More than twenty years ago, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
One of HIPAA’s five provisions—Administrative Simplification—mandated that the Department of Health and Human Services (HHS) adopt standards to streamline communications between health care providers and health plans.
Administrative simplification requirements govern how providers, health plans, and clearinghouses handle electronic and administrative transactions and set privacy and security standards for transmitting health information.
This is done by developing and enforcing regulations that adopt standards, operating rules, unique identifiers, and code sets that these types of individuals and organizations, known as HIPAA-covered entities, are required to use when conducting administrative health care transactions, such as eligibility and benefits inquiries, prior authorizations, and claims payment.
Vision
Administrative Simplification is the idea that the healthcare industry can reduce burdens and lower costs by standardizing business practices.
When electronic administrative tasks between players in the healthcare industry are conducted the same way across all covered entities, the sector can automate many of its billing and payment processes.
This reduces time spent on administrative tasks and saves healthcare dollars.
The standards simplify day-to-day tasks like:
- Billing
- Verifying a patient’s eligibility
- Sending and receiving payment
Healthcare providers can use the standards to:
- Streamline manual processes—save time and costs by reducing the volume of paperwork, phone calls, and faxes
- Receive payments more quickly with electronic funds transfer
- Obtain timely information about patients’ coverage and benefits
- Check the status of claims
HHS has adopted four types of standards to make electronic communications more efficient:
- Transactions for pharmacy and health care administrative information, including claims
- Operating rules to support the standard transactions
- Unique identifiers for health plans, providers, and employers
- Code sets for clinical diagnoses and procedures
These standards are sometimes called electronic data interchange or EDI standards.
You can use the ASETT (Administrative Simplification Enforcement Transaction and Testing) tool to:
- File a complaint about an organization’s noncompliance with standards (upon request, your identity will be kept confidential).
- Test a transaction and receive a report of any findings (you can test a transaction with or without filing a complaint).
Enforcement
CMS administers the Compliance Review Program on behalf of HHS to ensure that covered entities comply with the HIPAA Administrative Simplification rules for electronic healthcare transactions.
The Administrative Simplification Enforcement and Testing Tool (ASETT) is a free tool for filing a complaint against a HIPAA-covered entity for noncompliance with HIPAA Administrative Simplification requirements.
When filing a complaint, the complainant can remain anonymous to the entity the complaint is filed against. The system also allows users to test their own electronic healthcare transactions, and their trading partners’ transactions, for compliance with HIPAA standards.
If CMS identifies a covered entity as non-compliant with an Administrative Simplification requirement, CMS works to bring the covered entity into compliance through corrective action and technical assistance.
Subregulatory Guidance
Subregulatory Guidance helps HIPAA-covered entities, their partners, and the healthcare community comply with statutory and regulatory requirements for standards for electronic healthcare transactions and operating rules by providing Guidance Letters, Information Bulletins, and Frequently Asked Questions (FAQs) documents.
Administrative Simplification Regulations
The HIPAA Administrative Simplification Regulations are what most people consider to be HIPAA because they contain:
- The General Provisions and the Enforcement Rule (45 CFR Part 160).
- The Standards for Electronic Transactions and Data Elements (45 CFR Part 162).
- The Privacy, Security, and Breach Notification Rules (45 CFR Part 164).
However, the provisions, rules, and standards were not included in the text of HIPAA in 1996. They were published several years later.
The HIPAA Administrative Simplification Regulations were adopted:
To improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.
The primary objectives of the Health Insurance Portability and Accountability Act (HIPAA) were to reform the health insurance industry, ensure the continuation of health insurance between jobs, and make health insurance more accessible to American workers.
However, achieving these objectives would incur costs for health plans, which would be passed onto employers in the form of higher premiums and reduced federal tax receipts.
To offset the costs, Congress introduced measures to reduce insurance fraud and instructed the Secretary for Health and Human Services (HHS) to make healthcare transactions more efficient by adopting standards for electronic transactions and the security of health information exchanged in transactions. The Secretary was also instructed to make recommendations for health information privacy.
How the Administrative Simplification Regulations Evolved
Several significant updates have been made to the HIPAA Administrative Simplification Regulations.
The Enforcement Rule of 2005 details the procedures for investigating and resolving alleged HIPAA violations and sets the original penalty structure.
The HITECH Act of 2009 added a new four-tier penalty structure, and the Breach Notification Rule was finalized in the HIPAA Omnibus Rule of 2013.
The HIPAA Omnibus Rule also changed the Privacy Rule. It expanded patients’ rights, strengthened limitations on the uses and disclosures of PHI, and made business associates liable for HIPAA violations.
Subsequent changes to the Privacy Rule have been made to accommodate amendments to the Clinical Laboratories Improvement Act (2014) and disclosures to the National Instant Criminal Background Check System (2016).
Multiple changes have been made to the standards for electronic transactions since 2016 as new medications, services, and supplies have come to market. In addition, since 2016, the penalties for violations have increased annually to account for inflation.
Further updates are planned in 2024 to more closely align the Privacy Rule with the confidentiality requirements for SUD patient records (Part 2) and better protect reproductive health information.
Other proposed updates include amending the Security Rule to accommodate HHS’ Healthcare Sector Cybersecurity Strategy and changing the Enforcement Rule to facilitate “settlement sharing” with victims of data breaches.
The Standards for Electronic Transactions and Data Elements
The following summarizes the mandates and prohibitions regarding administrative transactions, code sets, unique identifiers, and operating rules for HIPAA-covered entities as outlined in 45 CFR Subchapter C Part 162.
General Provisions for all Covered Entities
45 CFR §162.923(a) – General Rule
When a covered entity conducts a transaction with another covered entity (or within the same covered entity) using electronic media, the covered entity must conduct the transaction as a “standard transaction.”
Conducting a transaction as a “standard transaction” includes compliance with the standard and affiliated operating rules, code sets, and unique identifiers for the particular transaction.
HHS has adopted standards for the following transactions:
- Health Care Claims or Equivalent Encounter Information (45 CFR §162.1101-1102).
- Eligibility for a Health Plan (45 CFR §162.1201-1203).
- Referral Certification and Authorization (45 CFR §162.1301-1302).
- Health Care Claim Status (45 CFR §162.1401-1403).
- Enrollment or Disenrollment in a Health Plan (45 CFR §162.1501-1502).
- Health Care Electronic Funds Transfer and Remittance Advice (45 CFR §162.1601-1603).
- Health Plan Premium Payments, Coordination of Benefits (45 CFR §162.1701-1702).
- Medicaid Pharmacy Subrogation Transactions (45 CFR §162.1901-1902).
45 CFR §162.923(c) – Use of a Business Associate
When a covered entity uses a business associate, as defined in 45 CFR §160.103, to conduct all or a portion of a transaction, it must require its business associate, and any of the business associate’s agents or subcontractors, to comply with all applicable requirements.
Engaging a business associate does not relieve a covered entity from its responsibility to comply with all applicable requirements. When providing services related to a transaction for which a standard has been adopted, a business associate acts on behalf of a covered entity, and the business associate’s actions or inactions are attributed to the covered entity.
45 CFR §162.915 – Trading Partner Agreements
A covered entity can’t enter into a trading partner agreement that would:
- (a) change the definition, data condition, or use of a data element or segment in an adopted standard or operating rule;
- (b) add any data elements or segments to the maximum defined data set;
- (c) use any code or data elements marked “not used,” or that are not in a standard; or
- (d) change the meaning or intent of a standard.
Covered entities may not agree to conduct transactions with each other that violate the adopted standards.
The requirement to conduct transactions as standard, as described in 45 CFR §162.923(a), overrides any agreements to conduct transactions otherwise.
A trading partner agreement, as defined in 45 CFR §160.103, means an agreement related to exchanging information in electronic transactions, whether distinct or part of a more extensive agreement.
For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.
General Provisions for Health Care Providers
45 CFR §162.923(b) – Exception for Direct Data Entry (DDE) Transactions
If a healthcare provider chooses to use a DDE platform, such as a provider portal, offered by a health plan to conduct a transaction for which a standard has been adopted, the provider must use the standard’s applicable data content and data condition requirements, but it is not required to follow the standard’s format requirements.
General Provisions for Health Plans
A health plan must conduct a transaction using an adopted standard if requested to do so. This means that if a health plan conducts a transaction for which a standard has been adopted using a paper-based or manual method, a DDE portal, or an electronic funds transfer outside of the ACH network, it must conduct that transaction using the adopted standard when requested.
The regulations do not provide any exceptions to this requirement. This means that a health plan must comply with a provider’s request to conduct a transaction as a standard transaction regardless of the provider’s affiliation, or lack thereof, with the plan.
A health plan can’t delay or reject a standard transaction, or try to adversely affect the other entity or the transaction, because it is standard. This prohibition extends to incentives that discourage (i.e., adversely affect) standard transactions.
A health plan can’t reject a standard transaction just because it doesn’t use or need some or all of the data elements, such as coordination of benefits data elements.
A health plan can’t incentivize a health care provider to conduct a transaction using a DDE exception provided for in 45 CFR §162.923(b).
A health plan that operates as a health care clearinghouse, or requires an entity to use a health care clearinghouse to complete standard transactions with the plan, may not charge fees or costs in excess of the fees or expenses for typical telecommunications that the entity would incur when it directly transmits a standard transaction to, or receives one from, the health plan.
45 CFR §162.925(b) – Coordination of Benefits
When a health plan receives a standard transaction and coordinates benefits with another health plan (or another payer), it must store the coordination of benefits data. Even if the initial receiving health plan does not itself need the coordination of benefits information, it is required to process the transaction and store the unneeded information for transmission to the subsequent health plan or payer.
45 CFR §162.925(c) – Code Sets
A health plan must accept and process any standard transaction that contains valid codes and keep code sets for the current billing and appeals periods open to processing under the terms of its coverage.
Standard Unique Health Identifier for Health Care Providers
A covered health care provider must get a National Provider Identifier (NPI) from the National Provider System (NPS), now known as the National Plan and Provider Enumeration System (NPPES), for itself and for any subpart of the covered entity that would be a covered health care provider if it were a separate legal entity.
A covered healthcare provider is one that transmits health information electronically in connection with a transaction for which a standard has been adopted.
A covered healthcare provider must use an NPI on all standard transactions that require its healthcare provider identifier.
A covered healthcare provider must give its NPI, when requested, to any entity that needs the NPI to identify the healthcare provider in a standard transaction.
A covered healthcare provider must communicate any changes in its required data elements to the NPS within 30 days of the change. Required data elements are specified in the National Provider System (NPS) or National Plan and Provider Enumeration System (NPPES).
A covered healthcare provider must require its business associates to use the provider’s NPI and other NPIs as required by adopted transaction standards.
A covered healthcare provider must comply with all NPI-related requirements for all subparts assigned an NPI.
An organization covered health care provider, such as a corporation, partnership, or another type of business separate from an individual, must require all individual prescribers it works with to get an NPI and to share the NPI (upon request) with any entity that needs the NPI for use in a standard transaction.
A health plan must use an NPI to identify any health care provider (or subpart(s)) with an NPI in all standard transactions requiring the provider’s identifier.
A health plan can’t require a healthcare provider to get an additional NPI if it already has an NPI. This includes a prohibition on requiring a second NPI to be used exclusively for one health plan or to be used on transactions for a unique program within the health plan.
A clearinghouse must use an NPI to identify any healthcare provider (or subpart(s)) with an NPI in all standard transactions requiring the provider’s identifier.
Standards for Unique Employer Identifier
A covered entity must use the appropriate employer’s standard unique employer identifier (EIN) in standard transactions that require an employer identifier.
Code Sets
When using a standard transaction, a covered entity must use the medical data code sets described in 45 CFR §162.1002 that are valid when care is provided.
There are currently four medical data code sets permitted by HIPAA, one of which is ICD-10, with over 68,000 codes representing different diagnoses and treatments. Once you multiply these by the number of HCPCS codes (for medical services and medical supplies) and numerous National Drug Codes, there are millions of codes authorized by HIPAA.
A covered entity must use valid nonmedical data code sets when initiating the transaction. Nonmedical data code sets capture organizational routing information, claim payment adjustment information, claim status information, and ZIP code information.
Additional Resources
HIPAA Administrative Simplification Resources and FAQs
Administrative Simplification Email Updates
@CMSgov on X (Twitter)
Administrative Simplification YouTube Playlist