September 8, 2005

The Honorable Dennis J. Hastert
Speaker of the House of Representatives
H-209, The Capitol
Washington, D.C. 20515

Dear Mr. Speaker:

I am pleased to transmit our Seventh Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act (HIPAA). In compliance with Section 263, Subtitle F of Public Law 104-191, the report was developed by the National Committee on Vital and Health Statistics (NCVHS), the public advisory committee to the U.S. Department of Health and Human Services on health data, privacy, and health information policy, and covers the period January 2004 through April 2005.

The Administrative Simplification provisions of HIPAA require the Secretary of Health and Human Services (HHS) to adopt a variety of standards to support electronic interchange for administrative and financial healthcare transactions, including standards for security and privacy to protect individually identifiable health information. In addition, the statute gives expanded responsibilities to the National Committee on Vital and Health Statistics for advising the Secretary on health information privacy and on the adoption of health data standards. The Committee is further directed to submit an annual report to Congress on the status of implementation of the Administrative Simplification effort.

As described in our report, significant progress occurred on several HIPAA Administrative Simplification standards during the past year. NCVHS applauds these accomplishments and reaffirms the importance of the HIPAA administrative simplification initiative for improving the efficiency and effectiveness of the healthcare system in the U.S. However, the full economic benefits of Administrative Simplification will only be realized when all of the standards are in place, and implementation activities and resource planning in the industry will be more effective when the entire suite of standards is finalized. Accordingly, we encourage the Secretary of HHS to expedite the publication of the remaining rules without delay, and urge Congress to provide sufficient resources and support to assure successful implementation of this important initiative.

We hope that you will find this seventh annual report informative and look forward to continued progress on these important issues for the nation’s health system. If you or your staff would like a briefing presentation on any of our past or anticipated activities, please let me know.

We are committed to improvements in health information systems that will enhance the quality of healthcare, lower costs, and facilitate access to care in the U.S.

Sincerely,

  /s/

Simon P. Cohn, M.D., M.P.H., Chairman,
National Committee on Vital and Health Statistics

Enclosure

Identical letters to:

Richard Cheney
President of the Senate
Washington, D.C. 20510

The Honorable Chuck Grassley
Chairman
Committee on Finance
219 Senate Dirksen Office Building
United States Senate
Washington, D.C. 20510

The Honorable Mike Enzi
Chairman
Committee on Health, Education, Labor and Pensions
428 Senate Dirksen Office Building
United States Senate
Washington, D.C. 20510

The Honorable Bill Thomas
Chairman
Committee on Ways and Means
U.S. House of Representatives
1102 Longworth House Office Building
Washington, D.C. 20515

The Honorable Joe Barton
Chairman
Committee on Energy and Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, D.C. 20515

The Honorable John A. Boehner
Chairman
Committee on Education and the Workforce
U.S. House of Representatives
2181 Rayburn House Office Building
Washington, D.C. 20515


NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Administrative Simplification in Healthcare: January 2004 – April 2005

Seventh Annual Report to Congress on the Implementation
of the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act of 1996

CONTENTS

Executive Summary

  1. Introduction
  2. Background About HIPAA Administrative Simplification
  3. Progress Since Last Report to Congress
  4. Conclusions

Executive Summary

This report describes the status of implementation of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The major purpose of the HIPAA provisions is to improve the efficiency and effectiveness of the nation’s healthcare system, specifically Medicare and Medicaid programs and, in general, the overall healthcare system by encouraging the electronic transmission of health information through the use of standards. The HIPAA standards are required to be used by health plans, clearinghouses, and healthcare providers who transmit or maintain electronic health information.

Through the HIPAA statute Congress expanded the responsibilities of the National Committee on Vital and Health Statistics (NCVHS), which include advising the Secretary of Health and Human Services on the adoption of standards, monitoring their implementation, and reporting annually on progress. This report is the seventh annual report on implementation and covers the period January 2004 through April 2005.

Background About HIPAA Administrative Simplification

To improve the effectiveness and efficiency of the nation’s healthcare system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes a series of “administrative simplification” provisions requiring HHS to adopt national standards for electronic healthcare transactions. By ensuring consistency throughout the industry, the national standards will make it easier for health care organizations to process transactions electronically. The law also requires the adoption of privacy and security standards in order to protect individually identifiable health information. HIPAA requires that “covered entities,” e.g., health plans, healthcare clearinghouses, and those healthcare providers conducting electronic financial and administrative transactions (such as eligibility, referral authorizations, and claims), comply with each set of standards. Other businesses may choose to comply with the standards, but the law does not mandate that they do so.

In general, the law requires covered entities to comply with each set of standards within two years following adoption, except for small health plans, which have three years to come into compliance. For the electronic transactions and code sets rule only, Congress in 2001 enacted legislation (Administrative Simplification Compliance Act [ASCA]; Pub. L. No. 107-105) extending the initial deadline one year to Oct. 16, 2003 for all covered entities, including small health plans. The compliance dates for the health information privacy rule were April 14, 2003 for large health plans, healthcare clearinghouses and participating healthcare providers and April 14, 2004 for small health plans.

The newest regulations under HIPAA’s Administrative Simplification provisions that took effect during this report’s timeframe (along with the privacy rule for small health plans stated previously) include the employer identifier standard on July 30, 2004 and the security standard on April 20, 2005. All covered entities were required to comply with each of these standards with the exception of the small health plans, which must do so one year later respectively.

The next HIPAA regulation with scheduled compliance dates is the national provider identifier (NPI) standard slated for May 23, 2007 (most covered entities) and May 23, 2008 (small health plans). Other HIPAA regulations in various stages of development or publication include enforcement, claims attachment, and the national health plan identifier standards.  Although HIPAA included a requirement for a unique personal healthcare identifier, HHS and Congress have put the development of such a standard on hold indefinitely.

Progress Since Last Report to Congress

Compliance
Eighteen months after the compliance date for the transactions and code sets rule, progress continues with the implementation of the HIPAA standards. The Centers for Medicare and Medicaid Services (CMS) report that as of the end of April 2005 the proportion of HIPAA-compliant claims coming into Medicare reached ninety-nine percent. In addition, over eighty percent of receivers of the remittance advice transactions are able to use the HIPAA standard.

Current healthcare industry enforcement for HIPAA compliance is managed by CMS for the non-privacy standards (transactions and code sets, security, etc.) and by the Office for Civil Rights (OCR) for the privacy standards.  Both CMS and OCR have employed proactive strategies involving extensive multi-faceted outreach campaigns to educate the public about HIPAA Administrative Simplification requirements. These strategies include informative web sites, frequently asked questions, conferences, toll free hotlines and targeted technical assistance materials.

To strengthen HIPAA enforcement and to ensure uniform rules for the imposition of civil monetary penalties for HIPAA violations, two notices were posted in the Federal Register. The first notice was posted on March 25, 2005 entitled: Procedures for Non-Privacy Administrative Simplification Complaints Under the Health Insurance Portability and Accountability Act of 1996. The second, a Notice of Proposed Rule Making (NPRM), was posted on April 18, 2005 entitled: HIPAA Administrative Simplification: the Enforcement Rule.

Seventy-eight percent of the 334 complaints received by CMS involved private sector entities. CMS has determined that most complaints filed are resolved by the involved parties before the need to issue a corrective action plan.

By the end of April 2005 (two years after the initial compliance date) the number of privacy complaints to OCR totaled 12,542 with sixty-five percent closed. Two hundred cases have been referred by OCR to the Department of Justice (DoJ).

The compliance date for the employer identifier was July 30, 2004 (small health plans July 30, 2005). No complaints have been received by CMS regarding the employer identifier.

The compliance date for the security rule was April 20, 2005 (small health plans April 20, 2006). CMS was prepared for security complaint submission on that date.  CMS and OCR also developed procedures to investigate “dual” complaints, those that involve violations of both the privacy and security rule.  A small number of complaints were received during the first several weeks after the compliance date.

CMS is preparing the system to issue the National Provider Identifier (NPI) for use in the HIPAA standard electronic healthcare transactions. The NPI will replace current provider identifiers used in today’s HIPAA standard transactions thus eliminating the use of multiple identification numbers by each provider. The earliest application for an NPI is through a web-based process, which started May 23, 2005. The paper applications for NPI enumeration will begin July 1, 2005.  The system began issuing NPIs on May 23.

The proposed rule on standards for claims attachments was signed by the Secretary of HHS and sent to the Office of Management and Budget (OMB) in May 2005.  Publication is expected this fall.

The proposed rule on a National Health Plan ID is being developed within HHS.

Private Sector Input About HIPAA Administrative Simplification
The Committee has continued to serve as the Department’s primary liaison with the private sector to obtain the views, perspectives, and concerns of the interested and affected parties, as well as their input and advice, on health data standards and privacy. During 2004 and through April 2005, the focus of NCVHS public hearings and committee deliberations about HIPAA Administrative Simplification was on implementation issues, industry readiness and obstacles in achieving successful implementation.

In March 2004 the Committee recommended to HHS the continued use of the National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard Version 5.1 for billing supplies consumed or used during the administration of a drug therapy or commonly dispensed through a retail pharmacy channel. A clarification to this standard was prompted by a request by the Designated Standards Maintenance Organization (DSMO). When the use of the National Drug Code (NDC) designated standard code set within the NCPDP standard is not possible, the Committee recommended the continued use of the Universal Product Code (UPC) and the Health Related Item Code (HRI) be allowed.

In general areas of HIPAA implementation, the leadership from the Workgroup for Electronic Data Interchange (WEDI) testified to the Subcommittee on Standards and Security in May 2004. WEDI reported on the healthcare industry’s progress from the perspective of the private sector and expressed two general concerns: the importance of pilot testing the standards before their adoption and of validating costs and benefits prior to issuing final rules.

Progress of the DSMO activities was reported to the Subcommittee on Standards and Security by the 2004 DSMO Chair in February 2005. The final HIPAA rule established the new organization under Section 162.910 with the HHS Secretary designating the members to be comprised of three standard data content committees (DCC) and three standard development organizations (SDO). The role of the DSMO is to maintain the standards adopted by the Secretary and to establish criteria for the processes to be used in such maintenance.

The most recent testimony to the Subcommittee on Standards and Security about the healthcare industry’s experience with implementing the HIPAA standards was heard April 2005. The hearing provided a forum to report implementation issues with standards for financial and administrative transactions and the national provider identifier (NPI). Testimony included reports of financial results such as early and general perspectives on the industry’s return on investment (ROI) after implementing HIPAA and specific recommendations about NPI pre-implementation.  Testimony was received from health plans, physician and provider groups, WEDI, health information technology vendors and clearinghouses.

The NCVHS Subcommittee on Privacy and Confidentiality has held many hearings about HIPAA standards since the implementation of the HIPAA Privacy Rule (April 14, 2003-2004).  Reported to HHS in March 2004 was feedback from the public and private sectors about the privacy regulation’s impact on public health and research, healthcare providers, health plans, and consumers. In general, witnesses reported less anxiety and confusion since passage of the initial compliance date and identified the need to continue expanding outreach and to provide more public education activities so that the rule can be implemented effectively.

An additional series of privacy hearings were held in February and July 2004 and focused on the impact of the rule specific to the areas of banking, schools, law enforcement, fundraising, marketing and media access.  A critical issue of whether other privacy laws adequately protect health information held by financial institutions exempt from HIPAA under Section 1179 warranted several recommendations (see full report).

The effect of the privacy rule on schools pertained to the control of health information disclosures by covered entities (such as family physicians) to schools in situations where the information is needed in the school setting. While covered entities under the privacy rule may disclose protected health information (PHI) to public health authorities for public health activities, there is no provision permitting covered entities to disclose PHI to schools for purposes such as for tracking immunizations. Based on the oral and written testimony presented at the hearing, NCVHS made several recommendations (see full report).

Based on limited oral and written testimony about the effect of the privacy rule on law enforcement, the Committee framed its recommendations in the context of drug diversion activities. NCVHS recommended that HHS work with the U.S. Department of Justice’s Drug Enforcement Administration (DEA) to educate providers that communicating information about drug diversion or complying with State reporting requirements are permissible under the HIPAA Privacy Rule.

The Subcommittee heard from witnesses who had previously testified about the impact of the privacy rule on marketing.  Based on the testimony several areas of concern were highlighted for HHS to explore (see full report).

In addition, testimony was heard about the effect of the privacy rule on fundraising. The witnesses had predicted in previous hearings that prohibiting disclosure of patient service department information would adversely affect the fundraising activities of many nonprofit health care institutions. The witnesses’ testimony expressed that their experience with the privacy rule had confirmed their fears about the likely consequences of the Rule. Based on this testimony, NCVHS made several recommendations (see full report).

The most recent HIPAA recommendations to the Secretary in March 2005 by the Committee reflected testimony heard by the Subcommittee on Privacy and Confidentiality on the impact of the Security Rule.

In November 2004 witnesses from the Veterans Health Administration (VHA), the Food and Drug Administration (FDA), and various manufacturers of FDA regulated software and medical devices voiced concerns about the challenges with bringing medical devices into compliance with the Security Rule as well as providing effective security. Based on the testimony NCVHS made several recommendations (see full report).

In addition to a focus on administrative simplification in healthcare, HIPAA directed the NCVHS to study issues regarding electronic exchange of patient medical record information (PMRI). The Committee’s 2000 report and subsequent recommendations in 2002 and 2003 served as the foundation for standards to be adopted through the Consolidated Health Informatics (CHI) Initiative, one of the federal E-Government initiatives established by OMB. The CHI goal is to adopt uniform standards to promote interoperability of clinical information in the federal healthcare enterprise. Recently the CHI activities became part of the Federal Health Architecture (FHA), which is operated by the Office of the National Coordinator for Health Information Technology (ONCHIT).

The NCVHS Workgroup on the National Health Information Infrastructure (NHII) heard testimony about PMRI standards in July 2004 at the second Secretarial HIT Summit and NHII 04 Conference. The Committee made recommendations on September 8, which identified areas where more work is needed to advance the ONCHIT Framework for Strategic Action. Previous NCVHS recommendations are currently being implemented through the FHA activities, which include the adoption of CHI standards. Although these standards apply only to federal healthcare agencies and programs, NCVHS believes that the federal adoption will profoundly impact the private industry by providing the impetus to accelerate the convergence and voluntary adoption of standards in a broader context.

The NCVHS also made significant recommendations concerning standards for electronic prescribing for use in the new Medicare drug benefit, as required by the Medicare Prescription Drug, Improvement and Modernization Act of 2003.  Together with HIPAA standards, the e-prescribing standards will help promote interoperability in the nation’s health data infrastructure as well as improve the quality, safety and cost effectiveness of patient care.

The Public Health Data Standards Consortium has continued to be a key organization in the implementation of administrative simplification in the public health and health services research arenas.

Conclusions

The NCVHS reaffirms the importance of the HIPAA administrative simplification initiative and urges the Secretary to expedite the publication of the remaining rules. A high level of adoption for the healthcare claims transaction standard has been achieved, although this same level has not occurred for standards in eligibility, enrollment, health claim remittance, healthcare claim status and the coordination of benefits. This low level of adoption has delayed the achievement of efficiencies and industry cost savings, and the full economic benefits of Administrative Simplification will be realized only when the entire suite of standards is implemented. In addition, the delays in promulgation of the regulations for provider and health plan identifiers have slowed the realization of expected benefits by the healthcare industry. Congressional support is needed for additional resources to enable the Department to accelerate the promulgation of the remaining HIPAA standards as well as to provide appropriate levels of industry education, which includes efforts to educate the healthcare industry about the Privacy Rule.


I. Introduction

This report describes the status of implementation of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Administrative Simplification provisions (title II, subtitle F of Pub. L. No. 104-191, adding a new title XI, part C, to the Social Security Act (42 U.S.C. 1320d et seq.)) require the Secretary of Health and Human Services (HHS) to adopt standards for the electronic transmission of administrative and financial healthcare transactions, including data elements and code sets for those transactions; for unique health identifiers for health care providers, health plans, employers, and individuals for use in the healthcare system; and for security standards to protect individually identifiable health information. The law also requires standards to protect the privacy of health information.

Congress gave the National Committee on Vital and Health Statistics (NCVHS) the roles of advising the Secretary of Health and Human Services on the adoption of standards, monitoring their implementation, and reporting annually on progress. This report is the seventh of those annual reports on implementation and covers the period January 2004 through April 2005. Previous NCVHS reports to Congress about the progress of the implementation of administrative simplification may be found at the committee’s web site, http://ncvhs.hhs.gov/.

The Committee has monitored the process of standards adoption and the issuance of proposed standards, as carried out by the Government and its advisory bodies. In addition, now that most of the standards have become finalized and attention turns to their implementation, the NCVHS is identifying and advising on implementation issues.

II. Background About HIPAA Administrative Simplification

To improve the efficiency and effectiveness of the healthcare system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 included a series of “administrative simplification” provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic healthcare transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health plans, healthcare clearinghouses, doctors, hospitals and other healthcare providers to process claims and other transactions electronically. The law also requires the adoption of privacy and security standards in order to protect individually identifiable health information. HIPAA administrative simplification regulations include:

  • Electronic healthcare transactions and code sets (final rule issued August 17, 2000);
  • Health information privacy (final rule issued December 28, 2000 and modified August 14, 2002);
  • Unique identifier for employers (final rule issued May 31, 2002);
  • Security requirements (final rule issued February 20, 2003);
  • Unique identifier for providers (final rule issued January 23, 2004);
  • Enforcement procedures (interim final procedural rule issued April 17, 2003, a proposed rule for policy and procedures for investigations, imposition of civil monetary penalties, and hearings issued April 18, 2005 entitled: HIPAA Administrative Simplification: the Enforcement Rule, and a Notice on March 25, 2005 entitled: Procedures for Non-Privacy Administrative Simplification Complaints Under the Health Insurance Portability and Accountability Act of 1996);
  • Unique identifier for health plans (proposed rule in development); and
  • Claims Attachment (proposed rule in development).

Organizations covered by HIPAA Administrative Simplification

In HIPAA, Congress required health plans, healthcare clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically (such as eligibility, referral authorizations, and claims) to comply with each set of standards. The Medicare Prescription Drug, Improvement and Modernization Act of 2003 (MMA) created a fourth type of covered entity, Medicare discount drug card sponsors.  Other businesses may voluntarily comply with the standards, but the law does not require them to do so.

Compliance Schedule

In general, the law requires covered entities to come into compliance with each set of standards within two years following the effective date of the regulation, except for small health plans, which have three years to come into compliance. For the electronic transactions and code sets rule only, Congress in 2001 enacted legislation (Administrative Simplification Compliance Act; Pub. L. No. 107-105) extending the deadline to October 16, 2003 for all covered entities, including small health plans. The legislative extension did not affect the compliance dates for the privacy rule or all subsequent rules that have since followed.

HIPAA Transaction and Code Set Standards

Under HIPAA, HHS must adopt recognized industry standards when appropriate (and as advised by NCVHS). HHS recognized the need for the ongoing maintenance of the HIPAA transaction and code set standards, and especially the need for the industry to collect, review and recommend changes to the standards. The final regulation for transactions and code sets established a set of industry organizations called Designated Standards Maintenance Organizations (DSMOs) to receive and process requests for modifications to standards or for adopting new standards. The DSMO members include three standard data content committees and three standards development organizations.

HIPAA Privacy Standards

In December 2000, HHS issued a final rule to protect the confidentiality of individually identifiable health information. The rule limits the use and disclosure of certain individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding the use and disclosure of records for certain public responsibilities, such as public health, research and law enforcement. Improper uses or disclosures under the rule may be subject to criminal or civil sanctions prescribed in HIPAA.

After reopening the final rule for public comment, HHS Secretary Tommy G. Thompson allowed it to take effect as scheduled. In March 2002, HHS proposed specific changes to the privacy rule to ensure that it protects privacy without interfering with access to care or quality of care. After considering public comments, HHS issued a final set of modifications in August 2002. Most covered entities were required to comply with the privacy rule by April 14, 2003 with small health plans required by April 14, 2004 to come into compliance, as required under the law.

Employer Identifier

In May 2002, HHS issued a final rule to standardize the identifying numbers assigned to employers in the healthcare industry by using the existing Employer Identification Number (EIN), which is assigned and maintained by the Internal Revenue Service. Businesses that pay wages to employees already have an EIN. Currently, health plans and providers may use different ID numbers for a single employer in their transactions, increasing the time and cost for routine activities such as health plan enrollments and premium payments. Most covered entities were required to comply with the EIN standard by July 30, 2004. (Small health plans have an additional year to comply.)

Security Standards

In February 2003, HHS adopted final regulations for security standards to protect electronic health information systems from improper access or alteration. Under the security standards, covered entities must protect the confidentiality, integrity, and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care. The standards use many of the same terms and definitions as the privacy rule to make it easier for covered entities to comply. The rule does not address the use of electronic signatures. Most covered entities were required to comply with the security standards by April 21, 2005, while small health plans will have an additional year to come into compliance.

National Provider Identifier

HHS issued a final rule January 23, 2004 adopting the National Provider Identifier (NPI) as the standard provider identifier to be used in electronic transactions. Most covered entities are required to comply with the requirements of this rule by May 23, 2007, while small health plans have an additional year.

Enforcement

HHS issued two notices regarding enforcement of the HIPAA requirements. In March 2005 the Centers for Medicare and Medicaid Services (CMS) explained its procedures for processing HIPAA Administrative Simplification complaints and in April 2005 the Office for Civil Rights (OCR) proposed new provisions of civil money penalties on covered entities that violate the HIPAA regulations, as well as changes to procedural requirements for penalties issued as an interim final rule in April 2003.

National Health Plan Identifier

HHS is working to propose standards that would create a unique identifier for health plans, making it easier for healthcare providers to conduct transactions with different health plans.

Unique Personal Identifier

Although HIPAA included a requirement for a unique personal healthcare identifier, HHS and Congress have put the development of such a standard on hold indefinitely. In 1998, HHS delayed any work on this standard until after comprehensive privacy protections were in place. Since 1999, Congress has adopted appropriations language to prevent appropriated funds from being used to promulgate such a standard. HHS has no plans to develop such an identifier.

Other HIPAA Administrative Simplification Regulations

A proposed rule adopting a standard for claims attachments was signed by the Secretary and forwarded to the Office of Management and Budget (OMB) in May 2005.  Publication is expected this fall.

Federal Government Web Sites for HIPAA Administrative Simplification

In addition to the NCVHS web site, https://ncvhs.hhs.gov/, two other web sites containing HIPAA administrative simplification regulations, frequently asked questions, and other helpful materials are: the HHS Office for Civil Rights, http://www.hhs.gov/ocr/; and, the HHS Centers for Medicare and Medicaid Services.

III. Progress Since Last Report to Congress

Compliance
Eighteen months after the compliance date for the transactions and code sets rule, progress continues with the implementation of these HIPAA standards. CMS reported to the NCVHS Full Committee in June and September 2004 that the proportion of HIPAA-compliant claims coming into Medicare increased from eighty-six to ninety-seven percent respectively.  As of May 2005, the proportion has risen above ninety-nine percent.  In addition, over eighty percent of receivers of remittance advice transactions are able to use the HIPAA standard.

Current healthcare industry enforcement for HIPAA compliance is managed by CMS for the non-privacy standards (transactions and code sets, security, etc.) and by the Office for Civil Rights (OCR) for the privacy standards. By May 2005, CMS had received 334 complaints, of which seventy-eight percent involved private sector entities as opposed to governmental organizations qualifying as covered. The majority of complaints fell into three categories: compliant transactions rejected, non-compliant transactions sent, and excessive telecommunication fees by trading partner. One hundred fifty-two of the complaints have been closed. CMS monitors all corrective action plans and has determined that most complaints filed are resolved by the involved parties before reaching the point of issuing a corrective action plan.

OCR reports that through the end of April 2005 (two years after the initial privacy rule compliance date) the number of privacy complaints totaled 12,542 of which sixty-five percent were closed. The majority of the complaints deal with health information uses, disclosures and safeguards.  Access to information continues to garner a number of complaints followed by complaints of the minimum necessary standards and violations of the authorization standards and notice. Most complaints are filed against provider groups such as private physician practices, general hospitals, pharmacies and outpatient clinics, and group health plans. OCR has made 200 referrals to the Department of Justice (DoJ).

To strengthen HIPAA enforcement two notices were recently posted in the Federal Register. The first notice was posted on March 25, 2005 entitled: Procedures for Non-Privacy Administrative Simplification Complaints Under the Health Insurance Portability and Accountability Act of 1996. It details the procedures for filing a complaint with the Department on non-compliance with the non-privacy HIPAA provisions.

The second notice, a Notice of Proposed Rule Making (NPRM), strengthening enforcement and ensuring uniform rules for the imposition of civil monetary penalties for HIPAA violations was posted on April 18, 2005 entitled: HIPAA Administrative Simplification: the Enforcement Rule. This proposed rule contains new provisions for the imposition by the Secretary of civil money penalties on covered entities violating the regulations, as well as proposing changes to and responding to comment on the procedural requirements for penalties issued as an interim final rule on April 17, 2003. For example, it proposes to amend the existing rules relating to the investigation of non-compliance to make them apply to all of the HIPAA Administrative Simplification rules, rather than exclusively to the privacy standards.  It would also amend the existing rules relating to the process for imposition of civil money penalties. Among other matters, the proposed rule would clarify and elaborate upon the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeal process.

The second round of modifications to the transactions code sets is under development, expected to be published sometime early in 2006.

The compliance date for the employer identifier was July 30, 2004 (small health plans July 30, 2005). No complaints have been received by CMS regarding the employer identifier.

The compliance date for the security rule was April 20, 2005 (small health plans April 20, 2006). CMS was prepared for security complaint submission on that date. CMS and OCR also developed procedures to investigate “dual” complaints, those that involve violations of both the privacy and security rule. A small number of complaints were received during the first several weeks after the compliance date.

CMS is now preparing the system to issue the National Provider Identifier (NPI) for use in the HIPAA standard electronic healthcare transactions.  With national standard identifiers healthcare providers will be able to submit HIPAA transactions (eligibility inquiries and responses, claim status inquiries and responses, remittance advices and referral authorizations) to any health plan in the United States. Healthcare providers who transmit electronic health information are required to obtain NPIs, even if they use business associates such as billing agencies, to prepare the transactions. The NPI will replace current provider identifiers used today in HIPAA standard transactions and will eliminate the need for and use of multiple identification numbers by each provider.

The earliest application for an NPI is through a web-based process, which started May 23, 2005. The paper applications for NPI enumeration will begin July 1, 2005. The system began issuing NPIs on May 23, 2005. Healthcare providers are being advised not to begin using the NPI on or before the compliance dates (May 23, 2007 for most covered entities and May 23, 2008 for small health plans) so that health plans may issue their instructions on accepting the NPI transactions.

The proposed rule on standards for claims attachments was signed by the Secretary of HHS and sent to OMB in May 2005.  Publication is expected this fall. CMS has funded a pilot test of electronic claims attachment standards developed by HL7 and X12.  The pilot is taking place in New York State, involving Empire Medicare Services, and hospitals and physician providers.  Results of the pilot test are expected in the fall.

The proposed rule on a National Health Plan Identifier is being developed within HHS with publication expected late in 2005 or early in 2006.

Transactions and Code Sets

In November 2003, the NCVHS recommended that the Department initiate the regulatory process for the concurrent adoption of ICD-10-CM and ICD-10-PCS as HIPAA standards for national implementation as replacements for current uses of ICD-9-CM, Vol. 1, 2 and 3.  This recommendation is still under review by the Department.

The NCVHS Quality Workgroup completed a report on Measuring Health Care Quality in May 2004; the report included a number of candidate recommendations for enhancing the data included in the HIPAA claim standard for quality measurement.  In November 2004, the NCVHS recommended to the Department that the next version of the Uniform Bill for Hospitals (UB-04) and the ANSI ASC X12N 837I HIPAA Implementation Guide be revised to facilitate reporting of a diagnosis indicator to flag diagnoses that were present on admission in secondary diagnosis fields for all inpatient claims transactions.  The National Uniform Billing Committee is developing coding guidelines for implementing this recommendation.

Standards for Patient Medical Record Information

In addition to a focus on administrative simplification in healthcare, HIPAA directed the NCVHS to study issues regarding electronic exchange of patient medical record information (PMRI). The Committee’s 2000 report and subsequent recommendations in 2002 and 2003 served as the foundation for standards to be adopted through the Consolidated Health Informatics (CHI) Initiative, one of the federal E-Government initiatives established by OMB. The CHI goal is to adopt uniform standards to promote interoperability of clinical information in the federal healthcare enterprise. Recently the CHI activities became part of the Federal Health Architecture (FHA), which is operated by the Office of the National Coordinator for Health Information Technology (ONCHIT) and led by Dr. David J. Brailer. Nearly all federal agencies involved in the healthcare industry participate in the FHA. The general partner group has 15 federal departments or agencies participating in the FHA Partner Council with approximately 350 people participating in FHA’s e-community.

The NCVHS Workgroup on the National Health Information Infrastructure (NHII) heard testimony about PMRI standards on July 23, 2004 at the second Secretarial HIT Summit and NHII 04 Conference. As a result of testimony from each of the conference break out groups, the Committee made recommendations to HHS on September 8, 2004 (https://ncvhs.hhs.gov/rrp/september-8-2004-letter-to-the-secretary-on-the-health-it-nhii-summit/), which identified areas where more work is needed to advance the ONCHIT Framework for Strategic Action. Previous recommendations included naming a core set of PMRI standards for adoption, a policy of guidance and incentives for encouraging use of the standards, suggestions for mapping among the various terminology standards, and areas for further research. Further suggested was naming the National Library of Medicine (NLM) as the central coordinating body for the PMRI terminology standards. Many of these recommendations are currently being implemented through the FHA activities.  NCVHS believes that the federal adoption of the CHI standards will profoundly impact the private industry by providing the impetus to accelerate the convergence and voluntary adoption of standards in a broader context.

HHS Outreach Activities

Within HHS, the Secretary has assigned responsibility for implementation and enforcement of the HIPAA regulations to two organizations: the Office for Civil Rights (OCR) is responsible for the privacy rule and the Centers for Medicare and Medicaid Services (CMS) is responsible for the rest of the administrative simplification standards.

In addition, the NCVHS has a prominent role in monitoring the implementation of HIPAA’s administrative simplification standards. Both CMS and OCR have employed extensive multi-faceted outreach strategies to educate the public about HIPAA Administrative Simplification requirements. Elements of the strategy include informative web sites, frequently asked questions, teleconferences, toll free hotlines and targeted technical assistance materials.

National Committee on Vital and Health Statistics

Private Sector Input About HIPAA Administrative Simplification
The Committee has continued to serve as the Department’s primary liaison with the private sector to obtain the views, perspectives, and concerns of the interested and affected parties, as well as their input and advice, on health data standards and privacy. During 2004 and through April 2005, the focus of NCVHS public hearings and committee deliberations about HIPAA Administrative Simplification was on implementation issues, industry readiness, obstacles in achieving successful implementation, and issues relating to implementation of the privacy rule.

The March 31, 2004 NCVHS hearing resulted from a request by the Designated Standards Maintenance Organization (DSMO) membership for the Committee to address implementation issues related to the standard for electronic billing of supplies, issues which were initially raised in 2001. The Committee recommended the continued use of the National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard Version 5.1 for billing supplies consumed or used during the administration of a drug therapy or commonly dispensed through a retail pharmacy channel. When the use of the National Drug Code (NDC) designated standard code set within the NCPDP standard is not possible, the Committee recommended the continued use of the Universal Product Code (UPC) and the Health Related Item Code (HRI) be allowed.

In general areas of HIPAA implementation, the leadership from the Workgroup for Electronic Data Interchange (WEDI) testified to the Subcommittee on Standards and Security on May 26, 2004. WEDI reported on the healthcare industry’s progress focusing on private sector issues. Their recommendations were consolidated into issues needing immediate, ongoing and strategic or longer-term attention. WEDI emphasized the need for (1) a continued focus on full compliance while maintaining contingency plans with timelines to “move beyond”; (2) a renewed effort to identify and promote benefits of other transactions and moving toward them (i.e., contingency plans and data content standardization); (3) a requirement for the use of a standard acknowledgement transaction along with more clarity on reporting; and (4) a comprehensive review of coordination of benefits issues, especially the need for a health plan identifier. Other suggestions included developing standardized test data; expediting changes to the standards; addressing standard data content issues more timely; restructuring to a coordinated and annual code set maintenance schedule; and specifying code values on instructions. Strategic issues focus on the need to consider ways of drawing healthcare providers into the standards development process, boosting overall participation in the Standard Development Organizations (SDO), and balancing the DSMO representation. Two general concerns expressed were the importance of pilot testing the standards in order to identify changes needed before their adoption and the validating of costs and benefits prior to final rules.

Progress of the DSMO activities was reported to the Subcommittee on Standards and Security by the 2004 DSMO Chair on February 2, 2005. The role of the DSMO is to maintain the standards adopted by the Secretary and to establish criteria for the processes to be used in such maintenance. The DSMO Chair reported the DSMO process improvements, which covered a period of 16 months and reflected the receipt of 35 change requests for the transaction standards. The monthly volume dropped from eleven to four over this period with twelve requests considered ones that would significantly impact the use of the standard and the remainder being simple clarifications. The DSMO did not receive any requests for appeals as opposed to one appeal during the previous annual DSMO report. A significantly lower number of change requests was noted since the last DSMO reporting period (a drop of 63 percent). The reason for this decline was unclear with speculation by the DSMO membership cited as being due to the maturity of the healthcare industry’s implementation of the current HIPAA transaction standards and that the requests were being submitted directly to each standards group (DCCs and SDOs) rather than through the DSMO change request system.

The most recent testimony to the Subcommittee on Standards and Security about the healthcare industry’s experience with implementing the HIPAA standards was heard on April 6, 2005. The hearing provided a forum to report implementation issues with standards for financial and administrative transactions and the national provider identifier (NPI). Testimony included reports of financial results such as early and general perspectives on the industry’s return on investment (ROI) after implementing HIPAA and specific recommendations about NPI pre-implementation.

Blue Cross Blue Shield (BCBS) of Arkansas reported that the cost to implement HIPAA has been greater than originally estimated with the benefits lower than originally projected. Their comparison is based on the 1993 WEDI cost-benefit study, which projected a $29 billion savings over ten years. Arkansas BCBS acknowledged that a greater positive impact will be achieved once providers engage in the full suite of HIPAA transactions, which was also identified within the WEDI report. One area that added to higher implementation costs resulted from the need to run concurrent pre-HIPAA and HIPAA-compliant systems during the extended HIPAA compliance period for standard transactions and code sets. Further testimony from physician and provider groups, WEDI, and health information technology (HIT) vendors and clearinghouses generally supported the correlation between improved ROI and the full or improved implementation of HIPAA transactions.

The American Hospital Association expressed concerns about implementing the NPI standard suggesting an incremental approach and the need for a central authority to effectively respond to questions and concerns about the NPI.  It was suggested that the central authority be the source for clear and authoritative responses about general NPI issues and questions, subpart guidance in relationship to federal programs, bulk enumeration procedures, and enumeration progress reports.

The NCVHS Subcommittee on Privacy and Confidentiality has held many hearings about HIPAA standards since the implementation of the HIPAA Privacy Rule (April 14, 2003-2004).  The initial hearings held in November 2003 and reported to HHS in March 2004 provided feedback from the public and private sectors about the privacy regulation’s impact on public health and research, healthcare providers, health plans, and consumers. In general, witnesses reported less anxiety and confusion since passage of the initial compliance date and identified the need to continue expanding outreach and to provide more public education activities so that the rule can be implemented effectively.

An additional series of privacy hearings were held in February and July 2004 and focused on the impact of the rule specific to the areas of banking, schools, law enforcement, fundraising, marketing and media access.  One critical issue addressed was whether other privacy laws adequately protect health information held by financial institutions exempt from HIPAA under Section 1179. After witness testimony, NCVHS recommended the following:

  • HHS should clarify the nature of the Section 1179 exception for financial institutions when engaged in processing health care transactions. Specifically, clarification is needed from HHS about whether the exception applies to consumer-initiated transactions (e.g., credit card or check payments), covered entity-initiated payment transactions, or both.
  • Until HHS clarifies the Section 1179 exception, HHS should recommend to health care providers and payers that they use business associate agreements with financial institutions.
  • Regardless of the technical status of financial institutions under the law and the regulation, HHS should consider whether encryption should be required for Protected Health Information (PHI) moving through the Automated Clearing House (ACH), to ensure that it is available only to final recipients.

The effect of the privacy rule on schools addressed during the February 2004 hearings pertained to the control of health information disclosures by covered entities (such as family physicians) to schools in situations where the information is needed in the school setting. While covered entities under the privacy rule may disclose PHI to public health authorities for public health activities, there is no provision permitting covered entities to disclose PHI to schools for purposes such as for tracking immunizations. Based on the oral and written testimony presented at the hearing, NCVHS recommended the following:

  • HHS should continue to work with the U.S. Department of Education to clarify how the privacy rule and Family Educational Rights and Privacy Act of 1974 (FERPA) interact with respect to confidentiality of school health records, and where possible to harmonize these regulations and issue guidance.
  • HHS should make special efforts to focus its outreach and education activities, in a timely manner, on schools, physicians, and State health departments to clear up any confusion regarding the permissible disclosures of health information in the context of dealing with the health needs of students in the school setting.
  • HHS should regard disclosure of immunization information to schools as a public health disclosure, thereby permitting providers to disclose this information to appropriate school officials without an authorization.
  • HHS should clarify that disclosure of health information to school health personnel in the context of dealing with the health needs of students is a disclosure for treatment, and thus possible without an authorization.

Based on limited oral and written testimony presented in the February 2004 hearings about the effect of the privacy rule on law enforcement, the Committee framed its recommendations in the context of drug diversion activities. NCVHS recommended that HHS work with the U.S. Department of Justice’s Drug Enforcement Administration (DEA) to educate providers that communicating information about drug diversion or complying with State reporting requirements is permissible under the HIPAA Privacy Rule.

The Committee has addressed marketing in several prior hearings and letters to the Department. For this reason the Subcommittee on Privacy and Confidentiality requested that two previous witnesses (the general counsel of the National Association of Chain Drug Stores [NACDS] and a representative of the Georgetown University Health Privacy Institute) address the privacy rule’s marketing provisions during the July 2004 hearings. Based on the testimony, NCVHS highlighted three areas of concern to be explored by HHS as follows:

  • HHS should explore whether to require the disclosure of the financial and other arrangements when covered entities and commercial entities collaborate to approach individuals with recommendations that they utilize specific health care products and services.
  • HHS should explore whether to require that covered entities and their business associates take specific measures to prevent the incidental disclosure of PHI in communications promoting products and services.
  • HHS should explore whether it would be feasible and desirable to permit individuals to opt out of further communications regarding products and services.

Also during the July 2004 NCVHS hearings, the subcommittee heard from witnesses who had previously testified about the impact of the privacy rule on fundraising prior to the rule’s compliance date of April 2003.  The witnesses had predicted that prohibiting disclosure of patient service department information would adversely affect the fundraising activities of many nonprofit health care institutions. In particular, large general hospitals would be unable to target specialized fundraising efforts to patients who were treated, for example, in their ophthalmology or cardiology departments. By contrast, specialty hospitals, by their very nature, would have this information. The witnesses’ testimony in July 2004 expressed that their experience with the privacy rule had confirmed their fears about the likely consequences of the Rule. Based on the oral and written testimony, NCVHS recommended the following:

  • HHS should allow covered entities and institutionally related foundations to use information related to the patient’s department of service for fundraising activities without the requirement to secure a patient’s authorization.
  • Department of service information should apply only to broad designations (e.g. surgery, oncology, but not narrower designations), and the privacy rule should retain the prohibitions on disclosure of information relating to diagnosis and treating physician.
  • The covered entity’s notice of privacy practices should inform patients that their department of service information may be used in fundraising, and patients should be afforded the opportunity to decline to permit their department of service information to be disclosed for fundraising or to opt out of all fundraising contacts.

The most recent HIPAA recommendations to the Secretary by the Committee (March 4, 2005) reflect the testimony heard by the Subcommittee on Privacy and Confidentiality about the impact of the Security Standard for Electronic Protected Health Information (Security Rule). In November 2004 witnesses from the Veterans Health Administration (VHA), the Food and Drug Administration (FDA), and various manufacturers of FDA regulated software and medical devices voiced concerns about the challenges with bringing medical devices into compliance with the Security Rule as well as providing effective security. Based on the oral and written testimony, NCVHS recommended the following:

  • HHS should provide guidance to covered entities to assist them to bring medical equipment into compliance with the Security Rule and to otherwise take appropriate steps to make medical equipment secure (e.g. protection from viruses that may impact the proper functioning of the medical equipment).
  • HHS should provide clarification regarding the compliance obligations of covered entities with non-compliant and non-upgradeable legacy medical devices. A range of options should be considered based on the nature of the equipment, its replacement cost and life expectancy, patient safety implications, security problems, and the possibility of protecting the security of PHI through other means.
  • HHS should develop guidance to assist medical device manufacturers to provide medical device functionality consistent with the Security Rule, as well as address reasonable security risks.
  • HHS should support industry efforts to have medical device manufacturers self report the capability of their medical devices consistent with the Security Rule.

The Public Health Data Standards Consortium has continued to be a key organization in the implementation of administrative simplification in the public health and health services research arenas. During this time period, the Consortium provided input for the development of the next version (5010) of the American Standards Committee (ASC) X12 837 Health Care Service: Data Reporting Guide. The guide provides a standardized format and data content for reporting health care service data that are compatible with the 837 Health Care Claim transaction set standards identified by HIPAA.  The guide provides assistance in developing and executing the electronic transfer of health care systems data for reporting purposes to local, State, and Federal agencies that utilize the data for monitoring utilization rates, assessing patterns of health care quality and access, and other purposes required by legislative and regulatory mandates. The new version of the guide provides additional data capability for pay-for-performance initiatives.  The Consortium has also served as a vehicle for educating, discussing and disseminating information related to the guide to State and local healthcare organizations and agencies.

IV. Conclusions

The NCVHS reaffirms the importance of the HIPAA Administrative Simplification initiative and urges the Secretary to expedite the publication of the remaining rules. A high level of adoption for the healthcare claims transaction standard has been achieved, although this same level has not occurred for standards in eligibility, enrollment, health claim remittance, health claim status and the coordination of benefits. The low level of adoption has delayed the achievement of efficiencies and industry cost savings with the full economic benefits of Administrative Simplification to be realized only when the entire suite of standards is implemented. In addition, the delays in promulgation of the regulations for provider and health plan identifiers have slowed the realization of expected benefits by the healthcare industry. Congressional support is needed for additional resources to enable the Department to accelerate the promulgation of the remaining HIPAA standards as well as to provide appropriate levels of industry education, which includes efforts to educate the healthcare industry about the Privacy Rule.