Access our secured site
LoginLogin
Medical Policy, Clinical UM Guidelines, and Pre-Cert Requirements

View requirements for Local Plan and BlueCard Out-of-Area members.

Search our online provider directory when you need a doctor, hospital, or other health care provider.

HIPAA

PW_AD048677
 
Health Insurance Portability & Accountability Act (HIPAA)
HIPAA Readiness Disclosure Statement  
Blue Cross Blue Shield of Georgia and its affiliates have been diligently following the evolution of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) since its inception in 1996. Our goal is to ensure our systems, supporting business processes, policies, and procedures can successfully meet the implementation standards and deadlines mandated by the United States Department of Health and Human Services (DHHS). 
To achieve this goal, we have or are in the process of accomplishing the following:  
Formation of an Executive HIPAA Steering Committee
Establishment of a HIPAA Program Management Office
Completion of an impact assessment on business processes and systems
Development and implementation of HIPAA Education and Awareness programs
Identification of specific remediation projects necessary to mitigate actual or potential exposures
Assessment of the impact the HIPAA requirements may have on our products and services
Evaluation of business processes and best practices to realize the benefits of Administrative Simplification
 
What is HIPAA?  
The Health Insurance Portability and Accountability Act (HIPAA) was signed into Federal Law on August 21, 1996 to improve the efficiency of health care delivery. HIPAA mandates standards for Electronic Data Interchange (EDI) transactions and code sets. It establishes uniform health care identifiers for providers, health plans, and employers. Compliance with HIPAA requires the use of ANSI ASC X12N (Version 4010) transaction standards and implementation guides. It also addresses privacy and security. 
The final rules for transactions and code sets were published in the Federal Register on August 17, 2000, and the compliance date is October 16, 2002. However, President Bush signed a bill on December 27, 2001 (HR 3323) enabling covered entities to delay compliance with the transactions and codes sets rule by one year until October 16, 2003. To qualify for the extension, covered entities must submit a compliance plan to the Secretary of the Department of Health and Human Services by October 15, 2002. In March 2002, the Secretary of the Department of Health and Human Services publicized a standard form that covered entities can use in filing for an extension. The form must be filed electronically or postmarked by October 15, 2002 and can be accessed from the following Web site: http://cms.hhs.gov. Blue Cross Blue Shield of Georgia and its affiliates have filed for the extension. 
The final rule for Privacy Standards was published in the Federal Register on December 28, 2000. The compliance date is April 14, 2003. This date is not affected by the extension granted for the final rules for transactions and code sets. 
Covered entities will be subject to financial penalties, which will be defined under the pending Enforcement Regulation, if they do not comply with the dates mandated by the HIPAA rules and regulations. 
HIPAA Applicability  
Under the terms of HIPAA, the rules and regulations apply to covered entities defined to include health plans, health care clearinghouses, and health care providers who transmit any health information in any electronic form in connection with transactions covered under HIPAA, and who receive, maintain, or disclose individually identifiable health information in any form or medium. All covered entities must comply with the standards adopted by HIPAA by the applicable compliance dates. If a provider chooses to conduct a standard electronic transaction with a health plan, the health plan may not refuse to conduct, or delay such transactions. The modes of electronic transmission covered under HIPAA include the Internet, extranets, leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media. 
HIPAA Privacy and Security  
Privacy

Standards describe who should have access to patient information and circumstances for which patient consent or authorization is required

Health Plans are not required to obtain patient consent to use or disclose health information for treatment, payment and health care operations

Other purposes require patient authorization

Disclosure must be tracked

Patients are granted the right to:

Obtain, inspect and correct or amend their health information

Know how their health information is disclosed or used for purposes other than treatment, payment or health care operations

Receive notice about an organization's information handling and disclosure practices

 
Security (Final Rules Pending)

Four categories of the proposed requirement to guard data integrity and availability:

Administrative procedures: documented and formal practices to manage the selection and execution of security measures

Physical safeguards: protection of physical computers and equipment, locks, keys and administrative measures to control access to computer systems

Technical security services: processes that are put in place to protect, control and monitor information access

Technical security mechanisms: processes that are put in place to prevent unauthorized access to data that is transmitted over a communications network

 
HIPAA Transaction Standards  
The transactions that are required to use the HIPAA standards under this regulation are: 

Transaction Name
ASC X12 Transaction
NCPDP Transaction

Health Claims and Equivalent Encounter Information

837

NCPDP 5.1/Batch 1.0

Enrollment and Disenrollment in a Health Plan

834

 

Eligibility Inquiry/Response for a Health Plan

270/271

NCPDP 5.1/Batch 1.0

Health Care Payment/Remittance Advice (EFT/ERA)

835

NCPDP 5.1/Batch 1.0

Health Plan Premium Payments

820

 

Health Claim Status

276/277

 

Referral Certification and Authorization

278

 

Coordination of Benefits

837

NCPDP 5.1/Batch 1.0

Electronic Attachments

275/HL7/LOINC

 

 
HIPAA Code Sets  
Under HIPAA, a "code set" is any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnosis codes, or medical procedure codes. Code sets for medical data are required for data elements in the administrative and financial health care transaction standards adopted under HIPAA for diagnoses, procedures, and drugs. 
The following code sets have been adopted as the standard medical data code sets:  
The combination of Health Care Financing Administration Common Procedure Coding System (HCPCS), as updated and distributed by the DHHS and Current Procedural Terminology, Fourth Edition (CPT-4), as updated and distributed by the American Medical Association for physician services and other health related services.
International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volumes 1 and 2 (including the Official ICD-9-CM Guidelines for Coding and Reporting), as updated and distributed by the DHHS.
International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volume 3 Procedures (including the Official ICD-9-CM Guidelines for Coding and Reporting), as updated and distributed by the DHHS.
Drug and Biologic Codes - Currently under review by DHHS.
Dental Procedures and Nomenclature, as updated and distributed by the American Dental Association, for dental services.
 
HIPAA Identifiers  
Following are the HIPAA identifiers:  
Employer Identification Number (EIN): The nine-digit IRS Tax Identification Number - Compliance is required July 30, 2004
National Provider Identifier (NPI): proposed to be a ten-position numeric identifier *
Health Plan Identifier (PAYERID): not yet announced but likely to be a ten-digit number assigned to all health plans for the routing of electronic transactions *
 
* Final Rules Pending 
Blue Cross Blue Shield of Georgia Industry Involvement  
Blue Cross Blue Shield of Georgia has been involved in HIPAA since 1997 and has an early start on transaction development. Blue Cross Blue Shield of Georgia has also worked extensively with the following organizations:  
WEDi (Workgroup for Electronic Data Interchange) *
EHNAC (Electronic Healthcare Network Accreditation Commission) *
HPAG (Blue Cross/Blue Shield Association HIPAA Policy Advisory Group)
CAHP (California Association of Health Plans)
ANSI (American National Standards Institute)
WEDi SNIP (WEDi's Strategic National Implementation Process)
ICE (Industry Collaboration Effort) Co-Chair
NCPDP (National Council for Prescription Drug Programs)
 
* Blue Cross Blue Shield of Georgia holds Board positions 
How to Prepare for HIPAA  
Steps Towards Compliance:  
Understanding of how HIPAA applies to your organization

Basic understanding of HIPAA

Assess if transactions and code sets comply to HIPAA requirements

Privacy and Security

Required training for staff

Vendor and/or clearinghouse selection for electronic transactions
Coordinating implementation with payers and/or clearinghouses
Keeping abreast of new rules and regulations, and changes in the existing rules and regulations
 
Education Opportunities:  
Industry Participation

WEDI SNIP (Workgroup For Electronic Data Interchange Strategic National Implementation Process)

Blue Cross Blue Shield HIPAA Implementation Group

ICE HIPAA (Industry Collaboration Effort)

Association participation
Provider tool kits
HIPAA workshops
Web site information
 
There is a wealth of information being published to keep the health care community informed of what is happening on the HIPAA front. The following helpful HIPAA Web sites are available for assistance with HIPAA implementation: 
Public Resources:  
ASC X12N Version 4010 Transaction Implementation Guides:
http://www.wpc-edi.com/hipaa
Text Of Administrative Simplification Law And Regulations:
http://aspe.os.dhhs.gov/admnsimp
National Uniform Claims Committee:
http://www.nucc.org
National Council for Prescription Drug Programs:
http://www.ncpdp.org/
National Council on Vital and Health Statistics:
http://aspe.os.dhhs.gov/admnsimp
HIPAA Strategy and Project Plan:
http://www.hipaainfo.net/
- See Articles Section
WEDI Strategic National Implementation Process:
http://snip.wedi.org
/
 
For More Information:  
Boundary Information Group (BIG):
http://www.hipaainfo.net/
HIPAA Alert:
http://www.hipaadvisory.com/
Medical Group Management Association (MGMA):
http://www.mgma.com/
 
Tools for Organizations:  
HIPAA Tool Kit For Small Group & Safety Net Providers/ Implementing the Federal Health Privacy Rule in California:
http://www.chcf.org/
- Select HIPAA link
WEDI SNIP White Paper-Small Practice Implementation:
http://snip.wedi.org/
Early View-Tool for HIPAA Self Assessments:
http://nchica.org/
ICE HIPAA Provider Guidance Document:
http://www.iceforhealth.org/library
© 2014 BlueCross BlueShield of Georgia
Blue Cross and Blue Shield of Georgia, Inc. and Blue Cross Blue Shield Healthcare Plan of Georgia, Inc. are independent licensees of the Blue Cross and Blue Shield Association. The Blue Cross and Blue Shield names and symbols are registered marks of the Blue Cross and Blue Shield Association.