The Health Insurance Portability and Accountability Act (HIPAA) of 1996 regulates how your medical information, known as Protected Health information (PHI), is shared or disclose by organizations covered by this law. The Med-QUEST Division (MQD), as the HI State Medical Assistance Program, do not create medical health information. MQD obtains medical health Information to process the payment and to evaluate the quality of medical services you received from health care providers and health plans. The Notice of Privacy Practices (NPP) explains when PHI is shared or disclosed by MQD. HIPAA also guarantee individuals with specific rights to the protected health information. These rights include the right to review and obtain copies of the PHI MQD maintains, the right to request an amendment of PHI and the right to request a restriction to the disclosure of PHI. MQD has created forms to assist Medicaid clients with in the forms section.


The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA, was enacted by Congressional to reform and improve healthcare. The purpose of the Act is to:
  • Improve portability and continuity of health insurance coverage in the group and individual markets;
  • To combat waste, fraud, and abuse in health insurance and health care delivery;
  • To promote the use of medical savings accounts;
  • To improve access to long-term care services and coverage;
  • To simplify the administration of health insurance;
  • To provide Americans with new rights to control the release of their personal health information;
  • To protect the privacy of personal health information maintained by most health care providers, hospitals, health plans and health insurers, and health care clearinghouses;
  • To protect against unauthorized use of medical records for employment purposes;
  • To establish specific federal penalties if an individual’s right to privacy of health information is violated; and
  • Other purposes such as standardization of identifiers.
Title I of the HIPAA law deals with health care access, portability, and renewal of health insurance, with the intention of protecting health insurance coverage for workers and their families when they change or lose their jobs. Title II of the law, also known as "Administrative Simplification", deals with preventing health care fraud and abuse, and to simplify and standardize the exchange of health information between health care organizations.

The "Administrative Simplification" aspect of that law requires the United States Department of Health and Human Services (HHS) to develop standards or the protection, maintenance, and transmission of health information that identifies individual patients. These standards are usually referred to as "HIPAA Regulations". These regulations are designed to:
  • Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specified administrative and financial transactions; and
  • Ensure all affected health care related organizations develop both physical and procedural guidelines to protect the security and confidentiality of health information.

    Back To Top

Who is Affected?

The new laws affect virtually all health care-related organizations, including health plans, providers, business associates, clearinghouses, federal Medicare and State Medicaid programs, and other state and local government organizations that handle health care information.

Every link in the communication chain is affected in some way, including providers and benefits payers that exchange claim and payment data. Electronic processes that are affected by HIPAA include enrollments and eligibility transactions, provider transactions and communications, claim transactions, and remittance advice. Non-compliance can lead to severe civil and criminal penalties.

What are the Regulations?

The Administrative Simplification provision is composed of four parts, each of which has generated a variety of rules and standards. Final and pending rules address transactions and code set standards, privacy and security standards to protect health information, and establish national provider and employer identifiers.

Back To Top

Administrative Simplification Provisions

  • Electronic Health Transactions and Code Set Standards – Proposes electronic Standards for eight transactions and for code sets. The final TCS rules was published 8/17/00 and had subsequent modifications. All covered entities (with the exception of small health plans) must be in compliance with this component by 10/16/03.
  • Unique Health Identifiers - Proposes standards for a National Health Care Provider Identifier, a National Employer Identifier and a National Health Plan Identifier. This component is currently in development. The National Individual Identifier has been placed on hold due to citizen concerns. (National Employer Identifier compliance date is 7/30/04). The (National Provider Identifier (NPI) compliance date is 05/23/07).
  • Privacy Rule Standards – Proposes confidentiality standards to protect the privacy of an individual’s health information maintained by a covered entity. The final Privacy rule was published 12/28/00 and modified in 8/02. Covered entities must be in compliance with this component by April 14, 2003.
  • Security Rule Standards - Proposes Administrative, Technical and Physical Standards for the security of electronic health information. The final security rule was published in CFR Friday 2/20/2003. Covered entities must be in compliance with the Security rule by 4/21/05
  • Enforcement Rule – Proposes a regulatory framework for the civil monetary penalty and authority of the Administrative Simplification part of HIPAA. The final enforcement rule is published in 02/06 with the effective date of 03/16/06.

    Back To Top

HIPAA Enforcement Final Rule

On February 16, 2006, the department of Health and Human Services (HHS) published a final rule which details the bases and procedures for imposing civil monetary penalties for violations of the 1996 Health Insurance Portability & Accountability Act (HIPAA), Administrative Simplification Rules. The Center for Medicare and Medicaid Services (CMS) has been delegated the authority to investigate complaints of non- compliance and enforcement with respect to the following regulations known as the:the Transaction and Code Set Rule (TCS), the National Employer Identifier Number (EIN)Rule, the National Provider Identifier (NPI) Rule and the Security Rule and the expected National Plan Identifier Rule. This authority does not include the regulation know as the:Privacy Rule, which has been delegated to the Office for Civil Rights.

© Hawaii State Med-QUEST Division 2003-2007