On May 10, 1869, the final track was laid for the American transcontinental railroad. Imagine what would have happened if the track laid from west to east by the Union Pacific Railroad and the track laid from east to west by the Central Pacific Railroad were not the same width. The ceremony at Promontory Summit, Utah, would not have been pleasant. Fortunately, the two companies agreed early on to set the track gauge at 4 feet 8.5 inches, accommodating the most popular steam locomotive of the day and allowing rail transportation across the continent.

Standards are essential to all cooperative human enterprises, beginning with basic standards for oral and written communication (language) and extending to measurement, manufacturing, telecommunications, and information systems. The “de facto” selection of DOS and Windows as the common “standard” operating system for personal computers used in business communications made Microsoft what it is today. Apple Computer refused to license its operating system to rival hardware manufacturers, and was left behind.

Communications standards exist for electronic data interchange to support most areas of the modern American economy. But until recently, they did not exist for health care transactions, which comprise 1/7 of the Gross Domestic Product of the United States. Despite the fact that everyone involved uses computers to run their business, the absence of standards for electronic data interchange means that much of the communication between plan sponsors, benefit plans, and health care providers is handled over the telephone or through the mail.

Think about a typical visit to a physician’s office. More often than not, the patient, medical office staff and health plan staff exchange telephone calls or paperwork to ensure that the individual is enrolled in the health plan, the anticipated service is covered, a required referral has been made, and payment for the service is authorized. After the visit, the medical office mails a HCFA 1500 claim form to the health plan, which manually enters the data into its computer system, checks for errors, and mails a check to the physician.

Consider that there are over a million health care professionals in the United States. Allow for similar events involving hospitals, nursing homes, community mental health centers, pharmacies and other providers. Factor in communications among health plans and with plan sponsors, and communications required to correct mistakes and misunderstandings. Multiply all of that a few billion times and you get a sense of the staggering administrative overhead of the American health care system.

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are intended to promote efficiency and reduce administrative costs in the health care system by “encouraging the development of a health information system through the establishment of standards and requirements for the electronic maintenance and transmission of certain health information”. HIPAA requires the Secretary of Health and Human Services to enact rules to establish national standards for a host of electronic transactions between employers, health plans and health care providers. Given the sensitive nature of health information, the statute also requires DHHS to adopt standards for privacy of individually identifiable health information and security of health information systems. Public and private health benefit programs, health care transaction clearinghouses, and health care providers that use computers for the “HIPAA transactions” are required to comply with the DHHS standards.

Eventually, health care providers and health plans will benefit from the HIPAA standards. In the meantime, HIPAA is a nightmare for a lot of people. The HIPAA rules and the standards adopted by DHHS are incredibly complicated. The penalties for non-compliance are frightening.

This Compliance Guide is designed to make it easier for people to comply with HIPAA. It is being published in electronic form on the Internet for two reasons. First, an electronic publication is searchable. Subscribers can quickly find information about specific subjects without having to plow through thousands of pages of documents. Second, federal and state law and the HIPAA standards change constantly. Publication on the Internet makes it possible to distribute updated information quickly. For those who prefer printed materials, a hard copy version is available.

Please note a few things about this Guide.

• It can be used by any health care provider or health plan. But the author has a special interest in systems that serve people with mental disabilities, and extra attention is paid in this area.
• It can be read from beginning to end as a book, or searched to obtain information about specific topics.
• It compiles and presents a lot of legal information. Hopefully, that information is presented in a way that makes it easier to understand the requirements of HIPAA. It should be useful to people who are not attorneys, while providing a basic set of information for lawyers who are not HIPAA experts.
• The “generic” version discusses federal privacy standards. State-specific versions include a “pre-emption” analysis that compares the HIPAA standards and state law to determine which applies in various situations. Versions for various states will be published over time.
• The third chapter, “A Path to HIPAA Compliance”, is a step-by-step guide to the compliance process, including forms that can be used to conduct a privacy and security audit. This may be all that a small clinic or medical practice needs to meet the HIPAA standards. Larger organizations should consider an expert review of the security of their information systems and their privacy policies and procedures.
• Standards for electronic health care transactions are discussed from the point of view of an organization that relies upon a third party to supply technology required to ensure compliance with the standards. The Guide provides a good orientation to the HIPAA transaction standards, and describes what, as a business matter, you can and should expect from software vendors, billing companies and health care clearinghouses. But it does not provide detailed information about data content, data formatting, or data conditions associated with specific electronic transactions.
• Recent legislation allows HIPAA covered entities to request a one-year extension of time to comply with the transaction standards. The Guide explains how to do that.

A lot of work went into the creation of this Guide, and we hope it is helpful to you. But it is not a substitute for advice from a qualified professional. Please be sure to consult with an attorney before you finalize your privacy and security policies and procedures, or if you have a specific legal problem. If you need help finding a lawyer who specializes in health information technology law, please contact the American Health Lawyers Association in Washington DC. If you are concerned about the security of your computer system, please get professional help, ideally from a person who has earned the designation of Certified Information Systems Security Professional (CISSP) from the International Information Systems Security Certification Consortium.
Copyright © 2002-2004, Compliance Guides, LLC. All Rights Reserved.