HIPAA Update - Basic HIPAA Implementation Facts

May 16, 2002 Advisory

The Most Basic HIPAA Implementation Facts

  • HIPAA is not going away.
  • If you, or any part of your organization, provide health care services (or prescription drugs or products) and you do any electronic billing, you are a HIPAA "covered entity."
  • The three major components of HIPAA (electronic transactions and code sets, privacy and security) have separate requirements and compliance deadlines. Only one deadline (electronic transactions and code sets) has been extended for entities filing a compliance plan.
  • Significant parts of HIPAA will require substantial lead time to implement.
  • Some important details of HIPAA remain a moving target. Changes are proposed in the privacy regulations and some specifications for electronic transactions standards may change as well.
  • Proposed modifications to the privacy regulations should not delay implementation efforts.
  • By now, your HIPAA implementation strategies should be defined, budgeted and under way.

This Advisory will update you on each HIPAA component and direct you to resources for further details and assistance.


Although several aspects of HIPAA remain subject to some modifications, any provider or organization covered by these extensive requirements should be tracking them closely and by now should have HIPAA compliance strategies identified and in progress. The three separate components to the health information or "Administrative Simplification" requirements of HIPAA (the Health Insurance Portability and Accountability Act of 1996) are: (a) electronic transactions and code sets requirements; (b) privacy and (c) security. For our detailed summary of the HIPAA statute and regulations, including recent proposed modifications to the privacy regulations, please see "HIPAA: Privacy, Security, Electronic Transactions - Summary of Statute and Regulations" on Wiggin & Dana's HIPAA web page at www.HIPAA-law.info.

As discussed below, there are two recent HIPAA developments of major significance. First, at the request of Congress, HHS has published instructions enabling covered entities (except small health plans) to extend their compliance date for the electronic transactions and code sets regulations until October 16, 2003, by filing a compliance plan no later than October 15, 2002. Secondly, as promised, HHS has proposed modifications to the HIPAA privacy regulations. If adopted, these changes would remove the current requirement for obtaining "consent" before using or disclosing health information for treatment, payment or health care operations. As described below, the modifications would change other details of HIPAA privacy, but would not generally impact the structure or substance of these comprehensive requirements concerning use and disclosure of health information. There is no proposal to extend the April 14, 2003 HIPAA privacy compliance date. Although final HHS actions on these proposed modifications will take several more months, HIPAA privacy implementation can and should be moving forward according to a well organized and sequenced implementation plan.