Proposal Summary: We identified three levels of testing that are typically performed in connection with the adoption and implementation of the proposed standards and their required code sets:
- Level 1--developmental testing, the testing done by the standards setting organization during the development process
- Level 2--validation testing, the testing of sample transactions to see whether they are written correctly.
- Level 3--production testing, the testing of a transaction from a sender through the receiver’s system.
Pilot production--Because of the billions of dollars that change hands each year as a result of health care claims processing, we stated that we believe the industry should sponsor pilot production projects to test transaction standards that are not in full production prior to the effective date for adoption of the initial HIPAA standard formats.
We also stated that it would be useful to all participants if pilot production projects and the results of pilot projects were posted on a web site for all transactions. For the health care claims or equivalent encounter information transactions, we believe that posting pilot production projects and the results of pilot projects on a web site must be mandatory.
Comments and Responses on Compliance Testing
Comment: The majority of commenters recommended that the posting of pilot production results should be voluntary, not mandatory.
Several commenters suggested that all HIPAA standards projects be posted and that the government should provide funding or at least publicly advertise the results of all compliance testing projects. It was suggested that the Electronic Healthcare Network Accreditation Commission (EHNAC) could host a bulletin board or web site in which tests results could be published.
Several commenters asked whether entities providing validation testing will need to be certified. They stated that validation testing is only useful if certification is obtained. Several commenters recommended that the Secretary endorse the Standard Transaction Format Compliance System (STFCS) process established by EHNAC for validation testing, suggesting that EHNAC certification lends credibility and reliability to the process. However, other commenters wanted certification for compliance to be voluntary.
Several commenters recommended that WEDI, X12, or some other group further develop the various types of testing situations which might occur as well as tentative protocols for handling such tests.
Several commenters wanted the testing processes thoroughly defined prior to the implementation of the standards. For example, commenters wanted costs defined, and testing time frames, scheduling, and turn around times established. Others wanted to gain experience using the transactions first and allow testing to be done on a good faith effort basis.
The majority of commenters recommended that all of the transactions should be tested and any necessary modifications made prior to the publication of the final rule and as early as possible.
Response: We agree that posting of results for any HIPAA standard should be voluntary. As long as the transactions are successfully implemented in production, posting of the results is more of a marketing, advertising, and sales issue than a technical concern.
Since the HIPAA provisions do not require the Secretary to certify compliance with HIPAA standards, the Secretary is not conducting certification reviews or recognizing private organizations that have decided to conduct such reviews. Therefore, any certification of commercial entities performing validation testing will remain in the private domain and be voluntary. While receivers of transactions are likely to test whether a vendor that claims to be HIPAA compliant is, in fact, producing compliant transactions, this is a matter of business practice, and such tests are not being mandated in this rule.
The HIPAA provisions require the Secretary to adopt standards developed by standards setting organizations (SSOs) whenever possible. With this approach, the standards developed by a consensus of the health care industry will be implemented by the health care industry at large. Consistent with this approach, the Secretary is relying on those in the health care arena to come forward and test the designated standards. All of the standards have completed levels 1 and 2 of testing. Some of the standards have completed all three levels of testing and are in full production (for example, the NCPDP standard and many of the data code sets). We urge the health care industry to work in concert with the DSMOs. Health plans and vendors currently define their own test plans and conduct their own tests. We urge health plans to develop pilot test plans using the implementation specifications specified by the Secretary.
Certain types of testing are commonly conducted by organizations that transmit transactions electronically. These include site, unit, integration, connectivity, end to end, and parallel testing. ASC X12N has agreed to solicit private individuals, organizations, vendors and other interested parties to facilitate these types of testing and document their results and conditions on the X12N web site. Many government agencies will test and post results as well. X12N intends to continue to review and refine its testing process to make sure it continues to meet the requirements of the health care industry.