Question 1: Whom do the HIPAA privacy rules apply to, and when?
Answer: The HIPAA privacy regulations are part of HIPAA Administrative Simplification (although many people wonder if the regulations will really make their lives simpler!).
Administrative Simplification is intended to make health care administration (including payment) more efficient by providing for the adoption of uniform data sets and code sets for health care transactions (such as claims) and by encouraging the use of electronic data interchange. Final privacy regulations were issued in December 2000, and final modifications to the privacy regulations were issued in August 2002. Proposed security regulations were issued in August 1998. Final security regulations have not yet been issued, but there are rumors that they will be issued on December 27, 2002. Privacy and security provisions were included in Administrative Simplification in order to help ensure that sensitive health care information, moving electronically in standard transactions, is not used or disclosed improperly.
Who is Covered?
The HIPAA privacy regulations apply directly to three types of "covered entities": health care clearinghouses, health plans, and health care providers that conduct any of the standard transactions electronically.
Clearinghouses are entities that "translate" health information from a nonstandard format to standard, or from standard to nonstandard. For example, billing services and repricing companies often function as clearinghouses.
Health plans are individual or group plans that provide or pay the cost of medical care. Health plans include HMOs, Medicare and Medicaid, health insurance issuers, and group health plans. The only health plans that are not covered entities are group health plans that have fewer than 50 participants and are administered entirely by the plan sponsor.
Health care providers are, as the term implies, persons or organizations that provide medical or health services or that bill or are paid for health care in the normal course of business. Only providers that conduct any of the HIPAA standard transactions (e.g., health care claims or encounter information; eligibility inquiry; request for authorization to refer a patient to another provider; etc.) electronically are required to comply with the HIPAA privacy regulations.
There are also two other types of entities that may find they have HIPAA privacy obligations, even though they are not "covered entities": business associates of covered entities, and plan sponsors. Obligations are imposed on business associates contractually, through business associate agreements with covered entities. Obligations are imposed on plan sponsors (as the price of obtaining protected information from the plans) by way of required plan amendments, a certification by the sponsor, and assurances of adequate separation between plan functions and employer functions.
What is the Deadline for Compliance?
The compliance deadline for most covered entities is April 14, 2003. "Small health plans" have until April 14, 2004. A "small health plan" is defined as a plan with annual receipts of $5 million or less. HHS clarified the annual receipts test to mean, for insured plans, $5 million in premiums paid in the most recent fiscal year and, for self-insured plans, $5 million in claims paid in the most recent fiscal year.