Please be aware that these links will take you to other sites not associated with or endorsed by Premera.
HIPAA Implementation and Advisory Groups
Data Standards Maintenance Organizations
National Health Care Accrediting Bodies
Other HIPAA Resources
Note: This HIPAA content is for informational purposes and is not intended as legal advice. Premera makes no representations or guarantees that the information concerning HIPAA is accurate or complete. Please contact your attorney for legal advice.