
December 5, 2002
2002-R-0976
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
By: Jerome Harleston, Senior Attorney
You asked several questions about the Health Insurance Portability and Accountability Act (HIPAA) as it applies to a dental office. Specifically you asked:
1. what is the law and who proposed it;
2. why a dental office is now receiving HIPAA information, some six years after the law's enactment; and
3. what procedures does HIPAA require the dental office to implement and how will they benefit both the patient and the office.
SUMMARY
In 1996, Congress passed and President Clinton signed HIPAA (also known as Kassebaum-Kennedy, after its principal sponsors) with broad bipartisan support.
HIPAA relies on a number of strategies to improve the availability of health insurance for individuals and groups, establish national standards for electronic transmission of personal health information, and strengthen individuals' ability to protect and gain greater access to their personal medical records.
Health care providers and others must comply with various HIPAA provisions by 2003.
Electronic transmission of claims and reimbursement information may require some providers to modify their software and computer systems.
Some of HIPAA's provisions can make the claims paying and reimbursement process more efficient, while other provisions give patients greater control over their personal health information.
THE ACT'S PURPOSE AND SCOPE
HIPAA established a national floor of protection for all people who are or have been covered by private or self-insured health plans. It created national standards for the availability and portability of group and individual health insurance coverage, set federal standards for the electronic transfer and confidentiality of medical information, and strengthened federal health care fraud and abuse laws.
The Administrative Simplification Compliance Act (ASCA) provisions of HIPAA impose requirements on health care providers, health plans, and health care clearinghouses that do business electronically. Many of these requirements involve complex computer system modifications. Providers must make their practices compliant with HIPAA.
The ASCA's requirements consist of four parts:
1. electronic transactions and code sets,
2. security,
3. unique identifiers, and
4. privacy.
The Department of Health and Human Services (HHS) has adopted the Employer Identification Number, issued by the Internal Revenue Service, as the National Employer Identifier for use in health care transactions. This is one of the standard identifiers required by HIPAA.
Who Does It Cover?
If a provider conducts any one of the following business transactions electronically, he is most likely covered by HIPAA:
· Claims or equivalent encounter information
· Payment and remittance advice
· Claim status inquiry or response
· Eligibility inquiry or response
· Referral authorization inquiry or response
The act also covers employers, group health, and self-insured plans.
Exemptions and Exclusions
Certain types of insurance are not within HIPAA's scope: accident or disability-income, liability or liability supplemental, workers' compensation, automobile medical payments, credit-only, or coverage for on-site medical clinics. The following types of coverage are excluded if offered separately on a stand-alone basis: limited scope dental and vision; long-term care, nursing home, home health care, or community-based care. The following types of coverage are excluded if offered as independent non-coordinated benefits: specific disease or fixed indemnity plans and Medicare supplement insurance offered as a separate policy.
Compliance Dates
HIPAA does not require a health care provider to conduct transactions electronically, but if a provider does, it must follow the standard format outlined under HIPAA.
In December 2001, the ASCA extended the deadline for compliance with HIPAA's electronic health care transactions and code sets standards by one year, to October 16, 2003, for all covered entities other than small health plans (whose compliance date was already October 16, 2003).
But by April 16, 2003, the provider (or his software vendor) must test his software and computer systems internally to ensure they are capable of sending and receiving transactions electronically in the standard HIPAA format by October 16, 2003.
HHS issued the regulation, "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. The Office for Civil Rights (OCR) is responsible for implementing and enforcing it.
The privacy rule creates national standards to protect individuals' personal health information and gives patients increased access to their medical records. As required by HIPAA, the rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically.
Most covered entities must comply with the rule by April 14, 2003. Small health plans have until April 14, 2004 to comply.
THE ACT'S BENEFITS
The electronic transaction and related requirements are intended to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
The privacy requirement gives patients greater access to their own medical records and more control over how their personal health information is used. In the area of marketing, for example, providers must obtain an individual's prior written authorization to use his or her protected health information for marketing purposes except for a face-to-face encounter or a communication involving a promotional gift of nominal value. Providers are prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for its marketing activities, without the individual's authorization.
JH: ts