The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for
Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families
when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the
establishment of national standards for electronic home health care transactions and national identifiers for providers, home health care insurance
plans, and employers.
The Administration Simplification provisions also address the security and privacy of home health care data. The standards are meant to improve
the efficiency and effectiveness of the nation's home health care system by encouraging the widespread use of electronic data interchange
in the US home health care system.
Title I of HIPAA regulates the availability and breadth of group and individual home health care insurance plans. It amends both the Employee
Retirement Income Security Act and the Public Health Service Act.
Title I HIPAA also limits restrictions that a group home health care plan can place on benefits for preexisting conditions. Group health plans
may refuse to provide benefits relating to preexisting conditions for a period of 12 months after enrollment in the plan or 18 months
in the case of late enrollment. However, individuals may reduce this exclusion period if they had home health care insurance prior to enrolling
in the plan. Title I allows individuals to reduce the exclusion period by the amount of time that they had "creditable coverage"
prior to enrolling in the plan and after any "significant breaks" in HIPAA coverage. "Creditable coverage" is defined quite broadly
and includes nearly all group and individual home health care plans, Medicare, and Medicaid. A "significant break" in coverage is defined as
any 63 days period without any creditable coverage.
Some HIPAAhome health care plans are exempted from Title I requirements, such as long-term health plans, and limited-scope plans such
as dental or vision plans that are offered separately from the general home health care plan. However, if such benefits are part of the general
health plan, then HIPAA still applies to such benefits. For example, if the new plan offers dental benefits, then it must count
creditable continuous coverage under the old home health care plan towards any of its exclusion periods for dental benefits.
However, an alternate HIPAA method of calculating creditable continuous coverage is available to the health plan under Title I. That
is, 5 categories of health care coverage can be considered separately, including dental and vision coverage. Anything not under those 5
categories must use the general calculation (e.g., the beneficiary may be counted with 18 months of general coverage, but only 6
months of dental coverage, because the beneficiary did not have a general home health care plan that covered dental until 6 months prior to the
application date). Unfortunately, since limited-coverage plans are exempt from HIPAA requirements, the odd case exists in which the
applicant to a general group home health care plan cannot obtain certificates of creditable continuous coverage for independent limited-scope
plans such as dental to apply towards exclusion periods of the new plan that does include those coverages.
Hidden exclusion periods are not valid under Title I HIPAA (e.g., "The accident, to be covered, must have occurred while the beneficiary
was covered under this exact same home health care insurance contract." Such clauses must not be acted upon by the home health care plan and also must be
re-written so that they comply with HIPAA.
Title II of HIPAA defines numerous offenses relating to home health care and sets civil and criminal penalties for them. It also creates
several programs to control fraud and abuse within the home health care system. However, the most significant provisions of Title II are
its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at
increasing the efficiency of the home health care system by creating standards for the use and dissemination of home health care information.
These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include home health care plans, health care
clearinghouses, such as billing services and community home health care information systems, and home health care providers that transmit health
care data in a way that is regulated by HIPAA.
The HIPAA / EDI provision was scheduled to take effect from October 16, 2003 with a one-year extension for certain "small plans;"
however, due to widespread confusion and difficulty in implementing the rule, CMS granted a one-year extension to all parties. As of
October 16, 2004, full implementation was not achieved and CMS began an open-ended "contingency period." Penalties for non-compliance
were not levied; however, all parties are expected to make a "good-faith effort" to come into compliance.
CMS announced that the Medicare contingency period ended July 1, 2005. After July 1, most medical providers that file electronically
will have to file their electronic claims using the HIPAA standards in order to be paid. There are exceptions for doctors that meet
certain criteria.
HIPAA covered entities such as providers completing electronic transactions, home health care clearinghouses, and large home health care plans, must
use only the NPI to identify covered home health care providers in standard transactions by May 23, 2007. Small home health care plans must use only
the NPI by May 23, 2008.
On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement
Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA
violations, however its deterrent effects seems to be negligible with few prosecutions for violations.
The enactment of the Privacy and Security Rules has caused major changes in the way physicians and medical centers operate. While
respect for patient privacy was already informally considered a cornerstone of medical professionalism, the complex legalities and
potentially stiff penalties associated with HIPAA, as well as the increase in paperwork and the cost of its implementation, were
causes for concern among physicians and medical centers. An August 2006 article in the journal Annals of Internal Medicine detailed
some such concerns over the implementation and effects of HIPAA.
HIPAA restrictions on researchers have affected their ability to perform retrospective, chart-based research as well as their ability
to prospectively evaluate patients by contacting them for follow-up. A study from the University of Michigan demonstrated that
implementation of the HIPAA Privacy rule resulted in a drop from 96% to 34% in the proportion of follow-up surveys completed by study
patients being followed after a heart attack. Another study, detailing the effects of HIPAA on recruitment for a study on cancer
prevention, demonstrated that HIPAA - mandated changes led to a 73% decrease in patient accrual, a tripling of time spent recruiting
patients, and a tripling of mean recruitment costs.
These data suggest that the HIPAA privacy rule, as currently implemented, may be having negative impacts on the cost and quality of
medical research. Dr. Kim Eagle, professor of internal medicine at the University of Michigan, was quoted in the Annals article as
saying, "Privacy is important, but research is also important for improving care. We hope that we will figure this out and do it right."
The complexity of HIPAA, combined with potentially stiff penalties for violators, can lead physicians and medical centers to withhold
information from those who may have a right to it. A review of the implementation of the HIPAA Privacy Rule by the U.S. Government
Accountability Office found that home health care providers were "uncertain about their [legal] privacy responsibilities and often
responded with an overly guarded approach to disclosing information...than necessary to ensure compliance with the Privacy rule." This
uncertainty continues, as evidenced by a New York Times article in July 2007.
Costs of Implementation In the period immediately prior to the enactment of the HIPAA Privacy and Security Acts, medical centers and
medical practices were charged with getting "into compliance." With an early emphasis on the potentially severe penalties associated
with violation, many practices and centers turned to private, for-profit "HIPAA consultants" who were intimately familiar with the
details of the legislation and offered their services to ensure that physicians and medical centers were fully "in compliance." In
addition to the costs of developing and revamping systems and practices, the increase in paperwork and staff time necessary to meet
the legal requirements of HIPAA may impact the finances of medical centers and practices at a time when insurance company and Medicare
reimbursement is also declining.