A. The term “small providers” originates in the Administrative Simplification Compliance Act (ASCA), the law which requires those providers/submitters who bill Medicare to begin submitting only electronic claims to Medicare on October 16, 2003 in the HIPAA format. However, ASCA does provide an exception to the Medicare electronic claims submission requirements to “small providers”. ASCA defines a small provider or supplier as: a provider of services with fewer than 25 full-time equivalent employees or a physician, practitioner, facility or supplier (other than a provider of services) with fewer than 10 full-time equivalent employees.

It is important to keep in mind that this provision does not preclude providers from submitting paper claims to other health plans. In addition, if a provider transmits any of the designated transactions electronically, it is subject to the HIPAA Administrative Simplification requirements regardless of size.

A. As a provider who bills electronically, you will be required to comply with the HIPAA requirements of the Privacy Rule by April 14, 2003, unless, before that date, you stop conducting any of the HIPAA transactions electronically. The HIPAA transactions commonly used by providers include claims, eligibility queries, claim status queries, and referrals. It is important to note that you cannot avoid the HIPAA requirements by hiring another entity, such as a billing service, to conduct these transactions electronically for you. While you and other health care providers could revert to conducting solely paper transactions, doing so would have many negative effects for most providers.

The provider’s business processes would be disrupted by having to prepare paper claims and check eligibility and claim status by phone. Reverting to paper would cause particular problems for those providers who receive Medicare payments. First, these providers would experience delays in receiving payments, because Medicare by law cannot pay paper claims until 28 days after receipt (as opposed to 14 days for electronic claims). Second, effective October 16, 2003, Medicare is prohibited by law from paying paper claims except for those from small providers and under certain other limited circumstances. After that date, any provider that does not meet the “small provider” or other exception would have to return to electronic claims submission in order to continue to receive Medicare reimbursement. At that time, the provider would again be required to comply with the Privacy Rule requirements.

• Health claims and equivalent encounter information.
• Enrollment and disenrollment in a health plan.
• Eligibility for a health plan.
• Health care payment and remittance advice.
• Health plan premium payments.
• Health claim status.
• Referral certification and authorization.
• Coordination of benefits.
  

A. The Department of Health and Human Services (HHS)has determined that CMS will have responsibility for enforcing the transactions and code set standards, as well as security and identifiers standards when those are published. CMS will also continue to enforce the insurance portability requirements under Title I of HIPAA. The Office for Civil Rights in HHS will enforce the privacy standards.

The “Healthcare Provider Taxonomy Code” is a situational data element in the X12N Implementation Guides for the 837 4010A1 Institutional and Professional claims/encounter information transactions. If the Taxonomy code is required in order to properly pay or process a claim/encounter information transaction, it is required to be reported. Thus, reporting of the Healthcare Provider Taxonomy Code varies from one health plan to another.

The Healthcare Provider Taxonomy code set divides health care providers into hierarchical groupings by type, classification, and specialization, and assigns a code to each grouping. The Taxonomy consists of two parts: individuals (e.g., physicians) and non-individuals (e.g., ambulatory health care facilities). All codes are alphanumeric and are 10 positions in length. These codes are not “assigned” to health care providers; rather, health care providers select the taxonomy code(s) that most closely represents their education, license, or certification. If a health care provider has more than one taxonomy code associated with it, a health plan may prefer that the health care provider use one over another when submitting claims for certain services.

The Healthcare Provider Taxonomy code set is available at no charge from the Washington Publishing Company’s website: www.wpc-edi.com

The Healthcare Provider Taxonomy code set is maintained by the National Uniform Claim Committee (NUCC). The NUCC accepts requests for new codes and requests for changes to existing codes or descriptions. The criteria for review of a request for a new code or a change are available on the NUCC web site (www.nucc.org). The code set is updated twice a year.

In addition, the original HIPAA legislation permits civil monetary penalties of not more than $100 for each violation, with a cap of $25,000 per calendar year. (Much larger penalties are provided for certain wrongful disclosure of individually identifiable health information).

Thus, the ASCA penalty is for failure to submit an extension request, and it applies only to Medicare providers, while the HIPAA penalty is for noncompliance, and is generally applicable. Medicare providers could be both excluded and fined, while non-Medicare covered entities would be subject only to the civil monetary penalties.

A small provider who is a covered entity would first assess their security risks and vulnerabilities and the mechanisms currently in place to mitigate those risks and vulnerabilities. Following this assessment, they would determine what additional measures, if any, need to be taken to meet the standards; taking into account their capabilities and the cost of those measures.

A. ERISA plans are covered in the definition of "health plan" and therefore are covered entities. The only exception is for ERISA plans that have less than 50 participants AND are self-administered. Fully insured ERISA plans therefore are HIPAA covered entities.

The HIPAA statute gives "small health plans" an additional year to comply with the HIPAA standards. ERISA plans that meet the definition of a small plan do not need to submit an extension request, because they already have until October 16, 2003 to become compliant. A small plan is defined as having annual receipts of $5 million or less.