• Under both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act, Premera Blue Cross must take measures to protect the privacy of our members’ personal information. In addition, other state and federal privacy laws may provide additional privacy protection. Personal information includes the member’s name, Social Security number, address, telephone number, account number, employment, medical history, health records, and claims information. Learn more about our member privacy practices.

    Here you’ll find HIPAA information specific to providers.

  • Administrative Simplification

    The Administrative Simplification part of HIPAA aims to reduce administrative costs in the healthcare industry by mandating strict limits on how PPI can be used and disclosed, as well as through adopting and using standardized, electronic transmission of PPI.

    Five Elements of Administrative Simplification

    • Privacy
    • Security
    • Standardized Transactions
    • Standardized Medical Code Sets
    • Unique Identifiers


    HIPAA privacy regulations require compliance with standards that protect the privacy of PPI and grant individuals other rights, without creating obstacles to care and treatment. With limited exceptions, these rules mandate that no PPI may be used or disclosed without the signed authorization of the affected member.

    HIPAA states that other federal and state laws that provide more stringent individual privacy protection still apply. Therefore, Premera must also consider: state patients' bills of rights and other insurance laws, state and federal public health laws, and state regulations implementing the federal Gramm-Leach-Bliley Act.


    HIPAA's Administrative Simplification provisions require compliance with security standards related to PPI that is transmitted or stored electronically. The regulations include requirements for physical, technical and procedural safeguards to keep electronic healthcare information secure.

    Standardized Transactions

    Covered healthcare providers, healthcare payers and healthcare clearinghouses must use "standard" formats to transmit healthcare transactions electronically.

    The standard formats for HIPAA transactions are the American National Standards Institute (ANSI) ASC X12N, Version 4010A1. These formats apply to the following common business functions:

    Transaction Name Number
    Healthcare Claims 837
    Healthcare Claim Payment/Advice 835
    Payroll Deducted and
    Other Group Premium Payment
    Benefit Enrollment and Maintenance 834
    Healthcare Services Review 278
    Healthcare Eligibility Benefit Inquiry and Response 270/271
    Healthcare Claim Status Request and Response 276/277

    Standardized Code Sets

    Electronic data exchange will require using standard code sets. The medical code sets used to identify data include:

    • ICD-9 for diseases*
    • CPT-4 for services and procedures
    • HCPCS for medical equipment, injectable drugs and transportation services
    • NDC for prescription drugs and CDT-3 for dental services

    * The non-medical code sets include codes for place of service, revenue codes, relationship codes and more. Learn more about code sets and electronic transaction requirements.

    The federal government requires all HIPAA-covered healthcare organizations to be compliant with the ICD -10 code sets beginning Oct. 1, 2013.

    Unique Identifiers

    There are standard national identifiers for providers and employers. Unique identifiers permit electronic data exchange and matching for all health insurance-related transactions.

    The following list contains the unique identifiers that HIPAA requires to be standardized:

    National Provider Identifier (NPI)

    The NPI is a unique identification number assigned to healthcare providers to use with administrative and financial transactions. More on NPI at: https://nppes.cms.hhs.gov/NPPES/Welcome.do

    National Employer Identifier (EIN)

    The EIN is a unique identification number used to identify employers and employer groups. The final rule was published on May 31, 2002 with a compliance deadline of July 30, 2004. The employer tax identification number as assigned by the IRS was adopted as the EIN.

    National Health Plan Identifier (HPIN)

    The HPIN is a unique identification number used to identify health plans. For questions about HIPAA Transaction-related regulatory compliance (Transactions, Code Sets, National Identifiers, and Security) call the Centers for Medicare and Medicaid (CMS) at 866-282-0659.

    The Privacy regulations give individuals the right to:

    • Receive the covered entity’s notice of privacy practices
    • Request an accounting of disclosures made outside of a covered entity's routine business functions
    • Complain to a covered entity and to the DHHS Secretary if they believe their privacy rights have been violated
    • Request that a covered entity communicate with them at an alternative location if they believe that disclosure of all or part of their health information could endanger them
    • Request to review, obtain copies, and amend their PPI.


    In most cases Premera’s interactions with you will be business as usual. Generally, PPI can be shared between physicians, other providers and the health plan as Premera carries out routine business functions. These include activities for processing and paying claims, determining eligibility and benefits, conducting quality audits and providing care management and case management services.

    Business Associates

    In most instances, healthcare providers are not the business associate of the health plan, so there won't be changes to your contracts with Premera. Premera has developed its standard Business Associate Addendum to existing agreements and works with vendors and contractors to implement them.

    Minimum Necessary

    When requesting information or making a disclosure, covered entities must ensure that they ask for or disclose the minimum amount of PPI necessary to accomplish the intent of the disclosure. Covered entities must also ensure that the access employees have to PPI is limited to the minimum necessary to perform their jobs. However, one covered entity can rely on the request for PPI from another covered entity as being the minimum necessary as long as the requesting covered entity indicates that the PPI is related to treatment, payment or healthcare operations (TPO).


    Premera provides the following links for your convenience, and does not make any representations or warranties that the information contained on these sites is accurate and complete. Please be aware that these links will take you to other sites not associated with or endorsed by Premera.

    Federal Regulations

    Security Regulations

    Implementation Guides

    HIPAA Implementation and Advisory Groups

    Data Standards Maintenance Organizations

    National Health Care Accrediting Bodies

    Other HIPAA Resources

    Premera News

    Provider News - Monthly news for providers and office staff.

  • Note: This HIPAA content is for informational purposes and is not intended as legal advice. Premera makes no representations or guarantees that the information concerning HIPAA is accurate or complete. Please contact your attorney for legal advice.