Ready for HIPAA? SAMHSA Can Help
By Rebecca A. Clay
Many Americans have had some personal experience with the Federal
Government's Health Insurance Portability and Accountability
Act (HIPAA). To ensure privacy, for example, they may have been
asked to stand farther away from a customer in line to pick up prescriptions
at the pharmacy counter. Or, they've been asked by their physician's
office staff to read a "Notice of Privacy Practices"
and to sign an acknowledgment of receipt of that information.
"While these may be small day-to-day changes, they reflect
larger changes taking place behind the scenes that will benefit
everyone," says Sarah A. Wattenberg, L.C.S.W.-C, a public
health advisor at SAMHSA's Center for Substance Abuse Treatment
(CSAT) and the SAMHSA HIPAA Coordinator.
HIPAA can be complex at times, but the U.S. Department of Health
and Human Services (HHS) is working hard to develop resources that
can help people better understand the requirements, and SAMHSA is
contributing to these efforts.
Streamlining the System
HIPAA was born out of frustration with the inefficiency—and
spiraling costs—of the Nation's health care system.
As a result of the Act, passed in 1996, HHS was required to create
regulations for the electronic exchange of certain kinds of health
information and for the security and privacy of that information.
Some of the regulations, promulgated over several years, include
- Standards for Electronic Transactions and Code Sets Rule
and its Modifications Rule, which had a compliance date of October
16, 2002 (the Administrative Simplification Compliance Act extended
this rule for an additional year if covered entities submitted HIPAA
- Privacy Rule and its Modifications Rule, with a compliance
date of April 14, 2003.
- Employer Identifier Rule, with a compliance date of July
- Security Rule, with a compliance date of April 21, 2005.
(The additional year for small health plans for Transactions and
Code Sets and its Modifications ended October 16, 2003.)
Three types of "covered entities" are subject to HIPAA:
health plans, health care clearinghouses that health care providers
and plans can use to process and submit their transaction data in
a HIPAA-approved manner, and health care providers who electronically
exchange health information for which HIPAA has adopted a particular
standard. Covered entities must comply with all HIPAA standards,
not just one or two.
In addition, business associates of covered entities who have
contact with a patient's health information are required
to sign contracts agreeing to protect that information. Business
associates could include an attorney reviewing a patient's
file, or an organization that collects information to evaluate patient
care, among others.
What kind of information does HIPAA cover? HIPAA protects any
patient information that is created or received by a covered entity
and that identifies the individual or could be used to identify
an individual, whether the information is in oral, written, or electronic
Electronic Transactions Standards
Until now, every health care organization had its own codes
for billing and other types of transactions. The result was babel,
with health insurers and providers unable to use the same language
to "talk to each other." To create a common language,
HIPAA's electronic transaction regulations require covered
entities to use a standardized content and format when transmitting
certain health care information electronically. Standards have been
adopted so far for the exchange of information related to plan eligibility,
health plan enrollment and disenrollment, premium payments, referral
certification and authorization, claims and encounter information,
claim status, payment and remittance advice, and benefit coordination.
A National Code
Standard code sets for diagnosis and treatment have not existed
up to this point. States have typically used "home-grown"
codes for treatment procedures. Now, HIPAA requires that national,
uniform codes be used. Certain code sets have been adopted by the
HHS Secretary as national standards: the International Classification
of Diseases, 9th Edition, Clinical Modification (Volumes 1, 2, and
3); the Current Procedural Terminology; the Centers for Medicare
& Medicaid Services (CMS) Healthcare Common Procedure Coding
System (HCPCS); the Code on Dental Procedures and Nomenclature;
and the National Drug Codes.
Unfortunately, says Ronald W. Manderscheid, Ph.D., Chief of the
Survey and Analysis Branch of the Division of State and Communities
Systems Development within SAMHSA's Center for Mental Health
Services (CMHS), these code sets did not originally include codes
for many of the services offered by mental health and substance
abuse treatment providers.
For the past 2 years, CSAT, the CMHS Decision Support 2000+ Initiative,
and other groups worked to solve the problem by creating a more
complete code set for behavioral health services and proposing them
for inclusion into the CMS HCPCS code set. The large majority of
these codes were adopted by the CMS and are now posted on the CMS
Also, while some providers may be able to adapt existing systems
to comply with HIPAA's electronic transactions provision,
most will need outside help, Dr. Manderscheid says. Providers can
use health care clearinghouses to translate their transaction data
into acceptable formats or purchase software to do the job.
Either way, Dr. Manderscheid's advice is the same: caveat
emptor (buyer beware). "The burden of proof concerning the
accuracy of the data ultimately lies with the provider or plan,"
he explains. Providers who go the software route should consult
SAMHSA's handbooks for each of the eight electronic transactions
to ensure that they're meeting the standards. (See "Resources")
"Before HIPAA, patients were very concerned about how the
general health care system was handling information about them,"
says Ms. Wattenberg. "In fact, in 1999, the California HealthCare
Foundation conducted a survey and found that one out of seven Americans
reported evasive actions to avoid inappropriate use of their health
care information. For example, someone wouldn't tell the truth
to their primary care physician about a chronic physical condition
for fear the information might get back to their employer,"
says Ms. Wattenberg. "That's a pretty upsetting statistic.
It means that patients may not be giving their doctors important
health information that's needed for appropriate and effective
treatment," she adds.
For this reason, HIPAA requires that covered entities obtain authorization
from patients before they use or disclose information. This applies
unless otherwise allowed by the Privacy Rule, such as, for example,
information can be shared without authorization for treatment (so
that your physician can discuss your x-rays with another provider,
like a radiologist); for payment (e.g., so that information can
be used to process claims); or for operations (e.g., so that information
can be used or disclosed to oversee the quality of the health care
you are receiving).
Among other requirements, covered entities also need to establish
privacy policies, put privacy safeguards in place, train staff,
designate a privacy officer, and establish a grievance process.
Consumers of health care services also have new rights under HIPAA
and they need to be informed of these rights. For example, patients
can review their medical records, make a copy of the records, and
"Mental health and substance abuse treatment providers should
not have a hard time complying with HIPAA's privacy rule,"
says Ms. Wattenberg. "For mental health providers, state laws
and professional ethics have always dictated high standards for
protecting the sensitive information treatment providers create
or receive about their clients."
"For substance abuse providers, most treatment programs
have been required for decades to comply with the Federal Confidentiality
of Alcohol and Drug Abuse Patient Records regulation, 42 C.F.R.
Part 2," says senior program management officer Captain Ann
G. Mahony, M.P.H., of CSAT's Division of Systems Improvement.
"Covered entities should read both laws together," she
advises. When HIPAA conflicts with the "Part 2" regulations
or with state laws, the more stringent rule applies.
Patients will enjoy even more protection when HIPAA's security
standard goes into effect. The standard will require covered entities
to assign a security officer who will be responsible for conducting
risk assessments and other measures to assure the integrity, confidentiality,
and availability of identifiable health information that covered
entities store, maintain, or transmit.
For more information on HIPAA, visit SAMHSA's
Web site at www.hipaa.samhsa.gov.