The Congress included provisions to address the need for standards for electronic transactions and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act a new part C, entitled “Administrative Simplification.” (Public Law 104-191 affects several titles in the United States Code. Hereafter, we refer to the Social Security Act as the Act; we refer to the other laws cited in this document by their names.) The purpose of this part is to improve the Medicare program under title XVIII of the Social Security Act and the Medicaid program under title XIX of the Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements to enable the electronic exchange of certain health information.
Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and certain health care providers.
The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization (SSO).
Section 1172 of the Act makes any standard adopted under part C applicable to (1) all health plans, (2) all health care clearinghouses, and (3) any health care provider who transmits any health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act.
This section also contains requirements concerning standard setting.
- The Secretary may adopt a standard developed, adopted, or modified by a standard setting organization (that is, an organization accredited by the American National Standards Institute (ANSI)) that has consulted with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA).
- The Secretary may also adopt a standard other than one established by a standard setting organization, if the different standard will reduce costs for health care providers and health plans, the different standard is promulgated through negotiated rulemaking procedures, and the Secretary consults with each of the above-named groups.
- If no standard has been adopted by any standard setting organization, the Secretary is to rely on the recommendations of the National Committee on Vital and Health Statistics (NCVHS) and consult with the above-named groups before adopting a standard.
- In complying with the requirements of part C of title XI, the Secretary must rely on the recommendations of the NCVHS, consult with appropriate State and Federal agencies and private organizations, and publish the recommendations of the NCVHS regarding the adoption of a standard under this part in the Federal Register.
Paragraph (a) of section 1173 of the Act requires that the Secretary adopt standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. Standards are required for the following transactions: health care claims or equivalent encounter information, health claims attachments, health plan enrollments and disenrollments, health plan eligibility, health care payment and remittance advice, health plan premium payments, first report of injury, health care claim status, and referral certification and authorization. Section 1173(a)(1)(B) authorizes the Secretary to adopt standards for any other financial and administrative transactions as she determines appropriate.
Paragraph (b) of section 1173 of the Act requires the Secretary to adopt standards for unique health identifiers for each individual, employer, health plan, and health care provider. It also requires that the adopted standards specify for what purposes unique health identifiers may be used.
Paragraphs (c) through (f) of section 1173 of the Act require the Secretary to adopt standards for code sets for each data element for each health care transaction listed above, security standards to protect health care information, standards for electronic signatures (established together with the Secretary of Commerce), and standards for the transmission of data elements needed for the coordination of benefits and sequential processing of claims. Compliance with electronic signature standards will be deemed to satisfy both State and Federal statutory requirements for written signatures with respect to the transactions listed in paragraph (a) of section 1173 of the Act.
In section 1174 of the Act, the Secretary is required to adopt standards for all of the above transactions, except claims attachments, within 18 months after enactment. The standards for claims attachments must be adopted within 30 months after enactment. Modifications to any established standard may be made after the first year, but not more frequently than once every 12 months. The Secretary may, however, modify an initial standard at any time during the first year of adoption, if she determines that the modification is necessary to permit compliance with the standard. The Secretary must also ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions. Any modification to a code set must be implemented in a manner that minimizes the disruption and the cost of compliance.
Section 1175 of the Act prohibits health plans from refusing to conduct a transaction as a standard transaction. It also prohibits health plans from delaying the processing of, or adversely affecting or attempting to adversely affect, a person submitting a standard transaction or the transaction itself on the grounds that the transaction is in standard format. It establishes a timetable for compliance: each person to whom a standard or implementation specification applies is required to comply with the standard no later than 24 months (or 36 months for small health plans) following its adoption. With respect to modifications to standards or implementation specifications made after initial adoption, compliance must be accomplished by a date designated by the Secretary. This date may not be earlier than 180 days after the modification is adopted by the Secretary.
Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation of a provision, and not more than $25,000 per person per violation of an identical requirement or prohibition for a calendar year. With certain exceptions, the procedural provisions in section 1128A of the Act, “Civil Monetary Penalties,” are applicable to imposition of these penalties.
Section 1177 of the Act established penalties for any person that knowingly misuses a unique health identifier, or obtains or discloses individually identifiable health information in violation of this part. The penalties include: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is “under false pretenses,” a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years. We note that these penalties do not affect any other penalties that may be imposed by other federal programs.
Under section 1178 of the Act, the provisions of part C of title XI of the Act, as well as any standards or implementation specifications adopted under them, generally supersede contrary provisions of State law. However, the Secretary may make exceptions to this general rule if she determines that the provision of State law is necessary to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, or for State reporting on health care delivery or costs, among other things. In addition, contrary State laws relating to the privacy of individually identifiable health information are not preempted if more stringent than the related federal requirements. Finally, contrary State laws relating to certain activities with respect to public health and regulation of health plans are not preempted by the standards adopted under Part C or section 264 of Public Law 104-191.
Finally, section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.”