Health Insurance Portability and Accountability Act Overview

The Health Insurance Portability and Accountability Act (HIPAA) was signed into federal law in 1996 as Public Law 104-191. One purpose of the law is to protect the portability of health insurance coverage for employees and their families if they change or lose their jobs. This is not discussed in detail here.

These pages focus on the part of the HIPAA legislation collectively known as Administrative Simplification, which is designed to protect sensitive health care information and reduce the administrative burden of health care for health care providers. These sections mandated that the US Secretary of Health and Human Services adopt a series of rules to accomplish the goals of the law. The resulting rules, listed below with their effective dates, have been fully adopted and implemented by the Department of Health Care Policy & Financing (Department).

  • HIPAA Transactions and Code Sets (October 16, 2000)
  • HIPAA Privacy Rule (February 26, 2001)
  • HIPAA Security Rule (April 21, 2003)
  • Standard Unique Health Identifier for Health Care Providers (May 23, 2005)

The Transactions and Code Sets Rule established standards for electronic transactions of health care information and for the code sets used in those transactions within the health care industry. The use of these standard transactions and code sets improves the administrative efficiency of the Department by allowing it to communicate with its providers via industry-wide standards.

The Privacy Rule mandates that health plans (including Health First Colorado), health care providers and health care clearinghouses safeguard individuals' Protected Health Information (PHI) to prevent improper use and disclosure of that information, while providing basic individual rights to access and request amendment of this information. See the Department's Notice of Privacy Practices.

The Security Rule establishes a level of security for PHI, either stored in electronic media (memory devices in computers or any removable/transportable digital memory medium) or exchanged in electronic communication media including the Internet, dial-up lines and private lines.

The Standard Unique Health Identifier for Health Care Providers Rule required that health care providers be uniquely identified by a single national number, which became known as the National Provider Identifier (NPI). The objective of this rule is to reduce the administrative burden on health care providers. Prior to the enforcement of this rule, providers usually needed to maintain a separate identification number for each health plan for which they provided services.