NCVHS letterhead header

June 22, 2006

The Honorable Michael O. Leavitt
U.S. Department of Health and Human Services
200 Independence Avenue SW
Washington, DC 20201

Dear Secretary Leavitt:

The National Committee on Vital and Health Statistics (NCVHS) has
responsibilities for assessing the impact of the adoption and use of
transactions and code sets adopted under the administrative simplification
provisions of the Health Insurance Portability and Accountability Act of 1996
(HIPAA).  Because it has been ten years since this landmark legislation
was passed, NCVHS felt it was appropriate to solicit testimony to assess the
status and lessons learned from HIPAA.  Since 2002, we have held 17
hearings with more than 200 testifiers from various stakeholder groups on a
wide range of HIPAA-related issues, including HIPAA compliance, claims
attachments, and ICD-10 adoption.  All of this input has significantly
increased our understanding of HIPAA and its effects on the delivery and
payment of health care.  It has further reminded the Committee that HIPAA
changes the business processes as well as the systems used by the healthcare

On this important anniversary, this letter provides some preliminary
observations and recommendations on the implementation and impact of
HIPAA.  Additional information and recommendations on HIPAA implementation
will be included in our annual HIPAA report, which will be sent to you later in
the year.

Observation 1: Implementations.   HIPAA implementation has taken
longer than anticipated in the HIPAA legislation. The causes for this are
numerous and include the fact that actual publication of the rules has taken
much longer than expected, as well as the fact that while payers were required
to implement all standards, adoption by providers was not required.[1] The original view was that
because standardized electronic data interchange implementation would save
providers time and money, providers would gravitate to their use to reap the
benefits of administrative simplification.

There have, however, been unanticipated impediments. These include
reluctance by the vendors to build the range of necessary software for the
non-revenue-related HIPAA transactions (such as the eligibility transactions
270/271 and claim status notification 276/277).   Additionally, there
has been reluctance by some payers to robustly implement the HIPAA non-revenue
transactions.  For example, payers in many cases included only minimum
information in the eligibility transactions, which resulted in providers not
being able to gain full benefit.  In addition, there are still health care
organizations that are not yet compliant with HIPAA standards, and many of
these organizations continue to use contingency plans, which further delays the
transition to HIPAA standards.  .

Recommendation 1.1: HHS should undertake a comprehensive evaluation of HIPAA
implementation in order to identify barriers to timely, efficient and effective
implementation, as well as areas for future improvements. NCVHS stands ready to
advise HHS in the design and conduct of such an assessment. Once these
impediments and areas of improvement are identified, the NCVHS pledges to work
closely with the Department and the industry to identify ways to best address
them. Such findings would be useful for other HIPAA implementations and federal
standards initiatives in the future.

Observation 2: The process for changing versions or updating versions
of HIPAA standards is slow and cumbersome.  The HIPAA final rule requires
covered entities to use a particular version of a standard, without
modification.  It does not permit voluntary adoption of new versions; in
contrast, this is permitted under the electronic prescribing final rule.
In addition, the administrative requirements under the Administrative
Procedures Act (APA) necessitate notice and comment rulemaking.  The HIPAA
rulemaking process has taken several years from issuance of a Notice of
Proposed Rulemaking (NPRM) to implementation.  This severely hampers the
ability of the public and private sectors to keep pace with emerging needs,
especially in the rapid acceleration toward the adoption of electronic health
record (EHR) systems. In addition, the HIPAA process requires that changes to
standards be vetted through various standards development organizations
(SDOs).  The SDOs’ processes include an extensive comment period in
which all parties can participate.  However, the fact that the standards
are on different approval cycles makes it problematic to synchronize changes or
updates.  These differences in schedules, plus the unpredictability of the
time it takes to complete all of the steps in the federal rulemaking process,
create an uncertain environment in which it is difficult for providers, payers
and vendors to influence or anticipate upcoming changes and develop business
products and processes to accommodate them.   Backward
compatibility[2], where feasible,
and voluntary adoption of backward compatible standards with the named HIPAA
standard could provide flexibility in version updating.

Recommendation 2.1: The Department should immediately explore ways to
facilitate quicker updates and implementations of HIPAA transaction standards
in a manner that can reduce or eliminate areas of redundancy in this process,
including the possibility of not requiring HHS notice and comment rulemaking
for a version update of an already existing HIPAA transaction standard.
This recommendation does not apply to the HIPAA privacy and security
regulations.  The exploration should include:

  • An in-depth review of the applicable statutory and regulatory
    requirements;; a comprehensive exploration of permissible options; and a
    determination as to whether legislative changes to HIPAA should be
  • Consideration of regulatory changes to permit the voluntary adoption of
    backward compatible updates to named HIPAA standards.
  • Consideration of how to include public comment on business process issues
    as well as functional and technical standards issues in the review process.

Recommendation 2.2: The Department should expedite issuance of the NPRM on
current HIPAA modifications.   This regulation includes the many
needed changes identified since the original HIPAA regulations were issued in
2000, including a timely modifications process.

Recommendation 2.3:  The Department should determine what would be
necessary to facilitate synchronization of the timing of implementation of
changes to HIPAA code sets (including medical and non-medical data code sets)
to minimize the scope and quantity of changes experienced by the providers,
payers, clearing houses and vendors.  Alignment of the timing of changes
and updates to the code sets would allow the industry to coordinate, test and
implement on a more orderly schedule and reduce rejected claims.

Observation 3: Return on Investment (ROI). The testifiers who were using
only the HIPAA health claims transactions indicated that they were not yet able
to show a positive ROI.  It is important that we improve the ROI for HIPAA
transactions and code sets so that they will serve as a driver for further
adoption of health information technology and standards in the healthcare
field.  The following actions could significantly increase the return on
investment from the use of HIPAA transactions and code sets.

Recommendation 3.1.: HHS should take additional steps to increase the
adoption and use by providers and payers of all those HIPAA transaction
standards beyond the health claims transactions,  such as
eligibility  (270 / 271),  claim status (276 / 277), payment
and remittance (835), and referrals (278).  These transactions when
incorporated into daily processes can reduce staff and increase
efficiency.  While we commend the ongoing work in this area by the Centers
for Medicare and Medicaid Services (CMS), we believe these activities should be

Recommendation 3.2: HHS should actively work with payers to facilitate
inclusion of enough information in their responses (eligibility standard 271
and claim status standard 277) to allow providers to use the information to
actually improve their processes.  Continuing participation by CMS is
needed in the work by the Council on Affordable Quality Healthcare (CAQH), a
voluntary group representing payers, providers, vendors and associations, on
standardization of the data in an eligibility transaction.   This is
an excellent example of voluntary cooperation to improve the HIPAA process.

Recommendation 3.3:  HHS should actively work with vendors to encourage
their inclusion of the aforementioned non-claim transactions in practice
management software used in provider offices.  Vendors are key to the
success of pilots on these topics and, more importantly, to the success of
final implementation by the industry.  As a result, their inclusion from
the planning to the execution of such studies will yield more informed and
usable results.

Recommendation 3.4:   HHS should continue to support ongoing work
by the industry and SDOs to reduce unnecessary variability of business rules,
as currently documented in companion guides. Several actions are necessary. The
first is to support processes to identify common business practices that are
included in the different payers’ companion guides. Second, harmonization
of the business practices that are not common must be promoted, to the extent
possible.  In addition, some independent initiatives are underway to
further evaluate those differences in business rules.  Continued support
of these efforts by HHS would advance the original intent of standardization.

Recommendation 3.5: HHS should facilitate and encourage the adoption of one
of the currently non-mandated acknowledgement transactions (e.g., 997 or 999)
to standardize the acknowledgement process between providers, payers,
clearinghouses and vendors.    This will achieve standardized
process flows among the parties involved, thus reducing the effort necessary to
achieve expected results.

Recommendation 3.6: HHS should continue the use of pilot testing new HIPAA
standards, such as the pilot conducted with the proposed claims attachment
standard, to obtain a real look at the actual benefits, issues, business
impacts and system changes surrounding the proposed standard.  Even
small-scale pilots can yield valuable information that could help speed

We look forward to advising the Department on issues related to HIPAA
transactions and code sets and health information technology in 2006.



Simon P. Cohn, M.D., M.P.H.

Chairman, National Committee on Vital and Health Statistics

NCVHS letterhead footer

[1] Additional details are
provided in NCVHS’ annual reports to Congress on HIPAA implementation
progress.  These are available on the NCVHS web site (

[2] As defined in the
electronic prescribing final rule, November 2005, p. 67579, backward compatible
means that the newer version would retain, at a minimum, the full functionality
of the version previously adopted in regulation, and would permit the
successful completion of the applicable transaction with entities that continue
to use the previous version.