The First HIPAA Rule Finalized

by Jackie Huchenski and Jessica Friedman

On August 17, 2000 the first of the administrative simplification rules under HIPAA, "Transactions and Code Sets", was published in the Federal Register; it will become effective on October 16, 2000 (unless Congress acts to change this date). Compliance with the Rule will be required by October 16, 2002 (except for small health plans which must comply by October 16, 2003).

The Transactions and Code Sets rule attempts to reduce the inefficiency and burden created by the approximately 400 formats for health care claims currently in use. The Rule adopts standards for eight electronic transactions and for code sets (defined as "any set of codes used to encode data elements" such as tables of terms and medical procedure codes, for example) to be used in those transactions. Health care clearinghouses, plans, and providers (who transmit any health information in electronic form) must use the standards.

The final rule affects health care clearinghouses, plans and providers who electronically transmit health information (together "covered entities"). Covered entities will be subject to civil sanctions of $100 per violation with a limit for each violation of $25,000 per year and criminal penalties up to $250,000 and/or 10 years imprisonment for noncompliance. Enforcement will be addressed in a future rule to be published next year.

The final rule addresses the same eight transactions included in the proposed rule:

  1. Health Claims or Equivalent Encounter Information (from providers to health plans);
  2. Eligibility for a Health Plan;
  3. Referral Certification and Authorization;
  4. Health Claim Status;
  5. Enrollment and Disenrollment in a Health Plan;
  6. Health Claims and Remittance Advice (e.g. payment);
  7. Health Plan Premium Payments; and
  8. Coordination of Benefits.

Like the proposed rule, the final rule requires health plans and providers to use the designated transaction standards when performing such transactions electronically and prohibits health plans from refusing to process or causing a delay in processing any of the transactions when submitted electronically. Nor may providers or health plans offer incentives to conduct a transaction under an exception to the rule.

For each element required in a given transaction, the Transaction and Code Sets rule identifies all codes which will be valid. For example, codes are required for data elements such as race/ethnicity and type of facility (administrative codes) as well as for diseases and their manifestations and causes of injury (clinical codes). For the most part, HHS has adopted the code sets currently used in the industry. For example, ICD-9-CM codes are to be used to indicate diseases, injuries, impairments, and their manifestations for diagnoses and inpatient procedures and CPT codes are to be used by physicians (and hospitals, as applicable) for outpatient procedures.

Changes from Proposed Rule:

  1. One major difference between the proposed rule and the final Rule is the introduction of the concept of a "business associate". A "business associate" is defined in the final rule as a person who performs a function or activity on behalf of a covered entity but who is not an employee of the covered entity (The proposed Security and Privacy Rules under HIPAA include similar concepts.). A covered entity may be a "business associate" of another covered entity. To the extent that a covered entity uses a business associate to conduct an electronic transaction, the covered entity must require the business associate to comply with the rule.

  2. Another major difference between the final rule and the proposed rule is the adjustment of the definition of "small health plan" so that it agrees with the definition used in the other HIPAA rules ("small health plan" is defined as "a health plan with annual receipts of $5 million or less").

  3. The final rule adds numerous defined terms (including "trading partner agreement", "standard setting organization" and "implementation specification").

  4. The final rule eliminated an exception for transactions within a "corporate entity" (covered entities must now use a standard transaction when transmitting to another covered entity regardless of whether the two entities are affiliated with one another).

  5. Finally, under the final rule, case management is treated as a health care service.

President Clinton has promised to finalize the Privacy Rule by the November elections and even to expand the Privacy Rule to paper information (not just electronically transmitted or stored information). According to WEDI (the Workgroup for Electronic Interchange), the Security rule is expected to become final in the fall as well, to be followed by the National Provider Identifier and Employer Identifier rules. The preamble to the Transactions and Code Sets rule warns that if the privacy rule is "substantially delayed" or if Congress fails to act, the Department of Health and Human Services would "seriously consider" withdrawing this rule.

About the authors: Jackie Huchenski (jhuchenski@mosessinger.com) is a partner with Moses & Singer LLP. She is the chair of the healthcare groupo and a co-chair of the eHealth Practice. Jessica Friedman (jfriedman@mosessinger.com) is an associate in both the Healthcare and eHealthcare and eHealthlaw group.

This article was taken from the September 5, 2000 issue of iHealthcare Weekly, a Rising Tide Publication. Reprinted with the permission of the publisher. All Rights Reserved. Copyright 2000. Please visit http://ihealthcareweekly.com/issues/ihcw09052000.


© 1999 - Moses & Singer LLP all rights reserved.

Health Law Today Home | Moses & Singer LLP Home

Disclaimer | Privacy Policy