1. HIPAA's Title II- Administrative Simplification
Rules: The Three Basic Rules that You Need to
Know about Electronic Filing Systems
By: Aaron Varrone
ABSTRACT
HIPAA Title II, The Administrative Simplification provisions were establish for a variety
of reasons. The main rationale was to take advantage of twenty-first century technology,
and increase efficiency by eliminating redundant and manual processes. By establishing
electronic health information systems, electronic protected health information (ePHI)
became Congress’ top priority, on how healthcare organizations should deal with such
vital and confidential information.
The aim of this paper is to examine an in-depth look at HIPAA’s Title II on how
technology has enhanced the way healthcare organizations conduct their business
activities on a daily basis, while specifically addressing the privacy and security issues
that many are concerned about. This paper will explain the background and history
behind HIPAA and Title II, including Congress’ goals and objectives for this act, and
then will go into great detail about the three basic rules that HIPAA, and more
specifically Title II, are all about.
INTRODUCTION
In the summer of 1996, the United States Congress passed The Health Insurance
Portability and Accountability Act (HIPAA). HIPAA was enacted for a variety of
reasons which include: giving patients the ability to transfer and continue health
insurance coverage when they change or lose jobs, reduce healthcare fraud and abuse,
mandate industry-wide standards for healthcare information on electronic billing and
other processes, and required protection and confidential handling of protected health
information (State of California, 2007).
HIPAA is organized into five separate “titles”. Title 1, HIPAA Health Insurance Reform;
mainly enhances both the Employee Retirement Income Security Act of 1974 (ERISA)
and the Public Health Service Act, to increase the portability of health insurance by
limiting exclusions that can be made for pre-existing conditions, prohibiting
discrimination based on claim history or health status, and guarantee the availability or
renewability of health coverage for individuals with prior coverage. Title 2,
Administrative Simplification; addresses the issues of preventing and controlling
healthcare fraud, reform of medical liability, and simplifying the administration of
healthcare in the United States. Title 3, HIPAA Tax Related Health Provisions; changes
to the Tax Code, including the creation of a deduction for funds paid into Medical
Savings Accounts (MSAs), increased deductions for the health insurance expenses of
self-employed individuals, shifting the treatment of long-term care agreements as an
insurance contract, and tax exemption for state insurance pools. Title 4, Application and

2. Enforcement of Group Health Plan Requirements; covers portability, access, and
renewability for group health plans. Title 5, Revenue Offsets, addresses various revenue
offsets (Lauber, 2003). This paper will focus specifically in regards to Title 2- HIPAA
Administrative Simplification.
The Administrative Simplification provisions of HIPAA require the Department of
Health and Human Services to establish national standards for electronic healthcare
transactions and national identifiers for providers, health plans, and employers
(Amatayakul, 2000). This title of HIPAA was intended to improve the effectiveness and
efficiency of the various Medicare, Medicaid, Federal, and Private health programs of the
healthcare industry. By simplifying the administration of various systems and enabling
the efficient electronic transmission of certain health information, adopting these
standards have greatly improved the effectiveness of our nation’s healthcare system
(Health Reference Center Academic, 2008).
BACKGROUND INFORMATION
U.S. Legislation recognized that standardizing the means of paying and collecting claims
data electronically, would in fact increase the potential for abuse of people’s medical
information. Therefore, a main part of the act also included increasing and standardizing
the confidentiality and security of people’s health information, also referred to as ePHI
(electronic protected health information) (Centers for Disease Control, 2003). The
United States Department of Health and Human Services (HHS, which is a government
agency for protecting the health of all Americans and administering all federal programs
dealing with health and welfare), defines protected health information as the following:
 Individually identifiable health information transmitted or maintained in any form
or medium, which is held by a covered entity or its business associate.
 Identifies the individual or offers a reasonable basis for identification.
 Is created or received by a covered entity or an employer
 Relates to a past, present, or future physical or mental condition, provision of
healthcare or payment for healthcare.
HIPAA privacy regulations require that access to patient’s information may only be
available to those who are authorized, and that only the information they need (in order to
complete a task) may be accessible, otherwise all other information obtained is a
significant violation of this law (U.S. Department of Health & Human Services, 2009)
The final version of HIPAA privacy regulations were issued by Congress in December,
2000, and went into effect on April 14, 2001. Healthcare organizations were allowed up
to a two-year grace period to be in compliance with these new regulations, without
receiving a penalty. After April 14, 2003, organizations were warned that if they weren’t
incompliance with HIPAA, that they indeed would be penalized and fined a hefty amount
(Lauber, 2003).

3. Prior to HIPAA, there was no uniformed standardization between healthcare
organizations in regards to one’s own personal health record. Many rules and regulations
varied across state to state, and even among healthcare organizations. Various questions
came up and became debatable; such as if an organization was doing business in multiple
states, were the organizations subject to the state where the office was located, or instead
were they subject by the rules of the state where the headquarters was located? Many
healthcare organizations became quickly baffled and didn’t know whether they should
follow federal regulations, or state regulations (HIPAA PS, 2003).
HIPAA clarifies this by providing a uniformed standardization when it comes to the basic
level of security and privacy to one’s own health record information throughout the
country. A prime example of how HIPAA clarifies and simplifies this process occurs
when sending a referral to another office. When doing this, only the medical history
needs to be known, and not the billing information. Thus, healthcare organizations
should only be given the information they need, rather than all the information of one’s
record (HIPAA PS, 2003). With all this being said, the aim is for these organizations to
evaluate these requirements, examine their current methods of how this is being done,
specifically in regards to one’s personal health record, and apply these results to be in
compliance with HIPAA.
GOALS & OBJECTIVES
Title II was designed to accomplish several goals and objectives. In no particular order,
these goals and objectives include: encouraging the use of electronic media to conduct
healthcare transactions, standardize and improve the oversight of how health information
is collected, stored, transmitted, and reported, simplify the administration of healthcare
finance, ensure the continuity of healthcare coverage of people who change jobs, combat
waste, fraud, and abuse in health insurance and healthcare delivery, and require new
safeguards to protect security and privacy of certain health information (US Department
of Health and Human Services, 2005).
To effectively implement the requirements of Title II, three rules were created: The
Privacy Rule, The Security Rule, and The Transactions and Code Set Rule (TCS) (Jacob
& Sundstrom).
NEED FOR PRIVACY & SECURITY STANDARDS
Although converting of individual health records into a more uniformed approach and
digital format by utilizing twenty-first century technology, instead of a redundant, old and
time-consuming manual process, is great for the healthcare industry by eliminating
inefficiencies; it must be noted that with the uses of such technology, comes the exploit
of accessing such vital and confidential data with ease. Given that healthcare
organizations are now required to transmit patients’ information electronically, there is
great concern that it will be easier than ever for this confidential information to be leaked
out into the public domain. Therefore, privacy of one’s data is mandated across all
organizations. The United States Department of Health and Human Services for Civil

4. Rights administers and enforces the “Privacy Rule” and the “Security Rule”. (US
Department of Health and Human Services, 2005)
PRIVACY RULE
The HIPAA Privacy Rule is a national standard to protect individuals’ medical records
and other personal health information and applies to health plans, healthcare
clearinghouses, and to other healthcare organizations that conduct healthcare transactions
electronically. This rule requires the appropriate safeguards to protect the privacy of
one’s personal health information, and sets limits on the uses and disclosures that may be
made available of such information without proper patient authorization. This rule also
gives patients rights over their own health information, including rights to evaluate and
obtain a copy of their record, and to correct any possible inaccuracy reporting in their
record (Department of Health and Human Services: Office of the Secretary, 2002).
If any organizations are at fault at respecting these privacy laws, such as any person who
knowingly uses a unique health identifier, or obtains or discloses individually identifiable
health information without necessary reason or without proper authorization, Congress
has establish civil monetary penalties and imprisonment for such violations of these
provisions. These violations include fines of up to $50,000 and/or imprisoned for one
year. If the offense is “under false pretenses” fines can accumulate of up to $100,000
and/or imprisonment of up to 5 years. Lastly, if the offense is with intent to sell, transfer,
or use individually identifiable health information for commercial advantage, personal
gain, or malicious harm, fines can accumulate of up to $250,000 and/or 10 years of
imprisonment (Department of Health and Human Services: Office of the Secretary, 2002).
WHY PRIVACY?
Growing concerns about ones privacy in regards to information in the healthcare industry
has always been an issue of such immense importance. There are many reasons why
people want this information protected at the highest level. Whatever the reason may be,
people have the right to have their own personal information protected and privacy is
necessary to secure effective, high quality healthcare. Below are some examples of
recent (within the last 15 years) health-related privacy breaches with the use of
technology (Health System Compliance: Privacy Case Examples, 2009):
 A Michigan-based health system inadvertently posted medical records of
thousands of patients on the Internet.
 A Utah-based pharmaceutical benefits management firm used patient data to
solicit business for its owner, a drug store.
 An employee of the Tampa, FL health department took a computer disk
containing the names of 4,000 people who had tested positive for HIV.
 A Nevada woman purchased a used computer, discovered that the computer
contained prescription records of the customers of the pharmacy that had
previously owned the computer, which included: names, addresses, social security
numbers, and a list of all the medicines the customers had purchased.

5. SECURITY RULE
The HIPAA Security Rule consists of standards and implementation requirements that
healthcare organizations must convene in order to become compliant with HIPAA. All
organizations that access, store, maintain, or transmit patient-identifiable information are
required by law to meet the HIPAA Security Rule. Failure to be in compliance with this
rule, similar to the Privacy Rule, can result in a hefty fine and criminal imprisonment
(HIPAA Security Rule Overview, 2004).
Below, are the general requirements that the HIPAA Security Rule establishes, and that
individuals and organizations are mandated to follow (Jacob & Sundstrom):
1) Ensure the confidentiality, integrity, and availability of all electronic protected
health information (ePHI) the covered entity creates, receives, maintains, or
transmits.
2) Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information.
3) Protect against any reasonably anticipated uses or disclosures of such information.
4) Ensure compliance by the workforce.
Covered entities, defined by HHS as: a healthcare provider that conducts certain
transactions in electronic form, a healthcare clearinghouse, or a health plan; have been
provided with flexibility of approach and can decide on which security measures to use
by taking into consideration the following factors (HHS Centers for Medicare &
Medicaid Services, 2005):
 The size, complexity, and capabilities of the covered entity.
 The covered entity’s technical infrastructure, hardware, and software security
capabilities.
 The costs of security measures.
 The probability and criticality of potential risks to electronic protected health
information.
The main objective of the Security Rule is for all covered entities, such as hospitals,
healthcare providers, pharmacies, clearing houses, and health plans to support the
Confidentiality, Integrity, and Availability (CIA) of all ePHI. With this being said, the
Security Rule outlines five major requirements (HIPAA Security Rule Overview, 2004):
 Administrative Safeguards
 Physical Safeguards
 Technical Safeguards
 Organizational Requirements
 Policies, Procedures, and Documentation Requirements
Administrative Safeguards

6. Administrative Safeguards are defined as the “administrative actions, and policies and
procedures, to manage the selection, development, implementation, and maintenance of
security measures to protect ePHI and to manage the conduct of the covered entity’s
workforce in relation to the protection of that information” (Walter L. Fitzgerald Jr.,
2004).
The Security Rule includes nine standards under the Administrative Safeguards (Mount
Carmel, 2009):
1) Security Management Process
2) Assigned Security Responsibility
3) Workforce Security
4) Information Access Management
5) Security Awareness and Training
6) Security Incident Procedures
7) Contingency Plan
8) Evaluation
9) Business Associate Contracts (BAC) and Other Arrangements
Physical Safeguards
Physical Safeguards are defined as the “physical measures, policies and procedures to
protect a covered entity’s electronic information systems and related buildings and
equipment from natural and environmental hazards, and unauthorized intrusion” (HIPAA
FAQ, 2004):
The Security Rule includes four standards under Physical Safeguards:
1) Facility Access Controls
2) Workstation use
3) Workstation Security
4) Device and Media Controls
Technical Safeguards
Technical Safeguards are defined as the “technology and policy and procedures for its
use that protect ePHI and control access to it” (US Department of Health and Human
Services, 2005).
The Security Rule includes five standards under Technical Safeguards:
1) Access Controls
2) Audit Controls
3) Integrity
4) Person or Entity Authentication
5) Transmission Security

7. Organizational Requirements
Organizational Requirements includes the standard, business associate contracts or other
arrangements where a covered entity must be in compliance with these standards. If they
are not, the covered entity is required to (Davis, 2001):
1) Terminate the contract or arrangement, if feasible or
2) If termination is not feasible, report the problem to the Secretary (HHS).
Policies, Procedures, and Documentation Requirements
The Policies, Procedures, and Documentation requirements includes two standards
(Mount Carmel, 2009):
1) Policies and Procedures Standard
2) Documentation Standard
With this requirement, covered entities must implement reasonable and appropriate
policies and procedures to comply with the standards and implementation specifications.
Policies and procedures can be changed at any time, however as long as the changes are
documented and implemented with compliancy (HIPAA Security Rule Overview, 2004).
PRIVACY RULE vs SECURITY RULE
In order to protect one’s privacy of information, the existence and deliberation of security
measures must be taken to protect that information. As a result, privacy and security
jointly rely heavily on the other in order for HIPAA to be successful.
The Security Rule defines the administrative, physical, and technical safeguards needed
to protect the confidentiality, integrity, and availability of electronic protected health
information. Covered entities must implement specific safeguards and protect ePHI from
unauthorized access, alteration, deletion, and transmission (Jacob & Sundstrom).
In contrast, the Privacy Rule sets standards for how protected health information (both
electronic and non-electronic) should be controlled (Nosowsky & Giordano, 2005). For
instance, who is authorized to receive such information and what rights do patients have
in regards to the respect and confidentiality of their own health information. The
immense difference between the two though is that Security is only regarded to the ePHI,
whereas Privacy can be regarded to non ePHI as well.
BEYOND PRIVACY & SECURITY
On July 27, 2009, Secretary of the Department of HHS, Kathleen Sebelius, delegated
authority for the administration and enforcement of the Security Standards for the
Protection of Electronic Protected Health Information (Security Rule) to the Office for
Civil Rights (OCR). According to the U.S Department of HHS, this achievement will
improve HHS’ ability to protect individuals’ health information by combining the
authority for administration and enforcement of the Federal standards for health

8. information privacy, HIPAA. The Privacy Rule is also administered and enforced by
OCR (U.S. Department of Health & Human Services, 2009).
Congress authorized the improved enforcement of the Privacy and Security Rule in the
Health Information Technology for Economic and Clinical Health (HITECH) Act, as part
of the American Recovery and Reinvestment Act of 2009 (ARRA). Since Privacy and
Security go hand-in-hand with each other, combining the enforcement authority into one
agency within HHS, will aid in making improvements by eliminating redundancy, and
increasing the efficiency of investigations and resolutions of failures to comply with both
rules. Additionally, combining the administration of the Privacy and Security Rule,
establishes consistency within the healthcare industry (U.S. Department of Health &
Human Services, 2009).
TRANSACTION AND CODE SETS RULE (TCS)
The HIPAA Transaction and Code Sets (TCS) Rule regulates to a uniformed standard
that an covered entity must adhere to. These codes were created to establish efficiency
and better manage the flow of information among entities. By maintaining this standard,
one’s cost savings can greatly be improved (American Medical Association, 2009).
As defined by HHS, transactions are “electronic exchanges involving the transfer of
information between two parties for specific purposes.” (Department of Health and
Human Services: Office of the Secretary, 2002) For instance, transactions can consist of
any of the following: claims and encounter information, payment and remittance advice,
claims status, eligibility, enrollment, and disenrollment, referrals and authorizations, and
premium payments. Under HIPAA, if a covered entity conducts any of the mentioned
transactions electronically, they must use this standard, which means that they must
adhere to the content and format requirements of each standard (HHS Centers for
Medicare & Medicaid Services, 2005)
HIPAA has also adopted specific code sets for diagnosis and procedures to be used in all
transactions. The HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians
Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and Hospital Inpatient
Procedures), ICD-10 (As of October 1, 2013) and NDC (National Drug Codes). These
codes in which covered entities are familiar with, are nationally accepted wide code sets
for procedures, diagnoses, and drugs (HHS Centers for Medicare & Medicaid Services,
2005).
Additionally, HIPAA has also adopted standards for unique identifiers for Employers and
Providers, which must be used in all transactions. Similar to the previous two rules, if a
covered entity fails to comply with this rule, they are in violation of the law and face
hefty penalties (Cunningham, 2000).

9. CONCLUSION
Title II of HIPAA was established because of the lack of standardization and inefficiency
in processing financial and administrative transactions. In addition, with twenty-first
century technology at the tip of Congress’ tongue (when making of HIPAA), they
realized that it was time for the healthcare industry to bite into this technology, and for
the industry to start taking advantage of the opportunity that lies upon them, while
addressing major privacy and security concerns.
This title was not only designated to encourage the use of electronic media for healthcare
transactions, but in addition to simplify the administration piece by standardizing and
improve the oversight of this information. With the use of requiring new safeguards and
new rules; waste, fraud, and abuse all have been issues that have been identified and
reduced in the health insurance and healthcare industry.

10. References
Amatayakul, M. (2000). The Race to Standardize Medical Record Information. MD
Computing , 17 (6), 22-24.
American Medical Association. (2009). Understanding the HIPAA Standard
Transactions: The HIPAA Transactions and Code Set Rule.
Centers for Disease Control. (2003). HIPAA Privacy Rule and Public Health. Morbidity
and Mortality Weekly Report , 52, 1-12.
Cunningham, R. (2000). Old Before Its Time: HIPAA. Health Affairs: The Policy
Journal of the Health Sphere , 19, 231-237.
Davis, K. B. (2001). Privacy Rights in Personal Information: HIPAA and The Privacy
Gap Between Fundamental Privacy Rights and Medical Information. The John Marshall
Journal of Computer & Information Law , 19.
Department of Health and Human Services: Office of the Secretary. (2002). Standards
for Privacy of Individually Identifiable Health Information; Final Rule.
Fitzgerald Jr, W. L. (2004, June 21). HIPAA Today: Get Acquainted with Terminology
of Security Standards. DrugTopics , p. 148.
Health Reference Center Academic. (2008). Healthcare Financial Management , 62 (10).
Health System Compliance: Privacy Case Examples. (2009). Retrieved December 13,
2009, from UC Davis Health System:
http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/example.html
HHS Centers for Medicare & Medicaid Services. (2005). HIPAA Regulations and
Guidance HIPAA General Information. Baltimore: US Department of Health & Human
Services CMS.
HIPAA FAQ. (2004). Retrieved December 13, 2009, from Emory University:
http://hipaa.emory.edu/FAQs/index.cfm
HIPAA PS. (2003). What is HIPAA? Retrieved December 11, 2009, from HIPAA PS:
http://www.hipaaps.com/main/background.html
HIPAA Security Rule Overview. (2004, December 3). Retrieved December 12, 2009,
from HIPAA Academy:
http://www.hipaaacademy.net/consulting/hipaaSecurityRuleOverview.html
Jacob & Sundstrom. HIPAA Security Rule Basics. Baltimore: Jacob & Sundstrom, Inc.
Information Systems Consulting.

11. Lauber, J. G. (2003). HIPAA Administrative Simplification: How the Privacy Rule
Affects Municipal Ambulance Service Providers. Urban Lawyer , 317.
Mount Carmel. (2009). HIPAA Information Security Overview. Trinity Health.
Nosowsky, R., & Giordano, T. J. (2005, November 7). The Health Insurance Portability
and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for Clinical
Research. Annual Reviews , 575-590.
State of California. (2007). What is HIPAA. Retrieved December 11, 2009, from
Department of Health Care Services:
http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00%20WhatisHIPAA.aspx
U.S. Department of Health & Human Services. (2009). Health Information Privacy.
Retrieved December 12, 2009, from HHS:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
US Department of Health and Human Services. (2005). Information Security Program:
Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide. US
Department of Health and Human Services.