MR. MOORE: The purpose of the provisions, if you all didn't know, was to improve the efficiency and effectiveness of the health care system to our experiences, and HCFA and a number of people in the department have been working with the standard organizations, trying to achieve this for some time. We never expected the legislation; it was a surprise to us. It was a pleasant surprise in many ways, and it has become a burden in many ways.
It is to develop the transactions that are required to do electronic commerce, as I call it, between the principals, that is, the payers and providers in the health care business, and to protect the security and privacy of that information as it is transmitted and stored in different places along the way.
The Secretary was given the job. Prior to this, and one reason the Secretary got this mainly, back from the health care reform days, NIH was working on many aspects of this, including privacy and security. The Vice President back in March of '95 tapped the Secretary to be responsible for some of these things. When the legislation came out, it didn't surprise us to see that the Congress continued that with the standard transactions, the identifiers, and code sets, and security and privacy, which she was already being tapped for.
It will affect all health plans and clearinghouses, and the next statement is, and those providers who choose to conduct these transactions electronically. It will all be required, and I want to make sure that is clear. The standards are going to be required of all plans and clearinghouses, and only the providers who elect to do this business electronically. If the providers choose to do it still on paper, then the standards do not all apply to them. They will stay with the same standards that have been there, if there were any, in the past.
The standards will supersede most contrary provisions of state law. So these will be mandated to all. The legislation also expanded the scope and the membership of the National Committee on Vital and Health Statistics, which is an advisory body to the Secretary of health data issues.
The civil and criminal penalties that are prescribed in the law cover two areas. One, penalties for violating the standards and penalties for wrongful release of information concerning identifiable data.
In dealing with our Office of General Counsel, the penalties have been interpreted by many to be -- some have said that it is a $25,000 penalty. That is not necessarily true. It is $25,000 maximum per standard. Don't forget, there are ten transactions for identifiers, there are security standards as well, and code standards. So the violation could be mounted up to a sizeable amount, depending upon the organization and whether or not they used some or all of the standards.
For privacy within the law, the law is far more onerous on those who have been found not to comply with it, and you can see the penalty there being $50,000 to $250,000 and one to ten years in jail. One of the things that I have said is that this puts into the law a similar law that is imposed on federal employees for protection of privacy for health care information.
The transactions that were prescribed are going to be covered today. They will be covered in two different presentations. We tried to break them. These are the five here and five other ones here. We tried to break those into two groups, those that are related to claims and claims activity, and those that are related to individuals like enrollment, dis-enrollment, et cetera, and we will be covering the detail of where we are on that.
For unique identifiers, the four identified here, two are being worked on in HCFA. The individuals is yet to be worked on. That will be covered in greater detail, where we are. Employers' health plans and health care providers are two that we will go into in some depth today.
Code sets. There are two issues with the code sets. We are working with each of the teams. The code sets that are not medical or procedural are going to be worked with the teams as a separate group that is going to report today on the medical code set and where we are in coming up with a standard code set for procedures and diagnoses.
Security is one of the other supporting standards. It will include the confidentiality, privacy and electronic signatures. Low cost distribution mechanism. We are working to develop a mechanism that will allow you to pull the standards down off of a web, as low cost as possible. Our goal is to make it free, if possible, but that is yet to be decided, and it is not fully functional at this time in that method. The standards will be available at Washington Publishing on their website.
Time frame. The transaction sets, we are still shooting for February of '98 to have them adopted by the Secretary. Some of the barriers to getting that accomplished by this time is getting that through our Office of Management and Budget and back to the Secretary once it is released from the department. We feel confident that we can achieve that. The teams that have been established -- one that I will go into shortly -- has representatives from the Office of Management and Budget, which reviews all regs, and they have worked with us, so when the reg hits the Office of Management and Budget, they will not be totally surprised with what is there. They will understand the rationale and a lot of the thinking that went behind it within the department.
It says, HHS adopts claims standards. That is the claims attachment standard that we see out there in February of '99. That is one of the ten standards that we were given additional time to do. There is a special work group that has been created within X12 and HL7 to work on that standard, and trying to not be pressed like we are now in order to come up with a viable standard.
The goal is still February of the year 2000 that we will implement these standards. There is a lot of work that has to be done by you all, once the standards have been adopted between February of '98 and 2000, and we have gotten a lot of comments about the feasibility or the advisability of sticking with that date.
The process that we followed in general said that we looked at the SDOs and what was there in the marketplace and what had been developed, that was prescribed into law. We received from the health care informatics standards board back in February a compilation of all the work that was either accomplished, underway, or even being contemplated by the SDO for the future. This was a atomic bomb survivor document, about 250 pages. It is available to those who want to see it from ANSE. It served as our basis and our starting point as to what was available.
In doing the work, the law gave the Secretary the authority that she could not accept an SDO standard if she found that it was burdensome or it was expensive to process the data. If there were another way that was administratively cheaper and when compared to the other, we had the authority to go in that direction. Where we did that, the team will discuss how we went about making that decision, what the rationale for the choice was, and how we arrived at it.
If no SDO had adopted or was working or even contemplated the standard, the Secretary had the authority then to move into that area to do the groundwork that would become the basis for developing the standard, establishing it and explaining it and getting it into the community.
There were four organizations that were defined in the legislation that we are required to deal with. It so happens that the department and HCFA and others within the department were already dealing with many of these organizations prior to the legislation. The national uniform billing committee, the national uniform claims committee, the work group for electronic data interchange and the American Dental Association were those four.
All through this process, we have worked with them quite closely. We have representatives on all but the ADA. I don't believe that we have worked as closely with the ADA, but on the other three we have been working with them for at least -- on the NUBC and NUCC, since their existence, and on the WEDI we were part of the original work group that was created in '92 by Secretary Sullivan, and we have been on the board ever since.
We have also worked very closely with the National Committee on Vital and Health Statistics, keeping them aware of where we are and what we were doing and how we were accomplishing it, because that was part of the charge in the legislation. The Secretary will rely on their recommendation. The recommendation at the NCVHS is charged with making -- it is a separate independent decision from the teams that were working on this task.
What we did within the department to accomplish this was to establish a three-tier approach, if you will. The first level of this happens to be a group that had been established at least two years ago by the Secretary. That was a department Data Council. This council is made up of the direct reports to the Secretary.
We have also added to this council the Department of Defense and any other federal agency who believe that these standards will affect their activities, and made that offer.
This is a decision making body for these standards. The work that is being done will be and has been presented, as I said earlier. We had a meeting with this Data Council back in June to tell them where we were, a similar presentation as to what you are going to get today. The Data Council provides the senior policy making, and if there are decisions that are a little more political than technical, it would be made by this body as the final decision.
There is a health data standards committee that resides under the Data Council, that reports to the Data Council. Bill Braithewaite and I co-chair that committee. That committee has representatives on it across the federal sector. All the direct reports, NIH, NLM, CDC, FDA, the VA, DoD, OPM, all have representatives on this committee, and the level below that would be the implementation teams.
The teams themselves are going to make the presentations today. Their recommendations have been submitted to the Data Council. We have looked at those decisions, made modifications if we thought it was necessary, and through a consensus process reached a determination as to where we think we should be.
There are six teams that we established in order to address the complexity and breadth of this task. We felt that we had to have a team to look at issues that were cutting across all teams. That is what is called the infrastructure and cross-cutting issues team. This team is responsible for looking at the decisions that are made by each of the teams below them, the dictionary, the data elements, are the data elements the same, similar, et cetera, and handling and coordinating the efforts of the other five teams that are working on the direct standards.
The health insurance claims and encounter team is a team that is working with those transactions that are directly related to the receipt and processing and information concerning the claim.
The other team that is concerned with the transactions is the health insurance enrollment and eligibility team. This would be transactions that are for enrollment, disenrollment, eligibility, first report of injury, authorization, certification.
The fourth team is for all of the identifiers. There were four of those. The 15 concerns, the code sets and classification, and I want to make sure that we understand that this team is looking solely at the medical, procedural and diagnostic coding issues that are used by these transactions. Any code set where there is a data element within a transaction that has the potential for having more than one entry, sex, place of service, type of service, those types of codes are handled by the specific team. We felt that they would be the most knowledgeable to work with that transaction and determine what were the codes that were being proposed and how do they fit in with what was already there. Security and safeguards would be the team covering those recommendations.
The teams were charged with, one, making sure they looked at all the available standards that we had been made aware of, looking at those for candidates, identifying what were their weaknesses or something wrong with the standard as it existed, or if it was in conflict with another standard that performed the same activity or task, and presenting the findings that we had both in the NCVHS and the department. We are making recommendations for the adoption and presentation of those, and we submitted draft regulations to the Secretary and OMB for review and adoption.
Once the process has gotten through OMB and through the department, we will publish the proposed rule in the Federal Register for public comment. These rules we expect to be available at the end of October, beginning of November this year.
The normal comment period of 60 days, we would expect you to have from November through the end of December to comment on these rules and to get back to us, and we would take the remaining part of January and February with which to analyze the rules and prepare a final rule, which would be released the end of February.
One of the things that we did working with X12 to accomplish that first bullet of getting -- I'm sorry, the second bullet, of analyzing the comments, we worked with the X12 work group to identify and establish a work group that will help us with comments for transactions and issues that we are not familiar with in the government, because no one in the government handles that kind of transaction or does that kind of work, in the federal government. We felt that we needed some help and some expertise outside in the community that was responsible for developing some of the standards. So we will be working with them when we get comments in, and they set up a team of the different co-chairs for some of the transactions that are there, to help us with those comments, because a lot of the transactions came from the X12.
We then will distributed the adopted standards, and we expect that to be in February, early March of next year, and implementation guides.
We have also worked with the X12 to develop -- and they have done a lot of work since last September. I would like to thank them for that, to develop implementation guides on all of the transactions that are spelled out in the legislation.
Privacy goals. This may be covered far more fully when Dr. Detmer from the national committee presents the findings of the NCVHS or where they are, gives you an update on that. But I just want to cover some of the overview highlights of the privacy.
One of the things that the legislation tries to do is provide a patient with certain rights, that is, that they have informed consent to release information, that they understand how that information is going to be used potentially, and that they are aware of it. They have access to their own health information and they have the ability to correct erroneous information if they are aware of it, or if it is made known to them.
It establishes a process for exceptions to use the information, for example, and we give some examples there: research, law enforcement, public health, and it limits the amount of information that might be available to any of those entities, and access that might be given to it. It establishes the deterrents and penalties, and I covered those earlier, that one might be subjected to if one were to violate those rules or requirements of the privacy.
The privacy time line has a different time line than the standards that we have gone over briefly before. The department has been working very vigorously on this. The person within the department, John Fanning, before the legislation, he was identified as the privacy advocate. He sits on the Data Council that reports to the Secretary. He serves as the conscience to some degree, making sure that when we talk about data and we talk about information in the department, how we are going to use it, what we are going to use it for, how we are going to acquire it, et cetera, that we are aware that we are dealing with individual information, that the potential for this is very severe. He plays that role at that level. He is also the lead for developing the recommendations that are going to go to the Secretary next month.
He has developed a draft that is circulating within the department for these requirements to go to Congress. We expect to meet that date August of '97. The NCVHS has done a great deal of work in this same area. I think that they will also be making recommendations to the Secretary.
We expect to make the date. Whether Congress will make the date in August of '99 to have legislation on privacy, I can't speak to. That is going to be a very controversial and difficult task for them if they don't and they are unable to reach an agreement or some up with the legislation that is required. I think many of you are aware of the attempts, and what is going on within Congress to do that to date, and where they are on the various pieces of legislation. The task will be kicked back to us, and we have six months with which to develop privacy regulations. those will be released in February of the year 2000, the same date that we are destined to implement the standards that we are going to talk about today.
I want to go over some of the areas that you all have for opportunities to tell us what we should be doing. One, we think that if you are not participating, you should at least be aware or should have some representation with standard development organizations and the work that they are doing. They will affect your business.
We the government, we HCFA and a number of the other payer, industry, provider, et cetera, have been working with this community for quite awhile, and we think that that is one way to have input. The NCVHS has held at least a half a dozen public hearings on these standards, either on privacy or the standards themselves, and that is another way that you can have input.
You can also write to the committee and have input into their determination. Many of you as you well know could write to the Secretary and many of you have written to the Secretary before we have even reached this point about what you think the standards should be or should not be.
Also, you will get an opportunity after all of that input to comment on what we think the standards should be when we put out the notice of proposed rulemaking. Remember, what we come out with in October is not the rule, it is only the proposed rule, and that rule can change, based upon your comment in the latter part of this year.
From my experiences working in the Health Care Financing Administration, when we put out proposed rules, we have changed them as a result of the comments that have come into us from the public.
You can invite the teams. The teams have been on a regular tour in some cases, or representatives from different parts of the team, to meet with the public, to explain what we are doing, to deliberate, and today is just another example of that effort.