Executive Summary, Second Annual Report to the Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Second Annual Report to the Congress
on the Implementation
of the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act

Executive Summary

Background and Purpose

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) outline a new framework for electronic data interchange standards to support health care in the U.S. Enacted in August 1996 with the widespread support of the industry and bipartisan support in Congress, HIPAA requires the Secretary of Health and Human Services (HHS) to adopt standards to support electronic data interchange for a variety of administrative and financial health care transactions. The law also outlines a process leading to protection of the privacy and confidentiality of health information.

The transactions for which standards are to be adopted deal largely with health insurance administrative and financial operations and include data elements and code sets for those transactions; unique health identifiers for health care providers, health plans, employers, and individuals for use in the health care system; and security standards to protect health information. Within 24 months of their adoption, the standards would be required for use by health plans, clearinghouses, and providers who transmit or maintain such information electronically. Small plans would have another 12 months to comply.

In recognition of the importance of protecting the privacy of individually identifiable health information, the law also outlines a process leading to confidentiality protections for health information. Specifically, the law requires the Secretary to submit recommendations for federal health information privacy legislation to the Congress. Secretary Shalala forwarded these recommendations to the Congress on September 11, 1997. Several health information privacy bills have subsequently been introduced in Congress. If Congress does not enact health information privacy legislation by August 1999, the Secretary is required by HIPAA to issue final regulations to protect the information transmitted in connection with the HIPAA administrative transaction standards by February 2000.

In addition, the statute gives expanded responsibilities to the National Committee on Vital and Health Statistics (NCVHS), including advising the Secretary on health information privacy and on the adoption of health data standards. In section 263, the Committee is further directed to submit an annual report to Congress on the status of

implementation of the Administrative Simplification effort. This report is the second of those annual reports on implementation and covers the period January 1998 through December 1998.

Because of its extensive consultation with the industry and the research and public health communities, its close involvement with the Department and its intense focus on administrative simplification issues during the past two years, the NCVHS is well positioned to comment on the progress of the implementation effort as well as related health information policy. As a general goal, the Committee is committed to improvements in the national health information infrastructure that will enhance quality, lower costs, and facilitate access to care.

Progress on HIPAA Health Data Standards

The past year witnessed significant progress in the adoption of the health care EDI and security standards outlined in the law. After extensive consultation with the industry and other interested and affected parties, including over 40 days of public hearings sponsored by the NCVHS involving over 200 witnesses from throughout the industry, the public health and the research communities, HHS published four Notices of Proposed Rulemaking (NPRM) in 1998 for public comment in the Federal Register:

• The NPRM for the National Provider Identifier was issued for public comment on May 7, 1998. Approximately 5000 comments were received. The final rule is now being drafted.
• The NPRM for National Standards for Transactions and Code Sets was issued for public comment on May 7, 1998. Approximately 17,000 comments were received. The final rule is now being drafted.
• The NPRM for the National Employer Identifier was issued for public comment on June 16, 1998. Approximately 800 comments were received. The final rule is now being drafted.
• The NPRM for Security and Electronic Signature Standards was issued on August 12, 1998. Approximately 2000 comments were received. The final rule is now being drafted.

Progress also continues on two additional standards. An NPRM is under development relating to the National Plan Identifier. The NPRM is expected to be published for public comment in 1999. HIPAA allows an additional twelve months for the adoption of the standard for claims attachments. Work on this standard also is well underway, and issuance of an NPRM is expected in 1999.

During 1998, the NCVHS held an additional six days of public hearings on related HIPAA data standards issues (claims attachments, computer-based patient records, and unique health identifier for individuals) involving 62 additional witnesses. In addition, the NCVHS provided public comments on the NPRMs issued during 1998. The NCVHS comments are included on the NCVHS website in their entirety and discussed briefly in this report. HHS is now in the process of reviewing all of the public comments received and revising the proposed standards for issuance as final regulations. Copies of all of the NPRMs as well as public comments submitted electronically to HHS are available on the HHS administrative simplification website:

http://aspe.os.dhhs.gov/admnsimp

Work is proceeding on the final regulations, and they will be issued as they are finalized during 1999 and 2000.

Administrative Simplification and Y2K Issues

As clearinghouses, plans and providers prepare to implement the HIPAA administrative transaction standards, they are also necessarily focusing resources and attention on ensuring that their computer systems recognize the century date change and continue operating. The Committee believes that both of these activities can and should proceed in tandem. Indeed, the timing of the implementation of the HIPAA standards, described above, may prove to be fortuitous.

Unique Health Identifier for Individuals (UHI)

Prior to the enactment of HIPAA in 1996, after conducting public hearings, the NCVHS had endorsed the concept of unique health identifiers for use in a variety of uniform health data sets and core data sets in health care. As a result of the requirement for such an identifier in HIPAA, both the Committee and HHS began to focus increased attention on the issue. In 1997, the NCVHS recommended to the Secretary that the selection of a unique health identifier for individuals be delayed until after passage of federal health record privacy legislation.

Accordingly, because of both privacy concerns and the lack of a consensus on the appropriate technical standard for a UHI, HHS decided in October 1997 not to issue a proposed rule for the UHI. Instead, HHS initiated an open public process for discussion of the issues surrounding the unique identifier for individuals. This process included an initial hearing on the issue by the NCVHS, and release of a White Paper discussing the options and implications of those options.

Initially, HHS planned to include in the public consultation process additional NCVHS hearings and publication in the Federal Register of a Notice of Intent (NOI) that would solicit information, public input on concerns and possible approaches. However, the initial NCVHS hearing held in July 1998 drew significant media attention relating to concerns that a unique identifier not be put into place until adequate privacy protections were available. The announcement by Vice President Gore in late July that no UHI will be implemented until privacy protections are in place has done little to stem public and Congressional concerns. The FY 1999 appropriations act signed on October 21 includes a provision barring HHS from using any of its appropriated funds to

“… promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider) until legislation is enacted specifically approving the standard.”

In light of these circumstances, publication of the NOI and further NCVHS hearings on this topic have been put on hold.

Continuing Consultation and Implementation Efforts

During the first year following the enactment of HIPAA, HHS and NCVHS efforts necessarily focused on widespread consultation with interested and affected parties to identify and evaluate potential standards to be adopted, as well as the development of health information privacy recommendations to Congress. During 1998, the efforts shifted to issuing proposed rules outlining the standards for public comment. Accordingly, HHS is now in the process of reviewing public comments and revising the regulations for final issuance. Plans, clearinghouses and providers subject to the standards will then have 24 months after the effective date of the final regulations to comply. Subsequent reports in this series will describe progress on later stages of implementation.

To address the requirements of the law, HHS has developed an implementation strategy that assures coordination among HHS agencies, participation by other Federal departments, and extensive interaction with the private sector. This strategy continues to afford many opportunities for interested and affected parties to participate in and influence the standards development and adoption processes, by participating with standards development organizations, providing testimony at NCVHS public meetings, inviting HHS representatives to speak at various meetings, and providing comments on proposed rules. As an integral part of this strategy, the HHS Data Council, the Department’s senior level internal data policy body, plays a critical role in the implementation of administrative simplification and works closely with the NCVHS. As required by the statute, the Department also consulted with the National Uniform Billing Committee, the National Uniform Claim Committee, the Workgroup for Electronic Data Interchange, the American Dental Association, and a number of other private sector organizations.

The NCVHS continues its role as an active partner with the Department in every aspect of the standards adoption process. As the Department’s primary liaison with the private sector, the NCVHS held a number of public hearings to obtain the views, perspectives, and concerns of organizations and individuals, as well as their input and advice on health data standards and privacy. As required by the statute, the NCVHS submitted recommendations to the Secretary for standards to be adopted and on privacy guidelines and has commented on HHS NPRMs. The full text of the NCVHS recommendations and comments is available from the NCVHS web site at http://aspe.os.dhhs.gov/ncvhs.

Progress on Privacy Protections

In its 1997 privacy recommendations, the NCVHS recommended that the Administration assign the highest priority to the development of a strong position on health privacy and that the 105th Congress enact a health privacy law before it adjourns in the fall of 1998. Similarly, in her detailed recommendations to Congress, Secretary Shalala recommended that Congress enact comprehensive health information privacy legislation. Although a number of health record privacy bills were introduced in the 105th Congress, none were enacted. It is expected that health information privacy legislation will receive considerable attention in the 106th Congress. According to HIPAA, if Congress does not enact health information privacy legislation by August 1999, the Secretary is required to issue final regulations to protect the information transmitted in connection with the HIPAA administrative transaction standards by February 2000.

The NCVHS has identified a number of additional privacy and security concerns. In addition to the importance of Congressional action on privacy legislation, these concerns include the stronger linkage of the individual identifier standard to privacy protections, the need for privacy protections to deal with fair information practices as well as antidiscrimination measures, and the need for better implementation of security standards. The Committee will continue to examine these issues and additional recommendations may be forthcoming.

Standards for Computer-Based Patient Records

HIPAA directs the NCVHS to study the issues related to the adoption of uniform data standards for patient medical record information and the electronic interchange of such information, and report to the Secretary of Health and Human Services not later than August 2000 on recommendations and legislative proposals for such standards and electronic interchange. During 1998, the NCVHS established the Working Group on the Computer-Based Patient Record. The Working Group held two days of public hearings in December 1998, to invite interested and affected parties to express their views about possible directions for the recommendations. Additional hearings are planned during 1999 to discuss approaches to these recommendations.

Communications

HHS and the NCVHS, in partnership with private sector organizations, are also working to promote an integrated communication strategy to ensure that the industry will continue to receive all the information and assistance that it needs to implement the proposed standards. Once the standards have been adopted, the health care community will be encouraged to notify the Department or the NCVHS of any issues or concerns with the implementation of the standards.

Future Reports

During the next several years, the NCVHS plans to monitor the implementation of the standards and to conduct public hearings to obtain additional input from a broad cross section of users in both the public and private sectors. The NCVHS will also seek input from the public on additional standards that may be appropriate, as well as the need to modify existing standards, and will provide timely recommendations to the Secretary.

In later stages of the standardization effort, the Committee plans to obtain information on the extent to which the adopted standards are being implemented, and to solicit reports on the progress of standards implementation from the industry as well as federal and State agencies for the health care programs under their jurisdictions. These agencies, as well as industry representatives, will be asked to provide public testimony at NCVHS hearings, where appropriate. The Committee will also make substantial use of industry data sources to assess major trends in the application of information technology in health care.

To date, the process of adopting health data standards has been extremely open, collaborative, and productive. The past year has witnessed considerable progress in the adoption of the administrative simplification data standards required by HIPAA. The openness and success of the process up to this point bodes well for the success of the ultimate implementation of these standards.