NCPDP Testimony to NCVHS
On Updating HIPAA Standards
December 8, 2005

In 2002, the National Council for Prescription Drug Programs (NCPDP) members began working on a draft white paper discussing steps in naming a new or updated version to the HIPAA transactions due to the new versions of NCPDP standards approved since HIPAA. In 2003, WEDI formed a task group with participants from the industry and SDOs to take this paper and recommend a predictable and timely process that included steps for industry consultation and input for recommending a process for new versions and updates to named versions under HIPAA. The white paper included background information about the regulatory process, and how modifications to standards occurred in the SDOs. Sample timelines were built to show the steps and approximate length of time to help the reader understand the steps embedded in the HIPAA process. The timelines made it apparent that the regulatory process took much of the time with no apparent gained benefit. Representatives from the three Standards Development Organizations (SDOs) volunteered to begin focusing the document on improvements in the both the SDO and the regulatory process.

DSMO and OHS representatives met for a one-day session to review the SDO and the regulatory processes, look for ways to improve the process by which changes to standards are made, and to speed up the process. This meeting also included education on the American National Standards Institute (ANSI) requirements that the SDOs must follow to retain their accreditation. Discussion centered on whether the SDO balloting/voting process and the Notice of Proposed Rule Making (NPRM) public comment period could occur simultaneously to build a predictable, timely process. Representatives of ASC X12N and NCPDP each held a conference call with OHS representatives to discuss coordination of the federal regulatory process with the SDO’s process for version updates to current HIPAA transactions. It was noted that defining a predictable process might be difficult, given the length of time and the steps that must be done in the regulatory process steps.

In 2004, the SDO representatives begin revising the white paper to include more focus on education about the SDO and regulatory process, and less on the predictability of the process. The SDO representatives requested OHS assistance in understanding what the APA really required versus what other procedures were embedded in the process. The SDO representatives spent considerable time discussing a proposal to overlap the SDO ballot/approval public comment period and the HHS public comment period. The SDOs requested OHS give consideration to some kind of predictability in the federal process. After much work was completed to try to determine solutions and with the participants frustrated with the largest chunk of the timeline appearing to be the least able to change, the paper was retired, but exploration continued.

In 2005, much work was done exploring the overlap avenue. The SDOs met with OHS to discuss the proposal. Important points emerged of

  1. The important need of a predictable, timely process steps through APA.
  2. That modifications requested during the HHS public comment period could affect the approved SDO implementation guide.
  3. That modifications requested by agencies reviewing the NPRM under the Administrative Procedures Act (APA) could affect the approved SDO implementation guide.

Current Timeline

The estimated timeline from the DSMO Change Request submitted to the implementation deadline would take four (4) years minimum to any number of years maximum. The current process timeline does not include the SDO development time, as the implementation guide requested is a published product. The four year to xx year timeline includes the DSMO process, NCVHS, NPRM writing, comment period, deliberation of comments, final rule writing, and implementation date. There have been and continue to be concerns with the current process, in addition to the duration, including timeliness and predictability.

The industry requests a published implementation guide version be named in HIPAA. This implementation guide has been through the SDO-based review and approval process (including ANSI). When the NPRM public comment period finally occurs, an assumption made by OESS has occurred that the published guide will be opened and modified. With the lapsed time from the DSMO Change Request submission to the NPRM, the SDO has moved onto developing a newer version. If the newer version is complete, the problem now becomes incorporating changes from the NPRM process to the originally named version, making changes to the newer version, and resolving inconsistencies. This is a maintenance nightmare. The original guide has been through an open process; now there is another round of comments, which may be years after the original comments were made. These changes may require another SDO ballot/approval process and a new version named. Now another public comment period occurs? The loop begins? Further there is the ability via the regulatory process for given agencies to request changes, which have not been vetted through the industry process.

Approved implementation guides should not be reopened for any changes. Comments should be made at one time during the SDO open process and evaluated at that time.

In 2005, the DSMO collectively and the SDOs individually have spent many hours discussing the “maintenance” and “modification” processes. An “emergency” process was designed. The Office of E-Health Standards and Services (OESS) will be including these topics in an NPRM (now slated for mid 2006). OESS has determined that it is possible but will not make any commitment (for example) that if they received the DSMO Changes in November, they could project the following October for an NPRM publication, and 13 months later, a final rule.

The current timeline with the OESS proposed schedule is a step in the streamline direction; but the length of time still remains a couple of years from the request of a version named to the actual implementation. It does not address items 2 and 3 above. It does not address the multiple comment periods. Furthermore, the times cited are approximate. If actual months are established and adhered to, predictability could be met.

An overlapping comment timeline with OESS proposed schedule combines the requirements of items 1 and 2 above. It should be noted the timeline would still take a minimum of three years. It does not address item 3. It is a step in the right direction, but is still not timely.

The Environment Today

Since 1999, the pharmacy industry has requested modifications to the NCPDP Telecommunication Standard which has resulted in the creation of versions from 5.1 to C.2.  Change is the nature of the industry and therefore the standards. The industry has been tasked with considerable challenges due to the requirements of the MMA. We have been forced to use text fields and interpretative guidance (“kludges”) for the implementations of Medicare Part D because moving to a new version under HIPAA was not possible given the timeframes. The process for change under HIPAA was broken before it ever began. The possible “emergency” to be discussed in an NPRM hopefully this year may offer a solution to a succinct problem with correction, but the reality is that the proposal will still take too long to go through the processes. There was very little time to do all the analysis for MMA. The industry is still discovering situations that they need to resolve. We would have had to request multiple “emergency” changes over this year and the process would have tripped over itself with all of the administrative steps. In cases like this, the industry needs to work with the SDO, in as many iterations as necessary, to support the changes, and implement based on this work. The industry is being forced to support these kludges (they have to code to them, then later code to the real solution), when they would much prefer to support coding the real solution the first time.

Now we are faced with regulatory processes in the eprescribing environment. It is a reasonable expectation that this business practice will require changes to HIPAA-named standards. Waiting four or more years for a change to be in place is not acceptable. The industry must also be able to support two versions at one time – to ease migration and to respect that not all will need the changes in the latest version.


SDOs publish updated versions from as often as multiple times a year to every two years. The SDO process is important because it does vet the technical and business perspectives. The federal regulatory process takes the largest chunk of time in the process.

How do you weigh the ability to update standards with the industry’s timeframe to move? Business practice is often to support the current version for some time, while moving to the new version. Then the current version is sunset as you move to the next version. NCPDP states that any versions approved have a 180-day implementation timeframe. Prior to HIPAA, the industry moved as business needs required and the pharmacy electronic claim submission rate was at approximately 95% using the NCPDP Telecommunication Standard.

What are HIPAA and the regulatory process attempting to solve?

  1. A “large stick” – the mandating of a standard and a version when an entity apparently does not choose to move to this standard or version. (But those who see benefit or have a need move to the new standard or version.)
  2. Forcing everyone on the same version of a standard.
  3. Introducing regulatory processes that attempt to notify all of something happening and force new checks.

What are we trying to solve? Why would a new standard be requested under HIPAA knowing what we now know?

Perhaps the following represent basic tenets of what we are trying to accomplish.

  1. Outreach should occur to as many as possible, via multiple methods.
  2. The industry should be engaged in the standards development process in various ways, as early as possible.
  3. Standards implementation should be predictable and timely.

A Possible Solution For HIPAA and Eprescribing

The proposed steps below try to meet the basic tenets above. The steps would be the same for a new version or for a new standard.

Steps would include:

  1. Industry, via the SDO, approves that they wish to support a new version or standard. They prepare the benefits, modifications made, the ballot/approval information, and a recommended implementation timeframe.
  2. WEDI completes an industry survey based on the request.
  3. Notifications of the ballot take place via HHS, SDO, industry listserves and other mechanisms.
  4. SDO implements ballot/approval process.
  5. Comments are vetted through SDO process.
  6. Final implementation is prepared.
  7. Industry/SDO report to NCVHS of industry request, timeframe, and WEDI survey results. This is an established time each year.
  8. NCVHS sends recommendation to HHS, within an established timeframe each year.
  9. HHS notifies public of update and implementation timeframe. The notification occurs at an established time each year.

There may not be an industry request each year, but the predictable timeline would be established so if there is anything to bring forward, the schedule is known by the entire industry.

This solution offers some modifications. The DSMO process, the NPRM and final rule process would no longer occur. Each in their own way was intended to alert the industry of change and encourage involvement. With proper established notifications, the goals are still met with steps 1, 2, and 3 early in the process, where input and involvement should occur.

HIPAA has taught us a lot. But it is now time to apply those lessons learned and admit that we not supporting the industry need for change, it is not timely and predictable, and the process is not streamlined. It is now time to adopt this proposed solution, begin working through the details, and implement.

Thank you for your time today.