What are the HIPAA Administrative Simplification Regulations?

The HIPAA Administrative Simplification Regulations – detailed in 45 CFR Part 160, Part 162, and Part 164 – require healthcare organizations to adopt national standards, often referred to as electronic data interchange or EDI standards.

The purpose of these regulations is to save time and costs by streamlining the paperwork required for processes such as billing, verifying patient eligibility, and sending and receiving payments.

HIPAA Administrative Simplification Standards

The HIPAA Administrative Simplification Regulations include four standards covering transactions, identifiers, code sets, and operating rules. By adopting these standards and switching from paperwork to electronic transactions, healthcare organizations can reduce the paperwork burden, receive payments faster, obtain information more rapidly, and easily check the status of claims.

The regulations require HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to adopt standards for transactions involving the electronic exchange of health care data, such as claims and checking claim status, encounter information, eligibility, enrollment and disenrollment, referrals, authorizations, premium payments, coordination of benefits, and payment and remittance advice.

Identifier standards require unique identifiers – A Health Plan Identifier (HPID), Employer Identification Number (EIN), or National Provider Identifier (NIP) – to be used on all HIPAA transactions.

Code sets are standard codes that must be adopted by all HIPAA covered entities. Standard codes have been developed for diagnoses, procedures, diagnostic tests, treatments, and equipment and supplies. The code sets detailed in HIPAA include: NDC national drug codes; CDT codes for dental procedures; CPT codes for procedures; the HCPCS health care common procedure coding system; and the code set for the international classification of diseases (ICD-10) – now in its 10th edition.

Updates to the HIPAA Administrative Simplification Regulations

Following the passing of the Affordable Care Act (ACA) in 2010, the HIPAA Administrative Simplification Regulations were updated to include new operating rules specifying the information that must be included for all HIPAA transactions.

Following the passing of the Administrative Simplification Compliance Act (ASCA), medical organizations that work with Medicare are required to submit all claims to Medicare electronically. While there are limited exceptions when written requests to Medicare contractors may be permitted, the majority of healthcare organizations have been required to comply with this requirement since July 1, 2015. The failure to bill electronically after that date results in claims for payments being rejected.

In addition to complying with the HIPAA Administrative Simplification Regulations, HIPAA covered entities must also comply with national standards that were introduced to protect the privacy of patients (HIPAA Privacy Rule) and improve security for protected health information (HIPAA Security Rule). Additionally, HITECH Act standards were incorporated into HIPAA regulations in the Final Omnibus Rule, which also added new requirements for breach notifications (HIPAA Breach Notification Rule). Further information on the HIPAA Privacy, Security, and Breach Notification Rules can be found in our HIPAA compliance checklist, with further advice on HIPAA compliance detailed here.

While the Department of Health and Human Services’ Office for Civil Rights is the main enforcer of the HIPAA Privacy, Security, and Breach Notification Rules, the Centers for Medicare & Medicaid Services administers and enforces the HIPAA Administrative Simplification Rules.

The HIPAA Administrative Simplification Regulations apply to all HIPAA-covered entities, not only entities that work with Medicare or Medicaid.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.