Who's Covered by HIPAA (HIPAA on the Job)

by Dan Rode, MBA, FHFMA

One of the mysteries of the administrative simplification section of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is determining who is covered or comes under the requirements of the act. This article will examine HIPAA to unravel some of the mystery of "who's covered?" To do so, we'll refer to HIPAA (PL 104-191) and the final rules for transactions and code sets and privacy.

To find the original text of the final and proposed rules, go to the Department of Health and Human Services (HHS) administrative simplification Web site at http://aspe.os.dhhs.gov/admnsimp/.

Defining HIPAA's Terms

The HIPAA legislation covered a vast array of healthcare issues. For this article, we'll focus on Subtitle F, the administrative simplification section.

To identify who is covered, let's first look at HIPAA's definitions, which include very legalistic descriptions of the terms:

  • "health care clearinghouse": "a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements" (obviously, you have to read the definitions of "data elements" to understand the meaning)
  • "health care provider": "includes a provider of services [as defined under Social Security and Medicare statutes], a provider of medical or other health services [also defined elsewhere], and any other person furnishing health care services or supplies"
  • "health plan": "an individual or group plan that provides or pays the cost of medical care." The section 1171 definition of health plan goes on to describe 13 subgroups that fit this definition and leaves room for additional groups. For example, Medicare Plus-Choice plans have been created since 1996

Section 1172 of HIPAA sets general requirements for the standards and indicates that their applicability to "any standard adopted...shall apply, in whole or in part, to the following persons:

  1. a health plan
  2. a health care clearinghouse
  3. a health care provider who transmits any health information in electronic form in connection with a transaction" named elsewhere in HIPAA

Section 1173 notes that "The Secretary shall adopt standards providing for a standard unique health identifier for each individual [patient], employer, health plan, and health care provider for use in the health care system." We are still waiting to see these final regulations for healthcare providers and employers and proposed regulations for health plans. Congress, in the years since HIPAA was enacted, has halted any development of an individual/patient identifier, indicating that such an identifier can only be developed after the passage of a comprehensive privacy bill.

Section 1175 states that "If a person desires to conduct a [electronic] transaction...with a health plan as a standard transaction

(A) the health plan may not refuse to conduct such transaction as a standard transaction;

(B) the insurance plan may not delay such transaction, or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction; and

(C) the information transmitted and received in connection with the transaction shall be in the form of standard data elements of health information."

Section 1175 also states that "a health plan may satisfy the requirements...by

(A) directly transmitting and receiving standard data elements of health information; or

(B) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse, and receiving standard data elements through the health care clearinghouse."

Similar language is expressed in Section 1175 to allow a person (provider) to use clearinghouses as well.

As you can see, Congress placed significant responsibilities on healthcare plans, while clearinghouses and providers' roles are somewhat less significant. Recognizing that not all healthcare plans are the same, Congress further stipulated (Section 1174) that "in the case of a small health plan...[requirements]...shall be applied by substituting '36 months' for '24 months'...the Secretary [DHHS] shall determine the plans that qualify as small health plans."

"Person" generally describes an individual or entity that acts as one of the three covered entities (health plans, healthcare clearinghouses, or healthcare providers). In HIPAA's Section 1177, a person could also be one of these or any other individual who then would be subject to this section's prohibition against "wrongful disclosure of individually identifiable health information." Penalties in this section range from $50,000 to $250,000 in fines or up to 10 years of imprisonment.

The congressional authors of HIPAA left out a few specific entities, essentially for political purposes. Thus, while HIPAA calls for electronic standards for enrollment and premium payments, it does not call for employers to be covered entities and use such electronic transaction standards. HIPAA also exempts workers' compensation plans and liability insurers (e.g., property and casualty or auto) from using the HIPAA standards, although several of the national liability insurers will probably adopt the standards anyway.

Who Is Affected by the Transaction and Code Set Standards?

The regulations related to transaction and code set standards essentially maintain the applicability definitions as described in HIPAA: health plans, healthcare clearinghouses, and providers who transmit any health information in electronic form in connection with a covered transaction.

The regulations take a cue from HIPAA and extend coverage to "business associates," defined as "a person who performs a function or activity regulated by this...[regulation]...on behalf of a covered entity." The definition also indicates that some business associates could also be covered entities, depending on the function they are performing, such as a hospital-based business office that sells billing services to a physician.

The definition of group health plan is changed to mean "an employee welfare benefit plan...[as defined in ERISA]..., including insured and self-insured plans, to the extent that the plan provides medical care as defined in the...[Public Health Service Act]..., including items and services paid for as medical care to employees or their dependents directly or through insurance, reimbursement or otherwise that

  1. has 50 or more participants...[as defined by ERISA...] or
  2. is administered by an entity other than the employer that established and maintains the plan."

The regulations set the definition of a small versus large health plan on the basis of a Small Business Administration definition that makes the cut between large and small at $5 million maximum in receipts or premiums. Plans that are designated small will receive an extra 12 months to implement the transaction and coding regulations (October 16, 2003, as opposed to October 16, 2002, for large plans).

The clearinghouse definition is essentially unchanged, but it has been expanded to spell out the functions that make an entity a clearinghouse. Similarly, the regulation spells out when a transaction fits the standards and therefore makes the healthcare provider a covered entity.

In these regulations, HHS also tends to use functions or transactions to define who is covered. For instance, the requirements for covered entities include:

(a) "General Rule. Except as otherwise provided...if a covered entity conducts with another covered entity (or within the same covered entity), using electronic media, a transaction for which the Secretary has adopted a standard under this...[regulation]...the covered entity must conduct the transaction as a standard transaction."

(b) "Exception for direct data entry transactions. A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard."

(c) "Use of a business associate. A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following: (1) Comply with all applicable requirements of this part. (2) Require any agent or subcontractor to comply with all applicable requirements of this part."

In discussing its "coordination of benefits" transaction, HHS allows health plans some option as to whether they have to be involved in such a transaction. Health plans that choose to participate then must meet an additional set of regulations.

The transaction and code set regulations leave a healthcare provider free to use paper, a clearinghouse, or the standard transaction set. They do not allow a provider to use an electronic transaction that is not standard. It is important to note that while this HIPAA regulation does not require the use of electronic standards, health plans (payers) might make this a requirement, which immediately means that the provider would have to meet the standard for electronic transmissions or use a clearinghouse.

Additionally, while the claims and payment/remittance X12 transactions chosen by HHS are already widely in use, most of the remaining provider/plan transactions are not widely used. Here, providers and plans are free to use non-electronic transactions in any way they wish. However, if they move to electronic transactions, they must move to the standard transaction, data set, and so on.

Who's Covered by the Privacy Regulations?

The HIPAA privacy standards essentially require adherence by the same entities as those covered under the transaction and code set standards. The privacy regulations, however, have been extended to cover all healthcare information, whether or not it is in electronic form.

For providers, the privacy rules appear to mean that provider entities that engage in any electronic transactions will be covered by these HIPAA requirements for all health information, whether or not the specific information in question is in an electronic format. In reality, this rule effectively covers all healthcare providers, in part because it will be difficult to avoid electronic transaction requirements from federal and state payers, and in part because it will be difficult to explain to patients why one provider can choose not to abide by the privacy regulations when most providers will.

While employers are exempted by the transaction regulation, they are indirectly covered under the privacy regulation in their role as sponsor (final payer). Here the regulation requires health plans, through their contracts with sponsors/employers, to keep private health information separate from other personnel data and to keep it private. Meanwhile, HIPAA legislation does not cover liability and workers' compensation plans under the privacy regulations and, as noted, does not require employers to use the HIPAA transactions. Any changes here require additional legislation.

What Else Do I Need to Know?

A few final thoughts about coverage under HIPAA:

  • while HIPAA law exempts some entities from using the transaction standards and abiding by the privacy requirements, there is nothing to prevent such an entity from adopting these standards
  • while HIPAA law may exempt entities from the regulations, public opinion may not. Entities, especially those that have both covered and non-covered units, must consider the public's and customers' conception of HIPAA. Nonconformance could cost more in the long run
  • some entities have been concerned that being "covered" by HIPAA means that they must collect and transmit all the data in a particular standard. While HIPAA requires that a health plan must accept a fully compliant standard transaction, nothing prevents a provider and a plan from agreeing to transmit less than the total data set, as long as the transaction itself continues to follow the other transaction requirements
  • the HIPAA rules that have currently been published are expected to be implemented in the next two to three years. An entity's status could quickly change in today's healthcare environment. It might be easier to accept the standards and work with them than to avoid them and be caught short later
  • the HIPAA rules set up different (later) implementation dates for small health plans. However, there is no prohibition preventing such plans from implementing sooner, say, at the same time as larger plans
  • the HIPAA rules set up "implement by" dates, but do not prevent plans, providers, or states from setting earlier dates

The original concept behind HIPAA was for the healthcare industry to have one standard. Such a situation would generate a number of cost and administrative benefits. The first step toward realizing the potential benefits is to answer the question "Who's covered?"

Dan Rode is AHIMA's vice president of policy and government relations. He can be reached at dan.rode@ahima.org.


Article citation:
Rode, Dan. "HIPAA On the Job: Who's Covered by HIPAA." Journal of AHIMA 72, no.3 (2001): 16A-16C.