 |
|
|
 |
 |
|
|
|
Federal Office of Civil Rights - HIPAA Privacy
U.S. Department of Health and Human Services
Centers for Medicare and Medicaid Services
Workgroup for Electronic Data Interchange
Office of HIPAA Compliance
919-855-4220
Fax 919-715-0673
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the federal law that introduced standards for the electronic exchange of information between health care plans (payers), clearinghouses, and providers.
EOB Code Crosswalk to HIPAA Standard Codes (revised October 1, 2009)
Transactions, as defined under HIPAA, are electronic communications between covered entities. Standards for electronic transactions and their applicable code sets were adopted and made effective on October 16, 2000, and all covered entities were required to comply with these standards by October 16, 2002.
Health plans (payers) and those providers who conduct transactions electronically are defined as covered entities.
Providers who submit transactions through a clearinghouse or vendor should contact their clearinghouse or vendor to ensure proper measures are being taken for HIPAA compliance.
HIPAA also introduced regulations to protect patient rights and to guard against the misuse or disclosure of their health records.
The privacy rule establishes accountability and responsibility for the use or disclosure of any protected health information (PHI) for the purposes of treatment, payment or health care operations. This includes all medical records and health information used or disclosed in any form, whether electronic, written or oral.
The HIPAA Privacy Rule (45 CFR 164.502 and .508) as well as the Federal Social Security Act 1902(a)27, 45 CFR 431.107, and the N.C. Medicaid provider enrollment agreements all allow providers to share information with the Division of Medical Assistance or its agents without additional patient authorization. This includes information needed for payment of claims as well as additional information that may be requested for audits, investigations, and civil, criminal or administrative proceedings.
The privacy rule does require the disclosure must be limited to the minimum amount of information that is necessary to accomplish the intended purpose. The complete medical record should not be sent to the Division of Medical Assistance or its agents unless it is specifically requested.
A Trading Partner Agreement (69 KB PDF) is required for entities that are directly exchanging electronic data with N.C. Medicaid.
A Trading Partner Agreement (TPA), defined in 45 CFR 160.163 of the transaction and code set rule, is a contract between parties who have chosen to exchange information electronically. The TPA stipulates the general terms and conditions by which the partners agree to exchange information electronically. The document defines participant roles, communication, privacy and security requirements, and identifies the electronic documents to be exchanged. TPAs are used by all entities that wish to establish an electronic relationship with the N.C. Medicaid program. TPAs must be on file prior to testing electronic transactions with N.C. Medicaid.
Note: Providers who contract with billing services or clearinghouses will not establish a TPA directly with N.C. Medicaid.
Providers must ensure that proper measures are taken when submitting patient information to the N.C. Medicaid program.
Currently, the State of N.C. does not encrypt emails. Therefore, the security of patient information sent by e-mail cannot be guaranteed. If it is necessary to send patient-specific information to an employee of the Division of Medical Assistance, we advise you to send the information in a password protected attachment to the e-mail. The password should not be sent by e-mail.
Addressing Correspondence to the Division of Medical Assistance
To ensure that information is delivered to the intended staff, please address all correspondence to a specific person at the Division of Medical Assistance. If a person’s name is not known please, at a minimum, address the information to a specific Section. Otherwise, significant delays may occur in proper delivery of the information.
Mail sent through the US Postal Service should be addressed as follows:
DMA Name of Section
Attn: First and Last Name of person who should receive the mail
2501 Mail Service Center
Raleigh, NC 27699-2501
Certified mail, UPS, or Federal Express deliveries that require a street address should be sent to the following address:
DMA Name of Section
Attn: First and Last Name of person who should receive the mail
1985 Umstead Drive
Raleigh, NC 27603
Additional information about HIPAA is also available in the June 2003 Special Bulletin, HIPAA Update.
