HIPAA

  • Under both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act, LifeWise must take measures to protect the privacy of our members’ personal information. In addition, other state and federal privacy laws may provide additional privacy protection. Personal information includes the member’s name, Social Security number, address, telephone number, account number, employment, medical history, health records, and claims information. Learn more about our member privacy practices.

    Here you’ll find HIPAA information specific to providers.

  • Resources

    CMS Version 5010 Website

    Administrative Simplification

    The Administrative Simplification part of HIPAA aims to reduce administrative costs in the healthcare industry through adopting and using standardized, electronic transmission of administrative and financial data.

    Administrative Simplification encompasses five key elements:

    • Privacy
    • Security
    • Standard Transactions
    • Standard Medical Code Sets
    • Unique Identifiers

    Privacy

    HIPAA privacy regulations require standards that protect the privacy of PPI. These rules include strict limits on how information can be used and disclosed.

    Security

    HIPAA's Administrative Simplification provisions also require security standards to protect health information transmitted or stored electronically. The regulations require physical, technical and procedural safeguards to keep electronic healthcare information secure.

    Standard Transactions

    Providers, healthcare payers and clearinghouses must use "standard" formats to exchange healthcare transactions electronically.

    The standard formats for HIPAA transactions are the American National Standards Institute (ANSI) ASC X12N, Version 4010A1. These formats apply to the following common business functions:

    Transaction Name Number
    Healthcare Claims 837
    Healthcare Claim Payment/Advice 835
    Payroll Deducted and Other Group Premium Payment 820
    Benefit Enrollment and Maintenance 834
    Healthcare Services Review 278
    Healthcare Eligibility Benefit Inquiry and Response 270/271
    Healthcare Claim Status Request and Response 276/277

    Standardized Code Sets

    Electronic data exchange will require using standard code sets. The medical code sets used to identify data include:

    • ICD-9 for diseases
    • CPT-4 for services and procedures
    • HCPCS for medical equipment, injectable drugs and transportation services
    • NDC for prescriptions
    • CDT-3 for dental services

    The non-medical code sets include codes for place of service, revenue codes, relationship and more.

    Unique Identifiers

    Standard national identifiers are assigned to providers, employers and health plans. These "unique identifiers" will permit electronic data exchange and matching for all health insurance related transactions.

    Ensuring Compliance

    While we are committed to collaborating with our physicians and providers on issues related to HIPAA that affect our business relationships, we cannot take responsibility for ensuring that our providers' business processes and practices comply with the law. Because of HIPAA's complexities, we recommend that you seek legal counsel to determine your obligations under this act.

    The privacy regulation requires covered entities to protect PPI and grant individuals other rights as described, without creating obstacles to care and treatment. It applies to information that is transmitted electronically, orally or on paper.

    Full text of regulation

    HIPAA states that other federal and state laws that provide more personal privacy protection still apply. LifeWise must also consider:

    • State Patients' Bills of Rights and other insurance laws
    • State and federal public health laws for sensitive diagnoses, procedures and treatments
    • State regulations implementing the federal Gramm-Leach-Bliley Act

    Accounting of Disclosures
    A person has the right to request an accounting of disclosures made outside a covered entity's routine business functions. LifeWise's routine business functions include payment and healthcare operations, while providers' routine business functions would also include treatment.

    Authorization
    In most cases, a covered entity must obtain written authorization from the person before using or disclosing his or her PPI for other than routine business functions.

    In most cases, our interactions with you will be business as usual. Generally, PPI can be shared between physicians, other providers and the health plan as we carry out "routine business functions" which include the following activities:

    • Processing and paying claims
    • Determining eligibility and benefit
    • Conducting quality audits
    • Providing care management and case management services

    Business Associates
    In most instances, healthcare providers are not the business associates of the health plan, so there won't be changes to your contracts with LifeWise. LifeWise has developed its standard Business Associate Agreements and will be working with vendors and contractors over the next few months to implement them.

    Complaints
    Individuals have the right to complain to a covered entity and to the U.S. Department of Health and Human Services (DHHS) Secretary if they believe their privacy rights have been violated.

    Confidential Communications
    Individuals have the right to request that a covered entity communicate with them at an alternate location if they believe that disclosing all or part of their health information could endanger them.

    Inspection and Amendment
    A person has the right to request to review, obtain copies and amend their PPI.

    Minimum Necessary
    When requesting or disclosing information, covered entities must ensure that they ask for or disclose the minimum amount of PPI needed to accomplish the intent of the disclosure. Covered entities must also ensure that the access employees have to PPI is limited to the minimum necessary to perform their jobs. However, one covered entity can rely on the request for PPI from another covered entity as being the minimum necessary as long as the requesting covered entity indicates that the PPI is related to treatment, payment or healthcare operations (TPO).

    Parents and Minors
    In most situations, parents have control over the health information of their minor children. In certain situations, however, state laws give minors rights that take precedence over HIPAA privacy regulations. In some circumstances, state public health and insurance laws prohibit health plans from disclosing sensitive information such as PPI relating to chemical dependency, mental health, reproductive health, HIV/AIDS/STDs - unless the person's specifically authorizes us to do so.

    Privacy Notice
    All covered entities must provide notice of a patient's privacy rights as well as their privacy practices.

    Privacy Official
    A covered entity must designate a "Privacy Official" responsible for developing and implementing its privacy policies and procedures.

    Research
    Covered entities can use a single authorization form for using and disclosing PPI for research, as well as informed consent for the research.

    Uses and Disclosures for FDA Regulated Products
    Covered entities can disclose PPI to the FDA for public health purposes relating to quality, safety or effectiveness of FDA-regulated products or activities. This includes reporting adverse events and defects or problems with FDA-regulated products.

    HIPAA requires that covered entities choosing to exchange data electronically use the standard transactions, including code sets and unique identifiers.

    Unique Identifiers

    Unique identifiers that HIPAA requires standardized:

    National Provider Identifier (NPI)
    The NPI is a unique identification number for healthcare providers to use with administrative and financial transactions.

    National Employer Identifier (EIN)
    The EIN is a unique identification number for employers and employer groups. The employer tax ID number (TIN) assigned by the IRS was adopted as the EIN.

    National Health Plan Identifier (HPIN)
    The HPIN is a unique identification number for health plans

    For questions about HIPAA Transaction-related regulatory compliance (Transactions, Code Sets, National Identifiers, and Security) call the Centers for Medicare and Medicaid (CMS) at 410-786-4232 (local) or 866-282-0659.

    Practice Management Systems (PMS)

    If you intend to submit claims and conduct other HIPAA transactions electronically, you need to understand the costs involved in complying with standard formats. As you plan your HIPAA compliance strategy, we want to emphasize the importance of maintaining flexibility in your electronic transaction options - regardless of whether you intend to use a clearinghouse service, submit the transactions directly to a payer or some combination of both.

    Background
    First, you must understand your PMS vendor's approach to HIPAA compliance, which generally falls into two categories:

    1. Selling an add-on module that creates compliant transactions at final bill, which allows direct submission to payers or to a clearinghouse you choose. While an add-on module requires an initial investment in software and configuration services, it provides you with substantial business flexibility. It also gives you more control over the ongoing costs of submitting claims and conducting other HIPAA transactions electronically.
    2. Providing external mapping services via a clearinghouse, which is typically owned by the same vendor. These vendors are approaching their clients with "all-payer" HIPAA transaction solutions that require translation at the vendor's clearinghouse. In this arrangement, the provider gives control of the transaction to the vendor. Since the vendor must translate the transaction to become compliant, you forfeit the option of sending the transaction to another clearinghouse or directly to the payer, both of which may be less expensive options. In addition, such an exclusive relationship may put you at a disadvantage when negotiating the transaction fee structure with your PMS vendor.

    Questions To Ask PMS Vendors

    • Will I be in breach of my contract if I use another vendor's software to extract claims data from my system?
    • Will I be able to submit HIPAA compliant transactions directly to payers if I choose to do so?
    • Will I be able to use the clearinghouse service of my choice?
    • When are you going to start the necessary software testing, and who will certify the test results?
    • Will you be working directly with any insurers or clearinghouses to ease the transition to HIPAA standards and to test the messaging systems?
    • Will you be notifying physician clients of your progress?
    • Can you assure me that all transactions and data transmitted will be handled according to the HIPAA privacy and security regulations?
    • Will the HIPAA software update include all the standard transactions and edits for the required data content (i.e. claim status, eligibility, electronic remittance)?

    Connectivity Options

    If your PMS vendor will not provide the necessary transaction flexibility, there are alternatives that do not require switching to a new office management system. Several vendors offer software packages that will extract claims from practice management systems and:

    • Perform the necessary ANSI translation and edits and route the claim directly to a payer
    • Create an expanded national standard format, edit, and route the claim directly to the clearinghouse of your choice for translation.

    Need a Trading Partner Agreement 
    Contact the EDI team at 800-435-2715 or via email at edi@lifewisehealth.com

    Need an ASNI Implementation Guide? 
    You can find guides on the Washington Publishing website