The requirement to adopt HIPAA unique identifiers for individuals, employers, health plans, and healthcare providers was originally included in the text of HIPAA in order to improve the efficiency of healthcare transactions and to reduce administrative costs. However, no standards were ever adopted for individuals, and the standards for health plans were rescinded in 2019.

The requirement for the Secretary of Health and Human Services (HHS) to adopt HIPAA unique identifiers appears in §1173 of HIPAA (42 USC 1320d-2(b)). Referred to as “unique health identifiers” in the text of HIPAA, the standard instructs the Secretary to:

“Adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers”.

The instruction was part of a larger goal to achieve uniform national health data standards that would support the efficient electronic exchange of health information used in HIPAA-covered transactions (the “health care system” mentioned above). However, the instruction was only partly complied with due to the cost and complexity of standardizing HIPAA unique identifiers for individuals and health plans.

The Cost of Adopting Individual HIPAA Identifiers

In 1998, HHS published a white paper containing multiple options for adopting individual HIPAA unique identifiers. The white paper listed 30 criteria for evaluating the options, and discussed the pros and cons of each identifier type. It also discussed the practicalities of adopting specific identifiers and the cost of implementation. Due to the costs of implementation and for converting existing systems, no standards for individual HIPAA unique identifiers were ever adopted.

The Quick Fix for Employer HIPAA Unique Identifiers

Employer HIPAA unique identifiers are necessary when an employer enrolls or disenrolls an employee in a health plan, or when a health plan needs to keep track of premium payments or contributions from a certain employer for certain types of benefit. As all employers are required by 26 USC 6011(b) to have an IRS-issued Employer Identification Number (EIN), HHS published a Final Rule in May 2002 adopting EINs as employer HIPAA unique identifiers.

The Complexity of Using Four Health Plan Identifiers

Due to the different ways in which health plans function, multiple codes of different lengths and formats were in use by the time HHS published a Final Rule in 2012. Even then, rather than there being one unique identifier for health plans, there were four. Due to the complexity of using the identifiers and the manual processes still required to process HIPAA transactions, the standards were never enforced and the HIPAA identifiers for health plans were rescinded in 2019.

Healthcare Provider Identifiers Were Already in Use

Prior to the passage of HIPAA, the Health Care Finance Administration (now known as CMS) had been working on a National Provider Identifier (NPI) for use in Medicare and Medicaid programs. In 1998, HHS proposed the NPI should be extended to all health plans. The proposal was finalized in 2004, and a National Plan and Provider Enumeration System was set up to assign HIPAA unique identifiers to healthcare providers not yet issued an NPI.

Unique Identifiers Should Not be Confused with PHI Identifiers

Several sources discussing HIPAA identifiers confuse employer and provider identifiers with the PHI identifiers that must be removed from a designated recorded set before any health information remaining in the record set can be considered de-identified under the safe harbor method of de-identification. It is important to understand the difference between the two types of identifiers to avoid preventable HIPAA violations.

Employer and provider identifiers are identifiers that must be used in healthcare transactions between providers (or their business associates) and health plans. PHI identifiers are individually identifying information that can identify the subject of PHI. Covered entities and business associates who are uncertain about the difference between HIPAA unique identifiers and PHI identifiers are advised to seek HIPAA compliance advice.

The post HIPAA Unique Identifiers Explained appeared first on The HIPAA Journal.