HIPAA Series – Sweet 16 and Coming of Age
Part I: History and Overview of HIPAA Legislation

Introduced in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is widely used for safeguarding the privacy of health information.  In this first installment of a three part series, the history and background of HIPAA are discussed, as excerpted from the book authored by HCC CEO Bob Cimasi, entitled, Healthcare Valuation: The Financial Appraisal of Enterprises, Assets, and Services, to be published by John Wiley & Sons later this year, and the recent amendment are introduced. Part II of the series, due next month, will address the implications of recent changes to HIPAA that have resulted from the transition of patient information to an electronic format and the continued integration of providers, while, Part III assesses various compliance concerns and related privacy laws.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996, and encourages the development of health information systems, as well as regulating access to, and safeguarding the privacy of, individually identifiable health information.1 The final standards for HIPAA, created by the Department of Health and Human Services (HHS) were published on August 17, 2000.2   While HIPAA serves many purposes, it is most widely used for safeguarding the privacy of Protected Health Information (PHI), i.e., individually identifiable health information.3  This protection extends to information related to the “…past, present or future physical or mental health condition of an individual; the provision of healthcare services to an individual; or the past, present or future payment for the provision of healthcare to an individual.4 The HIPAA Privacy Rule provides standards for the use and disclosure of PHI by covered entities, as well as rights for individuals to control how their PHI is used.5 Covered entities include such companies as, “…health plans, healthcare clearinghouses, and any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted [HIPAA] standards.”6 

Transactions by healthcare providers falling under the Privacy Rule include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established particular standards.7 These transactions are covered regardless of whether they are performed by the healthcare provider, a billing service, or any other third party under contract with the provider.8    When a covered entity contracts with a third party entity to perform billing or other business associate activities, such as claims processing, data analysis, or utilization review, the covered entity must impose specific safeguards to protect PHI.9 Unintentional HIPAA violations carry fines of $100 per occurrence, up to $25,000 per year. However, intentional HIPAA violations carry criminal penalties that include fines of up to $250,000 and ten years in prison.10 Significantly, however, HIPAA does not provide for private rights of action for patients who were harmed by the dissemination of their PHI; but rather it provides patients with the option of filing a complaint with the HHS Office for Civil Rights (OCR) in the event of a violation that resulted in harm to the patient.11 The proper destruction of PHI is also protected under HIPAA.12

As the healthcare industry transitions to electronic transactions, the current version of the HIPAA standards that regulate the transmission of specific health care information, known as the Accredited Standards Committee X12 Version 4010/4010AI, have become increasingly less functional for the coding and transactional updates providers are currently required to accommodate (i.e., the coming ICD-10 transition). To rectify any inefficiency, HHS approved ASC X12 Version 5010,13  which improvements in Version 5010 include technical, structural, and data content requirements; transactional business standardization; data transmission specifications, and, delineation of various patient codes.14 The transition to HIPAA Version 5010 will likely affect many healthcare industry stakeholders, including providers, health plans, healthcare clearinghouses, and business associates that participate in electronic transactions, such as billing/service agents and vendors.15  According to a 2011 Medical Group Management Association report, 45 percent of practices would have to replace their practice management systems completely to manage Version 5010, and 50.3 percent of practices would need to install upgrades to accommodate Version 5010.16  See HC Topics article HIPAA Version 5010: What and When.

One of the most significant amendments to HIPAA was passed under the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law February 17, 2009. The ARRA amended HIPAA’s health information privacy and security provisions, and created funding incentives for the widespread implementation of healthcare information technology, specifically electronic health records (EHR), through the Health Information Technology for Economic Clinical Health (HITECH) Act, a portion of the ARRA.17 For more information of HITECH see HC Topics Article Obama Signs HITECH Act for Healthcare IT.

The latest amendment to the HIPAA legislation was published on January 25, 2013 in a Final Rule from HHS and OCR, which may significantly affect business associates and their subcontractors. The Final Rule changes: (1) the definition of business associate under HIPAA; (2) the liability of business associates and subcontractors under HIPAA; and, (3) the level at which agreements between business associates and covered entities are scrutinized under HIPAA. Each of these changes and their potential impact on covered entities and their business associates will be discussed in Part II of the HC Topics HIPAA Series.

1
“Health Insurance Portability and Accountability Act of 1996” Pub. L. No. 104-191 (August 21, 1996).

2
“Health Insurance Reform: Announcement of Designated Standard Maintenance Organizations: Notice” Federal Register, Vol. 65, No. 160, August 17, 2000, p. 50373.

3
“Definitions,” 45 C.F.R. 160.103, (May 31, 2002), p. 701 ; “Health Insurance Portability and Accountability Act of 1996,” Pub. L. No. 104-191 (Aug. 21, 1996).

4
Ibid.

5
“Summary of the HIPAA Privacy Rule,” OCR Privacy Brief, United States Department of Health and Human Services, May 2003, p. 4, 9, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf(Accessed 6/17/09).

6
Ibid, p. 2.

7
Ibid.

8
Ibid.

9
“Uses and disclosures of protected health information: general rules” 45 C.F.R. § 164.502(e), October 1, 2003, p. 3; “Summary of the HIPAA Privacy Rule,” OCR Privacy Brief, United States Department of Health and Human Services, May 2003, p. 3, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf (Accessed 6/17/09).

10
“Health Insurance Portability and Accountability Act, Sec. 262” Pub. Law 109-191 (August 21, 1996); “General penalty for failure to comply with requirements and standards” 42 U.S.C. § 1320d-5 (2010); “”42 U.S.C. § 1320d-7 (2010).

11
“Health Information Privacy: How to File a Compaint” Office for Civil Rights, U.S. Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html (Accessed 9/26/12).

12
“Uses and disclosures of protected health information: general rules” 45 C.F.R. § 164.502(e), October 1, 2003, p. 3; “Summary of the HIPAA Privacy Rule” OCR Privacy Brief, United States Department of Health and Human Services, May 2003, p. 3, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf (Accessed 6/17/09).

13
“New Health Care Electronic Transactions Standards: Versions 5010, D.0, and 3.0” Centers for Medicare & Medicaid Services, January 2010, http://www.cms.gov/ICD10/Downloads/w5010 BasicsFctSht.pdf (Accessed 11/29/11).

14
“Is Your Practice Ready for Version 5010” MGMA Connexion Supplement, October 2011, p. 9.

15
Centers for Medicare & Medicaid Services, January 2010.

16
“Statement of the Medical Group Management Association to the National Committee on Vital and Health Statistics Subcommittee on Standards: RE: HIPAA Version 5010 ” Medical Group Management Association, June 17, 2011, Englewood, CO: Medical Group Management Association, p. 5.

17
“American Recovery and Reinvestment Act of 2009,” Pub. L. No. 111-5 (Feb. 17, 2009).

© Health Capital Consultants
Todd A. Zigrang

Todd A. Zigrang, MBA, MHA, CVA, ASA, FACHE, ABV, is the President of Health Capital Consultants (HCC), where he focuses on the areas of valuation and financial analysis for hospitals, physician practices, and other healthcare enterprises. Mr. Zigrang has over 28 years of experience providing valuation, financial, transaction and strategic advisory services nationwide in over 2,000 transactions and joint ventures. Mr. Zigrang is also considered an expert in the field of healthcare compensation for physicians, executives and other professionals.

Mr. Zigrang is the co-author of "The Adviser’s Guide to Healthcare – 2nd Edition" [2015 – AICPA], numerous chapters in legal treatises and anthologies, and peer-reviewed and industry articles such as: The Accountant’s Business Manual (AICPA); Valuing Professional Practices and Licenses (Aspen Publishers); Valuation Strategies; Business Appraisal Practice; and, NACVA QuickRead. In addition to his contributions as an author, Mr. Zigrang has served as faculty before professional and trade associations such as the American Society of Appraisers (ASA); the National Association of Certified Valuators and Analysts (NACVA); Physician Hospitals of America (PHA); the Institute of Business Appraisers (IBA); the Healthcare Financial Management Association (HFMA); and, the CPA Leadership Institute.

Mr. Zigrang holds a Master of Science in Health Administration (MHA) and a Master of Business Administration (MBA) from the University of Missouri at Columbia. He is a Fellow of the American College of Healthcare Executives (FACHE) and holds the Certified Valuation Analyst (CVA) designation from NACVA. Mr. Zigrang also holds the Accredited Senior Appraiser (ASA) designation from the American Society of Appraisers, where he has served as President of the St. Louis Chapter. He is also a member of the America Association of Provider Compensation Professionals (AAPCP), AHLA, AICPA, NACVA, NSCHBC, and, the Society of OMS Administrators (SOMSA).

Jessica L. Bailey-Wheaton

Jessica L. Bailey-Wheaton, Esq., is Senior Vice President and General Counsel of HCC. Her work focuses on the areas of Certificate of Need (CON) preparation and consulting, as well as project management and consulting services related to the impact of both federal and state regulations on healthcare transactions. In that role, Ms. Bailey-Wheaton provides research services necessary to support certified opinions of value related to the Fair Market Value and Commercial Reasonableness of transactions related to healthcare enterprises, assets, and services.

She serves on the editorial board of NACVA’s The Value Examiner and is the current Co-Chair of the American Bar Association (ABA) Health Law Section’s Membership Committee and the Young Lawyer Division (YLD) Liaison to the ABA Health Law Section Governing Council. She has previously presented before the ABA, American Health Law Association (AHLA). NACVA, the National Society of Certified Healthcare Business Consultants (NSCHBC), and the American College of Surgeons.

Ms. Bailey-Wheaton is a member of the Missouri and Illinois Bars and holds a J.D., with a concentration in Health Law, from Saint Louis University School of Law.

Janvi R. Shah

Janvi R. Shah, MBA, MSF, CVA, serves as Senior Financial Analyst of HCC. Mrs. Shah holds a M.S. in Finance from Washington University Saint Louis and the CVA designation from NACVA. She develops fair market value and commercial reasonableness opinions related to healthcare enterprises, assets, and services. In addition she prepares, reviews and analyzes forecasted and pro forma financial statements to determine the most probable future net economic benefit related to healthcare enterprises, assets, and services and applies utilization demand and reimbursement trends to project professional medical revenue streams and ancillary services and technical component (ASTC) revenue streams.

Click Here for More Information on
HCC's Leadership and Capabilities
© Health Capital Consultants
Healthcare Valuation Banner Advisor's Guide to Healthcare Banner Accountable Care Organizations Banner