Updating HIPAA Standards:
The Vendor Perspective
National Committee on Vital and Health Statistics
Subcommittee on Standards and Security
December 8, 2005
Mr. Chairman and fellow committee members, my name is Don Bechtel. I work for Siemens Medical Solutions Health Services where my responsibilities include standards and regulatory management and HIPAA compliance, specifically for X12 transaction standards and related regulations for code sets, identifiers, security, and privacy. I would like to thank you for this opportunity to share with you the views of Siemens on this increasingly important topic of “Updating HIPAA Standards”.
Siemens Medical Solutions of Siemens AG with headquarters in Malvern, Pennsylvania and Erlangen, Germany, is one of the largest suppliers to the healthcare industry in the world. The company is known for bringing together innovative medical technologies, healthcare information systems, management consulting, and support services, to help customers achieve tangible, sustainable, clinical and financial outcomes. Siemens Medical employs approximately 31,000 people worldwide and operates in more than 120 countries.
About Siemens and our Commitment to Standards:
I would like to provide a quick summary of Siemens' commitment to the use of standards and why they are good for Siemens and the industry.
Siemens is currently actively supporting the development work of many Standards Development Organizations (SDOs) and consortia, including: HL7, ASTM, DICOM, X12, IHE, and others. We currently have 75 people who are actively working in the development and maintenance of standards in these SDOs and committees.
Our commitment to standards is based on the premise that we believe standards improve our products’ usefulness to our customers and help to assure that we are meeting interoperability requirements that are increasingly important to our industry today.
Interoperability has many faces in healthcare information systems and technology. The National Alliance for Health Information Technology (NAHIT) definition of interoperability is the ability of different information technology systems and software applications to communicate, to exchange data accurately, effectively, and consistently, and to use the information that has been exchanged.
The term interoperability in the Collaborative ONCHIT RFI Response has three distinct components, each of which must be present to enable full participation:
- At the IT network access level (here meaning the Internet), interoperability means the capacity to physically connect a sub-network user to the network for the purpose of exchanging data over its components with other users.
- At the network authentication level, interoperability consists of the ability of a connected user to demonstrate appropriate permissions to participate in the instant transaction over the network, based on demonstrating appropriate authentication(s) of user and sub-network identity as a privileged party.
- At the application level, interoperability means the capacity of a connected, authenticated user to access, transmit and/or receive/exchange usable information with other users. The interoperability standard must support the full spectrum from uncoded and unstructured data to highly structured and coded semantics. Therefore, at the application level, there will be a hierarchy of coexisting interoperability information standards to accommodate the varying needs and sophistication of the user information exchange.
Achieving interoperable health information technology has occurred within and among the systems of healthcare stakeholders. The transfer of information has occurred among various systems found in a hospital setting and larger Integrated Delivery Networks (IDNs). Many of these systems are from a variety of vendors, yet they must all integrate into seamless access to a patient’s data in the entity's health care environment. With today’s health care initiatives from the Office of the National Coordinator on Health Information Technology (ONC), the industry is now focused on moving outside of the IDNs with broader integration requirements to disseminate health information through Regional Health Information Organizations (RHIO) and ultimately the National Health Information Network (NHIN).
Updating HIPAA and Other Standards:
HIPAA is a primary building block for these external interfaces and interoperability between health care operational entities exchanging health information among providers, health plans, pharmacy benefit managers, clearinghouses, and others. A key component of HIPAA interoperability is to ensure that the data content within the standards used to exchange health information is accurate, consistent with industry needs, and is used by all entities with whom the data is shared. However, for this information to remain useful toward the goal of improving the quality of health care, it must also remain current with industry improvements, and provide support for changing industry needs, such as the ICD-10 coding system, which will provide more specific and complete medical diagnosis and procedural health information. To acquire these improvements, we must be able to upgrade our standards to newer versions as they are developed by the SDOs (e.g., X12 and NCPDP) that would include enhancements needed to support ICD-10 or other similar new requirements.
It is important to Siemens customers that we (Siemens and other vendors) utilize current industry standards for quality data and information interchanges among the many systems they operate in their health care environment, and among the business partners they exchange information with, including: health plans, state and federal public health agencies, and so on. This requires that our customers remain current with the standards that are developed by the relevant SDOs, and that the industry implements these standards to support these various quality and health care initiatives.
Consequently, vendors are required by our customers to support relevant standards and regulations. As vendors, we are also interested in improving workflows that bring the fullest benefit of the standards to our customers by providing improved efficiency and effectiveness, which is good for healthcare and helps to sell our products. For EDI, implementing transaction standards that have value to the customers requires that all industry stakeholders (providers, health plans, and clearinghouses) support and use the standards; otherwise the benefits are never fully realized. Regulations help to ensure that everyone is participating. However, regular updates must also be supported to ensure industry needs are continually being met on a timely basis, which will also eliminate extensive cumulative changes.
Unfortunately, for the HIPAA transaction standards this has not been our experience. The transaction standards continue to be modified by the SDOs to meet new industry needs, but adoption of these newer versions by the industry has not occurred and this has negative consequences for our customers and the industry effectiveness overall.
One such consequence is lost opportunity to utilize improved standards for critical HIPAA transactions that realize a return on investment or quality improvements. For example, consider Claims and Remittance transactions, which were available in X12 version 4050, but were never adopted. X12 is now working on version 5010, which should be ready for adoption by the Department of Health and Human Services (DHHS) late next year and promises to bring even more improvements. But version 5010 will bring a larger set of changes, because it is inclusive of all changes since version 4010A1. Implementing version 5010 from our current version 4010A1 will require more application development work to support the standards and will likely require a longer implementation time period for the industry. This could extend the transitional phase (or dual processing) for many affected stakeholders until full implementation can be achieved, which impacts everyone’s overall efficiency.
Some vendors have also indicated during a recent Claims Attachment Conference, that they will not implement new standards that require legislative action, such as those controlled by HIPAA, until there is a final rule. Their explanation is they don’t want to develop system enhancements that can’t be implemented by our customers. In other words, with HIPAA, legislation is required for entities to utilize newer versions of an adopted standard. Without the necessary legislation, many entities won’t move to a newer version of a standard, so exchanging the newer versions is problematic if everyone is not participating. Additionally, few vendors are willing to be early adopters in a “trial use program”, because there is no guarantee that an interim version will ever be adopted. This raises the potential risk that their development efforts would have a negative profit impact and the software would be unusable to the vendors’ overall customer base.
It is important to both the industry and vendors that we have a more frequent (timely), predictable, and consistent delivery and adoption of new versions of HIPAA standards. Frequent updates allow for smaller and more manageable changes, which are more easily accommodated in regular software updates. This is less expensive to develop, is normally easier to implement, and has less overall industry impact, yet at the same time increases the efficiency of the industry incrementally. We are in a business environment where products must be routinely updated to keep pace with demand for changes and workflow improvements that take advantage of new innovations, technologies, and industry initiatives; for example, from ONC, which lead to better quality, faster access, and less human intervention. Software updates need to be smaller and more manageable so we can continually adapt to a changing environment.
Unpredictable changes that take years to adopt tend to be much larger in scope and more difficult to integrate into our products, taking more time and effort to develop and validate, leading to longer development and implementation cycles that are not cost effective and tend to be more disruptive to all stakeholders who must implement them. While the industry waits for changes that are slow to be adopted with a federal process that can currently take four or more years, organizations are often forced to take other measures. These are often proprietary in nature and only meet individual requirements, not those of the industry. This approach is temporary and must later be undone when standards are adopted. Consequently, vendor support for such solutions is impractical and costly.
Additionally, vendors and the industry would greatly benefit from a 2-3 year roadmap of the standards development work that will be completed by each SDO; this could be developed by each SDO and harmonized collaboratively by all SDOs via Health Information Technology Standards Panel (HITSP). Such roadmaps will allow vendors and other stakeholders to better plan and budget product development work and implementation schedules to accommodate these changes accordingly. But the industry also needs some assurance that DHHS will actually adopt these new standards, so the industry will actually implement the enhancements. Without this assurance, we will continue to experience slow reactions to important industry requirements, such as ICD-10.
The current adoption process for new versions of HIPAA transactions, as you will hear later from the testimonies of X12 and NCPDP, is currently slow and redundant of activities that were already conducted by the SDO. The federal process for adopting revised HIPAA transaction standards needs to be revised to eliminate redundant comment periods during the Notice of Proposed Rule Making (NPRM) process, and to publish notifications in the Federal Register when an SDO is conducting a comment period to an adopted HIPAA standard. This may require legislative changes to permit this process modification, but such a process change would greatly reduce the adoption time for new versions of a HIPAA standard and enable more incremental adoption. Such process changes will also allow the industry to more quickly utilize new technologies and innovations as they are developed or required.
Summary of recommendations:
- HIPAA standards should continue to be regulated, but process improvements are necessary to accomplish the goal of administrative simplification.
- We need frequent and predictable updates to HIPAA adopted standards that are available on a 2-3 year cycle, or perhaps yearly, if each year alternating standards are modified. But at least every three years, all standards should be refreshed to the most appropriate standard, as identified by the SDOs and the Designated Standards Maintenance Organizations (DSMO).
- We need a roadmap of what standards development will occur during the next 2-3 years, which might be coordinated by HITSP and the participating SDOs.
- We need a less redundant federal process that does not include an NPRM step to modify rules for HIPAA standards that have already been adopted and are maintained by an ANSI accredited SDO, where a transparent process is used, that is open to the public, and includes public comments and required SDO responses.
- We need the Department of Health and Human Services to post notices in the Federal Register to indicate when an SDO is scheduling a public comment period for a standard that has been previously adopted under HIPAA.
Again, I thank you for the opportunity to allow Siemens to present our comments today, and I would be happy to make myself available to you at a later time should you have any further questions regarding my comments today.