Testimony of the ANSI Accredited National Council for Prescription Drug Programs
Administration Simplification Subtitle- Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191)
Meeting of the National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Health Data Needs, Standards, and Security
Good morning. Thank you for the opportunity to present to this panel security standards recommendations of the National Council for Prescription Drug Programs (NCPDP), an ANSI Accredited standards development organization. I am Dan Staniec, RPh. MBA, NCPDP Executive Vice President of External Affairs. I am member of a number of pharmacy organizations, including the American Pharmaceutical Association (APhA), National Community Pharmacist's Association (NCPA), the Academy of Managed Care Pharmacy (AMCP), as well as ASC X12, HL7, the Work Group for Electronic Data Interchange (WEDI), the Health Informatics Standards Board (HISB), the Object Management Group (OMG), and a participant at UN/EDIFACT meetings. I am also a Board member of the Computerized Patient Record Institute (CPRI), and the University of Arizona College of Pharmacy.
NCPDP is an ANSI accredited standards development organization for the pharmacy services sector of the health care industry. Our ANSI approved scope statement reads: "The scope of the standards that NCPDP develops are those for information processing for the pharmacy services sector of the health care industry."
Regarding the development of pharmacy standards, NCPDP is the forum where pharmacy meets four times per year to develop standards. Our 1159 members are employed by organizations from virtually every type of pharmacy organization in the United States. Some examples of these types of organizations include: chain pharmacies, independent pharmacies, drug manufacturers, BCBS organizations, Federal/State Agencies, health maintenance organizations, pharmacy benefit management companies, telecommunication and systems vendors, and wholesale drug distributors.
Our membership consists of three specific categories, with a fairly equal number of members in each category. These categories are l. Provider/Producer (321 members) 2. Payer/Processor (437 members) 3. Telecommunication System Vendor/General Interest. (401 members). As you can see, NCPDP does represent the voice of pharmacy in the standards development arena.
We have submitted NCPDP's telecommunication standard to ANSI to become an American National Standard (ANS) and look for this transaction to be one of the first health care transactions being considered this honor.
I would like to respond to the last few questions on your list addressed to the Standard Development Organizations. With the limited time frame to present, I cannot discuss company specific (business partner) issues related to security. Our answers will address the concept of the actual transmission of pharmaceutical claims utilizing NCPDP's Telecommunication claim standard from as an industry as a whole.
QUESTION #1
WHAT STANDARDS PRESENTLY EXIST REGARDING SECURITY?
NCPDP RESPONSE #1
The NCPDP Telecommunication Claim standard does not define security standards. As you may know, the International Standards Organization (ISO) has defined a framework for the definition of telecommunications standards. This standard, known as the "open systems interface" standard, delivers a seven layer hierarchy of functions with a telecommunication network. The applications layer provides all services directly "comprehensible" to the users applications, in other words, this is the level that interfaces with the users application. The applications layer identifies the user and sets an agreed upon level of security and makes one user responsible for error recovery. The existing standards development organizations define the presentation layer, which restructures data in the required format.
There is no known problem in the pharmaceutical benefit industry with respect to the transmission of data. The exchange of roughly 6 billion prescriptions sent electronically using the NCPDP Telecommunication Claim standard has occurred over the past few years.
The data that is transmitted electronically using the NCPDP Telecommunication standard is all coded. The data that is coded includes, but is not limited to:
QUESTION #2:
WHAT PLANS ARE UNDERWAY TO ADDRESS SECURITY REQUIREMENTS?
NCPDP RESPONSE #2:
Various companies, such as Pharmacy Benefit Management Companies, continue to enforce existing security standards at the company level as the new technology evolves.
QUESTION #3
DO YOU FEEL THAT THERE IS A NEED FOR THE FEDERAL GOVERNMENT TO PROVIDE LEADERSHIP IN THIS AREA?
NCPDP RESPONSE #3:
Yes, there is a need for the federal government to provide leadership in this area, but only from an enforcement perspective. It is imperative that the private sector should create security standards for the healthcare industry.
NCPDP thanks you for the opportunity to testify today. I look forward to responding to any other questions that you may have.