Second Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act (HIPAA)

I. INTRODUCTION

A. Background

A considerable portion of every health care dollar is spent on administrative overhead. In health care, this overhead includes many tasks, such as:

• filing a claim for payment from an insurer,
• enrolling an individual in a health plan,
• paying health insurance premiums,
• checking insurance eligibility for a particular treatment,
• requesting authorization to refer a patient to a specialist,
• responding to requests for additional information to support a claim,
• coordinating the processing of a claim across different insurance companies, and
• notifying the provider about the payment of a claim.

Today these processes involve numerous paper forms and telephone calls, non-standard electronic commerce, and many delays in communicating information among different locations. This situation creates difficulties and costs for health care providers, health plans, and consumers alike.

The burden of these costs affects everyone involved in the health care system. For example:

• the typical health plan that continues to process mountains of paper forms that differ in content from one plan to another,
• the typical physician who bills multiple health plans with their varying forms and formats, and who must respond to additional requirements imposed by managed care organizations,
• the typical hospital that needs to lower administrative costs in order to continue to provide quality health care,
• the typical employer who sees an increasing share of resources being eaten up by health care costs, and
• the typical consumer, who ultimately pays for administrative burden.

To address these problems, the health care industry, including both public and private sectors, has worked to develop standards to improve the way in which transactions are exchanged electronically. However, economic pressures have prevented competing parties from adopting a uniform set of such standards. At the request of the industry and with bipartisan support, Congress enacted the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The industry has estimated that full implementation of these provisions could save up to $9 billion per year by reducing administrative overhead, without reducing the amount or quality of health care services. In fact, such savings raise the possibility of helping to improve the quality of health care by freeing up resources now devoted to paperwork and administration.

B. Purpose of This Report

The purpose of this report is to describe the status of implementation of the administrative simplification provisions of HIPAA during 1998, the second year after enactment of the law. Congress gave the NCVHS the role of advising HHS on the adoption of standards, monitoring implementation of Administrative Simplification, and reporting annually on its progress. During 1998, the Committee has monitored the process of standards adoption and the issuance of proposed standards, as carried out by the Government and its advisory bodies. In the future, once the standards become effective and enter the implementation stage, the NCVHS will report on the rate of implementation and the growth of electronic data interchange (EDI) in the health care industry.

The Committee is pleased to report that the process of implementation to this point has been extremely open, collaborative, and productive. During 1998, four Notices of Proposed Rulemaking were published outlining the proposed standards. The openness and success of the process to date bode well for the ultimate success of the implementation of these standards.

C. Content of the Report

Although this report was requested by the Congress, it is directed at the industry and the public as well. The report begins with a review of the requirements of the statute, including the implementation timetable required by the law, and the expanded responsibilities of the NCVHS. The report then outlines the implementation process, which involves the Department of Health and Human Services, other Federal agencies, the States, the NCVHS, the industry, and the public health and research communities. Next, the status of implementation of each of the standards required by HIPAA is reviewed. Last year’s report included the NCVHS’ recommendations for each of the required standards. Those recommendations are available on the NCVHS website and are not repeated here. In 1998, the NCVHS held several public hearings on HIPAA related issues and provided comments to HHS on the NPRM’s themselves. The comments are discussed briefly in this report and are available in their entirety on the NCVHS website. A discussion follows in which the NCVHS highlights several issues that deserve particular attention by HHS and by the Congress. Finally, the report concludes with a discussion of implementation issues and how the NCVHS intends to monitor implementation in the future.

D. Requirements of the Statute

The Administrative Simplification provisions, Title II, Subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services (HHS) to adopt standards for the electronic transmission of administrative and financial health care transactions, including data elements and code sets for those transactions; for unique health identifiers for health care providers, health plans, employers, and individuals for use in the health care system; and for security standards to protect individually identifiable health information. The law also requires the Secretary to submit recommendations for Federal health privacy legislation to the Congress within one year. Additionally, these provisions gave special responsibilities to the NCVHS to advise the Secretary on privacy and on the adoption of standards and to submit to Congress an annual report on the status of the Administrative Simplification effort.

The purposes of these provisions are to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the use of electronic methods for transmission of health information through the establishment of standards and requirements for covered electronic transmissions.

1. Requirements for Standards

The standards required under the law include:

• Transactions for:

Health claims or equivalent encounter information
Enrollment and disenrollment in a health plan
Eligibility for a health plan
Health care payment and remittance advice
Health plan premium payments
First report of injury
Health claim status
Referral certification and authorization
Claims attachments (The law allows an additional twelve months for the adoption of the claims attachment standard.)

• Code sets and classification systems for the data elements of the transactions
• Unique identifiers for health plans, health care providers, employers, and individuals for use in the health care system
• Security and electronic signature standards and safeguards to protect health information during transmission and while stored in health information systems, to ensure the integrity of the information, and to protect against unauthorized use and disclosure.
• Coordination of benefits and sequential processing of claims.

Under the law, the Secretary may also establish standards for other financial and administrative transactions that she determines to be appropriate and that are consistent with the goals of improving the operation of the health care system and reducing administrative costs. This provision permitted designation of coordination of benefits as one of the standard transactions being adopted.

The standards will apply to all health plans, health care clearinghouses, and health care providers that transmit health information in electronic form. Health plans are required to accept standard transactions submitted electronically by health care providers, and health plans cannot delay or otherwise adversely affect such transactions. Health plans and health care providers may submit or receive transactions directly or indirectly through the use of health care clearinghouses.

In addition to the requirement for security standards, the statute also requires the Secretary to submit to Congress detailed recommendations on standards with respect to the privacy of individually identifiable health information. These recommendations were delivered to the Congress on September 11, 1997.

2. Timetables

The Health Insurance Portability and Accountability Act, which was enacted on August 21, 1996, specifies an aggressive implementation schedule:

• The Secretary’s recommendations for protecting the privacy of individually identifiable health information were due within 12 months of the date of enactment.
• Standards for transaction sets, code sets, unique identifiers, and security and electronic signatures were to be adopted within 18 months of enactment, except for standards for claims attachments, which are due within 30 months of enactment.
• Health plans, health care clearinghouses, and health care providers who conduct electronic transactions must comply with the standards within 24 months of their adoption. Small plans are given an additional 12 months to comply.

The NCVHS and the Department have worked diligently to address the schedule required by the statute. As noted above, the Secretary’s recommendations for federal privacy legislation have been delivered to the Congress. Notices of Proposed Rule Making for the transactions, code sets, some identifiers, and security and electronic signature standards were issued in 1998. Because of the extensive and unprecedented level of industry consultation and the number of issues that need to be resolved before final standards are selected, the requirement to publish the final rules for the first set of standards by February 21, 1998 has not been met. However, four of the proposed rules were published in 1998, and two more are expected to be issued in 1999. Based on the public comments received on the NPRMs, HHS is revising the rules and they will be issued as final rules as they are completed.

3. Expanded Responsibilities for the NCVHS

The statute significantly expanded the responsibilities of the NCVHS. In selecting standards for adoption, the Secretary is required to rely on the recommendations of the NCVHS. Subtitle F also requires the NCVHS to report to the Secretary, within four years of the passage of HIPAA, with recommendations and legislative proposals for the adoption of uniform data standards for patient medical record information and the electronic exchange of such information. Finally, Subtitle F requires the NCVHS to submit to Congress an annual report on the status of the Administrative Simplification effort.

Specifically, the requirement for the annual report states:

“SEC. 263 (7) Not later than 1 year after the date of enactment of the Health Insurance Portability and Accountability Act of 1996, and annually thereafter, the Committee shall submit to the Congress, and make public, a report regarding the implementation of Part C of title XI of the Social Security Act. Such report shall address the following subjects, to the extent that the Committee determines appropriate:

“(A) The extent to which persons required to comply with part C of title XI of the Social Security Act are cooperating in implementing the standards adopted under such part.

“(B) The extent to which such entities are meeting the security standards adopted under such part and the types of penalties assessed for noncompliance with such standards.

“(C) Whether the Federal and State Governments are receiving information of sufficient quality to meet their responsibilities under such part.

“(D) Any problems that exist with respect to implementation of such part.

“(E) The extent to which timetables under such part are being met.”

Since the first standards are not scheduled for final adoption until 1999 or early 2000 with implementation two years thereafter, this annual report focuses on the activities of the Federal Government, industry, and the NCVHS during the past year to identify, evaluate, select, and publish the required standards for public comment. Subsequent annual reports will focus on implementation issues.

II. IMPLEMENTATION PROCESS

A. Department of Health and Human Services (HHS) Implementation Strategy

The Secretary of HHS formulated a comprehensive strategy for developing and implementing the standards mandated under Administrative Simplification.

1. Establish interdepartmental implementation teams to identify and assess potential standards for adoption.
2. Develop recommendations for standards to be adopted.
3. Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period.
4. Analyze public comments and publish the final rules in the Federal Register.
5. Establish low-cost distribution mechanisms for standards and implementation guides.

A critical sixth step that will be implemented once the standards have been put in place will be the ongoing monitoring of the implementation of the standards to determine if additions or modifications to the standards are needed.

This implementation strategy was designed to assure coordination among HHS agencies, participation by other Federal departments, as well as interaction with the industry and the research and public health communities. Responsibilities within HHS were distributed across three interrelated organizational components: the HHS Data

Council, the Data Council’s Health Data Standards Committee, and the Implementation Teams.

1. HHS Data Council

The HHS Data Council, the Department’s senior internal data policy body, was given the responsibility to oversee implementation of Administrative Simplification by the Secretary. The Council reports to the Secretary and consists of representatives from each major operating and staff division within HHS. As a senior policy guidance and decision-making body, the Council has been designated to guide the process and report to the Secretary on the progress of the standards and privacy efforts. During the past year, the co-chairs of the Data Council have been the Assistant Secretary for Planning and Evaluation and the Administrator of the Agency for Health Care Policy and Research. The Data Council also serves as the contact point for the NCVHS and resolves issues that cannot be resolved by the Data Council’s Health Data Standards Committee.

2. Health Data Standards Committee

The Data Council’s Health Data Standards Committee (HDSC) is responsible for the daily operation and management of the standards activities. The membership of the Health Data Standards Committee includes representatives from the Executive Office of Management and Budget, HHS components and other affected Federal Departments, including the Department of Defense, the Department of Veterans Affairs, and others. The HDSC determines the membership and coordinates the activities of the Implementation Teams. It is also responsible for ensuring that external groups — NCVHS’ Subcommittee on Standards and Security; the Workgroup for Electronic Data Interchange (WEDI); the American National Standards Institute’s Healthcare Informatics Standards Board (ANSI HISB); the National Uniform Claim Committee (NUCC); the National Uniform Billing Committee (NUBC); the American Dental Association (ADA); and the National Council for Prescription Drug Programs (NCPDP) — are appropriately consulted and involved in the development process. The HDSC resolves issues that cannot be resolved by the Implementation Teams.

3. Implementation Teams

Seven Implementation Teams (ITs) are responsible for the research, analysis, and development of recommendations for national standards for consideration by the HDSC and the Data Council. These teams are made up of representatives from HHS and from a number of other government Agencies that will be affected by the standards or have specific expertise necessary for development of the recommendations. These include the Department of Defense, the Department of Veterans Affairs, the Department of Labor, the Department of Commerce, the Social Security Administration, the Department of the Treasury, the Office of Personnel Management, and Tricare. A member of the NCVHS has been assigned as liaison to advise and assist each of the Teams and to monitor their progress.

The subject matter of the teams includes (1) claims/encounters, (2) identifiers, (3) enrollment/eligibility, (4) security, (5) medical coding/classification, (6) claims attachments. A seventh team addresses cross-cutting issues and coordinates the subject matter teams. The teams have consulted with external groups such as the NCVHS Subcommittee on Standards and Security, WEDI, the ANSI HISB, the NUCC, the NUBC, and the ADA.

B. Guiding Principles

With significant input from the health care industry, the Implementation Teams charged with developing recommendations for national standards defined a set of principles for guiding their choices for standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA, the purpose of the law, and generally desirable principles. To be designated as a HIPAA standard, each standard should:

1. Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions.
2. Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
3. Be consistent and uniform with the other HIPAA standards–their data element definitions and codes and their privacy and security requirements–and, secondarily, with other private and public sector health data standards.
4. Have low additional development and implementation costs relative to the benefits of using the standard.
5. Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time.
6. Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
7. Be technologically independent of the computer platforms and transmission protocols used in electronic transactions, except when it is explicitly part of the standard.
8. Be precise and unambiguous, but as simple as possible.
9. Keep data collection and paperwork burdens on users as low as is feasible.
10. Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.

C. Private Sector Consultation

The HHS implementation strategy was designed to afford many opportunities for interested and affected parties to participate in the standards development and adoption processes. They can:

1. Participate in open process with standards development organizations.
2. Attend numerous public meetings.
3. Write to the Secretary of HHS.
4. Provide written input to the NCVHS.
5. Present written and oral testimony at public meetings of the NCVHS.
6. Comment on the proposed rules for each of the proposed standards during the 60-day comment period.
7. Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process.

Early on, ANSI HISB provided the Department with an inventory of standards that currently exist in the health care industry. This inventory served as the starting point for the Implementation Teams’ evaluation of existing standards to identify candidate standards for adoption.

D. NCVHS Hearings During 1998

In response to its new responsibilities, the NCVHS achieved an unprecedented level of activity and output during the first year of HIPAA implementation. During 1998, the NCVHS modified and streamlined its structure to more effectively address the requirements of HIPAA, accommodate new areas, and promote a broader perspective on population-based data issues and a vision for the National Health Information Infrastructure generally. The reorganization resulted in the following four subcommittees: the Executive Subcommittee, the Subcommittee on Privacy and Confidentiality, the Subcommittee on Standards and Security, and the Subcommittee on Populations. The new structure also includes four working groups: the Workgroup on Computer-Based Patient Records, the Workgroup on Health Statistics for the 21st Century, the Workgroup on Quality, and the Workgroup on the National Health Information Infrastructure.

The NCVHS continues to serve as the Department’s primary liaison with the private sector and continues to hold public hearings to obtain the views, perspectives, and concerns of interested and affected parties, as well as their input and advice on health data standards and privacy. In addition to providing numerous opportunities for the private sector to participate in the standards adoption process, these public hearings sponsored by the NCVHS helped maintain the openness and inclusiveness of the process.

During 1997, NCVHS sponsored more than 40 days of public hearings involving more than 200 witnesses from across the health spectrum. In 1998, the NCVHS sponsored an additional six full days of public hearings on HIPAA data standards (claims attachments, unique identifiers, CPR data standards) and heard from 62 witnesses. To enhance participation further, NCVHS public meetings are routinely broadcast live on the Internet with the help of the Department of Veterans Affairs. For those unable to attend or listen to the meetings as they occur, recordings of the live broadcasts are available also on the Internet.

Agendas and transcripts of NCVHS hearings, minutes, announcements of public meetings, and schedules for future hearings are distributed through the NCVHS web site at:

http://ncvhs.hhs.gov

During 1998, the Full Committee held public hearings and panels relating to HIPAA issues on:

• March 3-4, 1998

Topic: Perspectives on standards for computer-based patient records; need for data quality standards.

• June 16-17, 1998

Topic: Panel discussion on claims attachments standards.

The Subcommittee on Standards and Security conducted hearings on:

• February 9-10, 1998

Topic: Two full days of public hearings on standards for claims attachments.

• March 3, 1998

Topic: Panel discussion on standards for claims attachments.

• July 20-21, 1998

Topic: Two full days of public hearings on HIPAA requirements for the unique health identifier for individuals.

• December 8-9, 1998

Topic: Two full days of public hearings on approaches to standards for computer based patient records.

The Subcommittee on Privacy and Confidentiality conducted panel discussions on:

• January 28-29, 1997

Topic: Panel discussion on identifiability issues; panel discussion on confidentiality issues in health and medical registries.

• September 15, 1998

Topic: Panel discussion on privacy issues and health care anti-fraud activities

• November 12, 1998

Topic: Discussion of model privacy legislation developed by National Association of Insurance Commissioners.

The Subcommittee on Populations held public hearings on:

• January 12-13, 1998

Topic: Panel discussion of Medicaid managed care data needs and issues.

• February 9-10, 1998

Topic: Field hearing in Phoenix Arizona on Medicaid managed care data issues.

• March 2, 1998

Topic: Joint hearing with the Subcommittee on Standards and Security on post acute care data issues.

• April 14-16, 1998

Topic: Field hearing in Boston, Massachusetts on data issues in Medicaid Managed Care.

• July 14-15, 1998

Topic: Public hearing on health data needs and issues in the Pacific Insular Areas, Puerto Rico and the Virgin Islands.

E. Outreach to Public Health and Health Services Research

The Committee has supported outreach to the public health and health services research communities to ensure that they understand the implications of HIPAA for their activities and are present at the table as decisions are being made. Several NCVHS members participated in a November 2-3, 1998 Workshop on the implications of HIPAA Administrative Simplification Provisions for Public health and Health Services Research. The workshop, which was sponsored by NCHS/CDC in conjunction with the Agency for Health Care Policy and Research and the NCVHS, affirmed the potential benefits of administrative simplification for these sectors and the need for them to be a part of the standards development process.

F. NCVHS Comments on NPRMs

During 1997, the NCVHS forwarded a number of recommendations to the Secretary of HHS relating to the standards and privacy requirements in HIPAA. Those recommendations were summarized in last year’s annual report and are available in their entirety on the NCVHS website. During 1998, the NCVHS provided comments on several of the NPRMs issued by HHS for public comment. With respect to the NPRMs relating to the National Provider Identifier and the standards for transactions and code sets, the NCVHS generally supported the proposals, observed that the proposals were based largely upon and consistent with the NCVHS recommendations for standards, and provided responses to specific issues raised in the NPRMs. The NCVHS comments also raised questions relating to OMB’s interpretation of the applicability of the Paperwork Reduction Act (PRA) to the adoption of HIPAA EDI standards, and urged OMB to use its discretion and not apply the PRA to the HIPAA EDI standards adoption process.

With respect to the NPRM relating to Standards for Security and Electronic Signatures, the NCVHS comments recognized the proposal as a positive step toward requiring that all health care entities safeguard the integrity, confidentiality and availability of their electronic data. The comments also supported the NPRM recommendations for a technology-neutral standard that will promote interoperability among information systems, the accommodation of different sizes of health care entities, and consideration of the cost of implementation. The full text of these recommendations is available on the NCVHS web site.

G. NCVHS Liaison with the Department of Health and Human Services

The NCVHS has participated with the Department in every aspect of the standards adoption process. Through the HHS Data Council, the NCVHS has submitted recommendations to the Secretary for standards to be adopted and on privacy guidelines and has provided comments on HHS NPRMs. The NCVHS Subcommittee on Standards and Security has worked closely with the HDSC and the ITs.

The NCVHS provides to, and receives from the Data Council, the HDSC, and the ITs regularly scheduled reports and informal communications on their respective activities. The Data Council Chairs attend NCVHS meetings, and the NCVHS Chair attends the monthly meetings of the Data Council. Each IT has a liaison from the NCVHS who participates in Team meetings and provides advice and guidance. Upon request, the NCVHS also advises the Secretary on particularly sensitive and controversial issues.

III. PROGRESS TO DATE

A. Standard Identifiers

• National Provider Identifier

The Notice of Proposed Rulemaking for the National Provider Identifier was issued in the Federal Register for public comment on May 7, 1998. Approximately 5,000 public comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it will be published when finalized.

• National Employer Identifier

The NPRM for the National Employer Identifier was issued for public comment on June 16, 1998. Approximately 800 comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it will be published when finalized.

• National Plan Identifier

A NPRM relating to the National Plan/Payer Identifier is under development in HHS and is expected to be published for public comment in 1999.

• Unique Health Identifier for Individuals

Because of extensive privacy concerns and a lack of consensus on the appropriate technical standard for a UHI, HHS decided in October 1997 not to proceed immediately with a proposed rule for the UHI. Instead, HHS decided to initiate an open public process for discussion of the issues surrounding the unique identifier for individuals. This process involved a public hearing on the issue by the NCVHS, and the release of a White Paper discussing the options and implications of those options. Initially, HHS planned to include in the public consultation process additional NCVHS hearings and publication in the Federal Register of a Notice of Intent (NOI) that would solicit information and public input on concerns and possible approaches. The purpose of the NOI would be to seek public input on a variety of options and approaches for individual health identifiers without presenting a specific option as the preferred direction, and to invite comment on privacy issues. Once the public comments had been received and analyzed, the Secretary would be in a better position to decide whether and how to proceed with the selection of the identifier.

However, the initial NCVHS hearing held in July 1998 drew significant media attention, and there was great concern expressed that privacy protections were essential before any UHI is put in place. The announcement by Vice President Gore in late July that no UHI will be implemented until privacy protections are in place has done little to stem public and Congressional concerns. The FY 1999 appropriations act signed on October 21 includes a provision barring HHS from using any of its appropriated funds to

“… promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider) until legislation is enacted specifically approving the standard.”

In light of these circumstances, publication of the NOI and further NCVHS hearings on this topic have been put on hold. Thus, the selection of the unique identifier for individuals will be delayed relative to the deadline established by the statute. The NCVHS strongly believes that the delay is warranted and that additional public involvement in this very sensitive area is imperative.

B. Transaction Standards and Code Sets

Based on the results of the analyses performed by the Implementation Teams, the input received from the Committee, the public testimony provided at the NCVHS hearings during the past year, and the NCVHS recommendations to HHS, a Notice of Proposed Rulemaking for National Standards for Electronic Transactions, including transaction codes and code sets was issued for public comment on May 7, 1998. Approximately 17,000 comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it will be published when finalized.

The First Report of Injury transaction was not included in the NPRM for HIPAA transaction standards issued in May because there was neither a millennium-compliant version of an implementation guide nor a complete data dictionary for the ASC X12N 148 – Report of Injury, Illness, or Incident transaction. The Secretary will issue a separate Notice of Proposed Rulemaking at a later date after the implementation guide and data dictionary have been completed.

C. Security and Electronic Signatures

Based on the results of the analyses performed by the Implementation Teams, the input received from the Committee, the public testimony provided at the NCVHS hearings during the past year, and the NCVHS recommendations to HHS, a NPRM for Security and Electronic Signature Standards was issued on August 12, 1998. Approximately 2000 comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it will be published when finalized.

D. Claims Attachments

As noted above, the statute gave an additional 12 months for the adoption of standards for claims attachments. The NCVHS held public hearings on standards for claims attachments in 1998 and provided recommendations to HHS. Development of a NPRM on this standard is well underway within HHS, and is expected to be issued for public comment in 1999.

E. Privacy

On September 11, 1997, Secretary Shalala delivered her detailed recommendations to Congress for Federal privacy legislation to protect individually identifiable health information. In her recommendations, she urged Congress to pass without delay privacy legislation that would be based on five key principles:

1. Boundaries – An individual’s health care information should be used for health purposes and only those purposes, subject to a few carefully defined exceptions.

2. Security – Organizations to which we entrust health information ought to protect it against deliberate or inadvertent misuse or disclosure. Federal law should require such security measures.

3. Consumer Control – Patients should be able to see what is in their records, get a copy, correct errors, and find out who else has seen them.

4. Accountability – Those who misuse personal health information should be punished, and those who are harmed by its misuse should have legal recourse.

5. Public Responsibility – Federal law should identify those limited arenas in which our public responsibilities warrant authorization of access to our medical information, and should sharply limit the uses and disclosure of information in those contexts.

In addition, the Secretary recommended that Federal privacy legislation not preempt or supersede other State or Federal laws that are more protective of individual privacy. The full text of the Secretary’s privacy recommendations is available in the HHS administrative simplification website: http://aspe.os.dhhs.gov/admnsimp.

Although a number of health record privacy bills were introduced in the 105th Congress, none were enacted. It is expected that health information privacy legislation will receive considerable attention in the 106th Congress. According to HIPAA, if Congress does not enact privacy protection by August 1999, the Secretary is required to issue final regulations to protect the information transmitted in connection with the HIPAA administrative transaction standards by February 2000.

F. Implementation Plan and Communication Strategy

The Department has taken very seriously its responsibilities to ensure that the industry will be able to receive all of the information and assistance it will need to implement the standards. The statute requires that the Department provide a low-cost distribution method for the implementation guides for these standards.

The X12N standards committee has a long-standing agreement with the Washington Publishing Company (WPC) to develop and maintain official implementation guides for the X12N transaction sets that are being recommended for adoption in the NPRMs. In order to meet its low-cost distribution requirement, HHS has established a contract with the WPC, and implementation guides will be available for downloading from the WPC web site at no charge. Paper copies will be available for purchase from WPC. Guides for the retail drug claim standards will be available from the NCPDP web site.

Despite many efforts, discussions with the health care industry about administrative simplification continue to reveal that some in the health care industry still do not realize how these standards will affect them. To address this problem, NCVHS and HHS have initiated a comprehensive outreach and communication effort. The initiative includes the development of print materials for publication in periodicals and for distribution to the press and the public, direct mailings to affected groups, the coordinated scheduling of presentations to interested groups and press interviews. HHS also works with external organizations to support their outreach efforts.

In addition, information on the current status of these standards, as well as the NPRMs themselves is available on the HHS Administrative Simplification web site:

http://aspe.os.dhhs.gov/admnsimp/

Information on the web site is updated frequently. Agendas and transcripts of the Committee’s hearings and copies of its recommendations to the Secretary are available on the NCVHS web site:

http://ncvhs.hhs.gov

With the assistance of the Department of Veterans Affairs, NCVHS meetings are broadcast live on the world wide web. These sites will continue to be maintained and updated throughout the implementation of administrative simplification. The Department also established a capability to receive electronic comments on the NPRMs, and is in the process of posting all of the public comments received on the NPRMs on the website.

IV. SPECIAL PRIVACY AND SECURITY CONCERNS

The Committee has identified a number of special privacy and security concerns that it wishes to highlight for the Congress and the public.

A. Federal Privacy Legislation

The NCVHS continues to believe that the United States is in the midst of a health privacy crisis. The protection of health records has eroded significantly in the last two decades. Major contributing factors are ongoing institutional changes in the structure of the health care system and the lack of modern privacy legislation. Without a federal health privacy law, patient protections will continue to deteriorate.

Delays in passing privacy legislation will allow additional and uncontrolled uses of health information to continue to develop. Failure to address health privacy will also undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner. The greater the delay in imposing meaningful controls on the inappropriate use and disclosure of identifiable individual information, the more difficult it will be to overcome institutional resistance to restrictions on use and disclosure or changing the way that information is acquired and used.

The NCVHS urges the Congress to act quickly to pass Federal privacy legislation to counter these disturbing trends.

B. Linkage of the Individual Identifier to Privacy Protections

In 1997, the Committee recommended that the selection of a unique health identifier for individuals be delayed until the passage of legislation to assure the confidentiality of individually identifiable health information and to protect an individual’s right to privacy. The identification of patients is a constant issue in health treatment, payment, and administrative activities. The choice of a unique patient identifier will affect every health care transaction, provider, and institution. Patient privacy will be directly affected by any decision about the adoption of a unique patient identifier.

Selection of a patient identifier will have significant consequences both within and outside the health care system. A properly chosen patient identification system has the potential to enhance privacy. However, at its hearings, the Committee found no consensus on a patient identifier. Indeed, the testimony presented to the Committee reflected the extent to which public opinion is deeply divided on the approach for protecting privacy and on the issue of whether a unique patient identifier should be adopted at all. Thus, the Committee continues to believe that any discussion of a unique patient identifier for health care is incomplete without substantive privacy protections. The Committee again urges the Congress to enact a comprehensive federal health information privacy law this year.

C. Anti-Discrimination Measures are Needed

An issue of concern to consumers revealed during the Committee’s hearings on privacy was the relationship between privacy (as defined by principles of fair information practices) and potential discrimination in employment, insurance, and elsewhere. The protection of individual privacy requires that this relationship be addressed. Part of the motivation for seeking protections for health information is to prevent the use of such information for purposes outside of health care delivery and payment. Patients receiving care for certain health conditions or who have been the subject of genetic testing are potentially subject to discrimination in employment, insurance, and elsewhere. Some patients are fearful of disclosing their full medical information to health care providers and thereby might unknowingly compromise the quality of medical care they receive. Several bills introduced in the last Congress address the possible use of genetic information to discriminate.

Privacy legislation that specifies legitimate uses of health data can prevent potential discrimination and reassure consumers by establishing a legal requirement that identifiable health information be used only for the purposes for which it was collected. Further, health care providers can be more assured of delivering quality health care services if they have more accurate patient medical information. This would be a major step toward preventing the use of health information for non-health purposes.

The Committee recognizes the fact that privacy issues and discrimination issues are complicated. An already complex health privacy bill may not be the best place to sort out responses to equally complex discrimination problems. The Committee suggests that privacy and discrimination issues deserve separate legislative treatment. The problems of discrimination are important, but further work needs to be done to more fully develop anti-discrimination legislation.

D. Security

Assuring the security of information systems in the health care industry is a critical concern if the health care sector is to achieve the full benefit of advances in information technology. While information technology holds the promise of improving the quality of care and reducing costs, it also introduces new vulnerabilities. Thus, the Committee believes that the move toward electronic storage and transmission of health information must be accompanied by strong security policies and procedures for sensitive information.

The Committee believes that the proposed rule for security standards that HHS has published for public comment provides the basic framework to ensure that all health care entities safeguard the integrity, confidentiality and availability of their electronic data. The proposed rules incorporate all of the NCVHS recommendations made last year. In addition, the technology-neutral approach adopted in the proposed rule will promote interoperability among health information systems, accommodate different sizes of health care organizations, and foster favorable cost benefit outcomes.

The Committee plans to continue to monitor industry compliance with and the development and maturation of security technology and standards, including electronic signatures.

V. IMPLEMENTATION ISSUES

A. Identifying and Resolving Standards Implementation Issues

Once the Administrative Simplification standards have been adopted, the health care community will be encouraged to notify the Department or the NCVHS in writing or through our respective web sites of any issues or concerns with the implementation of the new standards. In addition, the Committee will conduct a number of public hearings to obtain additional input from a broad cross section of users in both the public and private sectors. Based on this input, the Committee will notify HHS of any problems that are presented and will provide recommendations on how to deal with those problems.

B. Identifying Need for New Standards

The statute requires the Secretary of HHS to review the standards and adopt modifications to those standards (including additions to the standards), as appropriate, but not more frequently than once every 12 months. The Committee will seek input from the public on additional standards or modifications to existing standards that may be needed and will provide timely recommendations to the Secretary.

C. Measurement of Standards Implementation Status

The Committee will follow the status of standards implementation from Federal and State agencies for the health care programs under their jurisdiction. These agencies and representatives from the private sector will be asked also to provide public testimony at NCVHS hearings, where appropriate, at which they will be asked to indicate the extent of standards usage that they have observed.

We will also ask the applicable standards development organizations to provide regular status reports on the status of implementation of the new standards. We would also encourage them to provide advice as to how to increase the rate of compliance, if necessary.

Since security is a primary concern to the public, the industry, and the Committee, we will ask the appropriate private sector certifying bodies to monitor the status of the security measures that will be adopted and to ensure that adequate safeguards are in place to protect individually identifiable information.

In addition to these status reports and public hearings, the Committee will make substantial use of industry sources that provide information on and analyses of major trends in the application of information technology in health care. This information will include major trends in applying electronic data interchange; the development of computer networks; the growth of computer-based patient records; and trends in automation in health care organizations.

D. Strengthening the National Health Information Infrastructure to Improve Health Care Quality and Access and Reduce Costs

The Committee is charged to make sound recommendations on health information policy to the Executive and Legislative Branches of our nation’s government. To accomplish this end, the NCVHS plans to draw upon all available reports and recommendations in order to develop a vision for the future relating to data needs for quality, costs and access to care as well as for the information infrastructure needed for both health care delivery and management. To that end, the NCVHS has submitted a concept paper to HHS on enhancing health applications in the national information infrastructure.

VI. CONCLUSION

To date, efforts to implement the Administrative Simplification provisions of HIPAA and to adopt standards stand apart from other government activity in several ways. They differ in:

• Origin — The health care industry came to Congress to ask for help in setting standards, which they knew they needed but were unable to make happen on their own.
• Process — The government’s adoption process has been completely open, inclusive and collaborative.
• Advisory role of the NCVHS — The NCVHS has been a participant and partner, with a valued role in the process.
• Scope — Government programs will have to follow these regulations, just like other players in the health care system.
• Future — The playing field being established is level. The development and maintenance of the standards will depend on an open, consensus-driven standards development process supported by the private sector. The government will be an active participant, but it is not establishing a government program.

In summary, the process of adopting health data standards has been extremely open, collaborative, and productive. The success of the process up to this point bodes well for the ultimate success of the implementation of these standards. The Committee is committed to improving the national health information infrastructure needed to enhance quality and access to care and reduce costs.

VII. ADDITIONAL VIEWS

Additional Views of Robert Gellman
to the
Second Annual Report to the Congress
on the Implementation
of the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act

The discussion in the report about the unique health identifier for individuals offers a misleading impression about the activities of the Committee. What the Committee really did in its 1997 recommendation was to decide that a unique patient identifier was a desirable goal. The Committee expressly voted on this specific issue, and it insisted on affirming support for an identifier despite opposition from some Committee members who argued that any decision on the patient identifier issue was unwise and precipitous. The report ignores the dissent on the Committee by failing to take note of the differing points of view among Committee members.

The Committee adopted its recommendation for a unique patient identifier in advance of public hearings and in the absence any formal analysis of the costs or benefits of a patient identifier. Indeed, in its zeal, the Committee even voted to proceed with hearings on the issue before the Department’s promised white paper was to be publicly available.

The consequences of the Committee’s rush to judgment are now apparent. The Committee’s misguided and hasty actions on the patient identifier backfired in the end. The hearings on the patient identifier sparked a national wave of opposition. One result was a promise from the Vice President to slow down consideration of the identifier issue. Another consequence was the enactment by the Congress of a moratorium on the administrative adoption of a patient identifier.

In the report, the Committee characterizes the public response to its July 1988 hearings by stating that “there was great concern expressed that privacy protections were essential before any UHI is put in place.” In my opinion, that is a distortion of the objections. The public appeared to be dead set against an identifier without qualification. The Committee nevertheless clings to its predetermined view supporting an identifier and hears only what it wants to hear.

It is very nice that the Committee wants to see privacy legislation before an identifier is adopted. But this is the only qualification to the Committee’s support for a health identifier. The Committee expressed no reservation about the costs of an identifier, about any possible negative consequences for the availability of health care, or about the nature of privacy controls that might be needed. In my opinion, none of the health privacy proposals offered to date would prevent a health identifier from becoming a universal national identifier for all governmental and private purposes. Neither these concerns nor the lack of evidence about them deterred the Committee from prematurely taking a position in favor of a health identifier.