Health Insurance Portability and Accountability Act (HIPAA)
The objective of this chapter is to provide a basic understanding of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as it pertains to hospital billing and coding. The implementation of HIPAA has had, and will continue to have, a major impact on health care delivery and the processing of health care transactions. HIPAA includes provisions to improve the portability of health insurance, combat fraud and abuse, and simplify the administration of health insurance. A detailed discussion of all HIPAA provisions is beyond the scope of this text. The chapter will provide a brief overview of the purpose and scope of HIPAA regulations. It is critical for hospital personnel to understand HIPAA regulations to ensure compliance. A discussion of HIPAA portability, administrative simplification, privacy, and security provisions will provide a basic understanding of the mandated standards and the consequences of non-compliance with those standards. The chapter will end with a discussion of the elements of a compliance plan.
During the 1990s, the health care industry was facing major issues related to the rising cost of health care. Legislators continued to develop and implement reimbursement methods designed to control health care cost. Health care leaders were called on to identify other issues that contributed to the rising cost of health care. Several contributing factors were identified. The limited access and portability of health insurance coverage was one factor identified. Many individuals did not have health insurance coverage or lost insurance coverage because of limited access or the inability to continue coverage after a job change. Fraud and abuse were other factors identified. The government estimates that billions of dollars are lost to fraud and abuse on an annual basis. The administrative cost of processing health care transactions was seen as another factor. It is estimated that billions of dollars annually are spent on the administration of health insurance. Legislation was developed and passed to address the factors that contributed to the rising cost of health care. The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kassebaum-Kennedy Legislation, was passed by Congress to improve access to health care; provide portability of health insurance coverage; combat waste, fraud, and abuse; and simplify the administration of health insurance.
HIPAA legislation is outlined under Public Law 104-191. HIPAA was passed by Congress in 1996. HIPAA provisions have been implemented in phases since the legislation was passed. Additional provisions of HIPAA are slated for implementation through 2016. The purpose of the act was to amend the Internal Revenue Code of 1986 to address many health care-related issues, including the continuance of insurance coverage, fraud and abuse, and administrative simplification. HIPAA legislation is broken down into the following five sections, referred to as titles:
This chapter will focus on HIPAA Titles I and II since they have the most significant impact today on health care providers and health insurers. The Health Insurance Portability and Accountability Act (HIPAA) Title I is referred to as Health Insurance Reform since its purpose is to ensure that individuals have access to health insurance coverage. Title I mandates improved access to health care and health coverage, and it imposes new regulations relating to the underwriting process performed by insurance companies to determine whether they will insure an individual. The Health Insurance Portability and Accountability Act (HIPAA) Title II is labeled Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform. Title II contains regulations aimed at protecting government programs from fraud and abuse. Another objective of HIPAA Title II is to standardize and simplify the processing of health care transactions. Figure 3-1 illustrates the five sections of HIPAA and provisions under HIPAA Title I and Title II.
The original focus of HIPAA was to ensure portability or continuation of health insurance coverage for workers who lost or changed jobs. Prior to the implementation of HIPAA, insurance companies could deny individuals coverage based on preexisting conditions or health status. Individuals who lost their jobs or changed employment often were unable to obtain health insurance coverage due to preexisting medical conditions. Individuals who presented with a catastrophic illness, such as cancer or HIV infection, could be denied coverage or insurance companies could elect to drop coverage because of the expense of treating such illnesses. HIPAA Title I is designed to reform health insurance to protect health insurance coverage for millions of Americans when they change or lose their jobs. It is designed to guarantee health insurance access, portability, and renewal. Title I of HIPAA includes provisions to achieve three major objectives that relate to portability and continuance of health insurance coverage as outlined below:
Efforts to control the rising cost of health care led to the implementation of HIPAA legislation. HIPAA Title II: Prevention of Health Care Fraud and Abuse and Administrative Simplification addresses two areas identified as contributing to the rising cost of health care: fraud and abuse and the cost of administering health insurance. One major objective of HIPAA Title II is to save health care dollars through prevention of health care fraud and abuse. To accomplish this, HIPAA Title II contains provisions to increase prevention and detection of fraud and abuse activities. Another objective is to standardize the health insurance administration process to reduce the cost of processing health care transactions. Health care leaders estimate that administrative costs could be reduced by billions of dollars annually by increasing the use of electronic data interchange (EDI) for health care transactions such as claim submission and payer remittance. CMS defines electronic data interchange (EDI) as the exchange of routine business transactions from one computer to another in a standard format, using standard communications protocols. HIPAA Title II also contains provisions to standardize health care transactions for electronic processing.
HIPAA Title II addresses the need to combat waste, fraud, and abuse in health care by increasing funding to support fraud detection activities and by increasing civil monetary penalties for fraud and abuse, through the creation of several programs: the Health Care Fraud and Abuse Program, the Incentive Program for Fraud and Abuse, and the Medicare Integrity Program.
The Health Care Fraud and Abuse Control (HCFAC) Program became effective in 1997. The program was created under HIPAA to identify fraud and abuse in federal programs, such as Medicare and Medicaid, and among private payers. HIPAA legislation established this program and allocated funds from the Medicare Part A Trust Fund to expand fraud and abuse control activities. The program is administered “under the joint direction of the Attorney General and the Department of Health and Human Services (acting through the Office of the Inspector General). The HCFAC program is designed to coordinate federal, state and local law enforcement activities concerning health care fraud and abuse. Monies recovered through fraud investigations must be deposited into the Federal Hospital Insurance Trust Fund, as mandated under HIPAA.”
HIPAA also expanded the definition of fraud to include language indicating that providers can be held liable if they knew or should have known that information on a claim was false. Fraud is defined as an intentional deception or misrepresentation that someone makes, knowing it is false, that could result in an unauthorized payment. The Centers for Medicare and Medicaid Services (CMS) outlines the following as the most common forms of fraud as illustrated in Figure 3-2:
Abuse is defined as actions or practices of health care providers that are inconsistent with accepted sound medical practice, which may result in improper payment. CMS outlines the following as the most common forms of abuse as illustrated in Figure 3-3:
The Incentive Program for Fraud and Abuse, also created under HIPAA, provides incentives to Medicare beneficiaries and others who report fraud and abuse in the Medicare program. Rewards are paid if the information leads directly to the recovery of Medicare funds.
Creation of the Medicare Integrity Program (MIP) was authorized under HIPAA legislation. The primary objective of the program is to develop and implement systems to safeguard Medicare payments. One function is to identify and investigate suspicious claims throughout Medicare to ensure that the program does not pay claims other insurers should pay. The MIP also ensures that Medicare pays only for covered services that are reasonable and medically necessary.
HIPAA legislation also granted CMS authority to hire contractors to perform fraud-fighting functions. CMS developed a program called Program Safeguard Contractor (PSC) in 1999 to carry out audits, to identify cases of fraud and abuse, conduct medical reviews, and perform other essential program integrity activities that were previously performed by Medicare contractors who processed claims. The transfer of fraud and abuse work from Medicare contractors to PSC was completed in 2006. The Program Safeguard Contractors were replaced by Zone Program Integrity Contractors (ZPIC) and these contractors are established in seven zones as illustrated in Figure 3-4. A contractor may be responsible for more than one zone. For example, the contractor for Zones 2 and 5 is AdvanceMed. CMS partners with other audit contractors such as Recovery Audit Contractors (RAC) and Medicaid Integrity Contractors (MIC). Recovery Audit Contractors (RAC) are audit contractors hired by CMS to carry out Medicare audits to identify and correct underpayments and overpayments, conduct medical reviews, and perform other essential program integrity activities. Medicaid Integrity Contractors (MIC) are audit contractors hired by CMS to carry out Medicaid audits, conduct medical reviews, and perform other essential Medicaid program integrity activities. Audits performed by these contractors can result in demands for repayment, civil and criminal penalties, and exclusion from government programs.
The Title II: Administrative Simplification portion of the HIPAA regulations is designed to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange (EDI). HIPAA Title II contains provisions that mandate the adoption of national standards for electronic health transactions, including standard transactions and code sets (TCS), and national identifiers for providers, health plans, and employers. The increased use of EDI brought with it concerns regarding the security and privacy of health data.
The implementation dates for HIPAA provisions are determined based on the publication date of the final rule. Before a rule (or law) becomes final, a preliminary draft is published in the Federal Register with a time frame for comments. After the comment period, the preliminary draft is revised to reflect the consensus of all comments received, and the final rule is published. Generally, once the final rule is published there is a 2-year plus 60-day period before the rule becomes effective. All covered entities are required to comply with the HIPAA regulations on the effective date published in the Federal Register. The Federal Register can be accessed at www.gpo.gov/fdsys/. Table 3-1 outlines implementation dates for various HIPAA regulations.
| Date | Implementation of HIPAA Regulations |
|---|---|
| August 21, 1996 | HIPAA passed by Congress. |
| April 14, 2001 | Privacy rule final implementation |
| October 16, 2003 | Electronic Health Care Transactions and Code Sets (Medicare will only accept paper claims under limited circumstances) |
| April 14, 2003–April 20, 2006 | Privacy Standards, Employer Identifier Standard, Security Standards (all covered entities and small health plans) |
| May 23, 2008 | National Provider Identifier (all covered entities except small health plans) |
| January 1, 2012 | ASC X12N Version 5010 Standards—replace Version 4010/4010A |
| January 1, 2013 | Effective date for operating rules for eligibility for health plan and health claims status transactions |
| October 1, 2014 | ICD-10-CM and ICD-10-PCS Code Sets for medical diagnosis and inpatient procedures. The original implementation date was October 1, 2013. The DHHS published a final rule that delays the ICD-10 compliance date to October 1, 2014. |
| December 31, 2013 | Certification, Part 1—Health plan must certify data and information systems are in compliance with applicable standards and operating rules for health plan eligibility, health claims status, electronic funds transfer and health care payment and remittance advice. |
| January 1, 2014 | Effective date of operating rules and standards for electronic funds transfers (EFT) and remittance advice |
| April 1, 2014 | Penalties may be assessed against a health plan that has failed to meet the certification and compliance requirements for standards and operating rules. |
| December 31, 2015 | Certification, Part 2—Health plan must certify that its data and information systems are in compliance with applicable standards and operating rules for: health claims or equivalent encounter information; enrollment and disenrollment in a health plan; health plan premium payments; referral certification and authorization and health claims attachments |
| January 1, 2016 | Effective date of operating rules for health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, referral certification and authorization, health care claims attachments. Effective date of standard for health care claims attachments |
(Revised data from Centers for Medicare and Medicaid Services, www.cms.gov/HIPAAGenInfo/.)
The health care industry is governed and regulated in accordance with many state and federal regulations. Health care providers must implement systems to ensure compliance with all state and federal regulations. Compliance is the term used to describe the act of following standards in accordance with state and federal regulations. A number of federal laws mandate compliance and have provisions for sanctions against individuals or organizations that do not comply, particularly in the areas of privacy and security of patient information, billing, and coding guidelines and claim submission requirements. For example, the Civil Monetary Penalties Law (CMPL) of 1983 was passed for the purpose of prosecuting cases of Medicare and Medicaid fraud. This law contains provisions regarding sanctions that can be imposed on individuals or organizations convicted of fraudulent activities as defined in the Federal False Claims Act. The sanctions imposed under the CMPL are outlined below; however, it is important to note that they are periodically updated.
HIPAA legislation mandates compliance with the standards and provisions involving administrative simplification, privacy, and security. Civil and/or criminal penalties may be imposed for non-compliance with HIPAA standards. A three-tier civil penalty structure for HIPAA violations was established under the American Recovery and Reinvestment Act (ARRA) of 2009, which was signed into law on February 17, 2009. The Secretary of the DHHS is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended). Criminal penalties can be imposed for the following violations:
Compliance requirements, including the date of compliance, are published in the Federal Register. Figure 3-5 illustrates HIPAA objectives and the enforcement agencies that can impose penalties for non-compliance. The three agencies responsible for enforcing standards and provisions are the Office of the Inspector General (OIG), the Centers for Medicare and Medicaid Services (CMS), and the Office of Civil Rights (OCR).
The Office of the Inspector General (OIG) is an agency under the Department of Health and Human Services (DHHS) that is responsible for the detection and prevention of fraud and abuse. The OIG monitors compliance and enforces laws related to fraud and abuse (Figure 3-6). When a Medicare provider allegedly commits fraud, an investigation is conducted by the OIG. If evidence of fraud or abuse is found by the OIG, the case is referred to the Department of Justice (DOJ) for prosecution. Criminal, civil, and/or administrative sanctions for fraud convictions may include:
• Criminal fines and/or imprisonment of up to 10 years upon conviction of the crime of health care fraud as outlined under HIPAA; for violations of federal anti-kickback statutes, imprisonment of up to 5 years and/or criminal fines of up to $50,000.
The Centers for Medicare and Medicaid Services (CMS) is an agency under the DHHS that oversees the Medicare and Medicaid programs. CMS enforces many laws related to the Medicare and Medicaid programs including the HIPAA standard transaction and code set provisions. Non-compliance with HIPAA standard transaction and code set provisions may result in monetary penalties. Monetary penalties that may be imposed for failing to comply include:
The Office of Civil Rights (OCR) is an agency under the DHHS that is responsible for monitoring compliance and enforcement of HIPAA privacy and security standards. Complaints regarding privacy issues are submitted by individuals or other entities to the OCR in writing. The OCR conducts an investigation and determines required action. There are civil and criminal penalties for violating HIPAA privacy and security provisions. Penalties for violations can be imposed only on covered entities and business associates. Civil and criminal penalties are as follows:
For offenses committed with the intent to sell, transfer, or use individually identifiable health information (IIHI) for commercial advantage, personal gain, or malicious harm: up to $250,000 and 10 years in prison
State laws may contain more stringent privacy protections that apply over and above the federal privacy standards. For example, states may have special privacy requirements for patients tested, diagnosed, or treated for alcohol and drug abuse, sexually transmitted diseases, or mental health disorders.
A covered entity is an organization involved with health care delivery that provides health care services, submits claims for services, or provides health care coverage. HIPAA identifies three types of covered entities that must follow the regulations as illustrated in Figure 3-7:
Health care providers are people or organizations that render health care services, bill for services rendered, and are paid for those services in the normal course of business. Examples of health care providers include hospitals, physicians, ambulatory surgery centers and other facilities, home health agencies, and ambulance services. In accordance with HIPAA regulations, CMS requires that Medicare claims be sent electronically by all providers, with the exception of small practices that have fewer than 10 employees.
A clearinghouse is an organization that receives claim information from hospitals and other providers in various formats for conversion to a required format for submission to various payers. Health care clearinghouses as defined under HIPAA include billing service companies, repricing companies, and value-added networks that process nonstandard data elements into standard data elements for the purpose of transmission of claims between health care providers and health plans.