What are the HIPAA Administrative Simplification Regulations?
The HIPAA Administrative Simplification Regulations are the regulations adopted “to improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information” (42 USC §1320d).
The HIPAA Administrative Simplification Regulations are what most people consider to be HIPAA because they contain the General Provisions and the Enforcement Rule (Part 160), the Standards for Electronic Transactions and Data Elements (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164). However, the provisions, rules, and standards were not included in the text of HIPAA in 1996. They were published several years later.
How the HIPAA Administrative Simplification Regulations Evolved
The primary objectives of the Health Insurance Portability and Accountability Act (HIPAA) were to reform the health insurance industry, ensure the continuation of health insurance between jobs, and make health insurance more accessible to American workers. However, achieving these objectives would incur costs for health plans, which would be passed onto employers in the form of higher premiums, which would reduce federal tax receipts.
To offset the costs, Congress introduced measures to reduce insurance fraud and instructed the Secretary for Health and Human Services (HHS) to make the administration of healthcare transactions more efficient by adopting standards for electronic transactions and for the security of health information exchanged in transactions. The Secretary was also instructed to make recommendations for the privacy of health information.
The instructions were complied with, published as regulations, and became effective on different timelines.
The Privacy Rule
The Secretary for Health and Human Services – Donna Shalala – delivered recommendations for the privacy of health information in 1997. In her letter to Congress, Ms. Shalala advocated for the passage of federal privacy legislation rather than the publication of HIPAA privacy standards. However, HIPAA had set Congress a three-year deadline to pass privacy legislation; when the deadline passed, the recommendations were published as a proposed Privacy Rule in 1999.
Although the recommendations were finalized the following year, HHS received thousands of queries raising concerns that the privacy standards would affect the efficient delivery of healthcare. The agency subsequently rewrote large passages of the Privacy Rule to clarify the standards and v2 of the Privacy Rule was published in 2002 with compliance dates of April 2003 for most covered entities and April 2004 for small health plans.
The Security Rule
The original proposals for the “Security of Individual Health Information and Electronic Signatures” were published in August 1998 (the standards for Electronic Signatures were removed before the proposed Rule was finalized). At the time, the standards were not included in the HIPAA Administrative Simplification Regulations, but in Part 142 of Public Welfare Code. They were moved in order to be governed by the HIPAA General Provisions.
Due to the volume of comments from concerned stakeholders, the Final Security Rule was not published until February 2003. The Final Rule was significantly different from the proposals published four and a half years previously – not only with regards to the security standards, but also in the terminologies used. Consequently, covered entities were given two years to comply with the Security Rule – with a further one year extension for small health plans.
The Standards for Electronic Transactions
Due to the wide variety of non-standard code sets used in healthcare and health insurance industries at the time HIPAA was enacted, it took four years for the first standards for electronic transactions to be published. The standards relate to transactions such as encounter information, eligibility, enrollment and disenrollment, referrals, authorizations, premium payments, coordination of benefits, and payment and remittance advices.
The data elements used in electronic transactions took even longer to standardize. There are currently four medical data code sets permitted by HIPAA, one of which – ICD-10 – has more than 74,000 codes to represent different diagnoses and treatments. Once these are multiplied by the number of HCPCS codes (for medical services and medical supplies) and the numerous National Drug Codes, there are millions of codes authorized by HIPAA.
Updates to the HIPAA Administrative Simplification Regulations
There have been several major updates to the HIPAA Administrative Simplification Regulations. The Enforcement Rule of 2005 details the procedures for investigating and resolving alleged violations of HIPAA and established the original penalty structure for HIPAA violations. A new four-tier penalty structure was added by the HITECH Act in 2009, and the Breach Notification Rule was finalized in the HIPAA Omnibus Rule of 2013.
The HIPAA Omnibus Rule also made changes to the Privacy Rule. These included expanding patients’ rights, strengthening limitations on uses and disclosures of PHI, and making business associates directly liable for HIPAA violations. Subsequent changes to the Privacy Rule have been made to accommodate amendments to the Clinical Laboratories Improvement Act (2014) and disclosures to the National Instant Criminal Background Check System (2016).
Since 2016, there have been multiple changes to the standards for electronic transactions as new medications, services, and supplies have come to market. In addition, since 2016, the penalties for violations have increased annually to account for inflation. Further updates are planned to ease certain restrictions on disclosures of PHI, although when these updates will be finalized is not known. In addition, a Privacy Rule update to better protect reproductive health information was subsequently vacated by a Texas judge.
Other proposed updates include amending the Security Rule to accommodate HHS’ Healthcare Sector Cybersecurity Strategy and changing the Enforcement Rule to facilitate “settlement sharing” with victims of data breaches. Covered entities and business associates who are concerned about the volume of proposed changes and how they will impact HIPAA compliance – or how to provide HIPAA training that covers the revisions – are advised to discuss their concerns with a healthcare compliance professional.