HIPAA regs
HIPAA dvisory
HIPAAdvisory > HIPAAregs > Claims Attachments Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

Standards for Electronic Healthcare
Claims Attachments

D. Electronic Health Care Claims Attachment Business Use

A health care claims attachment conveys supplemental information pertaining to the services provided to a specific individual to support evaluation of a claim before it is paid. An attachment might contain iometric data; medical history; clinical data (reports, studies, notes); hospital discharge notes; laboratory results; medication information; rehabilitation plans; optical prescriptions; certifications made by the individual and/or the health care provider regarding sterilization, hysterectomy, or other services, as required by Federal or State rules; or other clarifying information for a particular service.

Attachments may be requested or submitted when the supplemental medical information is directly related to the determination of benefits under the subscriber's contract, or when directly related to providing medical justification for health care services provided to the individual when that medical justification can affect the adjudication of payment for services billed by the provider of health care services. Although additional clinical or administrative information may be required following adjudication of claims, such as for post-adjudication review to support quality control, fraud and abuse, or other post-adjudication reviews and reporting requirements, we do not consider these post-adjudication requests for claims-related data to be part of the claims payment process. Therefore, post-adjudication processes are not covered by this proposal. While covered entities may voluntarily choose to use the standard transaction format and structure for requesting and submitting these types of attachments, those transactions are not considered electronic claims attachments as defined in this proposed rule.

1. Electronic Health Care Claims Attachment vs. Health Care Claims Data

Electronic health care claims attachments must not be used to convey information that is already required on every claim. Information needed for every claim is "claims data" that must be conveyed in the appropriate standard claim transaction. The purpose of a claims attachment is to convey supplemental information that is directly related to one or more of the services billed on the claim submitted by the health care provider when further explanation of those services is required before payment can be made by the health plan. There are even some current business practices that include 100 percent pre-payment medical review. This is when a health plan requires a specific health care provider to include certain supplemental information with all claims for a certain type of service.

Over the past few years, health plan rules and policies regarding the additional data necessary to adjudicate a claim have evolved, and in fact, many health plans have begun to limit or reduce their requests for claims attachments. Therefore, it is critical that members of the health plan industry and the health care provider community actively engage themselves in the final development of this proposed rule so that the proposed attachments are indeed those which will yield significant benefits to health care providers and health plans alike.

2. Solicited vs. Unsolicited Electronic Health Care Claims Attachments

[If you choose to comment on issues in this section, please include the caption "SOLICITED vs. UNSOLICITED ATTACHMENTS" at the beginning of your comments.]

In general, health care providers will submit their electronic health care claims attachment information to the health plan for certain claim types, upon request, after the health plan has received and reviewed the claim. This follows the course of claims adjudication today. Health plans may also request, in advance, that additional documentation (the attachment) accompany a certain type of claim for a specific health care provider, procedure, or service. The ASIG refers to this scenario, of sending attachment information with the initial claim, as an unsolicited attachment because a request was not made after the fact, using the standard request transaction. We are proposing that health care providers may submit an unsolicited electronic attachment with a claim only when a health plan has given them specific advance instructions pertaining to that type of claim or service.

We are proposing such a restriction around "unsolicited" electronic attachments, because we believe that there are legal, business, and technical implications for health care providers, health plans, and their business associates for handling and processing unsolicited attachments without prior direction. If health care providers were permitted to submit unsolicited electronic attachments with any claim without prior arrangement with the health plan, there would be a number of issues, including compliance with the Privacy Rule's minimum necessary standards, and identifying the new business and technical procedures health plans would need to develop to review, evaluate, store, return, or destroy the unsolicited documents. Similarly, health care providers would need systems and processes to track submissions and returns.

We also propose that for each specific claim, health plans may solicit only one electronic attachment request transaction which would have to include all of their required or desired "questions" and/or documentation needs relevant to that specific claim. Health care providers would be required to respond completely to the request, using one response transaction. The intent of these proposed requirements is to avoid inefficient, redundant processes. A health plan would not be able to extend adjudication through a lengthy process of multiple individual attachment requests for the same claim: submitting one LOINC request code at a time, receiving the health care provider's response, and then submitting another transaction with another LOINC code for additional information related to the same claim. Nor would a health care provider be able to send bits and pieces of the requested information at different times or dates. We propose this because it seems contrary to the goals of administrative simplification for covered entities to engage in a continuous loop of query and response in order to have a claim processed.

We solicit feedback from the industry on this issue.

3. Coordination of Benefits

There is considerable variation in how health care providers and health plans handle Coordination of Benefits (COB) and the communication of related claims information. However, with respect to electronic attachment requests and responses in a COB scenario, we assume that the primary health plan will request only the attachments it needs to adjudicate its portion of the claim. The secondary health plan would request its own attachments in a separate (X12N 277) transaction sent directly to the health care provider. In health plan-to-health plan (also known as payer-to-payer) COB transactions, the primary health plan may not know the secondary health plan’s business rules, and therefore would not be expected or required to request an attachment on behalf of the secondary health plan.

4. Impact of Privacy Rule

Before implementation of the Privacy Rule in 2003, health care providers often sent the individual's entire medical record to the health plan for the purpose of justifying a claim. Health plans and health care providers indicated that this practice reduced instances for which follow-up requests for more information were needed, since all possible information was supplied at once. That practice was often wasteful and time consuming, and it is now generally inconsistent with the "minimum necessary" standards contained in the HIPAA Privacy Rule at 45 CFR 164.502(b) and 45 CFR 164.514(d). These standards require covered entities to make reasonable efforts to limit requests for, or disclosures of, protected health information to the minimum necessary to accomplish the intended purpose of the request or disclosure. In situations where the minimum necessary standard applies, such as when a covered health care provider discloses protected health information to a health plan for payment, the standards prohibit disclosure of the entire medical record unless the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the disclosure (45 CFR 164.514(d)(5).

The Privacy Rule exempts from the minimum necessary standard any use or disclosure that is required for compliance with the Transactions Rule (45 CFR 164.502(b)(2)); thus, the minimum necessary standard does not apply to any required or situationally required data elements in a standard transaction. For example, if an identifier code were required on all electronic attachment request transactions to create a connection between the electronic attachment request transaction and the associated health care claim, then health plans would not need to apply the minimum necessary standard to that data element to determine whether they could request that information. However, the minimum necessary standard would apply to data elements for which health plans or health care providers may exercise discretion as to whether the information should be provided or requested in the transaction. For example, health plans must apply the minimum necessary standard when selecting the attachment information to be requested in a particular electronic attachment request transaction.

A health care provider may rely, if such reliance is reasonable under the circumstances, on a health plan's request for information, or specific instructions for unsolicited attachments, as the minimum necessary for the intended disclosure. Such reliance is not required, however, and the covered health care provider always retains the discretion to make its own minimum necessary determination.

For health care providers who choose to submit attachment information in the form of scanned documents, efforts will need to be made to ensure that those documents do not contain more than the minimum necessary information.

We solicit comments on the extent to which the use of the proposed electronic attachment standards will facilitate the application of the "minimum necessary" standard by covered entities when conducting electronic health care claims attachment transactions.

5. Impact of the Security Rule

All covered entities need to comply with the Security Rule no later than April 20, 2005, except for small health plans, which must comply no later than April 20, 2006. The Security Rule applies to all covered entities, and, therefore, will apply to the transmission of electronic health care claims attachments. There are four overarching security requirements with which covered entities must comply: (1) Ensure the confidentiality, integrity, and availability of all Electronic Protected Health Information (EPHI) that the covered entity creates, receives, maintains, or transmits; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI; (3) protect against any reasonably anticipated uses or disclosures of EPHI that are not permitted under the Privacy Rule; and (4) ensure compliance with the security regulations by members of the workforce. The types of security measures required by the Security Rule fall generally into three categories: administrative, physical, and technical safeguards. The Security Rule also has standards for documentation and organization requirements. Since the requirements are intended to be scalable, each covered entity must take into account its size, complexity, capabilities, technical infrastructure, and hardware and software security capabilities; the cost of security measures; and the probability and criticality of potential risks to EPHI.

The systems used to transmit electronic claims attachments will likely be the same systems used for other electronic transactions. Therefore, any efforts to comply with the Security Rule should be effectively incorporated into electronic attachment processing.

Most covered entities (with the possible exception of small health plans) will be in compliance with the Security Rule by the time of this proposed rule; and all health plans will have fully implemented their security programs by the time the final rule is published for electronic health care claims attachments.

6. Connection to Signatures (Hard Copy and Electronic)

This regulation does not propose requirements for Electronic Signatures (e-signatures) because a consensus standard does not presently exist that we could propose to adopt, nor does any Federal standard currently govern the use of electronic signatures for private sector health care services. Federal agencies that are also covered entities have to comply with the Office of Management and Budget (OMB) guidance on e-signatures in the context of the Government Paperwork Elimination Act (OMB notice 5/2000, 65 FR 25508) and the Federal Information Security Management Act (Title III of the E-Government Act of 2002). And, while the OMB has responsibility for coordinating and implementing the adoption and use of electronic signature technologies for Federal agencies, this effort is not related to HIPAA transactions per se, and we do not have authority to require the private sector to comply with rules that are only applicable to Federal agencies. At the time of this proposed rule, other agencies and Federal initiatives involved in the evaluation and development of standards for electronic signatures include the Department of Defense (DOD), the National Institute for Standards and Technology (NIST), and the Federal Consolidated Health Informatics Initiative (CHI).

We are aware that virtually all health plans, including the Medicare and Medicaid programs, require signatures certifying certain types of services, such as sterilization, certain rehabilitation plans, and authorization for certain types of equipment. For example, health plans may request a paper copy of the signature page of a rehabilitation plan, or they may accept the response code indicating that the signature is on file. The CDA Release 1.0 requires the acquisition of the signature to be documented via the <signature_cd> component, so there is an accommodation for signature within the standard, but not a requirement for an electronic signature specific to HIPAA.

We solicit input from the industry on how signatures should be handled when an attachment is requested and submitted electronically.

7. Connection to Consolidated Health Informatics Initiative

Several agencies within the Federal government that deal with the delivery of health services, including the Departments of Health and Human Services, Veterans Affairs, and Defense, have adopted a portfolio of health information interoperability standards that will enable all agencies in the Federal health enterprise to "speak the same language" based on common, enterprise-wide business and technology architecture. This program is known as he Consolidated Health Informatics (CHI) initiative. In 2003, CHI targeted 24 "domains" for data and messaging, from laboratory results to vocabulary for nursing, to medications. The CHI initiative looked to the private sector to identify particular electronic health clinical data standards for adoption, researched these standards, and is now beginning to build the plan to implement them within Federal agencies as program requirements dictate. On May 6, 2004, the Secretaries adopted standards for 20 domains and subdomains; among others, these included: HL7 messaging standards for clinical data, NCPDP standards for ordering from retail pharmacies, IEEE1073 to allow health care providers to monitor medical devices, DICOM to enable images of diagnostic information to be retrieved and transferred between devices and workstations, LOINC for the exchange of clinical laboratory results, SNOMED CT for certain interventions, diagnosis and nursing terminology, and a variety of terminologies for medications. We include a reference to CHI here to clarify that while the Federal government is reviewing and adopting standards for its intra-agency communications, these are not inconsistent with the private sector, with whom significant transactions are exchanged, and that furthermore, the work and outcome of CHI related activities do not conflict with HIPAA. Indeed, CHI has adopted HIPAA standards as the standards for the exchange of administrative information. The complete list of adopted standards and other details about CHI may be found at http://www.egov.gov or http://www.whitehouse.gov/omb/egov/gtob/health_informatics.htm.

8. Health Care Provider vs. Health Plan Perspective

[If you choose to comment on issues in this section, please include the caption "PROVIDER VS PLAN PERSPECTIVE" at the beginning of your comments.]

Health care providers and health plans regard claims attachments quite differently. Health care providers would prefer to keep attachments to a minimum and regard requests for additional claims-related information as unnecessarily lengthening the payment cycle. Health plans consider the use of attachments as a necessary tool to ensure appropriate payment decisions, maintain quality assurance, and minimize fraud and abuse. What a health care provider may regard as an unnecessary and/or onerous request for information may be viewed by the requesting health plan as critical to ensure that payment is being made according to the provisions of the patient’s policy and benefits, for which the health plan pays. This rule does not propose to set out requirements for the appropriateness of requests for additional information. However, the proposed attachment standards are designed to reduce miscommunication and multiple requests for information by providing specificity to both the request for information and the response, and by establishing specific limits to the content of the attachment.

Health Care Provider vs. Health Plan Implementation: In accordance with 1175(a) of the Act and 45 CFR part 162, §162.923 and §162.925, health plans may not reject any electronic transaction simply because it is being conducted as a standard transaction. This applies to the proposed transactions for electronic health care claims attachment requests and responses. So, for example, a health care provider may direct a health plan to send any request for additional documentation to it or its business associate in standard form, for those attachment types for which a standard has been adopted here, and the health plan must do so. The health care provider may also request that the health plan accept the attachment information in the standard response transaction.

However, as we have stated in the past, we do not believe that the use of a standard transaction can create a business relationship or liability that does not otherwise exist.

9. Health Care Clearinghouse Perspective

Health care clearinghouses are covered entities under HIPAA, and must be able to accept and transmit a standard transaction when asked by a health care provider or health plan for whom they serve as a business associate for those functions. Since both health care providers and health plans have dependencies on the health care clearinghouses, it is imperative that the health care clearinghouse industry participates actively in the rulemaking process, standards review, and implementation assessment as well. It would be helpful if health care clearinghouses were among the first of all entity types to come into compliance with these standards so that testing between trading partners—health care providers and health plans—could be executed in a timely fashion.

[Top of Page] [Previous] [Next: Content & Structure]