NRPM: Security and Electronic Signature Standards. Background


[Please label written or e-mailed comments about this section with the subject: BACKGROUND]

In order to administer their programs, the Department of Health and Human Services, other Federal agencies, State Medicaid agencies, private health plans, health care providers, and health care clearinghouses must assure their customers (such as patients, insured, providers, and health care plans) that the confidentiality and privacy of health care information they electronically collect, maintain, use, or transmit is secure. Security of health information is especially important when health information can be directly linked to an individual.

Confidentiality is threatened not only by the risk of improper access to electronically stored information, but also by the risk of interception during electronic transmission of the information.

In addition to the need to ensure electronic health care information is secure and confidential, there is a potential need to associate signature capability with information being electronically stored or transmitted. Today, there are numerous forms of electronic signatures, ranging from biometric devices to digital signature. To satisfy the legal and time-tested characteristics of a written signature, however, an electronic signature must do the following:

  • Identify the signatory individual,
  • Assure the integrity of a document’s content, and
  • Provide for nonrepudiation; that is, strong and substantial evidence that will make it difficult for the signer to claim that the electronic representation is not valid. Currently, the only technically mature electronic signature meeting the above criteria is the digital signature. There is no national standard for security or electronic signatures. Of necessity, each health care provider, health care plan, and health care entity has defined its own security requirements.

A. Legislation

The Congress included provisions to address the need for security and electronic signature standards and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act a new part C, entitled "Administrative Simplification." (Public Law 104-191 affects several titles in the United States Code. Hereafter, we refer to the Social Security Act as the Act; we refer to the other laws cited in this document by their names.) The purpose of this part C is to improve the Medicare and Medicaid programs, in particular, and the efficiency and effectiveness of the health care system, in general, by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the electronic maintenance and transmission of certain health information.

Part C of title XI of the Act consists of sections 1171 through 1179. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and certain health care providers concerning electronic transmission of health information.

The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization.

Section 1172 of the Act makes any standard adopted under part C applicable to (1) health plans, (2) health care clearinghouses, and (3) health care providers that transmit any health information in electronic form in connection with the transactions referred to in section 1173(a)(1) of the Act. The security standard to be adopted under Part C is not restricted to the transactions referred to in section 1173(a)(1) of the Act, but is applicable to any health information pertaining to an individual that is electronically maintained or transmitted. This section also contains the following requirements concerning standard setting:

  • The Secretary may adopt a standard developed, adopted, or modified by a standard setting organization (that is, an organization accredited by the American National Standards Institute (ANSI)) that has consulted with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA).
  • The Secretary may also adopt a standard other than one established by a standard setting organization, if the different standard will reduce costs for health care providers and health plans, the different standard is promulgated through negotiated rulemaking procedures, and the Secretary consults with each of the above-named groups.
  • If no standard has been adopted by any standard setting organization, the Secretary must rely on the recommendations of the National Committee on Vital and Health Statistics (NCVHS) and consult with each of the above-named groups.

In complying with the requirements of part C of title XI, the Secretary must rely on the recommendations of the NCVHS, consult with appropriate State, Federal, and private agencies or organizations, and publish the NCVHS recommendations in the Federal Register.

Paragraph (a) of section 1173 of the Act requires that the Secretary adopt standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. Standards are required for the following transactions: health claims, health encounter information, health claims attachments, health plan enrollments and disenrollments, health plan eligibility, health care payment and remittance advice, health plan premium payments, first report of injury, health claim status, and referral certification and authorization. In addition, the Secretary is required to adopt standards for any other financial and administrative transactions that are determined to be appropriate by the Secretary.

Paragraph (b) of section 1173 of the Act requires the Secretary to adopt standards for unique health identifiers for all individuals, employers, health plans, and health care providers and requires further that the adopted standards specify for what purposes unique health identifiers may be used.

Paragraphs (c) through (f) of section 1173 of the Act require the Secretary to establish standards for code sets for each data element for each health care transaction listed above, security standards for health care information systems, standards for electronic signatures (established together with the Secretary of Commerce), and standards for the transmission of data elements needed for the coordination of benefits and sequential processing of claims. Compliance with electronic signature standards will be deemed to satisfy both State and Federal requirements for written signatures with respect to the transactions listed in the paragraph (a) of section 1173 of the Act.

In section 1174 of the Act, the Secretary is required to establish standards for all of the above transactions, except claims attachments, by February 21, 1998. The standards for claims attachments must be established by February 21, 1999. Generally, after a standard is established, it cannot be changed during the first year after adoption except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary must also ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions.

Section 1175 of the Act prohibits health plans from refusing to process or delaying the processing of a transaction that is presented in standard format. The Act’s requirements are not limited to health plans; however, each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. A person may comply by using a health care clearinghouse to transmit or receive the standard transactions. Compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary. This date may not be earlier than 180 days from the notice of change.

Section 1176 of the Act establishes a civil monetary penalty for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions in section 1128A of the Act, "Civil Monetary Penalties," are applicable.

Section 1177 of the Act establishes penalties for a knowing misuse of unique health identifiers and individually identifiable health information: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if misuse is "under false pretenses," a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years. Note that these penalties do not affect any other penalties which may be imposed by other Federal programs, including ERISA.

Under section 1178 of the Act, the provisions of part C of title XI of the Act, as well as any standards established under them, supersede any State law that is contrary to them. However, the Secretary may, for statutorily-specified reasons, waive this provision.

Finally, section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when "authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution."

(Concerning this last provision, the conference report, in its discussion on section 1178, states:

"The conferees do not intend to exclude the activities of financial institutions or their contractors from compliance with the standards adopted under this part if such activities would be subject to this part. However, conferees intend that this part does not apply to use or disclosure of information when an individual utilizes a payment system to make a payment for, or related to, health plan premiums or health care. For example, the exchange of information between participants in a credit card system in connection with processing a credit card payment for health care would not be covered by this part. Similarly sending a checking account statement to an account holder who uses a credit or debit card to pay for health care services, would not be covered by this part. However, this part does apply if a company clears health care claims, the health care claims activities remain subject to the requirements of this part.") (H.R. Rep. No. 736, 104th Cong., 2nd Sess. 268-269 (1996))

B. Process for Developing National Standards

The Secretary has formulated a five-part strategy for developing and implementing the standards mandated under part C of title XI of the Act:

  1. To ensure necessary interagency coordination and required interaction with other Federal departments and the private sector, establish interdepartmental implementation teams to identify and assess potential standards for adoption. The subject matter of the teams includes claims/encounters, identifiers, enrollment/eligibility, systems security and electronic signature, and medical coding classification. Another team addresses cross-cutting issues and coordinates the subject matter teams. The teams consult with external groups such as the NCVHS’ Workgroup on Data Standards, WEDI, the ANSI’s Healthcare Informatics Standards Board (HISB), the NUCC, the NUBC, and the ADA. The teams are charged with developing regulations and other necessary documents and making recommendations for the various standards to the HHS Data Council through its Committee on Health Data Standards. (The HHS Data Council is the focal point for consideration of data policy issues. It reports directly to the Secretary and advises the Secretary on data standards and privacy issues.)
  2. Develop recommendations for standards to be adopted.
  3. Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period.
  4. Analyze public comments and publish the final rules in the Federal Register.
  5. Distribute standards and coordinate preparation and distribution of implementation guides.

This strategy affords many opportunities for involvement of interested and affected parties in standards development and adoption by enabling them to:

  • Participate with standards setting organizations.
  • Provide written input to the NCVHS.
  • Provide written input to the Secretary of HHS.
  • Provide testimony at NCVHS’ public meetings.
  • Comment on the proposed rules for each of the proposed standards.
  • Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process.

The implementation teams charged with reviewing standards for designation as required national standards under the statute have defined, with significant input from the health care industry, a set of principles for guiding choices for the standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA, the purpose of the law, and generally desirable principles. To be designated as an HIPAA standard, each standard should:

  1. Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions.
  2. Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
  3. Be consistent and uniform with the other HIPAA standards--their data element definitions and codes and their privacy and security requirements--and, secondarily, with other private and public sector health data standards.
  4. Have low additional development and implementation costs relative to the benefits of using the standard.
  5. Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time.
  6. Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
  7. Be technologically independent of the computer platforms and transmission protocols used in electronic health transactions, except when they are explicitly part of the standard.
  8. Be precise and unambiguous, but as simple as possible.
  9. Keep data collection and paperwork burdens on users as low as is feasible.
  10. Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.

A master data dictionary providing for common data definitions across the standards selected for implementation under HIPAA will be developed and maintained. We intend for the data element definitions to be precise, unambiguous, and consistently applied. The transaction-specific reports and general reports from the master data dictionary will be readily available to the public. At a minimum, the information presented will include data element names, definitions, and appropriate references to the transactions where they are used.

This proposed rule would establish the security standard and electronic signature standard for health care information and individually identifiable health care information maintained or transmitted electronically. The remaining standards are grouped, to the extent possible, by subject matter and audience in other regulations. We anticipate publishing several separate regulation documents to promulgate the remaining standards required under HIPAA.