Health Insurance Portability and Accountability Act (HIPAA) Home


What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The main purpose of this federal statute was to help consumers maintain their insurance coverage, but it also includes a separate set of provisions called Administrative Simplification. This section of the act is aimed at improving the efficiency and effectiveness of the health care system. The key components of Administrative Simplification include:

  • Standardized electronic transmission of common administrative and financial transactions (such as billing and payments)
  • Unique health identifiers for individuals, employers, health plans, and health care providers
  • Privacy and security standards to protect the confidentiality and integrity of individually identifiable health information


Covered Entities

The HIPAA regulations apply to:

  • Health Plans
  • Health Care Clearinghouses (Entities that facilitate electronic transactions by "translating" data between health plans and providers when they use non-compatible information systems.)
  • Health Care Providers who transmit health information in electronic form in connection with one or more of the eight covered transactions.

Business associates of a covered entity are not directly controlled by the regulations, but mandatory contracts require them to protect the privacy of individually identifiable information. Government agencies specifically named in the regulations are covered entities, as are agencies that function as a health plan or a health care provider.


Provisions

  • Electronic Data Interchange (EDI)
    • Transaction Standards
    • Code Sets
  • Privacy
  • Security
  • National Standard Identifiers
    • Provider
    • Employer
    • Health Plan


Electronic Data Interchange (EDI)

These regulations are identified as the Transaction Code Set Standards. The final rules for EDI and Code sets were implemented on October 16, 2003. Several of the transaction regulation standards are still under review and have not been published.

The purpose of these regulations is to standardize the electronic exchange of information (transactions) between trading partners. These transactions are mandated to be in the ANSI ASC X12 version 4010 format. The covered transactions include:

  • 270 = Eligibility Inquiry
  • 271 = Inquiry and Response
  • 276 = Claim Status Inquiry
  • 277 = Claim Status Inquiry and Response
  • 278 = Authorization Request and Authorization Response
  • 820 = Health Insurance Premium Payment
  • 834 = Beneficiary Enrollment
  • 835 = Remittance / Payment
  • 837 = Claim or Encounter

The HIPAA Code Set Regulations establish a uniform standard of data elements used to document the reasons why patients are seen and the procedures performed during health care encounters. The code sets specified by HIPAA are:

  • Diagnoses - ICD 9
  • Procedures - CPT 4, CDT
  • Supplies/Devices - HCPCS
  • Additional Clinical Data - Health Level Seven (HL7)

HIPAA also specified administrative code sets for use in conjunction with certain transactions, and it eliminated state-specific local codes.


Privacy

These regulations establish standards for protecting individually identifiable health information and for guaranteeing the rights of individuals to have more control over such information. HIPAA privacy regulations were implemented on April 14, 2003.

Privacy rules define the rights of individuals and security rules define the process and technology required to ensure privacy.


Security

These regulations establish standards for the security of electronic protected health information (e-PHI). HIPAA security regulations were implemented on April 21, 2005 for all but small health plans (which must comply by April 20, 2006).

The final regulations adopt standards for the security of electronic protected health information (e-PHI). These standards are organized into the following three high level categories:

  • Administrative safeguards include policies, procedures, and practices that guide security management and information access authorization/revocation, contingency planning and training. These rules are enforced through sanctions and are largely directed toward the covered entity's workforce.
  • Physical safeguards include protections that minimize physical access to information within buildings, floors, departments, offices, and desks. These safeguards include doors, locks, badge access, location of workstations (obscured from public view), and media controls (e.g. location of back-up tapes).
  • Technical safeguards include limiting electronic information access to particular users or user groups, including different levels of software access rights, and tracking access through audit controls.


National Provider Identifiers (NPI)

These regulations establish the standard unique health identifier for health care providers, to simplify administrative processes such as referrals and billing, to improve data accuracy, and to reduce costs. The Final Rule was published January 23, 2004.

Health Care providers began applying for NPIs on the effective date of the final rule, which was May 23, 2005. All health care providers are eligible to be assigned NPIs; health care providers who are covered entities must obtain and use NPIs.

All HIPAA covered entities must use NPIs by the compliance dates:

  • May 23, 2007 for all but small health plans.
  • May 23, 2008 for small health plans.


Penalties for Failure to Comply with HIPAA

The legislation carries heavy civil and criminal penalties for failure to comply. The US DHHS Office for Civil Rights will enforce civil penalties, which may range from $100 per violation to $25,000 per calendar year. The US Department of Justice will enforce criminal penalties, which may include up to 10 years imprisonment and a $250,000 fine.