NRPM: Security and Electronic Signature Standards. Definitions


[Please label written or e-mailed comments about this section with the subject: DEFINITIONS]


Section 1171 of the Act defines several terms and our proposed rules would, for the most part, simply restate the law. The terms that we are defining in this proposed rule follow:

1. Code set.

We would define "code set" as section 1171(1) of the Act does: "code set" means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

2. Health care clearinghouse.

We would define "health care clearinghouse" as section 1171(2) of the Act does, but we are adding a further, clarifying sentence. The statute defines a "health care clearinghouse" as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. We would further explain that such an entity is one that currently receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended recipient and forwards the processed transaction to appropriate payers and clearinghouses, as necessary, for further action.

There are currently a number of private clearinghouses that perform this function for health care providers. For purposes of this rule, we would consider billing services, repricing companies, community health management information systems or community health information systems, value-added networks, and switches that perform this function to be health care clearinghouses.

3. Health care provider.

As defined by section 1171(3) of the Act, a "health care provider" is a provider of services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies. Our regulations would define "health care provider" as the statute does and clarify that the definition of a health care provider is limited to those entities that furnish, or bill and are paid for, health care services in the normal course of business.

For a more detailed discussion of the definition of health care provider, we refer the reader to our proposed rule, HCFA-0045-P, Standard Health Care Provider, 63 FR 25320, published May 7, 1998.

4. Health information.

"Health information," as defined in section 1171 of the Act, means any information, whether oral or recorded in any form or medium, that--

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

We propose the same definition for our regulations.

5. Health plan.

We propose that a "health plan" be defined essentially as section 1171 of the Act defines it. Section 1171 of the Act cross refers to definitions in section 2791 of the Public Health Service Act (as added by Public Law 104-191, 42 U.S.C. 300gg-91); we would incorporate those definitions as currently stated into our proposed definitions for the convenience of the public. We note that the term "health plan" is also defined in other statutes, such as the Employee Retirement Income Security Act of 1974 (ERISA). Our definitions are based on the roles of plans in conducting administrative transactions, and any differences should not be construed to affect other statutes.

For purposes of implementing the provisions of administrative simplification, a "health plan" would be an individual or group health plan that provides, or pays the cost of, medical care. This definition includes, but is not limited to, the 13 types of plans listed in the statute. On the other hand, plans such as property and casualty insurance plans and workers compensation plans, which may pay health care costs in the course of administering nonhealth care benefits, are not considered to be health plans in the proposed definition of health plan. Of course, these plans may voluntarily adopt these standards for their own business needs. At some future time, the Congress may choose to expressly include some or all of these plans in the list of health plans that must comply with the standards.

Health plans often carry out their business functions through agents, such as plan administrators (including third party administrators), entities that are under "administrative services only" (ASO) contracts, claims processors, and fiscal agents. These agents may or may not be health plans in their own right; for example, a health plan acting as another health plan’s agent as another line of business. As stated earlier, a health plan that conducts HIPAA transactions through an agent is required to assure that the agent meets all HIPAA requirements that apply to the plan itself.

"Health plan" includes the following, singly or in combination:

a. "Group health plan" (as currently defined by section 2791(a) of the Public Health Service Act). A group health plan is a plan that has 50 or more participants (as the term "participant" is currently defined by section 3(7) of ERISA) or is administered by an entity other than the employer that established and maintains the plan. This definition includes both insured and self-insured plans. We define "participant" separately below.

Section 2791(a)(1) of the Public Health Service Act defines "group health plan" as an employee welfare benefit plan (as defined in current section 3(1) of ERISA) to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise.

b. "Health insurance issuer" (as currently defined by section 2791(b) of the Public Health Service Act).

Section 2791(b) of the Public Health Service Act currently defines a "health insurance issuer" as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

c. "Health maintenance organization" (as currently defined by section 2791(b) of the Public Health Service Act).

Section 2791(b) of the Public Health Service Act currently defines a "health maintenance organization" as a Federally qualified health maintenance organization, an organization recognized as such under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. These organizations may include preferred provider organizations, provider sponsored organizations, independent practice associations, competitive medical plans, exclusive provider organizations, and foundations for medical care.

d. Part A or Part B of the Medicare program (title XVIII of the Act).

e. The Medicaid program (title XIX of the Act).

f. A "Medicare supplemental policy" as defined under section 1882(g)(1) of the Act.

Section 1882(g)(1) of the Act defines a "Medicare supplemental policy" as a health insurance policy that a private entity offers a Medicare beneficiary to provide payment for expenses incurred for services and items that are not reimbursed by Medicare because of deductible, coinsurance, or other limitations under Medicare. The statutory definition of a Medicare supplemental policy excludes a number of plans that are generally considered to be Medicare supplemental plans, such as health plans for employees and former employees and for members and former members of trade associations and unions. A number of these health plans may be included under the definitions of "group health plan" or "health insurance issuer", as defined in paragraphs a. and b. above.

g. A "long-term care policy," including a nursing home fixed-indemnity policy. A "long-term care policy" is considered to be a health plan regardless of how comprehensive it is. We recognize the long-term care insurance segment of the industry is largely unautomated and we welcome comments regarding the impact of HIPAA on the long-term care segment.

h. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. This includes plans that are referred to as multiple employer welfare arrangements ("MEWAs").

i. The health care program for active military personnel under title 10 of the United States Code.

j. The veterans health care program under chapter 17 of title 38 of the United States Code.

This health plan primarily furnishes medical care through hospitals and clinics administered by the Department of Veterans Affairs for veterans with a service-connected disability that is compensable. Veterans with nonservice-connected disabilities (and no other health benefit plan) may receive health care under this health plan to the extent resources and facilities are available.

k. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).

CHAMPUS primarily covers services furnished by civilian medical providers to dependents of active duty members of the uniformed services and retirees and their dependents under age 65.

l. The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).

This program furnishes services, generally through its own health care providers, primarily to persons who are eligible to receive services because they are of American Indian or Alaskan Native descent.

m. The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89.

This program consists of health insurance plans offered to active and retired Federal employees and their dependents. Depending on the health plan, the services may be furnished on a fee-for-service basis or through a health maintenance organization.

(Note: Although section 1171(5)(M) of the Act refers to the "Federal Employees Health Benefit Plan," this and any other rules adopting administrative simplification standards will use the correct name, the Federal Employees Health Benefits Program. One health plan does not cover all Federal employees; there are over 350 health plans that provide health benefits coverage to Federal employees, retirees, and their eligible family members. Therefore, we will use the correct name, the Federal Employees Health Benefits Program, to make clear that the administrative simplification standards apply to all health plans that participate in the Program.)

n. Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care.

We would include a fourteenth category of health plan in addition to those specifically named in HIPAA, as there are health plans that do not readily fit into the other categories but whose major purpose is providing health benefits. The Secretary would determine which of these plans are health plans for purposes of title II of HIPAA. This category would include the Medicare Plus Choice plans that will become available as a result of section 1855 of the Act as amended by section 4001 of the Balanced Budget Act of 1997 (Public Law 105-33) to the extent that these health plans do not fall under any other category.

6. Small health plan.

We would define a “small health plan” as a group health plan with fewer than 50 participants.

The HIPAA does not define a “small health plan” but instead leaves the definition to be determined by the Secretary. The Conference Report suggests that the appropriate definition of a “small health plan” is found in current section 2791(a) of the Public Health Service Act, which is a group health plan with fewer than 50 participants. We would also define small individual health plans as those with fewer than 50 participants.

7. Individually Identifiable Health Information.

Section 1171(6) states the term 'individually identifiable health information' means any information, including demographic information collected from an individual, that--

a. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

b. Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

(i) Identifies the individual, or

(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

8. Standard.

Section 1171 of the Act defines "standard," when used with reference to a data element of health information or a transaction referred to in section 1173(a)(1) of the Act, as any such data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary with respect to the data element or transaction under sections 1172 through 1174 of the Act.

Under our definition, the security standard would be a set of requirements adopted or established to preserve and maintain the confidentiality and privacy of electronically stored, maintained, or transmitted health information promulgated either by an organization accredited by the ANSI or HHS.

9. Transaction.

"Transaction" would mean the exchange of information between two parties to carry out financial and administrative activities related to health care. A transaction would be (a) any of the transactions listed in section 1173(a)(2) of the Act, and (b) any determined appropriate by the Secretary in accordance with section 1173(a)(1)(B) of the Act. We present them below in the order in which we propose to list them in the regulations text.

A "transaction" would mean any of the following:

a. Health claims or equivalent encounter information.

This transaction may be used to submit health care claim billing information, encounter information, or both, from health care providers to payers, either directly or via intermediary billers and claims clearinghouses.

b. Health care payment and remittance advice.

This transaction may be used by a health plan to make a payment to a financial institution for a health care provider (sending payment only), to send an explanation of benefits remittance advice directly to a health care provider (sending data only), or to make payment and send an explanation of benefits remittance advice to a health care provider via a financial institution (sending both payment and data).

c. Coordination of benefits.

This transaction set can be used to transmit health care claims and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the furnishing, billing, and/or payment of health care services within a specific health care/insurance industry segment.

In addition to the nine electronic transactions specified in section 1173(a)(2) of the Act, section 1173(f) directs the Secretary to adopt standards for transferring standard data elements among health plans for coordination of benefits. This particular provision does not state that these should be standards for electronic transfer of standard data elements among health plans. However, we believe that the Congress, when writing this provision, intended for these standards to be an electronic form of transactions for coordination of benefits and sequential processing of claims. The Congress expressed its intent on these matters generally in section 1173(a)(1)(B)of the Act, where the Secretary is directed to adopt "other financial and administrative transactions ... consistent with the goals of improving the operation of the health care system and reducing administrative costs."

d. Health claim status.

This transaction may be used by health care providers and recipients of health care products or services (or their authorized agents) to request the status of a health care claim or encounter from a health plan.

e. Enrollment and disenrollment in a health plan.

This transaction may be used to establish communication between the sponsor of a health benefit and the payer. It provides enrollment data, such as subscriber and dependents, employer information, and primary care health care provider information. A sponsor is the backer of the coverage, benefit, or product. A sponsor can be an employer, union, government agency, association, or insurance company. The health plan refers to an entity that pays claims, administers the insurance product or benefit, or both.

f. Eligibility for a health plan.

This transaction may be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber’s policy. It also can be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and payers) to information receivers (such as physicians, hospitals, third party administrators, and government agencies).

g. Health plan premium payments.

This transaction may be used by, for example, employers, employees, unions, and associations to make and keep track of payments of health plan premiums to their health insurers. This transaction may also be used by a health care provider, acting as liaison for the beneficiary, to make payment to a health insurer for coinsurance, copayments, and deductibles.

h. Referral certification and authorization.

This transaction may be used to transmit health care service referral information between health care providers, health care providers furnishing services, and payers. It can also be used to obtain authorization for certain health care services from a health plan.

i. First report of injury.

This transaction may be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements.

j. Health claims attachments.

This transaction may be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review.

k. Other transactions as the Secretary may prescribe by regulation.

Under section 1173(a)(1)(B) of the Act, the Secretary may adopt standards, and data elements for those standards, and for other financial and administrative transactions deemed appropriate by the Secretary. These transactions would be consistent with the goals of improving the operation of the health care system and reducing administrative costs.