• HIPAA

    Note: This section is for informational purposes and is not intended as legal advice.

    Premera makes no representations or guarantees that the information concerning HIPAA is accurate or complete. Please contact your attorney for legal advice.

  • HIPAA Overview

    Administrative Simplification 

    The Administrative Simplification part of HIPAA aims to reduce administrative costs in the healthcare industry by mandating strict limits on how PPI can be used and disclosed, as well as through adopting and using standardized, electronic transmission of PPI.

    Five Elements of Administrative Simplification 

    • Privacy
    • Security
    • Standardized Transactions
    • Standardized Medical Code Sets
    • Unique Identifiers

    Privacy 

    HIPAA privacy regulations require compliance with standards that protect the privacy of PPI and grant individuals other rights (described below), without creating obstacles to care and treatment. With limited exceptions, these rules mandate that no PPI may be used or disclosed without the signed authorization of the affected member.

    HIPAA states that other federal and state laws that provide more stringent individual privacy protection still apply. Therefore, Premera must also consider: state patients’ bills of rights and other insurance laws, state and federal public health laws, and state regulations implementing the federal Gramm-Leach-Bliley Act.

    Security 

    HIPAA's Administrative Simplification provisions require compliance with security standards related to PPI that is transmitted or stored electronically. The regulations include requirements for physical, technical and procedural safeguards to keep electronic healthcare information secure.

    Standardized Transactions 

    Covered healthcare providers, healthcare payers and healthcare clearinghouses must use "standard" formats to transmit healthcare transactions electronically.

    The standard formats for HIPAA transactions are the American National Standards Institute (ANSI) ASC X12N, Version 4010A1. These formats apply to the following common business functions:

    Transaction NameNumber
    Healthcare Claims837
    Healthcare Claim Payment/Advice835
    Payroll Deducted and Other Group Premium Payment820
    Benefit Enrollment and Maintenance 834
    Healthcare Services Review 278
    Healthcare Eligibility Benefit Inquiry and Response 270/271
    Healthcare Claim Status Request and Response 276/277

    Standardized Code Sets 

    Electronic data exchange will require using standard code sets. The medical code sets used to identify data include:

    • ICD-9 for diseases*
    • CPT-4 for services and procedures
    • HCPCS for medical equipment, injectable drugs and transportation services
    • NDC for prescription drugs and CDT-3 for dental services

    * The non-medical code sets include codes for place of service, revenue codes, relationship codes and more. Learn more about code sets and electronic transaction requirements.

    The federal government requires all HIPAA-covered healthcare organizations to be compliant with the ICD -10 code sets beginning Oct. 1, 2013.

    Unique Identifiers 

    There are standard national identifiers for providers and employers. Unique identifiers permit electronic data exchange and matching for all health insurance-related transactions.

    The following list contains the unique identifiers that HIPAA requires to be standardized:

    National Provider Identifier (NPI) 

    The NPI is a unique identification number assigned to healthcare providers to use with administrative and financial transactions. More on NPI at: https://nppes.cms.hhs.gov/NPPES/Welcome.do

    National Employer Identifier (EIN) 

    The EIN is a unique identification number used to identify employers and employer groups. The final rule was published on May 31, 2002 with a compliance deadline of July 30, 2004. The employer tax identification number as assigned by the IRS was adopted as the EIN. More on EIN at: cms.gov/EmployerIdentifierStand/ 

    National Health Plan Identifier (HPIN) 

    The HPIN is a unique identification number used to identify health plans. For questions about HIPAA Transaction-related regulatory compliance (Transactions, Code Sets, National Identifiers, and Security) call the Centers for Medicare and Medicaid (CMS) at 866-282-0659.

    HIPAA 5010

    HIPAA 5010

    The U.S. Department of Health and Human Services has adopted the 5010 version as the standard format for electronic health claim transactions. HIPAA Version 5010 replaces Version 4010/4010A1 standards, and accommodates ICD-10 code sets.

    Premera has a corporate-wide business plan for achieving full compliance with the electronic healthcare transactions requirements and all Premera applications that involve employer groups, contracted providers (physicians, dentists, hospitals), vendors, and trading partners. Information will be updated regularly here on the provider page. This includes information about future ICD-10 implementation.

    Following are key dates for the transition from version 4010A1 to 5010:

    • Payers to begin Trading Partner testing on Jan. 1, 2011
    • Compliance testing completed by Dec. 31, 2011
    • Full transition compliance for all parties expected by Jan. 1, 2012

    How can my providers organization prepare?  

    • Talk with your practice management system vendors about accommodations for Version 5010
    • Discuss your implementation plans with all your billing agents and payers to ensure a smooth transition
    • Conduct testing with payers and billing agents using Version 5010
    • Stay up-to-date on resources and information from CMS

    Resources 

    CMS Version 5010 Web site 

    Privacy & Security

    The Privacy regulations give individuals the right to:

    • Receive the covered entity’s notice of privacy practices
    • Request an accounting of disclosures made outside of a covered entity's routine business functions
    • Complain to a covered entity and to the DHHS Secretary if they believe their privacy rights have been violated
    • Request that a covered entity communicate with them at an alternative location if they believe that disclosure of all or part of their health information could endanger them
    • Request to review, obtain copies, and amend their PPI.

    Authorization

    In most cases Premera’s interactions with you will be business as usual. Generally, PPI can be shared between physicians, other providers and the health plan as Premera carries out routine business functions. These include activities for processing and paying claims, determining eligibility and benefits, conducting quality audits and providing care management and case management services.

    Business Associates

    In most instances, healthcare providers are not the business associate of the health plan, so there won't be changes to your contracts with Premera. Premera has developed its standard Business Associate Addendum to existing agreements and works with vendors and contractors to implement them.

    Minimum Necessary

    When requesting information or making a disclosure, covered entities must ensure that they ask for or disclose the minimum amount of PPI necessary to accomplish the intent of the disclosure. Covered entities must also ensure that the access employees have to PPI is limited to the minimum necessary to perform their jobs. However, one covered entity can rely on the request for PPI from another covered entity as being the minimum necessary as long as the requesting covered entity indicates that the PPI is related to treatment, payment or healthcare operations (TPO).

    Resources

    Links

    Premera provides the following links for your convenience, and does not make any representations or warranties that the information contained on these sites is accurate and complete. Please be aware that these links will take you to other sites not associated with or endorsed by Premera.

    Federal Regulations

    Security Regulations

    Implementation Guides

    HIPAA Implementation and Advisory Groups

    Data Standards Maintenance Organizations 

    National Health Care Accrediting Bodies

    Other HIPAA Resources

    Premera Newsletters and Publications

    EDI News - A quarterly newsletter for physicians and providers in Washington on electronic billing processes.

    Network News - A newsletter for physicians, providers, and office staff. Published six times a year in Washington.