Help Desks / Support Centers

(800) 457-4454
in-state toll-free or
(501) 376-2211
local and out-of-state

Arkansas Payment Improvement Initiative
(866) 322-4696 in-state toll-free or
(501) 301-8311 local and out-of-state

Magellan Medicaid Administration Pharmacy Help Desk
(800) 424-7895, Option 2 for Prescribers

HIPAA 101

Tip

Under HIPAA, Arkansas Medicaid is a health plan. Its fiscal agent, DXC Technology, is its business associate. Business associate agreements are not necessary between Arkansas Medicaid or DXC Technology and providers or other billers.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry.

Administrative Simplification

Administrative simplification has the following four parts:

Electronic Transactions and Code Sets

Transactions are activities involving the transfer of health care information for specific purposes. Under HIPAA administration simplification, if a health care provider engages in one of the identified transactions, the provider must comply with the standard for that transaction. HIPAA requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers.

Code sets identify diagnoses and clinical procedures on claims and encounter forms. The CPT-4 and ICD-10 codes that you are familiar with are examples of code sets for diagnosis and procedure coding. Other code sets required by HIPAA’s administrative simplification law include codes used for DME, dental services, and drugs.

Privacy

The privacy requirements limit the release of protected health information (PHI) without the patient’s knowledge and consent except as needed for the patient’s care. The patient’s personal information must be guarded more securely and handled more carefully when conducting the business of health care.

Security

The security regulation outlines the minimum administrative, technical, and physical safeguards required to prevent unauthorized access to protected health information. The U.S. Department of Health and Human Services published final instructions on security requirements in the Federal Register on February 20, 2003. HIPAA security requirements became effective April 21, 2005.

National Identifiers

HIPAA requires health care providers, health plans, and employers to have standard ID numbers. The Employer Identification Number (EIN), issued by the Internal Revenue Service, was selected as the identifier for employers and was adopted effective July 30, 2002. The NPI Final Rule issued January 23, 2004, adopted the National Provider Identifier (NPI) as the standard for health care providers. The Centers for Medicare & Medicaid Services (CMS) developed the National Plan and Provider Enumeration System (NPPES) to assign these unique identifiers. A standard identifier has not yet been adopted for health plans.

Claim Submissions

Providers can file claims through the Arkansas Medicaid website, with a vendor system, or with the most current version of Provider Electronic Solutions (PES) software.

Transactions

Claim 837 Professional
837 Institutional
837 Dental
NCPDP retail pharmacy
Payment and remittance advice 835
Prior authorization and response and referral 278
NCPDP retail pharmacy
Claim status inquiry and response 276/277
NCPDP retail pharmacy
Eligibility inquiry and response 270/271
Enrollment and disenrollment in a health plan 834
Health plan premium payments HIX 820

Code Sets

Physician services HCPCS and CPT-4
Medical supplies, orthotics, and DME HCPCS
Diagnosis codes ICD-10-CM, Vols 1 and 2
Inpatient hospital procedures ICD-10-CM, Vols 1 and 2
Dental services Code on dental procedures and nomenclature
Drugs/biologics NDC for retail pharmacy

Terms

Administrative Simplification — The process of improving the efficiency of health care delivery by standardizing electronic data exchange.

Business Associate — A person who performs a function or activity on behalf of a covered entity.

CMS — Centers for Medicare and Medicaid Services (formerly HCFA)

Code Set — Any set of codes used to identify data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

Covered Entity — A health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction.

Health and Human Services, U.S. Department of — The federal agency responsible for implementing HIPAA.

Health Care Provider — A provider of medical or other health services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Health Information — Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.

HHS — U.S. Department of Health and Human Services

HIPAA — Health Insurance Portability and Accountability Act of 1996

Individually Identifiable Health Information — Health information that identifies the individual or can be used to identify the individual.

Office for Civil Rights — The HHS entity responsible for enforcing HIPAA privacy rules.

Protected Health Information — Individually identifiable health information that is transmitted, maintained, or accessible in any form or medium that relates to the past, present, or future physical or mental health or condition of an individual.

Links

https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/index.html

http://www.cms.gov/home/medicaid.asp

http://www.hhs.gov/ocr/hipaa/