HIPAA Administrative Simplification Regulations

The HIPAA Administrative Simplification Regulations – listed in 45 CFR Part 160, Part 162, and Part 164 – obligate healthcare groups to adopt national standards, often called electronic data interchange or EDI standards.

The aim of these regulations is to save time and costs by streamlining the paperwork necessary for processes such as billing, verifying patient eligibility, and sending and receiving payments.

The HIPAA Administrative Simplification Regulations incorporate four standards covering transactions, identifiers, code sets, and operating rules. By implementing these standards and switching from paperwork to electronic transactions, healthcare groups can reduce the paperwork burden, receive payments more quickly, obtain information more rapidly, and easily check the status of claims.

The regulations require HIPAA covered groups – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered bodies – to adopt standards for transactions involving the electronic exchange of health care data, such as claims and reviewing claim status, encounter information, eligibility, enrollment and disenrollment, referrals, authorizations, premium payments, coordination of benefits, and payment and remittance details.

Identifier standards require unique identifiers – a Health Plan Identifier (HPID), Employer Identification Number (EIN), or National Provider Identifier (NPI) – to be used on all HIPAA transactions.

Code sets are standard codes that must be implemented by all HIPAA covered entities. Standard codes have been created for diagnoses, procedures, diagnostic tests, treatments, and equipment and supplies. The code sets listed in HIPAA include: NDC national drug codes; CDT codes for dental processes; CPT codes for procedures; the HCPCS health care common procedure coding system; and the code set for the international classification of diseases (ICD-10) – now in its 10th edition.

After the passing of the Affordable Care Act (ACA) in 2010, the HIPAA Administrative Simplification Regulations were refreshed to include new operating rules specifying the details that must be included for all HIPAA transactions.

Following the passing of the Administrative Simplification Compliance Act (ASCA), medical groups that work with Medicare are required to file all claims to Medicare electronically. While there are limited exceptions when written requests to Medicare contractors may be allowed, most healthcare groups have been required to comply with this requirement since July 1, 2015. Failure to bill electronically after that date results in claims for payment being rejected.

In addition to adhering to the HIPAA Administrative Simplification Regulations, HIPAA covered bodies must also comply with national standards that were introduced to safeguard the privacy of patients (HIPAA Privacy Rule) and enhance security for protected health information (HIPAA Security Rule). Additionally, HITECH Act standards were incorporated into HIPAA regulations in the Final Omnibus Rule, which also added new requirements for breach notifications (HIPAA Breach Notification Rule).

While the Department of Health and Human Services’ Office for Civil Rights is the chief enforcer of the HIPAA Privacy, Security, and Breach Notification Rules, the Centers for Medicare & Medicaid Services manages and enforces the HIPAA Administrative Simplification Rules.

The HIPAA Administrative Simplification Regulations must be put in place by all HIPAA-covered groups, not only bodies that work with Medicare or Medicaid.
