Posted in November 2012

Are You Antsy over ANSI & Why It’s Hanging Out in HIPAA Regs?

Are You Antsy over ANSI?

ANSI stands for the American National Standards Institute. ANSI is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organization also coordinates U.S. standards with international standards so that American products can be used worldwide. For example, standards ensure that people who own cameras can find the film they need for that camera anywhere around the globe. The Institute administers five standards panels, including the Healthcare Information Technology Standards Panel. The panel works to identify, coordinate, and harmonize the voluntary standards relevant to these areas. So you may now see why ANSI would be relevant to HIPAA.

ANSI is referenced in Section 160.103 of the Health Insurance Portability and Accountability Act (HIPAA), within the definitional section. HIPAA authorizes HHS to require the use of standards for the electronic exchange of health care data and to specify what medical and administrative code sets should be used within those standards. Later, ANSI appears in the administrative requirement section of HIPAA, Section 162.940, which explains how an organization may petition HHS to deviate from standard transactions and code sets. HHS sets forth a list of evaluative criteria by which such requests will be examined. The petitioning process is extensive and burdensome. In part, an organization must show that the modification is supported by an ANSI-accredited standard setting organization or public organization that would maintain the standard over time.


There has been much discussion and gnashing of teeth regarding a looming requirement that all HIPAA covered entities update to ANSI 5010 and begin using the updated ICD-10 code set. Here, think of ANSI 5010 as the pipeline and ICD-10 as the oil—the highly detailed and discrete coding information system to help ensure precise reimbursement.

By October 1, 2014, all covered entities must be ready to embrace the new coding system, having made all the necessary technological updates and provided adequate training to physicians and administrative staff.

ANSI Understanding?

Hopefully, you now have a better idea about ANSI’s role in standardizing the method by which health care information is coded and conveyed.

Please comment if you have thoughts or questions.  You can also e-mail me @

Thinking too much about ANSI

Julie Meadows-Keefe


How to Scrub Your PHI

Thinking too much about meaningful use

Julie Meadows-Keefe

Protected Health Information (PHI) is Personal

Protected health information (PHI) is some of the most personal information that exists about you and me. It includes things like our date of birth, height, weight, address, contact numbers, family member names, medication history and more. Generally, an individual receiving health care knows that their PHI will be used for their treatment, for payment and for certain health care operations. Do they also know that their PHI can be sanitized (de-identified) and used for research?

PHI Can Be De-Identified, and therefore, less personal.

At long last, the HHS Office of Civil Rights (OCR) has issued guidance regarding how health insurers, clearinghouses and medical providers should strip patient records of identifying information, in order to permit data to be exempt from privacy restrictions and used in clinical and research studies.

The HHS guidance presents two methods by which health care companies can satisfy a so-called de-identification standard contained within the privacy rule of the Health Insurance Portability and Accountability Act, affectionately known as HIPAA.  These two methods are expert determination and safe harbor.  OCR’s guidance is designed to assist covered entities to understand de-identification, the general process by which de-identified information is created, and the options available for performing de-identification.

The HIPAA Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following certain de-identification methods. The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.

If a covered entity decides to de-identify information via the expert route, the guidance states that the following criteria must be met:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination;


Interestingly, OCR takes pains to state that there is no particular credential necessary for this expert.  If the matter becomes one of OCR enforcement, OCR would look at a particular expert’s qualifications on a case-by-case basis. The expert does not necessarily need to be a statistician.

If a covered entity decides to de-identify by entering the “safe harbor”, there is a rather exhaustive list of what information must be removed. This includes names, street addresses, complete ZIP codes, telephone numbers and social security numbers. OCR points out that only 3 data points (date of birth, gender and ZIP code) uniquely identify over ½ of US citizens.
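
As an added illustration (not part of the original post or of the OCR guidance), this Python sketch measures how many records stay unique on date of birth, gender and ZIP code once the direct identifiers named above are removed. The sample records are constructed, and coarsening to birth year and three-digit ZIP is an assumption of this example.

```python
from collections import Counter

# Constructed sample records (not real patients): illustration only.
FIELDS = ("name", "ssn", "phone", "street", "dob", "gender", "zip", "dx")
ROWS = [
    ("Pat A", "000-00-0001", "555-0101", "1 Elm St", "1980-03-14", "F", "32301", "asthma"),
    ("Pat B", "000-00-0002", "555-0102", "2 Oak St", "1980-07-02", "F", "32303", "diabetes"),
    ("Pat C", "000-00-0003", "555-0103", "3 Ash St", "1980-11-30", "F", "32308", "asthma"),
    ("Pat D", "000-00-0004", "555-0104", "4 Fir St", "1975-01-09", "M", "32301", "heart disease"),
    ("Pat E", "000-00-0005", "555-0105", "5 Bay St", "1975-05-21", "M", "32304", "diabetes"),
    ("Pat F", "000-00-0006", "555-0106", "6 Key St", "1962-08-17", "F", "33101", "asthma"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]

# Direct identifiers the post lists for safe harbor removal.
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "street"}
# The three data points the post says single out most people.
QUASI_IDENTIFIERS = ("dob", "gender", "zip")

def strip_direct(record):
    """Drop the direct identifiers, leaving every other field untouched."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def coarsen(record):
    """Assumed generalization: keep birth year and first three ZIP digits."""
    out = strip_direct(record)
    out["dob"] = out["dob"][:4]
    out["zip"] = out["zip"][:3]
    return out

def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Fraction of records that are alone in their combination."""
    sizes = group_sizes(records, keys)
    alone = sum(1 for r in records if sizes[tuple(r[k] for k in keys)] == 1)
    return alone / len(records)

if __name__ == "__main__":
    stripped = [strip_direct(r) for r in RECORDS]
    coarse = [coarsen(r) for r in RECORDS]
    print("unique after stripping direct identifiers:", unique_fraction(stripped))
    print("unique after coarsening:", unique_fraction(coarse))
    print("smallest group after coarsening:", min(group_sizes(coarse).values()))
```

In the constructed data one record is still alone in its group after coarsening, which is the kind of residual risk the “no actual knowledge” condition and the expert's “very small” risk determination are meant to address.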

PHI is Irresistible to Researchers and Others Because it is a Rich Resource

My personal take on this dates back several years when I recognized that HITECH was invariably tied to the Affordable Care Act in the following ways:

  1. HITECH has incentivized health care providers through both a carrot and stick approach to adopt electronic health records.
  2. HITECH established funding for networking health care providers to share this data.
  3. HITECH, through the mechanism of meaningful use, has developed a methodology for collecting health data on all patients. This includes things like smoking status and body mass index.
  4. The Affordable Care Act ties patient outcome and cost of care to reimbursement.
  5. To control health care costs and maximize better health care outcomes, it makes sense to draw from all available data to see what treatments work best for high-cost chronic conditions that strain the health care system such as heart disease, asthma and diabetes.  The data has to come from somewhere.
  6. Privacy advocates and others are concerned that our health information will be grist for the research mill whether we want it to be or not.
  7. Many individuals are concerned about privacy breaches involving their most sensitive personal information.
  8. On the other hand, researchers, policy-makers and others are salivating over the rich data that now exists to answer many compelling questions and bring us further down the road to curing cancer and other devastating illness.

Varying interests must be balanced moving forward, but one wonders if a patient will be able to fully comprehend that their health information may be scrubbed and used for research. Perhaps we all have a moral obligation to contribute to the body of scientific research aimed at helping us all live healthier lives. But at what point could such research be used to deny care on the basis that it has been proven that in most cases a particular treatment succeeds very seldom yet is very expensive?


We enter into a brave new world.  May patients, providers and the public remain engaged on the topic of PHI. Please leave a comment if you’d like to join the discussion!


What is a Health Care Clearinghouse?

What is a health care clearinghouse? Most people hear the word “clearinghouse” and think of commercials featuring shocked sweepstakes winners having their lives changed when strangers come to their door with TV cameras, balloons, bouquets and big cardboard checks.

However, for purposes of HIPAA (Health Insurance Portability and Accountability Act), a health care clearinghouse is an entity that transforms or translates data from one form to another so that it is usable for a particular purpose. A health care clearinghouse is a covered entity under HIPAA. That means that a health care clearinghouse is governed by HIPAA.

In trying to understand the nature of a health care clearinghouse, imagine the difficulty you have traveling abroad and not speaking the native language. You will need a translator in order to communicate. A clearinghouse can be thought of as a sort of translator. A clearinghouse can also organize or structure data. Whereas health data used by a doctor or hospital may be useful to them for documenting patient care, data in that form may not be useful to payors. Data may need to be coded or presented in a certain way to be usable for a permitted purpose.

Health care clearinghouses can be public or private entities. As HIPAA considers a clearinghouse, the entity most often is one of the following:

  • a billing service
  • a repricing company (which takes the bills, matches them up with the insured’s contract with the hospital, and adjusts them to the pre-negotiated price).
  • a community health management information system or community health information system, and “value-added” networks and switches, that perform either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.   A key objective of HIPAA was to require national uniform methods and uniform codes for the exchange of electronic information between health care providers and health plans.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health care clearinghouses make data user-friendly for particularized purposes.  Most often, clearinghouses are trying to convert data for billing purposes, price comparison and cost-effectiveness analysis.  It’s reasonable to speculate that health care clearinghouses will have an enhanced role to play in a post Affordable Care Act world, because costs and benefits of particular treatments and efficient use of resources will become even more important.

Although you have not won a sweepstakes by reading this post, you now know what a health care clearinghouse is, how it functions, its purpose and why it’s important for clearinghouses to understand HIPAA’s requirements.

If you need assistance understanding HIPAA’s applicability to your organization, contact me: or leave a comment below.


What is a Health Plan?

Health Plans Under HIPAA

The law is just a part of my identity

Julie Meadows-Keefe








Health Plans are important to Americans.  HIPAA applies to health plans, health care providers and health care clearinghouses.

 What does HIPAA Consider a Health Plan?

Today, I want to focus on its applicability to health plans (45 CFR 160.102(a)(1)). Health plans are probably familiar to you. These are most often known as health insurance companies. More specifically, a health plan means an individual or group plan that provides or pays the cost of medical care.

I’ll provide a quick list of further definitional aspects of what constitutes a health plan. A health plan can have one or several aspects of the following:

(i) A group health plan;

(ii) A health insurance issuer;

(iii) An HMO (Health Maintenance Organization);

(iv) Part A or Part B of the Medicare program;

(v) The Medicaid program;

(vi) An issuer of a Medicare supplemental policy;

(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy;

(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers;

(ix) The health care program for active military personnel under title 10 of the United States Code;

(x) The veterans health care program under 38 U.S.C. chapter 17;

(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS);

(xii) The Indian Health Service program under the Indian Health Care Improvement Act;

(xiii) The Federal Employees Health Benefits Program;

(xiv) An approved State child health plan under title XXI, providing benefits for child health assistance;

(xv) The Medicare+Choice program under Part C of title XVIII;

(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals;

(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care.

What’s not considered a health plan under HIPAA?

Any discussion of what a health plan includes should also include a list of what’s excluded from the definition of a health plan.  These exclusions include:

(ii) A government-funded program (other than one listed in paragraph (1)(i)–(xvi) of this definition):

(A) Whose principal purpose is other than providing, or paying the cost of, health care; or

(B) Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.

 Under HIPAA, there is a rather specific laundry list of what is and isn’t a health plan.

It’s intuitive to think you already know what a health plan looks like for general purposes, but I hope that it was helpful to receive more details regarding how HIPAA defines a health plan.

If your organization would like further training, please contact me at