HIPAA + prior authorization: proposed new legislation

This article defines HIPAA and summarizes some of the requirements for compliance with the federal regulations. It also briefly describes proposed legislation on protected health information as it pertains to prior authorization.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop rules that would protect the privacy and security of health information. HHS then created the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule consists of standards to protect health information, whereas the Security Rule establishes security standards for electronic health information. Together, these rules address technical and non-technical safeguards to protect patient health information.

The Office for Civil Rights (OCR) enforces both rules through voluntary compliance activities and civil money penalties.

The Security Rule…

  • Applies to health plans, health care clearinghouses and any health care provider who works with electronic health information (in practice, every provider).
  • Protects the privacy of electronic protected health information (e-PHI).
  • Does NOT apply to oral or written (paper) PHI transmission.
  • Requires that only authorized persons can access an individual’s PHI.

Security Rule Safeguards (generally)

  • Administrative safeguards include stipulations around a security management process, designated security personnel, information access management, workforce training and periodic evaluation.
  • Physical safeguards include facility access controls and workstation/device security to keep electronic PHI (e-PHI) out of unauthorized hands.
  • Technical safeguards include PHI access controls, audit controls, integrity controls and transmission security.
  • In the event of an information breach, the covered entity must take reasonable steps to cure the problem and end the violation.
  • A covered entity must update its documentation periodically.

The Privacy Rule…

  • Applies to health plans, health care clearinghouses and any health care provider who works with electronic health information (in practice, every provider).
  • Allows PHI to be disclosed only under specific conditions.
  • Requires written authorization for PHI disclosure unless certain circumstances apply.

Learn more in the Privacy Rule Summary and on OCR's Enforcement Rule page. See “HIPAA FAQs for Professionals” for frequently asked questions organized by category.

Proposed Rule by HHS on January 24, 2022

Summary: HHS is seeking input from the public about electronic prior authorization standards, implementation specifications and related criteria.

Specifically, the proposed rule mandates that HHS clarify the requirements under HIPAA for electronic prior authorizations. According to the Federal Register website, HHS has so far adopted operating rules for only three HIPAA transactions: “eligibility for a health plan, healthcare claim status, healthcare electronic funds transfers (EFT) and remittance advice.”

The comment period ended in March 2022, so findings should be published soon.

New HIPAA guidance for prior authorization would establish a PHI standard for prior authorization across the board, helping to ensure security for patients who need prior authorization.

Prior authorization has become a major part of healthcare. On average, practices work on 41 prior authorizations per week. In fact, prior authorization is such a massive undertaking that approximately 40% of physicians have staff who work exclusively on prior authorizations.

The legislation, "Request for Information: Electronic Prior Authorization Standards, Implementation Specifications, and Certification Criteria," discusses possible solutions to the burden of prior authorization (and not just on the HIPAA front). Back in 2019, the Health Information Technology Advisory Committee (HITAC) identified a "need for standards to support the integration of prior authorization into all applicable EHR-based ordering workflows."

HITAC recommended that standards be established for prior authorization workflows.

Learn more about this proposed legislation here.

Shameless Plug: Rivet Estimates help your practice succeed.

Rivet offers software solutions that integrate with your EHR for up-front patient cost estimates (that comply with the No Surprises Act), as well as denied claim and underpaid claim solutions.

To see a demo and discuss billing pain points, request a Rivet demo now.
