The Health Insurance Portability and Accountability Act (Public Law 104-191) was signed into law on August 21, 1996.

Its roots were formed in the 1993 Clinton health care reform proposals, and its intent is to streamline industry inefficiencies, make it easier to detect and prosecute fraud and abuse, enable workers of all professions to change jobs, provide better access to health insurance, and, most importantly, ensure that patient health information remains confidential.

Developing the Regulations

The law itself required extensive consultation with industry groups regarding what standards should be used, and the government made an impressive effort to comply with both the letter and spirit of those requirements. There were numerous public hearings and briefings, and the government asked selected organizations to consult with their members and make recommendations regarding many issues that arose during the development of the rules.

The rulemaking delays were welcomed to the extent that they allowed the industry to postpone related changes until after Y2K work was completed. But, as they continued, they made it difficult for everyone, including the Federal Government, to make realistic plans and budgets for accommodating the HIPAA requirements. Still, these were legislated mandates, not voluntary initiatives; they appeared unlikely to be repealed or abandoned, and nearly all of the initiatives were still moving forward. Thus, the industry needed to make the best business plans that it could for use of the proposed data formats, and those plans would have been formed around, but not conditioned on, the HIPAA regulatory schedule.

The provisions of HIPAA had come to dominate nearly all aspects of the health care data standards development process. HIPAA was forcing all of the standards developers and many industry sectors to rethink their plans, and, in many cases, to redefine their roles.

Security and Privacy

The DHHS published a Security NPRM (Notice of Proposed Rule Making) on August 12, 1998. The NPRM was essentially a compilation of the typical recommendations of the many different industry standards groups. The most common complaint was that, while the goals described were terrific, the NPRM was far too specific regarding how they should be achieved.

The DHHS published a Privacy NPRM on November 3, 1999. The law itself anticipated additional Congressional action in this area by August 21, 1999, but gave DHHS the authority to issue regulations if no action was taken. Most sources in and out of government preferred that Congress pass new legislation, rather than leave this up to the Administration. The Privacy NPRM’s provisions were quite wide-ranging, and estimates are that it will cost the health care industry over 40 billion dollars to comply. Also, many of the provisions are similar to those included in many recently enacted state privacy laws.

Congress has prescribed penalties for noncompliance with any provision of the HIPAA mandates. This includes civil fines of up to $100 per occurrence, with a maximum of $25,000 per calendar year for “… all violations of an identical requirement or prohibition…”. Thus, with nine transactions included in the mandate, with four new national identifiers, and with a separate mandate on security and privacy, these penalties can total as much as $350,000 per year for up to 14 violations.

DHHS interpreted the transaction mandates as worth up to four penalties each, with separate penalties for not using a transaction, for not using the standard data elements within a transaction, for not using the standard data values (or code sets) within the data elements, and for not using the transaction as described in the associated Implementation Guide. This interpretation yields maximum annual penalties of up to (4 x 9 + 4 + 1) = 41 x $25,000 = $1,025,000, and counting. It was also proposed that separate fines be imposed for each major component of the security requirements that is violated. There are 25 such components.

Administrative & Medical Code Sets

HIPAA also gives the DHHS the authority to specify what data coding schemes can be used in the health care transactions. People usually think of this in terms of what medical coding schemes can be used, but the authority is broader than that. There are national standard schemes for types of providers, types of services, claim status, claim adjudication results, and so on. These are commonly referred to as “administrative coding schemes”, to distinguish them from the more specific “medical schemes”. These all have to be used in place of proprietary coding schemes when using any of the mandated transactions. Some of these schemes are already in widespread use, while others require substantial changes in business practices.

And So It Began

HIPAA was eventually born and, at a minimum, everyone in the health care industry and all related industries and vendors are faced with a huge continuing education effort. If the provisions are to work, every sector of the industry will have to repeatedly re-evaluate how it does business and make continuous efforts to maintain the standards set forth in HIPAA. It is an objective here at the CAL HIPAA to assist in the ongoing HIPAA educational and information dissemination process, as well as to provide data security and implementation solutions to all California health care providers.