Proposal Summary: Entities that offer on-line interactive transmission of the transactions described in section 1173(a)(2) of the Act, would have to comply with the standards (63 FR 25276). For example, the Hypertext Markup Language (HTML) interaction between a server and a browser by which the data elements of a transaction are solicited from a user would not have to use the standards, although the data content must be equal to that required for the standard. Once the data elements are assembled into a transaction by the server, the transmitted transaction would have to comply with the standards.
a. Comment: Several comments recommended that electronic transmissions should be classified as “computer to computer without human interaction” (i.e., batch and fast batch transmissions) and be subject to the national standards. They also recommended that transmissions involving browser to server (Internet, Extranet, HTML, Java, ActiveX, etc.), direct data entry terminals (dumb terminals), PC terminal emulators, point of service terminals (devices similar in function to credit card terminals), telephone voice response systems, “faxback” systems, and any real-time transactions where data elements are directly solicited from a human user, be classified as “person to computer” transmissions. Moreover, “person to computer” transmissions should be supplemental to the national standards, but the data content of these transmissions should comply with the HIPAA electronic standards as they apply to data content.
Several commenters questioned whether HIPAA requires a health plan to support “person to computer” methods. Several commenters suggested that we should only except HTML web sites from the transaction standards if the web browser is used in HTML passive mode without plug-ins or programmable extensions and that the response times must be the same or faster than that of the HIPAA electronic standards.
Commenters also recommended that we permit the use of a proprietary format for web-based transactions if the transactions are sent to an entity’s in-house system for processing, and the entity’s web browser is under the control of a back-end processor, as well as part of the same corporate entity, and does not serve other back-end processors. They recommended that the HIPAA standards be used if the transactions are sent externally (outside of that entity’s system) for processing, and the entity’s web browser is under a contract with a back-end processor that is not under the same corporate control, and that serves more than one back-end processor.
Response: We are pleased that commenters support the use of the national standards for electronic transactions since this outcome is required by section 1173 of the Act. For each designated transaction, these standards specify the format, the data elements required or permitted to structure the format, and the data content permitted for each of the data elements, including designated code sets where applicable.
Certain technologies present a special case for the use of standard transactions. We proposed that telephone voice response, “faxback”, and Hyper Text Markup Language (HTML) interactions would not be required to follow the standard. We have since reevaluated this position in light of the many comments on this position and on developments in the EDI industry which continue to expand the options in this area. We have decided that, instead of creating an exception for these transmissions, we will recognize that there are certain transmission modes in which use of the format portion of the standard is inappropriate. However, the transaction must conform to the data content portion of the standard. The “direct data entry” process, using dumb terminals or computer browser screens, where the data is directly keyed by a health care provider into a health plan’s computer, would not have to use the format portion of the standard, but the data content must conform. If the data is directly entered into a system that is outside of the health plan’s system, to be transmitted later to the health plan, the transaction must be sent using the full standard (format and content). We have included this clarification in § 162.923 (Requirements for Covered Entities).