
Virginia Department of Medical Assistance Services

HIPAA - Frequently Asked Questions (FAQs)

Q1. What is HIPAA?
Q2. What's the purpose of HIPAA?
Q3. What is meant by Privacy and Security?
Q4. Which of the HIPAA regulations will have the most impact on healthcare?
Q5. What is the purpose of the HIPAA Security and Electronic Signature standards?
Q6. Why are new Security and Electronic Signature standards needed?
Q7. How will the standards to protect individual health information be implemented?
Q8. Who must comply?
Q9. Do security requirements apply only to the transactions adopted under HIPAA?
Q10. Is it mandatory to use an electronic signature?
Q11. Do the Security Standards apply to paper documents?
Q12. Does the Security Standard require use of specific technologies?
Q13. How will smaller providers be affected?
Q14. What are the required timelines for achieving compliance with HIPAA regulations?
Q15. What benefits do the new HIPAA regulations provide to healthcare organizations?
Q16. What is the tentative schedule for publication of HIPAA Administrative Simplification Regulations?
Q17. What are some of the ways that PHI is de-identified?

Q1:  What is HIPAA?
A1. The Health Insurance Portability & Accountability Act of 1996 (enacted August 21, 1996), Public Law 104-191, which amends the Internal Revenue Code of 1986.

Title II includes a section, Administrative Simplification, requiring:

1. Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
2. Protection of confidentiality and security of health data through setting and enforcing standards.

More specifically, HIPAA calls for:

1. Standardization of electronic patient health, administrative and financial data
2. Unique health identifiers for individuals, employers, health plans and health care providers
3. Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future. The bottom line: sweeping changes in most healthcare transaction and administrative information systems.

Q2: What is the purpose of HIPAA?
A2: The purpose of HIPAA is to prevent inappropriate use and disclosure of individuals' health information and to require organizations that use health information to protect that information and the systems that store, transmit, and process it.

Q3: What is meant by Privacy and Security?
A3: HIPAA Privacy requires appointment of a Privacy officer and restricts use and disclosure:
  1. by a covered entity
  2. of protected health information
  3. to the minimum information necessary to accomplish the purpose for which the information is used or disclosed; disclosures to a provider for purposes of treatment are permitted without this minimum-necessary limit.

It also defines rights of individuals with respect to information about themselves:

  • right to written notice of information practices;
  • rights of access, review, and correction;
  • right to an accounting of disclosures not for provision of care.

HIPAA Security requires appointment of a Security officer responsible for security of health information and maintaining reasonable and appropriate safeguards to:

  • ensure integrity and confidentiality of all health information which is maintained or transmitted in electronic form;
  • protect against reasonably anticipated threats or hazards to security and integrity of information;
  • protect against reasonably anticipated unauthorized uses or disclosures of information;
  • ensure compliance with those safeguards by officers and employees.

Q4: Which of the HIPAA regulations will have the most impact on healthcare?
A4: At the core of the new regulations are requirements to systemize, expedite and protect the electronic transfer of healthcare information. These include:
  • standards for the electronic transmission of financial and administrative information
  • standard codes for identifying medical diagnoses and procedures
  • a 10-digit numeric ID, the National Provider Identifier (NPI), issued to every health care provider, whether an individual or an organization
  • a nine-digit numeric ID (the employer's EIN) issued to each employer for use in all HIPAA-governed administrative and financial transactions
  • thirty-four specific security measures that providers must adopt in order to protect patient-identifiable healthcare information
  • additional rules that specify how, and under what circumstances, healthcare information can be used and shared

Q5: What is the purpose of the HIPAA Security and Electronic Signature standards?
A5: The new standards are being developed to protect the confidentiality, integrity and availability of individual health information.
Q6: Why are new Security and Electronic Signature standards needed?
A6: There were no existing standards that provided comprehensive and uniform protection of individual health information. HIPAA's new security standards will permit appropriate access and use of an individual's health information by health care providers, clearinghouses, and health plans while providing appropriate safeguards against misuse and dissemination. 
Q7: How will the standards to protect individual health information be implemented?
A7: The standards require safeguards for the physical storage and maintenance, transmission, and access to individual health information. Implementation will depend upon the individual organization, its existing technology and the risks to and vulnerabilities of the information it must protect.
Q8: Who must comply?
A8: All Covered Entities. Covered Entities include 1) all health care providers who transmit any health information electronically in connection with standard financial or administrative transactions, 2) all health plans, and 3) all health care clearinghouses. Covered entities are accountable for PHI. The Centers for Medicare & Medicaid Services (CMS) (formerly HCFA), Medicare + Choice plans and Medicaid state plans are also Covered Entities.

Q9: Do security requirements apply only to the transactions adopted under HIPAA?
A9: No. The security standard applies to all individual health information that is maintained or transmitted electronically, whether at rest or in motion. This is much broader than the specific transactions currently defined in the law.

Q10: Is it mandatory to use an electronic signature?
A10: No. At this time, none of the transactions adopted under HIPAA requires an electronic signature.
Q11: Do the Security Standards apply to paper documents?
A11: No. The standards apply to individual health information in electronic form only, such as information maintained in databases, on websites, or in electronic mail (email).

Q12: Does the Security Standard require use of specific technologies?
A12: No. The Security Standard is "technologically neutral" in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. The security standard is a compendium of security requirements that must be satisfied. While all organizations will be required to meet the basic requirements, particular solutions will likely vary based upon organizational size and complexity.
Q13: How will smaller providers be affected?
A13: The final security standard does not require extraordinary measures. It involves taking actions that assure the security of the information to be protected. The standard does not dictate specific technologies. The requirements of the standard may be implemented in a number of ways, depending upon the security needs and technologies in place at each business and upon agreements among businesses that work together.
Q14: What are the required timelines for achieving compliance with HIPAA regulations?
A14: Under the HHS rules, compliance is required two years and two months after a final HIPAA rule is published: the rule takes effect 60 days after publication, and covered entities then have 24 months to comply (small health plans are given an additional year).

An interim HIPAA Enforcement Rule was published on April 17, 2003. It defines the procedures by which HHS's Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) investigate complaints, hold hearings and impose civil monetary penalties for non-compliance with the HIPAA standards. OCR enforces the final Privacy Rule and CMS enforces the final Transactions and Code Sets Rule. The Interim Enforcement Rule became effective on May 19, 2003 and ceases to be in effect on September 16, 2005.

Q15: What benefits do the new HIPAA regulations provide to healthcare organizations?
A15: We can identify three important potential benefits:
  • The standardization of electronic data interchange may significantly improve information transfer between payer and provider.
  • Codification of electronic data standards may position providers to efficiently move their services onto the Internet.
  • It provides healthcare organizations with an opportunity to streamline and simplify their operations and infrastructure, with significant potential for savings. For example, a large amount of physician practice time is currently spent on administrative processing; we expect that administrative workload may decrease significantly once the HIPAA standards are implemented.

Q16: What is the tentative schedule for publication of HIPAA Administrative Simplification Regulations?
A16: View the most recent schedule as published by the U.S. Department of Health and Human Services.

Standards are required to be implemented within 2 years of the effective date of the final rule, which is generally 60 days after publication of the rule.

The latest published rules include:

  • The Final National Employer ID Rule was published on May 31, 2002.
  • The Final Security Rule was published on February 20, 2003.
  • The Interim Enforcement Rule was published on April 17, 2003.
  • The Final National Provider ID Rule was published on January 23, 2004.

Q17: What are some of the ways that PHI is de-identified?
A17: PHI is de-identified by removing identifiers such as:
  • Name
  • Geographic identifiers smaller than a state (except the first three digits of a ZIP code, and only where the area covered by that three-digit prefix contains more than 20,000 people)
  • Telephone or fax numbers
  • Birth date (except the year)
  • Admission or discharge dates
  • Social Security or medical record numbers
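As an added worked example (not part of the DMAS FAQ), the following Python applies the removals listed above to a structured patient record: direct identifiers are dropped, the ZIP code is cut to its first three digits, and birth, admission and discharge dates are reduced to the year. It also implements two details of the HHS safe-harbor method that the list above leaves out: three-digit ZIP areas with 20,000 or fewer people must be replaced with 000, and ages over 89 must not be disclosed. The field names, the sample record and the policy sets are constructed for illustration; the restricted-prefix list follows HHS's guidance based on 2000 Census data and must be refreshed against current data before use.

```python
"""Safe-harbor style de-identification of a structured PHI record.
Added example; field names, sample data and policy sets are constructed."""
import re

# ZIP3 prefixes that HHS safe-harbor guidance (2000 Census data) lists as
# covering 20,000 people or fewer; these must become "000". Deployer-maintained
# configuration: refresh against current population data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Removed outright: names, sub-state geography, phone/fax, SSN, MRN.
REMOVE_FIELDS = {"name", "street", "city", "county", "phone", "fax", "ssn", "mrn"}
# Reduced to year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Passed through unchanged (assumed to carry no identifiers).
KEEP_FIELDS = {"state", "diagnosis_code"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def generalize_zip(zip_code):
    """Keep only the first three ZIP digits; collapse restricted prefixes to 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed input: drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_only(iso_date):
    """Reduce an ISO 8601 date (YYYY-MM-DD) to its year."""
    m = re.fullmatch(r"\s*(\d{4})-\d{2}-\d{2}\s*", iso_date)
    if not m:
        raise ValueError(f"unrecognised date format: {iso_date!r}")
    return m.group(1)


def scrub_free_text(text):
    """Mask SSN- and phone-shaped tokens in free text. This is a floor only:
    names and addresses in notes still need human or NLP review."""
    text = SSN_RE.sub("[SSN]", text)
    return PHONE_RE.sub("[PHONE]", text)


def deidentify(record, reference_year):
    """Return a de-identified copy of record. Fails closed: fields not covered
    by the policy above are dropped and listed under "_dropped" for review."""
    out = {}
    dropped = []
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field in KEEP_FIELDS:
            out[field] = value
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = year_only(value)
        elif field == "notes":
            out["notes"] = scrub_free_text(value)
        else:
            dropped.append(field)
    # Ages over 89 are identifying in themselves, so withhold the birth year.
    birth_year = out.pop("birth_year", None)
    if birth_year is not None:
        if reference_year - int(birth_year) > 89:
            out["age_over_89"] = True
        else:
            out["birth_year"] = birth_year
    out["_dropped"] = dropped
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "street": "123 Main St",
    "city": "Richmond",
    "state": "VA",
    "zip": "23219-1234",
    "phone": "804-555-0123",
    "ssn": "123-45-6789",
    "mrn": "MRN-0004471",
    "birth_date": "1950-07-14",
    "admission_date": "2004-03-02",
    "discharge_date": "2004-03-09",
    "diagnosis_code": "I10",
    "notes": "Pt called from 804-555-0123; SSN 123-45-6789 on file.",
    "employer_ein": "12-3456789",  # not in the policy: will be dropped and reported
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD, reference_year=2004).items():
        print(f"{key}: {value}")
```

The policy is an allow-list: a field the code does not recognise (here the constructed employer_ein) is dropped and reported rather than passed through, which is the failure mode you want when an upstream system adds a column. The free-text scrub is deliberately conservative; safe harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual, and that judgement is not something a regex can make.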