HIPAA regulations

Nothing has had more bearing on health IT throughout the '00s than Title II of the Health Insurance Portability and Accountability Act of 1996, otherwise known as the administrative simplification regulations of HIPAA. Together, the rules on privacy and security of health information, on transactions and code sets for electronic data interchange and on the National Provider Identifier system have had an impact on pretty much every aspect of health IT this decade.

The rules didn't start to become enforceable until the privacy compliance date of April 14, 2003, but healthcare providers, insurers, vendors, data processors and pretty much everyone else that handled personally identifiable health information--whether on paper or computer--have had to consider HIPAA since proposed regulations began to appear in 1998.

The code sets for EDI transactions, which became mandatory on Oct. 16, 2003--even though CMS wasn't fully ready to accept such transactions then--were supposed to represent the heart of administrative simplification. They were intended to standardize billing, insurance eligibility checking, remittance advice, electronic payments and other communications. But HHS continued to allow private insurers to include their own addenda to each code, wiping out true standardization.

There were other headaches and criticisms, too. Privacy advocates complained about the May 2002 modifications to the privacy rule, which allowed disclosure of protected health information without patient consent for the purposes of "treatment, payment and healthcare operations." Some vendors of practice management and hospital information systems--particularly companies that also owned lucrative clearinghouses--took their time in making their products capable of producing standard HIPAA transactions. CMS let the NPI compliance date slide several times by allowing for contingency plans. And all along, the various parts of HHS and the Department of Justice that had jurisdiction over HIPAA have been lax with their enforcement.

As the decade ends, HIPAA keeps evolving. The American Recovery and Reinvestment Act, enacted in February 2009, effectively removes the "treatment, payment and healthcare operations" exemption in the absence of patient consent. It requires covered entities to notify patients of certain privacy and security breaches and calls on HHS to develop tougher regulations. Perhaps most significantly, ARRA for the first time gives states the authority to enforce HIPAA regulations.

Meanwhile, as providers look toward "meaningful use" of electronic health records to earn Medicare and Medicaid bonus payments starting in 2011, they also have to prepare to switch to the ANSI X12 version 5010 standards for HIPAA transactions by Jan. 1, 2012. The HIPAA work continues.