March 22, 2001 Fourth Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act

March 22, 2001

The Honorable Richard Cheney
President of the Senate
Washington, D.C. 20510
Dear Mr. President:

I am pleased to transmit our Fourth Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act (HIPAA). In compliance with Section 263, Subtitle F of Public Law 104-191, the report was developed by the National Committee on Vital and Health Statistics (NCVHS), the public advisory committee to the U.S. Department of Health and Human Services on health data, privacy, and health information policy, and covers the period January – December 2000.

The Administrative Simplification provisions of HIPAA require the Secretary of Health and Human Services (HHS) to adopt a variety of standards to support electronic interchange for administrative and financial health care transactions, including standards for security and privacy to protect individually identifiable health information. In addition, the statute gives expanded responsibilities to the National Committee on Vital and Health Statistics, including advising the Secretary on health information privacy and on the adoption of health data standards. The Committee is further directed to submit an annual report to Congress on the status of implementation of the Administrative Simplification effort. The fourth annual report is enclosed.

As described in our enclosed report, significant progress occurred on HIPAA Administrative Simplification during the past year, HHS issued two final rules, one describing standards for transactions and code sets, and the other outlining standards for privacy of individually identifiable health information. Progress also continued on the adoption of the remaining suite of administrative simplification standards. NCVHS applauds these accomplishments and reaffirms the importance of the HIPAA administrative simplification initiative for improving the efficiency and effectiveness of the health care system in the U.S. The full economic benefits of Administrative Simplification will only be realized when all of the standards are in place, and implementation activities and resource planning in the industry will be more effective when the entire suite of standards is finalized. Accordingly, we urge the Secretary of HHS to expedite the publication of the remaining rules, and urge Congress to provide sufficient resources and support.

We hope that you will find this fourth annual report informative and look forward to continued progress on these important issues for the nation’s health system. If you or your staff would like a briefing presentation on any of our past or anticipated activities, please let me know. We are committed to improvements in health information systems that will enhance the quality of health care, lower costs, and facilitate access to care in the U.S.

Sincerely,

/s/

John R. Lumpkin, M.D.
Chairman

Enclosure

Identical letters to:

The Honorable Dennis Hastert
Speaker of the House of Representatives
Washington, D.C. 20515

The Honorable XXXXX
Chairman
Committee on Finance
219 Senate Dirksen Office Building
United States Senate
Washington, D.C. 20510

The Honorable James Jeffords
Chairman
Committee on Health, Education, Labor and Pensions
428 Senate Dirksen Office Building
United States Senate
Washington, D.C. 20510

The Honorable William Archer
Chairman
Committee on Ways and Means
U.S. House of Representatives
1102 Longworth House Office Building
Washington, D.C. 20515

The Honorable XXXXX
Chairman
Committee on Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, D.C. 20515

The Honorable William Goodling
Chairman
Committee on Education and the Workforce
U.S. House of Representatives
2181 Rayburn House Office Building
Washington, D.C. 20515

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

ADMINISTRATIVE SIMPLIFICATION
IN HEALTH CARE: 2000

Fourth Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act

March 22, 2001

FOURTH ANNUAL REPORT TO CONGRESS ON THE IMPLEMENTATION OF HIPAA

Executive Summary

I. Introduction

A. Background
B. Purpose of Report
C. Content of Report
D. Statutory Requirements

II. Implementation Process

A. DHHS Implementation Strategy
B. Guiding Principles
C. Private Sector Consultation
D. NCVHS HIPAA-Related Hearings
E. Outreach to Public Health and Health Services Research
F. NCVHS Comments on NPRMs
G. NCVHS Liaison with HHS

III. Progress to Date

A. Transaction Standards and Code Sets
B. Standard Identifiers
C. Standards for Security and Electronic Signatures
D. Claims Attachment Standards
E. Standards for Privacy of Individually Identifiable Health Information
F. Standards for Patient Medical Record Information
G. Outreach, Education and Industry Partnerships
H. Establishment of the DSMO Process
I. Industry Implementation Efforts
J. State of Industry Response to HIPAA

IV. Implementation Issues

A. HHS Resources in Promoting Industry HIPAA Implementation
B. Funding to Deploy Identifiers
C. Testing and Compliance with HIPAA Standards
D. Data Availability Gap
E. Electronic Signature Standards
F. Code Set Issues

V. Conclusions

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

ADMINISTRATIVE SIMPLIFICATION
IN HEALTH CARE: 2000

Fourth Annual Report to the Congress
on the Implementation
of the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act

Executive Summary

Overview

Enacted in 1996 with the widespread support of the industry and bipartisan support in Congress, the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services (HHS) to adopt standards to support electronic data interchange for a variety of administrative and financial health care transactions. Within 24 months of their adoption, the standards will be required for use by health plans, clearinghouses, and providers who transmit or maintain such information electronically. Small plans will have another 12 months to comply. The law also outlines a process leading to standards for the protection of the privacy and confidentiality of health information. The purposes of these provisions are to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the use of electronic methods for transmission of health information through the establishment of standards and requirements for covered electronic transmissions.

In addition, the statute gives expanded responsibilities to the National Committee on Vital and Health Statistics (NCVHS), including advising the Secretary on health information privacy and on the adoption and implementation of health data standards. In section 263, the Committee is further directed to submit an annual report to Congress on the status of implementation of the Administrative Simplification effort. This report is the fourth of those annual reports on implementation and covers the period January 2000 through December 2000.

Progress on HIPAA Standards for Privacy of Individually Identifiable Health Information

During the past year, major developments occurred in the area of national standards for protecting the privacy of individually identifiable health information. On December 28, 2000, HHS issued final regulations outlining standards for Privacy of Individually Identifiable Health Information. The final regulations were issued in compliance with HIPAA requirements that directed HHS to issue regulations after a self imposed Congressional deadline passed without the enactment of federal privacy legislation. The effective date for the privacy regulation is April 14, 2001, and the expected compliance date is April 2003 (April 2004 for small plans). On February 28 2001, in response to some industry concerns, HHS issued a Federal Register notice inviting public comment on the final regulation. The 30 day comment period will conclude on March 30.

The privacy standards protect medical records and other personal health information maintained by certain health care providers, health plans and health care clearinghouses. They limit the non-consensual use and release of private health information, give patients new rights to access their medical records and to know who else has accessed them, restrict most disclosures of health information to the minimum needed for the intended purpose, and establish new requirements for disclosure of records to researchers and others.

The NCVHS supports and applauds this progress on national health information privacy standards. The Committee views health information privacy protection as a foundation for the full complement of health care administrative simplification standards, and for progress on additional information technology applications to improve the health of the population and the efficiency and effectiveness of the health system. Because of limitations in the HIPAA statute itself, the HHS privacy regulation was unable to cover all entities that may hold individually identifiable health information. Accordingly, the Committee urges Congress to build upon the framework of the privacy regulation to enact legislation that extends privacy protection to all entities that hold individually identifiable health information.

Standards for Administrative Transactions and Code Sets in Health Care

The past year also saw the issuance of final HIPAA rules adopting national standards for administrative transactions and code sets. The final rule describing the suite of administrative transactions standards and code sets was issued on August 17, 2000. The expected compliance date is October 16, 2002 (October 16, 2003 for small health plans). Because of the extensive consultation and collaborative effort among HHS, the NCVHS and all segments of the health care industry and the significant demands of the federal regulatory process itself, it was not possible to meet the original timetables outlined in the law. However, the NCVHS is certain that the time and effort expended in the public, open consultation and collaboration process has both vastly improved the ultimate outcomes of HIPAA and helped to facilitate implementation of the adopted standards.

The NCVHS is very pleased to note that, with the issuance of this final rule, industry attention and energy has now turned to implementation of the national standards. By promoting greater use of electronic transactions and the elimination of inefficient paper forms, the administrative simplification regulations are expected to provide a net savings to the health care industry of $29.9 billion over ten years.

Progress on Health Data and Security Standards

Progress also continued on the adoption of the remainder of the HIPAA administrative simplification standards. Notices of Proposed Rule Making in the Federal Register have been issued for the following standards:

National Employer Identifier
National Provider Identifier
Security and Electronic Signature Standards

Work on the final rules for these standards is well underway and final rules are expected in 2001. Progress also continues on two additional standards. A NPRM is under development relating to the National Health Plan Identifier. The NPRM is expected to be published for public comment in 2001. HIPAA allows an additional twelve months for the adoption of the standard for Claims Attachments. Work on this standard also is nearly complete, and issuance of an NPRM is expected in 2001.

The NCVHS reaffirms the importance of the HIPAA Administrative Simplification initiative and urges the Secretary to expedite the publication of the remaining rules. The full economic benefits of Administrative Simplification will only be realized when all of the standards are in place, and implementation activities and resource planning in the industry will be more effective when the regulatory framework for the entire suite of standards is final.

Standards for Patient Medical Record Information

In addition to a focus on administrative simplification in health care, HIPAA directs the NCVHS to “…study the issues related to the adoption of uniform data standards for patient medical record information and the electronic interchange of such information, and report to the Secretary of Health and Human Services not later than August 2000 on recommendations and legislative proposals for such standards and electronic interchange.” Accordingly, the NCVHS also dedicated a major effort to developing and finalizing the report on Uniform Standards for Patient Medical Record Information. Based on 11 days of public hearings involving over 90 experts, the NCVHS submitted its report and recommendations to the Secretary on July 6, 2000.

The report describes a number of clinical and economic benefits relating to electronic medical record information, and concludes that the major impediments to electronic exchange of patient medical record information are

limited interoperabilty of health information systems,
limited comparability of data exchanged among providers,
the need for better quality, accountability and integrity of data, and
the need for adequate privacy protections.

The report also includes ten recommendations relating to the

selection of PMRI standards,
acceleration of the development of such standards,
early adoption of PMRI standards, and
relationship of PMRI standards to other issues.

The recommendations have been presented to the HHS Data Council and are currently under evaluation and consideration in HHS. The report is available on the NCVHS website.

The Designated Standards Maintenance Organization (DSMO) Process

HHS recognized the need for the ongoing maintenance of the HIPAA transaction standards, and especially the need for the industry to collect, review and recommend changes to the standards. The final regulation for transactions and code sets established a set of organizations called Designated Standards Maintenance Organizations (DSMOs) to receive and process requests for modifications to standards or for adopting new standards, and an accompanying notice named the following organizations as DSMOs:

Accredited Standards Committee X12.
Dental Content Committee of the American Dental Association.
Health Level Seven.
National Council for Prescription Drug Programs.
National Uniform Billing Committee.
National Uniform Claim Committee.

At a NCVHS Security and Standards Subcommittee meeting on March 31, 2000, these six organizations signed a Memorandum of Understanding agreeing to a national process to manage the maintenance of HIPAA standards. They agreed to work cooperatively to accept requests through a public web site, review these requests, and develop a joint recommendation to the NCVHS as to whether or not these requested changes should be made to the standards. This process in now in full operation.

The DSMO process has numerous and obvious benefits. It represents an industry effort to keep the standards current. It allows full public input and gives the parties most affected by these change requests the opportunity to review and respond to them. It also brings together several disparate constituencies working together in this process.

Industry Implementation Efforts

The health care industry has taken a proactive stance in the planning and coordination of HIPAA standards implementation activities. While the emergence of firms offering HIPAA implementation assistance was to be expected as awareness of the HIPAA process and standards increased, several industry organizations are stepping forward to produce white papers and bring industry participants together to work out problems cooperatively. Several organizations have taken actions to help plans, providers and clearinghouses implement the standards. Both the Association for Electronic Health Care Transactions (AFEHCT) and the Workgroup for Electronic Data Interchange (WEDI) have papers on their web sites. WEDI in particular is sponsoring the Strategic National Implementation Process (SNIP). SNIP has brought participants from all facets of the industry (plans, providers, vendors) together to provide implementation education, assistance, time frames and solutions to problems with the aim of facilitating and coordinating HIPAA implementation nationwide. SNIP also is working to provide specific guidance on issues identified by industry participants, and making guidance available via their web site and in periodic conferences.

In addition, WEDI has created a draft HIPAA Security Implementation Guide. AFEHCT, which represents health care clearinghouses and vendors, has collaborated with WEDI on a Security Interoperabilty Study and participates in SNIP. Several regional health data consortia are also assisting with HIPAA awareness and implementation efforts, including the Massachusetts Health Data Consortium, the North Carolina Health Care Information and Communications Alliance, and the Utah Health Information Network.

The Washington Publishing Company is publishing implementation guides for the HIPAA transactions standards on its website. A number of major trade publications in health care are featuring articles on HIPAA implementation planning. Finally, several States have sponsored education and working sessions to coordinate the implementation of HIPAA standards within the public and private sectors of their respective States.

State of Industry Response to HIPAA

In general, the publication of the final rule for standard transactions and code sets has mobilized many segments of the industry to begin implementation planning. There are numerous conferences, web sites, and firms providing HIPAA education, compliance assistance and consulting services. In fact, there are increasing indications that HIPAA Administrative Simplification implementation may now rank among the top IT priorities in the health care sector. While awareness has clearly increased, there are segments of the industry which remain unaware of the HIPAA impact. In particular, small providers and individual physicians offices, many of whom rely on vendors for information technology and services, seem to be unaware of the HIPAA initiative and its potential impact, benefits and costs.

Now that awareness and assessment activities are under way, many firms are realizing that implementation is a major undertaking. Serious review of the adopted standards is uncovering potential problems for many participants. The scope of the effort is raising some concerns in the industry relating to the adequacy of the two-year implementation time frame and the cost of implementation. The NCVHS will monitor these issues in the coming year and provide advice and recommendations to HHS.

Continuing Consultation and Implementation Efforts

To address the requirements of HIPAA, HHS continues an implementation strategy that assures coordination among HHS agencies, participation by other Federal departments, and extensive interaction with the private sector, including the four industry groups named in the statute – the National Uniform Billing Committee, the National Uniform Claim Committee, the Workgroup for Electronic Data Interchange, and the American Dental Association. This strategy continues to afford many opportunities for interested and affected parties to participate in and influence the standards development and adoption processes. The NCVHS continues its role as an active partner with the Department in every aspect of the standards adoption process. As an integral part of this strategy, the HHS Data Council, the Department’s senior level internal data policy body, plays a critical role in the implementation of the administrative simplification effort and works closely with the NCVHS.

Implementation Issues

Since the enactment of HIPAA, HHS and the NCVHS have worked in partnership with the health care industry to communicate the requirements of HIPAA, to identify and evaluate existing industry standards for adoption, to develop rules that are workable, and to encourage the participation of all participants of the health industry in the adoption and implementation of the HIPAA standards. Now that the final standards for transactions and code sets have been issued, the NCVHS has begun focusing on potential barriers to successful implementation. The intent, on an ongoing basis, is to identify implementation issues and barriers and make recommendations to HHS that address these issues.

Based on public hearings conducted by the NCVHS Subcommittee on Standards and Security during 2000, the following implementation issues were identified.

HHS Resources in Promoting Industry HIPAA Implementation

A number of experts and industry representatives suggested that HHS should assume a more active role (and increase funding) to actively promote the implementation of the HIPAA data standards by the industry. The NCVHS recommends that not only should the Department closely monitor the progress of national implementation, but it must devote sufficient resources to ensure there is adequate technical support, education, and testing.

Funding to Deploy Identifiers

Testifiers stressed the need for adequate funding to build the infrastructure and obtain necessary support to deploy the HIPAA identifiers, especially the provider and health plan identifiers, in a timely manner. The timely availability of HIPAA identifiers is crucial for obtaining the expected benefits of electronic transactions. We recommend that HHS provide adequate resources to assure that the HIPAA identifiers are available for identifying all providers and payers as soon as is possible.

Testing and Compliance with HIPAA Standards

Testing was identified as a critical component of HIPAA implementation. There was concern from testifiers that different private certifying bodies, using different criteria, could provide different results to the industry and thereby undermine implementation. The NCVHS recommends that HHS take an active role in providing support for uniform compliance certification. The role should include activities such as “certifying the certifiers” so that purchasers would not be misled by unsupported claims of HIPAA-compliant software or services.

Data Availability Gap

The Committee also is concerned that vendors of provider systems have products that cannot produce standard HIPAA transaction messages because of the current unavailability of the data in electronic format. The Committee has begun to hold hearings on this issue to understand the breadth of the problem and to provide additional guidance in the coming year.

Electronic Signature Standard

With respect to the Security and Electronic Signature Standards, the NCVHS noted that while the NPRM included criteria for an electronic signature standard, no consensus industry standard for electronic signature standards could be identified at that time. At the request of the Commerce Department’s National Institute of Standards and Technology, HHS has deferred publication of the electronic signature standard to permit a more thorough assessment of evolving technology and current industry consensus on this issue. Inclusion of an electronic signature standard in the final rule on security standards will depend on industry progress on this issue and the outcome of these activities. For its part, the NCVHS views the electronic signature standard as an essential element of the administrative simplification suite of national standards. The NCVHS will continue to hold hearings on this issue and is actively encouraging industry to move towards consensus on an electronic signature standard.

Code Set Issues

NCVHS hearings related to HIPAA implementation have identified a number of issues involving code sets, issues relating both to externally maintained codes sets and to the widespread use of local (non-national, non-standard) codes in health care transactions. In addition, additional issues are being identified based on the experience of early implementers of the health care transactions adopted as final standards. Testifiers expressed concern that the maintenance processes used for external code sets must be effective, timely, and nationally responsive. These processes should be based on the same maintenance principles adopted by the DSMOs. The NCVHS recommends that HHS examine the maintenance processes used by the external entities and conduct discussions with them to resolve any weaknesses that are found.

With respect to local codes, according to those testifying, movement away from Health Care Financing Administration (HCFA) Common Procedure Coding System Level III local codes and those local codes developed by others in the industry, as required by the final rule for Standards for Electronic Transactions, is possible, but will require significant effort, resources and leadership. In a letter to the Secretary of HHS, the NCVHS has identified a number of issues relating to the process for development and maintenance of local codes. These issues are discussed in detail in a letter to the Secretary of HHS posted on the NCVHS website.

Conclusion

To date, the process of adopting and implementing health data standards has been extremely open, collaborative, and productive. The past three years have witnessed considerable progress in the adoption of the HIPAA administrative simplification standards. With the issuance in 2000 of the final regulations for transactions and code sets standards and privacy standards, the NCVHS has begun to focus on the implementation stage of the effort. Additional information on the NCVHS as well as the HIPAA Administrative Simplification effort can be found on the HHS and NCVHS websites:

http://www.aspe.hhs.gov/admnsimp;
http://ncvhs.hhs.gov

I. INTRODUCTION

A. Background

A considerable portion of every health care dollar is spent on administrative overhead. In health care, this overhead includes many tasks, such as:

filing a claim for payment from an insurer,
enrolling an individual in a health plan,
paying health insurance premiums, and
checking insurance eligibility for a particular treatment

Today these processes involve numerous paper forms, faxes and telephone calls, and many delays in communicating information among different locations. This situation creates difficulties and costs for health care providers, health plans, and consumers alike.

The burden of these costs affects everyone involved in the health care system, including the typical health plan that continues to process mountains of paper forms that differ in content from one plan to another, the typical physician who bills multiple health plans with their varying forms and formats, and who must respond to additional requirements imposed by managed care organizations, and the typical consumer, who ultimately pays for administrative burden.

To address these problems, the health care industry, including both public and private sectors, has worked to develop standards to improve the way in which transactions are exchanged electronically. However, economic pressures have prevented competing parties from adopting a uniform set of such standards. At the request of the industry and with bipartisan support, Congress enacted the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has estimated that full implementation of these provisions are expected to provide a net savings to the health care industry of $29.9 billion over ten years. In fact, such savings raise the possibility of helping to improve the quality of health care by freeing up resources now devoted to paperwork and administration.

B. Purpose of This Report

The purpose of this report is to describe the status of implementation of the administrative simplification provisions of HIPAA during 2000, the fourth year after enactment of the law. Congress gave the NCVHS the role of advising HHS on the adoption of standards, monitoring implementation of Administrative Simplification, and reporting annually on its progress. During 2000, the Committee has monitored the process of standards adoption and the issuance of proposed standards, as carried out by the Government and its advisory bodies. In addition, now that the standards have become finalized and attention turns to their implementation, the NCVHS has begun to examine and report on implementation issues, the rate of implementation and the growth of electronic data interchange (EDI) in the health care industry.

C. Content of the Report

Although this report was requested by the Congress, it is directed at the industry and the public as well. The report begins with a review of the requirements of the statute, including the implementation timetable required by the law, and the expanded responsibilities of the NCVHS. The report then outlines the implementation process, which involves the Department of Health and Human Services, other Federal agencies, the States, the NCVHS, the industry, and the public health and research communities. Next, the status of implementation of each of the standards required by HIPAA is reviewed. Discussion follows in which the NCVHS highlights several readiness and implementation issues and how the NCVHS intends to monitor implementation in the future.

D. Requirements of HIPAA Administrative Simplification

The Administrative Simplification provisions, Title II, Subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services (HHS) to adopt standards for the electronic transmission of administrative and financial health care transactions, including data elements and code sets for those transactions; for unique health identifiers for health care providers, health plans, employers, and individuals for use in the health care system; and for security standards to protect individually identifiable health information. The law also requires the Secretary to submit recommendations for Federal health privacy legislation to the Congress within one year. Additionally, these provisions gave special responsibilities to the NCVHS to advise the Secretary on establishing privacy standards.

The purposes of these provisions are to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the use of electronic methods for transmission of health information through the establishment of standards and requirements for covered electronic transmissions.

1. Requirements for Standards

The standards required under the law include:

Transactions for:
Health claims or equivalent encounter information
Enrollment and disenrollment in a health plan
Eligibility for a health plan
Health care payment and remittance advice
Health plan premium payments
First report of injury
Health claim status
Referral certification and authorization
Claims attachments (The law allows an additional twelve months for the adoption of the claims attachment standard.)
Code sets and classification systems for the data elements of the transactions
Unique identifiers for health plans, health care providers, employers, and individuals for use in the health care system
Security and electronic signature standards and safeguards to protect health information during transmission and while stored in health information systems, to ensure the integrity of the information, and to protect against unauthorized use and disclosure.
Coordination of benefits and sequential processing of claims.

HIPAA also outlined a process leading to standards to protect the privacy of individually identifiable health information. Specifically, HIPAA directed the Secretary to submit recommendations to Congress for privacy protections. In September 1997, the HHS Secretary delivered detailed recommendations to Congress for federal privacy legislation to protect individually identifiable health information. In those recommendations, the Secretary urged Congress to pass comprehensive and balanced privacy legislation. According to HIPAA, since Congress did not subsequently enact a privacy protection statute by August 1999, the Secretary was required to issue final regulations to protect the information transmitted in connection with the HIPAA administrative transaction standards.

Under the law, the Secretary may also establish standards for other financial and administrative transactions that he determines to be appropriate and that are consistent with the goals of improving the operation of the health care system and reducing administrative costs. This provision permitted designation of coordination of benefits as one of the standard transactions being adopted.

The standards will apply to all health plans, health care clearinghouses, and health care providers that transmit health information in electronic form. Health plans are required to accept standard transactions submitted electronically by health care providers, and health plans cannot delay or otherwise adversely affect such transactions. Health plans and health care providers may submit or receive transactions directly or indirectly through the use of health care clearinghouses.

2. Timetables

The Health Insurance Portability and Accountability Act, which was enacted on August 21, 1996, specified the following implementation schedule:

The Secretary’s recommendations for protecting the privacy of individually identifiable health information were due within 12 months of the date of enactment. According to HIPAA, because Congress did not subsequently enact a privacy protection statute by August 1999, the Secretary was required to issue final regulations establishing privacy standards by February 21, 2000.
Standards for transaction sets, code sets, unique identifiers, and security and electronic signatures were to be adopted within 18 months of enactment, except for standards for claims attachments, which were due within 30 months of enactment.
Health plans, health care clearinghouses, and health care providers who conduct electronic transactions must comply with the standards within 24 months of their adoption. Small plans are given an additional 12 months to comply.

Because of the extensive consultation and collaborative effort among HHS, the NCVHS and all segments of the health care industry and the significant demands of the federal regulatory process itself, it was not possible to meet the original timetables outlined in the law. However, the NCVHS is certain that the time and effort expended in the public, open consultation and collaboration process has both vastly improved the ultimate outcomes of HIPAA, and helped to facilitate implementation of the adopted standards.

3. Expanded Responsibilities for the NCVHS

The statute significantly expanded the responsibilities of the NCVHS. In selecting standards for adoption, the Secretary is required to rely on the recommendations of the NCVHS. Subtitle F also requires the NCVHS to report to the Secretary, within four years of the passage of HIPAA, with recommendations and legislative proposals for the adoption of uniform data standards for patient medical record information and the electronic exchange of such information. Finally, Subtitle F requires the NCVHS to submit to Congress an annual report on the status of the Administrative Simplification effort.

Specifically, the requirement for the annual report states:

“SEC. 263 (7) Not later than 1 year after the date of enactment of the Health Insurance Portability and Accountability Act of 1996, and annually thereafter, the Committee shall submit to the Congress, and make public, a report regarding the implementation of Part C of title XI of the Social Security Act. Such report shall address the following subjects, to the extent that the Committee determines appropriate:

“(A) The extent to which persons required to comply with part C of title XI of the Social Security Act are cooperating in implementing the standards adopted under such part.
“(B) The extent to which such entities are meeting the security standards adopted under such part and the types of penalties assessed for noncompliance with such standards.
“(C) Whether the Federal and State Governments are receiving information of sufficient quality to meet their responsibilities under such part.
“(D) Any problems that exist with respect to implementation of such part.
“(E) The extent to which timetables under such part are being met.”

II. IMPLEMENTATION PROCESS

A. Department of Health and Human Services (HHS) Implementation Strategy

The Secretary of HHS formulated a comprehensive strategy for adopting and implementing the standards mandated under Administrative Simplification.

Establish interdepartmental implementation teams to identify and assess potential standards for adoption.
Develop recommendations for standards to be adopted.
Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period.
Analyze public comments and publish the final rules in the Federal Register.
Establish low-cost distribution mechanisms for standards and implementation guides.
Monitor the implementation of the standards to determine if additions or modifications to the standards are needed.

This implementation strategy was designed to assure coordination among HHS agencies, participation by other Federal departments, as well as interaction with the industry and the research and public health communities. Responsibilities within HHS were distributed across three interrelated organizational components: the HHS Data

Council, the Data Council’s Health Data Standards Committee, and the Implementation Teams. The HHS Data Council, the Department’s senior internal data policy body, was given the responsibility to oversee implementation of Administrative Simplification by the Secretary. The Council reports to the Secretary and consists of representatives from each major operating and staff division within HHS. As a senior policy guidance and decision-making body, the Council has been designated to guide the process and report to the Secretary on the progress of the standards and privacy efforts. The Data Council also serves as the contact point for the NCVHS and resolves issues that cannot be resolved by the Data Council’s Health Data Standards Committee.

B. Guiding Principles

With significant input from the health care industry, the Implementation Teams charged with developing recommendations for national standards defined a set of principles for guiding their choices for standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA, the purpose of the law, and generally desirable principles. To be designated as a HIPAA standard, each standard should:

Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions.
Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
Be consistent and uniform with the other HIPAA standards–their data element definitions and codes and their privacy and security requirements–and, secondarily, with other private and public sector health data standards.
Have low additional development and implementation costs relative to the benefits of using the standard.
Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time.
Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
Be technologically independent of the computer platforms and transmission protocols used in electronic transactions, except when it is explicitly part of the standard.
Be precise and unambiguous, but as simple as possible.
Keep data collection and paperwork burdens on users as low as is feasible.
Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.

C. Private Sector Consultation

The HHS implementation strategy was designed to afford many opportunities for interested and affected parties to participate in the standards development and adoption processes. They can:

Participate in open process with standards development organizations.
Attend numerous public meetings.
Write to the Secretary of HHS.
Provide written input to the NCVHS.
Present written and oral testimony at public meetings of the NCVHS.
Comment on the proposed rules for each of the proposed standards during the 60- day comment period.
Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process.

D. NCVHS HIPAA-Related Hearings During 2000

The NCVHS continues to serve as the Department’s primary liaison with the private sector and continues to hold public hearings to obtain the views, perspectives, and concerns of interested and affected parties, as well as their input and advice on health data standards and privacy. In addition to providing numerous opportunities for the private sector to participate in the standards adoption process, these public hearings sponsored by the NCVHS helped maintain the openness and inclusiveness of the process.

During 2000, the focus of NCVHS public hearings and committee deliberations was on issues in early implementation of HIPAA and related HIPAA data standards issues. Specifically, the NCVHS discussed standards for digital signatures, local codes issues, and data issues in HIPAA implementation. The NCVHS also dedicated a major effort to developing and finalizing the report on Uniform Standards for Patient Medical Record Information. In addition, the Committee facilitated the signatories for a Memorandum of Understanding among Organizations Designated to Manage the Maintenance of the Transactions Standards Adopted Under HIPAA in an unprecedented display of solidarity by these groups.

To enhance participation further, NCVHS public meetings are routinely broadcast live on the Internet with the help of the Department of Veterans Affairs. For those unable to attend or listen to the meetings as they occur, recordings of the live broadcasts are available also on the Internet. Agendas and transcripts of NCVHS hearings, minutes, announcements of public meetings, and schedules for future hearings are distributed through the NCVHS web site at:http://ncvhs.hhs.gov

E. Outreach to Public Health and Health Services Research

The Committee continues to support the activities of the Public Health Data Standards Consortium, which was established in response to a consensus recommendation at the 1998 Workshop on Implications of the Administrative Simplification Provisions of HIPAA for Public Health and Health Services Research. The Consortium is serving as a mechanism for ongoing representation of public health and health services research interests in HIPAA implementation and other data standards setting processes.

The Consortium represents the federal and State perspectives on both the National Uniform Billing Committee (NUBC) and the National Uniform Claim Committee. (NUCC), two data content committees under HIPAA. Both seats were approved by the respective committees in 1999. Several federal and State Consortium members also attend and actively participate in both the ANSI ASC X12 and Health Level Seven (HL7) Standards Development Organizations. During 2000, the Consortium participated in two successful requests for modifications and additions to the ANSI ASC X12 standards and HIPAA implementation Guides. The Consortium also established several work groups on critical data needs and initiated development of an educational strategy for public health to migrate to HIPAA related standards.

F. NCVHS Comments on NPRMs

During 2000, the NCVHS provided comments on several implementation issues, and submitted its report on standards for electronic medical record information. The full text of the NCVHS comments and reports is available on the NCVHS website.

G. NCVHS Liaison with the Department of Health and Human Services

The NCVHS has participated with the Department in every aspect of the standards adoption process. Through the HHS Data Council, the NCVHS has submitted recommendations to the Secretary for standards to be adopted and on privacy guidelines and has provided comments on HHS NPRMs. The NCVHS Subcommittee on Standards and Security has worked closely with the Health Data Standards Committee and the Implementation Teams.

The NCVHS provides to, and receives from the Data Council, the HDSC, and the ITs regularly scheduled reports and informal communications on their respective activities. The Data Council Chairperson or Executive Secretary attends NCVHS meetings, and the NCVHS Chair attends the monthly meetings of the Data Council. Upon request, the NCVHS also advises the Secretary on particularly sensitive and controversial issues.

III. PROGRESS TO DATE

A. Transaction Standards and Code Sets

The final rule describing the suite of administrative transactions standards and code sets was issued on August 17, 2000. The expected compliance date is October 16, 2002 (October 16, 2003 for small health plans). Because of the extensive consultation and collaborative effort among HHS, the NCVHS and all segments of the health care industry and the significant demands of the federal regulatory process itself, it was not possible to meet the original timetables outlined in the law. However, the NCVHS is certain that the time and effort expended in the public, open consultation and collaboration process has both vastly improved the ultimate outcomes of HIPAA, and helped to facilitate implementation of the adopted standards.

The First Report of Injury transaction was not included in the NPRM or final rule for HIPAA transaction standards because at that time there was neither a millennium- compliant version of an implementation guide nor a complete data dictionary for the ASC X12N 148 – Report of Injury, Illness, or Incident transaction. The industry continues to make progress on this standard and HHS will assess the status of this standard in the coming year.

B. Standard Identifiers

National Provider Identifier

The Notice of Proposed Rulemaking for the National Provider Identifier was issued in the Federal Register for public comment on May 7, 1998. Approximately 5,000 public comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it is expected to be issued in 2001.

National Employer Identifier

The NPRM for the National Employer Identifier was issued for public comment on June 16, 1998. Approximately 800 comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it is expected to be published in 2001.

National Plan Identifier

A NPRM relating to the National Health Plan/Payer Identifier is under development in HHS and is expected to be published for public comment in 2001.

Unique Health Identifier for Individuals

As directed by Congress, work on the HIPAA requirement for a unique health identifier for individuals has been suspended. The FY 2001 appropriations act includes a provision barring HHS from using any of its appropriated funds to

“… promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider) until legislation is enacted specifically approving the standard.”

C. Standards for Security and Electronic Signatures

A NPRM for Security and Electronic Signature Standards was issued on August 12, 1998. Approximately 2000 comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule, including harmonization with the privacy standards. The final rule for security standards is expected to be published in 2001. While the NPRM included criteria for an electronic signature standard, no consensus industry standard for electronic signature standards could be identified at that time. At the request of the Commerce Department’s National Institute of Standards and Technology, HHS has deferred publication of the electronic signature standard to permit a more thorough assessment of evolving technology and current industry consensus on this issue. Inclusion of an electronic signature standard in the final rule on security standards will depend on industry progress on this issue and the outcome of these activities. For its part, the NCVHS is actively encouraging industry to move towards an electronic signature standard.

D. Standard for Claims Attachments

As noted above, the statute gave an additional 12 months for the adoption of standards for claims attachments. The NCVHS held public hearings on standards for claims attachments in 1998 and provided recommendations to HHS. Development of a NPRM on this standard is well underway within HHS, and is expected to be issued for public comment in 2001.

E. Standards for Privacy of Individually Identifiable Health Information

The NCVHS supports and applauds this progress on national health information privacy standards. The Committee views health information privacy protection as a foundation for the full complement of health care administrative simplification standards, and for progress on additional information technology applications to improve the health of the population and the efficiency and effectiveness of the health system. Accordingly, the Committee urges Congress to build upon the framework of the privacy regulation to enact a comprehensive and balanced health information privacy law that extends privacy protection to all entities that hold individually identifiable health information.

F. Standards for Patient Medical Record Information

limited interoperabilty of health information systems,
limited comparability of data exchanged among providers,
the need for better quality, accountability and integrity of data, and
the need for adequate privacy protections.

The report also includes ten recommendations relating to the

selection of PMRI standards,
acceleration of the development of such standards,
early adoption of PMRI standards, and
relationship of PMRI standards to other issues.

The recommendations have been presented to the HHS Data Council and are currently under evaluation and consideration in HHS. The report is available on the NCVHS website.

G. HHS Plan for Outreach, Education and Industry Partnerships

The Department has taken very seriously its responsibilities to ensure that the industry will be able to receive all of the information and assistance it will need to implement the standards. The statute requires that the Department provide a low-cost distribution method for the implementation guides for these standards.

The X12N standards committee has a long-standing agreement with the Washington Publishing Company (WPC) to develop and maintain official implementation guides for the X12N transaction sets that are being recommended for adoption in the NPRMs. In order to meet its low-cost distribution requirement, HHS has established a contract with the WPC, and implementation guides will be available for downloading from the WPC web site at no charge. Paper copies will be available for purchase from WPC. Guides for the retail drug claim standards will be available from the NCPDP web site.

Despite many efforts, discussions with the health care industry about administrative simplification continue to reveal that some in the health care industry still do not realize how these standards will affect them. To address this problem, NCVHS and HHS have initiated a comprehensive outreach and communication effort. The initiative includes the development of print materials for publication in periodicals and for distribution to the press and the public, direct mailings to affected groups, the coordinated scheduling of presentations to interested groups and press interviews. HHS also works with external organizations to support their outreach efforts.

In addition, HHS maintains a very complete and active website on Administrative Simplification.

http://aspe.hhs.gov/admnsimp

The website includes the current status of these HIPAA standards, as well as copies of the final and proposed regulations themselves. The website also includes a capability for anyone to submit questions on the final transactions and code sets rule. HHS staff then group the questions, develop answers and post the answers on the website. Information on the web site is updated frequently. Agendas and transcripts of the Committee’s hearings and copies of its recommendations to the Secretary are available on the NCVHS web site.

With the assistance of the Department of Veterans Affairs, NCVHS meetings are broadcast live on the world wide web. These sites will continue to be maintained and updated throughout the implementation of administrative simplification. The Department also established a capability to receive electronic comments on the NPRMs, and is in the process of posting all of the public comments received on the NPRMs on the website.

Both the NCVHS and HHS realize that providing information and education on Administrative Simplification to the health care community will be an enormous task. While HIPAA is a federal law, it reflects a government-industry partnership framework, so that responsibility for publicity and education must be shared between the public and private sectors. While HHS must take full responsibility for the Medicare, Medicaid and Indian Health Service health plans, it has relied and will continue to rely on partnerships with a wide range of private sector organizations to assure that the message of Administrative Simplification reaches everyone involved, and that training and technical assistance opportunities exist.

The Designated Standards Maintenance Organization (DSMO) Process

Accredited Standards Committee X12.
Dental Content Committee of the American Dental Association.
Health Level Seven.
National Council for Prescription Drug Programs.
National Uniform Billing Committee.
National Uniform Claim Committee.

At a NCVHS Security and Standards Subcommittee meeting on March 31, 2000, these six organizations signed a Memorandum of Understanding agreeing to a process to manage the maintenance of HIPAA standards. They agreed to work cooperatively to accept requests through a public web site, review these requests, and develop a joint recommendation to the NCVHS as to whether or not these requested changes should be made to the standards. This process in now in full operation.

The DSMO process has numerous and obvious benefits. t represents an industry effort to keep the standards current. It allows full public input and gives the parties most affected by these change requests the opportunity to review and respond to them. It also brings together several disparate constituencies working together in this process.

Industry Implementation Efforts

The health care industry has taken a proactive stance in the planning and coordination of HIPAA standards implementation activities. While the emergence of firms offering HIPAA implementation assistance was to be expected as awareness of the HIPAA process and standards increased, several industry organizations are stepping forward to produce white papers and bring industry participants together to work out problems cooperatively. Several organizations have taken actions to help plans, providers and clearinghouses implement the standards. Both the Association for Electronic Health Care Transactions (AFEHCT) and the Workgroup for Electronic Data Interchange (WEDI) have papers on their web sites. WEDI in particular is sponsoring the Strategic National Implementation Process (SNIP). SNIP has brought participants from all facets of the industry (plans, providers, vendors) together to provide implementation education, assistance, time frames and solutions to problems with the aim of facilitating and coordinating HIPAA implementation nationwide. SNIP also is working together to provide specific guidance on issues identified by industry participants, and making guidance available via their web site and in periodic conferences.

State of Industry Response to HIPAA

In general, the publication of the final rule for standard transactions and code sets has mobilized many segments of the industry to begin their implementation process. There are numerous conferences, web sites, and firms providing HIPAA education, assistance and consulting. In fact, there are increasing indications that HIPAA Administrative Simplification implementation may now rank among the top IT priorities in the health care sector. While awareness has clearly increased, there are segments of the industry which still do not understand the HIPAA impact. Small providers and individual physicians offices seem to be a particular problem.

IV. IMPLEMENTATION ISSUES

Since the enactment of HIPAA, HHS and the NCVHS have worked in partnership with the health care industry to communicate the requirements of HIPAA, to identify and evaluate existing industry standards for adoption, to develop rules that were workable, and to encourage the participation of all members of the health industry in the adoption and implementation of the HIPAA standards. Now that the final standards for transactions and code sets have been issued, the NCVHS has begun focusing on potential barriers to implementation. The intent, on an ongoing basis, is to identify implementation issues and barriers and make recommendations to HHS that address these issues.

Based on public hearings conducted by the NCVHS Subcommittee on Standards and Security, the following implementation issues were identified.

HHS Resources in Promoting Industry HIPAA Implementation

A number of experts and industry representatives suggested that HHS should assume a more active role (and increase funding) to actively promote the implementation of the HIPAA data standards by the industry. We recommend that not only should the Department closely monitor the progress of national implementation, but it must devote sufficient resources to ensure there is adequate technical support, education, and testing.

Funding to Deploy Identifiers

Testing and Compliance with HIPAA Standards

The Committee also is concerned that vendors of provider systems have products that cannot produce standard HIPAA transaction messages. The Committee plans to hold hearings on this issue to understand the breadth of the problem and to provide additional guidance in the coming year.

Data Availability Gap

Electronic Signature Standard

Code Set Issues

Externally Maintained Code Sets – These are code sets that are maintained by external entities, rather than by the Designated Standard Maintenance Organizations (DSMOs) that have agreed to maintain the standard transactions. External code sets include codes for provider taxonomy (specialty and type), place of service, claims adjustment reason, claims status, and remittance advice remarks. Testifiers expressed concern that the maintenance processes used for external code sets must be effective, timely, and nationally responsive. These processes should be based on the same maintenance principles adopted by the DSMOs. Testifiers stated that these processes should consider all bona fide business needs, permit balanced participation from across the health care industry, and provide a widely available mechanism (such as a web site) to receive requests, publicize deliberations and disseminate decisions. The NCVHS recommends that HHS examine the maintenance processes used by the external entities and conduct discussions with them to resolve any weaknesses that are found.

Eliminating Local Codes – According to those testifying, movement away from Health Care Financing Administration (HCFA) Common Procedure Coding System Level III local codes and those local codes developed by others in the industry, as required by the final rule for Standards for Electronic Transactions, is possible, but will require significant effort and resources. The Health Care Financing Administration’s Common Procedure Coding System (HCPCS) is comprised of Level I, Level II, and Level III codes. HCPCS Level I codes are based on the American Medical Association’s Current Procedure Terminology (CPT) and are used to classify procedures and ancillary services provided to patients. HCPCS Level II codes are developed by the HCPCS Panel and issued by HCFA and used to identify durable medical equipment, drugs, supplies, and services not covered by Level I codes. Both Level I and Level II codes are nationally listed and maintained. HCPCS Level III “local” codes are issued for the Medicare Contractors for specific local needs and these codes have different meanings from region to region. In addition, other local codes are developed in an ad hoc fashion by many different health plans and insurers in the health care industry. These are not nationally listed or maintained.

The National Medicaid Electronic Data Interchange (EDI) HIPAA Workgroup is serving as a valuable focal point for Medicaid programs attempting to standardize their use of national codes. In a letter to the Secretary of HHS, the NCVHS has identified a number of issues relating to the process for development and maintenance of local codes. These issues are discussed in detail in a letter to the Secretary of HHS posted on the NCVHS website.

VI. CONCLUSION

To date, the process of adopting and implementing health data standards has been extremely open, collaborative, and productive. With the issuance in 2000 of the final regulations for transactions and code sets standards and privacy standards, the NCVHS has begun to focus on the implementation stage of the effort. Additional information on the NCVHS as well as the HIPAA Administrative Simplification effort can be found on the HHS and NCVHS websites

March 22, 2001 Fourth Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

ADMINISTRATIVE SIMPLIFICATION IN HEALTH CARE: 2000

Fourth Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act

March 22, 2001

FOURTH ANNUAL REPORT TO CONGRESS ON THE IMPLEMENTATION OF HIPAA

CONTENTS

Executive Summary

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

ADMINISTRATIVE SIMPLIFICATION IN HEALTH CARE: 2000

Fourth Annual Report to the Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act

Executive Summary

Overview

Progress on HIPAA Standards for Privacy of Individually Identifiable Health Information

Standards for Administrative Transactions and Code Sets in Health Care

Progress on Health Data and Security Standards

Standards for Patient Medical Record Information

The Designated Standards Maintenance Organization (DSMO) Process

Industry Implementation Efforts

State of Industry Response to HIPAA

Continuing Consultation and Implementation Efforts

Implementation Issues

Conclusion

I. INTRODUCTION

A. Background

B. Purpose of This Report

C. Content of the Report

D. Requirements of HIPAA Administrative Simplification

1. Requirements for Standards

2. Timetables

3. Expanded Responsibilities for the NCVHS

II. IMPLEMENTATION PROCESS

A. Department of Health and Human Services (HHS) Implementation Strategy

B. Guiding Principles

C. Private Sector Consultation

D. NCVHS HIPAA-Related Hearings During 2000

E. Outreach to Public Health and Health Services Research

F. NCVHS Comments on NPRMs

G. NCVHS Liaison with the Department of Health and Human Services

III. PROGRESS TO DATE

A. Transaction Standards and Code Sets

B. Standard Identifiers

National Provider Identifier

National Employer Identifier

National Plan Identifier

Unique Health Identifier for Individuals

C. Standards for Security and Electronic Signatures

D. Standard for Claims Attachments

E. Standards for Privacy of Individually Identifiable Health Information

F. Standards for Patient Medical Record Information

G. HHS Plan for Outreach, Education and Industry Partnerships

http://aspe.hhs.gov/admnsimp

The Designated Standards Maintenance Organization (DSMO) Process

Industry Implementation Efforts

State of Industry Response to HIPAA

IV. IMPLEMENTATION ISSUES

VI. CONCLUSION

ADMINISTRATIVE SIMPLIFICATION
IN HEALTH CARE: 2000

ADMINISTRATIVE SIMPLIFICATION
IN HEALTH CARE: 2000

Fourth Annual Report to the Congress
on the Implementation
of the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act