What is the Administrative Simplification Section of HIPAA?

The Administrative Simplification section of HIPAA contains the regulations, standards, and implementation specifications that resulted from Congress' instruction to the Secretary of Health and Human Services to standardize transaction codes, develop security standards for electronic transactions, and make recommendations for the privacy of health information. The Section also includes the Breach Notification Rule that resulted from the passage of HITECH.

When Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, the primary purpose of HIPAA was to reform the health insurance industry. To counter the cost of the reforms, Congress added a second Title to the Act that included measures to reduce insurance fraud and abuse in the healthcare industry and to make the administration of healthcare transactions between healthcare providers and health insurance companies more efficient.

The measures to make the administration of healthcare transactions more efficient consisted of three instructions to the Secretary of Health and Human Services (HHS):

  • Standardize transaction codes used by healthcare providers and health insurance companies,
  • Develop security standards for health information exchanged during electronic transactions, and
  • Make recommendations for the privacy of health information transmitted or maintained by covered entities.

The Administrative Simplification Section of HIPAA Starts to Take Shape

At the time HIPAA was passed, there were hundreds of proprietary and local formats used to process healthcare transactions. As a result, it took four years for HHS to publish the first nationwide standards for transaction codes. Further transaction codes have since been added to accommodate new technologies, new medical processes, and revised operating rules. This Administrative Simplification section of HIPAA can be found in 45 CFR Part 162.

With regard to the security standards, the first set of proposed standards was published in 1998. However, due to the challenges of developing specific standards that could be applied by covered entities of varying size, resources, and risk appetite, the Final Security Rule (45 CFR Part 164 Subpart C) was not published until 2003. Although effective from April 2003, covered entities were given a further two years to comply with the standards and implementation specifications.

The privacy recommendations were delivered to Congress in 1997. Congress had given itself three years to pass Federal privacy legislation; but, when the deadline passed, the recommendations were published as a Proposed Rule in 1999 and finalized in 2000, before being modified and republished in 2002 (see 45 CFR Part 164 Subpart E). Since 2002, minor changes have been made to the Privacy Rule to accommodate regulations within other Acts passed by Congress.

The most recent Subpart to be added to the Administrative Simplification Section of HIPAA is the Breach Notification Rule. The Breach Notification Rule was one of a number of changes to HIPAA prompted by the passage of the HITECH Act in 2009. This Rule (45 CFR Part 164 Subpart D) not only applies to HIPAA covered entities and business associates, but also to vendors of personal health devices that create, collect, maintain, or transmit Protected Health Information.

State Laws Can Supersede Part 164 Rules

The Part of the Administrative Simplification Section of HIPAA not yet discussed is Part 160 – the General Administrative Requirements. This Part covers the General Provisions, the Preemption of State Law, the Principles for Achieving HIPAA Compliance, the Imposition of Civil Monetary Penalties, and the Procedures for Hearings. Of the five Subparts, the most important for covered entities and business associates to understand is the Preemption of State Law.

Prior to the passage of HIPAA and the publication of the Privacy Rule, the controls on uses and disclosures of health information were described as “a morass of erratic law”. The Privacy Act of 1974 covered health information maintained by Federal agencies, the Substance Use Disorder Rules applied to Medicare providers, and each state had different standards for uses and disclosures of health information. In many cases, the standards were also enforced differently.

The Preemption of State Law Subpart stipulates that the Administrative Simplification Section of HIPAA preempts state laws relating to uses and disclosures of health information unless a state law has more stringent requirements than HIPAA. This exemption can apply to any requirement, standard, or implementation specification of the Part 164 Rules including those relating to patients' rights, workforce training, and the time allowed to notify individuals of data breaches.

The exemptions to HIPAA are the reason it is important for covered entities and business associates to understand the Preemption of State Law Subpart. Healthcare providers that comply with HIPAA, but who fail to take state disclosure exemptions into account – or advise individuals of the exemptions in their Notices of Privacy Practices – could incur penalties for breaches of state laws or receive unjustified complaints from patients unaware of the exemptions.

Future Changes to the Administrative Simplification Part 164 Rules

Other than a few minor changes to accommodate the Clinical Laboratory Improvement Amendments (2014) and the National Instant Criminal Background Check System (2016), there have been no changes to the Privacy, Security, and Breach Notification Rules since the HIPAA Omnibus Final Rule in 2013. However, there are multiple proposals being considered that could significantly change both the Privacy and the Security Rules – and how they are complied with.

Possibly the most significant proposed Privacy Rule change relates to reproductive health data. To address the risks of unauthorized disclosures when a patient travels across state borders to have a legal termination, HHS is considering a new category of “attested” uses and disclosures. Data protected by attested disclosures will not be able to be further disclosed for certain uses, and violations of this Rule change would result in a felony penalty for a wrongful disclosure.

With regard to Security Rule changes, in December 2023, HHS published its Healthcare Sector Cybersecurity Strategy. The strategy not only proposes to increase the number of standards and implementation specifications in the Security Rule, but also to make meeting Cybersecurity Performance Goals a condition of participation in Medicare. Quite what the new standards will be or how HHS proposes to enforce compliance with the standards has not been revealed.

The takeaway from this is that, not only do healthcare providers have to implement policies and procedures to comply with the Administrative Simplification Section of HIPAA and any state exemptions, but they also need to be prepared to amend the policies and procedures. Healthcare providers with concerns that they may need help complying with the Administrative Simplification Section of HIPAA are advised to seek professional compliance advice.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/