[Please label written and e-mailed comments about this section with the subject: BACKGROUND.]
When claims are filed, employer information is used by health plans to identify the employer of the participant in the health plan and to develop coordination of benefits information. Employers may transmit information to health plans when enrolling or disenrolling an employee as a participant in a health plan. Employers, health care providers, and health plans may need to identify the source or receiver of eligibility or benefit information. Although the source or receiver is usually a health plan, it could be an employer. Employers, health care providers, and health plans may need to identify the employer when making or keeping track of health plan premium payments or contributions relating to an employee. In all cases where information about the employer is transmitted electronically, it would be beneficial to identify the employer using a standard identifier.
The Congress included provisions to address the need for a standard identifier and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act a new part C, entitled “Administrative Simplification.” (Public Law 104-191 affects several titles in the United States Code. Hereafter, we refer to the Social Security Act as the Act; we refer to the other laws cited in this document by their names.) The purpose of this part is to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the electronic transmission of certain health information.
Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and certain health care providers concerning electronic transmission of health information.
The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization.
Section 1172 of the Act makes any standard adopted under part C applicable to (1) all health plans, (2) all health care clearinghouses, and (3) any health care providers that transmit any health information in electronic form in connection with the transactions referred to in section 1173(a)(1) of the Act.
This section also contains requirements concerning standard setting.
- The Secretary may adopt a standard developed, adopted, or modified by a standard setting organization (that is, an organization accredited by the American National Standards Institute (ANSI)) that has consulted with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup on Electronic Data Interchange (WEDI), and the American Dental Association (ADA).
- The Secretary may also adopt a standard other than one established by a standard setting organization, if the different standard will reduce costs for health care providers and health plans, the different standard is promulgated through negotiated rulemaking procedures, and the Secretary consults with each of the above-named groups.
- If no standard has been adopted by any standard setting organization, the Secretary is to rely on the recommendations of the National Committee on Vital and Health Statistics (NCVHS) and consult with each of the above-named groups.
In complying with the requirements of part C of title XI, the Secretary must rely on the recommendations of the NCVHS, consult with appropriate State, Federal, and private agencies or organizations, and publish the recommendations of the NCVHS in the Federal Register.
Paragraph (a) of section 1173 of the Act requires that the Secretary adopt standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. Standards are required for the following transactions: health claims, health encounter information, health claims attachments, health plan enrollments and disenrollments, health plan eligibility, health care payment and remittance advice, health plan premium payments, first report of injury, health claim status, and referral certification and authorization. In addition, the Secretary is required to adopt standards for any other financial and administrative transactions that are determined to be appropriate by the Secretary.
Paragraph (b) of section 1173 of the Act requires the Secretary to adopt standards for unique health identifiers for all individuals, employers, health plans, and health care providers and requires further that the adopted standards specify for what purposes unique health identifiers may be used.
Paragraphs (c) through (f) of section 1173 of the Act require the Secretary to establish standards for code sets for each data element for each health care transaction listed above, security standards for health care information systems, standards for electronic signatures (established together with the Secretary of Commerce), and standards for the transmission of data elements needed for the coordination of benefits and sequential processing of claims. Compliance with electronic signature standards will be deemed to satisfy both State and Federal requirements for written signatures with respect to the transactions listed in paragraph (a) of section 1173 of the Act.
In section 1174 of the Act, the Secretary is required to adopt standards for all of the above transactions, except claims attachments, within 18 months of enactment. The standards for claims attachments must be adopted within 30 months. Generally, after a standard is established it cannot be changed during the first year except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary must also ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions.
Section 1175 of the Act prohibits health plans from refusing to process or delaying the processing of a transaction that is presented in standard format. The Act’s requirements are not limited to health plans; however, each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. Entities may comply by using a health care clearinghouse to transmit or receive the standard transactions. Compliance with modifications and implementation specifications to standards must be accomplished by a date designated by the Secretary. This date may not be earlier than 180 days after the notice of change.
Section 1176 of the Act establishes a civil monetary penalty for violation of the provisions in part C of title XI of the Act, subject to several limitations. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement. The procedural provisions in section 1128A of the Act, “Civil Monetary Penalties,” are applicable.
Section 1177 of the Act establishes penalties for a knowing misuse of unique health identifiers and individually identifiable health information: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if misuse is “under false pretenses,” a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.
Under section 1178 of the Act, the provisions of part C of title XI of the Act, as well as any standards established under them, supersede any State law that is contrary to them. However, the Secretary may, for statutorily specified reasons, waive this provision.
Finally, section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.” Although the provisions of the law are inapplicable to financial institutions when they are carrying out the listed financial functions, the provisions are applicable to financial institutions when they perform the functions of health care clearinghouses.
(Concerning this last provision, the conference report, in its discussion on section 1178, states:
“The conferees do not intend to exclude the activities of financial institutions or their contractors from compliance with the standards adopted under this part if such activities would be subject to this part. However, conferees intend that this part does not apply to use or disclosure of information when an individual utilizes a payment system to make a payment for, or related to, health plan premiums or health care. For example, the exchange of information between participants in a credit card system in connection with processing a credit card payment for health care would not be covered by this part. Similarly sending a checking account statement to an account holder who uses a credit or debit card to pay for health care services, would not be covered by this part. However, this part does apply if a company clears health care claims, the health care claims activities remain subject to the requirements of this part.”) (H.R. Rep. No. 736, 104th Cong., 2nd Sess. (1996) reprinted in 1996 U.S.C.C.A.N. 264, 265)
B. Process for Developing National Standards
The Secretary has formulated a 5-part strategy for developing and implementing the standards mandated under Part C of title XI of the Act:
- To ensure necessary interagency coordination and required interaction with other Federal departments and the private sector, establish interdepartmental implementation teams to identify and assess potential standards for adoption. The subject matter of the teams includes claims/encounters, identifiers, enrollment/eligibility, systems security, and medical coding/classification. Another team addresses cross-cutting issues and coordinates the subject matter teams. The teams consult with external groups such as the NCVHS’ Workgroup on Data Standards, WEDI, ANSI’s Healthcare Informatics Standards Board, the NUCC, the NUBC, and the ADA. The teams are charged with developing regulations and other necessary documents and making recommendations for the various standards to the HHS’ Data Council through its Committee on Health Data Standards. (The HHS Data Council is the focal point for consideration of data policy issues. It reports directly to the Secretary and advises the Secretary on data standards and privacy issues.)
- Develop recommendations for standards to be adopted.
- Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period.
- Analyze public comments and publish the final rules in the Federal Register.
- Distribute standards and coordinate preparation and distribution of implementation guides.
This strategy affords many opportunities for involvement of interested and affected parties in standards development and adoption:
- Participate with standards development organizations.
- Provide written input to the NCVHS.
- Provide written input to the Secretary of HHS.
- Provide testimony at NCVHS’ public meetings.
- Comment on the proposed rules for each of the proposed standards.
- Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process.
The implementation teams charged with reviewing standards for designation as required national standards under the statute have defined, with significant input from the health care industry, a set of principles for guiding choices for the standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA and the purpose of the law, principles that support the regulatory philosophy set forth in Executive Order 12866 and the Paperwork Reduction Act of 1995. To be designated as an HIPAA standard, each standard should:
- Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions.
- Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
- Be consistent and uniform with the other HIPAA standards --their data element definitions and codes and their privacy and security requirements--and, secondarily, with other private and public sector health data standards.
- Have low additional development and implementation costs relative to the benefits of using the standard.
- Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time.
- Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
- Be technologically independent of the computer platforms and transmission protocols used in electronic transactions, except when they are explicitly part of the standard.
- Be precise and unambiguous, but as simple as possible.
- Keep data collection and paperwork burdens on users as low as is feasible.
- Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.
A master data dictionary providing for common data definitions across the standards selected for implementation under HIPAA will be developed and maintained. We intend for the data element definitions to be precise, unambiguous, and consistently applied. The transaction-specific reports and general reports from the master data dictionary will be readily available to the public. At a minimum, the information presented will include data element names, definitions, and appropriate references to the transactions where they are used.
This proposed rule would establish the standard health care employer identifier. We anticipate publishing several regulations documents altogether to promulgate the various standards required under the HIPAA. The other proposed regulations cover security standards, the transactions specified in the Act, and the other three identifiers.