National Committee on Vital and Health Statistics

Third Annual Report to the Congress
on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act

Executive Summary

Overview

Enacted in August 1996 with the widespread support of the industry and bipartisan support in Congress, the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services (HHS) to adopt standards to support electronic data interchange for a variety of administrative and financial health care transactions. The purposes of these provisions are to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the use of electronic methods for transmission of health information through the establishment of standards and requirements for covered electronic transmissions.

Within 24 months of their adoption, the standards will be required for use by health plans, clearinghouses, and providers who transmit or maintain such information electronically. Small plans will have another 12 months to comply. The law also outlines a process leading to standards for the protection of the privacy and confidentiality of health information.

In addition, the statute gives expanded responsibilities to the National Committee on Vital and Health Statistics (NCVHS), including advising the Secretary on health information privacy and on the adoption of health data standards. In section 263, the Committee is further directed to submit an annual report to Congress on the status of implementation of the Administrative Simplification effort. This report is the third of those annual reports on implementation and covers the period January 1999 through December 1999.

Progress on HIPAA Standards for Privacy of Individually Identifiable Health Information

During the past year, there were significant developments in standards for privacy of individually identifiable health information. HIPAA directed the Secretary of Health and Human Services to submit recommendations for federal health information privacy legislation to the Congress. Secretary Shalala forwarded these recommendations to the Congress on September 11, 1997. HIPAA also provided that if Congress did not enact health information privacy legislation by August 1999, the Secretary was required to issue final regulations to protect the privacy of information transmitted in connection with the HIPAA administrative transaction standards.

Although several health information privacy bills were introduced in the 106th Congress, the HIPAA deadline for Congressional action on health information privacy passed without the enactment of a law. This situation triggered the HIPAA requirement on HHS to issue a final rule outlining HIPAA standards for protecting the privacy of health information. Accordingly, HHS issued a proposed rule on Standards for Privacy of Individually Identifiable Health Information on November 3, 1999. The public comment period ended on February 17, 2000. A final rule is expected later this year.

While the NCVHS supports and applauds HHS for developing the privacy NPRM as required by HIPAA, we continue to believe that the best way to assure health information privacy in the U.S. is through a comprehensive and balanced federal law. Accordingly, the NCVHS again urges the Congress to enact a comprehensive federal health information privacy law this year.

Progress on HIPAA Health Data and Security Standards

Progress also continued during the past year on the adoption of the HIPAA electronic data interchange and security standards. To date, in addition to the proposed privacy standards and based on extensive consultation with the industry, HHS has issued Notices of Proposed Rule Making for the following four required standards for administrative simplification:

  • National Standards for Transactions and Code Sets
  • National Employer Identifier
  • National Provider Identifier
  • Security and Electronic Signature Standards(1)

Issuance of final rules for these four standards is expected in 2000. While progress is evident, the first NPRMs were issued in 1998. Because of the complexity of the standards, almost two years have passed without the issuance of a final rule. The NCVHS detects a growing industry concern about a loss of momentum. Further delay in issuing final rules for standards raises the possibility that industry resources committed to implementing the HIPAA standards may be diverted to other priorities. Moreover, delays in implementation translate into the loss of economic benefits from Administrative Simplification. Consequently, the NCVHS reaffirms the importance of the Administrative Simplification initiative and is urging the Secretary to expedite the publication of the final rules.

Progress also continues on two additional standards. An NPRM is under development relating to the National Health Plan Identifier. The NPRM is expected to be published for public comment in 2000. HIPAA allows an additional twelve months for the adoption of the standard for Claims Attachments. Work on this standard also is well underway, and issuance of an NPRM is expected in 2000.

As directed by Congress and the White House, work on the HIPAA requirement for a unique health identifier for individuals has been suspended pending the development of adequate privacy protections. The FY 2000 appropriations act includes a provision barring HHS from using any of its appropriated funds to

“… promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider) until legislation is enacted specifically approving the standard.”

Standards for Patient Medical Record Information

During the past year, attention also turned to issues related to the adoption of uniform data standards for patient medical record information and its electronic data interchange. HIPAA directs the NCVHS to study the issues related to the adoption of uniform data standards for patient medical record information and the electronic interchange of such information, and report to the Secretary of Health and Human Services not later than August 2000 on recommendations and legislative proposals for such standards and electronic interchange. The NCVHS expects to submit its final recommendations to the Secretary in August.

Continuing Consultation and Implementation Efforts

To address the requirements of HIPAA, HHS has developed an implementation strategy that assures coordination among HHS agencies, participation by other Federal departments, and extensive interaction with the private sector, including the four industry groups named in the statute: the National Uniform Billing Committee, the National Uniform Claim Committee, the Workgroup for Electronic Data Interchange, and the American Dental Association. This strategy continues to afford many opportunities for interested and affected parties to participate in and influence the standards development and adoption process. The NCVHS continues its role as an active partner with the Department in every aspect of the standards adoption process. As an integral part of this strategy, the HHS Data Council, the Department’s senior level internal data policy body, plays a critical role in the implementation of the administrative simplification effort and works closely with the NCVHS.

Preparing for Implementation

Since the enactment of HIPAA, HHS and the NCVHS have worked in partnership with the health care industry to communicate the requirements of HIPAA, to identify and evaluate existing industry standards for adoption, to develop rules that are workable, and to encourage all participants in the health industry to take part in the adoption and implementation of the HIPAA standards. Building upon the success of that effort, the NCVHS is now turning attention to issues of implementation. The NCVHS has identified the following implementation issues to monitor in the coming year.

Assessing Industry Readiness

It is currently difficult to assess industry readiness for HIPAA implementation. Although the use of EDI to support administrative transactions in health care has been increasing for several years, concerns about the century date change and other issues may have diverted attention from the HIPAA effort, and baseline levels of EDI use in claims and related transactions vary decidedly among types of providers and health care organizations. The NCVHS is encouraged to note that many sectors of the industry itself have been very active in the HIPAA standards adoption process and in educating and preparing their respective constituencies for implementation. The NCVHS plans to examine the issue of readiness in the year ahead, with public hearings to focus on readiness and other potential implementation issues.

Monitoring Implementation

In addition to assessing industry readiness for implementation, the NCVHS is considering several approaches to monitoring the progress of implementation, including both quantitative and qualitative approaches, using industry sources of information as well as public hearings. In this manner, the NCVHS expects to identify how well the overall effort is proceeding, identify any problems or obstacles, and recommend ways to overcome them to meet the requirements of the law.

Assuring the Security of Individually Identifiable Information

Security continues as a primary concern to the public, the industry, and the Committee. During the year ahead, the NCVHS will ask the appropriate private sector certifying bodies to monitor the status of the security measures that will be adopted and to ensure that adequate safeguards are in place to protect individually identifiable information. The Committee plans to continue to monitor industry compliance with security technology and standards, including electronic signatures, as well as their development and maturation. The Committee is encouraged that the industry has undertaken several initiatives to support the adoption of the HIPAA EDI and security standards.

Identifying and Resolving Implementation Issues

The Committee will conduct a number of public hearings to obtain additional input from a broad cross section of users in both the public and private sectors. In addition, the health care community will be encouraged to notify the Department or the NCVHS in writing or through the appropriate web sites of any issues or concerns with the implementation of the new standards. Based on this input, the Committee will notify HHS of any problems that are presented and will provide recommendations on how to deal with those problems.

Addressing Enforcement Issues

Because of the extensive consultation among HHS, the NCVHS and the industry that has characterized the HIPAA effort, and the issuance of proposed rules, the requirements for the standards themselves are well known. However, there are a number of issues and details relating to enforcement and compliance with the standards that remain to be specified. The NCVHS is pleased to note that HHS has established an internal working group that is focusing on enforcement issues across all of the HIPAA requirements. The NCVHS plans to devote considerable attention to this issue in the year ahead as well.

Learning from Early Implementors

Although HIPAA provides a 24 month implementation period for the standards after the effective date of the final standard, clearly some health organizations will proceed with implementation long before that date. The NCVHS believes that feedback from these “early implementers” will provide an invaluable source of implementation information and potential guidance for implementation. Accordingly, the NCVHS plans to focus specifically on these efforts and organizations to gain insight into national implementation.

Identifying the Need for New and Revised Standards

HIPAA requires the Secretary of HHS to review the standards and adopt modifications to those standards (including additions to the standards), as appropriate, but not more frequently than once every 12 months. The NCVHS expects that monitoring and evaluation of HIPAA readiness and the progress of implementation will identify needs for additional standards or future revisions to existing ones. Consequently, as a part of its monitoring efforts, the NCVHS will seek input to identify any needs for modifications or additional standards that may be appropriate, and will provide timely recommendations to the HHS Data Council and the Secretary.

The Department has been negotiating with several organizations for them to serve as the focal point for requests for revisions to the standards and for additional standards. These groups have agreed in principle to work together to review these requests and suggest revisions to the standards. The groups are: ANSI Accredited Standards Committee X12, Health Level 7, the National Uniform Billing Committee, the National Uniform Claim Committee, the National Council of Prescription Drug Programs, and the American Dental Association. On a predetermined cycle, proposed revisions will be presented to the NCVHS for consideration, and then to the Secretary for issuance.

Conclusion

To date, the process of adopting health data standards has been extremely open, collaborative, and productive. The past two years have witnessed considerable progress in the adoption of the HIPAA administrative simplification standards. The NCVHS now looks forward to assisting and advising in the implementation stage of the effort. Additional information on the NCVHS as well as the HIPAA Administrative Simplification effort can be found on the HHS and NCVHS websites:

http://aspe.hhs.gov/admnsimp

http://ncvhs.hhs.gov


THIRD ANNUAL REPORT TO CONGRESS
ON THE IMPLEMENTATION OF HIPAA

CONTENTS

Executive Summary

I. Introduction

A. Background

B. Purpose and Content of the Report

C. Statutory Requirements

II. Implementation Process

A. DHHS Implementation Strategy

B. Guiding Principles

C. Private Sector Consultation

D. NCVHS HIPAA-Related Hearings

E. Outreach to Public Health and Health Services Research

F. NCVHS Comments on NPRMs

G. NCVHS Liaison with HHS

III. Progress to Date

A. Transaction Standards and Code Sets

B. Standard Identifiers

C. Standards for Security and Electronic Signatures

D. Claims Attachment Standards

E. Standards for Privacy Protection

F. Standards for Patient Medical Record Information

G. Plans for Outreach, Education and Industry Partnerships

IV. Implementation Issues

A. Assessing Industry Readiness

B. Monitoring Implementation

C. Assuring the Security of Individually Identifiable Information

D. Identifying and Resolving Standards Implementation Issues

E. Addressing Enforcement Issues

F. Learning from Early Implementors

G. Identifying Need for New and Revised Standards

V. Conclusions

I. INTRODUCTION

A. Background

A considerable portion of every health care dollar is spent on administrative overhead. In health care, this overhead includes many tasks, such as:

  • filing a claim for payment from an insurer,
  • enrolling an individual in a health plan,
  • paying health insurance premiums, and
  • checking insurance eligibility for a particular treatment.

Today these processes involve numerous paper forms, faxes and telephone calls, and many delays in communicating information among different locations. This situation creates difficulties and costs for health care providers, health plans, and consumers alike.

The burden of these costs affects everyone involved in the health care system, including the typical health plan that continues to process mountains of paper forms that differ in content from one plan to another, the typical physician who bills multiple health plans with their varying forms and formats, and who must respond to additional requirements imposed by managed care organizations, and the typical consumer, who ultimately pays for administrative burden.

To address these problems, the health care industry, including both public and private sectors, has worked to develop standards to improve the way in which transactions are exchanged electronically. However, economic pressures have prevented competing parties from adopting a uniform set of such standards. At the request of the industry and with bipartisan support, Congress enacted the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The industry has estimated that full implementation of these provisions could save up to $9 billion per year by reducing administrative overhead, without reducing the amount or quality of health care services. In fact, such savings raise the possibility of helping to improve the quality of health care by freeing up resources now devoted to paperwork and administration.

B. Purpose and Content of This Report

The purpose of this report is to describe the status of implementation of the administrative simplification provisions of HIPAA during 1999, the third year after enactment of the law. Congress gave the NCVHS the role of advising HHS on the adoption of standards, monitoring implementation of Administrative Simplification, and reporting annually on its progress. During 1999, the Committee has monitored the process of standards adoption and the issuance of proposed standards, as carried out by the Government and its advisory bodies. In the future, once the standards become effective and enter the implementation stage, the NCVHS will report on implementation issues, the rate of implementation and the growth of electronic data interchange (EDI) in the health care industry.

The Committee is pleased to report that the process of implementation to this point has been extremely open, collaborative, and productive. During 1998, four Notices of Proposed Rulemaking were published outlining the proposed standards. HHS is now working on developing the final rules and they are expected to be issued in 2000. During 1999, the NPRM for Standards for Privacy of Individual Health Information was issued for public comment. In addition, NPRMs are under development for several additional HIPAA standards, and they are expected to be published in 2000. The openness and success of the process to date bode well for the ultimate success of the implementation of these standards.

Although this report was requested by the Congress, it is directed at the industry and the public as well. The report begins with a review of the requirements of the statute, including the implementation timetable required by the law, and the expanded responsibilities of the NCVHS. The report then outlines the implementation process, which involves the Department of Health and Human Services, other Federal agencies, the States, the NCVHS, the industry, and the public health and research communities. Next, the status of implementation of each of the standards required by HIPAA is reviewed. Discussion follows in which the NCVHS highlights several readiness and implementation issues and how the NCVHS intends to monitor implementation in the future.

C. Requirements of HIPAA

The Administrative Simplification provisions, Title II, Subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services (HHS) to adopt standards for the electronic transmission of administrative and financial health care transactions, including data elements and code sets for those transactions; for unique health identifiers for health care providers, health plans, employers, and individuals for use in the health care system; and for security standards to protect individually identifiable health information. The law also requires the Secretary to submit recommendations for Federal health privacy legislation to the Congress within one year. Additionally, these provisions gave special responsibilities to the NCVHS to advise the Secretary on privacy and on the adoption of standards and to submit to Congress an annual report on the status of the Administrative Simplification effort.

The purposes of these provisions are to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the use of electronic methods for transmission of health information through the establishment of standards and requirements for covered electronic transmissions.

1. Requirements for Standards

The standards required under the law include:

  • Transactions for:
    • Health claims or equivalent encounter information
    • Enrollment and disenrollment in a health plan
    • Eligibility for a health plan
    • Health care payment and remittance advice
    • Health plan premium payments
    • First report of injury
    • Health claim status
    • Referral certification and authorization
    • Claims attachments (The law allows an additional twelve months for the adoption of the claims attachment standard.)
  • Code sets and classification systems for the data elements of the transactions
  • Unique identifiers for health plans, health care providers, employers, and individuals for use in the health care system
  • Security and electronic signature standards and safeguards to protect health information during transmission and while stored in health information systems, to ensure the integrity of the information, and to protect against unauthorized use and disclosure.
  • Coordination of benefits and sequential processing of claims.

HIPAA also outlined a process leading to standards to protect the privacy of individually identifiable health information. Specifically, HIPAA directed the Secretary to submit recommendations to Congress for privacy protections. On September 11, 1997, Secretary Shalala delivered her detailed recommendations to Congress for Federal privacy legislation to protect individually identifiable health information. In her recommendations, she urged Congress to pass comprehensive and balanced privacy legislation. According to HIPAA, if Congress did not subsequently enact a privacy protection statute by August 1999, the Secretary is required to issue final regulations to protect the information transmitted in connection with the HIPAA administrative transaction standards.

Under the law, the Secretary may also establish standards for other financial and administrative transactions that she determines to be appropriate and that are consistent with the goals of improving the operation of the health care system and reducing administrative costs. This provision permitted designation of coordination of benefits as one of the standard transactions being adopted.

The standards will apply to all health plans, health care clearinghouses, and health care providers that transmit health information in electronic form. Health plans are required to accept standard transactions submitted electronically by health care providers, and health plans cannot delay or otherwise adversely affect such transactions. Health plans and health care providers may submit or receive transactions directly or indirectly through the use of health care clearinghouses.

2. Timetables

The Health Insurance Portability and Accountability Act, which was enacted on August 21, 1996, specified an aggressive implementation schedule:

  • The Secretary’s recommendations for protecting the privacy of individually identifiable health information were due within 12 months of the date of enactment. According to HIPAA, because Congress did not subsequently enact a privacy protection statute by August 1999, the Secretary was required to issue final regulations to protect the information transmitted in connection with the HIPAA administrative transaction standards by February 2000.
  • Standards for transaction sets, code sets, unique identifiers, and security and electronic signatures were to be adopted within 18 months of enactment, except for standards for claims attachments, which are due within 30 months of enactment.
  • Health plans, health care clearinghouses, and health care providers who conduct electronic transactions must comply with the standards within 24 months of their adoption. Small plans are given an additional 12 months to comply.

3. Expanded Responsibilities for the NCVHS

The statute significantly expanded the responsibilities of the NCVHS. In selecting standards for adoption, the Secretary is required to rely on the recommendations of the NCVHS. Subtitle F also requires the NCVHS to report to the Secretary, within four years of the passage of HIPAA, with recommendations and legislative proposals for the adoption of uniform data standards for patient medical record information and the electronic exchange of such information. Finally, Subtitle F requires the NCVHS to submit to Congress an annual report on the status of the Administrative Simplification effort.

Specifically, the requirement for the annual report states:

“SEC. 263 (7) Not later than 1 year after the date of enactment of the Health Insurance Portability and Accountability Act of 1996, and annually thereafter, the Committee shall submit to the Congress, and make public, a report regarding the implementation of Part C of title XI of the Social Security Act. Such report shall address the following subjects, to the extent that the Committee determines appropriate:

“(A) The extent to which persons required to comply with part C of title XI of the Social Security Act are cooperating in implementing the standards adopted under such part.

“(B) The extent to which such entities are meeting the security standards adopted under such part and the types of penalties assessed for noncompliance with such standards.

“(C) Whether the Federal and State Governments are receiving information of sufficient quality to meet their responsibilities under such part.

“(D) Any problems that exist with respect to implementation of such part.

“(E) The extent to which timetables under such part are being met.”

Since the first standards are not scheduled for final adoption until 2000 with implementation two years thereafter, this annual report focuses on the activities of the Federal Government, industry, and the NCVHS during the past year to identify, evaluate, select, and publish the required standards for public comment. Subsequent annual reports will focus on implementation issues.

II. IMPLEMENTATION PROCESS

A. Department of Health and Human Services (HHS) Implementation Strategy

The Secretary of HHS formulated a comprehensive strategy for adopting and implementing the standards mandated under Administrative Simplification.

  1. Establish interdepartmental implementation teams to identify and assess potential standards for adoption.
  2. Develop recommendations for standards to be adopted.
  3. Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period.
  4. Analyze public comments and publish the final rules in the Federal Register.
  5. Establish low-cost distribution mechanisms for standards and implementation guides.

A critical sixth step that will be implemented once the standards have been put in place will be the ongoing monitoring of the implementation of the standards to determine if additions or modifications to the standards are needed.

This implementation strategy was designed to assure coordination among HHS agencies, participation by other Federal departments, as well as interaction with the industry and the research and public health communities. Responsibilities within HHS were distributed across three interrelated organizational components: the HHS Data Council, the Data Council’s Health Data Standards Committee, and the Implementation Teams. The HHS Data Council, the Department’s senior internal data policy body, was given the responsibility to oversee implementation of Administrative Simplification by the Secretary. The Council reports to the Secretary and consists of representatives from each major operating and staff division within HHS. As a senior policy guidance and decision-making body, the Council has been designated to guide the process and report to the Secretary on the progress of the standards and privacy efforts. The Data Council also serves as the contact point for the NCVHS and resolves issues that cannot be resolved by the Data Council’s Health Data Standards Committee.

B. Guiding Principles

With significant input from the health care industry, the Implementation Teams charged with developing recommendations for national standards defined a set of principles for guiding their choices for standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA, the purpose of the law, and generally desirable principles. To be designated as a HIPAA standard, each standard should:

  1. Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions.
  2. Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
  3. Be consistent and uniform with the other HIPAA standards–their data element definitions and codes and their privacy and security requirements–and, secondarily, with other private and public sector health data standards.
  4. Have low additional development and implementation costs relative to the benefits of using the standard.
  5. Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time.
  6. Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
  7. Be technologically independent of the computer platforms and transmission protocols used in electronic transactions, except when it is explicitly part of the standard.
  8. Be precise and unambiguous, but as simple as possible.
  9. Keep data collection and paperwork burdens on users as low as is feasible.
  10. Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.

C. Private Sector Consultation

To address the requirements of HIPAA, the HHS implementation strategy is designed to assure coordination among HHS agencies, participation by other Federal departments, and extensive interaction with the private sector, including the four industry groups named in the statute: the National Uniform Billing Committee, the National Uniform Claim Committee, the Workgroup for Electronic Data Interchange, and the American Dental Association.

This strategy continues to afford many opportunities for interested and affected parties to participate in and influence the standards development and adoption process. They can:

  1. Participate in open process with standards development organizations.
  2. Attend numerous public meetings.
  3. Write to the Secretary of HHS.
  4. Provide written input to the NCVHS.
  5. Present written and oral testimony at public meetings of the NCVHS.
  6. Comment on the proposed rules for each of the proposed standards during the 60-day comment period.
  7. Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process.

D. NCVHS HIPAA-Related Hearings During 1999

The NCVHS continues to serve as the Department’s primary liaison with the private sector and continues to hold public hearings to obtain the views, perspectives, and concerns of interested and affected parties, as well as their input and advice on health data standards and privacy. In addition to providing numerous opportunities for the private sector to participate in the standards adoption process, these public hearings sponsored by the NCVHS helped maintain the openness and inclusiveness of the process.

During 1999, the NCVHS continued to hold public hearings and committee deliberations on related HIPAA data standards issues (standards for patient medical record information and health information privacy). For example, public hearings were held on the flow of information in the pharmaceutical industry and on confidentiality issues related to pharmacy benefit management activities, and disclosure of prescription information. The NCVHS also held a hearing on employer use of health information, with panel discussions by employers, insurers and privacy advocates. In addition, the NCVHS developed public comments on the NPRM related to privacy.

To enhance participation further, NCVHS public meetings are routinely broadcast live on the Internet with the help of the Department of Veterans Affairs. For those unable to attend or listen to the meetings as they occur, recordings of the live broadcasts are also available on the Internet. Agendas and transcripts of NCVHS hearings, minutes, announcements of public meetings, and schedules for future hearings are distributed through the NCVHS web site at: http://ncvhs.hhs.gov

E. Outreach to Public Health and Health Services Research

The Committee continues to support education and outreach to the industry and the public health and research communities to ensure that they understand the implications of HIPAA for their activities and are present at the table as decisions are being made. Several NCVHS members participated in a November 1998 Workshop on the Implications of HIPAA Administrative Simplification Provisions for Public Health and Health Services Research. The workshop, which was sponsored by NCHS/CDC in conjunction with the Agency for Healthcare Research and Quality, the NCVHS and the HHS Data Council, affirmed the potential benefits of administrative simplification for these sectors and the need for them to be a part of the standards development process. As a result of the workshop, a national Public Health Data Standards Consortium has been established.

F. NCVHS Comments on NPRMs

During 1998, the NCVHS provided comments on several of the NPRMs issued by HHS for public comment. During 1999, the NCVHS also developed comments on the privacy standard NPRM, as well as a preliminary report on standards for electronic medical record information. NCVHS comments are available on the NCVHS website.

G. NCVHS Liaison with the Department of Health and Human Services

The NCVHS has participated with the Department in every aspect of the standards adoption process. Through the HHS Data Council, the NCVHS has submitted recommendations to the Secretary for standards to be adopted and on privacy guidelines and has provided comments on HHS NPRMs. The NCVHS Subcommittee on Standards and Security has worked closely with the HDSC and the ITs.

The NCVHS provides to, and receives from, the Data Council, the HDSC, and the ITs regularly scheduled reports and informal communications on their respective activities. The Data Council Chairperson or Executive Secretary attends NCVHS meetings, and the NCVHS Chair attends the monthly meetings of the Data Council. Each IT has a liaison from the NCVHS who participates in Team meetings and provides advice and guidance. Upon request, the NCVHS also advises the Secretary on particularly sensitive and controversial issues.

III. PROGRESS TO DATE

Overview

Progress continued during the past year on the adoption of the HIPAA electronic data interchange and security standards. To date, in addition to the proposed privacy standards and based on extensive consultation with the industry, HHS has issued Notices of Proposed Rule Making for the following four required standards for administrative simplification:

  • National Standards for Transactions and Code Sets
  • National Employer Identifier
  • National Provider Identifier
  • Security and Electronic Signature Standards

Issuance of final rules for these four standards is expected in 2000. While progress is evident, the first NPRMs were issued in 1998. Because of the complexity of the standards, almost two years have passed without the issuance of a final rule. The NCVHS detects a growing industry concern about a loss of momentum. Further delay in issuing final rules for standards raises the possibility that industry resources committed to implementing the HIPAA standards may be diverted to other priorities. Moreover, delays in implementation translate into the loss of economic benefits from Administrative Simplification. Consequently, the NCVHS reaffirms the importance of the Administrative Simplification initiative and is urging the Secretary to expedite the publication of the final rules.

A. Transaction Standards and Code Sets

Based on the results of the analyses performed by the Implementation Teams, the input received from the Committee, the public testimony provided at the NCVHS hearings, and the NCVHS recommendations to HHS, a Notice of Proposed Rulemaking for National Standards for Electronic Transactions, including transaction codes and code sets, was issued for public comment on May 7, 1998. Approximately 17,000 comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it is expected to be published in 2000. The ANSI X12 A37 standard outlined for transactions would also be the standard for coordination of benefits.

The First Report of Injury transaction was not included in the NPRM for HIPAA transaction standards issued in 1998 because at that time there was neither a millennium-compliant version of an implementation guide nor a complete data dictionary for the ASC X12N 148 – Report of Injury, Illness, or Incident transaction. The industry continues to make progress on this standard and HHS will assess the status of this standard in the coming year.

B. Standard Identifiers

  • National Provider Identifier

The Notice of Proposed Rulemaking for the National Provider Identifier was issued in the Federal Register for public comment on May 7, 1998. Approximately 5,000 public comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it is expected to be issued in 2000.

  • National Employer Identifier

The NPRM for the National Employer Identifier was issued for public comment on June 16, 1998. Approximately 800 comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule and it is expected to be published in 2000.

  • National Plan Identifier

An NPRM relating to the National Health Plan/Payer Identifier is under development in HHS and is expected to be published for public comment in 2000.

  • Unique Health Identifier for Individuals

As directed by Congress and the White House, work on the HIPAA requirement for a unique health identifier for individuals has been suspended pending the development of adequate privacy protections. The FY 2000 appropriations act includes a provision barring HHS from using any of its appropriated funds to

“… promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider) until legislation is enacted specifically approving the standard.”

C. Standards for Security and Electronic Signatures

Based on the results of the analyses performed by the Implementation Teams, the input received from the Committee, the public testimony provided at the NCVHS hearings during the past year, and the NCVHS recommendations to HHS, an NPRM for Security and Electronic Signature Standards was issued on August 12, 1998. Approximately 2,000 comments were received. HHS is now reviewing the public comments and preparing responses. Work is proceeding on the final rule, including coordination with the privacy standards. The final rule for security standards is expected to be published in 2000.

At the request of the Commerce Department’s National Institute of Standards and Technology, HHS is deferring publication of the electronic signature standard to permit a more thorough assessment of evolving technology. The standard will be published after that assessment is completed.

D. Standard for Claims Attachments

As noted above, the statute gave an additional 12 months for the adoption of standards for claims attachments. The NCVHS held public hearings on standards for claims attachments and provided recommendations to HHS. An NPRM is under development on this standard within HHS, and it is expected to be issued for public comment in 2000.

E. Standards for Privacy of Individually Identifiable Health Information

On September 11, 1997, Secretary Shalala delivered her detailed recommendations to Congress for Federal privacy legislation to protect individually identifiable health information. In her recommendations, she urged Congress to pass without delay comprehensive and balanced privacy legislation. According to HIPAA, if Congress did not enact privacy protection by August 1999, the Secretary is required to issue final regulations to protect the information transmitted in connection with the HIPAA administrative transaction standards.

Although several health information privacy bills were subsequently introduced in the 106th Congress, the August 1999 deadline for Congressional action on health information privacy passed without the enactment of a law. This occurrence triggered the HIPAA requirement on HHS to issue a proposed rule outlining HIPAA standards for protecting the privacy of health information. Accordingly, HHS issued a proposed rule on Standards for Privacy of Individually Identifiable Health Information on November 3, 1999. The public comment period ended on February 17, 2000. The NCVHS submitted comments on the proposed rule.

While the NCVHS supports and applauds HHS for developing the privacy NPRM as required by HIPAA, we continue to believe that the best way to assure health information privacy in the U.S. is through a comprehensive and balanced federal law. Accordingly, the NCVHS again urges the Congress to enact a comprehensive federal health information privacy law this year. Similarly, the Committee believes that Congress should develop and enact anti-discrimination measures to prevent the inappropriate use of confidential health information to discriminate against individuals in housing, employment and other situations.

F. Standards for Patient Medical Record Information

During the past year, attention also turned to issues related to the adoption of uniform data standards for patient medical record information and its electronic data interchange. HIPAA directs the NCVHS to study the issues related to the adoption of uniform data standards for patient medical record information and the electronic interchange of such information, and report to the Secretary of Health and Human Services not later than August 2000 on recommendations and legislative proposals for such standards and electronic interchange. During 1999, the NCVHS Working Group on the Computer-Based Patient Record held six days of public hearings involving over 70 experts in order to receive testimony from a wide range of providers, vendors, informatics specialists, clinicians, and standards organizations. The NCVHS also submitted a letter to the Secretary detailing the progress of the Work Group. The NCVHS expects to submit its final recommendations to the Secretary in August.

G. HHS Plan for Outreach, Education and Industry Partnerships

The Department has taken very seriously its responsibilities to ensure that the industry will be able to receive all of the information and assistance it will need to implement the standards. The statute requires that the Department provide a low-cost distribution method for the implementation guides for these standards.

The X12N standards committee has a long-standing agreement with the Washington Publishing Company (WPC) to develop and maintain official implementation guides for the X12N transaction sets that are being recommended for adoption in the NPRMs. In order to meet its low-cost distribution requirement, HHS has established a contract with the WPC, and implementation guides will be available for downloading from the WPC web site at no charge. Paper copies will be available for purchase from WPC. Guides for the retail drug claim standards will be available from the NCPDP web site.

Despite many efforts, discussions with the health care industry about administrative simplification continue to reveal that some in the health care industry still do not realize how these standards will affect them. To address this problem, NCVHS and HHS have initiated a comprehensive outreach and communication effort. The initiative includes the development of print materials for publication in periodicals and for distribution to the press and the public, direct mailings to affected groups, the coordinated scheduling of presentations to interested groups and press interviews. HHS also works with external organizations to support their outreach efforts.

In addition, information on the current status of these standards, as well as the NPRMs themselves, is available on the HHS Administrative Simplification web site:

http://aspe.hhs.gov/admnsimp

Information on the web site is updated frequently. Agendas and transcripts of the Committee’s hearings and copies of its recommendations to the Secretary are available on the NCVHS web site.

With the assistance of the Department of Veterans Affairs, NCVHS meetings are broadcast live on the world wide web. These sites will continue to be maintained and updated throughout the implementation of administrative simplification. The Department also established a capability to receive electronic comments on the NPRMs, and is in the process of posting all of the public comments received on the NPRMs on the website.

Both the NCVHS and HHS realize that providing information and education on Administrative Simplification to the health care community will be an enormous task. While HIPAA is a federal law, it reflects a government-industry partnership framework, so that responsibility for publicity and education must be shared between the public and private sectors. While HHS must take full responsibility for the Medicare, Medicaid and Indian Health Service health plans, it has relied and will continue to rely on partnerships with a wide range of private sector organizations to assure that the message of Administrative Simplification reaches everyone involved, and that training and technical assistance opportunities exist.

The NCVHS is pleased to note that HHS is forming a group to develop work plans for training and education. These plans will include the necessary partnerships with the industry.

IV. IMPLEMENTATION ISSUES

Since the enactment of HIPAA, HHS and the NCVHS have worked in partnership with the health care industry to communicate the requirements of HIPAA, to identify and evaluate existing industry standards for adoption, to develop rules that were workable, and to encourage the participation of all parties in the health industry in the adoption and implementation of the HIPAA standards. Building upon the success of that effort, along with the issuance in 1998 of the proposed rules for four of the standards and the expected issuance of final rules for those standards within several months, the NCVHS is now turning attention to issues of implementation.

The NCVHS has identified the following implementation issues to monitor in the coming year.

A. Assessing Industry Readiness

The HIPAA data standards will apply to health plans, clearinghouses and providers who transmit health information electronically. These covered entities will have 24 months from the effective date of the final rules to come into full compliance. Small plans will have an additional 12 months to comply. It is currently difficult to assess industry readiness for HIPAA implementation. Although the use of EDI to support administrative transactions in health care has been increasing for several years, concerns about the century date change and other issues may have diverted attention from the HIPAA effort, and base line levels of EDI use in claims and related transactions vary decidedly among types of providers and health care organizations.

The NCVHS is encouraged to note that many sectors of the industry itself have been very active in the HIPAA standards adoption process and in educating and preparing their respective constituencies for implementation. The NCVHS plans to examine the issue of readiness in the year ahead, with public hearings planned to focus on readiness and other potential implementation issues.

B. Monitoring Implementation

In addition to assessing industry readiness for implementation, the NCVHS plans to devote increasing attention in the year ahead to how it may best monitor implementation of the HIPAA data standards at baseline and subsequent to issuance of final standards. The Committee is considering several approaches to monitoring the progress of implementation, including both quantitative and qualitative approaches, using industry sources of information as well as public hearings. In this manner, the NCVHS expects to identify how well the overall effort is proceeding, identify any problems or obstacles, and recommend ways to overcome them to meet the requirements of the law.

The NCVHS plans to obtain information on the extent to which the adopted standards are being implemented, and to solicit reports on the progress of standards implementation from the industry as well as federal and State agencies for the health care programs under their jurisdictions. These agencies and representatives from the private sector will be asked also to provide public testimony at NCVHS hearings, where appropriate, at which they will be asked to indicate the extent of standards usage that they have observed.

The Committee will also make substantial use of industry data sources to assess major trends in the application of information technology in health care. In addition, once the final standards have been issued, the health care community will be encouraged to notify HHS or the NCVHS in writing or through the respective websites of any issues or concerns with implementation. We will also ask the applicable standards development organizations to provide regular reports on the status of implementation of the new standards. We would also encourage them to provide advice as to how to increase the rate of compliance, if necessary.

C. Assuring the Security of Individually Identifiable Information

Security continues as a primary concern to the public, the industry, and the Committee. During the year ahead, the NCVHS will ask the appropriate private sector certifying bodies to monitor the status of the security measures that will be adopted and to ensure that adequate safeguards are in place to protect individually identifiable information.

The Committee believes that the proposed rule for security standards that HHS has published for public comment provides the basic framework to ensure that all health care entities safeguard the integrity, confidentiality and availability of their electronic data. The proposed rules incorporate all of the NCVHS recommendations on security standards. In addition, the technology-neutral approach adopted in the proposed rule will promote interoperability among health information systems, accommodate different sizes of health care organizations, and foster favorable cost benefit outcomes. The Committee plans to continue to monitor industry compliance with, and the development and maturation of, security technology and standards, including electronic signatures.

The Committee is encouraged that the industry has undertaken several initiatives to support the adoption of the HIPAA EDI and security standards. For example, the October 1999 HIPAA Security Summit was organized by a consortium of health care industry organizations and companies, led by Johns Hopkins Hospital and Shared Medical Systems, for the purpose of developing guidance to the industry regarding implementation of the pending HIPAA security standards. The goals of the Summit were to produce clarifying language and reasonable, scalable mechanisms to implement the HIPAA regulations in a variety of provider, payer and clearinghouse business settings. The primary work product of the Summit will be one or more reports that describe to the user how to address the HIPAA Security Regulation.

D. Identifying and Resolving Implementation Issues

Once the final Administrative Simplification standards have been adopted, the health care community will be encouraged to notify the Department or the NCVHS in writing or through the respective web sites of any issues or concerns with the implementation of the new standards. In addition, the Committee will conduct a number of public hearings to obtain additional input from a broad cross section of users in both the public and private sectors. Based on this input, the Committee will notify HHS of any problems that are presented and will provide recommendations on how to deal with those problems.

E. Addressing Enforcement Issues

Because of the extensive consultation among HHS, the NCVHS and the industry that has characterized the HIPAA effort, and the issuance of proposed rules, the requirements for the standards themselves are well known. However, there are a number of issues and details relating to enforcement and compliance with the standards that remain to be specified. The NCVHS is pleased to note that HHS has established an internal working group that is focusing on enforcement issues across all of the HIPAA requirements. The NCVHS plans to devote considerable attention to this issue in the year ahead as well.

F. Learning from Early Implementors

Although HIPAA provides a 24-month implementation period for the standards after the effective date of the final standard, clearly some health organizations will begin to proceed with implementation long before that date. The NCVHS believes that feedback from these “early implementers” will provide an invaluable source of implementation information and potential guidance for implementation. Accordingly, the NCVHS plans to focus specifically on these efforts and organizations to gain insight into national implementation.

G. Identifying the Need for New and Revised Standards

HIPAA requires the Secretary of HHS to review the standards and adopt modifications to those standards (including additions to the standards), as appropriate, but not more frequently than once every 12 months. The NCVHS expects that monitoring and evaluation of HIPAA readiness and the progress of implementation will identify needs for additional standards or future revisions to existing ones. Consequently, as a part of its monitoring efforts, the NCVHS will seek input to identify any additional standards that may be appropriate, as well as the need to modify existing standards, and will provide timely recommendations to the Secretary.

The Department has been negotiating with several organizations for them to serve as the focal point for requests for revisions to the standards and for additional standards. These groups have agreed in principle to work together to review these requests, and suggest revisions to the standards. The groups are: X12, HL7, National Uniform Billing Committee, National Uniform Claims Committee, National Council of Prescription Drug Programs, and the American Dental Association. Any person or organization will be able to request a revision or a new standard through a single entry point (via the Internet or on paper). Each organization will consider the request, and a consensus recommendation will be made. On a predetermined cycle, proposed revisions will be presented to the NCVHS for consideration, and then to the Secretary for issuance.

VI. CONCLUSION

To date, the process of adopting health data standards has been extremely open, collaborative, and productive. The past two years have witnessed considerable progress in the adoption of the administrative simplification data standards required by HIPAA. The NCVHS now looks forward to assisting and advising in the implementation stage of the HIPAA effort.