Book:HIPAA Compliance: An Introduction/Administration

From LIMSWiki

Previous sections have dealt with explaining what HIPAA is, who it applies to, what data are protected and how the PHI of individuals must be handled, according to HIPAA generally and the Privacy Rule specifically. However, implications for administration of HIPAA and how it applies to and affects healthcare organizations and administrative departments are also important to understand.

Administrative requirements and recommendations

Administratively, there are a few things to keep in mind when seeking to comply with HIPAA, according to the HHS. They are detailed in subsections below.

Privacy policies and procedures

A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.[1] (This was discussed in detail in the prior section, under "Patient notification and rights.")

Privacy personnel

Covered entities must designate a privacy official, who is responsible for developing and implementing its written privacy policies and procedures. It must also provide a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices. Nothing prevents these from being the same person or office.[1]

Workforce training and management

Workforce requirements should address privacy and breach procedures. Workforce members include employees, volunteers and trainees, and may also include other persons whose conduct is under the direct control of the covered entity (whether or not they are paid by the covered entity). Covered entities must train all workforce members on privacy policies and procedures, but only as necessary and appropriate for them to carry out their functions. In addition, the covered entity must have and apply appropriate sanctions against workforce members who violate privacy policies and procedures or the HIPAA Privacy Rule. The information to do this is contained in this course and at the HHS website, as well as in the HIPAA law itself.[1]

Mitigation

Sometimes HIPAA regulations and/or covered entity privacy policies are broken, either accidentally or intentionally. In such cases, a covered entity must mitigate (to the extent practicable) any harmful effect it learns was caused by that use or disclosure of PHI by its workforce or its business associates.[1]

Data safeguards

Per the HIPAA Security Rule, a covered entity must maintain reasonable and appropriate administrative, technical and physical safeguards to prevent either intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule, and to minimize its incidental use and disclosure in the process of providing otherwise allowed or required use or disclosure. For example, such safeguards could include shredding documents containing PHI before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.[1] More suggestions are available at the HHS website.[2]

Complaints

To comply with HIPAA, a covered entity must have procedures for individuals to complain about problems with its compliance with privacy policies and procedures and the Privacy Rule. As stated above, the covered entity must provide those procedures in its privacy practices notice. In the notice, among other things, the covered entity must let individuals know where they can submit complaints, and let them know that complaints can also be submitted to the Secretary of HHS.[1]

Retaliation and waiver

Under HIPAA, a covered entity may not retaliate against a person for[1]:

  • exercising rights provided by the Privacy Rule
  • assisting in an investigation by HHS or another appropriate authority
  • opposing an act or practice that the person believes in good faith violates the Privacy Rule

A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.

Documentation and record retention

A HIPAA covered entity must maintain all actions, activities and designations that the Privacy Rule requires to be documented until six years after the later of the date of their creation or last effective date. This includes covered entity privacy policies and procedures, privacy practices notices and disposition of any complaints, along with any other required documentation as outlined in this course, at HHS, or in the HIPAA law available from the U.S. Government Publishing Office.[1][3]

Fully-insured group health plan exception

The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the[1]:

  1. ban on retaliatory acts and waiver of individual rights, and
  2. documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of PHI to the plan sponsor by a health insurance issuer or HMO that services the group health plan.

Organizational options

Despite the guidance on who is actually required to comply, there are subtle variations on the way entities are organized or departmentalized that require clarification on how HIPAA privacy and security rules apply.

Hybrid entity

The Privacy Rule permits a covered entity that is a single legal entity and that conducts both covered and non-covered functions to elect to be a "hybrid entity." (The activities that make a person or organization a covered entity are its "covered functions.") To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more "health care components." After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. A covered entity that does not make this designation is subject in its entirety to the Privacy Rule.[1]

Affiliated covered entity

Legally separate covered entities that are affiliated by common ownership or control may designate themselves (including their health care components) as a single covered entity for Privacy Rule compliance. The designation must be in writing. An affiliated covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions.[1]

Organized healthcare arrangement

The Privacy Rule identifies relationships in which participating covered entities share PHI to manage and benefit their common enterprise as "organized health care arrangements." Covered entities in an organized health care arrangement can share PHI with each other for the arrangement’s joint health care operations.[1]

Covered entities with multiple covered functions

A covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions. The covered entity may not use or disclose the PHI of an individual who receives services from one covered function (e.g., healthcare provider) for another covered function (e.g., health plan) if the individual is not involved with the other function.[1]

Group health plan disclosures to plan sponsors

A group health plan and the health insurer or HMO offered by the plan may disclose the following PHI to the "plan sponsor" (i.e., the employer, union or other employee organization that sponsors and maintains the group health plan)[1]:

  • enrollment or disenrollment information with respect to the group health plan or a health insurer or HMO offered by the plan
  • if requested by the plan sponsor, summary health information for the plan sponsor to use to obtain premium bids for providing health insurance coverage through the group health plan, or to modify, amend or terminate the group health plan. "Summary health information" is information that summarizes claims history, claims expenses or types of claims experience of the individuals for whom the plan sponsor has provided health benefits through the group health plan, and that is stripped of all individual identifiers other than five-digit zip code (though it need not qualify as de-identified PHI).
  • PHI of the group health plan’s enrollees for the plan sponsor to perform plan administration functions. The plan must receive certification from the plan sponsor that the group health plan document has been amended to impose restrictions on the plan sponsor’s use and disclosure of the PHI. These restrictions must include the representation that the plan sponsor will not use or disclose the PHI for any employment-related action or decision or in connection with any other benefit plan.

Other administrative simplification rules

In addition to the HIPAA Privacy, Security, and Enforcement Rules, the HIPAA Administrative Simplification Rule is relevant.

Transactions and code sets standards

These standards follow from the Security Rule, which is covered in the next section.

"Transactions" are activities involving the transfer of healthcare information for specific purposes. Under HIPAA, if a health plan or healthcare provider engages in one of the identified transactions, they must comply with the standard for it, which includes using a standard code set to identify diagnoses and procedures. The Standards for Electronic Transactions and Code Sets, published August 17, 2000 and since modified, adopted standards for several transactions, including[4]:

  • claims and encounter information
  • payment and remittance advice
  • claims status

Any healthcare provider that conducts a standard transaction also must comply with the Privacy Rule.

If a covered entity conducts one of the adopted transactions electronically, it must use the adopted standard, from either the Accredited Standards Committee X12, Insurance Subcommittee (ASC X12N) or the National Council for Prescription Drug Programs (NCPDP). Covered entities must adhere to the content and format requirements of each transaction. Under HIPAA, HHS also adopted specific code sets for diagnoses and procedures to be used in all transactions. The adopted code sets for procedures, diagnoses and drugs, with which providers and health plans are familiar, include[4]:

  • HCPCS (Ancillary Services/Procedures)
  • CPT-4 (Physicians Procedures)
  • ICD-9 (Diagnosis and Hospital Inpatient Procedures)
  • ICD-10 (As of October 1, 2015)
  • CDT (Dental Terminology)
  • NDC (National Drug Codes)

HHS also adopted standards for unique identifiers for employers and providers, which must also be used in all transactions.

Identifier standards for employers and providers

HIPAA requires that employers have standard national numbers that identify them on standard transactions. The employer identification number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers and was adopted effective July 30, 2002.

Healthcare providers must also have standard national numbers that identify them on standard transactions. The National Provider Identifier (NPI) is a unique identification number for covered healthcare providers. Covered healthcare providers and all health plans and health care clearinghouses use the NPIs in the administrative transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (10-digit number). This means that the numbers do not carry other information about healthcare providers, such as the state in which they live or their medical specialty.[5]
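As an added example (not part of the original page or of any HHS material), the following validator checks NPIs found in transaction data against the format described above. It goes one step beyond the page: besides the ten-digit, all-numeric format, it verifies the Luhn check digit that the CMS NPI specification defines for the tenth digit (computed over the first nine digits with the prefix 80840 prepended), which the page does not mention. The record layout and sample NPIs are constructed for this example.

```python
# Added example, not code from the original page. Validates NPIs in a
# constructed record layout. The check-digit rule (Luhn over "80840" +
# first nine digits) follows the CMS NPI check-digit specification.

def npi_check_digit(first_nine: str) -> int:
    """Return the Luhn check digit for the first nine digits of an NPI.

    The CMS specification prepends the card-issuer prefix 80840 before
    applying the Luhn (ISO 7812) formula, so that an NPI validates like a
    standard card number.
    """
    digits = [int(c) for c in "80840" + first_nine]
    total = 0
    # Walk from the right. The check digit will occupy the rightmost slot,
    # so the digit adjacent to it (index 0 here) is the first one doubled.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is exactly ten ASCII digits with a correct check digit."""
    if len(npi) != 10 or any(c not in "0123456789" for c in npi):
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


def find_invalid_npis(records):
    """Return the ids of records whose 'npi' field fails validation.

    records: iterable of dicts with 'id' and 'npi' keys (a constructed
    layout for this example, not a HIPAA transaction format).
    """
    return [r["id"] for r in records if not is_valid_npi(str(r.get("npi", "")))]


if __name__ == "__main__":
    # Constructed sample records: one valid NPI, one with a bad check digit,
    # and one that is too short.
    sample = [
        {"id": "claim-1", "npi": "1234567893"},
        {"id": "claim-2", "npi": "1234567890"},
        {"id": "claim-3", "npi": "12345678"},
    ]
    print(find_invalid_npis(sample))  # → ['claim-2', 'claim-3']
```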

References

  1. Office for Civil Rights (26 July 2013). "Summary of the HIPAA Privacy Rule". U.S. Department of Health & Human Services. Retrieved 09 February 2022.
  2. Office for Civil Rights (26 July 2013). "Incidental Uses and Disclosures". U.S. Department of Health & Human Services. Retrieved 10 February 2022.
  3. "Public Law 104 - 191 - Health Insurance Portability And Accountability Act of 1996". GovInfo. U.S. Government Publishing Office. 21 August 1996. Retrieved 09 February 2022.
  4. "What Are HIPAA Transaction and Code Sets Standards?". Texas Medical Association. 29 October 2019. Retrieved 09 February 2022.
  5. Office for Civil Rights. "Other Administrative Simplification Rules". U.S. Department of Health & Human Services. Retrieved 10 February 2022.

Citation for this section

Title: HIPAA Compliance: An Introduction - Administration

Author for citation: Alan Vaughan, with editorial modifications by Shawn Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: Originally published June 2016; compiled and lightly edited February 2022