Health Insurance Portability & Accountability Act (HIPAA)

Optum 360 HIPAA Tool Kit

Create a new compliance program or conduct a compliance assessment with Optum 360 HIPAA Tool Kit. It includes customizable policies and procedures for HIPAA privacy, security, and transactions requirements.

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.

HIPAA and Your Practice

The Health Insurance Portability and Accountability Act (HIPAA) requires that electronic transactions be transmitted using standard formats.

HIPAA 2013: Updated Privacy and Security Rules

Regulations enforcing the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect on March 26, 2013, expanding the scope of the privacy and security provisions of HIPAA. Practices were required to comply with new regulations by September 23, 2013.

Changes Notable to Physician Practices

Breach Notification Requirements

Obligations to notify patients of a breach of their protected health information (PHI) have been expanded and clarified under the new rule. Under the previous rule, a breach was not presumed reportable; whether it had to be reported depended on whether there was a likelihood of “harm to the individual.”

Under the new rule, a breach is presumed reportable unless the covered entity can demonstrate, based on a four-factor risk analysis, a low probability that the PHI was compromised. The new rule does not change the actual reporting and timeframe requirements.

Notice of Privacy Practices (NPPs)

Practices must amend their NPPs to reflect the changes to the privacy and security rules, including those related to breach notification, disclosures to health plans, and marketing and sale of PHI. In addition, if a practice participates in fundraising, the NPP must also be amended to inform patients of their right to opt out of those communications.

The new rules eliminate the requirement to include communications concerning appointment reminders, treatment alternatives, or health-related benefits or services in NPPs. However, the rules do not require that this information be removed either.

Amended NPPs will need to be posted in the office. Copies should be provided to all new patients and do not need to be redistributed to existing patients. Copies should be made available to anyone on request. Practices that maintain a website should post the updated NPP on their website, which is a requirement of the existing HIPAA Privacy Rule.

Business Associate Agreements

The new rules expand the list of individuals and companies who are considered business associates to include:

  • Patient Safety Organizations and others involved in patient safety activities
  • Health information organizations, including health information exchanges and e-prescribing gateways, personal health record vendors, and any other individual or company involved in the transmittal and maintenance of PHI
HIPAA Transaction Standards

As of January 1, 2012, the 4010/4010A1 transaction standards are no longer accepted. All entities transmitting and receiving electronic health care transactions must now use version 5010 of the standards.

This requires upgrading or replacing software used to conduct electronic transactions, such as claims submissions, eligibility inquiries, and receipt of electronic claims acknowledgments and reports. The transition is also a necessary step to prepare for the October 1, 2015 change from reporting ICD-9 to ICD-10 diagnosis codes.

Changes Notable to Physician Practices

Some changes that physician practices should take note of are:

  • You may continue to use a P.O. Box address in the "pay to" information on your claims, but a physical address is required in the billing provider information (the 2010AA loop).
  • You must include 9-digit zip codes with billing and service facility locations.
  • Version 5010 includes a pay-to plan loop (2010AC) that allows you to add information about a payer that has paid a claim under subrogation rules.
  • Up to 12 diagnosis codes may be submitted on a claim.
  • A paperwork section of the claim notifies Medicare that you are sending additional documentation to support the claim and carries an ID number of your choosing that links the claim to the documentation. Your Medicare Administrative Contractor (MAC) provides a cover sheet for faxing or mailing the documentation. The ID number you assigned in the claim should be included on the cover sheet so that the documentation can be matched to the claim.
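The 5010 requirements listed above (physical address in the 2010AA billing provider loop, 9-digit ZIP codes for billing and service facility locations, at most 12 diagnosis codes) can be checked before a claim is sent. The pre-submission lint below is an added example, not AAFP's or any vendor's code; the claim is a constructed, simplified dictionary rather than real X12 837 segment syntax, and the field names are assumptions.

```python
import re

# Constructed, simplified claim representation (not X12 837 syntax); field names are assumptions.
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)
MAX_DIAGNOSIS_CODES = 12  # 5010 allows up to 12 diagnosis codes per claim


def zip9(value):
    """Return True if the ZIP is a full 9-digit ZIP code (hyphen optional)."""
    return re.fullmatch(r"\d{5}-?\d{4}", value or "") is not None


def lint_claim(claim):
    """Return a list of findings; an empty list means the checked 5010 rules pass."""
    findings = []
    billing = claim.get("billing_provider_2010AA", {})
    facility = claim.get("service_facility", {})
    # The 2010AA billing provider loop needs a physical address; the pay-to loop may keep a P.O. Box.
    if PO_BOX.search(billing.get("address", "")):
        findings.append("2010AA billing provider address is a P.O. Box; physical address required")
    # Billing and service facility locations must carry 9-digit ZIP codes.
    for label, loc in (("billing provider", billing), ("service facility", facility)):
        if loc and not zip9(loc.get("zip")):
            findings.append(f"{label} ZIP {loc.get('zip')!r} is not a 9-digit ZIP code")
    # No more than 12 diagnosis codes on one claim.
    n = len(claim.get("diagnosis_codes", []))
    if n > MAX_DIAGNOSIS_CODES:
        findings.append(f"{n} diagnosis codes exceed the limit of {MAX_DIAGNOSIS_CODES}")
    return findings


# Constructed sample: P.O. Box in the wrong loop and a 5-digit service facility ZIP.
SAMPLE_CLAIM = {
    "billing_provider_2010AA": {"address": "P.O. Box 4411", "zip": "554400001"},
    "pay_to": {"address": "PO Box 4411", "zip": "554400001"},  # P.O. Box is allowed here
    "service_facility": {"address": "120 Clinic Way", "zip": "55440"},
    "diagnosis_codes": ["E11.9", "I10"],
}

if __name__ == "__main__":
    for finding in lint_claim(SAMPLE_CLAIM):
        print(finding)
```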