September 6, 2007
The Honorable Nancy Pelosi
Speaker of the House of Representatives
H-209, The Capitol
Washington, D.C. 20510
Dear Mme Speaker:
I am pleased to transmit our Eighth Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act. In compliance with Section 263, Subtitle F of Public Law 104-191, the report was developed by the National Committee on Vital and Health Statistics (NCVHS), the public advisory committee to the U.S. Department of Health and Human Services on health data, privacy, and health information policy, and covers the period May 2005 through November 2006.
The Administrative Simplification provisions of HIPAA require the Secretary of Health and Human Services (HHS) to adopt a variety of standards to support electronic interchange for administrative and financial healthcare transactions, including standards for security and privacy to protect individually identifiable health information. The statute assigns expanded responsibilities to the National Committee on Vital and Health Statistics for advising the Secretary on health information privacy and on the adoption of health data standards. Among those responsibilities, the Committee is directed to submit an annual report to Congress on the status of implementation of the administrative simplification effort.
This year marks the tenth anniversary of the enactment of HIPAA. Accordingly, while our report provides an update on several HIPAA accomplishments this past year, the NCVHS takes this opportunity to reflect on the HIPAA experience to date and to offer some lessons learned. NCVHS applauds these accomplishments and reaffirms the importance of the administrative simplification initiative to improving the efficiency and effectiveness of the U.S. healthcare system. While not all standards are identified or fully implemented, NCVHS is gratified that the promise of administrative simplification is beginning to be realized as the industry moves from “implementation” of the standards to “optimization” of work processes enabled by the standards. Additionally, the industry is beginning to discuss moving to updated versions of the administrative and financial transactions—indicative of the fact that we are moving to a new phase in the HIPAA process. However, the full economic benefits of Administrative Simplification will only be realized when all of the standards are in place; implementation activities and industry resource planning will be more effective when the entire suite of standards is finalized. Accordingly, we encourage the Secretary of HHS to expedite promulgation of the remaining rules, and urge Congress to provide sufficient resources and support to assure successful implementation of this important initiative.
We hope that you will find this report informative and useful. If you or your staff would like a briefing on any of our past or anticipated activities, please let me know.
We are committed to improvements in health information systems that will enhance the quality of healthcare, lower costs, and facilitate access to care in the U.S. We look forward to continued progress.
Sincerely,
/s/
Simon P. Cohn, M.D., M.P.H.,
Chairman, National Committee on Vital and Health Statistics
Enclosure
Identical letters to:
Richard Cheney
President of the Senate
Washington, D.C. 20510
The Honorable Max Baucus
Chairman
Committee on Finance
219 Senate Dirksen Office Building
United States Senate
Washington, D.C. 20510
The Honorable Edward M. Kennedy
Chairman
Committee on Health, Education, Labor and Pensions
428 Senate Dirksen Office Building
United States Senate
Washington, D.C. 20510
The Honorable Charles B. Rangel
Chairman
Committee on Ways and Means
U.S. House of Representatives
1102 Longworth House Office Building
Washington, D.C. 20515
The Honorable John D. Dingell
Chairman
Committee on Energy and Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, D.C. 20515
The Honorable George Miller
Chairman
Committee on Education and Labor
U.S. House of Representatives
2181 Rayburn House Office Building
Washington, D.C. 20515
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Administrative Simplification in Healthcare: May 2005 – November 2006
Eighth Annual Report to Congress on the Implementation
of the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act of 1996
Executive Summary
This report describes the activities related to implementation of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) during the past year and offers observations on the occasion of the 10th anniversary of the enactment of HIPAA.
HHS Activities
The major milestone in this reporting period was HHS’s February 2006 issuance of the final regulation establishing the enforcement regime for violations of HIPAA’s privacy, transactions, code sets, and security standards. This rule ensures uniform rules for the imposition of civil monetary penalties for HIPAA violations.
HIPAA established the National Plan and Provider Enumeration System (NPPES) which has been collecting identifying information on health care providers and assigning each a unique National Provider Identifier (NPI) since May 2005. The National Provider ID replaces current identifiers used in today’s HIPAA standard transactions thus eliminating the use of multiple identification numbers by each provider. As of October 30, 2006, 1.35 million health care providers had been assigned NPIs. There are an estimated 2.3 million covered providers who needed the new provider ID before May 23, 2007. Small health plans must comply by May 23, 2008. HHS is developing a Notice of Proposed Rulemaking for the related National Health Plan Identifier, but according to HHS’ semi-annual Regulatory Agenda published in the Federal Register in April 2006, publication of this rule has been postponed.
Although HIPAA included a requirement for a unique personal healthcare identifier, Members of Congress have since expressed strong reservations about the appropriateness of creating a new identifier of individuals that might be perceived as a “universal identifier,” and the Congress has, through appropriations legislation, prohibited expending funds for its development. As a consequence, HHS has postponed development of such a standard indefinitely.
The Centers for Medicare and Medicaid Services (CMS) published a Notice of Proposed Rulemaking on Electronic Health Care Claims Attachments, one of the last transactions standards required to be adopted, in September 2005. An attachment is sent along with a claim in cases where additional information is requested by a health care plan to adjudicate a claim. The attachment may respond with clinical data necessary for the plan to determine whether a service should be covered. The National Committee on Vital and Health Statistics (NCVHS, the Committee) developed comments on this proposal, and submitted them to HHS in November 2005. A final rule is expected by September 2008.
As of October 31, 2006, more than three years after the compliance date, the number of privacy complaints to the Office for Civil Rights (OCR) totaled 23,268, and more than three quarters had been closed. About two thirds of the closures are due to lack of jurisdiction, deficiency in the complaint, or because no violation is alleged by the facts of the complaint. Over 346 cases were referred by OCR to the Department of Justice for criminal investigation based solely on facts alleged in those complaints with no investigation by OCR. Justice has the lead on the initial investigation of such cases. To date, no prosecutions have arisen from these referrals. Neither has OCR yet brought a civil enforcement action based on cases that OCR investigates. Rather, OCR continues to attempt to resolve problems that lead to complaints directly with the covered entities by providing technical assistance to facilitate compliance.
NCVHS Activities
In June 2006, NCVHS wrote to Secretary Leavitt a letter report, “Privacy and Confidentiality in the Nationwide Health Information Network,” culminating an 18-month process of learning and deliberation through hearings, meetings, and conference calls. The report covers several topics central to the challenges for safeguarding health privacy in the Nationwide Health Information Network (NHIN) environment: the role of individuals in making decisions about the use of their personal health information, policies for controlling disclosures across the NHIN, regulatory issues such as jurisdiction and enforcement, use of information by non-health care entities, and establishing and maintaining the public trust that is necessary to ensure NHIN is a success.
In particular, the Committee concluded that the definition of “covered entity” in the current HIPAA Privacy Rule is outdated, as it was based on assumptions made in the 1990s that are no longer valid. NCVHS also stated that, the prospective general improvements by covered entities brought about by OCR’s enforcement efforts often do not satisfy the individual who makes the complaint nor reassure the public that the law is being enforced adequately. The Committee implored that a commitment to aggressive enforcement on the part of federal regulators would be necessary to ensure the adoption and success of the Secretary’s Nationwide Health Information Network initiative. The subset of NCVHS recommendations related to privacy, HIPAA, and the NHIN are discussed further in this report.
During the past year, NCVHS provided recommendations to HHS on several additional proposed standards related to the allergy, multimedia and disability domains to be adopted through the Consolidated Health Informatics (CHI) initiative.
NCVHS transmitted recommendations to HHS in October 2006 that define a minimum, but inclusive, set of functional requirements necessary for activities of the Nationwide Health Information Network. The Office of the National Coordinator for Health Information Technology (ONC) earlier in the year requested that NCVHS convene to study the matter. The recommendations include not only the statements of requirements, but also recommendations to broaden the array of scenarios studied in the development of the NHIN to ensure completeness and widespread applicability of the functional requirements; the NCVHS recognizes the significant number of policy decisions that must be made to enable the NHIN, and enumerates several standards to be developed that will be necessary to support the NHIN.
As 2006 marked the tenth anniversary of the enactment of HIPAA, NCVHS took the opportunity to reflect on the HIPAA experience and consider what lessons we have learned. A summary of these observations appears at the end of the report.
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Administrative Simplification in Healthcare: May 2005 – November 2006
Eighth Annual Report to Congress on the Implementation
of the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act of 1996
This report describes the status of implementation of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA.)
The administrative simplification provisions (title II, subtitle F of Pub. L. No. 104-191,
adding a new title XI, part C, to the Social Security Act (42 U.S.C. 1320d et seq.)) have four main provisions. Those provisions require the Secretary of the Health and Human Services (HHS) to adopt standards for 1) the electronic transmission of administrative and financial healthcare transactions, including data elements and code sets for those transactions; 2) unique health identifiers for health care providers, health plans, employers, and individuals; 3) protecting the privacy of health information; and 4) security of individually identifiable health information.
Congress assigned the National Committee on Vital and Health Statistics (NCVHS) the roles of advising the Secretary of HHS on the adoption of standards, monitoring their implementation, and reporting annually on progress. This report is the eighth of those annual reports on implementation and covers the period May 2005 through November 2006. Previous NCVHS reports to Congress about the progress of the implementation of administrative simplification may be found at the committee’s web site, http://ncvhs.hhs.gov/.
The Committee has monitored the process of standards adoption and the issuance of proposed standards, as carried out by the Government and its advisory bodies. In addition, now that most of the standards have become finalized and attention turns to their implementation, the NCVHS identifies and advises on implementation issues and lessons for improvement.
Why Administrative Simplification?
The purpose of HIPAA’s administrative simplification provisions was to improve the efficiency and effectiveness of the healthcare system by adopting national standards. Under HIPAA, HHS must adopt recognized industry standards (on which NCVHS provides advice) when appropriate.
By ensuring consistency throughout the industry, the national standards are intended to make it easier for health plans, healthcare clearinghouses, doctors, hospitals and other healthcare providers to process claims and other transactions electronically while preserving the privacy and security of individually identifiable health information. HHS has completed most of the administrative simplification regulations required under the statute:
- Electronic healthcare transactions and code sets (August 17, 2000);
- Health information privacy (August 14, 2002),
- Unique identifier for employers (May 31, 2002),
- Security requirements (February 20, 2003),
- Unique identifier for providers (January 23, 2004),
- Enforcement procedures and policies (February 2006),
- Unique identifier for health plans (proposed rule in development),
- Claims Attachments (final rule in development), and
- Unique identifier for individuals (postponed indefinitely).
Each of these standards is described below.
Who is Covered by Administrative Simplification?
In HIPAA, Congress required health plans, healthcare clearinghouses, and those healthcare providers who conduct electronically certain financial and administrative transactions (such as eligibility, referral authorizations, and claims) to comply with each set of standards. The Medicare Prescription Drug, Improvement and Modernization Act of 2003 (MMA) created a fourth type of covered entity, Medicare discount drug card sponsors that also have to comply with the standards. Other businesses may voluntarily comply with the standards, but the law does not require them to do so.
By When did Covered Entities Have to Comply?
In general, the law requires covered entities to come into compliance with each set of standards within two years following the effective date of the regulation, except for small businesses, which have three years to come into compliance. For the first of the standards promulgated, the electronic transactions and code sets, Congress enacted an extension to three years and two months after the final rule, but the legislation did not affect the compliance dates for the privacy rule or subsequent rules.
What Standards Were in Place at the Beginning of this Reporting Period?
Transactions and Code Sets Standards — The final rule on transactions and code sets standards was issued on August 17, 2000. As HHS developed this first of the administrative simplification regulations, it recognized the need for the ongoing maintenance of the standards, and especially the need for the industry to collect, review and recommend changes. The final regulation established a set of industry organizations called Designated Standards Maintenance Organizations (DSMOs) to receive and process requests for modifications to standards or for adopting new standards. The DSMO members include three data content committees and three standards development organizations.
Privacy standards — The final rule on privacy standards, commonly called the Privacy Rule, was issued on August 14, 2002. The Privacy Rule imposes obligations on covered entities to give notices of their privacy practices to subjects at the time they establish a relationship, governs the uses and disclosures that may be made of the individually identifiable health information in their custody, and grants certain rights to the subjects of records such as the right to review and obtain copies of their records. Most covered entities were required to comply with the privacy rule by April 14, 2003, and small businesses were required by April 14, 2004, to come into compliance.
Employer identifiers standard — The regulation on Employer Identifiers standardized the identifying numbers assigned to employers in the healthcare industry by using the existing Employer Identification Number (EIN), assigned and maintained by the Internal Revenue Service. Businesses that pay wages to employees already have an EIN. Before the rule, health plans and providers could use different ID numbers for a single employer in their transactions, increasing the time and cost for routine activities such as health plan enrollments and premium payments. Most covered entities were required to comply with the EIN standard by July 30, 2004; small health plans had an additional year to comply.
Security standards — The regulations for security standards require covered entities to protect the confidentiality, integrity, and availability of electronic protected health information. The rule requires administrative, physical and technical safeguards for electronic protected health information in their care. While the security standards rule was finalized in February 2003, the compliance date for small businesses fell during this reporting period on April 21, 2006.
National Provider Identifier — HHS established the National Plan and Provider Enumeration System (NPPES) to carry out the requirement in HIPAA to establish a National Provider Identification number. The NPI replaces identifiers used in today’s HIPAA standard transactions, and will eliminate the use of multiple ID numbers by each provider. The rule was published on January 24, 2004, and the compliance date was May 23, 2007. As a result of NCVHS testimony and recommendations, the Department determined that the industry was not in a position to achieve the compliance date, and, on April 2, 2007, published guidance clarifying that covered entities that have been making a good faith effort to comply with the NPI provisions may implement contingency plans that could include accepting legacy provider numbers in order to maintain operations and cash flows for up to twelve months.
What Standards Are Still in Development?
Transactions and code sets modifications — CMS is developing the second round of modifications to the transactions regulation. The proposed rule would streamline the adoption process for electronic transactions and code sets standards and provide certain other technical corrections and clarifications to the regulations.
Dissemination Policy for National Provider Identifier — The health industry anticipated for some time publication of the National Provider ID Data Dissemination Policy to explain which data elements would be disclosed to the public after the May 23, 2007, implementation date, since a complete understanding of the policy is necessary to fully implement the program. The policy was published on May 30, 2007.
National Health Plan Identifier — HIPAA requires HHS to establish standards that would create a unique identifier for health plans, making it easier for healthcare providers to conduct transactions with different health plans. The National Health Plan ID is similar to the National Provider ID. According to HHS’ semi-annual Regulatory Agenda published in the Federal Register in April 2006, publication of this rule has been postponed
Unique Personal Identifier — HIPAA included a requirement that HHS develop a unique personal healthcare identifier, to improve processing and recordkeeping. This would be a unique number assigned to every individual in the country who uses the healthcare system. Members of Congress have since expressed strong reservations about the appropriateness of creating a new identifier of individuals that might be perceived as a “universal identifier,” and since 1999 the Congress has, through appropriations legislation, prohibited expending funds for its development. As a consequence, HHS has postponed development of such a standard indefinitely.
What Progress Has HHS Made Since the Last Report to Congress?
The Department accomplished two important regulatory tasks during the reporting period, and three other administrative activities are worth mentioning.
Issued the final Enforcement Rule — The major HIPAA milestone in this reporting period was HHS’s February 2006 issuance of the final regulation establishing the enforcement regime for violations of HIPAA’s privacy, transactions, code sets, and security standards. CMS and OCR divide responsibilities for compliance with the HIPAA standards. OCR was delegated by the Secretary to handle the Privacy rule, and CMS was delegated the other standards, so this rule affects both of these divisions of the Department, assuring uniform standards for the imposition of civil monetary penalties for HIPAA violations. Previously, HHS also issued guidance documents describing the process for filing complaints under the enforcement rule.
Proposed rule on Electronic Health Care Claims Attachments — During the reporting period, CMS published a Notice of Proposed Rule Making (NPRM) on standards for electronic health care claims attachments, one of the last transactions standards required to be adopted. The claims attachment transactions are used to request and supply additional data necessary to adjudicate a claim. This additional data typically is specific clinical information that is needed for the plan to decide whether a service should be covered. As such, this transaction is a key bridge between administrative transactions and clinical data.
The NPRM proposed to adopt two transactions developed by the American National Standards Institute (ANSI) Accredited Standards Committee X12, Subcommittee N. X12N is a standards development organization that deals with the health insurance industry. The two transactions relate to the requests and responses to requests for certain additional clinical information needed to adjudicate a health care claim. The NPRM also proposes the adoption of implementation specifications developed by ANSI’s Health Level 7 standards development organization for each of six attachment types, including lab results, clinical reports, rehabilitation services, medications, emergency department, and ambulance services. The X12N group develops standards for primarily administrative transactions, while Health Level 7 works primarily in the clinical space that enables disparate health care applications to exchange key sets of data. This is the first time HHS is proposing the two organizations work together on a HIPAA standard.
During the comment period on the NPRM, more than 100 organizations submitted technical and policy comments. NCVHS also developed comments on the claims attachment proposal, and submitted them to HHS in November 2005. According to HHS’ semi-annual Regulatory Agenda published in the Federal Register in December 2006, a final rule is expected by September 2008.
Began enumerating providers — The National Plan and Provider Enumeration System (NPPES) began collecting identifying information on health care providers and assigning each a unique National Provider Identifier (NPI) in May 2005. As of October 30, 2006, 1.35 million health care providers had been assigned NPIs. There are an estimated 2.3 million covered providers who will need the new provider ID before the implementation deadline of May 23, 2007. Small health plans must comply by May 23, 2008. The NPI replaces current provider identifiers used in HIPAA standard transactions, eliminating the use of multiple identification numbers by each provider. As noted above, CMS has issued guidance on implementation of contingency plans for up to twelve months.
Enforced the Privacy Rule through conciliation — As of October 31, 2006, more than three years after the compliance date, the number of privacy complaints to the Office for Civil Rights (OCR) totaled 23,268, and more than three quarters had been closed. About two thirds of the closures are due to lack of jurisdiction, deficiency in the complaint, or because no violation is alleged by the facts of the complaint. Over 346 cases were referred by OCR to the Department of Justice for criminal investigation based solely on facts alleged in those complaints with no investigation by OCR. Justice has the lead on the initial investigation of such cases. To date, no prosecutions have arisen from these referrals. Neither has OCR yet brought a civil enforcement action based on cases that OCR investigates. Rather, OCR continues to attempt to resolve problems that lead to complaints directly with the covered entities by providing technical assistance to facilitate compliance. OCR also began work to improve its complaint tracking and reporting system.
Established the Office of the National Coordinator for Health Information Technology — In accordance with a recommendation of the NCVHS in the November 15, 2001, report, Information for Health: A Strategy for Building the National Health Information Infrastructure, the Department formally established the Office of the National Coordinator for Health Information Technology (ONC) with Dr. David Brailer at the helm in August 2005. After his departure, Dr. Robert Kolodner was named interim director in September 2006, and has since been named the permanent director.
What Other Ongoing Activities is HHS Pursuing?
Two important activities related to the implementation of HIPAA’s administrative simplification provisions are actively ongoing.
Recommended Adoption of ICD-10 code sets — In November 2003, the NCVHS recommended that the Department initiate the regulatory process for the concurrent adoption of ICD-10-CM and ICD-10-PCS as HIPAA standards for national implementation as replacements for current uses of ICD-9-CM, Vol. 1, 2 and 3. This recommendation is still under review by the Department.
Education and Outreach — Both CMS and OCR have engaged in campaigns to educate the public and the industry about HIPAA Administrative Simplification requirements. These strategies include informative web sites, frequently asked questions, conferences, toll free hotlines and targeted technical assistance materials. We continue to support expanding these efforts.
What Activities has the National Committee on Vital and Health Statistics Been Pursuing?
The NCVHS has a prominent role in monitoring the implementation of HIPAA’s administrative simplification standards. One aspect of this work is that the Committee has continued to serve as the Department’s primary liaison with the private sector to obtain the views, concerns, input, and advice of interested parties on health data and privacy standards. During the reporting period, the focus of NCVHS’ public hearings and committee deliberations about HIPAA administrative simplification shifted from regulatory matters to implementation issues and lessons learned.
Designated Standards Monitoring Organizations — The DSMOs provided an annual update of their activities to the NCVHS Standards and Security Subcommittee in February 2006. The update described a myriad of changes requested by the industry to the administrative simplification standards and relayed industry interests in streamlining the standards update process.
Reported on Protecting Privacy and Confidentiality in the National Health Information Network — During this reporting period, the NCVHS Subcommittee on Privacy and Confidentiality focused on privacy and confidentiality considerations in the emerging Nationwide Health Information Network (NHIN), and based on that work, the Committee submitted findings and recommendations in a report to HHS in June 2006. The report, Privacy and Confidentiality in the Nationwide Health Information Network, is the culmination of an 18 month process of learning and deliberation. The Subcommittee held three hearings in Washington, D.C., one in Chicago, and one in San Francisco. At each hearing, witnesses representing different constituencies concerned about the privacy and confidentiality of health information testified, including hospitals, integrated health systems, providers, payers, medical informatics experts, experts in health law, ethicists, Regional Health Information Organizations (RHIOs), and consumer and patient advocacy groups. We also heard testimony from representatives of nationwide health networks in Australia, Canada, England, and Denmark. The hearings were followed by a series of conference calls and public meetings to discuss findings and prepare the report that the Committee submitted to HHS.
The report covers several topics central to the challenges for safeguarding health privacy in the NHIN environment: the role of individuals in making decisions about the use of their personal health information, policies for controlling disclosures across the NHIN, regulatory issues such as jurisdiction and enforcement, use of information by non-health care entities, and establishing and maintaining the public trust that is necessary to ensure NHIN is a success. In particular, the committee came to the conclusion that the definition of “covered entity” in the current HIPAA Privacy Rule is outdated, as it was based on assumptions made in the 1990s that are no longer valid. The move toward an NHIN stresses the original definitions because new business models and new entities not contemplated at the time of HIPAA are arising, and the concept of a “covered entity” is inefficient and limiting. Based on this work, the Committee made the following recommendations with respect to HIPAA:
- HHS should work with other federal agencies and the Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit, or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers, and schools.
- HHS should explore ways to preserve some degree of state variation in health privacy law without losing systemic interoperability and essential protections for privacy and confidentiality.
- HHS should harmonize the rules governing the NHIN with the HIPAA Privacy Rule, as well as other relevant federal regulations, including those regulating substance abuse treatment records.
- NCVHS endorses strong enforcement of the HIPAA Privacy Rule with regard to business associates, and, if necessary, HHS should amend the Rule to increase the responsibility of covered entities to control the privacy, confidentiality, and security practices of business associates.
In presenting this report to the Secretary, NCVHS acknowledged that the broad contour of the NHIN is still being determined, and that the Committee expects to continue to update and refine these recommendations as the architecture and functional requirements of the NHIN advance. The Subcommittee is now studying the desirability and feasibility of implementing consumer controls in the NHIN and at what levels they might be appropriate.
Recommended multimedia and disability standards for patient medical records — In addition to its role in monitoring the implementation of administrative simplification, HIPAA directed the NCVHS to study issues regarding standards for the electronic exchange of patient medical record information. During the reporting period, NCVHS concurred with several standards for the multimedia, allergy and disability domains that had been recommended by the Consolidated Health Informatics Initiative (CHI), and transmitted the recommendations to the Secretary The Role of CHI, which is one of the federal electronic government initiatives established by the Office of Management and Budget., is to review and adopt uniform standards to promote interoperability of clinical information in the federal healthcare enterprise. CHI activities have now become part of the Federal Health Architecture, an interagency group of government experts managed by the Office of the National Coordinator for Health Information Technology (ONC). Although the CHI standards will apply only to federal healthcare agencies and programs, federal adoption of standards could profoundly impact private industry due to the government’s large footprint in the healthcare market. The CHI standards are serving as the foundation for standards considered by the Health Information Technology Standards Panel (HITSP).
Drafted functional requirements for the NHIN — During 2006, NCVHS transmitted recommendations to HHS on the functional requirements for a nationwide health information network (NHIN). The 2004 HHS publication, Framework for Strategic Action, identifies “a nationwide health information network that can provide low-cost and secure data movement” as a key strategy for interconnecting health care stating that an NHIN is critical “to link all health records through an interoperable system that protects privacy as it connects patients, providers, and payers resulting in fewer medical mistakes, less hassle, lower costs, and better health.” The Office of the National Coordinator for Health Information Technology (ONC) has also observed that “as the nation embarks on the widespread deployment of [electronic health records], a key consideration will be the ability to exchange patient health information accurately and in a timely manner under stringent security, privacy, and other protections.”
To that end, the NCVHS was asked by the ONC to define a minimum, but inclusive, set of functional requirements necessary for NHIN activities. To undertake this task, the NCVHS utilized an open process through which we received a significant number of public comments. The NCVHS participated in two NHIN Forums organized by ONC that brought together vendors, users, and government to hear presentations by the four consortia under contract with ONC to develop architectural models for an NHIN, and to discuss issues n breakout sessions throughout the day organized by entity, function, and application. The Committee also held two public hearings in Washington, DC, and hosted two public conference calls to receive comments on preliminary drafts. In addition, working documents were posted on the Web for further contributions.
In developing the recommendations, NCVHS bore in mind that an NHIN is not a single entity, but a system of systems. Variations in the designs of services are emerging from the work of the consortia that have been contracted to develop NHIN prototypes as well as in the growing numbers of communities involved in health information exchange. Where variations appear to be compatible with one another and do not impose an undue burden, the NCVHS recommended that they be accommodated to the extent possible. However, for an NHIN to work for the nation, NCVHS recommended that variations that may be incompatible with one another or impose an undue burden be further studied to determine how incompatibility and burdens might be reduced. In keeping with the transmittal to the Secretary on Recommendations Regarding Privacy and Confidentiality in the Nationwide Health Information Network, transmitted the same day, the NCVHS also observed that what distinguishes a nationwide health information network must be that NHIN activities are wrapped in a privacy and security structure that warrants the trust of the individuals whose information is exchanged.
The NCVHS recommendations on functional requirements for an NHIN include not only the statements of requirements themselves, but also recommendations to broaden the array of scenarios studied in the development of an NHIN to ensure completeness and widespread applicability of the functional requirements. We recognized the significant number of policy decisions that must be made to enable a NHIN, and enumerated several standards that must be developed to support it.
NCVHS is very appreciative of the effort so many put into contributing comments, and feedback on the recommendations has been very positive.
Recommended Electronic Prescribing Standards — The Committee made significant recommendations concerning standards for electronic prescribing for use in the new Medicare drug benefit, as required by the Medicare Prescription Drug, Improvement and Modernization Act of 2003. Together with HIPAA standards, the e-prescribing standards will help promote interoperability in the nation’s health data infrastructure as well as improve the quality, safety and cost effectiveness of patient care.
Conclusions
Enactment of HIPAA was an important first step toward an efficient and effective electronic health infrastructure for the United States. But it was only a first step. The NCVHS reaffirms the importance of the HIPAA administrative simplification effort and we have urged the Secretary to expedite the publication of the remaining rules. The industry and HHS have achieved a high level of adoption for the healthcare claims transaction standard, although this same level has not occurred for standards in eligibility, enrollment, health claim remittance, healthcare claim status and the coordination of benefits. This low level of adoption has delayed the achievement of efficiencies and industry cost savings with the full economic benefits of administrative simplification to be realized only when the entire suite of standards is implemented. In addition, the delays in promulgation of the regulations for health plan identifiers have slowed the realization of expected benefits by the healthcare industry. Congressional support is needed to accelerate the promulgation of the remaining two HIPAA standards as well as to provide appropriate levels of industry education, which includes efforts to educate the healthcare industry about the Privacy Rule.
Acknowledging the 10th Anniversary of HIPAA:
Lessons Learned
The 10th anniversary of the Health Insurance Portability and Accountability Act affords an opportunity to reflect on our experience and offer some observations and lessons learned. The National Committee on Vital and Health Statistics has responsibilities for assessing the impact of the adoption and use of standards adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Because it has been ten years since this landmark legislation was passed, NCVHS felt it was appropriate to solicit testimony to assess the status and lessons learned from HIPAA. Since 2002, the Committee has held two dozen hearings with more than 200 presenters from various stakeholder groups on a wide range of HIPAA-related issues, including compliance, claims attachments, and ICD-10 adoption. All of this input has significantly increased our understanding of HIPAA’s effects on the delivery and payment of health care. It has further reminded us that HIPAA affects not only the exchange of data, but also the business processes in the healthcare industry that create and use the data exchanges. NCVHS transmitted a letter to the Secretary describing our observations on the implementation and impact of the HIPAA transaction and code set standards and making recommendations on June 22, 2006. We reaffirm those observations below.
Observation 1: Implementation. HIPAA implementation has taken much longer than expected. The causes for this are numerous. HHS has taken much longer than anticipated to develop and publish the regulations. While payers were required to implement all standards, providers are required to use the standards only if they decide to conduct transactions electronically The original view was that the ability to conduct standardized transactions across health plans would save providers time and money, and providers would naturally gravitate to their use to reap the benefits of administrative simplification anyway.
There have, however, been unanticipated impediments. Vendors are reluctant build the range of necessary software for the non-revenue-related HIPAA transactions (such as eligibility 270/271 and claim status notification 276/277). Some payers are also reluctant to implement robustly the non-revenue transactions. For example, in many cases payers include only minimum information in the eligibility transactions, which results in providers not being able to obtain details about the patient’s benefits.
Recommendation 1.1: HHS should undertake a comprehensive evaluation of HIPAA implementation in order to identify barriers to timely, efficient and effective implementation as well as areas for future improvements. NCVHS stands ready to advise HHS in the design and conduct of such an assessment. Once these impediments and areas of improvement are identified, the NCVHS pledges to work closely with the Department and the industry to identify ways to best address them. Such findings would be useful for other HIPAA implementations in the future.
Observation 2: The process for changing versions or updating versions of HIPAA standards is slow and cumbersome. The requirements of the Administrative Procedure Act for informal rulemaking require publishing notice in the Federal Registerand providing an opportunity for public comment. The process can take several years from publication of the proposed rule to implementation, severely hampering the ability of the public and private sectors to keep pace with emerging needs, especially in the rapid acceleration toward the adoption of electronic health record systems. Moreover, the HIPAA process requires that changes to standards be vetted through various standards setting organizations. These organizations’ processes include further extensive comment periods in which all parties may participate. However, they are on different approval cycles, making it difficult to synchronize changes or updates. These differences in schedules, coupled with the unpredictability of the timing of the federal rulemaking process, create an uncertain environment in which it is difficult for providers, payers and vendors to anticipate or influence upcoming changes and to develop solutions to accommodate them. Where feasible, voluntary adoption of standards that retain, at a minimum, the full functionality of the previously adopted version and permit the successful completion of the transactions with entities that continue to use the previous version (i.e. backward compatibility), would provide flexibility as versions are updated.
Recommendation 2.1: The Department should immediately explore ways to facilitate quicker updates and implementations of HIPAA standards without notice and comment rulemaking. This exploration should include:
- An in-depth review of the statutory and regulatory requirements, such as those under the APA; a comprehensive exploration of permissible options; and a determination as to whether legislative changes should be initiated.
- Consideration of regulatory changes to permit the voluntary adoption of backward compatible updates to named HIPAA standards.
- Consideration of how to include public comment on business process issues as well as functional and technical standards issues in the review process.
The Committee is pleased to note that several health information technology bill under consideration before the Congress include provisions for an expedited process for updating changes to existing HIPAA transactions and code set data standards.
Recommendation 2.2: The Department should expedite issuance of the NPRM on HIPAA modifications. This regulation includes the many needed changes identified since the original HIPAA regulations were issued in 2000, including a timely modifications process.
Recommendation 2.3: The Department should determine what would be necessary to facilitate synchronization of the timing of implementation of changes to HIPAA code sets (including medical and non-medical data code sets) to minimize the scope and quantity of changes experienced by the providers, payers, clearing houses and vendors. Alignment of changes and updates to the code sets would allow the industry to coordinate, test and implement on a more orderly schedule and reduce rejected claims.
Observation 3: Return on Investment. The witnesses who appeared at our hearings who were using only the HIPAA health claims transactions, for example, not the eligibility and claims status query transactions, indicated that they were not yet able to show a positive return on investment. It is important to improve the return on investment for HIPAA transactions and code sets so that they will serve as a driver for further adoption of health information technology and standards in the industry, and, in turn, we will reap the rewards of lower costs and improved quality of care. The following actions could significantly increase the return on investment from the use of HIPAA transactions and code sets.
Recommendation 3.1.: HHS should take additional steps to increase the adoption and use by providers / payers of all those HIPAA transaction standards beyond the health claims transactions (such as eligibility (270 / 271), claim status (276 / 277) payment and remittance (835), and referrals (278)). These transactions when incorporated into daily processes can reduce the need for human resources and increase efficiency. While we commend the ongoing work in this area by the Centers for Medicare and Medicaid Services, we believe these activities should be expanded.
Recommendation 3.2: HHS should actively work with payers to facilitate inclusion of enough information in their responses (eligibility standards 271 and claims standard 277) to allow providers to use the information to actually improve their processes. Continuing participation by CMS is needed in the work by the Council on Affordable Quality Healthcare (CAQH), a voluntary group representing payers, providers, and associations, on standardization of the data in an eligibility transaction. This is an excellent example of voluntary cooperation to improve the HIPAA process.
Recommendation 3.3: HHS should actively work with vendors to encourage their inclusion of the aforementioned non-claim transactions in practice management software used in provider offices. Vendors are key to the success of pilots on these topics and, more importantly, to the success of final implementation by the industry. As a result, their inclusion from the planning to the execution of such studies will yield more informed and usable results.
Recommendation 3.4: HHS must continue to support ongoing work by the industry and SDOs to reduce unnecessary variability of business rules, as currently documented in companion guides. Several actions are necessary. The first is to support processes to identify common business practices that are included in the different payers’ companion guides. Second, harmonization of the business practices that are not common must be promoted, to the extent possible. In addition, some independent initiatives are underway to further evaluate those differences in business rules. Continued support of these efforts by HHS would advance the original intent of standardization.
Recommendation 3.5: HHS must facilitate and encourage the adoption of one of the currently non-mandated acknowledgement transactions (e.g.: 997 or 999) to standardize the acknowledgement process between providers, payers, clearing houses and vendors. This will achieve standardized process flows among the parties involved, thus reducing the effort necessary to achieve expected results.
Recommendation 3.6: HHS should continue the use of pilot testing new HIPAA standards, such as the pilot conducted with the proposed claims attachment standard, to obtain a real look at the actual benefits, issues, business impacts and system changes surrounding the proposed standard. Even small-scale pilots can yield valuable information that could help speed implementation.
Appendix — Where can I find more information about administrative simplification or other activities mentioned in this report?
In addition to the NCVHS web site, http://ncvhs.hhs.gov/, HHS maintains two other web sites containing HIPAA administrative simplification regulations, frequently asked questions, and other helpful materials:
For information about the HIPAA Privacy Rule, point your browser at the website of HHS’ Office for Civil Rights, http://www.hhs.gov/ocr/
To learn more about the other administrative simplification rules, point your browser at the website of HHS’ Centers for Medicare and Medicaid Services, http://www.cms.hhs.gov/hipaa/hipaa2 .
To learn more about the Department’s health IT activities, point your browser at the website of HHS’ Office of the National Coordinator for Health IT, http://www.hhs.gov/healthit/.