
DHHS Regulations to Implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Applicability to the WIC Program

EO Guidance Document #: FNS-GD-2001-0020
FNS Document #: WIC Policy Memorandum #2002-2
Resource type: Policy Memos, Guidance Documents, Resource Materials
DATE: Dec. 5, 2001
MEMO CODE: WIC Final Policy Memorandum #2002-2
SUBJECT: Department of Health and Human Services’ (DHHS) Regulations to Implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Applicability to the WIC Program
TO: Regional Directors
Supplemental Food Programs
All Regions

This memorandum is intended to provide clarification on the applicability of two Department of Health and Human Services’ (DHHS) final regulations to the WIC program. These regulations, which are the first in a series of DHHS regulations to implement HIPAA, include requirements for: (1) the establishment of standard formats for certain administrative and financial transactions, and (2) the privacy of individually identifiable health information.

Background

On Aug. 17, 2000, DHHS published a final regulation to establish standard formats for administrative and financial health care transactions such as health care claims, enrollment and disenrollment in a health plan, and eligibility for a health plan. Under this rule, all health care providers will be able to use the electronic format to bill for their services, and all health plans will be required to accept these standard electronic claims, referral authorizations and other transactions. This rule only applies to documents transmitted electronically. Most of the affected entities – health plans, health care clearinghouses, and certain health care providers – must comply with these requirements by Oct. 16, 2002. Small health plans have an additional year to comply with the requirements.

Further, DHHS issued a final regulation on Dec. 28, 2000, Standards for Privacy of Individually Identifiable Health Information. The regulation establishes standards to protect the privacy of individually identifiable health information maintained or transmitted electronically or in paper form in connection with certain administrative and financial transactions. The rule applies to health plans, health care clearinghouses, and certain health care providers. Subsequently, DHHS published a Notice requesting public comments on the final rule. The rule became effective April 14, 2001, and compliance must be achieved by April 14, 2003.

Impact on the WIC Program

Following publication of DHHS’ Privacy Rule, state agencies raised questions about the applicability of both DHHS’ regulations to the WIC program.

Based on our review of both these regulations, in consultation with our Office of the General Counsel, we concluded that DHHS’ regulations do not apply to or require compliance by the WIC program. In addition, the DHHS regulations on privacy do not supersede Federal WIC confidentiality requirements. The WIC program is not a covered entity – health plan, health clearinghouse, or health care provider – as defined by DHHS in these regulations.

Further questions may arise with regard to the applicability of HIPAA to WIC where, for example, WIC clinics perform functions on behalf of another program that may be a covered entity under the DHHS regulations or when an integrated data system is used by both covered entities and non-covered entities such as WIC. We encourage WIC state agencies to coordinate with state program counterparts to resolve such issues. If WIC clinics are performing activities on behalf of another program(s) that may be affected by HIPAA, and it is determined that these activities must be HIPAA compliant, no costs associated with HIPAA compliance may be borne by the WIC program. Such costs must be borne by or reimbursed to WIC by the program(s) requesting WIC’s assistance. Immunization registries are not required to be HIPAA compliant. Therefore, any WIC activities related to such registries, such as viewing the registry or making entries in registries, do not require system changes.

With regard to integrated data systems, some WIC agencies have been apprised by state health officials that WIC must share in the state’s cost of becoming HIPAA compliant. The WIC program is not a covered entity and thus is not required to be HIPAA compliant. There is no benefit to the WIC program from changes to make data systems HIPAA compliant. Therefore, WIC state agencies are not authorized to use WIC funds to pay any costs to make a data system HIPAA compliant. However, to determine adjunct income eligibility for WIC, some state/local agencies may wish to have electronic access to eligibility data from a program that must be HIPAA compliant. In such cases, WIC state agencies are authorized to use WIC funds to develop a cross-walk or interface to access/read such HIPAA compliant data. WIC state agencies must follow the guidance found in FNS Handbook 901, Advanced Planning Document, concerning automation acquisition prior approval and notification requirements, prior to spending WIC funds for a cross-walk or interface.

State agencies are encouraged to contact the regional office if any unresolved issues exist that require further assistance by the Food and Nutrition Service. Further information about DHHS’ regulations to implement HIPAA can be found on the Internet at: http://aspe.hhs.gov/admnsimp/ .

PATRICIA N. DANIELS
Director
Supplemental Food Programs Division

Page updated: May 08, 2023

The contents of this guidance document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or agency policies.