skip navigation

Text Only

SAMHSA News - January/February 2004, Volume 12, Number 1

Ready for HIPAA? SAMHSA Can Help

HIPAA (Health Insurance Portability & Accountability Act)

Many Americans have had some personal experience with the Federal Government's Health Insurance Portability and Accountability Act (HIPAA). To ensure privacy, for example, they may have been asked to stand farther away from a customer in line to pick up prescriptions at the pharmacy counter. Or, they've been asked by their physician's office staff to read a "Notice of Privacy Practices" and to sign an acknowledgment of receipt of that information.

"While these may be small day-to-day changes, they reflect larger changes taking place behind the scenes that will benefit everyone," says Sarah A. Wattenberg, L.C.S.W.-C, a public health advisor at SAMHSA's Center for Substance Abuse Treatment (CSAT) and the SAMHSA HIPAA Coordinator.

HIPAA can be complex at times, but the U.S. Department of Health and Human Services (HHS) is working hard to develop resources that can help people better understand the requirements, and SAMHSA is contributing to these efforts.

Back to Top

Streamlining the System

HIPAA was born out of frustration with the inefficiency—and spiraling costs—of the Nation's health care system. As a result of the Act, passed in 1996, HHS was required to create regulations for the electronic exchange of certain kinds of health information and for the security and privacy of that information. Some of the regulations, promulgated over several years, include the following:

  • Standards for Electronic Transactions and Code Sets Rule and its Modifications Rule, which had a compliance date of October 16, 2002 (the Administrative Simplification Compliance Act extended this rule for an additional year if covered entities submitted HIPAA compliance plans).
  • Privacy Rule and its Modifications Rule, with a compliance date of April 14, 2003.
  • Employer Identifier Rule, with a compliance date of July 30, 2004.
  • Security Rule, with a compliance date of April 21, 2005. (The additional year for small health plans for Transactions and Code Sets and its Modifications ended October 16, 2003.)

Three types of "covered entities" are subject to HIPAA: health plans, health care clearinghouses that health care providers
and plans can use to process and submit their transaction data in a HIPAA-approved manner, and health care providers who electronically exchange health information for which HIPAA has adopted a particular standard. Covered entities must comply with all HIPAA standards, not just one or two.

In addition, business associates of covered entities who have contact with a patient's health information are required
to sign contracts agreeing to protect that information. Business associates could include an attorney reviewing a patient's file, or an organization that collects information to evaluate patient care, among others.

What kind of information does HIPAA cover? HIPAA protects any patient information that is created or received by a covered entity and that identifies the individual or could be used to identify an individual, whether the information is in oral, written, or electronic format.

Back to Top

Electronic Transactions Standards

Until now, every health care organization had its own codes
for billing and other types of transactions. The result was babel, with health insurers and providers unable to use the same language to "talk to each other." To create a common language, HIPAA's electronic transaction regulations require covered entities to use a standardized content and format when transmitting certain health care information electronically. Standards have been adopted so far for the exchange of information related to plan eligibility, health plan enrollment and disenrollment, premium payments, referral certification and authorization, claims and encounter information, claim status, payment and remittance advice, and benefit coordination.

Back to Top

A National Code

Standard code sets for diagnosis and treatment have not existed up to this point. States have typically used "home-grown" codes for treatment procedures. Now, HIPAA requires that national, uniform codes be used. Certain code sets have been adopted by the HHS Secretary as national standards: the International Classification of Diseases, 9th Edition, Clinical Modification (Volumes 1, 2, and 3); the Current Procedural Terminology; the Centers for Medicare & Medicaid Services (CMS) Healthcare Common Procedure Coding System (HCPCS); the Code on Dental Procedures and Nomenclature; and the National Drug Codes.

Unfortunately, says Ronald W. Manderscheid, Ph.D., Chief of the Survey and Analysis Branch of the Division of State and Communities Systems Development within SAMHSA's Center for Mental Health Services (CMHS), these code sets did not originally include codes for many of the services offered by mental health and substance abuse treatment providers.

For the past 2 years, CSAT, the CMHS Decision Support 2000+ Initiative, and other groups worked to solve the problem by creating a more complete code set for behavioral health services and proposing them for inclusion into the CMS HCPCS code set. The large majority of these codes were adopted by the CMS and are now posted on the CMS Web site.

Also, while some providers may be able to adapt existing systems to comply with HIPAA's electronic transactions provision, most will need outside help, Dr. Manderscheid says. Providers can use health care clearinghouses to translate their transaction data into acceptable formats or purchase software to do the job.

Either way, Dr. Manderscheid's advice is the same: caveat emptor (buyer beware). "The burden of proof concerning the accuracy of the data ultimately lies with the provider or plan," he explains. Providers who go the software route should consult SAMHSA's handbooks for each of the eight electronic transactions to ensure that they're meeting the standards. (See "Resources")

Back to Top

Protecting Privacy

"Before HIPAA, patients were very concerned about how the general health care system was handling information about them," says Ms. Wattenberg. "In fact, in 1999, the California HealthCare Foundation conducted a survey and found that one out of seven Americans reported evasive actions to avoid inappropriate use of their health care information. For example, someone wouldn't tell the truth to their primary care physician about a chronic physical condition for fear the information might get back to their employer," says Ms. Wattenberg. "That's a pretty upsetting statistic. It means that patients may not be giving their doctors important health information that's needed for appropriate and effective treatment," she added.

Before HIPAA, patients were very concerned about how the general health care system was handling information about them.

For this reason, HIPAA requires that covered entities obtain authorization from patients before they use or disclose information. This applies unless otherwise allowed by the Privacy Rule, such as, for example, information can be shared without authorization for treatment (so that your physician can discuss your x-rays with another provider, like a radiologist); for payment (e.g., so that information can be used to process claims); or for operations (e.g., so that information can be used or disclosed to oversee the quality of the health care you are receiving).

Among other requirements, covered entities also need to establish privacy policies, put privacy safeguards in place, train staff, designate a privacy officer, and establish a grievance process.

Consumers of health care services also have new rights under HIPAA and they need to be informed of these rights. For example, patients can review their medical records, make a copy of the records, and request changes.

While some providers may be able to adapt existing systems to comply with HIPAA's electronic transactions provision, most will need outside help.

"Mental health and substance abuse treatment providers should not have a hard time complying with HIPAA's privacy rule," says Ms. Wattenberg. "For mental health providers, state laws and professional ethics have always dictated high standards for protecting the sensitive information treatment providers create or receive about their clients."

"For substance abuse providers, most treatment programs have been required for decades to comply with the Federal Confidentiality of Alcohol and Drug Abuse Patient Records regulation, 42 C.F.R. Part 2," says senior program management officer Captain Ann G. Mahony, M.P.H., of CSAT's Division of Systems Improvement. "Covered entities should read both laws together," she advises. When HIPAA conflicts with the "Part 2" regulations or with state laws, the more stringent rule applies.

Patients will enjoy even more protection when HIPAA's security standard goes into effect. The standard will require covered entities to assign a security officer who will be responsible for conducting risk assessments and other measures to assure the integrity, confidentiality, and availability of identifiable health information that covered entities store, maintain, or transmit.

For more information on HIPAA, visit SAMHSA's Web site at End of Article

« See Also—Previous Article

See Also Related Material—HIPAA Compliance Resources »

See Also—Next Article »

Back to Top

Inside This Issue

SAMHSA Helps Reduce Seclusion and Restraint at Facilities for Youth
  • Part 1
  • Part 2
    Related Content:  
  • Demonstration Sites
  • Resources

    Acculturation Increases Risk for Substance Use by Foreign-Born Youth
    Related Content:  
  • Past-Month Substance Use Among Foreign-Born Youth Age 12 to 17 vs. U.S.-Born Youth

    Ready for HIPAA? SAMHSA Can Help
    Related Content:  
  • HIPAA Compliance Resources

    SAMHSA Simplifies, Clarifies Grants Process
    Related Content:  
  • Discretionary Grant Categories

    In Brief…
  • Events
  • Publications

    SAMHSA Offers New Resource for Helping Homeless Persons with Mental Disorders

    Report Cites Reasons for Not Receiving Substance Abuse Treatment

    SAMHSA "Short Reports" on Statistics

    SAMHSA News

    SAMHSA News - January/February 2004, Volume 12, Number 1

    Go to SAMHSA Home Page

    This page was last updated on 28 February, 2003
    SAMHSA is An Agency of the U.S. Department of Health & Human Services
    Email Questions to   Click for text version of site

    Privacy Statement  |  Site Disclaimer  |  Accessibility