August 15, 2002 ©
Paul J. Breaux completed
Pharmacy School in 1965. After practicing pharmacy
for several years, he entered L.S.U. Law School,
graduating in 1972, and he has practiced law since
then. His practice is located in Lafayette, Louisiana.
The "Health Insurance Portability & Accountability
Act of 1996" (August 21), Public Law 104-191, which
was referred to often during its debate in the United States
Congress as the "Kennedy-Kassebaum Act," eventually
came to be referred to as simply "HIPAA." By the
time the Act was approved by Congress, several matters other
than just portability of insurance coverage had been added – one
of those topics being what Congress called "Administrative
Simplification."
Congress declares at Section 261 of HIPAA that a goal of
the Act's Administrative Simplification sub-title is " ...
to improve … the efficiency and effectiveness of … the
health care system … by encouraging the development
of a health information system … " that addresses
both the transmission and the maintenance of health information.
We all eventually learned that what this language means
is that Congress wants: (1) to improve the efficiency of
delivery of health care by standardizing the interchange
(transmission and receipt) of electronic data, and (2) to
ensure the (i) confidentiality and (ii) integrity of "individually
identifiable health information" by setting, and enforcing,
privacy and security standards.
Administrative Simplification affects all health care professionals – hospitals,
physicians, pharmacists, to name just a few. And it affects
practices of all sizes – health care practices with
only one practitioner and those with 100 and more. It will
also require certain contracts, called Business Associate
Agreements, between practitioners and many of their suppliers
and vendors.
There are four major elements of Administrative Simplification,
each of which has generated a variety of "rules" or "standards." Many
of the rules and standards are still in only the "proposed" (draft)
stage of publication. The rules, when final, will have different
compliance deadlines. The four major elements of Administrative
Simplification are:
- Electronic Health Transactions and Code Sets Standards — this
will require the electronic transfer of information between
trading partners in a standard/uniform format; and, electronic
Coding/Code Sets used to describe diseases and other
health problems, as well as their causes and the actions
taken, will be uniform. All parties to any transaction will
have to use and accept the same coding.
- Unique Identifiers — while the current system allows
different parties to have different identification numbers
when dealing with each other, these numbers will become unique
and universal – meaning that each provider, employer,
etc., will have one and only one number used to identify
them across the health care system for and in all transactions
(claims filing, health plan eligibility, claims payment,
coordination of benefits and others).
- Security and Electronic Signature Standards — this
will mandate safeguards for physical storage and maintenance,
for transmission, and for access to individual health
information, but will not mandate any specific technologies,
all with the aim of ensuring the integrity and confidentiality
of a person's health information.
- Privacy Standards — this will define what are appropriate
and inappropriate uses and disclosures of individually
identifiable health information and how patient rights
are to be protected and enforced.
For most entities, the compliance date for each standard
or rule will be 24 months from the effective date of a final
rule. Most often, the effective date is 60 days after a final
rule's publication date. The final Transactions and Code
Sets Rule was published on August 17, 2000, making the compliance
date for that rule October 16, 2002. The only other standard
in final form, the Privacy Rule, had a publication date of
December 28, 2000, but due to a glitch in the last weeks
of the Clinton administration didn't become effective until
April 14, 2001. The required compliance date for the Privacy
Rule thus became April 14, 2003. None of the other standards
(Security, Unique Identifiers, etc.) have yet been published
as final, so none of those can yet be said to have an
official compliance date.
HIPAA mandates severe civil and criminal penalties for
noncompliance, including: civil fines up to $25,000 for multiple
violations of the same standard in a calendar year; and criminal
fines up to $250,000 or imprisonment up to 10 years, or both,
for knowing misuse of individually identifiable health information.
There will be much more detail to learn as the regulations
that are to be prepared unfold further. For now: "HIPAA
Medical Privacy?" The "HIPAA" stuff, as it
relates to health care, is Congress' "Administrative
Simplification" ideas, and the "medical privacy" stuff
is only one of the four parts/elements of Administrative
Simplification. What's more, the edicts (both statutory and
regulatory) are MANDATORY — meaning that, unlike the
D.H.H.S.'s Office of Inspector General anti-fraud and abuse "suggestions" (OIG
has ordained them "Guidances"), those who are part
of the health care system and affected by the HIPAA provisions
MUST comply, and do so by the compliance dates that will
be given, or suffer the rather harsh penalties.