An Overview of HIPAA
Health Insurance Portability and Accountability Act
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which in part directed the Department of Health and Human Services (HHS) to adopt and implement industry-wide health care data standards. The seven key areas which comprise the HIPAA requirements are each described below. For two of these standards, Transactions and Code Sets and Privacy, federal rules (i.e., regulations) have been adopted. The rule for Security is expected to be approved soon. When HHS approves a rule, health plans, clearinghouses, and providers have two years and two months to comply.
1. Transactions and Code Sets. This rule specifies seven different electronic data interchange (EDI) formats to be used for enrollment, monthly premium payments, eligibility verification, claims, claim status request, claims payment, and requests for referrals and authorizations. This rule specifies that the National Council for Prescription Drug Programs (NCPDP) standards be used for pharmacy. The rule also specifies code sets that must be used, including the CPT, HCPCS, and ICD-9 codes.
2. Privacy. The purpose of the Privacy rule is to limit the circumstances in which an individual's protected health information may be seen, used, or disclosed by others. Individuals will be able to obtain access to their own protected health information. However, an individual patient's authorization will be needed before the health plan can use or disclose protected health information. There are limited exceptions, for example, health plan use of data for utilization review, judicial proceedings, and protection of the public health. A formal process must be developed for individual patients to lodge complaints about a health plan's information practices. A privacy officer must be designated.
3. Security. The proposed Security rule addresses data access control, encryption, audits, authorization, biometrics, passwords, personal identification numbers (PINs), data alarms, chain of trust partner agreements, confidentiality, contingency plans for disaster preparedness, need-to-know, awareness training, and facility security. The designation of a security officer is recommended. Although the rule for Security is not yet final, some of its provisions are needed to satisfy the requirements of the Privacy rule.
4. National Provider Identifier. This rule proposes a standard for a national provider identifier (NPI). NPIs will be assigned by a central electronic enumerating system called the national provider system (NPS). The Centers for Medicare and Medicaid Services will exercise oversight and management of the NPS. Health care providers will not interact directly with the NPS, but rather through one of many enumerator organizations that will process applications for an NPI.
5. National Employer Identifier. The Employer Identification Number (EIN) has been proposed as the national employer identifier. The Internal Revenue Service assigns the EIN when a business submits an SS-4 Application for Employer Identification Number. The problems with using the EIN are that some organizations have more than one, some employers may not wish to supply the EIN because it's their tax identifying number, and a sole proprietor with no employees does not need to have an EIN. The upside is that the EIN is currently the employer identifier in most widespread use.
6. National Health Plan Identifier. This rule has not yet been proposed.
7. Health Claim Attachments (i.e., documentation). This rule will propose HL-7 standards for claims attachments and later for other forms of attachments. Attachments include laboratory reports, physician notes, and other documents which further explain the medical appropriateness of the claim. Health care industry organizations are working on defining the requirements for attachments.
Please look to this site for updated information on HIPAA, contact numbers, useful links, and Santa Clara Family Health Plan's efforts to comply.