HIPAA requires covered healthcare providers that transmit certain healthcare transactions electronically, along with health plans and healthcare clearinghouses, to use federally adopted standard transaction formats, standard code sets, and standard identifiers for those transactions under the HIPAA Administrative Simplification provisions, and to maintain policies, procedures, and controls that support accurate, secure, and compliant electronic exchange.
The HIPAA electronic transaction standards apply when a Covered Entity conducts a covered transaction in electronic form, including transactions such as healthcare claims or equivalent encounter information, healthcare payment and remittance advice, coordination of benefits, eligibility inquiries and responses, referral authorization requests and responses, enrollment and disenrollment in a health plan, premium payments, and claim status inquiries and responses. When a Covered Entity sends one of these transactions electronically, the Covered Entity is required to use the adopted standard for that transaction, either directly or through a healthcare clearinghouse, and the Covered Entity may not refuse to conduct the transaction in the standard format when the standard applies.
HIPAA code set standards require the use of adopted medical data code sets for diagnoses, procedures, dental services, drugs, and other coded elements used in standard transactions, and Covered Entities are expected to prevent local or proprietary codes from being substituted where a HIPAA standard code set is required. HIPAA identifier standards require the use of adopted identifiers in standard transactions, including the National Provider Identifier for healthcare providers when applicable and other adopted identifiers such as the Employer Identification Number for employers in relevant contexts. Internal controls commonly address mapping and validation of data elements, testing with trading partners, version management for transaction implementation specifications, and change control processes when systems or clearinghouse connections are modified.
Operational compliance for electronic transactions is supported by governance and documentation practices that define who initiates, approves, transmits, and receives transactions, and how errors, rejections, and reconciliations are handled. A Covered Entity that uses a healthcare clearinghouse remains responsible for compliance with the transaction standards for transactions it conducts, and should maintain contracts and technical specifications that align with the adopted standards. When electronic protected health information is involved in transaction workflows, the HIPAA Security Rule applies to the systems that create, receive, maintain, or transmit the information, and safeguards such as access controls, audit controls, integrity controls, transmission security, and workforce training support compliant transaction processing.