NRPM: Security and Electronic Signature Standards. Provisions of this Proposed Rule


[Please label written comments or e-mailed comments about this section with the subject: INTRODUCTION/APPLICABILITY]

We propose to add a new part to title 45 of the Code of Federal Regulations for health plans, health care providers, and health care clearinghouses in general. The new part would be part 142 of title 45 and would be titled "Administrative Requirements." Subpart A would contain the general provisions for this part, including the general definitions and general requirements for health plans. Subpart C would contain provisions specific to securing health information used in any electronic transmission or stored format.

In this proposed rule, we propose a standard for security of health information. This rule would establish that health plans, health care clearinghouses, and health care providers must have the security standard in place to comply with the statutory requirement that health care information and individually identifiable health care information be protected to ensure privacy and confidentiality when health information is electronically stored, maintained, or transmitted. Because the Congress mandated a separate standard for electronic signature, this proposed security standard also addresses the selected standard for electronic signature. The proposed security standard does not require the use of an electronic signature, but specifies the standard for an electronic signature that must be followed if such a signature is used. If an entity elects to use an electronic signature, it must comply with the electronic signature standard.

A. Applicability

With the exception of the security provisions, section 262 of HIPAA applies to any health plan, any health care clearinghouse, and any health care provider that transmits any health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. The security provisions of section 262 of HIPAA apply to any health plan, any health care clearinghouse, and any health care provider that electronically maintains or transmits any health information relating to an individual.

Our proposed rules (at 45 CFR 142.102) would apply to the health plans and health care clearinghouses as well, but we would clarify the statutory language in our regulations for health care providers. With the exception of the security regulation, we would have the regulations apply to any health care provider only when electronically transmitting any of the transactions to which section 1173(a)(1) of the Act refers.

Electronic transmissions would include transactions using all media, even when the information is physically moved from one location to another using magnetic tape, disk, or compact disc (CD) media. Transmissions over the Internet (open to the public), an Extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, and private networks are all included. Telephone voice response and "faxback" (a request for information made via voice using a fax machine, with the requested information returned via that same machine as a fax) systems would not be included. We solicit comments concerning any adverse impact the above statement concerning voice response or faxback may have upon the security of the health information in the commenter's care.

With the exception of the security regulation, our regulations would apply to health care clearinghouses when transmitting transactions to, and receiving transactions from, a health care provider or health plan that transmits and receives standard transactions (as defined under "transaction") and at all times when transmitting electronic transactions to or receiving them from another health care clearinghouse. The security regulation would apply to health care clearinghouses electronically maintaining or transmitting any health information pertaining to an individual.

Entities that offer on-line interactive transmission must comply with the standards. The Hypertext Markup Language (HTML) interaction between a server and a browser by which the data elements of a transaction are solicited from a user would not have to use the standards (with the exception of the security standard), although the data content must be equal to that required for the standard. Once the data elements are assembled into a transaction by the server, the transmitted transaction would have to comply with the standards.

With the exception of the security portion, the law would apply to each health care provider when transmitting or receiving any of the specified electronic transactions. The security regulation would apply to each health care provider electronically maintaining or transmitting any health information pertaining to an individual.

The law applies to health plans for all transactions. Section 142.104 would contain the following provisions (from section 1175 of the Act):

If a person desires to conduct a transaction (as defined in § 142.103) with a health plan as a standard transaction, the following apply:

(1) The health plan may not refuse to conduct the transaction as a standard transaction.

(2) The health plan may not delay the transaction or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the basis that the transaction is a standard transaction.

(3) The information transmitted and received in connection with the transaction must be in the form of standard data elements of health information.

As a further requirement, we would provide that a health plan that conducts transactions through an agent assure that the agent meets all the requirements of part 142 that apply to the health plan.

Section 142.105 would state that a person or other entity may meet the transaction requirements of § 142.104 by either--

(1) Transmitting and receiving standard data elements, or

(2) Submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse and receiving standard data elements through the clearinghouse.

Health care clearinghouses would be able to accept nonstandard transactions for the sole purpose of translating them into standard transactions for sending customers and would be able to accept standard transactions and translate them into nonstandard formats for receiving customers. We would state in § 142.105 that the transmission of nonstandard transactions, under contract, between a health plan or a health care provider and a health care clearinghouse would not violate the law.

With the exception of the security standard, transmissions within a corporate entity would not be required to comply with the standards. A hospital that is wholly owned by a managed care company would not have to use the transaction standards to pass encounter information back to the home office, but it would have to use the standard claims transaction to submit a claim to another payer. Other examples are transactions within Federal agencies and their contractors, and between State agencies within the same State. For example, Medicare enters into contracts with insurance companies and common working file sites that process Medicare claims using government-furnished software. There is constant communication, on a private network, between HCFA Central Office and the Medicare carriers, intermediaries, and common working file sites. This communication may continue in nonstandard mode. However, these contractors would be required to comply with the transaction standards when exchanging any of the transactions covered by HIPAA with an entity outside these "corporate" boundaries.

The security standard is applicable to all health care information electronically maintained or used in an electronic transmission, regardless of format (standard transaction or a proprietary format); no distinction is made between internal corporate entity communication or communication external to the corporate entity.

Although there are situations in which the use of the standards is not required (for example, health care providers may continue to submit paper claims, and employers are not required to use any of the standard transactions), we stress that a standard may be used voluntarily in any situation in which it is not required.

This proposed regulation would not mandate the use of electronic signatures with any specific transaction at this time. Instead, the regulation proposes that whenever an electronic signature is required for an electronic transaction by law, regulation, or contract, the signature must meet the standard established in the regulation at § 142.310. Use of this standard would satisfy any Federal or State requirement for a signature, either electronic or on paper.

We note that the ANSI X12N standards for individual transactions which have been proposed for adoption as national standards in a separate proposed rule do not require the use of electronic signatures. Standards for additional transactions that the Secretary may propose for adoption in the future, including one for claims attachments, may contain such requirements. We solicit comments on whether electronic signatures should be required for any specific transactions or under specific circumstances and what effect such requirements would have on electronic health care transactions.

We also note that the NCVHS is required by HIPAA to report to the Secretary recommendations and legislative proposals for uniform data standards for patient medical record information and the electronic exchange of such information, with the implication that HHS should rely on such recommendations to adopt such standards or propose the passage of such legislation by the Congress. We solicit comments on whether the standard proposed below for electronic signatures would be appropriate for consideration as part of such standards.