HIPAA Compliance

The provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were designed to streamline all areas of the health care industry and provide additional rights and protections to health plan members. HIPAA also established standards for electronic health care transactions as well as privacy and security standards to protect individually identifiable health information of patients.

HIPAA was enacted to:

  • Provide continued health care coverage for individuals who change jobs, are self-employed, or have pre-existing medical conditions.
  • Improve efficiency by simplifying and streamlining health care administration.
  • Establish national standards and regulations for sharing and storing health information.
  • Protect patients’ privacy and confidential health records.

National Provider Identifier (NPI)

HMSA has modified our systems to accommodate the use of NPI in HIPAA-covered transactions, such as claims, remittance advices, and eligibility inquiries.


HMSA’s security policies, procedures, and practices are consistent with the HIPAA security regulations and generally accepted industry practices. We continue to assess our information security program and make improvements as necessary.

Electronic Health Care Transactions & Code Sets

HMSA uses HIPAA-standard formats for all electronic health care transactions governed by HIPAA.


HMSA’s policies meet HIPAA Privacy regulations. Privacy policies include:

  • Notifying members about their privacy rights and how their information can be used.
  • Implementing privacy policies and procedures to assure member rights to privacy.
  • Employee training on privacy policies and procedures.
  • Designating an individual responsible for seeing that privacy policies and procedures are adopted and followed.
  • Securing records with confidential member information and providing access only to those who need them.

HMSA's HIPAA Compliance Status:

HIPAA 5010

Compliance Date - 1/1/2012
The current 4010A1 standard format of electronic transactions of certain administrative or financial information is being replaced with a new 5010 version.

National Provider Identifier

Compliance Date - 5/23/2007
A national, standard identifier for health care providers. The National Provider Identifier (NPI) is required for all electronic transactions governed by HIPAA.


Compliance Date - 04/20/2005
Safeguards for protected health information (PHI) including storage, maintenance, transmission, and access.

Electronic Health Care Transactions & Code Sets

Compliance Date - 10/16/2003
A standard format for electronic transmission of certain administrative or financial information. National standards for coding medical procedures, prescription drugs, and diagnoses.


Initial Compliance Date - 4/14/2003
HITECH Compliance Date - 2/18/2010
Omnibus Compliance Date - 9/23/2013
Policies and procedures for authorization, notice of privacy practices, members’ rights, minimum necessary uses and disclosures of PHI. HMSA Membership Notice

Health Plan Identifier (HPID)

Compliance Date – 11/5/2014
Establishes a unique health plan identifier to identify the Health Plan within the HIPAA transactions. Health Plans must obtain an HPID by Nov. 5, 2014. Covered entities must use HPIDs in the standard transactions starting Nov 2016.

Operating Rules for Eligibility & Claim Status

Compliance Date – 1/1/2013
Operating Rules to streamline data content & infrastructure for 270/271 & 276/277 HIPAA transactions.

EFT & Operating Rules for EFT/ERA

Compliance Date – 1/1/2014
To establish standards for Electronic Funds Transfer. Operating Rules to streamline data content & infrastructure for EFT & ERA transactions, as well as establishing an online enrollment mechanism to enroll in EFT & ERA.


Compliance Date – 10/1/2015
Conversion from current ICD-9 codes to ICD-10-CM (diagnosis) and ICD-10-PCS (inpatient procedure) codes for services starting on October 1, 2015.