HIPAA Information
This section contains information for the public about the Health Insurance Portability and Accountability Act of 1996 as it relates to the pharmacy industry.
What Do I Need Now for HIPAA?
Implementation of the NCPDP Standards
- NCPDP Implementation Overview - NCPDP has created this document to provide summary information of the transactions requested in the next round of HIPAA. This document also provides important information needed for analysis and planning, and resource links. Please see important information regarding Quantity Prescribed field implementation.
Telecommunication Version D.0
Quantity Prescribed (460-ET) Final Rule CMS-0055-F
The final rule CMS-0055-F published on January 24, 2020, adopts a modification of the requirements for the use of the Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0), August 2007, National Council for Prescription Drug Programs, by requiring covered entities to use the Quantity Prescribed (460-ET) field for retail pharmacy transactions for Schedule II drugs. This change constitutes a modification to the use of the adopted standard, not a modification to the standard itself.
- Compliance Date: September 21, 2020
- Refer to the following important additional references
Version D Editorial - May 2024
This document provides a consolidated reference point for questions that have been posed based on the review and implementation of the NCPDP Telecommunication Standard Implementation Guide and Data Dictionary for Version D. This document also addresses editorial changes made to these documents. Since the HIPAA-named Standards documents are "frozen" from changes, this document provides helpful FAQs, typographical changes and corrections, and further guidelines for implementation. This document is very important to implementers of the Telecommunication and Batch Standards, and Medicaid Subrogation Implementation Guide, as appropriate. Please continue to review this link as the document is updated as needed. Version D Editorial - May 2024
NCPDP Payer Sheet Template for Telecommunication Version D.0
The NCPDP SNIP Committee developed guidance that is strongly recommended to be used in filling out and creating payer sheets based on Version D.0 and above. Payer Sheets may be used in addition to provider manuals or included in provider manuals. Payers may take the request and response template sections within the guidance document, fill out the template per their usage, and send to their trading partners. The guidance also provides instructional sections to assist the payers in completing their payer sheets. Click here for current version.
Medicaid Subrogation Version 3.0
Medicaid Subrogation Questions, Answers and Editorial Updates
This document provides a consolidated reference point for questions that have been posed based on the review and implementation of the NCPDP Medicaid Subrogation Standard Implementation Guide Version 3.0, and the Data Dictionary and External Code List only as they apply to Medication Subrogation. This document also addresses an editorial change made to the implementation guide in October 2010. Please continue to review this link as the document is updated as needed.
NCPDP Payer Sheet Template for Medicaid Subrogation Version 3.0
The NCPDP SNIP Committee developed guidance is strongly recommended to be used in filling out and creating payer sheets based on Medication Subrogation Implementation Guide Version 3.0, Batch Standard Implementation Guide Version 1.2 and Telecommunication Standard Implementation Guide Version D.0 and above. Payer Sheets may be used in addition to provider manuals or included in provider manuals. Payers may take the request and response template sections within the guidance document, fill out the template per their usage, and send to their trading partners. The guidance also provides instructional sections to assist the payers in completing their payer sheets. Click here for Version 1.0.
ICD-10
CMS Resources
White Paper for HIPAA Implementation of the ICD-10 Code Sets
The NCPDP Strategic National Implementation Process (SNIP) created a white paper to assist the industry in preparing for the implementation of the ICD-10 code sets. Click here for a copy.
Electronic Funds Transfer (EFT) and Remittance Advice (RA)
- April 2013 The Interim Final Rule stands with no modifications. Per CMS, the EFT & ERA Operating Rule Set IFC is a final rule that is in effect now, which means industry implementation efforts should be underway for the January 1, 2014 compliance date. For free copies of the EFT & ERA Operating Rule Set see http://www.caqh.org/.
- January 2012 The Centers for Medicare & Medicaid Services (CMS) Interim Final Rule with Comment Period (IFC) to adopt standards for the Health Care Electronic Funds Transfers (EFT) and Electronic Remittance Advice transaction (ERA) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Other HIPAA Information
HIPAA Privacy Information
- September 2013 The Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have collaborated to develop model Notices of Privacy Practices for health care providers and health plans to use to communicate with their patients and plan members.
- January 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules was published in the Federal Register on January 25, 2013. Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.
- HIPAA Privacy and Security Toolkit supports privacy and security principles for health care stakeholders engaged in the electronic exchange of health information and includes tangible tools to facilitate implementation of these principles.
- ONC's Office of the Chief Privacy Officer (OCPO) Guide to Privacy and Security of Health Information, an instructional guide designed to help healthcare practitioners, staff, and other professionals better understand the important role privacy and security play in the use of electronic health records (EHRs) and Meaningful Use.
HIPAA Security Information
- Security Final Rule - February 20, 2003 Health insurers, certain health care providers and health care clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care. The rule can be viewed at http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html.
Other HIPAA Privacy and Security Resources
HIPAA Employer ID Information
- Employer ID Final Rule - May 31, 2002 The final rule adopting a standard for a National Employer Identifier was released. This standard will be the Employer Identifier Number issued by the Internal Revenue Service. The final rule can be viewed at https://www.gpo.gov/fdsys/pkg/FR-2002-05-31/pdf/02-13616.pdf.
Operating Rules
Eligibility and Claim Status Transactions
- December 2010 NCVHS received further testimony from the recommended operating rules entities. NCPDP December testimony on operating rules.
- July 2010 NCVHS received testimony from the industry on the naming of operating rules entity(ies). NCPDP formally requested to be named an operating rules entity. NCPDP testimony on operating rules.
EFT and ERA Transactions
- See NCPDP guidance on the use of the X12 835 transaction in the pharmacy industry by searching “835” on the NCPDP Resources page
National Provider ID (NPI)
- Prescriber Type 1 NPI Outreach Template may be used by pharmacies and processors/payers/plans for outreach to prescribers that should obtain a Type 1 NPI prior to May 6, 2013. Pharmacies, processors/payers/plans may add their own logo, date, and signature lines as desired and share with prescribers.
- HHS final rule (2012-21238) specifies the circumstances under which an organization covered health care provider, such as a hospital, must require certain noncovered health care providers, such as physicians who are prescribers, to obtain and disclose an NPI.