November 12, 2002
The Honorable Dennis Hastert
Speaker of the House of Representatives
Washington, D.C. 20515
Dear Mr. Speaker:
I am pleased to transmit our Fifth Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act (HIPAA). In compliance with Section 263, Subtitle F of Public Law 104-191, the report was developed by the National Committee on Vital and Health Statistics (NCVHS), the public advisory committee to the U.S. Department of Health and Human Services on health data, privacy, and health information policy, and covers the period January 2001 through August 2002.
The Administrative Simplification provisions of HIPAA require the Secretary of Health and Human Services (HHS) to adopt a variety of standards to support electronic interchange for administrative and financial health care transactions, including standards for security and privacy to protect individually identifiable health information. In addition, the statute gives expanded responsibilities to the National Committee on Vital and Health Statistics for advising the Secretary on health information privacy and on the adoption of health data standards. The Committee is further directed to submit an annual report to Congress on the status of implementation of the Administrative Simplification effort.
As described in our report, significant progress occurred on several HIPAA Administrative Simplification standards during the past year. NCVHS applauds these accomplishments and reaffirms the importance of the HIPAA administrative simplification initiative for improving the efficiency and effectiveness of the health care system in the U.S. However, the full economic benefits of Administrative Simplification will only be realized when all of the standards are in place, and implementation activities and resource planning in the industry will be more effective when the entire suite of standards is finalized. Accordingly, we encourage the Secretary of HHS to expedite the publication of the remaining rules without delay, and urge Congress to provide sufficient resources and support to assure successful implementation of this important initiative.
We hope that you will find this fifth annual report informative and look forward to continued progress on these important issues for the nation’s health system. If you or your staff would like a briefing presentation on any of our past or anticipated activities, please let me know.
We are committed to improvements in health information systems that will enhance the quality of health care, lower costs, and facilitate access to care in the U.S.
Sincerely,
/s/
John R. Lumpkin, M.D.
Chair, National Committee on Vital and Health Statistics
Enclosure
Identical letters to:
Richard Cheney
President of the Senate
Washington, D.C. 20510
The Honorable Max Baucus
Chairman
Committee on Finance
219 Senate Dirksen Office Building
United States Senate
Washington, D.C. 20510
The Honorable Edward M. Kennedy
Chairman
Committee on Health, Education, Labor and Pensions
428 Senate Dirksen Office Building
United States Senate
Washington, D.C. 20510
The Honorable Bill Thomas
Chairman
Committee on Ways and Means
U.S. House of Representatives
1102 Longworth House Office Building
Washington, D.C. 20515
The Honorable W.J. “Billy” Tauzin
Chairman
Committee on Energy and Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, D.C. 20515
The Honorable John A. Boehner
Chairman
Committee on Education and the Workforce
U.S. House of Representatives
2181 Rayburn House Office Building
Washington, D.C. 20515
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Administrative Simplification in Health Care: 2001
Annual Report to Congress on the Implementation
of the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act
Executive Summary
Overview
Enacted in 1996 with the widespread support of the industry and bipartisan support in Congress, the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services (HHS) to adopt standards to support electronic data interchange for a variety of administrative and financial health care transactions, including standards to protect the security of the information. Within 24 months of their adoption, the standards are required for use by health plans, clearinghouses, and providers who transmit or maintain such information electronically. Small plans have another 12 months to comply. The law also includes provisions for standards for the protection of the privacy and confidentiality of health information.
The purposes of these provisions are to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the use of electronic methods for transmission of health information through the establishment of standards and requirements for electronic transmissions.
In addition, the statute gives expanded responsibilities to the National Committee on Vital and Health Statistics (NCVHS), including advising the Secretary of Health and Human Services on health information privacy and on the adoption and implementation of health data standards. In section 263, the Committee is further directed to submit an annual report to Congress on the status of implementation of the Administrative Simplification effort. This report is the fifth of those annual reports on implementation and covers the period January 2001 through August 2002.
Major Milestones Achieved on HIPAA Standards for Privacy of Individually Identifiable Health Information
In December 2000, HHS issued final regulations outlining Standards for Privacy of Individually Identifiable Health Information. The final regulations were issued in compliance with HIPAA requirements that directed HHS to issue regulations after a Congressional deadline passed without the enactment of federal health information privacy legislation. On February 28 2001, in response to some industry concerns, HHS issued a Federal Register notice inviting public comment on the final regulation. The comment period concluded on March 30, 2001. The effective date for the final privacy regulation was subsequently announced as April 2001, and the compliance date is April 2003 (April 2004 for small plans). The final modifications to the health information privacy rule were issued in August 2002.
Based on the comments on the final rule, HHS subsequently issued guidelines in July 2001 on how several elements of the rule should be implemented. In addition, HHS issued proposed modifications to the health information privacy regulations on March 27, 2002.
To assist HHS and the industry in the development of modifications to the rule, the NCVHS held two days of public hearings in 2001. Based on these hearings, the NCVHS developed recommendations to HHS relating to the rule s requirements for informed consent to use information for treatment, payment and health operations, minimum necessary disclosure, and the impact of the rule on research. A copy of the NCVHS letter outlining the recommendations is available on the Committee’s website. A second set of hearings was held in January 2002 to gather additional testimony related to marketing and fund-raising, and the NCVHS has submitted recommendations to HHS in those areas as well.
The NCVHS applauds the release of the privacy rule and modifications as major milestones. The Committee views health information privacy protection as a foundation for the full complement of health care administrative simplification standards, and for progress on additional information technology applications to improve the health of the population and the efficiency and effectiveness of the health system.
Compliance Date Extended for Administrative Transactions and Code Set Standards
During 2001, Congress responded to industry requests to extend the transactions standards compliance date for one year until October 16, 2003. The compliance date for small health plans is unchanged. The Administrative Simplification Compliance Act (ASCA) was signed into law on December 27, 2001 (P.L. 107-105). The law provides for a 12 month extension in transaction and code set compliance. The extension applies to covered entities that submit a compliance extension plan to HHS before October 16, 2002 summarizing how they will come into compliance by the following October. Under the law, health care plans and providers must submit information on their compliance activities, including budget, assessment of compliance concerns, whether a contractor or vendor might be used to help achieve compliance, and a schedule for testing to begin no later than April 16, 2002. The law also directs HHS to issue a model form for the compliance extension plans by March 31, 2002. The model form is available on the CMS website. In addition, HHS is instructed to provide a sample of compliance extension plans to the NCVHS, which will analyze the information as a basis for publicizing solutions to identified problems. HIPAA’s privacy time lines are unaffected.
Based on testimony from the industry, the NCVHS believes that the one year extension in compliance is a welcome and useful development if the extra time is spent in constructive implementation efforts. To ensure the most productive use of this time, it is incumbent on the industry to direct focused effort and resources on implementing the standards. The burden of responsibility falls equally on HHS to issue the final and proposed rules needed to support strategic implementation efforts. Accordingly, as it has indicated in two letters to HHS, the Committee calls again on HHS to issue the two final rules that outline needed essential changes to the transactions rules that the Committee has already recommended without delay, as well as the final security standards rule.
Modifications Proposed to Transactions Standards
During May 2002, HHS issued two Notices of Proposed Rule Making that would modify aspects of several of the transaction standards as requested by the industry. One NPRM would adopt two technical implementation specifications for electronic retail pharmacy claims. The first set of specifications would adopt the National Council for Prescription Drug Programs Batch Standards Implementation Guide, (Version 1, Release 1) and would repeal the adoption of the National Drug Codes as the standard medical code set for reporting drugs and biologics in all standard electronic transactions except for retail pharmacy transactions. The second NPRM proposed certain modifications to the HIPAA electronic transactions standards recommended by the Designated Standards Maintenance Organizations. Drafts of these modifications have been published as addenda to the technical implementation guides.
Final Rule Issued for National Employer Identifier Standard
In May 2002, HHS issued a final rule adopting the Employer Identification Number (EIN) as the standard unique identifier for employers in the filing and processing of health care claims and other HIPAA transactions. The EIN is issued and maintained by the Internal Revenue Service.
Progress on Security Standards and Other Identifiers
Although work continued within HHS on the adoption of the remainder of the HIPAA administrative simplification standards, no proposed or final rules were issued in 2001.
Standards for Patient Medical Record Information
In addition to a focus on administrative simplification in health care, HIPAA directs the NCVHS to “…study the issues related to the adoption of uniform data standards for patient medical record information and the electronic interchange of such information, and report to the Secretary of Health and Human Services not later than August 2000 on recommendations and legislative proposals for such standards and electronic interchange.” As a result, the NCVHS developed a report on Issues and Opportunities for Standards for Patient Medical Record Information. The report describes the clinical and economic benefits that would result from electronic medical record information, and identifies the major impediments to electronic exchange of patient medical record information.
During 2001, the NCVHS began the next step of assessing and evaluating potential PMRI standards that might be recommended for adoption in the U.S. The first set of specific standards that the NCVHS focused on was message format standards. The recommendations for message format standards were submitted to HHS in March 2002, and are available on the NCVHS website.
Implementation Issues
Even as the industry debated the need for additional time to comply with the administrative transactions and code sets standards, many organizations in the health care industry took a proactive stance in the planning and coordination of HIPAA standards implementation activities. There are increasing indications that HIPAA Administrative Simplification implementation now ranks among the top IT priorities in the health care sector. Based on public hearings conducted by the NCVHS Subcommittee on Standards and Security and the Subcommittee on Privacy and Confidentiality during 2001, the Committee has identified the following implementation issues.
- Issuance of Remaining HIPAA Standards Needed to Ensure Effective and Efficient Implementation
While the one year extension afforded by the ASCA allows additional time for covered entities to implement the transactions standards, implementation efforts will remain sub-optimal until all of the remaining HIPAA standards are finalized, including the fast track changes already recommended to the transaction rule and the final security standards rule. The NCVHS urges the Secretary to issue the remaining standards without delay.
- HHS Resources Needed in Promoting Industry HIPAA Implementation
The NCVHS recommends that not only should the Department closely monitor the progress of national implementation, but it must devote sufficient resources to ensure there is adequate technical support, education, and testing. The need for resources and outreach applies to both the transactions standards and the privacy standards.
- Funding Needed to Deploy Identifiers
Adequate funding is needed to build the infrastructure and obtain necessary support to deploy the HIPAA identifiers, especially the provider and health plan identifiers, in a timely manner. The timely availability of HIPAA identifiers is crucial for obtaining the expected benefits of electronic transactions.
- Uniform Testing and Compliance with HIPAA Standards Needed
The NCVHS believes that HHS should take an active role in providing support for uniform compliance certification. The role should include activities such as “certifying the certifiers” so that purchasers would not be misled by unsupported claims of HIPAA-compliant software or services.
Conclusion
The NCVHS reaffirms the importance of the HIPAA Administrative Simplification initiative and urges the Secretary to expedite the publication of the remaining rules. The enactment of the one year extension for compliance only increases the urgency of the situation. The full economic benefits of Administrative Simplification will only be realized when all of the standards are in place, and implementation activities and resource planning in the industry will be more effective when the regulatory framework for the entire suite of standards is final.
ANNUAL REPORT TO CONGRESS
ON THE IMPLEMENTATION OF HIPAA
CONTENTS
Executive Summary
I. Introduction
A. Background
B. Purpose of Report
C. Content of Report
D. Statutory Requirements
II. Implementation Process
A. DHHS Implementation Strategy
B. Guiding Principles
C. Private Sector Consultation
D. NCVHS HIPAA-Related Hearings
E. Outreach to Public Health and Health Services Research
F. NCVHS Comments on NPRMs
G. NCVHS Liaison with HHS
III. Progress to Date
A. Transaction Standards and Code Sets
B. Standard Identifiers
C. Standards for Security and Electronic Signatures
D. Claims Attachment Standards
E. Standards for Privacy of Individually Identifiable Health Information
F. Standards for Patient Medical Record Information
G. Outreach, Education and Industry Partnerships
H. Establishment of the DSMO Process
I. Industry Implementation Efforts
J. State of Industry Response to HIPAA
IV. Implementation Issues
A. HHS Resources in Promoting Industry HIPAA Implementation
B. Funding to Deploy Identifiers
C. Testing and Compliance with HIPAA Standards
D. Data Availability Gap
E. Electronic Signature Standards
F. Code Set Issues
V. Conclusions
I. INTRODUCTION
A. Background
A considerable portion of every health care dollar continues to be spent on administrative overhead. In health care, this overhead includes many tasks, such as:
- filing a claim for payment from an insurer,
- enrolling an individual in a health plan,
- paying health insurance premiums, and
- checking insurance eligibility for a particular treatment
Today these processes involve numerous paper forms, faxes and telephone calls, and many delays in communicating information among different locations. This situation creates difficulties and costs for health care providers, health plans, and consumers alike.
The burden of these costs affects everyone involved in the health care system, including the typical health plan that continues to process mountains of paper forms that differ in content from one plan to another, the typical physician who bills multiple health plans with their varying forms and formats, and who must respond to additional requirements imposed by managed care organizations, and the typical consumer, who ultimately pays for administrative burden.
To address these problems, the health care industry, including both public and private sectors, has worked to develop standards to improve the way in which transactions are exchanged electronically. However, economic pressures have prevented competing parties from adopting a uniform set of such standards. At the request of the industry and with bipartisan support, Congress enacted the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has estimated that full implementation of these provisions are expected to provide a net savings to the health care industry of $11 billion over ten years. In fact, such savings raise the possibility of helping to improve the quality of health care by freeing up resources now devoted to paperwork and administration.
B. Purpose of This Report
The purpose of this report is to describe the status of implementation of the administrative simplification provisions of HIPAA during 2001, the fifth year after enactment of the law. Congress gave the NCVHS the role of advising HHS on the adoption of standards, monitoring implementation of Administrative Simplification, and reporting annually on its progress. During 2001, the Committee has monitored the process of standards adoption and the issuance of proposed standards, as carried out by the Government and its advisory bodies. In addition, now that some of the standards have become finalized and attention turns to their implementation, the NCVHS has begun to examine and report on implementation issues, the rate of implementation and the growth of electronic data interchange (EDI) in the health care industry.
C. Content of the Report
Although this report was requested by the Congress, it is directed at the industry and the public as well. The report begins with a review of the requirements of the statute, including the implementation timetable required by the law, and the expanded responsibilities of the NCVHS. The report then outlines the implementation process, which involves the Department of Health and Human Services, other Federal agencies, the States, the NCVHS, the industry, and the public health and research communities. Next, the status of implementation of each of the standards required by HIPAA is reviewed. Discussion follows in which the NCVHS highlights several readiness and implementation issues and how the NCVHS intends to monitor implementation in the future.
D. Requirements of HIPAA Administrative Simplification
The Administrative Simplification provisions, Title II, Subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services (HHS) to adopt standards for the electronic transmission of administrative and financial health care transactions, including data elements and code sets for those transactions; for unique health identifiers for health care providers, health plans, employers, and individuals for use in the health care system; and for security standards to protect individually identifiable health information. The law also outlines a process leading to standards for protecting the privacy and confidentiality of health information. In addition, these provisions gave special responsibilities to the NCVHS to advise the Secretary on establishing privacy standards.
The purposes of these provisions are to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the use of electronic methods for transmission of health information through the establishment of standards and requirements for covered electronic transmissions.
1. Requirements for Standards
The standards required under the law include:
- Standards for specific transactions:
Health claims or equivalent encounter information
Enrollment and disenrollment in a health plan
Eligibility for a health plan
Health care payment and remittance advice
Health plan premium payments
First report of injury
Health claim status
Referral certification and authorization
Claims attachments (The law allows an additional twelve months for the adoption of the claims attachment standard.)
- Code sets and classification systems for the data elements of the transactions
- Unique identifiers for health plans, health care providers, employers, and individuals for use in the health care system
- Security and electronic signature standards and safeguards to protect health information during transmission and while stored in health information systems, to ensure the integrity of the information, and to protect against unauthorized use and disclosure.
- Coordination of benefits and sequential processing of claims.
HIPAA also outlined a process leading to standards to protect the privacy of individually identifiable health information. Specifically, HIPAA directed the Secretary to submit recommendations to Congress for privacy protections. In September 1997, the HHS Secretary delivered detailed recommendations to Congress for federal privacy legislation to protect individually identifiable health information. In those recommendations, the Secretary urged Congress to pass comprehensive and balanced privacy legislation. Since Congress did not subsequently enact a privacy protection statute by August 1999, the Secretary was required by HIPAA to issue final regulations to protect the information transmitted in connection with the HIPAA administrative transaction standards.
Under the law, the Secretary may also establish standards for other financial and administrative transactions that he determines to be appropriate and that are consistent with the goals of improving the operation of the health care system and reducing administrative costs. This provision permitted designation of coordination of benefits as one of the standard transactions being adopted.
The standards apply to all health plans, health care clearinghouses, and health care providers that transmit health information in electronic form. Health plans are required to accept standard transactions submitted electronically by health care providers, and health plans cannot delay or otherwise adversely affect such transactions. Health plans and health care providers may submit or receive transactions directly or indirectly through the use of health care clearinghouses.
2. Timetables
The Health Insurance Portability and Accountability Act, which was enacted on August 21, 1996, specified the following implementation schedule:
- The Secretary’s recommendations for protecting the privacy of individually identifiable health information were due within 12 months of the date of enactment. Because Congress did not subsequently enact a privacy protection statute by its statutory, self-imposed deadline of August 1999, the Secretary was required to issue final regulations establishing privacy standards by February 21, 2000.
- Standards for transaction sets, code sets, unique identifiers, and security and electronic signatures were to be adopted within 18 months of enactment, except for standards for claims attachments, which were due within 30 months of enactment.
- Health plans, health care clearinghouses, and health care providers who conduct electronic transactions must comply with the standards within 24 months of their adoption. Small plans are given an additional 12 months to comply.
Because of the extensive consultation and collaborative effort among HHS, the NCVHS and all segments of the health care industry and the significant demands of the federal regulatory process itself, it was not possible to meet the original timetables outlined in the law. However, the NCVHS is certain that the time and effort expended in the public, open consultation and collaboration process has both vastly improved the ultimate outcomes of HIPAA, and helped to facilitate implementation of the adopted standards.
3. Expanded Responsibilities for the NCVHS
The statute significantly expanded the responsibilities of the NCVHS. In selecting standards for adoption, the Secretary is required to rely on the recommendations of the NCVHS. Subtitle F also requires the NCVHS to report to the Secretary, within four years of the passage of HIPAA, with recommendations and legislative proposals for the adoption of uniform data standards for patient medical record information and the electronic exchange of such information. Finally, Subtitle F requires the NCVHS to submit to Congress an annual report on the status of the Administrative Simplification effort.
Specifically, the requirement for the annual report states:
“ SEC. 263 (7) Not later than 1 year after the date of enactment of the Health Insurance Portability and Accountability Act of 1996, and annually thereafter, the Committee shall submit to the Congress, and make public, a report regarding the implementation of Part C of title XI of the Social Security Act. Such report shall address the following subjects, to the extent that the Committee determines appropriate:
“ (A) The extent to which persons required to comply with part C of title XI of the Social Security Act are cooperating in implementing the standards adopted under such part.
“ (B) The extent to which such entities are meeting the security standards adopted under such part and the types of penalties assessed for noncompliance with such standards.
“ (C) Whether the Federal and State Governments are receiving information of sufficient quality to meet their responsibilities under such part.
“ (D) Any problems that exist with respect to implementation of such part.
“ (E) The extent to which timetables under such part are being met.”
II. IMPLEMENTATION PROCESS
A. Department of Health and Human Services (HHS) Implementation Strategy
The Secretary of HHS formulated a comprehensive strategy for adopting and implementing the standards mandated under Administrative Simplification:
- Establish interdepartmental implementation teams to identify and assess potential standards for adoption.
- Develop recommendations for standards to be adopted.
- Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period.
- Analyze public comments and publish the final rules in the Federal Register.
- Establish low-cost distribution mechanisms for standards and implementation guides.
- Monitor the implementation of the standards to determine if additions or modifications to the standards are needed.
This implementation strategy was designed to assure coordination among HHS agencies, participation by other Federal departments, as well as interaction with the industry and the research and public health communities. Responsibilities within HHS were distributed across three interrelated organizational components: the HHS Data
Council, the Data Council’s Health Data Standards Committee, and the Implementation Teams. The HHS Data Council, the Department s senior internal data policy body, was given the responsibility to coordinate and oversee implementation of Administrative Simplification by the Secretary. The Council reports to the Secretary and consists of representatives from each major operating and staff division within HHS. As a senior policy guidance and decision-making body, the Council has been designated to guide the process and report to the Secretary on the progress of the standards and privacy efforts. The Data Council also serves as the contact point for the NCVHS and resolves issues that cannot be resolved by the Data Council’s Health Data Standards Committee.
B. Guiding Principles
With significant input from the health care industry, the Implementation Teams charged with developing recommendations for national standards defined a set of principles for guiding their choices for standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA, the purpose of the law, and generally desirable principles. To be designated as a HIPAA standard, each standard should:
- Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions.
- Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
- Be consistent and uniform with the other HIPAA standards their data element definitions and codes and their privacy and security requirements–and, secondarily, with other private and public sector health data standards.
- Have low additional development and implementation costs relative to the benefits of using the standard.
- Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time.
- Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
- Be technologically independent of the computer platforms and transmission protocols used in electronic transactions, except when it is explicitly part of the standard.
- Be precise and unambiguous, but as simple as possible.
- Keep data collection and paperwork burdens on users as low as is feasible.
- Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.
C. Private Sector Consultation
The HHS implementation strategy was designed to afford many opportunities for interested and affected parties to participate in the standards development and adoption processes. They can:
- Participate in open process with standards development organizations.
- Attend numerous public meetings.
- Write to the Secretary of HHS.
- Provide written input to the NCVHS.
- Present written and oral testimony at public meetings of the NCVHS.
- Comment on the proposed rules for each of the proposed standards during the 60-day comment period.
- Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process.
D. NCVHS HIPAA-Related Hearings During 2001
The NCVHS continues to serve as the Department’s primary liaison with the private sector and continues to hold public hearings to obtain the views, perspectives, and concerns of interested and affected parties, as well as their input and advice on health data standards and privacy. In addition to providing numerous opportunities for the private sector to participate in the standards adoption process, these public hearings sponsored by the NCVHS helped maintain the openness and inclusiveness of the process.
During 2001, the focus of NCVHS public hearings and committee deliberations was on issues in early implementation of HIPAA, industry readiness, obstacles in achieving successful implementation, and issues relating to implementation of the privacy regulation. The NCVHS also dedicated a major effort to identifying and assessing candidates that might be recommended to HHS for adoption as Patient Medical Record Information Standards.
In addition, the Committee facilitated the operation of the Designated Standards Maintenance Organizations (DSMO) process leading to a series of recommendations for fast track modifications to the administrative simplification standards to ensure implementation. The DSMO process involves a Memorandum of Understanding among Organizations Designated to Manage the Maintenance of the Transactions Standards Adopted Under HIPAA, and reflects an unprecedented display of solidarity by these groups.
To enhance participation further, NCVHS public meetings are routinely broadcast live on the Internet with the help of the Department of Veterans Affairs. For those unable to attend or listen to the meetings as they occur, recordings of the live broadcasts are available also on the Internet. Agendas and transcripts of NCVHS hearings, minutes, announcements of public meetings, and schedules for future hearings are distributed through the NCVHS web site at:
https://ncvhs.hhs.gov
E. Outreach to Public Health and Health Services Research
The Committee continues to support the activities of the Public Health Data Standards Consortium, which was established in response to a consensus recommendation at the 1998 Workshop on Implications of the Administrative Simplification Provisions of HIPAA for Public Health and Health Services Research. The Consortium is serving as a mechanism for ongoing representation of public health and health services research interests in HIPAA implementation and other data standards setting processes.
The Consortium represents the federal and State perspectives on both the National Uniform Billing Committee (NUBC) and the National Uniform Claim Committee. (NUCC), two data content committees under HIPAA. Both seats were approved by the respective committees in 1999. Several federal and State Consortium members also attend and actively participate in both the ANSI ASC X12 and Health Level Seven (HL7) Standards Development Organizations.
During 2001, the Consortium received approval from ANSI ASC X12 to develop the health care service data reporting guide that will mine the claim/encounter standard for public health and related reporting. The guide will incorporate and standardize State reporting requirements for encounter data and will promote migration by States and others to a HIPAA compatible standard. The Consortium also continued other aspects of its educational strategy, including development of a web-based resource center.
F. NCVHS Recommendations to HHS
During 2001, the NCVHS provided comments on several implementation issues relating to the administrative transactions and code set standards, the privacy rule, patient medical records standards and their electronic interchange, and Improving Health through the National Health Information Infrastructure generally. The full text of the NCVHS comments and reports is available on the NCVHS website.
G. NCVHS Liaison with the Department of Health and Human Services
The NCVHS has participated with the Department in every aspect of the standards adoption process. Through the HHS Data Council, the NCVHS has submitted recommendations to the Secretary for standards to be adopted and on privacy guidelines and has provided comments on HHS NPRMs. The NCVHS Subcommittee on Standards and Security has worked closely with the Health Data Standards Committee and the Implementation Teams within HHS.
The NCVHS provides to, and receives from the Data Council, regularly scheduled reports and informal communications on HIPAA activities. The Data Council Chairperson or Executive Secretary attends NCVHS meetings, and the NCVHS Chair attends the monthly meetings of the Data Council. Upon request, the NCVHS also advises the Secretary on particularly sensitive and controversial issues.
III. PROGRESS TO DATE
A. Compliance Date Extended for Administrative Transactions and Code Sets in Health Care
While progress continued on industry readiness assessment and implementation planning for the suite of national standards for administrative transactions and code sets adopted as a final rule in 2000, Congress responded to industry requests to extend the compliance date for one year until October 16, 2003. The compliance date for small health plans is unchanged. The HIPAA Compliance Act was passed by Congress and signed into law on December 27, 2001 (P.L. 107-105).
The law provides for a 12 month extension in transaction and code set compliance. The extension applies to covered entities that submit a compliance extension plan to HHS before October 16, 2002 summarizing how they will come into compliance by the following October. The plan is to include an analysis of noncompliance and the reasons why, time lines and budget, and it is to indicate whether vendor services are envisioned. The law also directs HHS to issue a model form for the compliance extension plans by March 31, 2002. In addition, HHS is instructed to provide a sample of compliance extension plans to the NCVHS, who will analyze the information as a basis for publicizing solutions to identified problems. HIPAA’s privacy time lines are unaffected.
Based on testimony from the industry, the NCVHS believes that the one year extension in compliance is a welcome and useful development if the extra time is spent in constructive implementation efforts. To ensure the most productive use of this time, it is incumbent on the industry to direct focused effort and resources on implementing the standards. The burden of responsibility falls equally on HHS to issue the remaining final and proposed rules needed to support strategic implementation efforts.
Accordingly, the Committee calls again on HHS to issue the two final rules that outline needed essential changes to the transactions rules that the Committee has already recommended (retraction of the National Drug Codes requirement for institutional pharmacies and adoption of the DSMO recommended “Fast Track” modifications necessary to insure successful implementation) without delay.
The First Report of Injury transaction was not included in the NPRM or final rule for HIPAA transaction standards because at that time there was neither a millennium-compliant version of an implementation guide nor a complete data dictionary for the ASC X12N 148 – Report of Injury, Illness, or Incident transaction. The industry continues to make progress on this standard and HHS will assess the status of this standard in the coming year.
B. Standard Identifiers
-
National Provider Identifier
The Notice of Proposed Rulemaking for the National Provider Identifier was issued in the Federal Register for public comment in May 1998. Approximately 5,000 public comments were received. HHS has reviewed the public comments and has developed responses. No proposed or final rules were issued on this standard during 2001.
-
National Employer Identifier
In May 2002, HHS issued a final rule adopting the Employer Identification Number (EIN) as the standard unique identifier for employers in the filing and processing of health care claims and other HIPAA transactions. The EIN is issued and maintained by the Internal Revenue Service.
- National Plan Identifier
A NPRM relating to the National Health Plan/Payer Identifier is under development in HHS.
- Unique Health Identifier for Individuals
As directed by Congress, work on the HIPAA requirement for a unique health identifier for individuals has been suspended. The FY 2002 appropriations act includes a provision barring HHS from using any of its appropriated funds to
“… promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider) until legislation is enacted specifically approving the standard.”
C. Standards for Security and Electronic Signatures
A NPRM for Security and Electronic Signature Standards was issued on August 12, 1998. Approximately 2000 comments were received. HHS has reviewed the public comments and work is proceeding on the final rule, including harmonization with the privacy standards. The final rule for security standards is expected to be published in 2002. While the NPRM included criteria for an electronic signature standard, no consensus industry standard for electronic signature standards could be identified at the time that the proposed rule was published. At the request of the Commerce Department’s National Institute of Standards and Technology, HHS has deferred publication of the electronic signature standard to permit a more thorough assessment of evolving technology and current industry consensus on this issue. Inclusion of an electronic signature standard in the final rule on security standards will depend on industry progress on this issue and the outcome of these activities. For its part, the NCVHS is actively encouraging industry to move towards an electronic signature standard.
D. Standard for Claims Attachments
As noted above, the statute gave an additional 12 months for the adoption of standards for claims attachments. The NCVHS held public hearings on standards for claims attachments in 1998 and provided recommendations to HHS. Development of a NPRM on this standard is well underway within HHS, and a NPRM is expected to be issued for public comment in 2002. Issuance of this proposed rule is needed so that the industry can begin to plan for electronic claims attachments.
E. Standards for Privacy of Individually Identifiable Health Information – Major Milestone Achieved
During 2001 and 2002, major milestones were achieved in the area of national standards for protecting the privacy of individually identifiable health information. In December 2000, HHS issued final regulations outlining standards for Privacy of Individually Identifiable Health Information. The final regulations were issued in compliance with HIPAA requirements that directed HHS to issue regulations after a Congressional deadline passed without the enactment of federal health information privacy legislation. On February 28 2001, in response to some industry concerns, HHS issued a Federal Register notice inviting public comment on the final regulation. The 30 day comment period concluded on March 30. The effective date for the final privacy regulation was subsequently announced as April 2001, and the compliance date is April 2003 (April 2004 for small plans).
Based on the comments on the final rule, HHS subsequently issued guidelines on how several elements of the rule should be implemented in July 2001. In addition, HHS issued proposed modifications to the health information privacy regulations on March 27, 2002. Final modifications to the health information privacy rule were issued in August 2002.
To assist HHS and the industry in the development of modifications to the rule, the NCVHS held two days of public hearings involving over 30 representatives from all sectors of the health industry on selected provisions of the rule. Based on the hearings, the NCVHS developed recommendations to HHS relating to the following provisions of the rule:
- requirements for informed consent to use information for treatment, payment and health operations
- minimum necessary disclosure provisions of the rule, and
- impact of the rule on research.
A copy of the NCVHS letter outlining the recommendations is available on the Committee’s website. A second set of hearings was held in January 2002 to gather additional testimony related to marketing and fund-raising, and the NCVHS has submitted recommendations to HHS in these areas as well.
The privacy standards protect medical records and other personal health information maintained by certain health care providers, health plans and health care clearinghouses. They limit the non-consensual use and release of private health information, give patients new rights to access their medical records and to know who else has accessed them, restrict most disclosures of health information to the minimum needed for the intended purpose, and establish new requirements for disclosure of records to researchers and others.
The NCVHS supports and applauds this major milestone progress on national health information privacy standards. The Committee views health information privacy protection as a foundation for the full complement of health care administrative simplification standards, and for progress on additional information technology applications to improve the health of the population and the efficiency and effectiveness of the health system.
F. Standards for Patient Medical Record Information
In addition to a focus on administrative simplification in health care, HIPAA directs the NCVHS to “…study the issues related to the adoption of uniform data standards for patient medical record information and the electronic interchange of such information, and report to the Secretary of Health and Human Services not later than August 2000 on recommendations and legislative proposals for such standards and electronic interchange.” As a result, the NCVHS developed a report on Issues and Opportunities for Standards for Patient Medical Record Information. The NCVHS report and recommendations were submitted to the Secretary in July 2000.
The report describes the clinical and economic benefits associated with electronic medical record information, and concludes that the major impediments to electronic exchange of patient medical record information are
- limited interoperability of health information systems,
- limited comparability of data exchanged among providers,
- the need for better quality, accountability and integrity of data, and
- the need for adequate privacy protections.
The report did not actually include recommendations for specific PMRI standards, but it did include developmental recommendations relating to the following themes:
- selection of PMRI standards,
- acceleration of the development of such standards,
- early adoption of PMRI standards, and
- relationship of PMRI standards to other issues.
The recommendations have been presented to the HHS Data Council and circulated to HHS agencies. Progress reports indicate that a number of HHS agencies continue or have begun work on virtually all of the recommendations. The report is available on the NCVHS website.
During 2001, the NCVHS began the next step of assessing and evaluating potential PMRI standards that might be recommended for adoption in the U.S. The first set of specific standards that the NCVHS focused on was PMRI message format standards. The recommendations for PMRI message format standards were submitted to HHS in February 2002 and are available on the NCVHS website.
G. HHS Plan for Outreach, Education and Industry Partnerships
The Department has taken very seriously its responsibilities to ensure that the industry will be able to receive all of the information and assistance it will need to implement the standards. The statute requires that the Department provide a low-cost distribution method for the implementation guides for these standards.
The X12N standards committee has a long-standing agreement with the Washington Publishing Company (WPC) to develop and maintain official implementation guides for the X12N transaction sets that are being recommended for adoption in the NPRMs. In order to meet its low-cost distribution requirement, HHS has established a contract with the WPC, and implementation guides will be available for downloading from the WPC web site at no charge. Paper copies will be available for purchase from WPC. Guides for the retail drug claim standards will be available from the NCPDP web site.
Despite many efforts, discussions with the health care industry about administrative simplification continue to reveal that some in the health care industry still do not realize how these standards will affect them. To address this problem, NCVHS and HHS have initiated a comprehensive outreach and communication effort. The initiative includes the development of print materials for publication in periodicals and for distribution to the press and the public, direct mailings to affected groups, the coordinated scheduling of presentations to interested groups and press interviews. HHS also works with external organizations to support their outreach efforts.
In addition, HHS maintains a very complete website on Administrative Simplification:
The website includes information about the current status of these HIPAA standards, as well as copies of the final and proposed regulations themselves. The website also includes a capability for anyone to submit questions on the final transactions and code sets rule. HHS staff then group the questions, develop answers and post the answers on the website.
Extensive information concerning the Privacy Rule is maintained by HHS s Office for Civil Rights on a similar linked website: http://OCR.hhs.gov/privacy.
Both the NCVHS and HHS realize that providing information and education on Administrative Simplification to the health care community is an enormous task. While HIPAA is a federal law, it reflects a government-industry partnership framework, so that responsibility for publicity and education must be shared between the public and private sectors. While HHS must take full responsibility for the Medicare, Medicaid and Indian Health Service health plans, it has relied and will continue to rely on partnerships with a wide range of private sector organizations to assure that the message of Administrative Simplification reaches everyone involved, and that training and technical assistance opportunities exist.
The Designated Standards Maintenance Organization (DSMO) Process
HHS recognized the need for the ongoing maintenance of the HIPAA transaction standards, and especially the need for the industry to collect, review and recommend changes to the standards. The final regulation for transactions and code sets established a set of organizations called Designated Standards Maintenance Organizations (DSMOs) to receive and process requests for modifications to standards or for adopting new standards, and an accompanying notice named the following organizations as DSMOs:
- Accredited Standards Committee X12.
- Dental Content Committee of the American Dental Association.
- Health Level Seven.
- National Council for Prescription Drug Programs.
- National Uniform Billing Committee.
- National Uniform Claim Committee.
At a meeting of the NCVHS Standards and Security Subcommittee in March 2000, these six organizations signed a Memorandum of Understanding agreeing to a national process to manage the maintenance of HIPAA standards. They agreed to work cooperatively to accept requests through a public web site, review these requests, and to develop a joint recommendation to the NCVHS as to whether or not these requested changes should be made to the standards. This process worked extremely well in 2001. In response to the NCVHS request, the DSMO arrangement produced an initial set of changes under a “fast track” process to expedite changes in the transactions standards that are judged necessary to facilitate successful implementation. The process required the DSMOs to do their review and analysis in a highly compressed time frame, so that changes could be made to the standards during the first year after adoption and in time to assist with initial industry implementation. The DSMO representatives responded to the challenge in an exemplary fashion. After deliberation, the NCVHS then forwarded a letter (June 29, 2001) of recommended changes to the Secretary. The changes have since been incorporated into a NPRM that HHS expects to issue shortly. A second NPRM is under development to retract the NDC code as the HIPAA requirement for institutional pharmacies and is expected to be issued shortly.
The DSMO process has numerous and obvious benefits. It represents an industry effort to keep the standards current. It allows full public input and gives the parties most affected by these change requests the opportunity to review and respond to them. It also brings together in a cooperative fashion several disparate constituencies with major responsibilities in this process.
Industry Implementation Efforts
Even as the industry debated the need for additional time to comply with the administrative transactions and code sets standards, many organizations in the health care industry took a proactive stance in the planning and coordination of HIPAA standards implementation activities. While the emergence of firms offering HIPAA implementation assistance was to be expected as awareness of the HIPAA process and standards increased, several industry organizations are stepping forward to produce white papers and bring industry participants together to work out problems cooperatively. Several organizations have taken actions to help plans, providers and clearinghouses implement the standards. Both the Association for Electronic Health Care Transactions (AFEHCT) and the Workgroup for Electronic Data Interchange (WEDI) have papers on their web sites. WEDI in particular is sponsoring the Strategic National Implementation Process (SNIP). SNIP has brought participants from all facets of the industry (plans, providers, vendors) together to provide implementation education, assistance, time frames and solutions to problems with the aim of facilitating and coordinating HIPAA implementation nationwide. SNIP also is working together to provide specific guidance on issues identified by industry participants, and making guidance available via their web site and in periodic conferences.
In addition, WEDI has created a draft HIPAA Security Implementation Guide. AFEHCT, which represents health care clearinghouses and vendors, has collaborated with WEDI on a Security Interoperability Study and participates in SNIP. Several regional health data consortia are also assisting with HIPAA awareness and implementation efforts, including the Massachusetts Health Data Consortium, the North Carolina Health Care Information and Communications Alliance, and the Utah Health Information Network.
The Washington Publishing Company is making implementation guides for the HIPAA transactions standards available on its website. A number of major trade publications in health care are featuring articles on HIPAA implementation planning. Finally, several States have sponsored education and working sessions to coordinate the implementation of HIPAA standards within the public and private sectors of their respective States.
State of Industry Response to HIPAA
In general, the publication of the final rules for standard transactions and code sets and health information privacy has mobilized many segments of the industry to begin implementation planning. There are numerous conferences, web sites, and firms providing HIPAA education, compliance assistance and consulting services. In fact, there are increasing indications that HIPAA Administrative Simplification implementation may now rank among the top IT priorities in the health care sector. While awareness has clearly increased, there are segments of the industry which remain unaware of the HIPAA requirements. In particular, small providers and individual physicians offices, many of whom rely on vendors for information technology and services, seem to be unaware of the HIPAA initiative and its potential impact, benefits and costs, and relatively few have begun assessment activities.
During 2001, growing awareness led to organizational assessment activities in many covered entities, and many firms are realizing that implementation is a major undertaking. Serious review of the adopted standards is uncovering potential problems for many participants. The scope of the effort led to some concerns in the industry relating to the adequacy of the two-year implementation time frame and the cost of implementation. Although segments of the industry differed on the state of readiness and the need for delay, Congress ultimately passed the Administrative Simplification Compliance Act of 2001 in response to the request for an extension of the compliance date for the transaction rules. The compliance date for the privacy rule is unchanged.
IV. IMPLEMENTATION ISSUES
Since the enactment of HIPAA, HHS and the NCVHS have worked in partnership with the health care industry to communicate the requirements of HIPAA, to identify and evaluate existing industry standards for adoption, to develop rules that are workable, and to encourage the participation of all participants of the health industry in the adoption and implementation of the HIPAA standards. Once the final standards for transactions and code sets and the final privacy regulations were issued, the NCVHS began focusing on potential barriers to successful implementation. The intent, on an ongoing basis, is to identify implementation issues and barriers and make recommendations to HHS that address these issues.
Based on public hearings conducted by the NCVHS Subcommittee on Standards and Security and the Subcommittee on Privacy and Confidentiality during 2001, the Committee has identified the following implementation issues.
A. Issuance of Remaining HIPAA Standards Essential for Effective and Efficient Implementation
While the one year extension afforded by the HIPAA Compliance Act allows additional time for covered entities to implement the transactions standards, implementation efforts will remain suboptimal unless the fast track changes already recommended to the transaction rule are finalized and issued, and the requirements of the final security standard are available. Clarification about the format and timing of the identifier standards also would facilitate implementation efforts. Finally, issuance of the proposed rule for claims attachments is needed so that the industry can begin to plan for electronic attachments. Accordingly, the NCVHS urges the Secretary to issue the remaining standards without delay.
B. HHS Resources Needed in Promoting Industry HIPAA Implementation
A number of experts and industry representatives have suggested that HHS should assume a more active role (and increase funding) to actively promote the implementation of the HIPAA data standards by the industry. The NCVHS recommends that not only should the Department closely monitor the progress of national implementation, but it must devote sufficient resources to ensure there is adequate technical support, education, and testing. The need for resources and outreach applies to both the transactions standards and the privacy standards.
C. Funding to Deploy Identifiers
A number of testifiers at NCVHS public hearings stressed the need for adequate funding to build the infrastructure and obtain necessary support to deploy the HIPAA identifiers, especially the provider and health plan identifiers, in a timely manner. The timely availability of HIPAA identifiers is crucial for obtaining the expected benefits of electronic transactions. The NCVHS recommends that HHS provide adequate resources to assure that the HIPAA identifiers are available for identifying all covered providers and payers as soon as is possible.
D. Testing and Compliance with HIPAA Standards
Testing was identified as a critical component of HIPAA implementation. There was concern from testifiers that different private certifying bodies, using different criteria, could provide different results to the industry and thereby undermine implementation. The NCVHS recommends that HHS take an active role in providing support for uniform compliance certification. The role should include activities such as “certifying the certifiers” so that purchasers would not be misled by unsupported claims of HIPAA-compliant software or services.
F. Electronic Signature Standard
With respect to the Security and Electronic Signature Standards, the NCVHS noted that while the NPRM included criteria for an electronic signature standard, no consensus industry standard for electronic signature standards could be identified at the time the proposed rule was published. At the request of the Commerce Department’s National Institute of Standards and Technology, HHS has deferred publication of the electronic signature standard to permit a more thorough assessment of evolving technology and current industry consensus on this issue. Inclusion of an electronic signature standard in the final rule on security standards will depend on industry progress on this issue and the outcome of these activities. For its part, the NCVHS views the electronic signature standard as an essential element of the administrative simplification suite of national standards. The NCVHS will continue to hold hearings on this issue and is actively encouraging industry to move towards consensus on an electronic signature standard. In February 2001, the NCVHS encouraged the DSMOs to work together within a forum provided by ANSI-HISB to agree upon a common standard for electronic signatures. The DSMOs along with representatives from the ASTM Subcommittee on Electronic Signatures have had several meetings within the forum during 2001 to converge upon common electronic signature standards.
G. Code Set Issues
NCVHS hearings related to HIPAA implementation have identified a number of issues involving code sets, issues relating both to externally maintained codes sets and to the widespread use of local (non-national, non-standard) codes in health care transactions. In addition, additional issues are being identified based on the experience of early implementers of the health care transactions adopted as final standards. Testifiers expressed concern that the maintenance processes used for external code sets must be effective, timely, and nationally responsive. These processes should be based on the same maintenance principles adopted by the DSMOs. The NCVHS recommends that HHS examine the maintenance processes used by the external entities and conduct discussions with them to resolve any weaknesses that may be found. In a letter to the Secretary of HHS dated October 16, 2000, the NCVHS identified a number of issues relating to externally maintained code sets and the elimination of local codes.
Conclusion
The NCVHS reaffirms the importance of the HIPAA Administrative Simplification initiative and urges the Secretary to expedite the publication of the remaining rules. The enactment of the one year extension for compliance only increases the urgency of the situation. The full economic benefits of Administrative Simplification will only be realized when all of the standards are in place, and implementation activities and resource planning in the industry will be more effective when the regulatory framework for the entire suite of standards is final
During 2002, NCVHS will continue to focus on HIPAA implementation. Additional information on the NCVHS and the HIPAA Administrative Simplification effort is available on the following websites: