[Federal Register: June 16, 1998 (Volume 63, Number 115)] [Proposed Rules] [Page 32784-32798] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr16jn98-39] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Part 142 [HCFA-0047-P] RIN 0938-AI59 Health Insurance Reform: National Standard Employer Identifier AGENCY: Health Care Financing Administration (HCFA), HHS. ACTION: Proposed rule. ----------------------------------------------------------------------- SUMMARY: This rule proposes a standard for a national employer identifier and requirements concerning its use by health plans, health care clearinghouses, and health care providers. The health plans, health care clearinghouses, and [[Page 32785]] health care providers would use the identifier, among other uses, in connection with certain electronic transactions. The use of this identifier would improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general, by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information. It would implement some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996. DATES: Comments will be considered if we receive them at the appropriate address, as provided below, no later than 5 p.m. on August 17, 1998. ADDRESSES: Mail written comments (1 original and 3 copies) to the following address: Health Care Financing Administration, Department of Health and Human Services, Attention: HCFA-0047-P, P.O. Box 26676, Baltimore, MD 21207-0519. If you prefer, you may deliver your written comments (1 original and 3 copies) to one of the following addresses: Room 309-G, Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 20201, or Room C5-09-26, 7500 Security Boulevard, Baltimore, MD 21244-1850. Comments may also be submitted electronically to the following e- mail address: employer@osaspe.dhhs.gov. For e-mail and comment procedures, see the beginning of SUPPLEMENTARY INFORMATION. For information on ordering copies of the Federal Register containing this document and on electronic access, see the beginning of SUPPLEMENTARY INFORMATION. FOR FURTHER INFORMATION CONTACT: Mary Emerson, (410) 786-7065. SUPPLEMENTARY INFORMATION: E-mail Comments, Procedures, Availability of Copies, and Electronic Access: E-mail comments should include the full name, postal address, and affiliation (if applicable) of the sender and must be submitted to the referenced address to be considered. All comments should be incorporated in the e-mail message because we may not be able to access attachments. Because of staffing and resource limitations, we cannot accept comments by facsimile (FAX) transmission. In commenting, please refer to file code HCFA-0047-P and the specific section or sections of the proposed rule. Both electronic and written comments received by the time and date indicated above will be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, in Room 309-G of the Department's offices at 200 Independence Avenue, SW., Washington, DC, on Monday through Friday of each week from 8:30 a.m. to 5 p.m. (phone: (202) 690-7890). Electronic and legible written comments will also be posted, along with this proposed rule, at the following web site: http://aspe.hhs.gov/admnsimp/. Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by faxing to (202) 512- 2250. The cost for each copy is $8. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register. This Federal Register document is also available from the Federal Register online database through GPO Access, a service of the U.S. Government Printing Office. Free public access is available on a Wide Area Information Server (WAIS) through the Internet and via asynchronous dial-in. Internet users can access the database by using the World Wide Web http://www.access.gpo.gov/nara, by using local WAIS client software, or by telnet to swais.access.gpo.gov, then login as guest (no password required). Dial-in users should use communications software and modem to call (202) 512-1661; type swais, then login as guest (no password required). I. Background [Please label written and e-mailed comments about this section with the subject: Background.] When claims are filed, employer information is used by health plans to identify the employer of the participant in the health plan and to develop coordination of benefits information. Employers may transmit information to health plans when enrolling or disenrolling an employee as a participant in a health plan. Employers, health care providers, and health plans may need to identify the source or receiver of eligibility or benefit information. Although the source or receiver is usually a health plan, it could be an employer. Employers, health care providers, and health plans may need to identify the employer when making or keeping track of health plan premium payments or contributions relating to an employee. In all cases where information about the employer is transmitted electronically, it would be beneficial to identify the employer using a standard identifier. A. Legislation The Congress included provisions to address the need for a standard identifier and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act a new part C, entitled ``Administrative Simplification.'' (Public Law 104-191 affects several titles in the United States Code. Hereafter, we refer to the Social Security Act as the Act; we refer to the other laws cited in this document by their names.) The purpose of this part is to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the electronic transmission of certain health information. Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and certain health care providers concerning electronic transmission of health information. The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization. Section 1172 of the Act makes any standard adopted under part C applicable to (1) all health plans, (2) all health care clearinghouses, and (3) any health care providers that transmit any health information in electronic form in connection with the transactions referred to in section 1173(a)(1) of the Act. [[Page 32786]] This section also contains requirements concerning standard setting. The Secretary may adopt a standard developed, adopted, or modified by a standard setting organization (that is, an organization accredited by the American National Standards Institute (ANSI)) that has consulted with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup on Electronic Data Interchange (WEDI), and the American Dental Association (ADA). The Secretary may also adopt a standard other than one established by a standard setting organization, if the different standard will reduce costs for health care providers and health plans, the different standard is promulgated through negotiated rulemaking procedures, and the Secretary consults with each of the above-named groups. If no standard has been adopted by any standard setting organization, the Secretary is to rely on the recommendations of the National Committee on Vital and Health Statistics (NCVHS) and consult with each of the above-named groups. In complying with the requirements of part C of title XI, the Secretary must rely on the recommendations of the NCVHS, consult with appropriate State, Federal, and private agencies or organizations, and publish the recommendations of the NCVHS in the Federal Register. Paragraph (a) of section 1173 of the Act requires that the Secretary adopt standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. Standards are required for the following transactions: health claims, health encounter information, health claims attachments, health plan enrollments and disenrollments, health plan eligibility, health care payment and remittance advice, health plan premium payments, first report of injury, health claim status, and referral certification and authorization. In addition, the Secretary is required to adopt standards for any other financial and administrative transactions that are determined to be appropriate by the Secretary. Paragraph (b) of section 1173 of the Act requires the Secretary to adopt standards for unique health identifiers for all individuals, employers, health plans, and health care providers and requires further that the adopted standards specify for what purposes unique health identifiers may be used. Paragraphs (c) through (f) of section 1173 of the Act require the Secretary to establish standards for code sets for each data element for each health care transaction listed above, security standards for health care information systems, standards for electronic signatures (established together with the Secretary of Commerce), and standards for the transmission of data elements needed for the coordination of benefits and sequential processing of claims. Compliance with electronic signature standards will be deemed to satisfy both State and Federal requirements for written signatures with respect to the transactions listed in paragraph (a) of section 1173 of the Act. In section 1174 of the Act, the Secretary is required to adopt standards for all of the above transactions, except claims attachments, within 18 months of enactment. The standards for claims attachments must be adopted within 30 months. Generally, after a standard is established it cannot be changed during the first year except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary must also ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions. Section 1175 of the Act prohibits health plans from refusing to process or delaying the processing of a transaction that is presented in standard format. The Act's requirements are not limited to health plans; however, each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. Entities may comply by using a health care clearinghouse to transmit or receive the standard transactions. Compliance with modifications and implementation specifications to standards must be accomplished by a date designated by the Secretary. This date may not be earlier than 180 days after the notice of change. Section 1176 of the Act establishes a civil monetary penalty for violation of the provisions in part C of title XI of the Act, subject to several limitations. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement. The procedural provisions in section 1128A of the Act, ``Civil Monetary Penalties,'' are applicable. Section 1177 of the Act establishes penalties for a knowing misuse of unique health identifiers and individually identifiable health information: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if misuse is ``under false pretenses,'' a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/ or imprisonment of not more than 10 years. Under section 1178 of the Act, the provisions of part C of title XI of the Act, as well as any standards established under them, supersede any State law that is contrary to them. However, the Secretary may, for statutorily specified reasons, waive this provision. Finally, section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when ``authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.'' Although the provisions of the law are inapplicable to financial institutions when they are carrying out the listed financial functions, the provisions are applicable to financial institutions when they perform the functions of health care clearinghouses. Concerning this last provision, the conference report, in its discussion on section 1178, states: The conferees do not intend to exclude the activities of financial institutions or their contractors from compliance with the standards adopted under this part if such activities would be subject to this part. However, conferees intend that this part does not apply to use or disclosure of information when an individual utilizes a payment system to make a payment for, or related to, health plan premiums or health care. For example, the exchange of information between participants in a credit card system in connection with processing a credit card payment for health care would not be covered by this part. Similarly sending a checking account statement to an account holder who uses a credit or debit card to pay for health care services, would not be covered by this part. However, this part does apply if a company clears health care claims, the health care claims activities remain subject to the requirements of this part.'') (H.R. Rep. No. 736, 104th Cong., 2nd Sess. (1996) reprinted in 1996 U.S.C.C.A.N. 264, 265) [[Page 32787]] B. Process for Developing National Standards The Secretary has formulated a 5-part strategy for developing and implementing the standards mandated under Part C of title XI of the Act: 1. To ensure necessary interagency coordination and required interaction with other Federal departments and the private sector, establish interdepartmental implementation teams to identify and assess potential standards for adoption. The subject matter of the teams includes claims/encounters, identifiers, enrollment/eligibility, systems security, and medical coding/classification. Another team addresses cross-cutting issues and coordinates the subject matter teams. The teams consult with external groups such as the NCVHS' Workgroup on Data Standards, WEDI, ANSI's Healthcare Informatics Standards Board, the NUCC, the NUBC, and the ADA. The teams are charged with developing regulations and other necessary documents and making recommendations for the various standards to the HHS' Data Council through its Committee on Health Data Standards. (The HHS Data Council is the focal point for consideration of data policy issues. It reports directly to the Secretary and advises the Secretary on data standards and privacy issues.) 2. Develop recommendations for standards to be adopted. 3. Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period. 4. Analyze public comments and publish the final rules in the Federal Register. 5. Distribute standards and coordinate preparation and distribution of implementation guides. This strategy affords many opportunities for involvement of interested and affected parties in standards development and adoption: Participate with standards development organizations. Provide written input to the NCVHS. Provide written input to the Secretary of HHS. Provide testimony at NCVHS' public meetings. Comment on the proposed rules for each of the proposed standards. Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process. The implementation teams charged with reviewing standards for designation as required national standards under the statute have defined, with significant input from the health care industry, a set of principles for guiding choices for the standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA and the purpose of the law, principles that support the regulatory philosophy set forth in Executive Order 12866 and the Paperwork Reduction Act of 1995. To be designated as an HIPAA standard, each standard should: 1. Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions. 2. Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses. 3. Be consistent and uniform with the other HIPAA standards--their data element definitions and codes and their privacy and security requirements--and, secondarily, with other private and public sector health data standards. 4. Have low additional development and implementation costs relative to the benefits of using the standard. 5. Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time. 6. Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster. 7. Be technologically independent of the computer platforms and transmission protocols used in electronic transactions, except when they are explicitly part of the standard. 8. Be precise and unambiguous, but as simple as possible. 9. Keep data collection and paperwork burdens on users as low as is feasible. 10. Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology. A master data dictionary providing for common data definitions across the standards selected for implementation under HIPAA will be developed and maintained. We intend for the data element definitions to be precise, unambiguous, and consistently applied. The transaction- specific reports and general reports from the master data dictionary will be readily available to the public. At a minimum, the information presented will include data element names, definitions, and appropriate references to the transactions where they are used. This proposed rule would establish the standard health care employer identifier. We anticipate publishing several regulations documents altogether to promulgate the various standards required under the HIPAA. The other proposed regulations cover security standards, the transactions specified in the Act, and the other three identifiers. II. Provisions of the Proposed Regulations [Please label written and e-mailed comments about this section with the subject: Provisions.] In this proposed rule, we propose a standard employer identifier and requirements concerning its implementation. This rule would establish requirements that health plans, health care clearinghouses, and health care providers would have to meet to comply with the statutory requirement to use a unique employer identifier in electronic transactions. We propose to add a new part to title 45 of the Code of Federal Regulations for health plans, health care providers, and health care clearinghouses in general. The new part would be part 142 of title 45 and would be titled ``Administrative Requirements.'' Subpart F would contain provisions specific to the employer identifier. A. Applicability Section 262 of HIPAA applies to any health plans, any health care clearinghouses, and any health care provider that transmits any health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. Our proposed rules (at 45 CFR 142.102) would apply to the health plans and health care clearinghouses as well, but we would clarify the statutory language in our regulations for health care providers: we would have the regulations apply to any health care provider only when electronically transmitting any of the transactions to which section 1173(a)(1) of the Act refers. Electronic transmissions would include transmissions using all media, even when the transmission is physically moved from one location to another using magnetic tape, disk, or CD media. Transmissions over the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks are all [[Page 32788]] included. Telephone voice response and ``faxback'' systems would not be included. The ``HTML'' interaction between a server and a browser by which the elements of a transaction are solicited from a user would not be included, but once assembled into a transaction by the server, transmission of the full transaction to another corporate entity, such as a health plan, would be required to comply. Our regulations would apply to health care clearinghouses when transmitting transactions to, and receiving transactions from, a health care provider or health plan that transmits and receives standard transactions (as defined under ``transaction'') and at all times when transmitting to or receiving electronic transactions from another health care clearinghouse. The law would apply to each health care provider when transmitting or receiving any electronic transaction. The law applies to health plans for all transactions. Section 142.104 would contain the following provisions (from section 1175 of the Act): If a person desires to conduct a transaction (as defined in Sec. 142.103) with a health plan as a standard transaction, the following apply: (1) The health plan may not refuse to conduct the transaction as a standard transaction. (2) The health plan may not delay the transaction or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction. (3) The information transmitted and received in connection with the transaction must be in the form of standard data elements of health information. As a further requirement, we would require that a health plan that conducts transactions through an agent assure that the agent meets all the requirements of part 142 that apply to the health plan. Section 142.105 would state that a person or other entity may meet the requirements of Sec. 142.104 by either-- (1) Transmitting and receiving standard data elements, or (2) Submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse and receiving standard data elements through the clearinghouse. Health care clearinghouses would be able to accept nonstandard transactions for the sole purpose of translating them into standard transactions for sending customers and would be able to accept standard transactions and translate them into nonstandard formats for receiving customers. We would state in Sec. 142.105 that the transmission of nonstandard transactions, under contract, between a health plan or a health care provider and a health care clearinghouse would not violate the law. Transmissions within a corporate entity would not be required to comply with the standards. For example, a hospital that is wholly owned by a managed care company would not have to use the standards to pass encounter information back to the home office, but it would have to use the standard claims transaction to submit a claim to another health plan. Although there are situations in which the use of the standards is not required (for example, health care providers may continue to submit paper claims and employers are not required to use any of the standard transactions), we stress that a standard may be used voluntarily in any situation in which it is not required. B. Definitions Section 1171 of the Act defines several terms and our proposed rules would, for the most part, simply restate the law. The terms that we are defining in this proposed rule follow: 1. Code Set We would define ``code set'' as section 1171(1) of the Act does: ``code set'' means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. 2. Employer We would define ``employer'' as 26 U.S.C. 3401(d) does: ``employer'' means the person for whom an individual performs or performed any service, of whatever nature, as the employee of that person or organization, except that: a. If the person for whom the individual performs or performed the services does not have control of the payment of wages for those services, the term ``employer'' means the person having control of the payment of those wages; and b. In the case of a person paying wages on behalf of a nonresident alien individual, foreign partnership, or foreign corporation, not engaged in trade or business within the United States, the term ``employer'' means that person. 3. Health Care Clearinghouse We would define ``health care clearinghouse'' as section 1171(2) of the Act does, but we are adding a further, clarifying sentence. The statute defines a ``health care clearinghouse'' as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. We would further explain that such an entity is one that currently receives health care transactions from health care providers and other entities, translates the data from a given format into one acceptable to the intended recipient and forwards the processed transaction to appropriate health plans and other clearinghouses, as necessary, for further action. There are currently a number of private clearinghouses that perform these functions for health care providers. For purposes of this rule, we would consider billing services, repricing companies, community health management information systems or community health information systems, value-added networks, and switches performing these functions to be health care clearinghouses. 4. Health Care Provider As defined by section 1171(3) of the Act, a ``health care provider'' is a provider of services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies. Our regulations would define ``health care provider'' as the statute does and clarify that the definition of a health care provider is limited to those entities that furnish, or bill and are paid for, health care services in the normal course of business. For a more detailed discussion of the definition of health care provider, we refer the reader to our proposed rule, HCFA-0045-P, Standard Health Care Provider Identifier, published on May 7, 1998 (63 FR 25320). 5. Health Information ``Health information,'' as defined in section 1171 of the Act, means any information, whether oral or recorded in any form or medium, that-- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. [[Page 32789]] We propose the same definition for our regulations. 6. Health Plan We propose that a ``health plan'' be defined essentially as section 1171 of the Act defines it. Section 1171 of the Act cross refers to definitions in section 2791 of the Public Health Service Act (as added by Public Law 104-191, 42 U.S.C. 300gg-91); we would incorporate those definitions as currently stated into our proposed definitions for the convenience of the public. We note that many of these terms are defined in other statutes, such as the Employee Retirement Income Security Act of 1974 (ERISA), Public Law 93-406, 29 U.S.C. 1002(7) and the Public Health Service Act. Our definitions are based on the roles of plans in conducting administrative transactions, and any differences should not be construed to affect other statutes. For purposes of implementing the provisions of administrative simplification, a ``health plan'' would be an individual or group health plan that provides, or pays the cost of, medical care. This definition includes, but is not limited to, the 13 types of plans listed in the statute. On the other hand, plans such as property and casualty insurance plans and workers compensation plans, which may pay health care costs in the course of administering nonhealth care benefits, are not considered to be health plans in the proposed definition of health plan. Of course, these plans may voluntarily adopt these standards for their own business needs. At some future time, the Congress may choose to expressly include some or all of these plans in the list of health plans that must comply with the standards. Health plans often carry out their business functions through agents, such as plan administrators (including third party administrators), entities that are under ``administrative services only'' (ASO) contracts, claims processors, and fiscal agents. These agents may or may not be health plans in their own right; for example, a health plan may act as another health plan's agent as another line of business. As stated earlier, a health plan that conducts HIPAA transactions through an agent is required to assure that the agent meets all HIPAA requirements that apply to the plan itself. ``Health plan'' includes the following, singly or in combination: a. ``Group health plan'' (as currently defined by section 2791(a) of the Public Health Service Act). A group health plan is a plan that has 50 or more participants (as the term ``participant'' is currently defined by section 3(7) of ERISA) or is administered by an entity other than the employer that established and maintains the plan. This definition includes both insured and self-insured plans. We define ``participant'' separately below. Section 2791(a)(1) of the Public Health Service Act defines ``group health plan'' as an employee welfare benefit plan (as currently defined in section 3(1) of ERISA) to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise. It should be noted that group health plans that have fewer than 50 participants and that are administered by the employer would be excluded from this definition and would not be subject to the administrative simplification provisions of HIPAA. b. ``Health insurance issuer'' (as currently defined by section 2791(b) of the Public Health Service Act). Section 2791(b)(2) of the Public Health Service Act currently defines a ``health insurance issuer'' as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. c. ``Health maintenance organization'' (as currently defined by section 2791(b) of the Public Health Service Act). Section 2791(b) of the Public Health Service Act currently defines a ``health maintenance organization'' as a Federally qualified health maintenance organization, an organization recognized as such under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. These organizations may include preferred provider organizations, provider sponsored organizations, independent practice associations, competitive medical plans, exclusive provider organizations, and foundations for medical care. d. Part A or Part B of the Medicare program (title XVIII of the Act). e. The Medicaid program (title XIX of the Act). f. A ``Medicare supplemental policy'' as defined under section 1882(g)(1) of the Act. Section 1882(g)(1) of the Act defines a ``Medicare supplemental policy'' as a health insurance policy that a private entity offers a Medicare beneficiary to provide payment for expenses incurred for services and items that are not reimbursed by Medicare because of deductible, coinsurance, or other limitations under Medicare. The statutory definition of a Medicare supplemental policy excludes a number of plans that are generally considered to be Medicare supplemental plans, such as health plans for employees and former employees and for members and former members of trade associations and unions. A number of these health plans may be included under the definitions of ``group health plan'' or ``health insurance issuer'', as defined in a. and b. above. g. A ``long-term care policy,'' including a nursing home fixed- indemnity policy. A ``long-term care policy'' is considered to be a health plan regardless of how comprehensive it is. We recognize the long-term care insurance segment of the industry is largely unautomated and we welcome comments regarding the impact of HIPAA on the long-term care segment. h. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. This includes plans and other arrangements that are referred to as multiple employer welfare arrangements (``MEWAs'') as defined in section 3(40) of ERISA. i. The health care program for active military personnel under title 10 of the United States Code. j. The veterans health care program under chapter 17 of title 38 of the United States Code. This health plan primarily furnishes medical care through hospitals and clinics administered by the Department of Veterans Affairs for veterans with a service-connected disability that is compensable. Veterans with non-service-connected disabilities (and no other health benefit plan) may receive health care under this health plan to the extent resources and facilities are available. k. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4). CHAMPUS primarily covers services furnished by civilian medical providers to dependents of active duty members of the uniformed services and retirees and their dependents under age 65. l. The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.). This program furnishes services, generally through its own health care providers, primarily to persons who are eligible to receive services because they are of American Indian or Alaskan Native descent. [[Page 32790]] m. The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89. This program consists of health insurance plans offered to active and retired Federal employees and their dependents. Depending on the health plan, the services may be furnished on a fee-for-service basis or through a health maintenance organization. (Note: Although section 1171(5)(M) of the Act refers to the ``Federal Employees Health Benefit Plan,'' this and any other rules adopting administrative simplification standards will use the correct name, the Federal Employees Health Benefits Program. One health plan does not cover all Federal employees; there are over 350 health plans that provide health benefits coverage to Federal employees, retirees, and their eligible family members. Therefore, we will use the correct name, the Federal Employees Health Benefits Program, to make clear that the administrative simplification standards apply to all health plans that participate in the Program.) n. Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care. We would include a fourteenth category of health plan in addition to those specifically named in HIPAA, as there are health plans that do not readily fit into the other categories but whose major purpose is providing health benefits. The Secretary would determine which of these plans are health plans for purposes of title II of HIPAA. This category would include the Medicare Plus Choice plans that will become available as a result of section 1855 of the Act as amended by section 4001 of the Balanced Budget Act of 1997 (Public Law 105-33) to the extent that these health plans do not fall under any other category. 7. Medical Care ``Medical care,'' which is used in the definition of health plan, would be defined as current section 2791 of the Public Health Service Act defines it: the diagnosis, cure, mitigation, treatment, or prevention of disease, or amounts paid for the purpose of affecting any body structure or function of the body; amounts paid for transportation primarily for and essential to these items; and amounts paid for insurance covering the items and the transportation specified in this definition. 8. Participant We would define the term ``participant'' as section 3(7) of ERISA currently defines it: a ``participant'' is any employee or former employee of an employer, or any member or former member of an employee organization, who is or may become eligible to receive a benefit of any type from an employee benefit plan that covers employees of such an employer or members of such an organization, or whose beneficiaries may be eligible to receive any of these benefits. An ``employee'' would include an individual who is treated as an employee under section 401(c)(1) of the Internal Revenue Code of 1986 (26 U.S.C. 401(c)(1)). 9. Small Health Plan We would define a ``small health plan'' as a group health plan or individual health plan with fewer than 50 participants. The HIPAA does not define a ``small health plan'' but instead leaves the definition to be determined by the Secretary. The Conference Report suggests that the appropriate definition of a ``small health plan'' is found in current section 2791(a) of the Public Health Service Act, which is a group health plan with fewer than 50 participants. We would also define small individual health plans as those with fewer than 50 participants. 10. Standard Section 1171 of the Act defines ``standard,'' when used with reference to a data element of health information or a transaction referred to in section 1173(a)(1) of the Act, as any such data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary with respect to the data element or transaction under sections 1172 through 1174 of the Act. Under our definition, a standard would be a set of rules for a set of codes, data elements, transactions, or identifiers promulgated either by an organization accredited by the American National Standards Institute or HHS for the electronic transmission of health information. 11. Transaction ``Transaction'' would mean the exchange of information between two parties to carry out financial and administrative activities related to health care. A transaction would be any of the transactions listed in section 1173(a)(2) of the Act and any determined appropriate by the Secretary in accordance with section 1173(a)(1)(B) of the Act. We present them below in the order in which we propose to list them in the regulations text to thisdocument and in the regulations document for proposed standards for these transactions that we will publish later. A ``transaction'' would mean any of the following: a. Health claims or equivalent encounter information. This transaction may be used to submit health care claim billing information, encounter information, or both, from health care providers to health plans, either directly or via intermediary billers and claims clearinghouses. b. Health care payment and remittance advice. This transaction may be used by a health plan to make a payment to a financial institution for a health care provider (sending payment only), to send an explanation of benefits or a remittance advice directly to a health care provider (sending data only), or to make payment and send an explanation of benefits remittance advice to a health care provider via a financial institution (sending both payment and data). c. Coordination of benefits. This transaction can be used to transmit health care claims and billing payment information between health plans with different payment responsibilities where coordination of benefits is required or between health plans and regulatory agencies to monitor the rendering, billing, and/or payment of health care services within a specific health care/insurance industry segment. In addition to the nine electronic transactions specified in section 1173(a)(2) of the Act, section 1173(f) directs the Secretary to adopt standards for transferring standard data elements among health plans for coordination of benefits and sequential processing of claims. This particular provision does not state that these should be standards for electronic transfer of standard data elements among health plans. However, we believe that the Congress, when writing this provision, intended for these standards to apply to the electronic form of transactions for coordination of benefits and sequential processing of claims. The Congress expressed its intent on these matters generally in section 1173(a)(1)(B), where the Secretary is directed to adopt ``other financial and administrative transactions . . . consistent with the goals of improving the operation of the health care system and reducing administrative costs''. Adoption of a standard for electronic transmission of standard data elements among health plans for coordination of benefits and sequential processing of claims would serve these goals expressed by the Congress. [[Page 32791]] d. Health claim status. This transaction may be used by health care providers and recipients of health care products or services (or their authorized agents) to request the status of a health care claim or encounter from a health plan. e. Enrollment and disenrollment in a health plan. This transaction may be used to establish communication between the sponsor of a health benefit and the health plan. It provides enrollment data, such as subscriber and dependents, employer information, and primary care health care provider information. The sponsor is the backer of the coverage, benefit, or product. A sponsor can be an employer, union, government agency, association, or insurance company. The health plan refers to an entity that pays claims, administers the insurance product or benefit, or both. f. Eligibility for a health plan. This transaction may be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber's policy. It also can be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and health plans) to information receivers (such as physicians, hospitals, third party administrators, and government agencies). g. Health plan premium payments. This transaction may be used by, for example, employers, employees, unions, and associations to make and keep track of payments of health plan premiums to their health insurers. This transaction may also be used by a health care provider, acting as liaison for the beneficiary, to make payment to a health insurer for coinsurance, copayments, and deductibles. h. Referral certification and authorization. This transaction may be used to transmit health care service referral information between primary care health care providers, health care providers furnishing services, and health plans. It can also be used to obtain authorization for certain health care services from a health plan. i. First report of injury. This transaction may be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements. j. Health claims attachments. This transaction may be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review. k. Other transactions as the Secretary may prescribe by regulation. Under section 1173(a)(1)(B) of the Act, the Secretary shall adopt standards, and data elements for those standards, for other financial and administrative transactions deemed appropriate by the Secretary. These transactions would be consistent with the goals of improving the operation of the health care system and reducing administrative costs. C. Effective Dates--General In general, any given standard would be effective 24 months after the effective date (36 months for small health plans) of the final rule for that standard. Because there are other standards to be established than those in this proposed rule, we specify the date for a given standard under the subpart for that standard. If HHS adopts a modification to an implementation specification or a standard, the implementation date of the modification would be no earlier than the 180th day following the adoption of the modification. HHS would determine the actual date, taking into account the time needed to comply due to the nature and extent of the modification. HHS would be able to extend the time for compliance for small health plans. This provision would be at Sec. 142.106. The law does not address scheduling of implementation of the standards; it gives only a date by which all concerned must comply. As a result, any of the health plans, health care clearinghouses, and health care providers may implement a given standard earlier than the date specified in the subpart created for that standard. We realize that this may create some problems temporarily, as early implementers would have to be able to continue using old standards until the new ones must, by law, be in place. At the WEDI Healthcare Leadership Summit held on August 15, 1997, it was recommended that health care providers not be required to use any of the standards during the first year after the adoption of the standard. However, willing trading partners could implement any or all of the standards by mutual agreement at any time during the 2-year implementation phase (3-year implementation phase for small health plans). In addition, it was recommended that a health plan give its health care providers at least 6 months notice before requiring them to use a given standard. We welcome comments specifically on early implementation as to the extent to which it would cause problems and how any problems might be alleviated. D. Employer Identifier Standard [Please label written and e-mailed comments about this section with the subject: EIN STANDARD.] Section 142.602, Employer identifier standard, would contain the employer identifier standard. There is no recognized standard for employer identification as defined in the law. That is, there is no standard that has been developed, adopted, or modified by a standard setting organization after consultation with the National Uniform Billing Committee, the National Uniform Claim Committee, WEDI, and the American Dental Association. Therefore, we would designate a new standard. We are proposing as the standard the employer identification number (EIN), which is assigned by the Internal Revenue Service (IRS), Department of the Treasury. The EIN is defined in 26 CFR 301.7701-12. We would define ``Employer identification number'' (EIN) as 26 CFR 301.7701-12 does: ``Employer identification number'' is the taxpayer identifying number of an individual or other person (whether or not an employer) that is assigned pursuant to 26 U.S.C. 6011(b) or corresponding provisions of prior law, or pursuant to 26 U.S.C. 6109, and in which nine digits are separated by a hyphen, as follows: 00-0000000. 1. Selection Criteria The implementation team used the criteria described in section I.B., Process for Developing National Standards, to evaluate the EIN as a candidate for the employer identifier standard. Criteria #1, #2, #4, and #6--The team found that the EIN met these criteria in that it is a nationally defined and assigned employer identifier and is the most widely used employer identifier in the United States. Criteria #3 and #5--The team found that the EIN met these criteria in that it is an identifier that is already in use in the Accredited Standards Committee (ASC) X12N Insurance Subcommittee electronic transactions that require an employer identifier, including the transactions used for the Health Claim, Enrollment and Disenrollment in a Health Plan, Eligibility for a Health Plan, and Health Plan Premium Payment. Criterion #7--The team found that the EIN met criterion #7 in that it is technologically independent of [[Page 32792]] computer platforms and transmission protocols. Criterion #8--The team found that the EIN met criterion #8 in that it is a relatively short identifier that would fit into many existing formats. Criterion #9--The team found that the EIN met criterion #9 in that it is an identifier already assigned to each employer for tax identification purposes. Its adoption as a standard would not result in additional data collection or paperwork burdens on users. Criterion #10--The team found that the EIN met criterion #10 in that it is flexible enough to identify any employer, regardless of services, organization, or provider type. 2. Other Identifiers We initially considered whether the PAYERID, the 9 position numeric identifier developed by HCFA as the unique identifier for health plans, could be used as the employer identifier. Since all employers are already enumerated by EIN, an entirely new employer identifier would require everyone to convert to a new identifier in addition to the EIN, which would still be used. Another key drawback to the use of the PAYERID as the employer identifier is the fact that the PAYERID numbering scheme does not have sufficient numbers available to enumerate all health plans and all employers. In addition, PAYERID's data capabilities were developed based on the data requirements for health plans, which are not the same as those for employers. Based on these limitations, the team believed that the PAYERID would not meet criteria #1, #2, #4, #9, and #10 and would not be acceptable as a candidate for the employer identifier. The EIN is the most widely used employer identifier in the claim, enrollment and disenrollment for a health plan, eligibility for a health plan and health plan premium payment transactions. The D-U-N-S number and the D-U-N-S+4 number, maintained by Dun & Bradstreet, are sometimes used to identify business entities including employers in these transactions (primarily in premium payment transactions), but the EIN is used to a far greater extent than any other identifier to identify the employer of a participant. Since the D-U-N-S and D-U-N-S+4 numbers were not widely used in the claim, the enrollment and disenrollment in a health plan, and the eligibility for a health plan transactions, the team believed that these numbers did not meet criteria #1, #2, #4, and #9 and were less appropriate than the EIN as candidates for the employer identifier. Because of the widespread use of the EIN to identify the employer in health transactions, we selected the EIN as the national employer identifier standard for use in those electronic health transactions that require an employer identifier. Since the IRS is responsible for issuing the EIN, we consulted with the IRS on the legality and feasibility of using the EIN as the standard employer identifier for electronic health transactions. On September 11, 1997, we forwarded our request for IRS concurrence, and on January 16, 1998, IRS concurred. Although the EIN is not confidential, some employers may not wish to supply the EIN because it is their tax identifying number. We welcome comments on this issue and on any other possible problems that the use of the EIN would cause for employers or others who would need to obtain and use the EIN in their electronic health transactions. E. Requirements [Please label written and e-mailed comments about this section with the subject: Requirements] We note that the law does not bind employers to use the standard. However, providers, health plans, and health care clearinghouses are bound to use the standard in electronic health transactions. Any individual or other entity that needs to know an employer's EIN for use in electronic health transactions would obtain it directly from the employer. The EIN is not considered confidential and it may be freely used and exchanged by employers and others. 1. Health Plans In Sec. 142.604, Requirements: Health plans, we would require health plans to accept the EIN on all electronic transactions and transmit the EIN on all electronic transactions that require an employer identifier. Federal agencies and States may place additional requirements on their health plans. 2. Health care clearinghouses We would require in Sec. 142.606 that each health care clearinghouse use the EIN on all electronic transactions that require an employer identifier. 3. Health care providers In Sec. 142.608, Requirements: Health care providers, we would require each health care provider to use the EIN on all transactions, wherever required, that are electronically transmitted. 4. Employers In Sec. 142.610, Requirements: Employers, we would require each employer to disclose its EIN, when requested, to any entity that conducts standard electronic transactions that require that employer's identifier. We believe the authority to require employers to disclose their EINs to entities that are required to use these numbers in electronic health care transactions is implicit in the statutory directive to the Secretary to adopt an employer identification number for use in the health care system. We note that we have been unable to identify any reason for an employer to refuse to furnish the number to an entity that conducts electronic health care transactions since the EIN, unlike the social security number, is not information about a person. We note too that access to the EIN does not give access to specific tax information. F. Effective Dates of the Employer Identifier Health plans would be required to comply with our requirements as follows: 1. Each health plan that is not a small health plan would have to comply with the requirements of Secs. 142.104 and 142.604 no later than 24 months after publication of the final rule. 2. Each small health plan would have to comply with the requirements of Secs. 142.104 and 142.604 no later than 36 months after the date of publication of the final rule. 3. If HHS adopts a modification to a standard or implementation specification, the implementation date of the modification would be no earlier than the 180th day following the adoption of the modification. HHS would determine the actual date, taking into account the time needed to comply due to the nature and extent of the modification. HHS would be able to extend the time for compliance for small health plans. Failure to comply with standards may well result in monetary penalties. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement. We will propose enforcement procedures in a future Federal Register document once the industry has more experience with using the standards. [[Page 32793]] III. Implementation of the Employer Identification Standard [Please label written and e-mailed comments about this section with the subject: Implementation] A. Obtaining an EIN The Internal Revenue Service maintains the process for assigning EINs. A business can obtain an EIN by submitting, to the Internal Revenue Service, Internal Revenue Service Form SS-4, Application for Employer Identification Number. Any business that pays wages to one or more employees is required to have an EIN as its tax identifying number. A sole proprietor who has no employees and who files no excise or pension tax returns is the only business person who does not need to have an EIN as the tax identifying number. We believe that there would be few, if any, employers that would not have an EIN for tax identifying purposes. The EIN is currently the employer identifier in most widespread use in the health claim, the enrollment and disenrollment in a health plan, the eligibility for a health plan, and the health plan premium payment transactions. If they conduct administrative health transactions electronically, health care providers, health care clearinghouses, and health plans would have to obtain and use the EIN on all electronic transactions that require an employer identifier. Employers are not required by subtitle F of HIPAA to use the EIN or conduct standard electronic health transactions. However, we believe that many employers will find that it will be to their advantage and will choose to do so. B. Organizations with Multiple EINs We are aware that some organizations have more than one EIN. We seek comment from the public on whether it is important, in order to avoid confusion and achieve administrative simplification, that one of these EINs be used consistently in health transactions. If use of one EIN is desirable, how should it be chosen? C. Approved Uses Two years after adoption of this standard (3 years for small health plans) the EIN must be used as the employer identifier in the health- related financial and administrative transactions identified in section 1173(a) that require an employer identifier. The approved uses of the EIN are detailed in 26 U.S.C. 6109 (i.e., income tax purposes and for purposes of implementing certain provisions of the Food Stamp Act of 1977 and the Federal Crop Insurance Act). It may not be used in any activity otherwise prohibited by law. The use of the EIN for the purposes specified in this proposed rule is covered under the current approved uses for the EIN. Examples of approved uses included in this proposed rule are: Health care providers submitting health claims to health plans electronically would use the EIN to identify the employers of the participants in the health plan. Employers would use their EINs to identify themselves in electronic transactions making health plan premium payments to health plans on behalf of their employees. Employers and health care providers would use the EIN to identify the employer as the source or receiver of information about eligibility. Employers would use their EINs to identify themselves in electronic transactions to enroll or disenroll their employees in a health plan. IV. New and Revised Standards [Please label written and e-mailed comments about this section with the subject: Revisions.] To encourage innovation and promote development, we intend to develop a process that would allow an organization to request a revision or replacement to any adopted standard or standards. An organization could request a revision or replacement to an adopted standard by requesting a waiver from the Secretary of Health and Human Services to test a revised or new standard. The organization must, at a minimum, demonstrate that the revised or new standard offers an improvement over the adopted standard. If the organization presents sufficient documentation that supports testing of a revised or new standard, we want to be able to grant the organization a temporary waiver to test while remaining in compliance with the law. The waiver would be applicable to standards that could change over time; for example, transaction standards. We do not intend to establish a process that would allow an organization to avoid using any adopted standard. We would welcome comments on the following: (1) How we should establish this process, (2) the length of time a proposed standard should be tested before we decide whether to adopt it, (3) whether we should solicit public comments before implementing a change in a standard, and (4) other issues and recommendations we should consider in developing this process. Following is one possible process: Any organization that wishes to revise or replace an adopted standard must submit its waiver request to an HHS evaluation committee (not currently established or defined). The organization must do the following for each standard it wishes to revise or replace: + Provide a detailed explanation, no more than 10 pages in length, of how the revision or replacement would be a clear improvement over the current standard in terms of the principles listed in section I.B., Process for developing national standards, of this preamble. + Provide specifications and technical capabilities on the revised or new standard, including any additional system requirements. + An explanation, no more than 5 pages in length, of how the organization intends to test the standard. The committee's evaluation would, at a minimum, be based on the following: + A cost-benefit analysis. + An assessment of whether the proposed revision or replacement demonstrates a clear improvement to an existing standard. + The extent and length of time of the waiver. The evaluation committee would inform the organization requesting the waiver within 30 working days of the committee's decision on the waiver request. If the committee decides to grant a waiver, the notification may include the following: + Committee comments such as the following: - The length of time for which the waiver applies if it differs from the waiver request. - The sites the committee believes are appropriate for testing if they differ from the waiver request. - Any pertinent information regarding the conditions of an approved waiver. Any organization that receives a waiver would be required to submit a report containing the results of the study, no later than 3 months after the study is completed. The committee would evaluate the report and determine whether the benefits of the proposed revision or new standard significantly outweigh the disadvantages of implementing it and make a recommendation to the Secretary. V. Collection of Information Requirements Under the Paperwork Reduction Act of 1995, we are required to provide 60-day notice in the Federal Register and [[Page 32794]] solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995 requires that we solicit comment on the following issues: The need for the information collection and its usefulness in carrying out the proper functions of our agency. The accuracy of our estimate of the information collection burden. The quality, utility, and clarity of the information to be collected. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques. Section 142.604 Requirements: Health plans Health plans would be required to accept the EIN on all electronic transactions and transmit the EIN on all electronic transmissions that require an employer identifier. Section 3142.608 Requirements: Health care providers Each health care provider would be required to obtain and use the EIN of the employer on all electronically transmitted standard transactions that require it. Section 142.610 Requirements: Employers. Each employer would have to disclose its EIN, when requested, to any entity that conducts standard electronic transactions that require that employer's identifier. Discussion The emerging and increasing use of health care EDI standards and transactions raises the issue of the applicability of the PRA. The question arises whether a regulation that adopts an EDI standard used to exchange certain information constitutes an information collection subject to the PRA. However, for the purpose of soliciting useful public comment we provide the following burden estimates. In particular, the initial burden on the estimated 4 million health plans and 1.2 million health care providers to modify their current computer systems software would be 2 hours/$60 per entity, for a total burden of 10.4 million hours/$312 million. While this burden estimate may appear low, on average, we believe it to be accurate. This is based on the assumption that these and the other burden calculations associated with HIPAA administrative simplification systems modifications may overlap and is also based on the overwhelming extent to which the EIN is already in use in the health care community. This average also takes into consideration that (1) this standard may not be used by several of the entities included in the estimate, (2) this standard may already be in use by several of the entities included in the estimate, (3) modifications may be performed in an aggregate manner during the course of routine business and/or, (4) modifications may be made by contractors, such as practice management vendors, in a single effort for a multitude of affected entities. We invite public comment on the issues discussed above. If you comment on these information collection and recordkeeping requirements, please e-mail comments to JBurke1@hcfa.gov (Attn:HCFA-0047) or mail copies directly to the following: Health Care Financing Administration, Office of Information Services, Information Technology Investment Management Group, Division of HCFA Enterprise Standards, Room C2-26-17, 7500 Security Boulevard, Baltimore, MD 21244-1850 Attn: John Burke HCFA-0047, HCFA Reports Clearance Officer And, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503, Attn: Allison Herron Eydt, HCFA Desk Officer. VI. Response to Comments Because of the large number of items of correspondence we normally receive on Federal Register documents published for comment, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the DATES section of this preamble, and, if we proceed with a subsequent document, we will respond to the comments in the preamble to that document. VII. Impact Analysis As the effect of any one standard is affected by the implementation of other standards, it can be misleading to discuss the impact of one standard by itself. Therefore, we did an impact analysis on the total effect of all the standards in the proposed rule concerning the national provider identifier (HCFA-0045-P), which can be found at 63 FR 25320. We intend to publish in each proposed rule an impact analysis that is specific to the standard or standards proposed in that rule, but the impact analysis will assess only the relative cost impact of implementing a given standard. As stated in the general impact analysis in HCFA-0045-P, we do not intend to associate costs and savings to specific standards. Although we cannot determine the specific economic impact of the standard being proposed in this rule (and individually each standard may not have a significant impact), the overall impact analysis makes clear that, collectively, all the standards will have a significant impact of over $100 million on the economy. Also, while each standard may not have a significant impact on a substantial number of small entities, the combined effects of all the proposed standards may have a significant effect on a substantial number of small entities. Therefore, the following impact analysis should be read in conjunction with the overall impact analysis. Unfunded Mandates This proposed rule has been reviewed in accordance with the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1501 et seq.) and Executive Order 12875. As discussed in the combined impact analysis to which we refer above (see 63 FR 25320), HHS estimates that implementation of the standards will require the expenditure of more than $100 million by the private sector. Therefore, the rule establishes a Federal private sector mandate and is a significant regulatory action within the meaning of section 202 of UMRA (2 U.S.C. 1532). HHS has included this statement to address the anticipated effects of the proposed rules pursuant to section 202. These standards also apply to State and local governments in their roles as health plans or health care providers. Thus, the proposed rules impose unfunded mandates on these entities. While we do not have sufficient information to provide estimates of these impacts, several State Medicaid agencies have estimated that it would cost $1 million per State or territory to implement all of the HIPAA standards. However, the costs that these standards impose on these entities are well below the UMRA section threshold that will require additional analysis and consultation; the Congressional Budget Office analysis stated that ``States are already in the forefront in administering the Medicaid program electronically; the only costs--which should not be significant--would involve bringing the software and computer systems for the [[Page 32795]] Medicaid programs into compliance with the new standards.'' The anticipated benefits and costs of this proposed standard, and other issues raised in section 202 of the UMRA, are addressed in the analysis below and in the combined impact analysis. In addition, pursuant to section 205 of the UMRA (2 U.S.C. 1535), having considered a reasonable number of alternatives as outlined in the preamble to this rule and in the following analysis, HHS has concluded that the rule is the most cost-effective alternative for implementation of HHS's statutory objective of administrative simplification. Executive Order 12866 In accordance with the provisions of Executive Order 12866, this proposed rule was reviewed by the Office of Management and Budget. Specific Impact of Employer Identifier This is the portion of the impact analysis that relates specifically to the standard that is the subject of this regulation-- the employer identifier. This section describes specific impacts that relate to the employer identifier. However, as we indicated in the introduction to this impact analysis, we do not intend to associate costs and savings to specific standards. 1. Affected Entities a. Health Care Providers Health care providers that conduct electronic transactions with health plans would have to obtain and use the EIN to identify the employer in those electronic transactions that require an employer identifier. In most cases health care providers currently obtain and use the EIN of the employer in those transactions that require an employer identifier. Any negative impact on health care providers generally would be related to the initial implementation period for providers that currently use an identifier other than the EIN to identify the employer in electronic transactions. They would incur implementation costs for converting systems from other employer identifiers to the EIN. Some health care providers would incur those costs directly and others would incur them in the form of fee increases from billing agents and health care clearinghouses. b. Health Care Plans Health care plans that engage in electronic commerce would have to modify their systems to use the EIN if they do not currently use the EIN to identify the employer in electronic transactions that require an employer identifier. In most cases health care plans currently obtain and use the EIN of the employer in those transactions that require an employer identifier. The conversion for health plans currently using an employer identifier other than the EIN would have a one-time cost impact. c. Health Care Clearinghouses Health care clearinghouses would have to modify their systems to transmit the EIN if they do not currently use the EIN to identify the employer in electronic transactions that require an employer identifier. In most cases health care clearinghouses currently obtain and use the EIN of the employer in those transactions that require an employer identifier. The conversion for health care clearinghouses currently using an employer identifier other than the EIN would have a one-time cost impact. d. Employers Each employer would have to disclose its EIN, when requested, to any entity that conducts standard electronic transactions that require the employer's identifier. Entities that conduct electronic transactions that require an employer identifier commonly obtain that identifier from the employer as a normal business practice. This practice would not change. Any impact on employers would be the one- time impact to disclose the EIN to entities that have previously used a different identifier for that individual. 2. Effects of Various Options a. Guiding Principles for Standard Selection The implementation teams charged with designating standards under the statute have defined, with significant input from the health care industry, a set of common criteria for evaluating potential standards. These criteria are based on direct specifications in the HIPAA, the purpose of the law, and principles that support the regulatory philosophy set forth in Executive Order 12866 of September 30, 1993, and the Paperwork Reduction Act of 1995. In order to be designated as a standard, a proposed standard should: Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic HIPAA health care transactions. This principle supports the regulatory goals of cost-effectiveness and avoidance of burden. Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses. This principle supports the regulatory goal of cost-effectiveness. Be consistent and uniform with the other HIPAA standards-- their data element definitions and codes and their privacy and security requirements--and, secondarily, with other private and public sector health data standards. This principle supports the regulatory goals of consistency and avoidance of incompatibility, and it establishes a performance objective for the standard. Have low additional development and implementation costs relative to the benefits of using the standard. This principle supports the regulatory goals of cost-effectiveness and avoidance of burden. Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time. This principle supports the regulatory goal of predictability. Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster. This principle establishes a performance objective for the standard. Be technologically independent of the computer platforms and transmission protocols used in HIPAA health transactions, except when it is explicitly part of the standard. This principle establishes a performance objective for the standard and supports the regulatory goal of flexibility. Be precise and unambiguous, but as simple as possible. This principle supports the regulatory goals of predictability and simplicity. Keep data collection and paperwork burdens on users as low as is feasible. This principle supports the regulatory goals of cost- effectiveness and avoidance of duplication and burden. Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology. This principle supports the regulatory goals of flexibility and encouragement of innovation. We assessed the various options for an employer identifier against the principles listed above, with the overall goal of achieving the maximum benefit for the least cost. We found that the EIN met all the principles. No other candidate employer identifier is in widespread use. No other candidate met a majority of the principles, especially those principles supporting the regulatory goal of cost-effectiveness. We are assessing the costs and benefits of [[Page 32796]] the EIN, but we did not assess the costs and benefits of other identifier options, because they did not meet the guiding principles. b. Need to Convert All health care providers, health plans, and health care clearinghouses that do not currently use the EIN to identify the employer in electronic health transactions that require an employer identifier would have to convert. Because the EIN is currently in widespread use as an employer identifier throughout the industry, adopting the EIN would not require conversion for most health care providers, health plans or health care clearinghouses. The selection of the EIN imposes a far smaller burden on the industry than any nonselected option and presents significant advantages in terms of cost-effectiveness, universality, and flexibility. c. Complexity of Conversion The EIN does not contain embedded intelligence. For those providers, health plans, and health care clearinghouses that must convert to use the EIN, the complexity of the conversion would be significantly affected by the degree to which their processing systems currently rely on intelligent employer identifiers. Converting from one unintelligent identifier to another is less complex than modifying software logic to obtain needed information from other data elements. However, the use of an unintelligent identifier like the EIN is required in order to meet the guiding principle of assuring flexibility. In general, the shorter the identifier, the easier it is to implement. It is more likely that a shorter identifier, such as the EIN, would fit into existing data formats. The selection of the EIN does not impose a greater burden on the industry in terms of the complexity of conversion than the nonselected options. List of Subjects in 45 CFR Part 142 Administrative practice and procedure, Health facilities, Health insurance, Hospitals, Medicaid, Medicare, Reporting and recordkeeping requirements. Accordingly, 45 CFR subtitle A, subchapter B, would be amended by adding Part 142 to read as follows: Note to Reader: This proposed rule is one of several proposed rules that are being published to implement the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996. We propose to establish a new 45 CFR Part 142. Proposed Subpart A--General Provisions is exactly the same in each rule unless we have added new sections or definitions to incorporate additional general information. The subparts that follow relate to the specific provisions announced separately in each proposed rule. When we publish the first final rule, each subsequent final rule will revise or add to the text that is set out in the first final rule. PART 142--ADMINISTRATIVE REQUIREMENTS Subpart A--General Provisions Sec. 142.101 Statutory basis and purpose. 142.102 Applicability. 142.103 Definitions. 142.104 General requirements for health plans. 142.105 Compliance using a health care clearinghouse. 142.106 Effective date of a modification to a standard or implementation specification. Subparts B--E [Reserved] Subpart F--National Employer Identifier Standard 142.602 National employer identifier standard. 142.604 Requirements: Health plans. 142.606 Requirements: Health care clearinghouses. 142.608 Requirements: Health care providers. 142.610 Requirements: Employers. 142.612 Effective dates of the initial implementation of the national employer identifier standard. Authority: Sections 1173 and 1175 of the Social Security Act (42 U.S.C. 1320d-2 and 1320d-4). 4 Subpart A--General Provisions Sec. 142.101 Statutory basis and purpose. Sections 1171 through 1179 of the Social Security Act, as added by section 262 of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191, 110 Stat. 2021), require HHS to adopt national standards for the electronic exchange of health information in the health care system. The purpose of these sections is to promote administrative simplification. Sec. 142.102 Applicability. (a) The standards adopted or designated under this part apply, in whole or in part, to the following: (1) A health plan. (2) A health care clearinghouse when doing the following: (i) Transmitting a standard transaction (as defined in Sec. 142.103) to a health care provider or health plan. (ii) Receiving a standard transaction from a health care provider or health plan. (iii) Transmitting and receiving the standard transactions when interacting with another health care clearinghouse. (3) A health care provider when transmitting an electronic transaction as defined in Sec. 142.103. (b) Means of compliance are stated in greater detail in Sec. 142.105. Sec. 142.103 Definitions. For purposes of this part, the following definitions apply: Code set means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. Employer means the following: (1) The entity for whom an individual performs or performed any service, of whatever nature, as the employee of that entity except that: (i) If the entity for whom the individual performs or performed the services does not have control of the payment of wages for those services, the term ``employer'' means the entity having control of the payment of the wages; and (ii) In the case of an entity paying wages on behalf of a nonresident alien individual, foreign partnership, or foreign corporation, not engaged in trade or business within the United States, the term ``employer'' means that entity. (2) Any entity acting directly as an employer, or indirectly in the interest of an employer, in relation to an employee benefit plan and includes a group or association of employers acting for an employer in that capacity. Health care clearinghouse means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The entity receives health care transactions from health care providers, health plans, other entities, or other clearinghouses, translates the data from a given format into one acceptable to the intended recipient, and forwards the processed transaction to the appropriate recipient. Billing services, repricing companies, community health management information systems, community health information systems, and ``value- added'' networks and switches that perform these functions are considered to be health care clearinghouses for purposes of this part. Health care provider means a provider of services as defined in section 1861(u) of the Social Security Act, 42 U.S.C. 1395x, a provider of medical or other health services as defined in section 1861(s) of the Social Security Act, 42 U.S.C. 1395x, and any other person who furnishes or bills and is paid for health care services or [[Page 32797]] supplies in the normal course of business. Health information means any information, whether oral or recorded in any form or medium, that-- (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Health plan means an individual or group plan that provides, or pays the cost of, medical care. Health plan includes the following, singly or in combination: (1) Group health plan. Group health plan is an employee welfare benefit plan (as currently defined in section 3(1) of the Employee Retirement Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise, and-- (i) Has 50 or more participants; or (ii) Is administered by an entity other than the employer that established and maintains the plan. (2) Health insurance issuer. A health insurance issuer is an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. (3) Health maintenance organization. A health maintenance organization is a Federally qualified health maintenance organization, an organization recognized as a health maintenance organization under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. (4) Part A or Part B of the Medicare program under title XVIII of the Social Security Act. (5) The Medicaid program under title XIX of the Social Security Act. (6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Social Security Act, 42 U.S.C. 1395ss). (7) A long-term care policy, including a nursing home fixed- indemnity policy. (8) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. (9) The health care program for active military personnel under title 10 of the United States Code. (10) The veterans health care program under 38 U.S.C. chapter 17. (11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4). (12) The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.). (13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89. (14) Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care. Medical care means the diagnosis, cure, mitigation, treatment, or prevention of disease, or amounts paid for the purpose of affecting any body structure or function of the body; amounts paid for transportation primarily for and essential to these items; and amounts paid for insurance covering the items and the transportation specified in this definition. Participant means any employee or former employee of an employer, or any member or former member of an employee organization, who is or may become eligible to receive a benefit of any type from an employee benefit plan that covers employees of that employer or members of such an organization, or whose beneficiaries may be eligible to receive any of these benefits. ``Employee'' includes an individual who is treated as an employee under section 401(c)(1) of the Internal Revenue Code of 1986 (26 U.S.C. 401(c)(1)). Small health plan means a group health plan or an individual health plan with fewer than 50 participants. Standard means a set of rules for a set of codes, data elements, transactions, or identifiers promulgated either by an organization accredited by the American National Standards Institute or HHS for the electronic transmission of health information. Transaction means the exchange of information between two parties to carry out the financial and administrative activities related to health care. It includes the following: (1) Health claims or equivalent encounter information. (2) Health care payment and remittance advice. (3) Coordination of benefits. (4) Health claims status. (5) Enrollment and disenrollment in a health plan. (6) Eligibility for a health plan. (7) Health plan premium payments. (8) Referral certification and authorization. (9) First report of injury. (10) Health claims attachments. (11) Other transactions as the Secretary may prescribe by regulation. Sec. 142.104 General requirements for health plans. If a person conducts a transaction (as defined in Sec. 142.103) with a health plan as a standard transaction, the following apply: (a) The health plan may not refuse to conduct the transaction as a standard transaction. (b) The health plan may not delay the transaction or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction. (c) The health information transmitted and received in connection with the transaction must be in the form of standard data elements of health information. (d) A health plan that conducts transactions through an agent must assure that the agent meets all the requirements of this part that apply to the health plan. Sec. 142.105 Compliance using a health care clearinghouse. (a) Any person or other entity subject to the requirements of this part may meet the requirements to accept and transmit standard transactions by either-- (1) Transmitting and receiving standard data elements; or (2) Submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse and receiving standard data elements through the health care clearinghouse. (b) The transmission, under contract, of nonstandard data elements between a health plan or a health care provider and its agent health care clearinghouse is not a violation of the requirements of this part. Sec. 142.106 Effective date of a modification to a standard or implementation specification. HHS may modify a standard or implementation specification after the first year in which HHS requires the standard or implementation specification to be used, but not more frequently than once every 12 months. If HHS adopts a modification to a standard or implementation specification, the implementation date [[Page 32798]] of the modified standard or implementation specification may be no earlier than 180 days following the adoption of the modification. HHS determines the actual date, taking into account the time needed to comply due to the nature and extent of the modification. HHS may extend the time for compliance for small health plans. Subparts B-E [Reserved] Subpart F--National Employer Identifier Standard Sec. 142.602 National employer identifier standard. The employer identifier standard that must be used under this subpart is the employer identification number (EIN), which is the taxpayer identifying number of an individual or other entity (whether or not an employer) that is assigned pursuant to 26 U.S.C. 6011(b), or corresponding provisions of prior law, or pursuant to 26 U.S.C. 6109, and in which nine digits are separated by a hyphen, as follows: 00- 0000000. The EIN is assigned by the Internal Revenue Service, U.S. Department of the Treasury. Sec. 142.604 Requirements: Health plans. Each health plan must accept and transmit the national employer identifier of any employer that must be identified by the national employer identifier in any standard transaction. Sec. 142.606 Requirements: Health care clearinghouses. Each health care clearinghouse must use the national employer identifier of any employer that must be identified by the national employer identifier in any standard transaction. Sec. 142.608 Requirements: Health care providers. Each health care provider must use the national employer identifier wherever required on all transactions the health care provider transmits electronically. Sec. 142.610 Requirements: Employers. Each employer must disclose its EIN, when requested, to any entity that conducts standard electronic transactions that require that employer's identifier. Sec. 142.612 Effective dates of the initial implementation of the national employer identifier standard. (a) Health plans. (1) Each health plan that is not a small health plan must comply with the requirements of Secs. 142.104 and 142.604 by [24 months after the effective date of the final rule in the Federal Register]. (2) Each small health plan must comply with the requirements of Secs. 142.104 and 142.604 by [36 months after the effective date of the final rule in the Federal Register]. (b) Health care clearinghouses and health care providers. Each health care clearinghouse and health care provider must begin using the standard specified in Sec. 142.602 by [24 months after the effective date of the final rule in the Federal Register]. Dated: April 17, 1998. Donna E. Shalala, Secretary. [FR Doc. 98-15782 Filed 6-15-98; 8:45 am] BILLING CODE 4120-01-P