High administrative costs affect everyone involved in the health care system. To reduce these costs through the use of electronic data interchange, the industry asked Congress to pass legislation that would establish national data standards to support administrative and financial transactions in health care. In August 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). Title II, Subtitle F of Act, Administrative Simplification, directly addresses the adoption of electronic health data standards in the health care system.
The Administrative Simplification provisions require the Secretary of Health and Human Services (HHS) to adopt standards to support the electronic exchange of administrative and financial health care transactions within 18 months of enactment. These standards are to include data elements and code sets for those transactions; unique health identifiers for health care providers, health plans, employers, and individuals for use in the health care system; and security standards to protect individually identifiable health information. Within 24 months of their adoption, i.e. by mid-2000, the standards would be required for use by health plans, providers and clearinghouses. Small plans would have another 12 months to comply.
Privacy protections play a prominent role in the law as well. Recognizing the importance of protecting the privacy of individually identifiable health information, the law also requires the Secretary to submit recommendations for federal health privacy legislation to the Congress. Secretary Shalala forwarded these recommendations to the Congress on September 11, 1997.
In addition, the statute gives expanded responsibilities to the National Committee on Vital and Health Statistics (NCVHS), including advising the Secretary on health information privacy and on the adoption of health data standards. The Committee is further directed to submit an annual report to Congress on the status of implementation of the Administrative Simplification effort. This report is the first of those annual reports on implementation. Because of its extensive consultation with the industry and the research and public health communities, its close involvement with the Department and its intense focus on administrative simplification issues during this past year, the NCVHS is well positioned to comment on the progress of the implementation effort as well as related health information policy. The Committee is committed to improvements in the national health information infrastructure that will enhance quality, lower costs, and facilitate access to care.
Given the implementation steps and schedule outlined in the law, HHS and NCVHS efforts during the past year necessarily focused on the identification and evaluation of the potential standards to be adopted, as well as the development of health information privacy recommendations to Congress. Accordingly, this first report focuses on these efforts, as well as on the development of privacy recommendations. Subsequent reports will describe progress on later stages of implementation.
To address the requirements of the law during the past year, HHS developed an implementation strategy that assured coordination among HHS agencies, participation by other Federal departments, and extensive interaction with the private sector. This strategy afforded many opportunities for interested and affected parties to participate in and influence the standards development and adoption processes, by participating with standards development organizations, providing testimony at NCVHS public meetings, inviting HHS representatives to speak at various meetings, and providing comments on proposed rules. As an integral part of this strategy, the HHS Data Council, the Department's senior level internal data policy body, played a critical role in the implementation of administrative simplification and worked closely with the NCVHS. As required by the statute, the Department also consulted with the National Uniform Billing Committee, the National Uniform Claim Committee, the Workgroup for Electronic Data Interchange, the American Dental Association, and a number of other private sector organizations.
The NCVHS has been an active partner with the Department in every aspect of the standards adoption process. As the Department's primary liaison with the private sector, the NCVHS held a number of public hearings to obtain the views, perspectives, and concerns of organizations and individuals, as well as their input and advice on health data standards and privacy. As required by the statute, the NCVHS has submitted recommendations to the Secretary for standards to be adopted and on privacy guidelines and has commented on HHS draft data standards proposals. These recommendations are described in this report. The full text of the recommendations is available from the NCVHS web site at http://www.ncvhs.hhs.gov/. In its privacy recommendations, the NCVHS recommended that the Administration assign the highest priority to the development of a strong position on health privacy and that the 105th Congress enact a health privacy law before it adjourns in the fall of 1998.
Based on the results of the analyses performed by HHS Implementation Teams, the recommendations received from the NCVHS, the extensive consultation and input received from the industry, and the public testimony provided at the NCVHS hearings during the past year, proposed regulations to adopt the standards are being prepared by HHS for public review and comment in the Federal Register. Those standards relate to the administrative and financial transactions and related code sets; for national identifiers for health care providers, health plans, and employers; and for security standards. The proposed regulation for claims attachments is scheduled to be published in the summer of 1998. The public will have sixty days to provide comments to HHS on the proposed standards. Based on the comments, HHS will issue final regulations.
Because of the controversy and lack of consensus surrounding the selection of a unique health identifier for individuals, the Department has decided to issue a Notice of Intent to maximize public involvement in the process. The Notice of Intent will seek public input on several options for individual health identifiers without presenting a specific option as the preferred direction. The NCVHS has identified a number of special privacy and security concerns that relate to the adoption of a unique individual identifier. These include the importance of Congressional action on privacy legislation, the linkage of the individual identifier standard to privacy protections, the need for privacy protections to deal with fair information practices as well as antidiscrimination provisions, and the need for better implementation of security standards. The Committee will continue to examine this issue with public hearings, and it is likely that additional recommendations will be forthcoming.
HHS and the NCVHS, in partnership with private sector organizations, are also developing an integrated communication strategy to ensure that the industry will continue to receive all the information and assistance that it needs to implement the proposed standards. Once the standards have been adopted, the health care community will be encouraged to notify the Department or the NCVHS of any issues or concerns with the implementation of the standards.
During the next several years, the NCVHS plans to conduct public hearings to obtain additional input from a broad cross section of users in both the public and private sectors. The NCVHS will also seek input from the public on additional standards that may be appropriate, as well as the need to modify existing standards, and will provide timely recommendations to the Secretary.
In later stages of the standardization effort, the Committee plans to obtain information on the extent to which the adopted standards are being implemented, and to solicit reports on the progress of standards implementation from the industry as well as federal and State agencies for the health care programs under their jurisdictions. These agencies, as well as industry representatives, will be asked to provide public testimony at NCVHS hearings, where appropriate. The Committee will also make substantial use of industry data sources to assess major trends in the application of information technology in health care.
To date, the process of adopting health data standards has been extremely open, collaborative, and productive. The success of the process up to this point bodes well for the success of the ultimate implementation of these standards.
A considerable portion of every health care dollar is spent on administrative overhead. In health care, this overhead includes many tasks, such as:
Today these processes involve numerous paper forms and telephone calls, non-standard electronic commerce, and many delays in communicating information among different locations. This situation creates difficulties and costs for health care providers, health plans, and consumers alike.
The burden of these costs affects everyone involved in the health care system. For example:
To address these problems, the health care industry has worked to develop standards to improve the way in which transactions are exchanged and processed electronically. However, economic pressures have prevented competing parties from adopting a uniform set of such standards. At the request of the industry and with bipartisan support, Congress enacted the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The industry has estimated that full implementation of these provisions could save up to $9 billion per year by reducing administrative overhead, without reducing the amount or quality of health care services. In fact, such savings raise the possibility of helping to improve the quality of health care by freeing up resources now devoted to paperwork and administration.
The purpose of this report is to describe the status of implementation of the administrative simplification provisions of HIPAA during their first year. Congress gave the NCVHS the role of advising HHS on the adoption of standards, monitoring implementation of Administrative Simplification, and reporting annually on its progress. During this first year, the Committee has monitored the process of standards adoption, as carried out by the Government and its advisory bodies. In the future, we will report on the rate of implementation and the growth of electronic data interchange (EDI) in the health care industry.
The Committee is pleased to report that the process of implementation to this point has been extremely open, collaborative, and productive. We believe that the success of the process to date bodes well for the ultimate success of the implementation of these standards.
Although this report was requested by the Congress, it is directed at the industry and the public as well. In this report, we discuss first the requirements of the statute, including the implementation timetable required by the law, and the expanded responsibilities of the National Committee on Vital and Health Statistics (NCVHS). Then, we outline the implementation process, which involved the Department of Health and Human Services, other Federal agencies, the NCVHS, the industry, and the public health and research communities. The report includes the NCVHS recommendations for each of the required standards and the progress to date on the development of the regulations required to adopt the standards. Following this discussion is a section in which the NCVHS highlights a few issues that deserve particular attention by HHS and by the Congress. Finally, the report concludes with a discussion of implementation issues and how the NCVHS intends to monitor implementation in the future.
The Administrative Simplification provisions, Title II, Subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services (HHS) to adopt standards for the electronic transmission of administrative and financial health care transactions, including data elements and code sets for those transactions; for unique health identifiers for health care providers, health plans, employers, and individuals for use in the health care system; and for security standards to protect individually identifiable health information. The law also requires the Secretary to submit recommendations for Federal health privacy legislation to the Congress within one year. Additionally, these provisions gave special responsibilities to the NCVHS to advise the Secretary on privacy and on the adoption of standards and to submit to Congress an annual report on the status of the Administrative Simplification effort.
The purposes of these provisions are to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the use of electronic methods for transmission of health information through the establishment of standards and requirements for covered electronic transmissions.
The standards required under the law include:
Under the law, the Secretary may also establish standards for other financial and administrative transactions that she determines to be appropriate and that are consistent with the goals of improving the operation of the health care system and reducing administrative costs. This provision permitted designation of coordination of benefits as one of the standard transactions being adopted.
The standards will apply to all health plans, health care clearinghouses, and health care providers that transmit health information in electronic form. Health plans are required to accept standard transactions submitted electronically by health care providers, and health plans cannot delay or otherwise adversely affect such transactions. Health plans and health care providers may submit or receive transactions directly or indirectly through the use of health care clearinghouses.
In addition to the requirement for security standards, the statute also requires the Secretary to submit to Congress detailed recommendations on standards with respect to the privacy of individually identifiable health information. These recommendations were delivered to the Congress on September 11, 1997.
The statute, which was enacted on August 21, 1996, specifies an aggressive implementation schedule:
The NCVHS and the Department have worked diligently to meet the schedule required by the statute. As noted above, the Secretary's recommendations for Federal privacy legislation have been delivered to the Congress. Notices of Proposed Rule Making for the transactions, code sets, identifiers, and security standards are being prepared, and a public, open process for dealing with the controversial unique health identifier for individuals has been decided upon. However, because of the extensive and unprecedented level of industry consultation and the number of issues that need to be resolved before final standards are selected, the requirement to publish the final rules for the first set of standards by February 21, 1998 will not be met. Publication of the proposed rules is expected by the end of February. It is anticipated that the required standards will be published in final form in the Spring of 1998.
The statute significantly expanded the responsibilities of the NCVHS. In selecting standards for adoption, the Secretary is required to rely on the recommendations of the NCVHS. Subtitle F also requires the NCVHS to report to the Secretary, within 4 years of the passage of HIPAA, with recommendations and legislative proposals for the adoption of uniform data standards for patient medical record information and the electronic exchange of such information. Finally, Subtitle F requires the NCVHS to submit to Congress an annual report on the status of the Administrative Simplification effort.
Specifically, the requirement for the annual report states:
SEC. 263 (7) Not later than 1 year after the date of enactment of the Health Insurance Portability and Accountability Act of 1996, and annually thereafter, the Committee shall submit to the Congress, and make public, a report regarding the implementation of Part C of title XI of the Social Security Act. Such report shall address the following subjects, to the extent that the Committee determines appropriate:
(A) The extent to which persons required to comply with part C of title XI of the Social Security Act are cooperating in implementing the standards adopted under such part.
(B) The extent to which such entities are meeting the security standards adopted under such part and the types of penalties assessed for noncompliance with such standards.
(C) Whether the Federal and State Governments are receiving information of sufficient quality to meet their responsibilities under such part.
(D) Any problems that exist with respect to implementation of such part.(E) The extent to which timetables under such part are being met.
Since the first standards are not scheduled for adoption until 1998 with implementation two years thereafter, this first annual report focuses on the activities of the Federal Government, industry, and the NCVHS during the past year to identify, select, and publish the required standards. Subsequent annual reports will focus on implementation issues.
The Secretary of HHS formulated a 5-part strategy for developing and implementing the standards mandated under Administrative Simplification.
While not a part of the 5-part strategy, a critical sixth step that will be implemented once the standards have been put in place will be the ongoing monitoring of the implementation of the standards to determine if additions or modifications to the standards are needed.
This implementation strategy was designed to assure coordination among HHS agencies, participation by other Federal departments, as well as interaction with the industry and the research and public health communities. Responsibilities within HHS were distributed across three interrelated organizational components: the HHS Data Council, the Data Council's Health Data Standards Committee, and the Implementation Teams.
The HHS Data Council, the Departments senior internal data policy body, was given the responsibility to oversee implementation of Administrative Simplification by the Secretary. The Council consists of representatives from each major operating and staff division within HHS. The Council, as a senior policy guidance and decision making body, has been designated to guide the process and report to the Secretary on the progress of the standards and privacy efforts. During the past year, the co-chairs of the Data Council have been the Assistant Secretary for Planning and Evaluation and the Administrator of the Health Care Financing Administration (HCFA). The Data Council serves as the contact point for the NCVHS and resolves disputes that cannot be resolved by the Data Council's Health Data Standards Committee.
The Data Council's Health Data Standards Committee (HDSC) is responsible for the daily operation and management of the standards activities. The membership of the Health Data Standards Committee includes representatives from the Executive Office of Management and Budget, HHS components and other affected Federal Departments, including the Department of Defense, the Department of Veterans Affairs, and others. The HDSC determines the membership and coordinates the activities of the Implementation Teams. It is also responsible for ensuring that external groups -- NCVHS' Committee on Health Data Needs, Standards, and Security; the Workgroup for Electronic Data Interchange (WEDI); the American National Standards Institute's Healthcare Informatics Standards Board (ANSI HISB); the National Uniform Claim Committee (NUCC); the National Uniform Billing Committee (NUBC); the American Dental Association (ADA); and the National Council for Prescription Drug Programs (NCPDP) -- are appropriately consulted and involved in the development process. The HDSC resolves issues that cannot be resolved by the Implementation Teams.
Seven Implementation Teams (ITs) are responsible for the research, analysis, and development of recommendations for national standards for consideration by the HDSC and the Data Council. These teams are made up of representatives from HHS and from a number of other government Agencies that will be affected by the standards or have specific expertise necessary for development of the recommendations. These include the Department of Defense, the Department of Veterans Affairs, the Department of Labor, the Department of Commerce, the Social Security Administration, the Department of the Treasury, the Office of Personnel Management, and CHAMPUS. A member of the NCVHS has been assigned as liaison to advise and assist each of the Teams and to monitor their progress. To assure a broad perspective, each Team is headed by two co-chairs, one selected from the Health Care Financing Administration and the other from another Federal agency.
The subject matter of the teams includes (1) claims/encounters, (2) identifiers, (3) enrollment/eligibility, (4) systems security, (5) medical coding/classification, (6) claims attachments. A seventh team addresses cross-cutting issues and coordinates the subject matter teams. The teams have consulted with external groups such as the NCVHS Workgroup on Data Standards, WEDI, the ANSI HISB, the NUCC, the NUBC, and the ADA.
With significant input from the health care industry, the Implementation Teams charged with developing recommendations for national standards defined a set of principles for guiding their choices for standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA, the purpose of the law, and generally desirable principles. To be designated as a HIPAA standard, each standard should:
The HHS implementation strategy was designed to afford many opportunities for interested and affected parties to participate in the standards development and adoption processes. They can:
Early on, ANSI HISB provided the Department with an inventory of standards that currently exist in the health care industry. This inventory served as the starting point for the Implementation Teams' evaluation of existing standards to identify candidate standards for adoption.
In response to its new responsibilities, the NCVHS achieved an unprecedented level of activity and output during the first year of HIPAA implementation. The NCVHS formed the Subcommittee on Privacy and Confidentiality; the Subcommittee on Health Data Needs, Standards, and Security; and the Workgroup on Data Standards and Security within that Subcommittee to conduct extensive hearings, coordinate with the Department, and develop the recommendations to the Secretary required by the law. The NCVHS also formed the Subcommittee on Population-Specific Issues, which has been instrumental in seeking out the perspectives of populations at risk to determine the impact of administrative simplification on those populations.
The NCVHS has served as the Department's primary liaison with the private sector and has held a numerous public hearings to obtain the views, perspectives, and concerns of interested and affected parties, as well as their input and advice on health data standards and privacy. In addition to providing numerous opportunities for the private sector to participate in the standards adoption process, these public hearings sponsored by the NCVHS helped shape the belief that this was indeed an open process.
The Full Committee held public hearings on:
Topic: Implementation of administrative simplification provisions of P.L. 104-191: research, public health, and quality assurance perspectives and perspectives on administrative transaction standards.
Participating Stakeholders: Joint Commission on Accreditation of Healthcare Organizations, National Committee for Quality Assurance, Urban Institute, National Association of Health Data Organizations, ANSI HISB, WEDI, NUCC, NUBC, Association for Electronic Health Care Transactions, Computerized Patient Record Institute.
Topic: Issues surrounding unique identifiers, privacy and confidentiality, and the conceptual framework for coding and classification.
Participating Stakeholders: Christopher Chute, M.D.; James Cimino, M.D.; Karen Weigel, R.R.A.; DHHS and NCVHS staff.
Topic: State-based standards and privacy issues and discussion of privacy and health data standards recommendations.
Participating Stakeholders: Minnesota Health Data Institute, Foundation for Health Care Quality, and Massachusetts Health Data Consortium, Inc.; DHHS and NCVHS staff.
Topic: Discussion of privacy and health data standards and public education recommendations.
Participating Stakeholders: DHHS and NCVHS staff.
Topic: Discussion of privacy and health data standards and public health data issues.
Participating Stakeholders: DHHS and NCVHS staff.
The Subcommittee on Population Specific Issues and the Executive Subcommittee held joint public hearings in San Francisco, California on:
Topic: Perspectives on privacy, confidentiality, data standards, and medical coding and classification issues in implementation of the administrative simplification provisions of P.L. 104-191.
Participating Stakeholders: The panelists included representatives from insurers, health plans, providers, public health and research, public hospitals, community health centers, academic centers, patient advocacy groups, integrated health systems, employers, and State health departments.
The Subcommittee on Health Data Needs, Standards, and Security conducted hearings on:
Topic: Perspectives on implementation of the administrative simplification provisions of P.L. 104-191.
Participating Stakeholders: The panelists included representatives from health care purchasers, professional health care providers, health care facilities and other providers, health plans, and payors.
Topic: Perspectives on implementation of the administrative simplification provisions of P.L. 104-191.
Participating Stakeholders: The panelists included representatives from health care oversight and management organizations, experts on the electronic transmission of health care transactions, software vendors, and representatives from ANSI HISB and ANSI SDOs.
Topic: Perspectives on medical/clinical coding and classification issues in implementation of the administrative simplification provisions of P.L. 104-191.
Participating Stakeholders: The panelists included representatives from professional health care providers, health care facilities, special data users, providers, health plans, public health and research, Federal agency data users, and developers of coding and classification systems.
Topic: Perspectives on security issues in implementation of the administrative simplification provisions of P.L. 104-191.
Participating Stakeholders: The panelists included representatives from providers, payors, professional associations, vendors, standards development organizations, and accreditation organizations.
Topic: Development of recommendations for security and payer ID to the Secretary.
Participating Stakeholders: DHHS and NCVHS staff.
The Subcommittee on Privacy and Confidentiality conducted hearings on:
Topic: Privacy issues and concerns related to research, public health, and health oversight.
Participating Stakeholders: The panelists included representatives from research, public health, and health oversight organizations.
Topic: Privacy issues and concerns related to insurers and employers, claims processors, and other intermediaries, the pharmaceutical industry, and social welfare agencies.
Participating Stakeholders: The panelists included representatives from insurers, employers, claims processors and other intermediaries, the pharmaceutical industry, Federal agencies, and social welfare agencies.
Topic: Privacy issues and concerns related to law enforcement agencies, health care providers, privacy and patient advocacy groups, and privacy enhancing technologies.
Participating Stakeholders: The panelists included representatives from law enforcement agencies, health care providers, privacy and patient advocacy groups, and privacy-enhancing technology experts.
In all, more than 200 witnesses from across the health spectrum presented testimony at these hearings. To enhance participation further, NCVHS public meetings are now routinely broadcast live on the Internet with the help of the Department of Veterans Affairs. For those unable to attend or listen to the meetings as they occur, recordings of the live broadcasts are available also on the Internet. Agendas and transcripts of these hearings, minutes, announcements of public meetings, and schedules for future hearings are distributed through the NCVHS web site at:
The NCVHS has participated with the Department in every aspect of the standards selection process. Through the Data Council, the NCVHS has submitted recommendations to the Secretary for standards to be adopted and on privacy guidelines and has commented on HHS draft proposals for data standards. The NCVHS Workgroup on Data Standards has worked closely with the HDSC and the ITs.
The NCVHS provides to, and receives from the Data Council, the HDSC, and the ITs regularly scheduled reports and informal communications on their respective activities. The Data Council Chairs attend NCVHS meetings, and the NCVHS Chair attends the monthly meetings of the Data Council. Each IT has a liaison from the NCVHS who participates in Team meetings and provides advice and guidance. Upon request, the NCVHS also advises the Secretary on particularly sensitive and controversial issues.
The recommendations of the NCVHS to the Secretary have been based in large part on testimony received during the numerous public hearings discussed above. The full text of these recommendations is available from the NCVHS web site. Following are summaries of these recommendations.
On June 25, 1997, the Committee recommended that HHS adopt the proposed National Provider Identifier (NPI) as the unique identifier for health care providers. The NPI is an eight-digit alphanumeric identifier that would be assigned to all providers, upon receipt and validation of essential identifying information. The Committee found broad support for the NPI and urged HHS to publish the proposal for public comment without delay.
On June 25, 1997, the NCVHS recommended the adoption of the following standards for transmission of administrative and financial transactions:
Pharmacy -- NCPDP Telecommunications Standard Format
Institutional -- ASC X12N Health Care Claim (837)
Professional -- ASC X12N Health Care Claim (837)
Dental -- ADA Implementation Guide for ASC X12N 837
* the X12N standard for claims includes standard information for coordination of benefits.
ASC X12N Benefit Enrollment and Maintenance (834)
ASC X12N Health Care Eligibility/Benefit Inquiry (270)
ASC X12N Health Care Eligibility/Benefit Information (271)
ASC X12N Health Care Claim Payment/Advice (835)
ASC X12N Consolidated Service Invoice/Statement (811)
ASC X12N Payment Order/Remittance Advice (820)
ASC X12N Report of Injury, Illness or Incident (148)
ASC X12N Health Care Claim Status Request (276)
ASC X12N Health Care Claim Status Notification (277)
ASC X12N Health Care Service Review Information (278)
The Committee also recommended that HHS specify the acceptable versions and implementation guides for these standards at the time the final rules are issued.
Finally, recognizing the concerns of providers that technical problems associated with the conversion to these standards could delay payments and cause significant financial harm, the NCVHS recommended a transition strategy, whereby willing trading partners, by mutual agreement, could continue to use existing flat-file mechanisms until February 2002.
On June 25, 1997, the Committee recommended that ICD-9-CM diagnosis codes, ICD-9-CM Volume 3 procedure codes, and HCPCS (including CPT and CDT) procedure codes be adopted as the standards to be implemented by February 21, 2000. The Committee further recommended that HHS advise the industry to build its information systems to accommodate a change to ICD-10-CM diagnostic coding in the year 2001 and to anticipate a major change to a unified approach to coding procedures (yet to be defined) by the year 2002 or 2003. The Committee recommended that HHS identify and implement an approach for procedure coding that addresses deficiencies in the current systems, including issues of specificity and aggregation, unnecessary redundancy, and incomplete coverage of health care providers and settings.
The Committee has a long-standing interest and involvement in coding and classification issues. Given the need for a major change in the mechanisms for coding procedures, the Committee's active involvement in this area will continue.
On September 9, 1997, the Committee submitted a number of technical security principles and recommendations for organizational practices for the Secretary's consideration. The Committee did not recommend the adoption of specific standards because standards in this area are not fully mature and have not been extensively implemented by the health care industry.
In order for health information systems to be secure, there must be:
a. Individual authentication of users
b. Access controls
c. Monitoring of access
d. Physical security and disaster recovery
e. Protection of remote access points
f. Protection of external electronic communications
g. Software discipline
h. System assessment
i. Monitoring of integrity of data
A number of organizational practices are recommended to promote security:
a. Scalable confidentiality and security policies and procedures
b. Security/confidentiality committees
c. Designation of an information security officer in health care organizations
d. Education and training programs for all employees, medical staff, agents, and contractors
e. Organizational sanctions for violation of policies and procedures
f. Improved patient authorization forms for disclosure of health information
g. Patient access to audit logs
Finally, the Committee recommended that, in the short-term, health care organizations institute a risk assessment of their current state of compliance with these organizational and technical practices and, in the longer term, the development of criteria to evaluate and monitor compliance and the incorporation of these requirements in the standards of organizations that license or accredit health care organizations.
On June 27, 1997, the Committee presented a set of privacy recommendations to the Secretary. The Committee recommended that the Administration assign the highest priority to the development of a strong position on health privacy and that the 105th Congress enact a health privacy law before it adjourns in the fall of 1998. The Committee called for a law that requires creators and users of identifiable health care information to establish a full range of fair information practices, including a patient's right of access to records, right to seek amendment of records, and right to be informed about uses of health information. The Committee felt that the law must also impose restrictions on disclosure and use of the information, require adequate security, impose sanctions for violations, and increase reliance on non-identifiable information whenever possible.
In its recommendations, the Committee strongly supported the use of health records for health research, subject to independent review of research protocols and other procedural protections for patients. The Committee also strongly supported the use of health records for public health purposes, subject to substantive and procedural barriers commensurate with the importance of the public health functions. The Committee stated that patients need strong substantive and procedural protections if their health records are to be disclosed to law enforcement officials.
The Committee strongly supported limiting use and disclosure of identifiable information to the minimum amount necessary to accomplish the purpose. The Committee also indicated that when identifiable health information is made available for non-health uses, patients deserve a strong assurance that the data will not be used to harm them.
On September 9, 1997, the Committee endorsed the proposal for the national standard for identifying health plans or PAYERID. The Committee suggested that the Department leave open the option of moving to an alphanumeric identifier in the future.
On September 9, 1997, the Committee recommended that the selection of a unique health identifier for individuals be delayed until the passage of legislation to assure the confidentiality of individually identifiable health information and to protect an individuals right to privacy. The Committee also recommended that alternative methods of identifying individuals and linking health information of individuals for health purposes be evaluated on the basis of the American Society for Testing and Materials criteria coupled with a cost-benefit evaluation and public comment. The Committee stated its intention to continue to receive public comment on this issue.
During the coming year, the NCVHS is planning to conduct additional hearings on the Unique Health Identifier for Individuals, Security, and Claims Attachments, as well as other standards-related issues, as necessary.
Following the recommendations of the Implementation Teams and the NCVHS, Notices of Proposed Rule Making (NPRMs) are being prepared for three of the four identifiers required by the statute: the National Provider Identifier (NPI), the PAYERID for health plans, and the Employer ID.
Because of the controversy and lack of consensus surrounding the selection of a unique health identifier for individuals, the Data Council recommended that the Secretary not go forward with a NPRM on the individual identifier at this time. Instead, the Data Council recommended publication of a Notice of Intent (NOI) to maximize public involvement in the selection process. The purpose of the NOI is to seek public input on a variety of options and approaches for individual health identifiers without presenting a specific option as the preferred direction, and to invite comment on privacy issues. Comments will be due 60 days after publication of the NOI. Once the public comments have been received and analyzed, the Secretary will decide whether and how to proceed with the selection of the identifier.
This means that the selection of the unique identifier for individuals will be delayed relative to the deadline established by the statute. The NCVHS strongly believes that the delay is warranted and that additional public involvement in this very sensitive area is imperative.
Based on the results of the analyses performed by the Implementation Teams, the input received from the Committee, and the public testimony provided at the NCVHS hearings during the past year, a Notice of Proposed Rulemaking is being prepared for the HIPAA transaction standards and data content and code set standards. Publication of the NPRM will be followed by a 60-day comment period.
HHS has taken a step in the right direction toward a rational framework for coding procedures and associated products. The improvement involves deleting a section of HCPCS codes and using NDC codes for drugs in the place of the deleted codes.
The First Report of Injury transaction has been removed from the HIPAA transaction standards regulation at this time because there is neither a millennium-compliant version of an implementation guide nor a complete data dictionary for the ASC X12N 148 - Report of Injury, Illness, or Incident transaction. The Secretary will issue a separate Notice of Proposed Rulemaking at a later date after the implementation guide and data dictionary have been completed.
Based on the results of the analyses performed by the Implementation Teams, the input received from the Committee, and the public testimony provided at the NCVHS hearings during the past year, a Notice of Proposed Rulemaking is being prepared for the security standards. Publication of the NPRM will be followed by a 60-day comment period.
As noted above, the statute gave an additional 12 months for the adoption of standards for claims attachments. The Implementation Team for claims attachments was formed in October 1997. NCVHS hearings on claims attachment issues began in November 1997. The Notice of Proposed Rulemaking is due in August 1998, and the Final Rule is scheduled to be published by February 21, 1999.
On September 11, 1997, Secretary Shalala delivered to Congress her recommendations for Federal privacy legislation to protect individually identifiable health information. In her recommendations, she urged Congress to pass without delay privacy legislation that would be based on five key principles:
1. Boundaries - An individuals health care information should be used for health purposes and only those purposes, subject to a few carefully defined exceptions.
2. Security - Organizations to which we entrust health information ought to protect it against deliberate or inadvertent misuse or disclosure. Federal law should require such security measures.
3. Consumer Control - Patients should be able to see what is in their records, get a copy, correct errors, and find out who else has seen them.
4. Accountability - Those who misuse personal health information should be punished, and those who are harmed by its misuse should have legal recourse.
5. Public Responsibility - Federal law should identify those limited arenas in which our public responsibilities warrant authorization of access to our medical information, and should sharply limit the uses and disclosure of information in those contexts.
In addition, the Secretary recommended that Federal privacy legislation not preempt or supersede other State or Federal laws that are more protective of individual privacy. The full text of the Secretary's privacy recommendations is available in the HHS administrative simplification website: http://aspe.os.dhhs.gov/admnsimp/.
The Department has taken very seriously its responsibilities to ensure that the industry will be able to receive all of the information and assistance it will need to implement the standards. The statute requires that the Department provide a low-cost distribution method for the implementation guides for these standards.
The X12N standards committee has a long-standing agreement with the Washington Publishing Company (WPC) to develop and maintain official implementation guides for the X12N transaction sets that are being recommended for adoption in the NPRMs. In order to meet its low-cost distribution requirement, HHS has established a contract with the WPC, and implementation guides will be available for downloading from the WPC web site at no charge. Paper copies will be available for purchase from WPC. Guides for the retail drug claim standards will be available from the NCPDP web site.
In addition, HHS and the NCVHS have recognized the importance of developing a comprehensive communication strategy to increase the quantity and availability of information on administrative simplification. On July 9, 1997, HHS sponsored a public meeting at the National Institutes of Health at which members of the Implementation Teams presented their recommendations for standards to be adopted and answered questions posed by the audience. This meeting, which was open to the public, drew an audience of about 200 individuals. For those who could not attend, the meeting was broadcast live on the Internet. Those who listened to the broadcast were able also to view the presentation materials being displayed at the meeting. This was one of the Department's first attempts at using the Internet in this manner. Because of the success of this Internet broadcast, the NCVHS now broadcasts its public meetings on the Internet as well.
Despite our many efforts, discussions with the health care industry about administrative simplification continue to reveal that many in the health care industry do not realize how these standards will affect them. To address this problem, the NCVHS has formed a work group and the Department has established a public education group to develop a coordinated and comprehensive outreach and communication strategy. The strategy includes the development of print materials for publication in periodicals and for distribution to the press and the public, direct mailings to affected groups, the coordinated scheduling of presentations to interested groups, press interviews, and the development and distribution of videotaped products.
In addition, information on the current status of these standards is available on the HHS Administrative Simplification web site:
Information on the web site is updated frequently. For example, the Secretary's privacy recommendations and her testimony to the Congress were available from the web site the same morning that she delivered them to the Congress.
Agendas and transcripts of the Committees hearings and copies of its recommendations to the Secretary are available on the NCVHS web site:
These sites will be continue to be maintained and updated throughout the implementation of administrative simplification. The Department is also exploring the possibility of using a web site to receive comments on the NPRMs.
The Committee has a number of special privacy and security concerns that it wishes to highlight for the Congress and the public.
The United States is in the midst of a health privacy crisis. The protection of health records has eroded significantly in the last two decades. Major contributing factors are ongoing institutional changes in the structure of the health care system and the lack of modern privacy legislation. Without a federal health privacy law, patient protections will continue to deteriorate.
Delays in passing privacy legislation will allow additional and uncontrolled uses of health information to continue to develop. Failure to address health privacy will also undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner. The greater the delay in imposing meaningful controls on the inappropriate use and disclosure of identifiable individual information, the more difficult it will be to overcome institutional resistance to restrictions on use and disclosure or changing the way that information is acquired and used.
We urge the Congress to act quickly to pass Federal privacy legislation to counter these disturbing trends.
The Committee believes that any discussion of a unique patient identifier for health care is incomplete without substantive privacy protections. The identification of patients is a constant issue in health treatment, payment, and administrative activities. The choice of a unique patient identifier will affect every health care transaction, provider, and institution. Patient privacy will be directly affected by any decision about the adoption of a unique patient identifier.
Selection of a patient identifier will have significant consequences both within and outside the health care system. A properly chosen patient identification system has the potential to enhance privacy. However, at its hearings, the Committee found no consensus on a patient identifier. Indeed, the testimony presented to the Committee reflected the extent to which public opinion is deeply divided on the approach for protecting privacy and on the issue of whether a unique patient identifier should be adopted at all.
As required by the statute, the Secretary has submitted to Congress recommendations for Federal privacy legislation, and she can provide leadership on the issue of the unique patient identifier as well. The Department and the NCVHS recognize the need for increased public education on both the benefits and the risks of having a unique health identifier for individuals. The Committee intends to continue obtaining additional public input on the individual identifier issue at future hearings. The Committee also intends to make a recommendation for a unique individual identifier in the future, recognizing that such a recommendation may not necessarily have the unanimous support of the Committee.
An issue of concern to consumers revealed during the Committee's hearings on privacy was the relationship between privacy (as defined by principles of fair information practices) and potential discrimination in employment, insurance, and elsewhere. The protection of individual privacy requires that this relationship be addressed. Part of the motivation for seeking protections for health information is to prevent the use of such information for purposes outside of health care delivery and payment. Patients receiving care for certain health conditions or who have been the subject of genetic testing are potentially subject to discrimination in employment, insurance, and elsewhere. Some patients are fearful of disclosing their full medical information to health care providers and thereby might unknowingly compromise the quality of medical care they receive. Several bills before the Congress address the possible use of genetic information to discriminate.
Privacy legislation that specifies legitimate uses of health data can prevent potential discrimination and reassure consumers by establishing a legal requirement that identifiable health information be used only for the purposes for which it was collected. Further, health care providers can be more assured of delivering quality health care services if they have more accurate patient medical information. This would be a major step toward preventing the use of health information for non-health purposes.
The Committee recognizes the fact that privacy issues and discrimination issues are complicated. An already complex health privacy bill may not be the best place to sort out responses to equally complex discrimination problems. The Committee suggests that privacy and discrimination issues deserve separate legislative treatment. The problems of discrimination are important, but further work needs to be done to more fully develop anti-discrimination legislation.
Security in the health care industry is a huge, but largely hidden, problem. Testimony before the NCVHS on security practices revealed an extraordinary lack of protection within and across health care organizations today. Currently, the practices used in the handling of paper-based health information are poor to nonexistent. The move toward electronic storage and transmission of health information adds to the Committee's concern that strong security procedures for sensitive information need to be implemented. Health care organizations have been slow to adopt strong security practices for a variety of reasons. Additionally, the lack of national privacy legislation or regulations to ensure the confidentiality of health information contributes to lax security practices.
While recognizing the poor state of information security today, the Committee also understands that for security standards to be followed they must be practical to implement in a variety of environments. Therefore, the Committee believes that any security standard that is adopted must be technology neutral and should promote interoperability among information systems. The cost of implementing specific solutions and the need for scalability based on the size of the health care entity must also be considered.
The Committee plans to continue to monitor industry compliance with and the development and maturation of security technology and standards, including electronic signatures. As standards that are fully mature and tested become available, we will review them and make recommendations for their adoption.
Once the Administrative Simplification standards have been adopted, the health care community will be encouraged to notify the Department or the NCVHS in writing or through our respective web sites of any issues or concerns with the implementation of the new standards. In addition, the Committee will conduct a number of public hearings to obtain additional input from a broad cross section of users in both the public and private sectors. Based on this input, the Committee will notify HHS of any problems that are presented and will provide recommendations on how to deal with those problems.
The statute requires the Secretary of HHS to review the standards and adopt modifications to those standards (including additions to the standards), as appropriate, but not more frequently than once every 12 months. The Committee will seek input from the public on additional standards or modifications to existing standards that may be needed and will provide timely recommendations to the Secretary.
The Committee will request timely reports on the status of standards implementation from Federal and State agencies for the health care programs under their jurisdiction. These agencies and representatives from the private sector will be asked also to provide public testimony at NCVHS hearings, where appropriate, at which they will be asked to indicate the extent of standards usage that they have observed.
We will also ask the applicable standards development organizations to provide regular status reports on the status of implementation of the new standards. We would also encourage them to provide advice as to how to increase the rate of compliance, if necessary.
Since security is a primary concern to the public, the industry, and the Committee, we will ask the appropriate private sector certifying bodies to monitor the status of the security measures that will be put in place and to ensure that adequate safeguards are in place to protect individually identifiable information.
In addition to these status reports and public hearings, the Committee will make substantial use of industry sources that provide information on and analyses of major trends in the application of information technology in health care. This information will include major trends in applying electronic data interchange; the development of computer networks; the growth of computer-based patient records; and trends in automation in health care organizations.
The Committee is charged to make sound recommendations on health information policy to the Executive and Legislative Branches of our nation's government. To accomplish this end, the NCVHS needs to draw upon all available reports and recommendations in order to develop a vision of the future relating to data needs for quality, costs and access to care as well as for the information infrastructure needed for both health care delivery and management.
To date, efforts to implement the Administrative Simplification provisions of HIPAA and to adopt standards stand apart from other government activity in several ways. They differ in:
In summary, the process of adopting health data standards has been extremely open, collaborative, and productive. The success of the process up to this point bodes well for the ultimate success of the implementation of these standards. The Committee is committed to improving the national health information infrastructure needed to enhance quality and access to care and reduce costs.
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
First Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act
February 3, 1998