 Hello and welcome to the Centers for Medicare and Medicaid Services program on the basics of HIPAA administrative simplification. I'm Valerie Hart and I'm joined by John Young and we'll be your guides as we review the information you need to know about HIPAA and complying with its administrative simplification provisions, specifically the electronic healthcare transaction and code set standards. This program is designed to help you understand the history of HIPAA and its benefits for you. Unsure whether you're a covered entity? We'll show you how to find out. Then we'll cover the standards that have been adopted for electronic transactions and code sets. You'll find out why the designated standards maintenance organizations may be important to you. You will also learn about some of the steps you need to take to become compliant with the administrative simplification provisions of HIPAA. We'll also touch on how HIPAA's rules and deadlines will be enforced. We'll also share the answers to some of the HIPAA questions that we have received and show you how to get more information about HIPAA. Congress passed the Health Insurance Portability and Accountability Act in 1996. In addition to creating consumer protection for healthcare benefits, the portability part of HIPAA, HIPAA will standardize financial and administrative health transactions for the public and private sectors, increase speed and efficiency, cut the cost of delivering healthcare services, and set minimum standards of protection for the storage, use and transfer of protected health information. In short, HIPAA puts the force of law behind the adoption of standards. The HIPAA statute has five titles. The second title contains the administrative simplification provisions and is the one we will focus on today. There are four main areas that comprise administrative simplification. The first is electronic transactions and code sets. 
HIPAA adopts and requires the use of uniform national standards and requirements for conducting electronic healthcare transactions. The second area is the unique identifier. HIPAA requires establishing and assigning a standard identifier that providers, health plans and employers will use for every electronic healthcare transaction. The third is privacy. Under HIPAA, covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. The final area is security. HIPAA addresses how electronic health information is stored, transmitted and accessed. The administrative simplification standards adopted by the Secretary of the Department of Health and Human Services under HIPAA apply to all healthcare clearinghouses, all health plans, and those healthcare providers that conduct certain transactions in electronic form or use a billing service to conduct transactions on their behalf. If you meet one or more of these criteria, you are a covered entity and must comply with the administrative simplification requirements of HIPAA. We have mentioned transactions a lot. Exactly what is a transaction? A transaction is the electronic transmission of information between two parties to carry out financial or administrative activities related to healthcare. Electronic transaction standards have been developed for the following exchanges of information: healthcare claims or equivalent encounter information, healthcare payment and remittance advice, healthcare claim status, eligibility inquiry, referral certification and authorization, enrollment and disenrollment in the health plan, health plan premium payments, coordination of benefits, claims attachment (standards forthcoming), and first report of injury (standards forthcoming). What do we mean by electronic? 
The term electronic is used to describe moving healthcare data via the internet, an extranet, leased lines, dial-up lines such as direct data entry or DDE, private networks, point of service, and health data that is physically moved from one location to another using magnetic tape, disk or CD media. Faxes sent using a dedicated fax machine, as opposed to faxing from a computer, and voice response units on phones are not subject to the transaction standards but may have to meet privacy and security standards. Now let's catch up with another special term and define direct data entry or DDE in some more detail. With DDE a remote user keys data directly into a health plan's computer using dumb terminals or computer browser screens. Health plans can give providers the option to use DDE but are not obligated to do so. In this segment we get back to more of the details of administrative simplification. Although HIPAA was enacted in 1996, each of the provisions of administrative simplification is set in motion through the issuing of proposed and final regulations. Thus, each part of administrative simplification has different effective dates and different compliance deadlines. We'll review them in the next section. The final rule for electronic transactions and code set standards was issued in August 2000. Compliance with this rule was required by October 16, 2002 for large health plans, health care providers and health care clearinghouses. However, Congress realized that many covered entities would not be ready to comply with that date. So in December of 2001, it passed legislation that became Public Law 107-105, also known as the Administrative Simplification Compliance Act or ASCA for short, which amended HIPAA and granted a one-year compliance extension to October 16, 2003 under certain conditions. 
That extension was available to covered entities scheduled to become compliant in 2002, provided the covered entity submitted a compliance extension plan to CMS by October 15, 2002. Small health plans with receipts of less than $5 million have always had until October 16, 2003 to comply, and the compliance date was not affected by the extension. Covered entities that filed for an extension are required to begin their internal testing by April 16, 2003. Does HIPAA require that I submit my health care claims electronically? HIPAA does not require that you submit health care claims electronically. What it does require is that if you conduct certain transactions electronically, you must use the HIPAA standards. And there's another important element of ASCA. It requires that most Medicare claims submitted after October 16, 2003 be submitted electronically. There will be exceptions to this requirement. For example, you will be able to continue to submit paper claims if there is no method available for submitting them electronically. Also, regardless of whether an electronic claim format is available, small providers of services or supplies can continue to use paper. Small providers are defined by ASCA as a physician, practitioner, facility or supplier other than provider of services with fewer than 10 full-time equivalent employees, or a provider of services with fewer than 25 full-time equivalent employees. There may be additional exceptions. Regulations clarifying the exceptions to the Medicare electronic billing requirements will be issued. If you are a provider and believe you qualify for an exception, you should continue to bill Medicare via paper. There is currently no mechanism in place to request a waiver of these requirements, so please be patient and wait for the regulations to be issued. It's time to hear one of the HIPAA questions that we received. I'm a small healthcare provider. I've heard that I'm excluded from HIPAA. Is that true? No. 
Small providers are not excluded from HIPAA. The size of the healthcare provider's office does not exempt them from HIPAA. If a healthcare provider transmits any of the designated transactions electronically, they are considered a covered entity and are subject to the administrative simplification provisions of HIPAA. Thanks. Now, let's move on to the compliance dates for the other key components of administrative simplification. The final rule for HIPAA privacy, published in December of 2000 with final modifications published August 14, 2002, set the compliance date of April 14, 2003 for all covered entities except small health plans. Remember, even if you got the one-year extension for meeting the electronic transactions and code sets requirements, you still must meet all deadlines for compliance with the deadlines for the privacy provisions or any of the other HIPAA administrative simplification provisions. April 14, 2004 is the privacy compliance date for small health plans. The standard unique identifiers mandated by HIPAA include the following: the National Employer Identifier, the National Provider Identifier, and the National Health Plan Identifier. The final regulations that specify the National Employer Identifier were published in May 2002. The rules adopt the Employer Identification Number, or EIN, an existing identifier already issued by the Internal Revenue Service, as the National Employer Identifier for use in health care transactions. The use of this identifier will improve the Medicare and Medicaid programs and the effectiveness and efficiency of the health care industry in general by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information. All covered entities except small health plans must comply with the National Employer Identifier Standards by July 30, 2004. Small health plans must comply by August 1, 2005. 
As of December 2002, the final regulations for the National Provider Identifier are still pending and the rule for the National Health Plan Identifier has not been released. On February 20, 2003, the Department of Health and Human Services published the final rule for security standards for electronic protected health care information. This rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The security compliance dates are April 21, 2005 and April 21, 2006 for small health plans. Please visit the CMS website for current information about security. That site is www.cms.hhs.gov/hipaa/hipaa2. We'll provide a list with this address and other helpful web addresses at the end of the program. Before we move on, let's review each of the three covered entity categories in more detail to help you determine if you are a covered entity. Let's start with providers. How do you know if you or your business is a covered health care provider? All health care providers that conduct any electronic transactions for which the Secretary of the Department of Health and Human Services has adopted standards are covered entities. This includes providers who use a billing service or a clearinghouse. This includes hospitals, clinics, nursing homes, physicians, suppliers, and others that furnish, bill, or receive payments for health care services in the normal course of business. If you use another entity such as a clearinghouse to conduct covered transactions in electronic form on your behalf, you are considered to be conducting the transaction in electronic form and thus you are a covered entity. Now how do you determine if your business is a covered health care clearinghouse? 
If your business processes or facilitates the processing of health information from non-standard formats to standard formats and vice-versa, you are considered a clearinghouse and thus a covered entity. Clearinghouse services may be provided by many types of organizations, including billing services, repricing companies, or in some cases, banks. Finally, how do you determine if your private benefit plan or government funded program is a health plan? A health plan is broadly defined as an individual or group plan that provides or pays the cost of medical care. For private benefit plans in general, it is considered a health plan if the plan is a health insurance issuer, a group health plan, an insurer of a Medicare supplemental policy, an HMO, or a multi-employer welfare benefit plan. Long-term care policies in addition to other policies are covered. However, nursing home fixed indemnity policies are not. There is an important exception to that definition. If the plan is a group health plan that has fewer than 50 participants and is self-administered, then it is not considered a health plan. Remember, HIPAA gave small health plans an additional year to comply with the HIPAA transaction and code sets standards. So what exactly is a small plan? A small health plan is defined as having annual receipts of $5 million or less. Annual receipts means total income or gross income plus cost of goods sold as these terms are defined or reported on IRS federal tax return forms. Health plans that do not report receipts to the IRS, such as ERISA group health plans exempt from filing income tax returns, should use proxy measures to determine their annual receipts. Fully insured health plans should use the amount of total premiums which they paid for health insurance benefits during the plan's last full fiscal year. 
Self-insured plans, both funded and unfunded, should use the total amount paid for healthcare claims by the employer, plan sponsor or benefit fund, as applicable to their circumstances on behalf of the plan during the plan's last fiscal year. These plans that provide health benefits through a mix of purchased insurance and self-insurance should combine the proxy measures to determine their total annual receipts. Finally, most government-funded programs are considered health plans. This includes Medicare, Medicare Plus Choice, Medicaid, State Children's Health Insurance Program, TRICARE, Indian Health Service, Veterans Health Care Program and the Federal Employees Health Benefit Program. However, government-funded programs other than those listed above are not health plans if their primary purpose is other than paying for or providing care, or if their principal activity is the direct provision of health care or making grants to fund health care. Remember, if you are a covered entity, you are responsible for complying with the rules and regulations of administrative simplification, including meeting all compliance deadlines of each of the provisions. If you still have questions about how to determine if you are a covered entity, you can visit the CMS website at the address on the screen and follow the covered entity flowchart decision tool. Okay, so let's say you've determined that you are a covered entity. In segment two, we briefly touched on the HIPAA transactions. Now let us clarify the transactions and code set standards that covered entities must use. Let's listen to another HIPAA question. I'm a health care provider. Am I allowed to submit claims both electronically and by paper? Under HIPAA, a provider has the option for any transaction to conduct it electronically or on paper. HIPAA does not require that you choose one method. However, if you choose to conduct electronic transactions, you must use the HIPAA transactions and code sets. 
Also, once a provider uses an electronic transaction, you become a covered entity and subject to the privacy rules also. Keep in mind that after October 16, 2003, Medicare will only accept paper claims under limited circumstances. HIPAA mandates the use of national standards for the electronic transfer of certain health care data between health care providers, health plans, and health care clearinghouses. It replaces many non-standard formats with a single set of electronic standards to be used throughout the U.S. health care industry. Standards have been developed for eight of the 10 transactions. We'll review these in a moment. Not every covered entity will conduct all of these transactions. For instance, health care providers would not engage in enrollment or disenrollment in a health plan. For each of the transaction standards, there is also an associated implementation guide. Implementation guides can be thought of as big recipe books, which provide detailed technical specifications that explain how to build a standard transaction. This includes format specifications, content specifications, and certain code sets. These guides define the data elements that are required for electronic transactions. Implementation guides provide important information for an information technology group or vendor that handles electronic claims submission. While many covered entities may never need to look at an implementation guide, it is important to know that they exist. Software vendors may rely on these to update your billing software. These guides may be downloaded for free from the website on your screen. Providers should also contact their payers and inquire whether they have companion guides available to accompany the implementation guides. If available, companion guides can provide additional information that is helpful in interpreting the implementation guides. Now let's return to the specific standards that have been adopted for each of the eight transactions. 
Please note that health care providers should mainly concern themselves with the first five transactions, as the other ones may not apply to them. The regulation adopted what is commonly referred to as the ASC X12N 837 format for health care claims and coordination of benefits for professional, institutional, and dental claims. This format and many of the other adopted standards have been developed and maintained by X12 Standards Development Organization, who has been accredited by the American National Standards Institute as the standards organization for many electronic transactions. For retail pharmacy drug claims, the regulation adopted the NCPDP telecommunication version 5.1 and batch standard 1.1. For health care payment and remittance advice, the regulation adopted ASC X12N 835. Currently, many providers spend precious time reconciling submitted claims with the paper remittance advice. Under HIPAA, providers can get electronic remittance advices from health plans and their practice management systems can auto-post them. In essence, you'll be able to conduct claims accounting without wasting staff time. For health claims status, the regulation adopted ASC X12N 276 and 277. Office staff who have been spending time on hold calling a health plan to check on the status of the claim will now be able to electronically request claim status information and get the answer without using the phone. For eligibility for a health plan, HIPAA adopted ASC X12N 270 and 271 for health care eligibility, benefit inquiry, and response. Under HIPAA, providers should have fewer worries about getting correct eligibility information quickly. For referral certification and authorization, the transaction standard adopted is ASC X12N 278 for health care services review or request for review and response. This transaction is to allow providers to electronically ask for permission from the health plan to refer their patients to other providers or to perform additional procedures. 
For enrollment and disenrollment in a health plan, HIPAA adopted ASC X12N 834 for benefit enrollment and maintenance. For health plan premium payments, the transaction standard is ASC X12N 820 for payment order remittance advice. Now that you know what the HIPAA standards are, you might be wondering where they came from. HIPAA requires the Secretary of the Department of Health and Human Services to adopt standards that were developed by private sector standard development organizations. The ASC X12 organization maintains the standards. And the National Council for Prescription Drug Programs, or NCPDP, maintains the telecommunication and batch standards, and they can be found at www.ncpdp.org. In addition to standard transactions, the HIPAA regulation also requires the use of standard code sets. Here are the code sets adopted in the final rule. For diagnosis and procedure codes, HIPAA adopted ICD-9-CM. That stands for International Classification of Diseases, Ninth Revision Clinical Modification. Versions one and two are maintained by the Centers for Disease Control in DHHS, while version three is maintained by CMS. For services provided by physicians and other professionals, CPT-4 was adopted. CPT stands for Current Procedure Terminology and is maintained and copyrighted by the American Medical Association. HCPCS stands for Healthcare Common Procedure Coding System and is maintained by CMS. These codes are for products, supplies, and services not included in the CPT-4 codes. The code stands for Code on Dental Procedures and Nomenclature and is maintained and copyrighted by the American Dental Association. Finally, NDC stands for National Drug Code, which is used by retail pharmacies and is maintained by the Food and Drug Administration in DHHS. The transactions and code set regulation adopted these first sets of HIPAA standards. It also created a process to allow anyone to request a change in the standards. 
Six organizations known as Designated Standards Maintenance Organizations, or DSMOs, were designated by the Secretary of DHHS and have agreed to work together to collect requests for changes to HIPAA standards, evaluate the requests, and suggest changes to the standards for the Secretary's consideration. The six DSMOs are the Accredited Standards Committee X12, Health Level 7, Inc., the National Council for Prescription Drug Programs, the National Uniform Billing Committee, the National Uniform Claim Committee, and the American Dental Association. The Secretary may modify a standard or its implementation guides, but no more frequently than once every 12 months. You can find out more by going to the DSMO website at www.hipaa-dsmo.org. As always, any time you want to find out more information about this or any other HIPAA topic, you can visit the CMS HIPAA website. In the next section, we'll review some steps you can take to help reach HIPAA compliance. It's time for another question. Let's listen. I'm overwhelmed by HIPAA. Where do I start? Watching this program is a great start. Visit the CMS website. It contains many helpful items. The HIPAA provider readiness checklist can help you get the ball rolling. Also, review the frequently asked questions on the website. We also put HIPAA updates on our website, so try to get in the habit of checking it monthly. Many of you might be wondering just where to start with HIPAA. In this section, we'll outline some key steps and questions that covered entities should be addressing to help reach compliance with the electronic transactions and code set standards. While not all-encompassing, knowing where you're standing in relation to these steps and questions should help you to better focus your efforts in reaching compliance. The first step is HIPAA project planning. Assign someone in your office as a HIPAA point person if you haven't already done so. 
This person should be responsible for all aspects of HIPAA and should have access to the HIPAA decision makers such as the CEO, the CFO, and the CIO. Covered entities have many ways to communicate transactions and requests for information. You need to identify which modes you use that are covered under HIPAA, such as diskettes, direct data entry, or DDE, web-based, or any other form of EDI or electronic data interchange. Paper, telephone, and faxing with a dedicated fax machine as opposed to faxing from a computer are not considered electronic transactions under HIPAA. Have you identified all modes of communication for all HIPAA-covered transactions? Have you identified who your trading partners are? What methods do you use to conduct HIPAA-covered transactions electronically? Your HIPAA budget, resources, and contracts should be reviewed. The next step is evaluating the impact on business processes and systems. Some general points to consider include: Have you assessed the business processes for HIPAA impact? Have the processes been prioritized for contingency planning? Adopting the HIPAA standard code sets means the loss of local codes. Has the impact of the loss of local codes and adoption of standard codes on your systems been assessed? Do you have a plan for changing policies, processes, and procedures, as well as staff training to accommodate the switch to standard codes? A system assessment in the form of a gap analysis needs to be completed. Simply put, this means identifying where you aren't ready or gaps between what you do now and what you'll need to do under HIPAA. For providers, the practice management software vendor may be responsible for all or part of gap analysis. Points to consider as part of a gap analysis include: Has a gap analysis been performed on your systems or your vendor's systems? Have mandated standard transactions been mapped? Has the system assessment been completed? 
In addition to performing gap analyses, health plans and clearinghouses need to review and likely revise many of their internal systems to ensure that HIPAA codes, fields, and field sizes are fully supported. The next step is validation and testing. All covered entities must perform testing. For providers, focusing on key transactions, such as the claim, remittance advice, and eligibility transactions is important. Also, if you're testing with one payer, you should not assume that you are okay. You need to test with all of your payers. Remember, technical glitches can occur, so be sure to build in enough time. The Workgroup for Electronic Data Interchange in the Strategic National Implementation Process, or WEDI SNIP, has a suggested seven-step testing process that you can follow as HIPAA does not specify how testing should be conducted. You can visit WEDI's website at the address on your screen for more information. And remember, testing must begin no later than April 16th, 2003. Try to test early and often as testing may take many months. The next step is coordinating with your trading partners. Trading partners include health plans, billing services, and clearinghouses with which you may conduct HIPAA transactions. Here are some points to consider. Have you contacted your trading partners to determine their HIPAA readiness? Are contracts in place with vendors, billing services, or clearinghouses for HIPAA-compliant transaction services? When will your vendor be updating and sending you HIPAA-compliant software? Do you or your system vendor have a schedule for design, development, and implementation? Do you have a way to track system modification status and progress? Have you or your system vendor decided on an overall approach to achieving compliance? Is everyone aware of the April 16th, 2003 testing deadline? 
While trading partner agreements, or TPAs, are not required by HIPAA, these agreements specify the communication methods and specific processing and code requirements not determined by the HIPAA transaction implementation guides. While the HIPAA standards do address data format and content, they do not address other issues, such as the method by which trading partners can accept and send transactions. And many data elements are considered situational, which means they are required if a given situation is met. However, these sorts of issues are not addressed in the standards and should be outlined in a TPA. Some additional questions to be asked include: Have transmission methods been agreed upon? Have situational data elements been identified? Do you have the appropriate implementation guides and companion guides? Have you accepted the processing and code requirements not determined by HIPAA? CMS has been designated by the Secretary of DHHS to enforce all of the HIPAA administrative simplification provisions with the exception of the privacy standards. This includes transactions and code set standards and security and identifier standards after they are in effect. The Office for Civil Rights, or OCR, at DHHS, is responsible for enforcement of the privacy provisions. The enforcement process for both will be primarily complaint-driven. Thus, the process leading to any penalties will be initiated primarily in response to an external complaint filed against the covered entity. CMS will provide opportunities for a covered entity to demonstrate compliance or submit a corrective action plan with the focus on obtaining voluntary compliance through technical assistance. CMS will notify you by letter only if a complaint is filed against you. At that time, you will have the opportunity to show compliance or to submit a corrective action plan. Only if you do none of these things would consideration be given to invoking penalties. And what are the penalties? 
Civil monetary penalties of not more than $100 per violation capped at $25,000 for each requirement or prohibition that is violated. Criminal penalties of up to $50,000 and one year imprisonment for knowingly obtaining or disclosing individually identifiable health information in violation of the HIPAA rules. Up to $100,000 and five years imprisonment if the violation is committed under false pretenses. And up to $250,000 and 10 years imprisonment if the violation is committed with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm. All criminal penalties are under the jurisdiction of the Department of Justice. The enforcement aspect of administrative simplification is still in the early stages. Again, CMS's emphasis is on ensuring everyone becomes compliant with the HIPAA provisions. While it's true that penalties can be imposed, the first course of action will focus on providing technical assistance aimed at helping an entity reach compliance. For the most recent information with regard to enforcement and other general areas of HIPAA administrative simplification, visit the CMS website at www.cms.hhs.gov/hipaa/hipaa2. To learn more about HIPAA and privacy or privacy enforcement issues, visit OCR's website at www.hhs.gov/ocr/hipaa. Now that we have provided you with an introduction to HIPAA, you may still be wondering how the administrative simplification provisions of HIPAA will benefit you. Let's meet Dr. Barbara Paul, CMS official, practicing physician, and covered entity. Dr. Paul is the Director of Quality Measurement and Health Assessment Group at CMS. Thanks, John. Hello, I'm Barbara Paul, one of the many practicing physicians who work at CMS. As I listened to this program, I realized that I had many of the same questions you heard today. 
As I navigate my way through HIPAA, I try to be patient with the stresses and strains of transitioning from the 400 different formats for submitting claims currently in use today. What keeps me going, and I hope will keep you going as well, is the prospect of a simpler, more streamlined administrative environment for physicians and the healthcare industry overall. John and Valerie have already mentioned many of the advantages of a HIPAA-compliant practice. Speedy determination of your patient's eligibility, giving you fewer worries about what's covered and who to bill. The promise of prior authorization and referral requests for your patients in any health plan, and much quicker turnaround for these requests without ever picking up the phone. You'll also be able to send in bills in batches or online and get a speedy response from your payer if they cannot be processed. Thus, physicians will be paid faster and have fewer administrative hassles. That should translate into more time for patient care. Another benefit is that administrative simplification mandates that healthcare entities implement a set of standards that will be used by all sectors of the healthcare industry, thus eliminating the use of local codes. This means that under HIPAA, your office will use the same set of codes for the same procedure with all health plans that you bill. Before HIPAA, you had to know which local code to bill which health plan for the same service. Thanks, Dr. Paul. In general, HIPAA intends to reduce the cost of administrative operations to simplify the electronic exchange of information and to prevent unauthorized access to patient health information. Your patients should see faster responses to their concerns such as unpaid bills or access to patient records. And this should serve to improve your patient's satisfaction with you. It is time for another HIPAA question. My vendor says they're handling everything so I don't need to worry about HIPAA, right? 
Good question, but you do need to worry about HIPAA. If you are a covered entity, you are ultimately responsible for compliance, not your vendor or anyone else. So it's important that you understand the deadlines and details about HIPAA and its impact on your business and communicate often with your payers, software vendors, billing service or clearinghouses to find out where they are with HIPAA implementation. In our final segment, we'll review important facts from our program and tell you about additional resources you can access to find out more information on HIPAA. By now, you should have a better understanding of the many aspects of complying with HIPAA's administrative simplification provisions. Remember that the next compliance date is April 14th, 2003. This is a deadline for meeting the privacy requirements with the exception of small health plans who have another year. Then, just two days later, is the testing deadline for all covered entities who submitted a compliance extension form. Compliance with the electronic transactions and code set standards for all covered entities, including small health plans, is required by October 16th, 2003. The compliance deadline for privacy is April 14th, 2004 for small health plans. The compliance date for national employer identifiers is July 30th, 2004 for all covered entities except small health plans. Small health plans have until August 1st, 2005 to comply. The compliance date for security is April 21st, 2005 for all covered entities except small health plans. Small health plans have until April 21st, 2006 to comply. To find out more information about HIPAA administrative simplification, there are a number of resources available. The HIPAA hotline number is available to answer your questions. That number is 1-866-282-0659. This hotline can help you with your questions about electronic transactions and code sets, unique identifiers, and security. Please direct your privacy questions to the HIPAA Privacy Hotline. 
That number is 1-866-627-7748. The CMS HIPAA website is another good resource of information. It's updated frequently and provides access to free tools and information, such as the covered entity decision tool, a provider readiness checklist, information on upcoming conference calls, and enforcement information, plus access to frequently asked questions about HIPAA. The address is www.cms.hhs.gov/hipaa/hipaa2. For more information on the HIPAA privacy provisions, visit www.hhs.gov/ocr/hipaa. This website includes privacy guidance documents and sample business associate contract provisions. Here are some additional web resources that you might find useful. You have found the information in this program helpful in your efforts to comply with the administrative simplification provisions of HIPAA. Thank you for watching, and remember to check our website for the latest HIPAA information.