HIPAA
101
Under
HIPAA, Arkansas Medicaid is a health plan. Its fiscal agent, DXC Technology, is its business associate. Business associate agreements are not necessary between Arkansas Medicaid or DXC Technology and providers or other billers.
HIPAA stands for Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry.
Administrative simplification has the following four parts:
Electronic Transactions and Code Sets
Transactions are activities involving the transfer of health care information
for specific purposes. Under
HIPAA
administration simplification, if a health
care provider engages in one of the identified transactions, the provider must
comply with the standard for that transaction.
HIPAA
requires every provider
who does business electronically to use the same health care transactions, code
sets, and identifiers.
Code sets identify diagnoses and clinical procedures on claims and encounter
forms. The CPT-4 and ICD-10 codes that you are familiar with are examples of
code sets for diagnosis and procedure coding. Other code sets required by
HIPAA’s administrative simplification law include codes used for DME, dental
services, and drugs.
Privacy
The privacy requirements limit the release of protected health information (PHI)
without the patient’s knowledge and consent except as needed for the patient’s
care. The patient’s personal information must be guarded more securely and
handled more carefully when conducting the business of health care.
Security
The security regulation outlines the minimum administrative, technical, and
physical safeguards required to prevent unauthorized access to protected health
information. The U.S. Department of Health and Human Services published final
instructions on security requirements in the Federal Register on
February 20, 2003.
HIPAA
security requirements became effective April
21, 2005.
National Identifiers
HIPAA
requires health care providers, health plans, and employers to have
standard ID numbers. The Employer Identification Number (EIN), issued by the
Internal Revenue Service, was selected as the identifier for employers and was
adopted effective July 30, 2002. The NPI Final Rule issued January 23, 2004,
adopted the National Provider Identifier (NPI) as the standard for health care
providers. The Centers for Medicare & Medicaid Services (CMS) developed the
National Plan and Provider Enumeration System (NPPES) to assign these unique
identifiers. A standard identifier has not yet been adopted for health plans.
Providers can file claims through the Arkansas Medicaid website, with a vendor
system, or with the most current version of Provider
Electronic Solutions (PES) software.
| Claim |
837 Professional
837 Institutional
837 Dental
NCPDP retail pharmacy |
| Payment and remittance advice |
835 |
| Prior authorization and response and referral |
278
NCPDP retail pharmacy |
| Claim status inquiry and response |
276/277
NCPDP retail pharmacy |
| Eligibility inquiry and response |
270/271 |
| Enrollment and disenrollment in a health plan |
834 |
| Health plan premium payments |
HIX 820 |
| Physician services |
HCPCS
and
CPT-4 |
| Medical supplies, orthotics, and DME |
HCPCS |
| Diagnosis codes |
ICD-10-CM, Vols 1 and 2 |
| Inpatient hospital procedures |
ICD-10-CM, Vols 1 and 2 |
| Dental services |
Code on dental procedures and nomenclature |
| Drugs/biologics |
NDC
for retail pharmacy |
Administrative Simplification — The process of improving the efficiency of health care delivery by standardizing electronic data exchange.
Business Associate — A person who performs a function or activity on behalf of a covered entity.
CMS — Centers for Medicare and Medicaid Services (formerly
HCFA)
Code Set — Any set of codes used to identify data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.
Covered Entity — A health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction.
Health and Human Services, U.S. Department of — The federal agency responsible for implementing
HIPAA.
Health Care Provider — A provider of medical or other health services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.
Health Information — Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
HHS — U.S. Department of Health and Human Services
HIPAA — Health Insurance Portability and Accountability Act of 1996
Individually Identifiable Health Information — Health information that identifies the individual or can be used to identify the individual.
Office for Civil Rights — The HHS entity responsible for enforcing
HIPAA
privacy rules.
Protected Health Information — Individually identifiable health information that is transmitted, maintained, or accessible in any form or medium that relates to the past, present, or future physical or mental health or condition of an individual.
https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/index.html
http://www.cms.gov/home/medicaid.asp
http://www.hhs.gov/ocr/hipaa/