 HIPAAdvisory > HIPAAregs Phoenix Health Systems

A History and Overview of HIPAA


Hawaii Medical Service Association

Historical Background

In the early 1990s, the Bush Administration called a group of health care industry leaders together to discuss how health care administrative costs could be reduced. The group concluded that the best way to do so was to increase the use of electronic data interchange (EDI) within the industry. This advisory group later organized as the Workgroup for Electronic Data Interchange (WEDI), which was initially co-chaired by the Presidents of the Blue Cross and Blue Shield Association (BCBSA) and the Health Insurance Association of America (HIAA), which represents commercial insurers.

WEDI conducted a number of studies to determine how this might be accomplished, and eventually recommended that Federal legislation be passed to ensure that a consistent set of standards could be used across all states. Many of WEDI's recommendations were included in the Clinton Health Plan, which failed to pass, and similar provisions were included in other draft legislation. They were eventually included in the House version of HIPAA under the sponsorship of Congressman Hobson (R-OH), and survived a House/Senate Conference thanks partly to extensive industry support. The Health Insurance Portability and Accountability Act (HIPAA) was finally signed into law on August 21, 1996.

General Provisions

The Administrative Simplification (A/S) section of this act required that the US Department of Health and Human Services (DHHS) mandate the use of specific electronic formats for a number of business purposes, and specify what administrative and medical coding schemes can be used within those formats. It also mandated the development and implementation of national identifiers for patients, providers, payers, and employers, and the adoption of security and privacy standards appropriate for the protection of individually identifiable health care information. And HIPAA instructed the National Committee on Vital and Health Statistics (NCVHS) to make recommendations for electronic medical record standards.

Developing the Regulations

Most of the HIPAA mandates were supposed to become effective in February, 1998, with compliance required by February, 2000. This didn't happen. There have been extensive and repeated delays in the development of the draft rules, or Notices of Proposed Rulemaking (NPRMs), within the Federal government. The government has also been deluged with thousands of comments on the initial NPRMs, and is struggling to evaluate those comments and come up with some final rules. The final regulations usually become effective 60 days after their publication, and compliance is required within 24 months of the effective date.

The law itself requires extensive consultation with industry groups regarding what standards should be used, and the government has made an impressive effort to comply with both the letter and spirit of those requirements. There have been numerous public hearings and briefings, and the government has asked WEDI and other organizations to consult with their members and make recommendations regarding many issues that have arisen during the development of the rules.

The rulemaking delays have been welcome to the extent that they have allowed the industry to postpone related systems changes until after Y2K work was completed. As they continue, however, they make it difficult for everyone, including the Federal Government, to make realistic plans and budgets for accommodating the HIPAA requirements. These are legislated mandates, not voluntary initiatives, and they appear unlikely to be repealed or abandoned. Nearly all of the initiatives are still moving forward. Thus, the industry needs to make the best business plans that it can for use of the proposed data formats. Those plans should be informed by, but not conditioned on, the HIPAA regulatory schedule.

The provisions of HIPAA have come to dominate nearly all aspects of the health care data standards development process. HIPAA is forcing all of the standards developers and many industry sectors to rethink their plans, and, in many cases, to redefine their roles. We are still in the early middle part of this process, and it is not at all clear what the "final" landscape will look like.

The National Provider ID

The DHHS published an NPRM on May 7, 1998. The NPRM proposed a dataless 8-position alphanumeric identifier, with a check digit in the eighth position. Several major industry groups, such as WEDI and the BCBSA, have since urged that a longer purely numeric identifier be used, and that the identifier itself not include any information about practice locations. Practice location data would presumably be available via a national registry database. The same industry groups also recommend that the data in this national database be limited to the minimum needed to support the enumeration activities, and not include any credentialing or sanctions data. And they are also advocating that oversight of the registry and of the enumerating process be placed outside the Federal Government.

The National Employer ID

The DHHS published an NPRM on June 16, 1998. This has been the least controversial of the NPRMs released so far. This identifier is supposed to uniquely identify employers and other benefit sponsors who use electronic exchanges to enroll members in health plans and to pay benefit premiums. Because the NPRM suggests that this information would be collected from providers as part of the billing process, industry comment has emphasized that it is normally not available to providers and should not be collected from them.

The National Payer ID

This NPRM has not been released yet. Indications are that each Medicare Part A and B contractor, and each state Medicaid program, would have its own Payer ID. These are now usually referred to as Health Plan IDs. Generic IDs would be assigned to private plans. Separate IDs might also be assigned to distinct entities within a business, such as an HMO Plan or a provider network. There would also be a national payer registry and a registry database, including detailed information on what electronic addresses to use for various purposes. We are eagerly awaiting the details, of course.

The National Patient ID

This HIPAA initiative is the most controversial of the national identifiers by far, and has inspired the most serious expressions of concern in the media. As a result, Congress included provisions requiring additional Congressional approval of any proposed individual identification scheme in the Fiscal 1999 budget act. An anticipated Notice of Intent (NOI) on this initiative has been put on hold, additional hearings have been indefinitely postponed, and there is no currently available estimate of when or whether this initiative will get back on track. Thus, it is not clear whether or not it will be implemented at all, let alone when.

The Electronic Transactions

Enrollment & Disenrollment: The NPRM proposes that version 4010 of the X12 834 Benefit Enrollment & Maintenance EDI Transaction be used for this purpose.

Premium Payment & Remittance Advice: The NPRM proposes that version 4010 of the X12 820 Group Premium Payment EDI Transaction be used for this purpose.

Eligibility: The NPRM proposes that version 4010 of the X12 270/271 Eligibility & Benefit Inquiry & Response EDI Transactions be used for this purpose. A separate implementation guide for an eligibility roster, which is often preferred by HMOs, is under development.

Institutional Claims & Encounters: The NPRM proposes that version 4010 of the X12 837 Health Care Claim - Institutional EDI Transaction be used for this purpose.

Professional Claims & Encounters: The NPRM proposes that version 4010 of the X12 837 Health Care Claim - Professional EDI Transaction be used for this purpose.

Dental Claims & Encounters: The NPRM proposes that version 4010 of the X12 837 Health Care Claim - Dental EDI Transaction be used for this purpose.

Drug Claims: The NPRM proposes that the National Council for Prescription Drug Programs (NCPDP) Pharmacy Claim Telecommunications Standard V3.2 be used for retail pharmacy claims. The NCPDP Batch Standard V1.0 could be used by SNFs and others that have a low activity level. The X12 837 EDI Transaction supports drug claim processing for institutional, professional, and dental providers.

Claim Status: The NPRM proposes that version 4010 of the X12 276/277 Claim Status Inquiry & Response EDI Transaction be used for this purpose. This transaction can be used in either a batch or an interactive mode. A separate implementation guide for an unsolicited claim status transmission is also under development.

Claim Attachments: The legislation gave DHHS an additional 12 months to select this standard. It will probably be based on the X12 277 and 275, but will also involve some HL7 standards. A draft implementation guide is now available for review. This standard will take a long time to implement fully, since few providers have the necessary data in a form that could be readily incorporated into the transactions.

Claim Payment & Remittance Advice: The NPRM proposes that version 4010 of the X12 835 Health Care Claim Payment & Remittance Advice EDI Transaction be used for this purpose.

Coordination of Benefits (COB): The NPRM proposes that version 4010 of the X12 837 Health Care Claim & the NCPDP Telecommunications Standard V3.2 be used for this purpose. See the Claims & Encounters entries.

Referral Certification & Authorization: The NPRM proposes that version 4010 of the X12 278 Health Care Service Review EDI Transaction be used for this purpose.

First Report of Injury: This remains to be determined. It may be the X12 148 Report of Injury or Incident, but an International Association of Industrial Accident Boards and Commissions (IAIABC) standard is also under consideration.

The Administrative & Medical Code Sets

HIPAA also gives the DHHS the authority to specify what data coding schemes can be used in the health care transactions. People usually think of this in terms of what medical coding schemes can be used, but the authority is broader than that. There are national standard schemes for types of providers, types of services, claim status, claim adjudication results, and so on. I usually refer to these as "administrative coding schemes", to distinguish them from the more specifically medical schemes. These would all have to be used in place of proprietary coding schemes when using any of the mandated transactions. Some of these schemes are already in widespread use, while others would require substantial changes in business practices.

One of the more challenging requirements will be that all payers use the national standard Claim Adjustment Reason Codes, rather than proprietary codes, in their electronic payment and COB transactions.

The potential effects extend well beyond the boundaries of electronic commerce. If covered entities have to use these codes in their electronic exchanges, they may need to use them on their hardcopy forms and reports as well. Otherwise they end up with dual coding schemes, which would complicate both their internal processing and our external education and support activities.

As for the medical coding schemes, the NPRM proposed the following:

  • CPT Codes would be used for Physician Services
  • CDT Codes would be used for Dental Services
  • NDC Codes would be used for Drugs
  • Both the CDT and the drug codes would be removed from the HCFA Common Procedural Coding System (HCPCS)
  • HCPCS Level III (local) codes would be assigned nationally, rather than locally, although DHHS may be reconsidering this
  • ICD-9-CM, Vol. 3, Codes would be used for Inpatient Hospital Services until ICD-10-CM & ICD-10-PCS are ready

Many organizations have expressed their concerns about the proposed nationalization of the assignment of the HCPCS Local Codes. Some industry comments have also noted the need for additional specialized codes for nursing services, home health, etc.

Security and Privacy

The DHHS published a Security NPRM on August 12, 1998. The NPRM was essentially a compilation of the typical recommendations of the many different industry standards groups. The most common complaint has been that, while the goals described are terrific, the NPRM is far too specific regarding how they should be achieved.

The DHHS published a Privacy NPRM on November 3, 1999. The law itself anticipated additional Congressional action in this area by August 21, 1999, but gave DHHS the authority to issue regulations if no action was taken. Most sources in and out of government would prefer that Congress pass new legislation, rather than leave this up to the Administration. The Privacy NPRM's provisions are quite wide-ranging, and the BCBSA estimates that it will cost the industry over 40 billion dollars to comply. Many of the provisions are similar to those included in the recently enacted state privacy laws.

Compliance Certification & Enforcement

Certification is an especially sensitive issue, with few industry participants wanting to see an externally directed certification process. DHHS has suggested that enforcement actions will be deferred for a while until they see how things are going. The NPRMs suggest that some industry groups, such as the National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations, might be interested in accrediting some of the affected entities.

One organization that is clearly interested is the Electronic Healthcare Network Accreditation Commission (EHNAC). This group has developed a Standard Transaction Format Compliance System (STFCS) that would be operated by the Washington Publishing Company (which publishes the HIPAA and X12 Implementation Guides), with the assistance of PaperFree Systems. EHNAC has been the key accreditation organization for the health care industry's VANs and Clearinghouses. Health care entities would be able to use this facility to test any X12 HIPAA transactions that they create for compliance with the applicable technical syntax, and for consistency with the associated implementation guide. This would provide specific objective feedback as to whether or not a transaction is compliant with the HIPAA implementation guides.

As for enforcement, Congress prescribed penalties for noncompliance with any provision of the HIPAA mandates. This includes civil fines of up to $100 per occurrence, with a maximum of $25,000 per calendar year for "... all violations of an identical requirement or prohibition...". Thus, with nine transactions included in the mandate, with four new national identifiers, and with a separate mandate on security and privacy, we were expecting that these penalties could total as much as $350,000 per year for up to 14 violations.

But the DHHS is reportedly interpreting the transaction mandates as worth up to four penalties each, with separate penalties for not using a transaction, for not using the standard data elements within a transaction, for not using the standard data values (or code sets) within the data elements, and for not using the transaction as described in the associated Implementation Guide. This interpretation gives maximum annual penalties of up to (4 x 9 + 4 + 1) = 41 penalties at $25,000 each, or $1,025,000, and counting. I say "and counting" because they are also considering imposing separate fines for each major component of the security requirements that is violated. At last count, there were 25 such components.

Implementation

In the May 1998 National Provider ID NPRM, the DHHS estimated that it will cost the typical Blue Cross or Blue Shield Plan or large commercial payer about $1,000,000 to comply with HIPAA. Of necessity, they made this estimate before many decisions had been made regarding who will have to do what, why, how, and when. And it is not a trivial amount. In fact, the first time that they did a cost/benefit analysis, their net benefit figures came out negative. With some help from WEDI they redid it, and the second time they estimated that there will be a net benefit of several billion dollars. The legislation requires that the individual mandates be cost-justified.

Such guesswork aside, many observers are very concerned about how the overall process is working. It is not at all clear whether or not many of the hoped-for benefits will be realized, since so much depends on details that remain to be decided. Unfortunately, when you multiply a detail, such as a $10 difference in what it costs to assign a National Patient ID to each individual, by 250 million affected individuals, or by 1.2 million affected providers, or by 4 million affected payers, you can quickly add billions of dollars to the implementation costs.

Thus, at a minimum, the health care industry is faced with a huge continuing education effort. If we are to make these provisions work for us (or for the US), every sector of our industry will have to repeatedly reevaluate how it does business, and make continuous efforts to educate the standards developers, the DHHS, and Congress regarding what makes either business or technical sense for health care. Thus, the initial HIPAA standards may be less important than the process put in place for updating them.

 



Created on Jan-31-00
Last Modified on Mar-19-00
by Richard Zon Owen
©2000 Hawaii Medical Service Association
reprinted by permission