An agency of the Texas Health and Human Services System.
HIPAA at DSHS
What is HIPAA?
HIPAA is the acronym of the Health Insurance Portability and Accountability Act of 1996. The main purpose of this federal statute was to help consumers maintain their insurance coverage, but it also includes a separate set of provisions called Administrative Simplification. This section of the act is aimed at improving the efficiency and effectiveness of the health care system. The key components of Administrative Simplification include:
The HIPAA regulations apply to:
Business associates of a covered entity are not directly controlled by the regulations, but mandatory contracts require them to protect the privacy of individually identifiable information. Government agencies specifically named in the regulations are covered entities, as are agencies that function as a health plan or a health care provider.
Electronic Data Interchange (EDI)
These regulations are identified as the Transaction and Code Set Standards. The final rules for EDI and code sets were implemented on October 16, 2003. Several of the transaction standards are still under review and have not been published.
The HIPAA Code Set Regulations establish a uniform standard of data elements used to document the reasons why patients are seen and the procedures performed during health care encounters. The code sets that HIPAA specifies for use are:
HIPAA also specifies administrative code sets for use in conjunction with certain transactions, and it eliminates state-specific local codes.
Privacy
These regulations establish standards for protecting individually identifiable health information and for guaranteeing the rights of individuals to have more control over such information. The HIPAA privacy regulations were implemented on April 14, 2003.
Privacy rules define the rights of individuals and security rules define the process and technology required to ensure privacy.
Security
These regulations establish standards for the security of electronic protected health information (e-PHI). The HIPAA security regulations were implemented on April 21, 2005 for all but small health plans (which must comply by April 20, 2006).
The final regulations adopt standards for the security of e-PHI. These standards are organized into the following three high-level categories:
National Provider Identifiers (NPI)
These regulations establish the standard unique health identifier for health care providers, to simplify administrative processes such as referrals and billing, to improve the accuracy of data, and to reduce costs. The Final Rule was published January 23, 2004.
Health care providers began applying for NPIs on the effective date of the final rule, May 23, 2005. All health care providers are eligible to be assigned NPIs; health care providers that are covered entities must obtain and use NPIs.
All HIPAA covered entities must use NPIs by the compliance dates:
Penalties for Failure to Comply with HIPAA
The legislation carries heavy civil and criminal penalties for failure to comply. The US DHHS Office for Civil Rights enforces civil penalties, which may range from $100 per violation to $25,000 per calendar year. The US Department of Justice enforces criminal penalties, which may include up to 10 years' imprisonment and a $250,000 fine.