HIPAA FAQ

A. The Health Insurance Portability and Accountability Act (HIPAA) is also known as the Kennedy-Kassebaum bill. It was first proposed with the simple objective to assure health insurance coverage after leaving a job. Congress added an Administrative Simplification section to the bill.

The goal of the Administrative Simplification section of the bill was to save money. It was requested and supported by the health care industry because it standardized electronic transactions and required standard record formats, code sets, and identifiers.

The impact of Electronic Standardization, however, was that it increased risk to security and privacy of individually identifiable health information. Because Congress did not provide legislation defining the privacy and security requirements of HIPAA, the Department of Health and Human Services (DHHS) was required to provide them.

There are currently four proposed or final rules from DHHS for HIPAA:

1. Transaction and Code Set standards (Final)
2. Privacy standard (Final)
3. Security standard (Final)
4. Identifier standards (Proposed)

Q. Are Tribes required to become compliant under HIPAA?

A. We have no official answer to that question yet. However, we urge all members of the Indian health community to begin work toward HIPAA compliance.

The HIPAA legislation states:

SEC. 1172. (a) APPLICABILITY.-Any standard adopted under this part shall apply, in whole or in part, to the following persons:
1. A health plan.
2. A health care clearinghouse.
3. A health care provider who transmits any health information in electronic form in connection with a [financial or administrative] transaction referred to in section 1173(a)(1).

SEC. 1171. For purposes of this part: (3) HEALTH CARE PROVIDER.-The term 'health care provider' means a provider of services (as defined in section 1861(u) [of the Social Security Act]), a provider of medical or health services (as defined in section 1861(s) [of the Social Security Act] ), and any other person furnishing health care services or supplies.

(5) HEALTH PLAN.-The term 'health plan' means an individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 2791 of the Public Health Service Act). Such term includes the following, and any combination thereof:

(L) The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).

Who is required to use the standards?
All private sector health plans (including managed care organizations and ERISA plans, but excluding certain small self administered health plans) and government health plans (including Medicare, State Medicaid programs, the Military Health System for active duty and civilian personnel, the Veterans Health Administration, and Indian Health Service programs), all health care clearinghouses, and all health care providers that choose to submit or receive these transactions electronically are required to use these standards. These "covered entities" must use the standards when conducting any of the defined transactions covered under the HIPAA. [Emphasis added]

Background Technologies

A. Encryption is the conversion of plaintext into ciphertext using a key to make the conversion. Unless the ciphertext is decrypted (converted back into plaintext) using the same key (symmetric cryptography) or a paired key (asymmetric or dual key cryptography), no one can read it.

Q. What is Public Key Infrastructure (PKI)?

A. Public key infrastructure is "the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke Public Key Certificates based on public key cryptography." (IETF PKIX working group)

Q. What is a Digital Signature?

A. A Digital Signature is a type of electronic signature that combines a one-way secure hash function with public key cryptography to provide data integrity (assuring that the data has not been altered) and non-repudiation (assuring that the signer cannot later deny signing the document or message). However, a digital signature does not provide confidentiality for the signed document or message (that is, a Digital Signature does not encrypt the document or message).

Q. Will RPMS be compliant with the HIPAA Transaction Rule

A. There will be two options for HIPAA transaction compliance for RPMS.

1. Use RPMS transactions. RPMS transactions are on schedule to be fully compliant for the following transaction types:
   • 270 (Eligibility/Benefit Inquiry)
   • 271 (Eligibility/Benefit Information Response)
   • 835 (Health Care Claim Payment/Advice)
   • 837 (Health Care Claim)

2. Use a clearinghouse. Any transactions can be forwarded to a clearinghouse where they will be formatted to meet all HIPAA transaction requirements. This solution has the advantage that once the agreements are in place to use its services, the clearinghouse will be responsible for putting in place all payer agreements, thus potentially providing a substantial reduction in administrative costs. Either of these options will provide HIPAA transaction compliance.

Q. Does the HIPAA Security Rule require encryption when individually identifiable health information is sent over a network?

A. We are assured that the final HIPAA Security Rule will require encryption only when individually identifiable health information is sent over a public network, such as the Internet. Encryption will not be required for other network connections, such as dial-up lines and Intranets.

Q. How do I report HIPAA Privacy violation.

A. If you believe that a person, agency or organization covered under the HIPAA Privacy Rule ("a covered entity") violated your (or someone else's ) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights (OCR). OCR has authority to receive and investigate complaints against covered entities related to the Privacy Rule. A covered entity is a health plan, health care clearinghouse, and any health care provider who conducts certain health care transactions electronically. For more information about the Privacy Rule, please look at our responses to Frequently Asked Questions (FAQs) and our Privacy Guidance. (See the web link near the bottom of this form.)

Complaints to the Office for Civil Rights must: (1) Be filed in writing, either on paper or electronically; (2) name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule; and (3) be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause." Any alleged violation must have occurred on or after April 14, 2003 (on or after April 14, 2004 for small health plans), for OCR to have authority to investigate.

Anyone can file written complaints with OCR by mail, fax, or email. If you need help filing a complaint or have a question about the complaint form, please call this OCR toll free number: 1-800-368-1019. OCR has ten regional offices, and each regional office covers certain states. You should send your complaint to the appropriate OCR Regional Office, based on the region where the alleged violation took place. Use the OCR Regions list at the end of this Fact Sheet, or you can look at the regional office map to help you determine where to send your complaint. Complaints should be sent to the attention off the appropriate OCR Regional Manager.

You can submit your complaint in any written format. We recommend that you use the OCR Health Information Privacy Complaint Form which can be found on our web site or at an OCR Regional office. If you prefer, you may submit a written complaint in your own format. Be sure to include the following information in your written complaint:

The Centers for Medicare and Medicaid has a detailed FAQs section on Transaction and Code Sets and Security Standards on their WEB site .

The Office of Civil Rights has a detailed FAQs section on Privacy Standards on their WEB site .