DISCLAIMER: The following information is intended for guidance purposes only and does not replace appropriate legal or regulatory advice.

HIPAA Providers

HIPAA Enforcement Final Rule
Electronic Data Interchange
National Provider Identifier (NPI)
National Plan Identifier (NPlanID)
Transaction and Code Sets
Technical Documents


Providers are covered under the HIPAA Privacy Rule if they conduct one of the electronic standard transactions required in the Transactions and Code Sets Rule. In this case electronic means Internet, dial-up, FTP, magnetic tape, CD, or floppy disk. If you conduct your business electronically and submit electronic claims, you must comply with the Privacy Rule, with a compliance date of April 14, 2003.

Educate yourself, the first thing you need to do is read the final HIPAA Privacy Rule at http://aspe.os.dhhs.gov/admnsimp/. Attend any sessions that are offered by your associations or other organizations, and search the Internet for Web sites offering HIPAA information and commercial products.

Assess how the Privacy Rule Affects You. We recommend that you begin putting together a plan to handle these changes by the April 2003 implementation date and that you assess your readiness and needs. Security 

The final Security Rule was published in the Federal Register February 20, 2003, The compliance date is April 21, 2005; however there are many overlaps with the Privacy Rule relating to the protection of Protected Health Information. Educate Yourself, The first thing you need to do is read the Final Security Rule, For more information and a link to the Rule go to: Assess how the Security Rule affect you, We recommend that you begin putting together a plan to handle the required changes by the April 2005 implementation date.


The final Security Rule was published in the Federal Register February 20, 2003, The compliance date is April 21, 2005; however there are many overlaps with the Privacy Rule. For more information and a link to the Rule go to http://cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp

HIPAA Enforcement Final Rule

On February 16, 2006, the department of Health and Human Services (HHS) published a final rule which details the bases and procedures for imposing civil monetary penalties for violations of the 1996 Health Insurance Portability & Accountability Act (HIPAA), Administrative Simplification Rules. The Center for Medicare and Medicaid Services (CMS) has been delegated the authority to investigate complaints of non-compliance and enforcement with respect to the following regulations known as the: Transaction and Code Set Rule (TCS), the National Employer Identifier Number (EIN) Rule, the National Provider Identifier (NPI) Rule and the Security Rule and the expected National Plan Identifier Rule. This authority does not include the regulation known as the Privacy Rule, which has been delegated to the Office for Civil Rights.

Electronic Data Interchange

Med-QUEST and ACS strongly encourage providers to consider Electronic Data Interchange, or EDI, as a way of doing business. EDI covers all aspects of electronic transactions, from eligibility verification to claims submission and electronic remittance advice. EDI carries the following benefits:

  • Faster claims payment (837)
  • Less time spent on the phone verifying eligibility (270/271)
  • Automated Clearing House (ACH) payment for providers receiving an electronic remittance advice (835)
  • On-demand claims status (276/277)

To learn more about these transactions, providers are encouraged to contact ACS at (808) 952-5570 (Oahu and mainland) or (800) 235-4378 (Neighbor Islands). The 270/271 and 276/277 transactions can be accessed through DHS Medicaid Online. To use the 270/271 and 276/277 batch options, or to submit electronic claims (837) or receive electronic remittance advice (835), providers must have their own software. ACS can supply providers with basic information and the DHS Medicaid EDI Manual, which explains how to prepare for EDI, sign-up with Med-QUEST, complete testing, and transmit production transactions.

National Provider Identifier (NPI)

On January 23, 2004 , the Centers for Medicare & Medicaid Services (CMS) announced the adoption of the National Provider Identifier (NPI) as the standard unique health identifier for health care providers to use in filing and processing health care claims and other transactions.

Providers shall be able to apply for an NPI through the web, paper application, or the EFI process. The Enumerator shall provide NPI application forms to health care providers upon request (CMS will furnish paper copies of the NPI application form to the Enumerator). A pdf version of the application form shall also be available for download by providers through a CMS maintained website.

CMS is currently in the process of contracting with an enumerator (contractor) to identify, assign, update and disseminate NPI data to the health care industry. The Enumerator shall input data from the NPI application into the National Plan and Provider Enumeration System (NPPES) from paper applications, while checking for completeness and accuracy. The Enumerator shall be responsible for mailing a system-generated letter notifying the provider of its NPI. In the event that any application is disallowed, the Enumerator shall prepare a letter notifying the applicant of the reason for the disallowance, the Enumerator will also assist health care providers with resolving discrepancies to obtain an NPI.  The Enumerator shall carry out a number of functions, including, but not limited to:

  • enter identifying information about a health care provider into the NPPES for those providers applying by paper application;
  • provide NPI application forms to providers upon request;
  • notify the provider of its NPI;
  • process provider information updates received from providers via paper applications;
  • assist providers with questions or problems, including those providers applying for NPIs by the internet;
  • handle all requests for deactivations and replacement NPIs for providers;
  • handle potential error resolutions including investigating and resolving pending applications (applications with errors that prevent the NPPES from assigning an NPI);
  • work with provider organizations that wish to submit files through Electronic File Interchange (EFI);
  • validate the organization’s identity and establish accounts;
  • work with organizations to determine if their providers have NPIs;
  • reset web users’ passwords and user IDs; and
  • maintain a call center for providers.

The final rules and additional information can be viewed at http ://www.cms.hhs.gov/hipaa/hipaa2/default.asp

The compliance date for providers to obtain and use the NPI is 5/23/07. All health care providers impacted by the standard can apply for an NPI with the National Plan and Provider Enumeration System (NPPES). For more information and a link to the Rule go to: http://www.cms.hhs.gov/NationalProvIdentStand. CMS has contracted with Fox Systems, Inc. to serve as the NPI Enumerator. The NPI Enumerator is responsible for dealing with health plans and providers on issues relating to unique identification. On 5/23/05 The NPPES online website is available for online NPI application at https://nppes.cms.hhs.gov/NPPES/Welcome.do. Paper application will be accepted on 7/1/05. On 10/2/06, Medicare will begin accepting use of the NPI.

National Plan Identifier (NPlanID)

HIPAA will also adopt standard unique identifiers for health plans that are covered entities. The NPPES will also assign these unique health plan identifiers.

Transactions and Code Sets

Med-QUEST successfully implemented the following transactions for the October 2003 TCS Implementation:

  • 837 Fee For Service Claims
  • 835 Electronic Remittance Advice
  • 270/271 Eligibility Verification Request and Response
  • 276/277 Claim Status Request and Response
  • 834 Health Plan Roster
  • 820 Premium Payment

Med-QUEST is able to accept and process all of the above transactions. Trading partners interested in exchanging the above electronic transactions with Med-QUEST are urged to contact ACS, the Med-QUEST fiscal agent, at (808) 952-5570 (O’ahu and mainland) or (800) 235-4378 ( Neighbor Islands). Please note Med-QUEST does not exchange electronic claims and remittance advice directly with QUEST providers. Instead, QUEST providers work with the various QUEST health plans. QUEST providers must contact health plans, not ACS, for issues related to electronic claims and remittance advice. Health Plans may contact Med-QUEST directly for transaction-related issues. Med-QUEST successfully converted most of its local codes on October 16, 2003. Social Services Division (SSD) local codes will convert in January 2004. Med-QUEST will convert the remaining local codes as instructed by Medicare. In October 2003 Med-QUEST and SSD notified all affected providers of local codes changes. Med-QUEST will continue to implement TCS transactions as mandated by federal law, The latest Proposed Rules include Standards for Electronic Health care Claims Attachment and Electronic Signature Standard. National Provider Identifier (NPI) Med-QUEST, in conjunction with the Arizona’s State Medicaid program, began a review of the NPI Standard and an analysis of the Hawaii Prepaid Medical Management system (HPMMIS). A crosswalk with the NPI requirements and the current HPMMIS provider identification database was conducted to identify and begin modifications to the current provider identification database to assure compliance with the NPI Standard by 5/23/07.

Technical Documents






The Department of Human Services, Med-QUEST Division, is responsible for ensuring HIPAA compliance for Hawaii Medicaid program. This includes health plans, and fee for service providers. Med-QUEST works with the fiscal agent to review requirements, write regulations, and revise operational procedures. 


HIPAA compliance consists of three components: privacy, security, and transactions and code sets (TCS). Privacy 
Med-QUEST is committed to the protection of an individual’s health information and was compliant with all the requirements of the Privacy Rule on April 14, 2003. Our efforts to date include:

  • Preemption analysis of HIPAA privacy rule and other relevant federal Medicaid and state regulations.
  • Development of a strategy to analyze and implement the HIPAA Privacy rule requirements.
  • Review of organizational practices to determine potential gaps with HIPAA compliance.
  • Development and implementation of administrative, technical, and physical safeguards to protect health information.
  • Participation with other covered entities to develop consistent practices
  • Development of the following Med-QUEST policies and practices:
  • The Notice of Privacy Practices (NPI), which goes out to all current Medicaid recipient households before April 14 and to all new applicants and recipients thereafter.
  • DHS Department level policies and Med-QUEST divisional policies and procedures in conformance with the Privacy Rule
  • Identifying business associates and Business Associate contract language, which will be inserted in all business associate contracts starting July 1, 2003.
  • New Authorization forms have been developed for any requests for information maintained by MQD.

Med-QUEST conducted DHS departmental training and Privacy policy and procedure training for all affected staff in March 2003.


The final Security Rule was published in the Federal Register February 20, 2003 and the compliance date was April 21, 2005. Med-QUEST performed initial security assessments in conjunction with the Privacy rule. Our efforts included:

  • Evaluation of existing security practices with the HIPAA Security rule.
  • Risk Analysis of MQD information network and computer system.
  • Development of a Risk management Plan.
  • Information Technology testing and remediation of computer networks.
  • Implementation of technical administrative, physical and technical policies and procedures.
  • Development of a Business Contingency Plan (BCP) for IT recovery.
  • Participation with other covered entities and process stakeholders to assure practices adequately protect PHI (as well as ongoing participation).
  • Development and implementation of a security awareness and policy training program.
  • Development of an ongoing security reminders program to assure staff has periodic updates with technical security of PHI.