[This Transcript is Unedited]
Hubert Humphrey Building
200 Independence Avenue
Washington, D.C.
Call to Order and Introductions - Dr. Cohn
Panel Discussion of Early Implementers:
Industry Solutions for Implementation of Administrative Simplification
Standards that will be Required by HIPAA
Panel Discussion of Early Implementers:
Geographic Perspective on Implementation of Administrative Simplification
Standards that will be Required by HIPAA
DR. COHN: Good morning. I want to call the meeting to order, if everyone will be seated. I think we are on the internet at this point. My name is Simon Cohn. I am the chair of the subcommittee on standards and security for the National Committee on Vital and Health Statistics. This is the second day of hearings on administrative simplification. I want to welcome the subcommittee members to the second day, as well as HHS staff, and others that are here in person, including our panelists. I also want to welcome those on the internet to this second day of hearings. I want to remind everyone, and remind everyone each day of the hearings that, because we have people on the internet, we need to remember to speak into the microphone, so that they can hear us, both when we are testifying, as well as when we are asking questions. Otherwise, we may all understand each other, but I think they are going to get a very garbled message over the internet. Obviously, as I have mentioned, the focus of the hearings, both yesterday and today is on administrative simplification.
Our role in all of this, as you know, is to both advise the Secretary on recommendations regarding HIPAA, as well as track implementation for both HHS and Congress, to identify implementation issues and barriers and recommend ways to mitigate these issues. I think we should now have introductions around the table and we will talk about the first of two panels this morning. For those on the internet and in person, we expect to be adjourning around 1:00 o'clock today.
I am Simon Cohn, chair, member of the NCVHS, national director for health information policy from Kaiser Permanente.
MS. FYFFE: Kathleen Fyffe, member of the committee, and I work for the Health Insurance Association of America.
MS. FRAWLEY: Kathleen Frawley. I am a member of the subcommittee and I work for St. Mary's Hospital in Passaic, New Jersey.
MS. BALL: Judy Ball from the Substance Abuse and Mental Health Services Administration, and staff to the subcommittee.
MS. STAHLECKER: Chris Stahlecker. I am with the Blue Cross Blue Shield Association.
MR. ZIMMERMAN: I am John Zimmerman from Health Care Data Exchange and Shared Medical Systems Corporation, subsidiaries of Siemens.
MR. BEATTY: Gary Beatty, president of Washington Publishing Company.
MS. KRATZ: Mary Kratz with Internet2.
MS. GALLAGHER: Lisa Gallagher, Exodus Communication.
DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Research and Quality, liaison to the National Committee on Vital and Health Statistics, co-lead staff on the computer-based patient record working group.
MR. GELMAN: I am Bob Gelman. I am a privacy and information policy consultant here in Washington. I am a member of the committee.
MR. BLAIR: Jeff Blair, member of the committee, and I am with the Medical Records Institute.
DR. BRAITHWAITE: Bill Braithwaite, office of the Secretary, HHS, and staff to the committee.
MS. TRUDEL: Karen Trudel, Health Care Financing Administration, staff to the subcommittee.
DR. COHN: Would those in the audience please come to a microphone and introduce yourselves?
MR. FINEMAN: Brad Fineman, Care First, Blue Cross Blue Shield.
MR. LANDEN: Richard Landen, Blue Cross Blue Shield Association.
MR. EMORY: I am Jack Emory with the American Medical Association.
MS. MEISNER: Debbie Meisner, with ENVOY Corporation.
MS. EMERSON: Mary Emerson, Health Care Financing Administration.
MR. CARTER: John Carter, Health Care Administration, and chairman, Oklahoma Uniform Billing Committee.
MR. TAVARES: Luis Tavares, practice director, Computer Science Corporation, national health care practice.
MR. BECHTEL: Don Bechtel with SMS and HDX.
MR. KILLIAN: Bart Killian, Utah Health Information Network.
MR. BARTHOLET: Eric Bartholet with Computer Sciences Corporation.
MS. GUILFOY: Helene Guilfoy with IMG Health Care Consulting.
DR. COHN: Thank you for all coming. Larry?
MR. WATKINS: I am Larry Watkins, Per Se Technologies.
DR. COHN: The purpose of this hearing is to really talk with the early implementers from various health care industry segments. We heard yesterday about problems encountered with implementation, either real or planned -- I guess identified problems is probably the best way to describe it. Hopefully today we are going to be able to begin to talk more about tools or solutions developed to address the issues. We are hoping that this panel may, among other things, help us with identifying some solutions to the problems we were hearing yesterday. With that, we should probably start the panel. Christine Stahlecker, would you like to begin?
MS. STAHLECKER: Good morning, Dr. Cohn, and members of the committee. My name is Christine Stahlecker, and I work for the Blue Cross Blue Shield Association as manager of the electronic commerce national standards unit within the interplan programs division. I very much welcome and appreciate the opportunity to be a member of this panel. My discussion today on HIPAA, early implementation and industry solutions, is from a payer perspective.
This discussion shows that the health care industry needs leadership for the implementation of the HIPAA administrative simplification standards. We propose and intend that that leadership be achieved by the WEDI strategic national implementation process, and we request the support of NCVHS in this effort. There have been two primary factors affecting my perspective and influencing this request. The first factor was the experience or lessons learned while working for the Empire Blue Cross Blue Shield Plan.
During my time with Empire, my responsibilities were primarily for the front end application systems and supporting business procedures. This experience is relevant, because the insights gained from developing and maintaining this environment over time mostly parallel the activities that will be faced by payers implementing the HIPAA standards.
The second factor has occurred since joining the Blue Cross Blue Shield Association, and that has been the responsibility to serve member plans by being responsive to their requests regarding HIPAA implementation and compliance. Some specific plan requests and the association response will be highlighted to share a sense of what steps the Blues are taking now toward HIPAA compliance.
The format of the lessons learned discussion is a chronology of events that will start with reference to a implementation of a HIPAA standard and point out conclusions from that project. These lessons learned, combined with an appreciation of the scope of HIPAA, resulted in the next discussion point, a search for industry coordination, a search for leadership for the implementation of HIPAA standards and those results will be reviewed. Next, the steps taken to initiate a collaborative effort surrounding HIPAA implementation will be discussed. That is the WEDI Strategic National Implementation, or SNIP, initiative.
Finally, the Blue Cross Blue Shield support services to member plans will be discussed as a parallel effort and a link back to WEDI SNIP. The experience referenced as lessons learned was part of a proof of concept project initiated by the Health Care Financing Administration, the long-time leader of health care EDI implementations.
The standard transaction involved was the claim status inquiry. The proof of concept project was conducted by a virtual project team made up of Medicare contractors that included the co-chairs of the X12N claims status work group, as well as several contributing authors of the implementation guide. Partner providers for each contractor were included, and vendors supporting those providers.
Meetings were held most often by conference call and project materials were posted on a web site. At Empire, the project included the receipt of the 276 inquiry transaction from both institutional and medical provider trading partners. Interfaces were built to both the Medicare Part A and Medicare Part B claims processing systems. Claims were located using the matching data from the inquiry retrieved, and the 277 response formatted and returned to the requestor. After assessing the project, five lessons learned are listed here. It is important to note that, although the claims status transaction is referenced, it is an example.
Similar situations are likely to occur with other HIPAA standards. The point is that implementation delays may be caused by reasons unrelated to the HIPAA standard. The delays we experienced represent opportunities for others to avoid the same pitfalls, if common solutions can be reached and communicated. Number one, there were interpretation issues that were not evident until data from the transactions was introduced into an adjudication system and/or returned from one.
Examples from the claim status implementation include provider number on the inquiry and claim status code on the response. For example, is the provider number supposed to be the billing number, the group number or servicing provider number, and can a billing agent inquire on a claim. Can a no-match-found status code be differentiated when there is a missing claim from when there is matching criteria that is unmet. Interpretations of such ambiguities and communication of processing solutions need to be shared across the industry to achieve maximum benefits and efficiencies of HIPAA standards, and to meet provider expectations of consistency.
The number two lesson learned, test environment was inadequate. This situation was totally unexpected, since the test environment at Empire had received recognition as an industry best-practice solution. However, the telecommunication connectivity protocol was being upgraded at the same time as a new claims status inquiry capability was being prototyped.
This situation required several work-around solutions that added to the overall elapsed time. A lesson to be learned is that payers and other entities may want to leverage the implementation of HIPAA standards as rationale to migrate from legacy telecommunication protocols to TCPIP or internet protocols.
This can be a valuable side benefit, but it should be part of the implementation strategy and plan, if there are dependencies on its availability. It can also be anticipated that payers and other entities may be required to enhance their trading partner test environments to accommodate the implementation of HIPAA standards. This resource requirement is incremental to simply testing the transactions for implementation. It may not be apparent when estimating and sizing the work effort. This can also be a valuable side benefit, if pursued, and should be part of the implementation plan.
The number three lesson is that on-line response time needed to be monitored, even though the transactions were batched. The claim status inquiry tests conducted by our institutional provider were well-planned, extensive and well-coordinated. However, the volume test required special monitoring to make sure that on-line response time for interactive users was not negatively affected.
Although the in-bound transaction was batched, it accessed data bases used in our on-line production environment, and therefore, had the potential to impact the response time of the interactive users. In a proof-of-concept environment, this situation was manageable. However, in a production environment, it would be too resource intensive to monitor each new user testing the claim status inquiry transaction. This reaffirms the need for end-to-end test systems and environments that simulate production.
The number four lesson learned, the telecommunication capacity was an issue. As a payer, we initially expected that the provider would send a submission with several inquiries on individual claims and expect to receive a single claim response for each inquiry. The medical provider, however, desired the ability to receive status on all claims for a particular subscriber within a date range. This resulted in several claims being returned for a single inquiry, and that complicated response time agreements and balancing procedures.
Traditionally, the drivers of new electronic capabilities that cause upgrades have been introduced slowly as continuous improvements. The HIPAA administrative simplification mandate requires the implementation of potentially nine new transactions, counting institutional, medical and dental claims separately, in a 24-month time frame over a telecommunication network, while maintaining production. Sizing the network upgrade, assessing the application performance, and modifying procedures such as balancing would be complex and costly, if many outlier situations occur. Realistic estimates and common work flow could be derived if there are consistent interpretations and agreed- upon implementation sequences for the standards, so that the industry focus could be maintained through issue resolution.
Number five and final lesson learned, EDI agreements, authorized signatures on file and security arrangements were given special consideration during this project. However, it is recognized that policies and procedures must be established for each new transaction. The claim status inquiry proof-of-concept project highlighted the potential requirement of contextual-based access authorization.
Can a billing service look at all claims for a contracted provider, or only those claims submitted by the billing service? Even though the final rule on security is expected to follow the final rule on transactions, existing security procedures must be followed at a minimum. This may result in a service bureau being given access by some payers and denied by others. However, such occurrences could be minimized with industry collaboration.
The claim status inquiry proof-of-concept project seemed to be a straightforward implementation, and well staffed, since the teams included members familiar with EDI and the standard. Yet, only the institutional transaction was successfully implemented into production, and the project required approximately nine elapsed months. Although successful as a proof of concept, when considering a national HIPAA implementation, such an elapsed lead time for each entity and for each transaction is completely unnecessary.
Why should each entity rediscover the complexities of every transaction? It is recognized that sharing interpretations and experiences among the members of the proof-of-concept project team had great value for all participants. The industry would benefit from a similar common forum to address issues related to the overall implementation of the HIPAA administrative simplification standards. If this approach could be applied to other standards, it could serve to shorten the learning curve, avoid different interpretations and different solutions to any ambiguities encountered.
This realization initiated a search for leadership of an industry-wide coordinated effort for HIPAA implementation. The Blue Cross Blue Shield Association representatives met with HCFA, the most likely leader, given their history of initiating such efforts, and inquired whether or not HCFA was planning to establish a HIPAA implementation team and, if so, could the Blue Cross Blue Shield Association and plans participate.
At that time, HIPAA did not expect to initiate such an effort and did not know of any organization working on such an initiative. HCFA thought that the idea had merit, expressed interest in being a participant, if such a group was created, and stated that all health care entities would need to be represented, not just the Blues and HCFA.
Further dialogue identified WEDI as the most appropriate organization to initiate such an effort. A similar conversation took place with HHS. Again, no coordination activities were planned. Such an effort would greatly benefit HIPAA implementation, but the responsibility would need to be within the health care industry. WEDI was again identified as the appropriate organization for this initiative.
The chair of WEDI, Lee Barrett, from CBSI, was approached with the idea of coordinating a HIPAA strategic national implementation process. He suggested that a proposal be made to the board of directors at their February meeting for their consideration. Association staff made the proposal to the WEDI board. It was approved and co-chairs named. I am pleased to serve in that role, along with my colleague, Larry Watkins from Per Se Technologies.
The strategic national implementation process, SNIP, was announced at the WEDI annual conference in March, and a brief impromptu meeting held to assess interest and to begin the forming process. Over the next several months, an informal outreach was conducted to seek out any industry activity regarding HIPAA implementation, to introduce SNIP and to request participation. This outreach activity is still in process and expected to continue.
We learned that many initiatives were underway, and all contacted expressed interest and willingness to contribute to SNIP from their experiences, and participate in issue resolution. In June, a WEDI industry forum was held to announce SNIP and share its vision, mission and purpose, which is attached. At that time, the three work groups -- security, education and transactions, and their co-chairs -- were introduced. The transaction group subdivided into five groups -- sequencing, translations, transactions, testing and business issues, and selected co-chairs. All groups convened work sessions.
The purpose of SNIP is to address HIPAA implementation obstacles by creating an industry collaborative effort to reach consensus surrounding the resolution of processing issues, structure, order and priority of the mandated standards, and to set trading partner expectations regarding this process change.
All of these activities are focused on the deliverable of implemented standards in an expedient manner with efficient use of resources. The communication approach of the strategic national implementation process is similar to the virtual project team used for the proof-of-concept project. However, this is not intended to be a test or a prototype. Communication will be primarily by conference calls and supported by a web site to distribute materials.
Initial steps to form the group of participants are to conduct an outreach that will identify existing implementation activities, seek out the experiences of those early implementers, and serve as an information of their lessons learned for other implementers. Attention will be focused where differing interpretations of the standards exist, and efforts directed toward reaching industry-recommended solutions and best practices.
The SNIP co-chairs look forward to keeping the NCVHS Subcommittee on Standards and Security apprised of progress and issues, and we seek your recognition of the WEDI SNIP to assist in drawing HIPAA implementers as participants. Without such a coordinated effort, the risk is high that inconsistent interpretation and implementations will occur.
Finally, what is the Blue Cross Blue Shield Association doing to support HIPAA implementation, industry solutions among its member plans? There are several initiatives that are direct responses to concerns raised by our members. Plans have requested HIPAA training for extended staff at the various locations.
The association has developed the HIPAA Institute that offered 15 sessions in the introductory series, including a HIPAA overview, a HIPAA assessment tool kit, tutorials on each of the 10 transactions, code sets and identifiers, security and privacy. Each of these sessions is attended by conference call, and the materials are distributed through our internet. Plans are encouraged to use these materials when training their trading partners, not only to reduce redundant development of training materials, but also to deliver a consistent message. With 13 sessions delivered, attendance is still high and feedback has been positive.
During the fourth quarter last year, an executive level HIPAA briefing was requested and, in April, the association held an executive briefing with a target audience of chief operating officers and chief information officers. Our CEO participated in that presentation, as well as our officer responsible for interplan programs and officer of senior markets. That includes Medicare. The conference was well attended and received favorable evaluations. Plan staff requested a HIPAA implementation team conference, targeting the plan's management personnel and direct reports that are charged with implementing HIPAA. This three-day conference will be held later in July, and registrations are high, with most plans sending several attendees. The conference agenda includes the introduction of Blue SNIP, that will include not only plans that are unable to participate directly with the WEDI SNIP effort, but also be a forum to address HIPAA issues related to Blue Cross Blue Shield business.
In summary, there are many activities moving forward with solutions for early HIPAA implementation, but the publication of the final rule is urgently needed to maintain this momentum and industry focus. Prior successful implementations were due, in part, to the opportunity for communication, sharing ideas and solutions, and a coordinated focused direction by a leader. We believe the WEDI strategic national implementation process can be that coordination point and seek support in making it so. I thank you again for this opportunity to address the subcommittee.
DR. COHN: Thank you very much. Larry Watkins?
MR. WATKINS: Thank you. I have actually given the committee two handouts. The first one is the testimony and the second is what we are calling report one for SNIP, which is really just a report of much of what Chris has said, and also what occurred at the first of many SNIP meetings. We are just getting started, as you heard from Chris' testimony.
I want to also thank you for the opportunity to testify today. I think you will see that there is a little bit of a different perspective between the two co-chairs, not disagreement at all, just a different perspective. I think that will be very clear. While some of this may seem redundant, I think you will appreciate the different approaches and different perspectives that we have.
We think the Work Group for Electronic Data Interchange, or WEDI, efforts that we have taken on for the national implementation coordination of HIPAA administrative simplification -- namely, the strategic national implementation process or SNIP -- by the way, I have gotten over the name. I hope you will get over it also.
My name is Larry Watkins. I am the director of e health and HIPAA strategies for Per-Se Technologies, which globally delivers integrated financial and clinical software solutions, business management services, and clearinghouse and e health services to about 33,000 physicians nationally. I am a member of the WEDI board and the co-chair of the WEDI SNIP effort, along with Chris Stahlecker. I also co-chair the ASC X12 health care task group and am the immediate past chairman of the board of the Association for Electronic Health Care Transactions, or AFEHCT.
WEDI formed the Strategic National Implementation Process task group to meet the immediate need to assess industrywide HIPAA implementation readiness, and to bring about the national coordination that is necessary for successful compliance. The purpose of SNIP is to identify implementation issues, best practices, model work flow scenarios, and to mitigate national deployment obstacles.
For the purposes of my testimony today, I am focusing primarily on the implementation of transaction sets, codes and identifiers within administrative simplification, and that is mostly just for the sake of time. As you are well aware, the health care industry has contemplated standards for EDI, now known as B2B e commerce, for as many as 25 years. We didn't always call it the same thing, but we have been doing this for a long time.
Within our industry, EDI has been indisputably cost justified. Standards have been developed, industry groups have collaborated, and many efforts have been made to deploy EDI standards. Much of this has been to no avail, in terms of an industry-wide use. WEDI said it well in its 1993 report. Mass deployment of EDI and health care introduces challenges not found in any other industry.
Why is this? Simply put, the number of industry stakeholders and the lack of consensus-based industry collaboration has led to industry fragmentation. That fragmentation goes all the way to the definition of individual data elements and codes within our standards, such as the national standard format which we call the non-standard format.
Health care is still a regional business and standards have been virtually impossible to deploy in a consistent fashion and to implement in this fragmented environment. The fact is, however, that the mere adopting of standards accomplished by HIPAA administrative simplification is only the beginning of the solution. Implementation of these standards is now the challenge faced by the industry, and we have only two short years to accomplish this seemingly insurmountable task.
Why is it such a challenge? We live in an administrative reality of non-standards and locally defined data and code definitions. Nationally deploying the transaction standards, code sets and identifiers will present a task of unprecedented scale in our fragmented industry. It simply has never been attempted before. Moreover, it dramatically affects the administrative processes, systems and information exchange that have a direct impact on the revenue and cash flow for most of the affected entities.
This process will clearly need strong industry- wide collaboration and coordination. As an example of the level of coordination necessary, I want to talk for just a minute about my own company, Per-Se Technologies. Per-Se is the largest physician billing service in the United States and the third-largest technology vendor in the industry. We provide services and systems to providers in 48 states.
So, as you can imagine, Per-Se is positively anticipating the standardization and simplification that HIPAA will bring to our everyday operations. However, without the national coordination that we believe WEDI SNIP will provide, the process of getting to these standards could greatly undermine our business.
Per-Se has three major concerns that we believe an effort like SNIP can help mitigate. First and foremost, we believe SNIP can provide a recommended deployment schedule for the transactions and code sets that will bring about industry-coordinated ordering, timing and grouping of transaction implementation. We believe that if such a recommended schedule exists, it will give Per-Se and other vendors the leverage that we need to encourage our trading partners, especially the health plans, to adopt this schedule as opposed to the hundreds of individuals processes and schedules that we would have to deal with, without it. While we know that implementation following such a recommended schedule will not be perfect, it will go a long way in setting expectations and providing the coordinated deployment that is critical for industry-wide success.
Second, we know that the X12N implementation guides and data dictionary are not perfect. It may come as a shock to some of you, but to the co-chair of the health care task group, it does not. There will continue to be ambiguities and gaps identified, particularly as implementation of these standards moves forward. We believe that it is critical that there be a nationally-recognized entity like SNIP to which the industry can bring these issues for coordination. In the initial deployment, the standards cannot be changed. So, the industry-wide need exists for coordination on definitions, clarifications and work-arounds, to bring solutions for the purpose, and only the purpose, of implementation. This process will not supersede the change process of the standards and data content organizations for the next iteration of the standards, although we would certainly expect to provide input into that system.
Third, the issue of testing is of critical importance to the vendor community. Aside from nationwide deployment itself, testing is the most time-consuming part of implementation. We believe that there can be reasonable recommendations made by WEDI SNIP to indicate appropriate levels and methods of testing for trading partners, without compromising the scrutiny that is essential. AFEHCT has been discussing the need for national implementation coordination for HIPAA for a few years now. Within the administrative simplification work group of AFEHCT, which I also co-chair, we have done quite a bit of work along these lines.
This work includes identifying national deployment issues and drafting five white papers addressing the following areas. This effort was led by Don Bechtel within AFEHCT, who you heard from yesterday. HIPAA awareness building and communication plan, sequencing of the implementation of HIPAA requirements, transactions and code sets, business front-end edits, model contract language clauses, and HIPAA testing and certification assumptions and work plan. These papers will be critical input pieces to the SNIP effort.
ASC X12 has also seen the need for implementation coordination for a number of years. The HIPAA implementation and coordination work group within X12N was established in 1996. This group was very involved in the development of the memorandum of understanding between X12 and the other associations designated within HIPAA for data maintenance. This work group also acts as a liaison between X12 and outside organizations for the implementation of HIPAA.
Even the National Committee on Vital and Health Statistics has discussed the need for an effort like WEDI SNIP, and I have included some comments in my testimony that I think relate very much to what we are trying to accomplish. So, just to quickly give you an overview of the SNIP organization and where we are today, WEDI SNIP is unique, we believe, from other industry efforts, in that it provides a coordination point for the industry for the formulation of solutions and recommendations in an ongoing fashion, specifically related to barriers to successful implementation.
To accomplish this, three work groups have been established within SNIP. The first is the transactions, code sets and identifiers group, whose purpose and scope is, first, to assure general industry readiness to implement the HIPAA standards, something that you all have talked about now since at least February. Second, recommend an implementation time frame for each component of HIPAA for each entity -- providers, payers, clearinghouses. Third, conduct testing and/or compile testing results for HIPAA transactions. Fourth, where there are interpretation issues or ambiguities within the HIPAA EDI component, establish opportunities for collaboration, compile industry input and document the industry best practice resolution or next steps.
Next is to identify and recommend resolution of transaction standard ambiguities. Finally, identify and recommend resolution of standard code set issues. The second work group is the education and awareness group, whose purpose and scope is, first, to identify education and general awareness opportunities for the health care industry to access. Second, create the SNIP web page as a single HIPAA site for administrative simplification awareness, and implementation issues and recommendations. This site would link to other key sites as well. Third, identify strategies for education and awareness to occur across the industry. Fourth, to identify and disseminate industry best practices identified by SNIP.
Finally, determine the appropriate communication vehicles to do all of the above. The third group is the security group, whose purpose and scope is, one, to identify issues and a process for establishing the HIPAA program management office, second, to identify issues related to conducting a HIPAA security assessment, and third, to identify other industry initiatives, some of which you will hear about in a moment, which are working on resolving ambiguities in the securities regulations.
As the industry begins to wrestle with the HIPAA requirements, SNIP plans to bring together different industry groups via conference calls and meetings, to identify, discuss and resolve HIPAA implementation issues. In addition, SNIP plans to disseminate the appropriate information via a series of periodic reports, list serves, and a planned web site.
We, within WEDI, believe that the SNIP effort will begin dialogue to address industry consensus on model processes and procedures, and that the work of SNIP will result in a long-term approach to addressing the significant changes occurring within our evolving health care environment.
Thank you for the opportunity to share our initial efforts with you today. If you want to highlight a sentence in this testimony, it is the last one. We would request that NCVHS allow us to regularly provide updates as we progress in this effort.
DR. COHN: Larry, thank you. Jon Zimmerman?
MR. ZIMMERMAN: Good morning, everyone. Mr. Chairman and members of the committee, I am Jon Zimmerman, the general manager of HDX and the senior manager of HIPAA initiatives for shared medical systems, both of which are wholly-owned subsidiaries of Siemens Corporation.
On behalf of HDX and SMS, I want to thank you for the opportunity to testify today, as an early implementor of administrative simplification. In the interest of brevity and your time, I would like to include, by reference, the descriptions of HDX and SMS, as presented yesterday by my colleague, Don Bechtel. To my knowledge, nothing of significance has changed between yesterday and today. [Laughter.]
What I will add is that, in the last year or so, I have directly spoken to, or been engaged in over 100 various provider, payer or industry forums or discussions. Many of these are working directly with the health systems senior management team to kick off their HIPAA preparation initiatives. Thus, I am bringing a significant amount of listening and collective practical experience in my remarks to you today.
What I will attempt to do today is to shed some light, based on our team's experience, on how we, as an industry, can cope with HIPAA's mandates in an economically challenged, highly fragmented, complex, technologically and culturally diverse environment. To do so, I will try to put my remarks in the context of our view of HIPAA, identify how this relates to the health industry, describe why it is important to fit with other relevant business and industrial environmental factors, provide some examples of progressive and valuable initiatives currently underway, and then provide a few observations and recommendations and tie it all back together.
Let's start with security of description. I know this committee is very familiar with HIPAA and its administrative simplifications. To set my remarks in context, I would like to just very briefly review administrative simplification's construct and specifically security.
First, I am hopeful and confident that we will be proven right in our support of the validity and construct of this legislation and attendant regulations. The fundamental approach of adopting standards has visionary aspects in its broad and long-term implications. To adopt means use what works. Do not create what you do not have to. Standards implies what has been agreed to, in either a formal or informal, de facto consensus process. HIPAA needs to stand the test of time in an era of unprecedented and rapid technological change. When HIPAA was in its formative stages, the commercial and consumer use of the internet was essentially non-existent.
Today, the internet has profoundly and irreversibly affected our economy, our culture and how information, knowledge and commerce are exchanged across the globe. Even with such a monumental change, HIPAA is extremely relevant, applicable and perhaps essential to the industry. My compliments to the visionaries who engineered legislation that is already proving that it can stand the tests of time and rapid change.
HIPAA's five security tracks, upon which I will based my remarks are, administrative procedures, how one defines, communicates, administers and monitors acceptable practices to protect the confidentiality of patient information and business operations. Physical safeguards, how the information is physically protected from disclosure or harm, destruction and damage. Technical security services, how to assess the information is enabled for only those who need to know, within the context of their responsibilities at a given point of time. Technical security mechanisms, how the information is properly protected during transmission and storage. Finally, electronic signature, how to ensure those who use electronic signatures as part of their business processes can irrefutably, uniquely and specifically be identified.
Let's talk for a minute about the affected parties. When one considers the scope and access to individually-identifiable health information, it is difficult to imagine how anyone is not affected by HIPAA security. Payers, providers, health information clearinghouses, plus their trading and business partners, encompass a wide spectrum of American industry. Most of us have had some sort of proactive or reactive health care in the last two years. Most of us have a doctor or a health care facility where we can receive care in a relatively short period of time. Most of these facilities have some sort of electronic processing for billing or other administrative functions. Many of these businesses are somehow electronically interconnected and getting more so every day.
The connections carry individually identifiable health information, and each of the systems, for some period of time, store and maintain these data for the purposes of delivering care and reimbursement for care delivery. Thus, the scope and complexity of securing information in this vast and dynamic environment is both daunting, yet imperative. Measured steps toward well-defined desired outcomes that allow the industry to leverage its existing practices and infrastructure are a critical component to our future security.
Further, we must be prepared to blend our industry's efforts with those of the rest of the American or international commerce, so we can quickly and confidently take advantage of proven advancements and economies of scale. HIPAA has its own dynamic tension. Like many great works of art, HIPAA possesses within itself a constant dynamic tension, two forces pulling against one another, eternally struggling for balance. These forces are those of efficiency and security. The nature of our health care delivery and payment systems demand that many parties be involved with each episode of care.
Each episode of care carries with it a certain amount of information. The more complex or unusual the case, the more data must be managed. Easy, open access to anyone who needs to see or use the data would logically be the best path to these new efficiencies. Interconnected networks of computers of any impacted parties would help improve access and efficiency while reducing costs. This is a recipe for privacy disaster. Information security, by its very nature, is intended to restrict access to the fewest number of possible parties.
So, how can one improve efficiency by providing efficient access, while improving security practices to improve individuals' rights and business operations. This is precisely why I am here. No one has figured it out yet. So, what is this relationship to the health industry. We need a base of security practices. Part of the good fortune we have is an environment where people inherently care about how they do their work and how they protect their patients.
To that end, protecting privacy via good security practices is somewhat institutionalized and ingrained in our culture already. Many of our payer and provider customers have solid security policies, procedures and practices in operation today. Certifying and monitoring them against defined and measurable standards is where much work lies ahead of us.
We have a head start, but a long race to run. Why? Because so many health businesses are reaching out further beyond their current systems and networks to attract new customers or reduce operational costs. Thus, we have a moving and expanding target, targets that will affect profound change in the operation of the businesses that make up this industry.
To illustrate these points, I have included a few of the following charts that contain data from studies by Cyber Dialogue, a company in New York, an internet consumer- based behavior research firm. What it essentially points out is that, about now, we are heading toward more and more e health consumers using the internet and open technology and providing wide and broad access.
Following that is a brief review of who we know today are the e health consumers and how they make up the industry. Many are women. Many purchase something off line after seeking information. The sweet spot is 51 percent between 30 and 49. Forty-one percent of the survey respondents are college graduates. Less than half do order products on line. A significant number are over 50, and the rest are between the ages of 18 and 29 with a very sizeable annual income.
The content they seek, by far, is about disease, followed by nutrition, drugs, women's, alternative, fitness, children's, providers and insurance information. What is interesting is that, as you drill deeper into this information, you find that what people seek is different based on their demographics, and fitness is one of the growing concerns in the geriatric field. Then, of course, there are trusted e health content sources. Where do people go to seek the information and how do you ensure that their seeking is private and so forth.
Well, most of them go to their own doctor, a national expert or directly to a hospital, demonstrating what was mentioned earlier about the regionalization and localization of health care, and how people are using the internet for that. This leads to some significant concerns. The most significant areas of concern are in how to change or enhance secure operations in this environment and the economic impact of doing so.
Changes require investment. Positive and progressive change requires solid understanding of one's current state of affairs, clear depiction of goals, and a solid set of interrelated steps forward. All these take time and cost money to do well. These changes fall upon the provider industry just as we are under some of the most severe economic constraints in history. Hospitals are running at their lowest margins in recent memory and more are in the red than ever before. Couple this with the impending effects of the outpatient prospective payment system, where top line revenue will be reduced with no attendant reduction in cost, thus, creating more pressure.
Of course, this follows a unique year, where much of the information technology investments went toward just staying in place -- that is, Y2K preparation -- as opposed to making investments to improve efficiency. We are now reaching the triple witching hour of thin or non-existent margins, declining reimbursements and increased demand for security investments to satisfy pending regulations. Thus, every drop of leverage or economic value we can squeeze out of HIPAA investments is vital to the overall success of the industry.
The relationship to our current business environment. Fortunately, the health industry is not alone. E business has invigorated our economy and exciting new innovations are boiling all around us. Moore's law of computing, where costs will drop 20 percent per year and speed will double every 18 months is still in effect. Interconnecting businesses, processes of suppliers, customers, partners, consumers, through standard- based computer networks is driving innovation and attracting investment across this country and the world.
What does this mean to us? Well, as other industries solve problems and create new efficiencies by adopting their standards, health care can reap the same rewards. Just look at the last two cover stories from Information Week. On July 3, they covered the federal legislation, raising the validity of electronic signatures to legal status of paper-based signatures.
This could relieve our industry of the burden of coming up with our own standard to develop, maintain and enhance. Now, look at the July 10 issue. There is a recognized gap between what the companies have in place for computer security and what they know they need. This breeds opportunity and attracts investment, yet another chance to leverage other successes for our own.
Finally, consider the impact and rapid proliferation of cell phones, the palm pilot and other hand- held devices in the last 18 months. We are clearly extending from our base as a mobile society, to a mobile work force, to mobile work that demands mobile data. Health care is no different, and we are compelled to learn better and faster about how to capitalize by adopting technologies and standards from any industry that makes sense. With so much of our national corporation information in assets traveling around on wires and through cellular networks today, it is easy to see why information security and privacy are emerging as national business priorities. This is evidenced by the news broadcast just on Wednesday of this week. At least two national news programs -- I can only reference two, because I can only watch two at a time -- featured privacy and security as featured stories.
Fortunately, there are some encouraging examples of leaders taking charge and moving forward today. On both a national and regional basis, there are a number of interrelated initiatives underway. I will mention just some of them, but by no means does my lack of inclusion of any particular initiative indicate a lack of respect or value for the works in progress.
A few that come to mind are the CPRI tool kit. This work has proven to be one of the definitive efforts on how to gather and document best practices as it relates to protecting computer-based patient records. Drs. Ted Cooper from Kaiser Permanente and Jeff Coleman from Georgetown continue to lead the efforts to attract examples of how people can protect, store, transmit and manage patient information safely and securely.
The security summit. This initiative was created as a result of the early industry broadcasts about what HIPAA security was all about, and how the industry should begin to prepare. John Parmagiani, at the time from HCFA, Barbara Clark, Bill Schooler and Pat Coomsey led a discussion over a thousand conference call attendees.
As a result of the call and at the suggestion and leadership of Johns Hopkins Medicine, WEDI and SMS put out a call to the industry to work together to develop implementation guidelines that are scalable, reasonable and implementable, regardless of the size and complexity of the business. Some key associations like the MGMA and the ADA, who brought a critical and valuable perspective to the effort, supported this group. In all, 173 participants, from payers to providers, to consultants to lawyers, to technology applications and service vendors came together to draft a document specifically to assist in providing the answer to a burning HIPAA security question. How do I know if I am doing it right.
Without HCFA's support, encouragement, guidance and participation, the security summit would not have near the impact that it has thus far. To them, once again, we all say thanks. The security summit and CPRI tool kit initiatives continue to work collaboratively, and we hope to generate complementary deliverables in support of HIPAA security. WEDI and AFEHCT also joined forces to work through a painstaking and illuminating process to define and document the issues associated with interoperability.
Choices are inherent in our culture, and our industry loves to make and defend their choices. While this has been valuable, too much of a good thing can hurt. There are many competing schemas and approaches for security. To enable exchanging information, the solutions must not only work within themselves, they must cooperate and interoperate with others. This is much easier said than done. With each state allowed to set its own security ceiling, this issue is far from going away. Many valuable lessons were learned from these initiatives, and these are well documented at the AFHECT and WEDI web sites.
We just heard about the strategic national implementation process from Chris and Larry. We are very, very much in support of that, and we look forward to helping them achieve the goals that they are setting out for all of us. There are also a number of regional activities. While we all know that health care is of national concern, it remains a local or regional issues.
Payers, providers, patients and consumers all live and work within a community structure that falls under state, federal and local jurisdiction and customs. Thus, we do not expect a HIPAA big bang. Rather, we expect to see HIPAA adopted in varying stages to varying degrees at varying rates in different geographic settings. All of them share the characteristics of having providers, payers and other members of their locale working in a structured manner to help the entire community prepare for, and embrace, HIPAA.
Some of the most prominent initiatives are listed below. I encourage us all to monitor their activities and progress over the coming months. I am very confident that many valuable lessons will be gained from each of them. Below is a short list of just three regional groups with whom I have interacted and have personal knowledge. For convenience, I have listed them and their web site addresses, and a key distinguishing feature or two of each. First is North Carolina Health Information and Communications Alliance. Early start, great structure, and a very effective security assessment tool that I encourage us all to take a look at. Next is the Greater Detroit Area Health Council, which has a group within it called the Health Information Action Group, and the Michigan Health Management Information Systems. They are also off to a solid start. What is unique about them is they have a very solid employer participation, and they are using the automotive network exchange, which is an extranet, which was created from GM, Ford and Daimler/Chrysler, again, borrowing success from another industry. Last but certainly not least is the Massachusetts Health Data Consortium, a very comprehensive, very active collaborative model with de-identified data.
I am aware of quite a few more regional activities in places like Minnesota, Utah and others. The good news here is that these folks are off and running and in compliance.
DR. COHN: Maybe you can jump to the recommendations, since we will be having hearings on the rest of them later on.
MR. ZIMMERMAN: Okay, sorry about that. Sure, I will jump right ahead. This brings me to recommendations we would like to offer the panel today. There are five that we have selected. Stretch the limit and take the bumps. With any progressive effort, people must extend beyond the status quo. You are hearing a lot about volunteer efforts of people devoting themselves, beyond their jobs, to help the industry. I encourage the members of the government agencies to continue to take prudent risk and follow their conscience, as they need to at times, stretch beyond the limits of their authority. Early warnings and good hints to the industry are most welcome and very constructive. Also, know that we will not execute with perfection. Please allow us to make good faith errors, gently point out suggested improvements, but do not punish the well intended. For malicious violators, hit them hard, but for those who slip, just be prepared to assist, not vilify. Sanction and promote cooperative processes. Get and stay in the game with us. I have seen some welcome assistance from the government in a number of situations. Please keep it coming. It gives us energy, validation, and helps us ensure we stay on the right course. The industry only wants to make these kinds of investments once. So, as much as you can, stay with us and help. I think that is very much reflected by Larry and Chris' remarks. When you like what is going on, tell someone. In fact, I have seen Karen do that on a few occasions, and this is precisely what is needed to provide the necessary assurance and stimulation to drive positive momentum.
Now, let's clarify the goals, objectives and expectations. Nothing drives inertia like uncertainty. This is one of the biggest challenges we face today. A lack of clarity begets both argument and debilitating confusion. The more that the government can provide precise or illuminating descriptions of the desired outcomes, the more accurately the industry can target our efforts. Shooting in the dark is a bad thing. You might hit something or someone you like. As our objectives become clear, measurable descriptions of bands of tolerable behavior would be very helpful. The adage, you can't manage what you can't measure, is very applicable here. We require some ability to know how and what to measure, so that we can gauge our success and compliance.
Again, actively support examples. Nothing is more illuminating and valuable in implementing complex systems than clear examples. The transactions have implementation guides because they are needed. The number of variables is too great to make the standards useful, unless applied to situations we can understand, digest and replicate. In this context, security is no different, and we urge you to continue to accelerate your work with industry in supporting valid how-to and what-if guidance. Finally, economically stimulate technology, industry and government collaboration. This is an industry under severe pressure, however you look at it, some for good reason, some not.
Consider ways to reward or provide incentives for achieving HIPAA compliance. Often we refer to the carrot and the stick. We need to spend more time on carrots. Enough people are focused on the stick. Two mechanisms the government has used in the past might well work in this situation. Please consider providing enhanced reimbursement structures or tax relief for demonstrated HIPAA compliance. We know that one of the stimulants or rewards of national HIPAA compliance is a more cost efficient health system. These improvements will yield benefits for patients, providers and payers. Since the federal and state governments carry so much of the fiscal burden of health care, it stands to reason that seeding initiatives now will accelerate the government's ability to realize savings and relieve some of the pressure.
So, let's find a way to put our money where our mouth is, and make industry make progress toward efficiency and security demonstrated so well by so many other industries. In conclusion, we firmly believe that we are doing the right thing. This, in itself, drives momentum through difficult or confusing situations. We must maintain a focus on our objectives and, regardless of parochial wrangling, stay the course. We must all be as clear and precise as we possibly can. That will allow us to establish and maintain traction with minimal distraction resistance. Timing and delivery against promised dates is critical. Delays destroy momentum. Please let us help you avoid them.
We should all not be overly concerned about stretching beyond our perceived limits to achieve a defined objective. As with anything new, we will make mistakes. Let us, but help us get back on course quickly. Punishment is not always the best stimulant to action. Sometimes economic incentives work well, too. Fostering cross pollination of ideas and progress across geographies will help propel us toward the goals we collectively establish. Finally, listening patiently to other perspectives is crucial. While addressing every potential situation or concern is not practical, listening has brought much light and fostered tremendous progress to date.
That is why this forum is so valuable and has proven to be a helpful instrument of progress. Mr. Chairman and members of the committee, this concludes my statement.
DR. COHN: Jon, thank you very much. I need a little guidance. Lisa, did you want to go next? Great.
MS. GALLAGHER: Good morning. My name is Lisa Gallagher. I am a senior director in the security practice at Exodus Communications. I am here representing the Forum on Privacy and Security in Health Care. We appreciate your invitation for a representative of the forum to address your committee regarding industry solutions for implementation of administrative simplification. It is a pleasure to be here in the company of these other panelists, whose experience and specific knowledge shall certainly bring illumination to issues surrounding health care and security and privacy.
Why is health care not just another major application of information technology concepts? after all, other huge organizations, even whole industries, have successfully standardized security requirements over very large integrated information systems. Health care is a unique environment with a variety of types of data, hierarchial requirements, a diverse set of stakeholders with unique needs, and a culture that prizes individualism. Implementation could not and did not wait for a system of standards to be produced by under-resourced standards development organizations.
Within this hugely complex environment, the development and implementation of standards has lagged far behind the actual implementation of systems. These systems were underappreciated for years, because health care was generally delivered at the community level, whatever the size of the community. Until recently, there was not a compelling argument for health care information systems that extended beyond the community. Organizations' resources were limited, and the communications infrastructure would not support simple cost- effective movement of large amounts of data. Thus, system developers were comfortable, or rather, not too uncomfortable, with the non-standard approaches, local structures, local systems, and even local languages and home-grown ideas of what their security processes should be.
In response to this situation, literally hundreds of develops sprung up to provide their customers with custom computer systems. Each medical specialty within a medical center might expect individual interfaces, languages, and even have distinct usage of common words. It is not uncommon for a single medical organization to have a variety of clinical and administrative systems that might run on the same network, but are not able to exchange data.
Standards development activities just couldn't keep up with the profusion of development activities and the rapidly changing environment. What has changed to prompt the need for information technology standards? In the last several years, organizational structure of health care has changed drastically, new larger organizations formed and old boundaries disappeared. For example, in New York City, Mt. Sinai merged with NYU. These are two large organizations with radically different security architectures now trying to have similar coherent policies along with a single mechanism to enforce or change the policies.
The current situation is difficult enough, considering the issues surrounding health care technology and medical vocabulary, but almost insurmountable in the areas of privacy and confidentiality, where individual circumstances, mold people's beliefs and even their specific idea of the meaning of their words. Patients, security experts and privacy advocates have all expressed concerns about the implication of the electronic exchange of patient health data.
The passage of the HIPAA regulation and the upcoming proposed rules will go a long way to defining the needed goals and requirements, but there are still gaps in the definitions and levels of understanding that we all need to have. These gaps are caused by the lack of an industry- accepted vocabulary for requirements expression, and a lack of industry-wide acceptance of values.
The difficulty of finding explicit vocabulary to express our security and privacy requirements, and the enormous variety of information environments has left security professionals with a daunting task. They must buy equipment, integrate systems and implement secure environments without a clear statement of what goals need to be achieved.
What are the compliance issues? Currently, many health care providers are considering the implications of implementing architecture, policy and procedure changes in order to establish compliance with the HIPAA security requirements. Chief among those concerns is how to establish and maintain such compliance in a manner meaningful to their patients, business partners and the public.
There are too many interdependent factors for the goal of compliance to be achieved by any one segment of the community in isolation. Stakeholders need a compliance mechanism that can satisfy all of their different but related requirements. Policy makers must have a way to state their security needs and concerns in a way that can be clearly understood and implemented. Product vendors and system integrators need guidance to help them translate policy into compliant technology, as well as a way to demonstrate that they have done so.
Those responsible for evaluating products and systems to confirm compliance need standards against which to evaluate, as well as mechanisms for doing so. The Forum on Privacy and Security in Health Care was created to address compliance issues in the health care industry by providing a venue and a mechanism for the exchange of ideas, technology and expertise. The forum is working on developing compliance blueprints for developers, health care organizations and accrediting organizations. The forum is currently involved in the development of standardized security profiles to specify and measure the security aspects of IT products and systems.
The forum's mission is to encourage the health care industry to develop more efficient methods of providing a secure environment for their commerce, promote the use of the common criteria -- that is ISO standard 15408 -- to aid in regulatory compliance, educate the industry about the worth of these standardized technology blueprints and catalyze the industry.
To accomplish these ends, an active forum has been created with a wide base of membership that will continue to provide structure for the many efforts to develop and articulate health care policy. The forum actively seeks involvement and commitment from providers, academia, industry and government. Vendors, hospitals, clinics, accrediting organizations are now struggling to develop strategies to implement policies pertaining to security and to develop methods to ensure compliance with security policies.
The forum participants believe that it is crucial that health care find coherent efficient ways to express security requirements. It is equally important to measure the compliance of hardware and software applications to the stated security requirements and policies. Health care organizations must have confidence that the security features of IT products and systems they build, buy or use are implemented correctly and completely, and that they behave as required.
One way to establish such confidence is the use of common criteria for IT security evaluation. The common criteria is the new internationally recognized standard for specifying and evaluating the security features of computer products and systems. This standard facilitates a common organized way to clearly and unambiguously articulate user security needs, as well as vendor security solutions for addressing the stipulated security dilemma.
For the health care community, the common criteria can provide a means to translate security policy into functional security specifications for products and systems, and to select the desired level of assurance defined as confidence in the correct operation of a product. It can allow prospective consumers or developers to create standardized sets of security requirements that meet their needs in the form of protection profiles that then can guide vendors and integrators in their efforts to produce compliance products and systems. It can provide an evaluation method, supported by the availability of commercial evaluation laboratories, that offers a consistent, independent and cost effective ways to help confirm compliance.
Common criteria-based specifications can be written to reflect all security aspects mandated by policies, regulations and law. They also articulate the desired level of assurance and correct and complete security that is to be demonstrated by implementations claiming compliance to the specifications. These kinds of specifications facilitate use of associated standard evaluation methods, in this case, the common evaluation methodology, by independent commercial security testing and evaluation laboratories that have been accredited by the government.
Such labs evaluate products and establish confidence that products are compliant with security specifications, policies, regulations and laws. Government validation of laboratory IT security evaluations allow health care professionals to confidently, reliably and consistently compare the security features of evaluated health care IT products and systems. The forum activity is based on the use of the common criteria and the creation of standardized security protection profiles.
These criteria can also be used to specify and measure the level of confidence or assurance that security implementations function as claimed. These criteria thus help measure IT equipment compliance claims with community-recognized security policy and requirements.
The forum is promoting community-wide use of common criteria concepts. The forum is working to have the common criteria technology and methodology recognized by accrediting organizations, insurers and others, as providing valid evidence, assurance and due diligence that security- enhanced IT products provide solutions compliant with stipulated requirements, policies, regulations and laws. Exodus is offering internet data center services to the increasing number of companies whose internet sites are integral to their business operations. Along with internet server hosting, Exodus also offers professional consulting services, to include security engineering consulting services.
Recently, Exodus has seen a surge in the number of clients seeking initial HIPAA compliance planning and security evaluation services. Exodus Security Services, part of Exodus Communications, joined the forum last year, after participating in a research contract with the National Institutes of Standards and Technologies, National Information Assurance Partnership to determine whether common criteria concepts were leverageable for use in addressing the health care security requirements compliance issue. This research convinced us that the common criteria approach is viable and worth investigating further.
Our participation in the forum thus far has centered on briefing, discussing and educating the health care community's forum participants about the usefulness of the common criteria technology. Our own work with helping health care providers, using this approach, is well underway. Currently, the health care industry is so huge and so fragmented that individual providers have difficulty seeing the benefits of implementing the HIPAA requirements or the benefits of helping anyone else implement the requirements.
Even when they are preparing to take action, the path to compliance, certification and due diligence is unclear at best. Industry providers of security services are currently attempting to bring to bear their expertise in technologies to help the health care industry prepare to establish and maintain compliance. Organizations such as the forum can be conduits for such collaboration, which is a primary reason for the participation of Exodus Security Services.
Our desire is to provide our services in the context of a well-established process for guiding health care providers toward full and ongoing compliance. The forum has advocated the use of the common criteria as one approach to the specification, evaluation and certification of health care solutions. This approach benefits not only health care providers and the public, but also product and system vendors, because it provides a means to clearly articulate the security requirements and standards that apply to health care systems and products, and provides an objective method for assessing how well their products or systems comply with those requirements.
The forum also believes that the entire health care community would benefit from standardized system evaluation and compliance certifications, perhaps from third party security evaluation facilities. This could enable health care IT purchasers to buy those products that have successfully achieved the security equivalent of a Good Housekeeping Seal of Approval, and also allow those same organizations to pursue a recognized third- party HIPAA compliance certification.
There is an incredibly complex set of issues and there can be no simple set of solutions. There are, however, potentially enormous benefits of tangible solutions that can be realized. All the health care informatics industry and health care in general would benefit enormously from clear direction in the use of established processes and stable, complete standards.
The Federal Government, as both the largest potential beneficiary and the most influential single entity, can become the instigator and motivator for government and industry partnerships to make progress. We would like to encourage the government -- in particular HHS -- to proactively participate in efforts such as the forum.
In this way, the government can serve as the facilitator to encourage industry to move toward a commonly understood set of processes and vette those organizations that have demonstrated the ability to do evaluations and certifications against those standards.
I, along with the forum members, appreciate the opportunity to comment on the work of industry to ensure that health care will be able to reap the benefits of information technology, while preserving the confidentiality and data integrity that the American people expect.
The Federal Government, just as it motivates and sponsors public health efforts, can help by active participation in government/industry partnerships, to facilitate progress in this area. Thank you.
DR. COHN: Lisa Gallagher, thank you very much. Mary Kratz, I believe you are next up.
MS. KRATZ: Thank you. Members of the Committee on Vital and Health Statistics, my name is Mary Kratz, and I am the manager of health science initiatives for the Internet2 project.
The Internet2 health science initiative is bringing industry associations in the health sciences, academic medical centers and medical schools, together with the internet community. Under the Internet2 health science initiative, guidelines are being developed for safe and effective use of the internet for clinical practice, medical and related biological research, education, and health awareness in the public. Internet2, more broadly, is a consortium of over 180 universities, working in partnership with industry and government to develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow's internet. Internet2 is recreating the partnership among academia, industry and government that fostered today's internet in its infancy.
The primary goals of Internet2 are to create a leading edge network capability for the national research community, enable revolutionary internet applications, ensure rapid technology transfer of new network services and advanced applications to the broader internet community. Through Internet2, working groups and initiatives members are collaborating on advanced applications, middleware, networking, partnerships and alliances.
Thank you for the opportunity to be here today, to discuss issues faced by early adopters of new technologies and the impact of advanced technologies on the medical industry. I commend the subcommittee for undertaking a project to gather input from such a large and diverse group of health care participants.
The creation, gathering, organizing and promulgation of health data affect a wide variety of participants, each of which has its own set of issues. It is important, when providing leadership for the health care industry, that the various needs and uses of new technology are understood, in order to prevent the creation of mandates that interfere with the delivery of care. It is equally important to provide leadership that serves to catalyze technology transfer to new methodologies and mechanisms that benefit our industry.
My comments today will focus on the advanced application development under work by Internet2 members. Advanced network applications allow people to collaborate and access information in ways not possible using today's internet. Advanced applications are at the heart of the Internet2 project. Internet2 applications provide a revolutionary leap over those possible on today's internet. Advanced applications are about much more than faster web or e mail. Think, instead, of the difference between AM radio, today's internet, and HD TV, the kind of applications being developed and tested by the Internet2 community today.
Specific Internet2 application initiatives include efforts in technical areas such as digital video, digital imaging, data mining, tele-immersion, virtual laboratories, digital libraries and distance independent learning. Development is underway for collaborative efforts of academia, industry and government partners which address the application of advanced technologies. Internet2 members are also coordinating efforts around disciplines such as health care, the effort I am currently directly involved with.
Applications are being developed that address needs for integrated knowledge bases, distance education, training and information delivery infrastructures in these disciplines. Grids, or the web on steroids, are rapidly developing into a core technology for these data-intensive services. Resources needed to solve complex problems are rarely co-located, thus, the grid technologies are emerging to address advanced scientific instrumentation, large amounts of data storage, large amounts of computing power, and tools for collaborations between people.
Previously, the committee has heard testimony on the recent National Research Council report on networking health prescriptions for the internet. I have brought a copy of the report, in case anyone is not familiar with it. The Internet2 health science work group is well positioned to mobilize the recommendations in this report to action. We are using the NRC report to serve as a road map to organize the efforts of the Internet2 health science initiative. Many activities are already initiated.
Internet2 members and partners are currently discussing new initiatives to advance the medical domain's use of internet technologies. Middleware. Middleware is the layer of software between the application layer, which seeks to provide standard mechanisms for authorization, authentication, directory services and security. Internet2 middleware initiative seeks to define services for authorization, authentication, directory services and security for the academic community. The medical middleware group seeks to extend these services and work in partnership with the object management group's domain task force on health care, Corbamed, to apply these and other services to medical environments.
Middleware services have been improving to enable interoperability of distributed portions of the clinical record, including images. Complex medical business and clinical applications are able to interoperate through the application of middleware and medical middleware. Current implementations of this technology include core services to enable person identification, terminology immediation, information access and resource access for security. Developments are underway to complete image access specialization and an information locator service.
Middleware is a difficult but crucial area of importance. Simply put, it is the software neither the application developers nor the network implementors want to address. Middleware is the interface between the network and an application. This interface is essential for systems to interoperate in any reasonable, scalable manner.
Networking. Internet2 and its members are developing and testing technologies that will enable tomorrow's commercial internet to provide the reliable performance that advanced applications require. Capabilities such as multi-casting and quality of service will allow networks to work smarter and more efficiently. National, regional and campus networks provide end-to-end high performance required by advanced applications.
The high performance networks participating in the Internet2 project provide the environment in which new network applications and capabilities can be deployed and tested. Abilene, and the very high performance Backbone Network Services, or VBNS, are the advanced backbone networks connecting regional network aggregation points, called gigaPoPs, to support the work of Internet2 universities as they develop advanced internet applications.
These Internet2 backbones complement other high performance research networks. Internet2 universities are upgrading their campus networking capabilities and establishing high performance connections to these national and regional networks.
Partnerships and alliances. Internet2 works closely with U.S. Federal Government agencies engaged in advanced networking technology and application development. The next generation Internet initiative of the Clinton administration was announced almost in parallel with the formation of Internet2. NGI is a cross-agency effort that includes the National Science Foundation, DARPA, NASA, the National Institutes of Health, National Library of Medicine and the Department of Energy, focused on the advanced networking needs of the mission agencies and the research communities with whom they are engaged.
Specifically, Internet2 and NGI national backbone networks are interconnected at several high performance interconnection points, and the chief engineering personnel from these networks meet regularly to plan for better interconnection and interoperation. Likewise, the application's development effort of both Internet2 and NGI collaborate closely through events like the Washington D.C.-based application demonstration efforts and joint workshops.
Internet2 also collaborates with the Federal Government outside of the NGI initiative. Several government research laboratories are members of Internet2 and participate in the Internet2 Abilene network to achieve high performance conductivity between researchers at university campuses and national laboratories. The Internet2 middleware initiative and the federal public key infrastructure, PKI, initiatives, are synching up through joint meetings and collaborations.
Finally, many of the applications developed on Internet2 university campuses are funded by various programs of the Federal Government. For example, the National Institute of Health is funding several networked health applications.
To conclude, recommendations. Ensuring that the internet becomes a suitable, ubiquitous medium for supporting health applications is a challenging task. To ensure that the internet has the ability to support health applications, additional technical capabilities need to be developed and deployed. Collaboration between health and biomedical subject matter experts and the engineering community bring together the expertise required to address the next generation of the internet.
The goal is to assure that developers better understand the way in which the requirements needed for health care applications of the internet diverge from, or converge with, those needed to support internet applications in other sectors. To this end, Internet2 health science initiative participants are working in a variety of areas as recommended by the recent NRC report.
The health community is actively working to ensure that technical capabilities suitable for health and biomedical applications are incorporated into the test bed networks being deployed under NGI initiatives, and eventually into the internet. The Internet2 health science work group is currently forming collaborations and projects to address a variety of areas, including but not limited to quality of service, IP security, public key infrastructure, medical middleware, distance education and more.
To ensure that the internet evolves in ways supportive of health needs over the long term, the health community is actively engaged with the networking community to develop improved network technologies that are of particular important to health applications of the internet. Areas of interest include band width guarantees on demand, strong authentication, last mile issues, disaster operations and more.
Discussions to form project teams to address electronic health record architecture, issues related to the digital divide, use of open source methodologies for sharing of intellectual properties and appropriate uses of emerging technology capabilities are bringing together a dynamic community of academia and industry under the Internet2 project.
I am pleased that the National Library of Medicine is actively engaged with the Internet2 health science initiative. As we work together to forge stronger links between the health and networking research communities, these researchers ensure that the needs of the health community are better understood and addressed in network research, development and deployment of advanced application. The National Research Council also recommends incorporation of the NIH and its component agencies into development of next generation internet.
The Internet2 community has begun to work with the NIH to define the requirements for future funding of information technology research that will develop the complementary technologies needed to enable improved networking technologies for the health care community of the future. A member of the leadership committee for the Internet2 health science initiative told me just the other day that he was not sure if Internet2 was the appropriate community to address the difficult issues facing the medical industry in this age of digital revolution.
After engaging with the Internet2 health science initiative, he is now sure that Internet2 is the only community equipped to best address these very difficult issues. As we work with open standards organizations, academia, government and industry, collaborations form to enable the promise of new technologies. This emerging new economy represents a titanic upheaval in our commonwealth, a social shift that reorders our lives more than mere hardware and software ever can.
It has its own distinct opportunities and its own new rules. Kevin Kelly's new rules for the new economy tells us that our minds are naturally bound by old rules of economic growth and productivity. However, in the new network economy, we should not seek to solve problems, but to seek opportunities. I would like to conclude with some insights from Doug Van Houweling, president and CEO of Internet2.
The central theme of our description of the promise for advanced internet technology for health care is that it can facilitate broad, secure access to mission- critical health care delivery. The focus shouldn't be primarily on speed, but on the way that quality of service, multicasts, advanced video, remote instrument operation have the potential to transform the health care delivery, if we can combine with the right middleware and regulatory environment.
The fundamental limitations won't come from technology, but from the medical care system's ability to adapt to the new capabilities. Internet2 exists to create a high performance, robust and secure environment for those advances. Thank you for your consideration.
DR. COHN: Mary, thank you. Gary Beatty?
MR. BEATTY: Thank you. I would like to thank the committee for this opportunity to appear before you to testify on industry solutions dealing with testing and compliance verification. Again, my name is Gary Beatty. I am the president of Washington Publishing. I am also the chair of the insurance subcommittee, a member of the WEDI board of directors, a commissioner on the Electronic Health Care Network Accreditation Commission, and the Health Care Electronic Commerce Foundation.
I have been involved with implementation of electronic data interchange technologies for over 15 years, in various industries dealing with grocery, retail, manufacturing and then, in health care, from both a payer perspective and a provider perspective. As my background kind of points out, I have lots of personalities out there. Sometimes I suffer from multiple personalities. This presentation that I am going to be doing today somewhat shows that.
I will try to be as animated as possible, as I came off a red eye from San Francisco this morning. What I would like to start out and talk about, what I was asked to speak about, was one of the areas dealing with some of the tools that are available to the health care industry for testing compliance. One of those is from the Electronic Health Care Network Accreditation Commission, or e-NET and it is called the Standard Transaction Format Compliance System.
If you notice the picture on the bottom left corner, as a side note, those are vultures around the hippopotamus. I also share the concern for that poor hippopotamus there with the passage of the June date and not having final rules. One of the opportunities I get these days is to go out and speak to senior management within the health care industry about this legislation.
The concern I have recently is that some of the statements that have been coming out are that basically, if the rule didn't get published by June, that some organizations talked about pulling back funding and any development efforts toward implementation of HIPAA. In my mind, that is a very dangerous situation to be, because in looking at various organizations over the last six months, a lot of these organizations, essentially, are already too late if they haven't started already in implementing HIPAA, because it is a big challenge.
What I would like to do is start out by talking about STFCS, or standard transaction format compliance system, and what this system is. This is basically a compliance, verification and testing tool which is based upon the HIPAA implementation guides developed by the X12 insurance subcommittee.
Compliance verification is a process to ensure that standards are implemented in a uniform manner according to those HIPAA implementation guides, versus testing both internal and external between trading partners, that deal with issues relative to the quality, the quantity and the business issues relative to getting ready to implement and move toward compliance with the regulations and requirements within HIPAA.
When we talk about quality in testing, we look at different things like confirming the ability for an organization to map their application data to the ANSI X12N transactions and vice versa, from the ANSI X12 transactions into their applications. We look to assure they are cost effective and efficient transmission capabilities within an organization.
As we heard with Chris' testimony, this can be a big issue within an organization. So, as you move toward implementation, you need to be able to test whether or not you have the ability and the environment to satisfy the needs. The field will provide information for decision makers, those that have to be able to put into the budgets the necessary monies to create those environments, and the resources necessary to manage those environments to support the requirements of HIPAA.
They need to be able to validate the data dictionary, the utilization of code sets, and assure that the data context is unambiguous. They will need to identify changes relative to impacts on prior versions, releases and sub-releases because, as we move forward, change management will become an issue, when we change from one version of the standard to the next, and how do we test and do regression testing between one version and the next, to make sure that we are still compatible with the HIPAA implementation guides.
When we start taking about quantity, we have to look at being to assure translation performance. Recently, I was involved in an assessment of a particular payer organization that needed to be able to have several hundred thousand transactions a day. Their particular translator was only able to handle about 5,000 transactions per hour. They had a problem. They needed to find a better solution to their environment.
When people start testing these things, they have to start looking at testing based upon full potential volumes, to determine whether their current environment can support their needs. Field-approved, provider proof of concept mechanisms prior to development, this is part of the efforts that are going on within the standard national implementation process.
Another endeavor that is going on is that we also need to have that proof that this does, indeed, work. The field will provide information to determine the most feasible, tactical implementation plan. Again, tying back to some of the efforts within SNIP, you have to have a process in place, you have to have a plan in place, and be able to meet the deadlines set forth.
Be able to highlight issues prior to mass deployment. This provides a capability to address the various issues prior to implementation. When we look at testing from the business perspective, we have to assure that the industry business needs are met.
As Larry pointed out, we spent a lot of time developing these implementation guides. We have literally had hundreds of organizations participate within X12 in the development of those standards. Do those hundreds of organizations represent all of the business needs within the health care industry? Probably not.
What we need is, we need organizations, as they look at these implementation guides, to bring those business needs to bear, so that we can modify and enhance the standards to enhance those business needs. Provides an opportunity for basically the various stakeholders in the industry to work together. This can't be done in a vacuum. You have to work with your trading partners and your other vendors and consulting organizations to work through this implementation process.
We need to be able to develop a process to do end- to-end test looping between business partners. We know that we can test the transaction sets, but are we able to test from one application system to the other application system, to make sure that we convey appropriate business information to conduct business in the health care industry. Then, move into a parallel stage and parallel testing where we conduct business both in our traditional means, whether it is paper, phone or otherwise, as compared to the electronic environment and then finally, to go live between the business partners.
A little bit more about STFCS and how it works. Basically, this is a web-based tool that requires authentication based upon an ID and password of its user community. Once the person is authenticated, they have the ability to upload test files to a secure web site, which the kicks in a compliance testing software automatically, that analyzes the test file against the established HIPAA implementation guides, and then provides a digitally signed web page that flags any discrepancies between their test file and the HIPAA implementation guide.
Following its successful test, the reply will confirm that the submitted transaction set is syntactically correct, and therefore is validated for acceptance by any trading partner in the health care industry. This system also logs the subscribers that have passed compliance with each of the transaction sets, and then also has the ability, for those organizations that have non-human identifiable data in their test tiles, to volunteer those test files for other organizations to utilize, as a reference library for their internal testing and their process.
What does STFCS check? It checks basically information at three different levels within these transaction sets. In the EI environment there is the concept of envelopes which is the first level of validation, in that there is an ISA and an IEA envelope. Essentially, you almost can think of it as a company envelope or, in the paper world, going from one company to another.
It also checks the functional group envelope, which is comprised of the GS and the GE segments, which can be thought of almost as a department within a company envelope, for sorting and distribution within an organization.
Finally, at the ST and SE level, for the transaction set, the starting end of a transaction set. The second level of checking and validation deals with the actual structure of the transaction itself. That information, then, is contained between the start of the transaction and the end of the transaction set.
Finally, the third level, the actual data element level, validating the data content. There are some things that it does not check. It does not check the information contained in free-form notes. The data elements, basically that contains specific formatting information and X12 syntax notes.
An example would be, within the premium payment implementation guide, which is 0040X061, there is a note in there talking about the TRN segment, where TRN03, the third data element in the segment must contain the federal tax ID preceded by the value one.
There is another note that it has in there, basically that the TRN-3 is a situational alphanumeric string with a fixed length of 10 characters. STFCS will not validate that the value of one was on the front of that at this time. To best illustrate this, I have a short video as part of this. For those on the web, I will try to animate this as well.
This is a sample session, as best it can come out on the projector, of the web site for the standard transaction format compliance system. I will see if I can start it up here. Basically, what happens is that an individual can sign onto this site. There are certain pieces in here for administrative purposes, there is the registration button where a person can go in, establish their ID and password, their organizational name and so forth, and register for the usage of this system. There is an additional test request. When a person first signs up for this system, they are granted 250 tests, and the can also acquire blocks of additional 100 tests if they need that, and then an annual renewal process.
To start out with, what I would like to do is sign in or log into -- I am going to start out with the PGP key. The use, printing and privacy, 1,024-bit RSA key encryption for the encrypting of this information that was exchanged between the web site. So, that is available on the web site as a reference point for users of the system. Now, what I would like to do is go and log into the system. That lets you know that we are going into a secure site.
If you note, down at the bottom, we have now got our little locked key down on the screen. So, we are now in a secure environment and we are going to log in. I will put in my ID, my password. Then I will submit my log in. I have now successfully logged into the system. This screen here is actually where you actually submit test files to the system. Basically, I will just kind of describe some of this information.
Basically, an organization could give unique names to each of their tests, whatever they want to call the tests, and then be able to select whatever test file they want to submit. Test data is validated, as I mentioned, for the envelopes and the transaction sets. Test data, if the user does not select to do so, is destroyed after the completion of a test.
If they choose down at the bottom of the screen, and they are using information that is not related to human individuals or real people, I guess would be the best way of putting it, they can select, down at the bottom, yes, to actually submit this to the library of compliant transactions.
What I would like to do here, I am going to submit actually an 834 test. This is for an enrollment transaction, which is guide 95. This happens to be, I think, my sixth test of this transaction test. Then I am going to click the browse button to go out and select the file. Our here I have basically several different files I can test with, 837 professional claims.
I have two for enrollment, one that is a claim that doesn't have any errors and one that does have an error in it. I am going to select first the one that doesn't have any errors. I am going to open that file. I am not going to choose to submit this, even though it doesn't have identifiable data. What it has done now, it has gone through, I have submitted that file, and it has come back now with my compliance report.
Basically it is saying, I am Washa Publishing, GB for my initials. The date I did this was I think Monday this week. I have 242 tests left, I have my test name. I have the digitally signed message, this piece up at the top. Basically, I get this little message down here that says that this transaction set was compliant, and the digital signature at the bottom of the screen.
I am going to go back and I am going to submit another test. So, I am going to go up to test number seven now. I will submit the one that had the error in it. I want to go back and browse and select the 834 that had the error and hit the submit button. It has come back now and this one had some problems. I will pause this for a second and explain this. Again, we get the digitally signed message. This particular transaction set, in loop 2000, the member level detail in the INS segment, which is the member level detail -- this is a copy of the segment that had the error.
The piece with the error was this second piece, which is INS 02. In this particular case, that is the individual relationship code. The value it has is 02, basically the error it is pointing out is that this code is not a valid code, based upon the HIPAA implementation guide.
DR. COHN: Gary, I don't mean to in any way rush you, although we are beginning to run out of time, I think the system itself is important, but I am not sure that it creates a tremendous amount of value to the committee to actually see the demonstration of it.
MR. BEATTY: I think the next two parts will be important, that I am getting to next. You also have the ability to go back and look at previous test results, and I will just let it go through these. Basically, you can go back and see what your results were from prior tests and validate those. When you start getting into implementation, these next two things are probably the two key points from an implementation perspective.
As people utilize this system, it keeps track of the subscribers in the system and which transactions they have actually been able to test compliant. What this does, it lists each of the users of the system. It lists all of the HIPAA transaction sets. Those transactions that those trading partners have tested compliant have a little dot underneath them.
So, you can go through the list and actually see who has actually been able to generate and test HIPAA compliant transactions. This is very important from an implementation standpoint. As we heard earlier, one of the challenges is the time that it takes for doing testing within the health care industry for a lot of these transactions.
Where I see the biggest benefit of this type of thing is that you can go and work with your trading partners and ask them to test first, using a system similar to this, where they can validate that they have the ability to generate HIPAA-compliant transactions, using a neutral third party, without taking up the time and resources within your payer provider type of organization. Once an organization has their dot, then go into that parallel stage to do a quick parallel test and then go into live. This can dramatically reduce the implementation time frame for trading partners to implement these transactions.
The other thing that is of value here is also that library of compliant transactions. What it does, it lists each of the transactions out there, and these are all volunteered from people out there. This happens to be an eligibility transaction and the next one is a claim status transaction. Basically, you can view people's tests that they volunteered them. This happens to be a claims status transaction that somebody submitted, that other people pull in and used as an in-bound test.
If somebody wants to use this, they can just go up, hit the edit button, select all, go up into edit as well again and hit the copy. Then they can copy into their environment and use this as a reference test for their internal environment. That, again, those last two points are probably the biggest two points in aiding people in implementing these transactions.
One is the internal testing capabilities, and then the external issues dealing with who has tested compliant and then to be able to have a source of compliant transactions for internal testing purposes. So, some of the benefits, basically the STFCS establishes a single objective site to provide feedback and compliance transaction testing. This system can also be used to resolve disputes between organizations. One of the questions we have is, who are going to be the EDI police in the future.
We have already had situations where people have used this system to resolve a dispute, where one trading partner said a transaction was HIPAA compliant, another said it was not. They used this system to resolve the difference. So, this system can almost become that compliance testing and policing tool that can be utilized by the industry.
This system was developed by Washington Publishing, which publishes the HIPAA implementation guides and works closely with the electronic health care network accreditation commission. So, we have a unique insight into the data content and contents of these implementation guides and how these are implemented, and can lend validity to its implementation.
It verifies, basically, that the company can actually send and receive HIPAA-compliant transactions. As was pointed out by the little dots on the transactions, it can greatly increase the efficiency of implementation by reducing the time frame for testing and resources required within the various stakeholders IT environments. It provides also that reference library that people have used for testing purposes.
There is a cost associated with this system. There is a subscription fee of basically $595 a year, which includes the first 250 tests. Users can purchase additional blocks of 100 tests for $100, basically a dollar a test. Annual renewals are a little bit less at $395, which includes 250 more tests, and they can carry over previous years' tests.
Then one of the other thing that ENEC also does is, it certifies clearinghouses. Those clearinghouses that have achieved ENEC accreditation can also utilize this system for free.
This is just one of the tools that are available. There are other organizations that have testing tools available. For example, Foresight has a product called Provisto, that is a free web-based tool for testing. They also have other products like Edison. Edeffects is another organization that has tests, and a lot of the EDI software tools out in the industry are starting to build HIPAA tool kits and HIPAA compliance testing tools within their own products and services.
One of the other areas that I am very involved with these days is the issues, as I have transitioned from outside the health care industry, from a payer to a provider and then outside the payer/provider environment, is the huge need for resources in education in the health care industry relative to implementing EDI.
There are two unique skill sets required to implement these. First of all is a good health care background and knowledge and secondly, EDI knowledge. Resources with both of these skills are very scarce within the health care industry. One of the recommendations I have for organizations, as we go out and talk to them, is don't go out and try to hire EDI people from other industries.
First, find people that know and understand health care first. The learning curve to learn health care can take a significant amount of time. I like to quote about 18 to 24 months, based upon my past experience when I joined employers health insurance on the payer's side.
Then, once you have people who have those skills, be able to take them and train them on the EDI basic skills and the tools available, which can be learned within a very short amount of time, to the tune of three to four months to become productive with the tools. We only have two years to implement these standards. If you find people outside and it takes them 24 months to get up to speed to use their skills, what good are they.
Washington Publishing and EDI Partners, which is part of Research Triangle, we have recognized this a long time ago. We have developed a class called The Introduction to Health Care EDI. I was out at Santa Clara University yesterday teaching up near San Francisco.
This class is geared to provide that education for people who know and understand health care, give them the basic EDI skills and knowledge, so they can become productive very quickly. Other organizations have also stepped up to the plate. The work group for EDI, data interchange standard association, AFEHCT and others, are all offering educational opportunities to the health care industry.
We need to encourage the industry to take advantage of all these education opportunities because it is so necessary. In conclusion, compliance in testing tools does exist. EDB. It is a little bit different than B2B, buy, don't build. It is a recommendation we have for both testing compliance and translation tools.
There are lots and lots of good tools out there, leveraged to a knowledge of those organizations. Within the health care industry, if we are a payer provider, our business is not writing translation tools. Our business is providing health care and managing health care.
There are differences between compliance verification and testing tools. Choose your tools wisely. Different people have different levels of knowledge. As I went out and tested the various tools out there, I took the same test results and sent them across many of these testing tools. Unfortunately, they all came up with different results in different ways. Some were right and some were wrong. Education is extremely important. Organizations need to be working on training their staff now. With that, I would like to thank you and encourage any questions of the committee.
DR. COHN: I want to thank everyone. I think this was a very interesting panel and I think an overwhelming amount of information is sitting here. I realize we are a little bit over time. I would like to at least allow people to take the opportunity to ask a couple of questions.
MS. FYFFE: I appreciate the presentations by everyone. I am going to pick on Mr. Zimmerman for a few minutes. I was really looking forward to SMS' presentation this morning. Unfortunately, I am disappointed. I will tell you why.
Yesterday, Don Bechtel talked about SMS and HDX, and I will reiterate a few points. SMS operates health applications for over 1,000 health providers with connections to over 400,000 customer work stations, processes 80 million transactions each day and managed over 500 connections to payers representing 130 million covered lives. SMS has been around for three decades. It has been a very successful company in the Delaware Valley and throughout the country.
What I am really worried about is how committed you all are to being certain that the hospitals and other providers that you serve will be HIPAA compliant. You go on in your testimony to talk about, you don't expect a HIPAA big bang. Rather, we expect to see HIPAA adopted in varying stages to varying degrees, at varying rates in different geographic settings.
Well, it actually is going to be a big bang because, within two years of the final rule, all of your clients are going to have to be HIPAA compliant. Your title says that you are senior manager of HIPAA initiatives. That is nice, but what about HIPAA implementation. I mean, what are you all going to do? I also say this in the context that approximately a third of the hospitals in this country are in the red. So, if you have any of those hospitals among your client base, you know, we have some real challenges here. So, with that in mind, I would appreciate a few comments.
MR. ZIMMERMAN: Thank you for your questions. Let me address to you a couple of things that are in your testimony that hopefully will address some of your concerns. There is a broad initiative across SMS and, in fact, yesterday we had a checkpoint meeting. I would have to say there were at least 200 people in that meeting. We were getting ourselves together on a continuing basis.
As far as security goes, help me understand what you think would be appropriate in order to get the hospitals compliant. As you can see in the testimony, I personally have visited over 100. We have a completely trained services staff across the board.
We have an operations team fully deployed on ensuring that the hospitals that run in our data center are enabled to achieve compliance easily and quickly as a natural part of their operations within SMS. The challenge that we find, quite frankly, is on the administrative policies and procedures. We are not taking this as an IT challenge.
We very much believe that this is a business challenge within each of those hospitals where, as you so rightly point out, where a third of them are in the red. I know, quite frankly, that we are doing a tremendous amount from our applications technologies and services teams. I would invite you to come and visit with us further.
MS. FYFFE: The 80 million transactions that you process each day, I am ont talking about them adhering to security or privacy. I am talking about the 834, the 835, the 271, you know, the different transactions that are mandated by HIPAA.
MR. ZIMMERMAN: I was asked to present on security but I would be delighted to speak about the transactions. Let me get more specific. What we have done as a team is, we took a couple of approaches. One was, across the board, we decided to create a design team. The transaction design team -- we created three teams, transactions and code sets -- no, excuse me, code sets and IDs, transactions, and security and privacy.
The transaction team was led by Don Bechtel. What we are doing is, we have created an integration module within each of our application areas, to enable the processing, as part of the work flow. So, in order to enable HIPAA, if you will, people need to install a module that is build within their system, and enabled across all of what they can do, which then translates automatically in the 270 and 271, back and forth. We have also exported that to other applications across the industry, not just ours. We know that our customers have IDX, they have EPIC, they have HBOC.
So, we are exporting that technology to enable our customers, not just with SMS systems, but also with all the others. We have the 835s live in production. So, all the things that Don talked about we take extremely seriously across the board. It is part of HDX' mission, and place in life, in order to do just that, and we are rolling them out as quickly as we can.
Obviously, we have 450 and we have -- more than that, 500-plus clients doing that now, and it is enabled across our major systems. So, I guess that could be where the disconnect came from. I wasn't really prepared to talk about transactions, but I can talk about them all day long. [Laughter.]
MS. FRAWLEY: This question is for Larry and Jon. It follows up on a point that Gary made about education. I was curious, Larry, Per-Se has 33,000 physicians it provides services to and, of course, we know from Don's testimony yesterday the number of clients that HDX and SMS has.
I was curious as to what are your companies doing in terms of education to your clients. One of the things that I think that many of us are finding is that there still is a great unawareness of HIPAA, particularly among physicians, maybe more so than health care organizations. I was curious what you were doing in terms of education.
MR. WATKINS: That is an excellent question. There is awareness and then there is awareness. They might know it is out there, but not realize the implications, that it is actually multi-faceted. I always do the Christian hymn, Deep and Wide. It is broad and deep in its impact.
Anyway, we are being very aggressive in terms of education. We have a users conference coming up in September where I will be speaking and we have actually a number of our customers speaking. Frankly, our biggest problem -- I don't know if SMS can relate to this also -- but it is that our customers don't necessarily believe everything that we tell them, or at least as readily.
One of the things we are trying to do is to generate, to create experts within our customer base, and have them get in front of our clients. We also have a consulting division whose whole mission -- or there is one section now, the HIPAA division, whose purpose is to go out and educate our clients.
The other point I will make is that, when it comes to our IDN products, we have a clinical system and then also a patient management system. In both of those cases, we have deployed people within the organization to learn everything they can about HIPAA, and then go to our clients and talk to them, not just about HIPAA, but about how they can update their system specifically so that they can take advantage of the features and comply with HIPAA.
There is not a big audience for this yet, we are finding. So, I think most of the opportunities we have still taken advantage of are the industry opportunities such as what I participate in. I do a lot of educating and stand in front of a lot of folks to do that.
So, over the next couple of years, we think there is going to be a lot more. We are putting together seminars all around the country, and it is a very aggressive agenda of ours. We do have to be sensitive to what our customers are asking for, and that is not always highest on their list.
MR. ZIMMERMAN: Thanks, Kathleen. I will go through a couple of things that we have done recently. We always have HIPAA tracks at our health executive forums, which is chief medical officers and chief executive officers, and our financial health executive forums, which are for chief financial officers, so they can understand why this is important to them, that they have to invest in it now, and that it is related to their e business. We are kind of trying to drive those messages.
As I mentioned, I also have been on a number of visits just helping senior management teams in some pretty significant institutions just get started. That is a couple of hours of presentation and discussion, things like that. I have been working with the HFMAs, I have done a few of those as well.
We also, just recently, had our user summit, which is the user group funded and established by them, not us, and they asked us to put together a panel. I was very, very fortunate to have the following folks join us on stage to describe HIPAA from their perspectives. It was Lisa Aviola from Aetna. She is the head of their e health initiatives, Dr. Tom Sullivan from Partners in Massachusetts, a leader in the AMA and the Massachusetts Health Data Consortium, Sharon Klein who is an attorney with Pepper Hamilton, and Connie Consella, who is a patient accounting director at the University of Wisconsin.
So, people could get a broad perspective of what they have and what to do, and the audience was about 1,000 or 1,100. We just recently brought live, in the industry, something we call the HIPAA University. It is some very good, solid, interactive education available over the worldwide web. You can, if you will, just kind of rent it as you need it. You can establish that, you know, anybody can get to it. It has been well reviewed by a lot of folks and we hope people get value out of it.
We just recently made that available and you could get there by clicking on www.smed.com/hipaacentral, and follow the trail, and you will get right there. So, those are the kinds of things we are doing to make it easy to access the things that they need in a context that is helpful.
DR. ZUBELDIA: This question is for the four of you, except for security, or maybe security, too, to see where we are.
One of the intentions of this panel and these two days is to see where we are in the early deployment of HIPAA, to kind of get the pulse and the baseline of what has happened. HIPAA was signed four years ago. In all that, we don't have the rules yet, but we were supposed to have the rules two years ago.
We are looking at maybe a two-year delay. Lots of people, in fact, even yesterday we had a request for a two- year extension. Two years is not enough to implement the standards, we need two more years. What has happened in these last two years? Where are we today as far as HIPAA implementation?
For instance, Gary, your presentation, I understand it is a canned presentation, but looking at the dots, there were no more than a dozen submitters with dots on them, even with one dot on them, no more than a dozen of them.
Where are we? Are we five percent down the road, one percent, 10 percent? Where do you think we will be two years from now? Are we going to have time to do it in two years? Are people just waiting for the last minute to do this?
MR. BEATTY: If I had to take my guess on where the industry is, based on the discussions I have had, we are probably no more than five percent to 10 percent down the road. We do have a lot of organizations that are sitting on their hands, as I mentioned earlier, waiting for the final rule and are not going to do anything until the final rule comes out.
A lot of them are saying they are not going to put any money in their budget for 2001 because it didn't happen by June, because currently a lot of organizations are doing their budgeting for 2001. I also share Kathleen's concern, dealing with the vendor community. Recently I have been doing quite a few HIPAA assessments.
One of the assessments I was just doing, this particular vendor, we were curious, what is this customer, this vendor's position on HIPAA. He said, well, we will figure it out maybe in July of August and we will have the HIPAA compliant version ready for our customers, first release, the fourth quarter of 2001.
That gives those customers roughly nine months to implement the requirements of HIPAA. I share that concern greatly. I think we need to light a big fire underneath the vendor community to make sure that this happens sooner than later. We publish these implementation guides. These implementation guides have been available for a considerable amount of time.
There is very low risk for organizations to implement these transactions and to prepare the customer community to make this happen. Those customers are not going to be able to do it by themselves. They need the help of those vendors, and those vendors are not giving them the help they need.
MR. WATKINS: I think it is easy to look at what has happened the last couple of years, when we know we have had these implementation guides. One point I want to make is, there are transaction standards and then there is security. I am assuming that your question is mainly geared toward the transaction side.
DR. ZUBELDIA: Both.
MR. WATKINS: I am going to talk about the transaction side. We will let Jon talk about the security side. I think people underestimate the level of coordination that is necessary to really make this happen.
I know from my company's perspective, we are both a national billing service and a vendor. We have implemented the 4010 transactions. Apparently we have free access to this ENEC system, so we had better go ahead and submit some transactions so we can get some dots under our name. We will make sure we take care of that.
Anyway, I guess my point, since we really out of time here, my brief point would be that I think that to think that we can all just individually go out and implement HIPAA is insane. It will not happen. It has got to be an industry-wide coordinated effort, in order to deploy this technology.
If a vendor simply goes out and begins implementing transactions without payers to trade with and without providers demanding it and willing to deploy it and implement it and pay for it, then it is going to be almost impossible to do. While we as a vendor have implemented the 4010 and we have been obviously very involved in the industry and aware of what is going on and educating our customers, and I think as active in HIPAA as any vendor our there, we are very concerned about the mass deployment issue.
Without final rules, it is very difficult to get that process started. We are doing everything we can through SNIP and through AFEHCT and other organizations to try to encourage payers, particularly payers, to go ahead and implement. Where we have trading partners that have implemented 4010, we feel like we are as aware of that as anyone, and that we have begun those testings and are getting those transactions up and running. There are very few payers who have done it and it is very difficult to move forward without some of that.
The other issue is that, if I take it one payer at a time, we will never get this done in two years. We have to have a coordinated effort to make it occur. Again, that is much of the reason why we are so involved in this SNIP effort.
MR. ZIMMERMAN: I support many of the comments of these folks. Let me just give you a couple of salient examples, Kepa. It is a great question. Again, we believe and have demonstrated, all of us, that there is economic value in implementing these transactions, and the ones that we have done are unquestionable.
The value proposition changes a little bit, but I am encouraged by some of the discussions I have seen and heard from payers recently who say that the denial rates go down when eligibility gets implemented on the provider side. That is a really good thing. What we have got so far is, we have been integrated in the work flow to reduce the cost and increase the value of providing transactions.
Where we are right now, we have got all the SMS systems. We have got scheduling.com, we have got EPIC, we have got IDX, both bar and last word, Medipac, Meditech, HIE -- they used to be called that, now they are called HealthCare.com. They are the purveyors of Cloverleaf, in integration engine.
MR. BLAIR: Excuse me. I am listening real carefully here and I want to make sure that I understand, when you are saying we have, are you talking about 835 transactions with all of these? Is that what you are referring to?
MR. ZIMMERMAN: No, I am talking about the 270, 271, Jeff. The other ones, we would like to work with them, but we don't have as much control or integration into their back end billing systems.
We can take the transactions that we get and provide them in a way, but the value of the 835s that we have experienced and the SMS systems really shows itself when you can automate the application of the data back into the patient accounting systems. That is where the value comes in. So, we have been working very, very hard to get there. I think that it depends on the maturity of the transaction, Kepa, will define where we are.
If they all come out at the same time, I think the industry is further ahead on 270 and 271s. The 837s require different data elements, which means that they are going to have to change their data capture mechanisms when they are creating the claims or the encounter information. So, that is going to take some work flow process. On those, we are less further ahead, if you will.
I would just like to further add to the discussion that people don't believe it is serious until they see the final rules. I know there is pressure on a number of people in this room. I volunteer our assistance in any way that we can help create and close that equation. You can count on us to do that, and I think that is one of the key obstacles that this committee and us, together, can address.
On security, the things that I talked about in the testimony, the more clarification we have, the better we can hit it. That is where we are spending a lot of our efforts now, is creating our own clarification, thanks for the invitation to do so, but that is going to take a little more time.
DR. COHN: I think Gary has a comment and maybe we can move to the next question.
MR. BEATTY: Just one additional point. In looking at the various organizations, one of the challenges I have seen is that a lot of organizations, when they look at HIPAA, are only looking at the cost side. They are not doing a cost benefit analysis.
In a couple of assessments that I have looked at, those organizations chose to totally ignore the benefits side and only look at the cost side and leverage that against moving forward. You really have to look at both sides of the equation, the costs and the benefits. One of the things that I did recently -- going back to refresh my memory -- and what we had done with the WEDI white papers, both in 1991 and 1993, particularly the 1993 report -- I would suggest that people go back and pick that up and read that one more time, and read what was the basis for what went into HIPAA.
DR. COHN: Jeff, I am going to let you ask your question. I want to make a comment and then I think we will adjourn the panel since we are already half an hour late.
MR. BLAIR: My questions have pretty well been responded to and we are running late.
DR. COHN: Okay, first of all, I want to thank the panel. I mean, we have clearly over-filled this panel and this is not the last time we are going to be talking about these issues. I do want to make one or two comments, and I think I will first make them specifically to Larry Watkins and Christine Stahlecker.
First of all -- I think I am speaking for myself but I ask you to think I am also speaking for the subcommittee. They really do applaud your efforts. I think the attempt to try to organize the industry in the hope of implementation is well appreciated. Certainly, the committee saw yesterday that there are going to be some major implementation hurdles and we really do need to closely monitor this.
Now, I will speak to everyone who will be hearing from you all, I am sure, as we move along into this one. I am sure we will be having hearings on a regular basis, to try to identify the issues around implementation. Now, the one thing we did hear loud and clear yesterday, and I know that others have been commenting on this, listening to Larry and Christine now, is the dependencies on vendors.
We keep asking, gee, are the vendors going to be ready. We have one or two vendors here, but we are really looking at the vendors as an industry. Are they going to be ready, because everything else depends on the vendors being ready. You can't implement unless you have software that is capable of doing something.
Now, I would just comment, as I look at the HIPAA steering committee and the chairs of the activities, that while I am sure that the vendor issue is handled throughout the activities and the SNIP activity, that you may want to consider having a specific focused activity around the vendors, just because we are hearing that that is sort of one of the very first thing that needs to happen. That is just a suggestion from the subcommittee.
With that, I think I am going to give everybody a 10-minute break. We are running half an hour late. We want to thank the panel for a tremendous job.
[Brief recess.]
DR. COHN: We are going to continue, first with a comment from the audience.
MR. GILLIGAN: My name is Tom Gilligan, and I represent the Association for Electronic Health Care Transactions, many of whose members are in the room with you today.
Simon, I want to thank you for your comments relative to the vendor community, and I just wanted to say that AFEHCT and its members are going to step up to the request for the vendor focus on this issue. A lot of our vendor communities have been actively working on this thing and we just need to sort of broaden the scope and bring that information to you. We look forward to doing so.
DR. COHN: Okay, thank you. We will be, I am sure, in the fall focusing in on that issue.
Now, with that, we want to welcome the last panel for our hearings and we appreciate your coming and giving us sort of a geographic perspective on what is going on in relationship to implementation. We recognize this is a relatively full panel and we actually really would like the opportunity to be able to talk with you and ask you questions and all of this.
We would ask, if possible, if you could -- we recognize we asked you to keep your comment to 15 minutes. If you could even abbreviate them down to 10, that would even be better. What is most important, of course, is that you give us the information that you came here to present, recognizing that we also want to remind you that anything that you have presented to us in written testimony, of course, is analyzed and considered as though you said it also.
With that, Dr. Suarez, would you like to start the presentations?
DR. SUAREZ: Thank you very much, Mr. Chair, members of the subcommittee. It is indeed a pleasure to be here to talk about some of the regional perspectives in implementing HIPAA. I am very pleased to also be sitting next to my colleagues from all the other sites that have been working on this, and other projects we have been working together. So, it is indeed a pleasure.
If, perhaps, I can start with the message I want to leave you all with, it would be to think nationally but act locally. That is, indeed, what we are here to talk about, at least myself, to talk about how this needs to be a local issue as much as we recognize it is a national issue.
We are very much in support of the activities that are going on at the national level, very much actively participating in the SNIP project and other national efforts. We will continue to support that, but the reality is that this implementation has to take place locally in the hospitals and in the clinics in rural Minnesota, rural Montana, rural South and North Dakota. Indeed, what we do locally is of utmost importance.
I shall start with briefly giving you some background of where Minnesota started with this. Minnesota has quite a bit of history on working toward electronic commerce in health care. I should go back to the early 1990s, when Minnesota started talking and looking into the activities that were going on around the country.
I would probably say that the very start of all this can be traced back probably to the creation of the work group on electronic data interchange, WEDI. Minnesota played a critical role there, too, actively participating in it. We also participated actively in national standard setting organizations in the early days of those groups.
Locally, we organized something called the administrative uniformity committee, which was looking back then, and continued to look at administrative uniformity issues, and electronic commerce being one of them. Perhaps the most significant piece of all he evolution of electronic commerce in Minnesota was the passage, in 1994, of a major legislative initiative at the state level called the Minnesota Health Care Administrative Simplification Act, quoted as Minnesota statute 62-J.50.
This included pretty much all the same components that you and I all recognize today under HIPAA. We had the same expectations of implementation of electronic standards, using the same standards that we all talked about today, X12. We looked at unique identifiers as well, and tried to move forward with ideas, using mostly the recommendations of the WEDI reports, the 1991-1993 reports.
Inside that legislation, we included also the creation of something that was new and continues to be a pivotal element of our efforts in the state, was the Minnesota Center for Health Care Electronic Commerce, back then the health care electronic data interchange.
It was given the mission, the responsibility, of primarily promoting and educating the health care industry in Minnesota about the benefits, about the importance of moving toward electronic commerce. Between 1995 and 1998, the center was established really truly as the first independent center dedicated exclusively to these two activities of getting and promoting the health care industry on electronic commerce.
We prepared and put together a curriculum that was endorsed by WEDI and others as a national model for a curriculum on health care electronic commerce. We deployed that and conducted a number of seminars around the state, as well as in other states.
We also, in Minnesota, established an electronic commerce health care users group, we call it MEHUG, and established a number of work groups to begin assessing, back then, the proposed regulations that were coming out from DHHS, and submit comments back to DHHS.
Then Y2K, as we all know, came across and derailed all the activities that we were doing, for the most part, in terms of preparing the health care industry. It was an important step because actually, today, Y2K has given us the opportunity to say we had a success and we can build upon that success and upon that experience, and work toward the same goals that we had in Y2K, except now expanded to other requirements and the expectations of electronic commerce.
After that, after we survived Y2K as an industry and as a world, I guess, we refocused our activities. Earlier this year, we established a number of efforts in the state to try to move forward with the implementation of the HIPAA requirements.
So, how we are doing it in Minnesota is basically this way. We are focusing on three major areas, primarily. The first one is electronic transactions, core sets and unique identifiers. The second area is security and the third one is data privacy.
At the same time, we are working on two fronts. One is education and awareness. That has been mentioned earlier and I will mention some other things. The second front is really for those that are beyond education and awareness -- and there are a number of those in Minnesota -- really getting into planning, piloting and beginning to early implement all these requirements.
That is one of the things I want to emphasize really today, that there is that separation, if you will, of organizations locally and, I would assume, probably around the country. There are organizations that are already tired, if you will, of hearing the definition of HIPAA and they are ready to really jump in and do it and are, indeed, beginning to do it.
There are some other organizations, primarily provider organizations in rural communities, who have not really even heard about HIPAA or, if they have heard about it, they are not really aware of the impact that it will have in their business.
That is why we are working those two fronts, taking education throughout the state and making a major effort to try to make organizations -- again, primarily providers, more rural providers -- aware of the HIPAA requirements.
Then at the same time in a parallel mode, we are working with the more advanced organizations, if you will, or more proactive or more ready to do organizations, to try to coordinate locally the implementation of these requirements. So, in education, what we are doing is a series of statewide workshops. A lot of things have been said about having to educate organizations.
The one thing I want to say here is that we are going to go out and talk to them. We are going to have about 12 statewide workshops, going to Duluth, Minnesota and St. Cloud, Minnesota and Moorehead and other sites in the state. We will be bringing the message to the people rather than having them pull it out of different sites and different places. We are going to go beyond just purely educating or making them aware. What they need is not just to be aware of what is happening.
They need something that can help them get ready and prepare. We are going to provide them, besides the education component, with a series of very simple tool kits that they can use to begin to make their own assessment of where they are in terms of implementing, or working toward implementation of HIPAA. Then we are going to be available for them to take the next step of beginning to help them actually implement HIPAA locally at these sites.
We are really concentrating a lot of efforts over the next nine months, basically, on these statewide workshops, going around the states and talking to the provider groups. We also are going to be using our users group to disseminate information, to assemble the experiences that different organizations locally have had in implementing all these standards, or beginning to implement all these standards, and I will talk about the activities that we are doing under that in a minute.
We have a lot of activity going on regarding this usage group effort. So, that is what we are doing in education and now, with the groups that have already heard the message and are aware of it, and are ready to jump, what we have done is, we have established a series of work groups. I am going to talk about the transactions first.
We have established a series of work groups. The message here is that, as much as we want to think that we will have to really implement all these transactions, because of resource restrictions, organizations cannot devote resources to have everybody working on the everything at the same time.
There are nine or ten transactions and many other things and the disregulation. So, the first step we did was prioritize what kind of activities we can do and put some time lines and sequence them appropriate according to our perceptions, according to our needs, and begin to work on those. So, we established these work groups to specifically look at the transactions, the first three transactions, eligibility, claims and the remittance advice. Then we expect to move quickly into the other transactions and get into the code sets and unique identifiers.
The objectives are primarily to evaluate the actual implementation guide. As someone said, the good news is we do have now a standard implementation guide. The bad news is there might be 400 flavors of that guide out there. So, what we want to do as a community, in one state at least, is to try to get payers and providers together and to try to come to consensus on a standard guide, as much as we can.
We are seeing a lot of very positive movement toward that. Providers don't want to have to submit multiple, or program multiple requirements under systems to try to send a claim with this flavor to this payer and this claim with this other favor to this other payer. Payers are interested and committed to compromise on that and come together and try to develop this common implementation guide that everybody can agree on.
Then later on -- we are working on it right now actually in this process. We expect to spend about three to six months on that process, basically taking us to the end of the year. We are going to be later on planning and beginning to implement some of these pilot testings of these transactions.
The way we are going to be doing that is, with the organizations that are willing to test and participate in this phase, we don't expect everybody testing everything at the same time, but the fact is that we are going to have groups working on different activities. The idea is to really, after this process is done, exchange really the experiences, share the results. So, we will move into that phase next year. Hopefully by the end of next year, early 2002, we will begin really the actually full implementation of the transactions.
So, that is the transactions side. The security standards, like with the transactions, we have established a work group in Minnesota. It is formed by the security officers and they have reviewed the proposed rules, submitted comments, and we are just kind of looking for the final rules to come out.
In the meantime, we are working on a number of things, including a consensus around the standard certification policy statement and looking at best practices and standard policies and procedures on security. We are looking at the security tool kit that was available in NCHICA and using that as a means of assessing where organizations are in security.
Then, we also have a project that we participated in, called Health Key Minnesota and Health Key national project. This project is the one that is overseeing that. So, that is what we are doing in terms of security. Then finally, in data privacy, there is primarily an expectation that once we have the final rules we will be looking at those from a multi-stakeholder perspective.
Basically we have six core constituencies represented under the health data institute, that covers from consumers and employers to providers, health plans, policy makers, public health and researchers. Each of those constituencies are going to be looking at the final data privacy rules and really assessing the impact that they will have.
In the meantime, we are also working with the organizations, primarily providers and the health plans, to come together and to come to some consensus on a set of data privacy policies and procedures, to come up with the best data privacy policy and procedure standards that we can all share and build upon.
So, we are coordinating with other activities in Minnesota, as well as actively participating in SDOs and standard data organizations and data content committees. That is another basic element of all this. If you want to be active, you need to be active and you need to participate in these activities.
Just to conclude, basically, some of the early lessons learned, we have been able to establish this community organization that facilitates the process locally in this state. We have identified and worked with the early adopters and the leaders and those are the ones that are kind of pushing the envelop, if you will. Prioritizing the work has been one of the most important elements in this. The resources are not there to do all the activities at the same time.
Coordination, coordination, coordination, that is the message that we have today here, too, as well as what I started with, which is we need to think nationally but certainly act locally.
I thank you for the attention and I will pass along the podium.
DR. COHN: Thank you. Holt Anderson?
MR. ANDERSON: Mr. Chairman and members of the committee, thank you very much for allowing me to speak for the North Carolina Health Care Information and Communications Alliance. My name is Holt Anderson and I am the executive director of that organization.
NCHICA is a 501(c)(3) non-profit research and educational organization that was formed by our governor, by executive order, in 1994, and taken outside of state government as a private non-profit. Currently, we have more than 150 members, many of whom call in from time to time, including providers, health plans, clearinghouses, professional groups, research and pharmaceutical companies, government agencies and vendors.
I might say that the vendors have been very important to us, in response to an earlier comment, with respect to HIPAA. Our mission is to implement secure technology and health care, or to implement technology securely in health care, and you can flip the words around.
Last year, about this time, there was a golf game in North Carolina. It involved myself and Blue Cross Blue Shield and UNC. We started -- I guess golf was boring and we started to talk about HIPAA. It became a realization that this was going to be a big deal. About the 18th hole, we started talking about the 19th hole. We decided it was pretty important that we get together and form a task force.
This was what evolved as the mission of that task force, to develop an overall strategy for addressing HIPAA compliance in an orderly and most efficient manner possible. If everybody went off and tried to implement it on their own, they just couldn't do it. One of the individuals involved in this, one of the co-chairs said, Y2K, an enterprise, could pretty much be successful itself in coping with this. In HIPAA, you cannot succeed alone with HIPAA.
It began by setting up work groups. We took the HIPAA proposed regs and we merged into one group transaction codes and identifiers. We felt that was a good grouping from an administrative standpoint. We took the security proposed reg and broke it into two pieces, state of security and network interoperaibility and had different groups working there. Privacy was a stand alone task force focus group that we had previous to the regs coming out. Then we formed, in the last two months, an awareness, education and training work group.
So far, there are more than 50 of our members who are actively engaged in this process, and they have committed 100 individuals to work on these work groups. So, it is a very broad group, a very deep group. I want to take each one of the work groups and tell you a little bit about them.
The transactions codes and identifiers has been the longest active group. It is very much involved in developing a consensus among the providers, the health plans and the vendors on the sequence and timing for how are we going to implement the transactions and codes.
Let's put a schedule together, let's all agree that on a certain date we are going to test a transaction. That means the health plans need to be ready, the providers need to be ready and the vendors need to be ready. So, build a consensus on a set of dates. Then publicize these dates. What is really critical to us is building a critical mass of the providers and the health plans and the clearinghouses, the vendors and government agencies.
A vendor, dealing with 50 states, or a government intermediary dealing with 50 states doesn't care what North Carolina does. So, we need to be aligned with what is going to be happening on a national basis. That is why it has been very important for us to be invited and feel welcome at WEDI and AFEHCT and the other organizations, the SNIP and those initiatives. The fact that we have been welcome there has assisted us in bridging into those national efforts.
Most recently, there was a document prepared actually with a significant amount of help from Don Bechtel, a document for our business partners on what are the issues with code sets and what are the issues with the transactions, so they can begin to grapple with the significant issues on codes. The network interoperability work group is trying to understand the requirements for the use of secure communications.
They are really grappling with this and trying to figure out how we can qualify and select vendors, not NCHICA but each separate member of NCHICA is going to contract with a vendor themselves. So, how do they do that? We need a process by which they can qualify and bench mark vendors. So, they are trying to develop this basis for secure transaction interoperability among our own members and how we are going to figure out that piece.
The privacy and confidentiality focus group took the proposed privacy reg, analyzed it, and then provided our comments during that period. The next task will be when the final rule comes out. We have got to map those differences and understand very quickly where there are gaps, or where they fit together and where they don't.
We don't believe that there will be a total preemption of state law and we think there will be some significant differences there. So, we have been working on privacy legislation in North Carolina since 1995 and we responded to the proposed privacy regs.
The most recent of our work groups, the awareness education and training, in conjunction with the state division of facility services that licenses all the facilities in the state, is going to put out a series of surveys to assess the degree of readiness in the community. It is being used as much as an educational tool as to just let them know, this is out there, as it is to get data back. We are doing both of those.
They are developing programs to share HIPAA information, both at an awareness level, and there is a speakers bureau that has been put together to go out and do 45-minute presentations, developing educational programs that will be half day or day-long workshops, and then specific training programs for implementations for specific transactions or a specific code set.
I might say -- let me back up one. What is very significant here is that we have the buy in and the participation of the medical society, the nurse's association, the health information management association, the association for practice management.
So, we are getting to that very vulnerable part of the community that we think are going to be the toughest ones to bring along, the physician practices and the small practices and nurse practitioners. I can tell you, when you go before a group of nurse practitioners who have never heard about HIPAA at 5:00 o'clock before their cocktail hour, Bill, I am taking some arrows for you.
They don't know about HIPAA and then, when they are told about it they say, gosh, what are we going to do Recently, they have developed a survey instrument to determine the state of awareness and readiness and are planning for regional programs this fall.
The data security work group, I think the inspiration for this came from the security workshop that was held in Baltimore last November. From that, this group started thinking and working and they started putting together a checklist.
They took the security regs, divided it up, gave everybody a section and said, okay, go give us a set of closed end questions. Are you doing this. Yes, I am doing it, no, I am not doing it, for each of the implementation steps in the security reg.
The intent was to get a gap analysis out of that. So, they developed a tool that has 521 closed end questions that directly map the proposed requirements and we have made it available through our web site. Key issues that have been raised in our process, there are a few of these that I wanted to bring to you.
The State of North Carolina and all of our members, last year, when we started this process, lined up resources, not only financial resources, but contractor resources and internal manpower resources, based on what we thought the final rules issuance would be. The delays have gotten us out of budget cycles. So, it is putting a real crunch on going back in and getting new resources allocated.
We keep preaching to them, we need to start now, we think we know 95 percent of what is going to happen in security. We are pretty certain, on transactions, what is going to happen. Let's don't stop. We don't want all the rules coming out at one time. You couldn't implement them if they all came out at one time. So, please don't do that.
The cost concerns, especially when we talk to the practices and the nurse practitioners and that 30 percent of the hospitals who are in rural areas who are underwater, how do they get the resources, not only the financial resources, but the technical resources to do that. There are real concerns there. The privacy regulations are even the most concern of all because they are so unknown and so ambiguous. They just don't know how they are going to do that. So, the lack of resources is a real issue there.
Now, we have tried to bring consensus many times in our group. If you are dealing with health plans and research organizations and pharmaceutical companies and providers and government agencies, it is somewhat difficult to do that.
So, when you are trying to get a commitment for a community movement to implement HIPAA, you start getting into arguments about, well, my group wants to do this one first, and no, my group wants to do this one first. That discussion is not over, obviously.
I have provided some additional materials for you. One of the first outputs of the group was to develop a top 10 planning points for HIPAA compliance. This was developed by the CIOs and the medical records people who needed to go to their top management to get resources to implement HIPAA. So, they developed these top 10 points as a simple way of explaining to their to management why they needed it, why it was important.
Then there is an organization chart. I would ask you to note that we have tried to have co-chairs from industry, from provider, from health plans, and from government wherever possible, to get a mix and a balance in the way that we are approaching it. That concludes my presentation. I thank you for your time.
DR. COHN: Thank you very much. Elliot Stone?
MR. STONE: I will change my testimony to good afternoon, Mr. Chairman, and members of the subcommittee. My name is Elliot Stone. I am the executive director and the CEO of the Massachusetts Health Data Consortium. We are a non-profit public private partnership created 22 years ago as a non-partisan site for data collection and dissemination. We now have over 105 members.
Now, three years ago, June 24, 1997, I opened my testimony to the national committee by trying to persuade the federal officials in the room that we are from the states and we are here to help, and the offer still stands. I would like to use my time to highlight our success in New England in identifying and assisting health care organizations to become early adopters of the HIPAA standards.
The consortium has adopted a three-phased strategy for HIPAA compliance in our region, education, communication and resource sharing. We think these three are an effective blend of process and content. The attachment in my testimony describes each of more than 20 activities that are part of this compliance strategy.
Before I give you some highlights of these three phases, I would like to explain why the consortium took the lead as the convenor and the catalyst for HIPAA. Well, first, it was our noble wish to improve the health care of our community. We think it will especially improve the mental health care of our community, if we can do something about the administrative hassle factor that is out there among employers and physicians and insurers.
The second is undoubtedly a selfish wish. We are a health data organization and we saw that there were barriers out there for us to succeed as a health data organizations, a lack of interorganizational rules for confidentiality, for security, for electronic transaction standards.
We needed to find a way to exchange clinical and administrative data among health care organizations in our region and to the public and the community.
So, our first lesson in all of this and our recommendation to the committee is that, since health care and HIPAA are implemented at the local level, that the Department of Health and Human Services should develop partnerships with trusted regional and local organizations to build awareness of, and compliance with HIPAA standards at the community level.
Our first major activity in our three-phased approach has been to educate the community about the value of standards, through the creation of what we have called the CIO forum. It was created six years ago with an alternate vision of what we call the network of networks, a decentralized approach, instead of what was then all the rage five years ago, CHINS, community health information networks. We did not agree with the centralized data base approach at that time, and still don't.
The CIO forum now includes eight information technology companies and the chief information officers of 27 health care organizations. Half of them are from provider systems and half of them are from health insurers. Several of them are national plans. I have provided our annual report -- I think Jackie has passed this around to the committee members.
On the inside back cover, we salute the members of that CIO forum. You can see their photos. Those are the early adopters. Those are the leaders who give me my marching orders. These CIOs agree on the annual projects and suggest topics. HIPAA is actually only one of many common themes for research and education. Before the consortium convened them, these leaders rarely met their CIO counterparts in the community.
The CIOs are extremely busy executives. The regional convenor must be persistent at getting the CIOs out of the trenches, to foster collegiality and collaboration and meeting the needs of the business units within their organizations. That is actually their shared misery. They like talking mostly about the pressures they are getting from the business units within their organizations and shared misery is a major portion of each of our meetings.
The task forces that we have created have also been an effective forum. Each task force has a CIO executive sponsor. For example, we have been working on the electronic enrollment task force. We have invited major employers to meet with the health plans to describe the benefits of a single electronic format, the 834, to replace the variety of formats that employers are asked to use, especially those employers who have health plans in multiple states.
Now, previous to these task force meetings, the health plans stated that there was low interest for the 834 among the employers. We have found the opposite to be true. The employers need to be convened and educated and provided the tools, such as contract language about HIPAA, for their negotiations with the health plans.
Each task force regularly reports its progress, first to the CIO forum, and then in the annual report, there are case studies in this annual report for each of the transactions and other HIPAA activities that we are working on. We have HIPAA tracks at all of our regional conferences and content on our web site.
Our next educational forum will be to convene the directors of operations as a companion group to the CIO forum. The operations executives within the hospitals and the health plans have direct responsibility for claims and admitting and eligibility.
Most of the HIPAA compliance activities are non- strategic. That is, we don't think we are going to have to have an anti-trust lawyer in the room for these deliberations among the competitors, although the anti-trust lawyer will be at the first meeting to reassure them that she doesn't have to be at future meetings, we hope.
We have found that these operations executives rarely meet with their counterparts and are anxious to develop a shared agenda due to the obvious efficiencies of HIPAA. The CIO forum and task force participants have impressed upon us the need to make the business case, and explain the return on investment for standards.
For example, the recently findings from a Massachusetts Hospital Association survey shows that HMOs owe hospitals $193 million in claims which are over 90 days old. The health insurers, for their part, however, are prevented from increasing their rates of auto-adjudicating these claims.
I am told that the range for auto-adjudication is somewhere between 15 percent and 80 percent and that most health insurers are at about a 45 percent rate of auto- adjudicating claims. The reason for that is incomplete data, inaccurate data on the claims coming in from the provider.
So, the business case can be made for standards and we believe that that business case will show that it will facilitate prompt payment. However, we will never stop including in the business case the fact that we think the most important aspect of the business case is that standards will continually improve outcomes, error prevention and efficiencies.
So, our lesson regarding education and bringing the CIOs together has been that communities need to identify and convene their opinion leaders in their community, the opinion leaders on technology in particular, and to gain consensus on the return on investment and benefits of HIPAA compliance through the IT and business departments, and to provide neutral forums to educate them and their managers.
Michael Dertouzos at MIT's media lab for computer science comments on this. He says, when talking about the future information marketplace, that instant organizations of people who have never met their peers, let alone built some mutual trust, won't work. We have spent a lot of time developing that mutual trust and collegiality among these CIOs and directors of operations.
Our second major activity has been to communicate HIPAA resources on the consortium's web site and to alert our members and colleagues, through weekly e mails, whenever new content is added to the web site. To date, our web site includes -- I have provided a list here of things like work sheets on how to prepare a HIPAA compliance budget, articles by local and national experts.
We have links to client advisories from the major law firms. As you can imagine, everybody is in the act. We have tried to provide links to all the actors. On our web site, you will find guidelines that we have initiated on patient-centered e mail between physicians and their patients.
We have confidentiality guidelines on patient consent. We have our own summaries and comments that we have made on the HIPAA NPRMs and links to other organizations who have made comments on the NPRMs. We have a compendium of privacy principles. There is no lack of principles out there, from many different sources.
As organizations are trying to develop their own privacy policies, we tried to give them the ammunition to do that. We have sponsored papers on privacy by Professors Paul Starr and Amitai Etzioni that sit on our web site. We have created what we call the privacy resource center on our web site, which is a centralized portal for information about privacy, confidentiality and security.
You will see things out there, for example, in a presentation we have made with Dr. Cohn, the VP of legal services at Lahey Clinic in Boston has put out an implementation plan for privacy for her hospital and for her group practice, how they intend to implement the privacy regulations in a large teaching hospital.
So, the lesson in communication from us to you is that it is important to communicate very practical, very useful information and tools for the project leaders back at the hospitals, back at the health plans and other provider groups, who are charged with HIPAA implementation.
A third major activity has been resource sharing, our library researchers questions from our members about HIPAA. Based on those questions, we prepare white papers, research reports, literature packets. We participate in the five-state Robert Wood Johnson grant on PKI and describe the activities going on in each of the state with links to that web site, www.healthkey.org.
The consortium has fostered two collaborative organizations that have spun off from us. You are going to hear more about the first one from Eric. This is the New England Health Care EDI Network. They are working on the eligibility inquiry and response transaction, 270, 271, and the referral, the 278, with six hospitals and two health plans.
We have also spun off a group called the community health center network. This has been fabulous because this is a group that we would normally consider to be the have nots in the process. They are, in fact, the early adopters, working on the 278 transaction with a health plan, the neighborhood health plan in Boston, whose constituency mostly is Medicaid recipients and community health centers.
Here we have got community health centers as an early adopter with their health plan and we are very proud of that. We have also brought Medicaid into the fold and linked them to this NEHEN project, the New England Health Care EDI Network. We facilitated meetings between Medicaid, one of the large teaching hospitals -- the Boston Medical Center -- two of the vendors, EDS and CSC, and the NEHEN project.
We linked Medicaid's recipient eligibility verification system to the pilot project. The value of that has been that the Medicaid staff are now alerted to the transactions and to -- it was very instructive to Medicaid about whether their vendors were HIPAA compliant or not.
We really pushed the vendors to the test because the hospital was ready and the health plans were ready and Medicaid was asking its vendor to get ready and do it, and they did. They key player there was the Boston teaching hospital, the Boston Medical Center. They wanted to make this happen and they helped us convene everybody. So, the lesson there was that the participants in research and pilot projects should agree to share their findings with the community.
We encourage fewer members-only sections on these things. If they are great tutorials, we would like to see lots of people have access to good tutorials, wherever they may be. So, we tend not to have too many things in our members-only section. These past few years have been a very rewarding time for those of us who have been advocating standards for a long time, and we look forward to helping the national committee with the implementation of the final regulations.
To paraphrase a book that I have been trying to read on the plane these days, The Tipping Point by Malcolm Gladwell, he has some ideas about how to start word-of-mouth epidemics and why some word-of-mouth epidemics work and why other word-of-mouth epidemics don't work, and what we can do to deliberately start word-of-mouth epidemics and control them.
So, in the words of Malcolm Gladwell, let's hope for an epidemic of standards. Thanks for the opportunity to provide this testimony.
DR. COHN: Elliot, thank you very much. Eric Bartholet?
MR. BARTHOLET: First, I would like to thank you for giving me this opportunity to testify to your committee this afternoon. My name is Eric Bartholet and I am a health care consultant with Computer Sciences Corporation.
I am here today representing a regional perspective in the implementation of the HIPAA administrative simplification EDI transactions, based on our experience as the program managers for NEHEN, or the New England Health Care EDI Network, as Elliot had referred to earlier.
In my comments this afternoon, I hope to provide the committee with an understanding of the challenges and issues that we faced in implementing the HIPAA transactions. The focus of my comments will be to provide you with an overview of who NEHEN is, the status of our implementation and the technical and process-related issues that we have had to overcome.
I have also submitted a brief white paper separately that discusses in greater detail the history of NEHEN, how we are organized, and the specifics of our technical approach. In terms of NEHEN background, NEHEN is a consortium of payers and providers located in eastern and central Massachusetts, who are collaborating on the implementation of the HIPAA EDI transaction sets.
It was started in 1997 from a subgroup of the Massachusetts Health Data Consortium, headed by my colleague and fellow panel member, Elliot Stone. NEHEN is currently comprised of most of the region's largest provider networks, and two of the regions largest managed care organizations.
The founding members of NEHAN include Partners Health Care, Care Group, Lifespan, Harvard Pilgrim Health Care and Tufts Health Plan, but membership has rapidly grown to include Boston Medical Center, Boston Children's Hospital and the University of Massachusetts Memorial Medical Centers. It is an open organization and any payer or provider is welcome to join for a low monthly fee.
One thing that is a little bit unique, I think, about NEHEN is that there are no transaction fees. There is just a flat monthly fee. The net result is actually the average cost per transaction for a NEHEN member today is 13 cents, and it is forecast to be about six cents, a year from now, which is considerably lower than the other options available in the market. Additionally, NEHEN provides conductivity to Medicare and Medicaid in a seamless and integrated manner, so that the provider members have access to all four payers through a consistent user interface.
In all, NEHEN membership represents over 25 hospitals, over 6300 licensed beds and over two million covered lives. The primary objectives of NEHEN are, first, to address HIPAA compliance issues. All transactions currently flowing over NEHAN network are HIPAA compliant.
Second, improve service efficiencies through EDI, exchanging HIPAA-mandated transactions, lets participants realize significant improvements in the speed and uniformity of many core administrative processes, to shorten the elapsed time to achieve widescale use of EDI in payer and provider organizations and, finally, to reduce the cost of EDI implementation through coordination and standardization.
In terms of implementation status, NEHEN went live with eligibility verification back in 1998, and has recently gone live with a specialty referral in a pilot project started last week. The next planned transaction is the claims status inquiry, which is scheduled for August of this year. Although it took about a year to develop the necessary infrastructure, new members are now able to begin trading transactions within a few months of joining NEHEN. Our current transaction volumes are approximately 220,000 a month and are expected to triple over the next year.
There are two key implementation issues that have affected our progress that I would like to make this committee aware of. The first is that the providers have typically required a significant amount of redesign of their patient access processes prior to implementing eligibility transactions. For example, there is considerable value in moving the eligibility verification to the front end of the patient access process, or in other words, verifying eligibility at the time of appointment, rather than waiting until the patient arrives for service.
Currently, this is not done in a consistent manner, due to the time required to mainly verify a patient's eligibility. By significantly reducing the time it takes to verify eligibility, NEHEN members have greater flexibility in determining when the eligibility verification occurs in their patient access process. As a result, schedulers are now able to resolve any eligibility discrepancies while the patient or the physician's office is still on the phone.
The effect of this redesigned process has been higher quality data and fewer rejected claims. The challenge has been that scheduling functions are often supported by individual departments in a hospital, and is highly decentralized. Since the new verification process adds to their existing work loads and requires additional training, our provider members have found it necessary to, at a minimum, develop education programs for their staff, and on occasion have decided to develop new organizational models that centralize the scheduling function. Although these redesigned processes add considerable value, they also take time and affect the speed at which providers can effectively implement the HIPAA transactions.
The second issue is that we discovered early on that the key to maximizing the value of the eligibility transaction for providers is to integrate the function within their core information system, and this is something that has been raised several times, I think, in this past day and a half. One of the greatest challenges that our provider members have had is that our regent's payers all offer unique technologies to accessing their member data. The current local access methods include card swipe devices, PC dial-up technologies and IVR or interactive voice response units.
The promise of HIPAA's administrative simplification is to consolidate all of these unique communications methods into a single standards-based approach, allowing the providers to access all payers from a single user interface. What we have learned is that providing a single user interface does not go far enough. What is really necessary to maximize the value to our providers is to fully integrate the HIPAA transactions into the core application work flows, thereby eliminating the need for multiple data entry.
For example, someone registering a patient in a high volume ambulatory clinic often does not have time to capture the patient information in their core registration system, re-key the data into a separate system in order to verify eligibility, and then re-key the response into the registration system. Instead, the eligibility transaction must be integrated into their core systems, and become a natural system of the registration process.
The challenge we have had at NEHEN is that very few vendors fully support the HIPAA transactions. This challenge is further compounded by the fact that a typical large IDN often has multiple registration systems from multiple vendors that need to be integrated.
Overall, I would like to emphasize that NEHEN's experience with the implementation of eligibility and specialty referral transactions has been very positive. Both payers and providers in the network have seen significant financial and operational benefits from their early implementation.
Some of the benefits achieved include reduced telephone-based customer-service support requirements for the NEHEN payer members, reduced average eligibility verification time from seven minutes to one minute. What this has done, it has allowed providers to verify nearly 100 percent of all patient visits.
We have reduced claims rework by as much as 20 to 25 percent in one study of a provider organization in NEHEN, upwards to 30 to 35 percent of their rejected claims were directly attributable to incorrect eligibility information. An audit trail of all transactions was created, facilitating better management of the verification process.
In conclusion, while we recognize that there is little effect that this committee may have on the process redesign issue, we would like to recommend that you explore ways to encourage vendors to make their products HIPAA compliant sooner rather than later, in order to reduce the costs and time associated with implementation. One potential way, or our suggestion to do this, is to encourage vendors. It might be to have HCFA compile and disseminate information on vendor compliance efforts.
Once again, thank you very much for allowing me to share with you our experiences at NEHEN.
DR. COHN: Eric, thank you very much. Our next speaker is Mark Gordon.
MR. GORDON: Good afternoon, Mr. Chairman and committee members. I would like to thank you for inviting me today to speak to you regarding New Jersey's proactive approach to achieve health care administrative simplification.
Just a little background, the Health Information Networks and Technology Study was a collaborative effort between Thomas Edison State college and NJIT, at the request of the state legislature and the governor in 1993, to determine ways to reduce administrative health care costs in New Jersey.
One may ask why the two colleges were asked to do this. We were considered honest brokers. We had no product to sell. We had no connection to the health care industry. The 1994 HINT study found that EDI technology and national health care transmissions standards could result, in New Jersey, with as much as $760 million in annual cost savings or cost avoidance in New Jersey alone.
The HINT study suggested areas of legislation and pilot projects for the state. I am glad to report that this study was not something that was put on a shelf but developed into a proposed legislation introduced by Senator Robert Luttell on the Senate and Assemblyman Nicholas Felice.
That resulted in bipartisan leadership, sponsorship, and passed unanimously in both houses in New Jersey earlier in 1999, and was signed into law by Governor Whitman on July 1, 1999. I have provided you with a copy of this public law in 1999, chapter 154, for your reference.
The law promotes the use of EDI technology in New Jersey, along with the national health care standards, specifically HIPAA, wherever possible, and to additionally achieve administrative simplification and cost efficiencies for both the public and private sectors in New Jersey.
Just as some more background, I will go through this fairly quickly as to the background, because of time and my sharing this time slot with Mr. William O'Byrne from the Department of Banking and Insurance from New Jersey.
This key group that is a public/private partnership, as I refer to it, was an advisory council that was very useful to the two colleges in the development of this HINT study, which provided us expertise and access, both in the public and private sector, as key steps or bench marks of the study progressed and also access to experts at both the federal and national level. The survey that we did was a mail survey which had major research objectives of health care processing and costs in New Jersey.
At that time, there was no idea of what that existed for New Jersey. Generally, the only published documents that were available were basically WEDI at the national level. This survey assisted in making recommendations about electronic data processing and reduced costs for health care information in the state. We also wanted to better understand how the health care information was processed and to estimate associated costs, also identify obstacles that would be barriers for the implementation of EDI.
The survey was mailed out to 1,250 different participants. We had a very good response rate of 34 percent from seven segments of the health are industry in New Jersey. This was the first in the nation statewide survey conducted on the use of current information technology, associated costs and defining barriers to the use of information technology.
For your information, the major barriers that we found, the three top were costs associated with change, the lack of national standards at the time, and the concern about confidentiality of health care information in computer networks and data bases.
There is just a short comparison on the annual health care costs, both at the national and the New Jersey level. On the administrative cost side, we used the conservative number of 17 percent in New Jersey. As the WEDI report showed, that could be as high as 25 to as high as 40 percent for small business plans that were reported by WEDI. Claims processed, we found, based on some national figures we extrapolated, we found that New Jersey had about 150 million claims per year, based on our statewide survey. We mirrored what was happening at the national level at that time, which was 85 percent paper based of these claims and 15 percent were estimated to be electronic.
I just wanted to show you, by the sample group on the next slide, the average cost per claims uniformly was less by using electronic processing than paper, and this is based on these individual sample groups reporting back in our survey what they anticipated their costs were at that time.
There is another slide, costs based on estimates, since there is no agreed-upon definition of what ought to be included for the cost. We tried to keep it simple, let them estimate what it was and report back. As you can see, the costs to the payer was less for electronic, the cost to the provider was less. The error rate was less for electronic, 30 percent versus paper.
Interestingly enough, also on the follow up of what happened on that claim, on the follow up, on the inquiries, it turned out from our survey that that was 44 percent less costly for electronic than paper. From a business side, the accounts receivable, on average, was almost twice as fast for electronic than paper, the 30 days versus the 57 days.
Again, I want to show you, for the business side, the average age on accounts receivable. The next slide shows that the physicians, hospitals and labs had a much more favorable time frame for electronic processing than paper based systems.
On the next slide, we took all the data that was available from our survey and also the federal level at the time, which was basically WEDI. We estimated for New Jersey alone, based on our own survey results, for EDI claims processing, $267 million. If we could migrate that 85 percent that was still paper based to electronic, that would be our estimate for cost savings or avoidance in New Jersey.
Reduced claims rejection with EDI was nearly $24 million. Verification of insurance with EDI was $7 million, decreased accounts receivable was $102 million. That goes back to the almost 30-day sooner payment, which would be either cost avoidance of borrowing money or having that money in the bank to invest at a nominal let's say five percent rate.
Other EDI applications in that figure should be $360.4 million. That includes migrating the other areas, such as materials management, test ordering, coordination of benefits, referrals, scheduling, medical records exchange, et cetera. The total savings for the state of New Jersey at that time would be an estimated $760 million.
Based on the study that went back to the state legislature and the governor -- it is over 400 pages long -- the official title is Electronic Network Solutions for Rising Health Care Costs. I have a copy here if somebody would like to look at it later. That is commonly referred to as the HINT study. That evolved into a very positive reaction from the state legislature and the governor's office. What evolved was the adoption of the HINT law. Some of the highlights there are the standardization of health care enrollment claim forms.
What we found from our survey was that employers had two to five different health care plans, but they also had two to five different enrollment forms. It made absolutely no sense. Hospitals had similar claim form variations from payers that they have contracts with. The other highlights were to standardize the health care data transaction versus EDI using national HIPAA standards.
Since the study showed that there are potentially great savings here, the legislature felt, why wait if there are potential cost savings. Let's implement early. So, there is the New Jersey public law chapter 154. It indicates that New Jersey should implement one year earlier than federally required.
They also have provider submission of health care claims on behalf of patients. Patients get lost or have difficulty in processing health care claims. So, this state law has the provider submitting on behalf of the client, unless the patient opts out of that and wants to file themselves. Also, another aspect is that the payers of health care claims in New Jersey have to receive and transmit health care transactions as a condition of continued authorization to do business in New Jersey.
That tightens up the process. So, if there are payers out there who have to accept electronically and there are providers, either hospitals and physicians who want to submit electronically, the payers cannot turn around and say, well, send us paper and we will let you know. Also, on the next slide, the state law creates a state advisory board in New Jersey to assist the state in information EDI technology policy, including measures to protect the confidentiality of medical information. It also requires an annual report back to the state on the use of health information in EDI technology in New Jersey.
If you don't have any tracking or trends, how are you supposed to know what is going on in the state. Thomas Edison State College will continue to study and monitor the use of EDI technology and report its effectiveness in reducing health care administrative costs in New Jersey. Also, an important part of the law was prompt payment of health care claims for EDI. The law indicates 30 days for that, and paper formats 40 days. Included in the state law is overdue simple interest at the rate of 10 percent per annum if the clean claims are not paid within those time frames.
The HINT law tightens the whole business process. It should make the whole process more efficient from the patient's point of view, for providing the paperwork to be filed on their behalf when there is a health care claim to be made for payment. Prompt pay will assist the providers in being reimbursed in a timely and proper fashion, as long as fraud is not involved. For the payers perspective, the providers will be required to promptly file health care claims to the payers, so that there is a tighter turn around on that whole process.
They are also required, under the state law, to accept electronic data interchange. New Jersey law is critical for the development of a statewide approach to health care EDI in administrative simplification. The aspect of the federal HIPAA law, I would like to point out, contains many of the same recommendations within the HINT study and legislation that was developed two years earlier in 1994 in New Jersey.
One of the projects that was identified in the HINT study that I am personally participating on is a data intermediary project on behalf of the New Jersey Department of Health and Senior Services. This is to streamline the current hospital patient discharge data reporting system, which will be based on electronic up front edit at the hospital site to transmit this data electronically to the state of New Jersey. We are in the pilot evaluation portion of the project, which started in January, ended June 30. We had five participating hospitals.
I would like to point out that this particular state project is the first in the nation to have the ANSI 837 version 4010-I, a HIPAA-required standard, certified as compliant by the electronic health network accreditation commission, ENEC, in January of 2000, of this year. We required the vendor to go out and have the transmission as they claim they were doing to be HIPAA compliant, certified by an outside certification firm.
Both the Department of Health and Senior Services in the state and the Department of Banking and Insurance are in the process of creating regulations to implement the HINT law and also have established the HINT advisory committee.
At this point, I will turn the comments portion over to William O'Byrne.
MR. O'BYRNE: It is a pleasure to be here with you today. I am appearing on behalf of Commissioner Karen L. Suter. She is the commissioner of the Department of Banking and Insurance for the State of New Jersey. I am a regulatory officer on her staff, and I am responsible for writing and drafting the rules and regulations to compel compliance by the people that we regulate.
This will be for the HINT law, which, if my friend from Minnesota will push the button, is our attempt at early implementation of HIPAA. New Jersey's experience with the concept of electronic transfer of health care information began several years ago.
The first meetings of the HINT advisory board that Mark has talked about took place in 1993. At that time, the HINT advisory council was sponsored by the Department of Health in conjunction with, and supported by Thomas Edison State College and the New Jersey Institute of Technology. The council was composed of members of government, payers, providers, significant stakeholders, from labor and industry.
Since that time, the efforts of the HINT advisory council have resulted in the HINT legislation, which is cited on the slide. The Department of Health and Senior Services is now partnered with Thomas Edison State College, the New Jersey Institute of Technology and my department, the Department of Banking and Insurance, and a new HINT advisory board, pursuant to the statute.
The HINT advisory board is also composed of all appropriate stakeholders as well as consumers. The purpose is to monitor the performance of HINT legislation, which I will talk about in a moment, and to make recommendations regarding HINT policy, and to address measures needed to protect the confidentiality of medical information.
Now, let us take a quick look at the efforts in New Jersey that we are taking to implement HIPAA. Implementation of HINT is dependent upon the adoption of the transaction and code sets by the U.S. Federal Department of Health and Human Services.
HINT requires my department, DOBI, as we commonly call it, to establish a time table within 90 days of the date that federal rules are adopted for transaction and code sets. This time table will fix the dates for the implementation of a system for the electronic receipt and transmission of health care claim information by payers who do business in the state of New Jersey, or wish to continue to do business in the state of New Jersey.
Thus, we have been following developments at HHS very closely. Sixty days after the standard HIPAA transaction and code sets are released, they will be considered to be adopted. From that date, my department will have 90 days to establish a time table for the implementation of HIPAA in New Jersey.
We have already drafted the proposed rules for the establishment of this time table, which will place us in a position to file our administrative rules in conformance with HINT pursuant to our administrative procedures act. However, before focusing on the time table, let us take a look at some of our new prompt pay requirements, which are also a large part of this picture.
These provisions require that all payers shall pay uncontested claims no later than 30 days following receipt, when filed electronically, or no later than 40 days if filed manually. An uncontested claim is one which is submitted by an eligible provider for a covered person which does not contain any material defect, has no dispute regarding the amount, there is no basis to suspect fraud and no special handling is required, thus, the requirements of a Medicare clam. Prompt payment requires that payers acknowledge receipt of these claims filed electronically no later than two working days upon receipt. In the case of manual filings, it is 10 days.
Regarding denial of claims, if any or any part of a claim is denied, the payer must notify the claimant within 30 days of receipt of the claim and provide specific reasons for the denial. The notification shall include information pertaining to the reasons for denial, the needed information to fix the claim and the amount disputed. Any portion of a claim that meets the standards established for payment of the claim must be paid within the required time frame. Only the non-conforming aspect of the claim can be denied. Overdue payments bear interest at a rate of 10 percent per year.
Where the patient has assigned his benefits to the provider, the provider must file the claim within 180 days of the last date or service, or the payer will be in a position to deny the payment in accordance with regulation and rules that we are drafting. The rules will require all payers to record and report certain information to our governor, to the legislature and to my department on an annual basis.
These reports will contain information which we deem to be essential and which is required by law, such as the number of claims denied, together with the reason for the denial. The payers will be required to report those instances in which timely payments have not been made, and provide a running amount of interest paid as a penalty. These reports should permit the department to judge the effectiveness of the application of our rules, together with a payment record of the filing. In appropriate cases, enforcement action can and will be taken against the payers.
The new rules will require payers to require providers to submit their claims on behalf of their patients, unless the covered person elects, in his or her own discretion, to file their own claim. Payers will also be required to give information to providers and to covered persons. This information will include material such as what information must be submitted with the claims, documentation that is required, including proper codes for diagnosis and procedures.
Covered persons and providers will also be required to provide a toll free number, which can be used for inquiries, which must be responded to within three business days. In those cases where the provider is filing claims on behalf of the patient, with no assignment of benefits, the provider must file the claim within 60 days of the last date of service in a course of treatment, or the payment may be denied again by the payer.
Health care providers that violate the provisions of these rules by not filing claims in a timely fashion on behalf of their patients may also be subject to civil penalties of up to $250 per violation plus $50 a day for every day over 50 days. There is no slide on that, but it is a strong enforcement action which can be taken by our professional boards against the providers that deviate from the required conduct.
In the case of health care facilities, it is the Department of Health and Senior Services that takes the enforcement action. As indicated previously, our time table for early implementation of HIPAA in New Jersey should be adopted within 90 days of the effective date of the HIPAA transaction and code set standards.
According to our administrative procedures act, we must publish the proposed rules in our New Jersey register and provide a 30-day comment period. Thereafter, the comments will be summarized and responded to. Necessary changes not requiring additional public comment will be made upon adoption. When deemed appropriate, a public hearing can be held at the discretion of the commissioner to provide all an additional opportunity to be heard.
Our time table will simply reflect the time tables that are already established in HINT legislation. That statute also requires that, unless otherwise provided, payers will be required to implement a system for the electronic receipt and transmission of health care information transactions within 12 months of the DOBI adoption.
This is well before the HIPAA standards become mandatory. What, then, of extensions of time and exemptions when compliance is not possible? It provides that payers may notify DOBI of the need for extensions and waivers within 180 days of the adoption of our time table. Extensions will be granted by the commissioner, but will require that the payer demonstrate that compliance will result in an undue hardship to the health care payer, to its subsidiaries or to the covered persons.
This 180-day report to DOBI will take the form of an operational status report. That comes 180 days after our adoption of the time table. In addition, DOBI is currently preparing a HIPAA HINT questionnaire that should be sent out shortly, and should be sent to all health care payers.
This questionnaire is designed to give our department an early opportunity to determine at which stage all payers are currently. This questionnaire will also serve as a wake-up call to payers who have not already taken active efforts to arrive at solutions to these problems.
After HIPAA is adopted, the proposed rules will be published. Unless excused or extended, 12 months after the adoption of DOBI's rules, all payers will be expected to handle claims transactions electronically.
DR. COHN: Thank you. Bart Killian?
MR. KILLIAN: I appreciate the opportunity to talk to you the second day in a row. This is the real reason that I was invited. I am Bart Killian. I represent the Utah Health Information Network. I am the executive director there.
I want to take a little different approach in my presentation, and I am sort of glad I am last, in that I want to tell you that HIPAA can, and should, be successful because, fortunately, we have been able to do that in Utah.
We began very differently than what you have just heard from New Jersey. We had a one-line attachment to an Insurance Commissioner law that says, all payers shall be able to accept electronic claims by July 31, 1995. UHIN had been ongoing since 1991. That was the amount of law. There is a lot of rule from that time to this, but that was where it was.
We actually began production of ANSI 835 and 837, and we used the 332 and 3051 things to our friends at Medicare since then. We now have about 90 percent of our provider base in the state of Utah. We have all of our hospitals. We have, I would say, 99 percent of our physicians. We have some 80 percent of our chiropractors, and something less for our transportation services and the other ancillary parts of health care. We include in our coalition all payers but one in the state of Utah, and we are currently reaching some 400 payers outside the state of Utah.
Now, I have to tell you about the outside of the state of Utah, or Kepa will. So, we will do it. We had to actually go backward from our X12 standard to NSF in order to reach most of the national payers. There were a couple of exceptions, but by and large, to provide the service to our provider group, we elected to do something that I told Kepa that we would never do four years ago, which is to translate backward. Again, we utilized the X12N transaction standard.
One of the reasons I think we have been successful -- and I think it is different from what you have heard -- is that we defined early on who our partners were going to be and we treated our partners as customers. If you can recognize that every entity in health care is a customer of the other entity, you are able to deal better. We put UHIN at the center of that just so there would be an arbitrator. There was somebody trusted that they could bring their problems to.
The second thing we learned right up front is, you can make all the laws you wish, you can do all of these great and wonderful things, but you must bring immediate and ongoing value to your partners. This is one way to do electronic commerce. You will see in a slide down here that we brought immediate value.
The other thing you had to do -- and it was one of our great problems is -- you have to have a process to identify and resolve issues quickly. If you don't have a procedure in place to resolve these issues, you lose what is happening.
The other thing we were able to do was leverage the synergy of the group, the fact that we took small steps and we had successes. We are to the point now, as Mary will tell you and Bill will tell you, we bother them incessantly, because we are ready to move on. The immediate value we created was by leveling the playing field for the providers in our state. I have heard over the last two days that rural and small town providers will not adopt.
I will tell you that our experience was that, in fact, by bringing value, our rural providers were the first ones to use electronic claims and among the first to use electronic remittance advice, because suddenly they had the same turn-around time for payment as the urban centers where the insurance was. So, you need to understand what the value parts are and how to do it. So, geography was no longer important.
The second thing is, we took this in steps small enough that we could use the old American value of return on investment. Every single step we have taken, we were able to demonstrate that our partners could recover their initial investment in less than six months.
Now you might say, that is a dream and you can't prove that. I would take you to any payer or provider organization in the state of Utah -- and fortunately one of your members has been there, Dr. Zubeldia -- and he will tell you that it is, in fact, true.
In every case, we need to demonstrate that we have decreased costs to the end users, me they payer, provider, government or industry. The other big thing that we brought for our particular association was the national involvement, bringing back what is happening at the national level to those organizations and then being able to take the understanding of a coalition of already payers, providers and government back and saying, we have tried this, it won't work, or if you think it will work, how will you make it work.
So, we have been able to be a conduit between the national level and the local level. We are involved in HL7 and WEDI and ANSI and Health Key and all the other things that you can get involved with. It is very important. We believe very strongly that you only get out of an organization or a group what you put into it, so we have been involved in that heavily.
How do you handle these problems? What is this process that it takes to solve problems quickly? It is one of the biggest fears we have in Utah with what is going on at the HIPAA level. Number one, there have to be open discussions. There has to be a consensus process. Those things are happening. The more you participate, which is one of the problems we had with certain industry segments nationally, I think, is if you participate, you are likely to get your needs met. If you are not there, somebody testified yesterday that they went to a meeting, they missed a phone call, and things changed. You have to be involved at all times.
This is the point we worry about nationally, flexibility. You need to be able to propose and modify your standards on a very short period of time. If you have a business need -- this should be business driven. I believe that strongly, not mandated by states or by government federally. This should be business driven. If you can't solve your business needs in a reasonable period of time, you will lose that synergy and that enthusiasm that your partners have.
We need to put in place nationally a process to resolve the problems we will have implementing HIPAA standards. For anyone to believe that there won't be problems, they haven't been through it, so we need to get that done. The other thing that we need to do, and I think it has been harped on 100,000 times in the last two days is education, education, education and more education.
We have recently put into process in Utah a survey that we have talked about that asks several questions about HIPAA and the implementation and the schedules and how it affects them. We only give that survey to entities that we know have been to another education seminar on HIPAA, either given by us or the medical association or the hospital association or some other place.
The unfortunate thing about education is that you can tell them but they don't hear. We are finding out, when we ask the question, what do you know about HIPAA, have you heard about HIPAA, we are getting less than one percent, understanding that the only people who have received that survey are people who have been -- not necessarily them, but their organization has been to another seminar.
Somehow, we need to catch the attention of the industry, particularly providers and vendors, so that they understand what HIPAA is and they talk about it inside their organization. So, as we talk about education, we need to make certain that this is going to take place.
What were our challenges? What did we fail at? Gaining the initial trust and buy-in was very difficult. We came at this from a very different way than mandating it. We came at it from a consensus coalition point of view. We had to prove our ally or we wouldn't be here today. So, that was a big problem.
Probably our biggest problem and the thing that I worry about most nationally is the process of being able to deal quickly with the problems that came up with our standards. Utah's standards, while they aren't exactly like HIPAA, are very similar. If you look at the statute of 36 standards, we had to be able to change those when business needs changed, when problems were identified. We had to have solutions out there.
We had to get this consensus business to make it happen. In Utah, the way it works now, even though we have insurance commission backing, in order to get the rule changed, it takes 100 percent of every vote in our coalition to change something, every vote, and that is payers, providers, government agencies and industry. We have never had a veto used in the eight or nine years that I have been involved with UHIN, but the threat of that is there. It causes us to do it.
The other thing that I know that vendors are looking at and is a hard job is the being able to rapidly incorporate the change or the rule into the vendor's product or into the coalition's product. It is the hardest thing we face. Hopefully that will be one of the advantages of HIPAA and one of the reasons that we push it. At least we are not the only one out there trying to deal with it.
The other big challenge -- and we discussed this at some degree yesterday but I am going to go over it for those that are new -- codes. There are different people using different national codes for the same purpose. There are the overlap just in the standard reason codes inside the new rule is tremendous.
I think there are 236 HIPAA standard reason codes or combinations of them. In our coalition, we have reduced them down to 90, which is something that a provider's office can pretty well memorize and understand what they are. Then the other big problem is this local codes issue that I will be interested to see how we get out of. After listening to yesterday, I am glad it is your job and not mine.
Probably another big issue that causes us deep concern is waiting for the national identifiers. Mary Emerson is sitting over there and she will tell you that we have been pushing her some five years to get a national provider identifier. We were going to do this before HIPAA came out.
We believe that our savings are something over 300 percent from where we were in 1995. We believe we can reduce that by at least that much by having single standard identifiers. That process needs to be brought forward in the rule making process at a very early stage.
We can all do the transactions. We can all make them work, because we do today. If we had the identifiers earlier, we would solve a number of problems. So, we would like to recommend that to you. Again, we believe that the success factors that will make HIPAA work is that they must be value driven and there must be an ongoing process that is reasonable and timely to make it happen.
I might suggest to you that we have changed our tone of what we are going to do. We have been waiting for the rule for a long time and it didn't come out in June. So, if the board will agree on Tuesday of next week, we are going to role on claims, remittance advices, unsolicited claim status and eligibility to a 4010 transaction that may or may not be HIPAA compliant.
That is one of the areas that we need to look at, is what is the change process and what happens if you find out the old rule doesn't work and you move on and you are no longer HIPAA compliant. Thank you very much for your time.
DR. COHN: Bart, thank you very much. I actually really want to thank all the speakers of this panel. As someone who is both a practicing physician, but also has spent a lot of his time in a large health care organization, I had sort of forgotten these issues of communication planning, change management, process redesign, things that you are all sort of reminding us about in this discussion. I really want to thank you.
We are not going to allow hours of questions. We probably have enough for five or ten minutes of questions. Then we need to finish the panel and go on for our internal discussions.
MS. FYFFE: I have two quick questions. In the New Jersey HINT study, the $760 million savings, is that estimated over a period of one year? I didn't get a sense of what your time frames were in that study. Is that an annual savings, in other words?
MR. GORDON: That is an annual savings, understanding that that would not be able to be accomplished in year one. We took a conservative approach similar to what WEDI did, was looking out over a five to eight year period, I think it was, for their overall cost savings, implementation costs and then a net, which we did use that for a basis.
That was taking all the state statistics. That was on an annualized basis if can migrate that 85 percent paper to electronics. That was the total potential annually.
MS. FYFFE: Thank you. The other question is for either Elliot or Eric. The New England Health Care EDI Network, you said there were four payers, two payers?
MR. BARTHOLET: There are two payers that are managed care organizations, Harvard Pilgrim Health Care and Tufts Health Care. NEHEN also provides access to Medicare and Medicaid through the same gateway. So, the providers have access to those four payers.
MR. STONE: They would appreciate HIA encouraging all their members to belong.
MS. FYFFE: Yes, thank you.
DR. ZUBELDIA: In the last two days, we have heard all kinds of things. For instance, Helene yesterday testified that in her study of the availability of data, she found that nobody has all the data for the HIPAA transactions.
Today we have heard that all the transactions are HIPAA compliant. I would like to get a better sense of what as involved to get the vendors and providers in New England collecting this additional data to make the transactions compliant.
After you tell us that, I would like to hear from New Jersey what the situation is in New Jersey as far as getting the data to be HIPAA compliant even before the transaction sets are in place, and what the plans are, and what is the concentration of HIPAA compliance as far as data is, in New Jersey.
MR. BARTHOLET: To address the question about HIPAA compliance and access to the data, NEHEN has eligibility verification live today. We don't have all the transactions available.
My guess is that part of the statement yesterday is that maybe everybody doesn't have all the data for all the claims transactions. There are other transactions that are part of the transaction sets. In terms of how do we make the transactions compliant, was that the other part of your question?
DR. ZUBELDIA: How did you make the vendors collect the data?
MR. BARTHOLET: That is an excellent question. What we have done, we have taken whatever EDI capabilities exist within the vendor's applications and whatever data we can get from them easily.
We then put it into a gateway where we actually do the mapping and conversion of the transaction into a HIPAA- compliant transaction. So, SCS puts a gateway, NEHEN puts a gateway at each one of the provider organization's sites.
DR. ZUBELDIA: If you don't have the data, you can't create it in the gateway out of thin air.
MR. BARTHOLET: We haven't had trouble getting the eligibility data out of the applications, if that is the question.
MR. STONE: Let me just add to that, Kepa, two things. In the Medicaid example that I mentioned in my testimony, the CIO of the teaching hospital brought her vendor there, Eclipsis, and CSE, which is the vendor to NEHEN and just said, make it happen.
Don't underestimate the clout in terms of asking their vendors. We think it is very important that there be a trickle-down clout effect here. That is why I mentioned the employers in my testimony. I think it starts with the employers saying to their health plans, let us know early in our contract negotiations what your plans are to be HIPAA compliant for at least the enrollment, A. B, what are your plans to help your vendors be compliant -- that is, hospitals, et cetera, et cetera, physicians.
We intend at our project to offer contract language to employers to use with their vendors, for health plans to use, for hospitals to use, for physicians to use, in their vendor contracts about compliance. We would like to have final regulations to help us along with that, but we will take that approach. That is why I have said we are going to work with the directors of operations.
In this case, the CIO said very clearly to her vendor, Eclipsis, you will make this happen. You will integrate. We have heard from Eric's testimony, it is the business processes that get affected here, and we learn a lot about the internal workings of the health plans and the hospitals for the transactions. This vendor was asked to comply and they did. The eligibility is now embedded in the up-front admitting process.
The idea of it is that it should be transparent. It is embedded in the system. There shouldn't be an add on new verification system for the 270, 271. It has got to be integrated and transparent to the staffs at the hospital.
MS. FYFFE: A follow-up question, Elliot. You talked about the importance of the employers. I am a little bit confused and also intrigued by that, because employers are not required to do anything.
MR. STONE: I thought you would be intrigued by that.
MS. FYFFE: This is something that is a weakness in the law.
MR. STONE: To me, the employers are the top of the trickle-down process.
MS. FYFFE: They are the lynch pin in all this.
MR. STONE: We have met with them and we have found them very receptive to including in their contract language that their health plans will be HIPAA compliant, and very receptive to the fact that they will comply voluntarily, the large group practices we have talked to, and especially the associations of small businesses that have to deal with many different health plans and would like to have one format.
We have found them extremely receptive. We are working with their technical people and we are going to develop companion guides to the enrollment transaction that explain, very simply, how to do it, and it will happen. This is a no brainer for the employers, especially those that have plans in multiple states.
MR. KILLIAN: I would like to add to that, if I can, Kathleen. The employers, the industry folks are the people who pay for health care. I will tell you what, once you get their attention -- which we have in Utah, they are the people who drive the whole process.
They will tell health plans, clearly -- we have had major employers tell health plans, if you are not electronic and you are not using UHIN and you are not dealing with providers who do the same, we will go someplace else. They are the ones who pay the bill.
DR. COHN: We have derailed Kepa's question a little bit.
MR. O'BYRNE: My department regulates health care payers. The health department regulates the providers and the facilities. So, your question falls right on the seam there.
The health department has more of the answers to HIPAA compliance of providers. My department is in the process of filing these rules and adopting these rules that will force the payers to make a system available.
They are coming to us right now and are requesting to raise their premium. That is the bottom of this picture. They are asking to accumulate more money so they will be able to get systems together so they will be able to go to HIPAA. One came in with a request for $30 million -- I won't identify who -- was in the last two weeks.
MS. FYFFE: I hope it works. You know, they could choose to leave New Jersey.
MR. O'BYRNE: I am sure they could. We are a good marketplace to be in, I think, and I don't believe any of them will leave. They have to do this within 180 days of the adoption. They have to demonstrate to us their ability to do it.
Quite frankly, that is going to be a quite difficult burden for them to do, or come and request additional time. So, there is more to follow. Doctor, I can't answer your question any better than that.
DR. COHN: Kepa, at least for the first go-around, has your question been answered.
DR. ZUBELDIA: Does anybody else have any comments how they do it in their state?
MR. BARTHOLET: The only other point that I might make, if I could is, if you do the eligibility transaction at the front end of the process, as I described it earlier, you are doing it when the patient is either on the phone with you or in front of you or when you have the physician's office still on the phone with you.
If there is information that you don't have available in your system, you are capturing it through that interaction, while you are doing the transaction.
DR. ZUBELDIA: My concern with what you are saying here is that it is not necessarily a good sample. You have one provider with one vendor and two payers, four payers.
MR. BARTHOLET: We have six integrated health delivery networks. We have over 25 hospitals.
DR. ZUBELDIA: All the same vendor?
MR. BARTHOLET: No, multitude of vendors.
MR. BLAIR: That gets to my question, unless you are about to ask it.
We have had testimony from SMS with their health data exchange and Per-Se and, in short, could you give us some feeling as to the variety of vendors that you might have been able to exchange the eligibility claims with?
MR. BARTHOLET: Sure, Medetech, IDX, as well as Eclipsis, and some home grown systems as well.
MR. BLAIR: How about our individual who was testifying for New Jersey? How about you?
MR. GORDON : I can only respond to the data intermediary project, which involves hospitals and vendors. The state has hired a vendor to coordinate what the state requirement is with the hospital. What we have found is that, within the hospital settings, they have a multitude of IT systems by other vendors.
Some vendors have been very proactive and have gotten the five pilot hospitals. There were two hospitals that we initially had that we thought would be in the pilot. Their vendor, for various reasons, could not get them into the pilot because of workload, or they were going to wait until mandatory regulations were going to be implemented before they did anything, or there were other system problems internally.
It has been a process where you need to have the hospital, even though, let's say they want to get in on the new system and save themselves some money financially, the coordination with the hospital and the vendor is integral to develop the new standard or have it in place.
DR. COHN: I was going to ask Utah to comment. Is that what you were going to do?
MR. BLAIR: Yes.
MR. KILLIAN: I have to be politically correct here. I am going to dissemble a little bit.
I believe that all of the hospital vendors and many of the large group practice vendors are quite cooperative and will help get you there. That accounts for, in our case, about 80 percent of all of the volume. Then you have this huge 20 percent of volume which is now 80 percent, in our case, of the end point.
MR. BLAIR: Are you talking about eligibility or claims?
MR. KILLIAN: Yes, both. The reality is, the smaller providers, the smaller group practices are in trouble right now. It is because the practice management systems they have dealt with either come shrink wrapped or they are home grown and they are not costly.
You can get Raintree and some forms of medical manager and some of these others at a very inexpensive rate. The problem with those is, they are not HIPAA compliant. They are not ready for 4010. They are not integrated and they probably won't be. The alternatives that we offer them are so costly, I mean, let's face it, IDX costs a lot of money, Medical Manager, the full blown, costs a lot of money, Per-Se Technologies, all of these.
The problem is going to be finding vendors who are willing to spend the amount of money it costs to implement HIPAA in the less costly practice management systems for those smaller provider groups. I think the bulk of it will happen with the big vendors. The problem is how do we get all these little vendors to pay, and 20 percent is a huge amount of your volume, when you get down to it. It doesn't sound like it until you are running this.
MR. GORDON: Another wrinkle that I have found from our small pilot is that the vendor has a multitude of versions of a program out there, which is going to be a major impact on what version they are going to make HIPAA compliant and how long they will support the other versions.
DR. COHN: Holt, do you have any comments?
MR. ANDERSON: No.
DR. COHN: I think we have one other question.
DR. FITZMAURICE: I will make mine fairly short. In fact, I might even forget the question just to make a general comment, to thank the panel, indeed, all the panels. We are just touching the tip of the iceberg, I am sensing, with all the issues that will come up once we get the final transaction and the code reg out, but you are giving us an awareness of what the major issues are.
You really have increased our awareness. I think we have to be prepared to make the annual adjustments that HIPAA permits as we continue to get this industry feedback through valuable forums, such as Simon's NCVHS hearings. The education is critical. I know you get on airplanes, you travel, you talk to a lot of people. You are virtually giving the shirts off your backs to inform us and your constituents.
The additional questions that I would have dealt with the national provider identifier and how the government would do that, but that is a time for another set of questions. We all really appreciate what you have given us, and not just you, but all of the panels we have heard from in the past two days.
DR. COHN: I agree. Kepa had one final question. Did you want to ask it, Kepa?
DR. ZUBELDIA: Yes, it is a question for Walter. You mentioned that in Minnesota -- and I understand Minnesota is different, too -- that in Minnesota you are evaluating and working toward a community consensus on a standard implementation guide.
DR. SUAREZ: Yes.
DR. ZUBELDIA: I thought we already had HIPAA implementation guides. Are you talking about something else here?
DR. SUAREZ: No, it is a good clarification point. We do have, and we do plan to work on the HIPAA implementation guide. What we are going to do is take it one step further and try to agree on what are the things that are optional, what are the things that are required.
The things that are required are required. The things that are operational or optional, I think there is an opportunity to come to some consensus between payers and providers, so that providers in Minnesota don't have to send situational things to different payers, if they can come to a consensus. That is what we are working on.
An example is what Bart mentioned in Utah, where there was some work and there is already some agreement on the reduction of the number of codes, for example, on certain codes and certain other pieces or reduced or can be agreed upon and everybody uses that same guide.
That is what I was referring to when I was saying, we take the guide, we look at the guide, we identifying the 90 percent or the 95 percent of things that everybody agreed on, and we look at the five percent of things where the payers, for example, each payer has a different perspective, and try to come to some consensus on what would be the set that would be required for the providers.
MR. STONE: Kepa, if I may, you heard me say in the Massachusetts testimony that -- we are careful with the words. We have talked to Steve Bass at Washington Publishing about this.
Our negotiated phrase with Steve is that we have a companion to the implementation guide. I think we need to seek some phrase, because we are all doing something like that, to make sure that, in terms of the things you have heard Holt say, the timing, the scheduling, the definitions, there are still a lot of local, local, local folks.
These things are being worked out. It is going to happen. We are reaching local consensus and we need to call it something. We will keep the guide sacred, the implementation guide sacred, but we will always have something that will be a companion to it.
MR. KILLIAN: I would agree with what they say. Let me give you a prime example. The implementation guide, the adopted implementation guide for eligibility is primarily situation. It goes all the way from yes/no, a long way to a lot of levels. In Utah, for example, we have created a standard that is an add-on to that guide, and we call them standards for the same reason that Elliot is talking about, to differentiate.
It says that, in our state for our coalition, our providers can expect this amount of the situational data to be available and come back to them in an eligibility response which is, in our state, required as opposed to being situational data. So, there will be -- I have to -- Walter said something to begin this with and we need to end it with. We need to have national standards, but I guarantee you, we have to implement locally. Medicine, and the payment of it, is a regional issue.
DR. COHN: I think Holt wants to have the last comment on this one.
MR. ANDERSON: Not on transactions, Mr. Chair, but I would want to point out that implementing the security regs is going to be a challenge for us all.
We are fortunate, at least in Utah and Minnesota and Massachusetts and North Carolina and Washington State in having a project funded by Robert Wood Johnson, which is to develop PKI technology and additional certificate technology and actually deploying that in clinical applications, so that we get some experience in deploying that before the reg comes into effect.
I think we are meeting together, we are sharing this information and I think some good will come of that as well.
DR. COHN: With that, recognizing that we are about an hour over time on this particular item, I want to thank you all very much. It has been a very useful panel.
We will take a one-minute stretch break and then reconvene to talk about what the next steps will be, and we will try to keep it brief.
[Brief recess.]
DR. COHN: This will be about, hopefully, a final 15-minute session to talk a little bit about what we have learned and, probably more important, identify next steps. I realize that we are running a little later than expected, but still, I think not too unreasonable. I guess it is beyond mentioning that I think we need to have Dr. Braithwaite traveling more to talk about this, more communication going on. [Laughter.]
I think there does need to be a letter that we produce on the basis of these two days. I am going to suggest that probably Karen, you have been taking notes and you can try to get a rough draft together for the September meeting, at least, and depending on what the issues are, it may go a little bit beyond that.
The issues that I was pointing out are, I think, very significant and include this issue of what I would describe as external code sets. There seems to be a fair amount of risk at issue with respect to maintenance and updating of things that aren't really the medical code sets but really aren't under the control of the SDOs, and there needs to be some attention paid to that. That was one thing that I jotted down.
I am just going to give you what I jotted down as important and everybody else, please jump in with what you thought was important. I also thought that there was an issue having to do with a timely process for getting codes for Medicaid and others. It seems to be partially being addressed, but there needs to be enough resources put into that effort, because there is some risk there, as we move from national to more local codes.
Certainly I think we heard, among other things, that the communication process around that seemed to be somewhat broken. Probably it needs to be expanded to be beyond Medicaid, since we see that there are a lot of local codes out there that need to be somehow included in the appropriate set.
Anyway, that is what I heard from the code piece. Do you want me to come up with the rest of the things that I think ought to be in the letter and then we can talk about them? I also thought that -- probably this is more for us than anybody else -- but clearly, there is a need for us to have ongoing comprehensive assessment of the industry in relationship to implementation.
This is going to have to be a much bigger activity than I think we had initially perceived and it is going to have to be sort of an ongoing effort to sort of track things. I am not sure that that is really a letter. It is more probably to us.
I also heard that we needed to, I think, be asking the Secretary to make sure that there was adequate funding in HHS to -- and I don't know what the right verb is, I am tending at this moment to think in terms of maybe facilitate -- implementation. I think that there -- I don't think they are going to do the implementation, but I think there needs to be some HHS help and participation. I just think that we need to make sure that there is enough funding to assure that that happens.
DR. FITZMAURICE: Simon, if I could just add to that, I think it is not just assisting with implementation, but there are specific duties that the government has, like identifiers, that have to be done.
DR. COHN: That was actually my next piece. I also heard very recently -- and I actually agree -- with one of our speakers, which has to do with funding to accelerate the whole identifier process.
I think we recognize for providers and health plans -- especially providers, that that is an important process, if there is no funding available, it is clearly at risk and needs to occur in expeditious fashion. Is that what you were going to say, Mike?
DR. FITZMAURICE: Yes, but it is not just no funding. It is just funding to make sure it does occur in an expeditious fashion.
DR. COHN: Okay, that is really what I captured as sort of the issues that need to be in the letter. I know that Karen has been writing a couple of pages of notes here, and there are probably a bunch of things that either I can't read my handwriting more any more or somewhere, in this foot-and-a-half pile -- what other things did others see or hear that are worthy, that should be brought to the Secretary's attention? Kepa, you are strangely quiet.
DR. ZUBELDIA: I think that the testing issue somehow needs to be helped. The compliance in testing, I think everybody was pointing out that it is a very long process. Maybe the establishment of a national testing center or uniform testing and certification policies, somehow that would help.
MS. FYFFE: I think that Kepa is absolutely right about testing, and that relates to the point that I was going to bring up. To a certain extent, we need to keep track of what I would call major implementation issues or obstacles. I think the testing will help surface those. This whole thing of local codes is only one example and I worry about what else might be out there.
MR. BLAIR: When you say testing, are you talking about compliance, are you talking about the application or are you talking about compliance with the standard?
DR. ZUBELDIA: I am talking about compliance with the transaction standards, more like what STFCS is doing. I don't know how long they have been running it, but there was only about a dozen companies that have tested that showed their dots.
If I had one of those vendors, I would want to make sure that my line shows a dot on every transaction. I think it is a fantastic marketing tool for the vendors and so on. In spite of that, they are not using it. Why? Because they are not ready.
MR. BLAIR: My understanding -- and it is partly answering your comment as to why they are not using it. It gets partially to Kathleen's observation that a third of the hospitals, especially the smaller hospitals, are having significant financial difficulties, even using money.
I almost wish that you could have shared in this conversation, but the representative from SMS was mentioning that, in many cases, SMS and other vendors, it is to their great advantage to move forward with standardization. They have applications. It is good for their business to move forward. They are very much incented to do so.
In fact, many of the providers are also. When they are this cash strapped, if they can't show a rate of return within the next six months, nine months or a year, then they wind up saving their expenses in the near term, until they can make that transition expeditiously.
For them, it is a good business decision to say, not only are they going to wait for the HIPAA regulations to be put into law, to become a regulation, but they may wait six months or 12 months afterwards, where they feel like they can make the transition in a short period of time, rather than be up front when the implementation guides aren't done quite yet, when the experience of the vendors and consultants isn't there quite yet, to help them to make that transition quickly.
I am saying all of this as a background. I think this refines what we need to recommend in terms of certification. We also, in terms of certification, apparently there are consultants out there and there are other entities out there that are beginning to provide tools and studies and capabilities and assessments to provide certification information.
I think the missing link is to get that information distributed widely to both especially the providers and the payers so that they could make good intelligent use of the choices of which vendor.
I think that is probably going to move very quickly. Six to 12 months from now, those decisions will probably move very quickly, and they need to choose the ones that really are compliant and are certified to be compliant.
I think things like Washington Publishing or some other vehicles to get the information out and distributed could be a great source, as opposed to having the government create its own certification program.
DR. COHN: I don't have a solution to this particular issue, although I think I have identified it as a vendor issue, which I think is really what we are talking about now. I think that is really the first major hurdle.
I think we have all said that the vendors don't have it in their systems and nobody can implement. I was sort of anticipating, either in September or October, that we have a focused panel hearing, something or other, not a full day, but a session that focuses in and again, keep sort of pressure on the vendor issue.
Now, I don't know if that is too late, but it is hard for me to imagine -- my bet is that most of the vendors haven't really -- realistically, many of the vendors have not really geared up yet. They are waiting for the final regs, just like everybody else.
So, if you have a two-year implementation, a couple of months into implementation is probably about the right time to be asking vendors to come forward and say, are they HIPAA compliant, how are they going to comply, how are they going to demonstrate compliance. Let's hear from the industry on that one. Does that meet your needs, Jeff, on that one? Is that something we should be doing in the September October time frame?
DR. ZUBELDIA: Yes. You are mentioning HIPAA compliant, HIPAA compliant, HIPAA compliant. Is there something we can do to prevent especially the providers from being mislead by vendors who say that they are HIPAA compliant, even today? Is there anything we can do about it?
DR. COHN: Maybe we can write this in our letter to the Secretary, our concern that there will be people saying that they are HIPAA compliant, who really aren't.
DR. ZUBELDIA: Everybody is HIPAA compliant.
DR. BRAITHWAITE: This is like the Good Housekeeping Seal of Approval. I don't know if it is even possible for us to like certify the certifiers and trademark HIPAA compliant to say you can only use it if a certified certifier has certified that you are certified. It is something that we should explore, though. I agree.
DR. COHN: I don't think you can certify good housekeeping.
DR. ZUBELDIA: Point well made.
MR. BLAIR: Let me ask you this. We have had a number of folks who have testified to us which, in one way or the other, was making an assessment of the readiness either of a vendor or of a provider or of a payer.
I don't have to repeat their names here. They testified today, at least two. One had a tool set to be able to verify compliance and the other one was doing surveys to verify compliance.
As an aid to vendors and providers that are beginning to go down this path -- and I don't want to limit it just to the two that testified -- but certainly I think it would be helpful to providers and vendors to move expeditiously if they knew the names of the folks that are beginning to offer services that do evaluations of compliance.
Maybe that could be on the web site and it not be limited to just the two that we have here, but any others that wind up providing aids and tools that could assess compliance.
DR. BRAITHWAITE: I agree, Jeff, but there was one problem that came up in the testimony, and that is that one of the certifiers tried to check on what other certifiers had certified, and they weren't all the same. Although the HIPAA standards are out there, apparently people are not certifying in a consistent way.
MR. BLAIR: Maybe we have to do it with a disclaimer, that these are not definitive, but these are various consulting companies and so forth companies that either have tools that may be of some help to people.
MS. TRUDEL: Jeff, I would be really concerned about us putting anything on the web site. I think it would almost be an endorsement of those companies of those tools.
MR. BLAIR: Yes, we can't do that.
MS. FRAWLEY: I think that would be very problematic. I think the problem that we have got is that providers are so uneducated about transaction standards that they are relying on their vendors to inform them and also maybe possibly misrepresent that they are HIPAA compliant.
That is where I see the big problem, is that we really need to see the professional associations and a lot of big groups out there doing more education, so that a provider can make an informed decision, whether or not the product their vendor has meets their needs.
That is really what I see the problem is, as I see it, for some of the testimony. We have a fairly uninformed physician community and probably I don't know what percentage of the hospitals, you know, are educated regarding these transaction standards.
MS. TRUDEL: Another possible way to address that issue might be to provide some sort of guidance for providers, for instance, to be able to go behind an allegation that someone is selling a HIPAA-compliant product, and provide them with additional questions to ask.
If it has to do with transactions, has the vendor tested with the STFCS system. You should be able to go and look to see whether they are there or not. If it is security, are they compliant with the common criteria or whatever.
MS. FYFFE: This reminds me of the nightmare that never happened a few months ago, are you Y2K compliant, is your software Y2K compliant. Everyone was saying yes. Well, either they were or the world just hasn't fallen apart yet.
DR. COHN: I will make a comment and then Mike Fitzmaurice will follow up. This is someone who is aware of the standards. I am not sure that education alone is the solution, since many of these things are relatively technical.
I will tell you, if I was out there looking for something to buy, which I am sure we will be, to fill in gaps and all of that stuff, as nice as it would be to understand the whole thing, I think I would really like to see some sort of a certificate of compliance.
Now, I don't think it needs to be a government certificate of compliance, but it would be nice if two different compliance groups did a test and it came out with the same result. I think that may be something that we may want to hear more from. Without coming to an answer, I would observe that this is an issue that we should be also hearing from the vendors.
I am sure from the vendor side, it must be very complex, if you are trying to do something that is HIPAA compliant and you go to compliance testing A and they give you certain answers and compliance B, different answers. I would complain, if I were a vendor. Mike Fitzmaurice, would you comment?
DR. FITZMAURICE: Some of the things I heard, one of them may be major and you might want to consider alerting the Secretary to is that delaying the publication of final HIPAA regulations has caused a decrease in the credibility of the people who urged the planning for these standards. It has also caused a decrease in resources budgeted for HIPAA implementation in 2000, and very likely in 2001, as corporations are getting their budget plans in now for 2001.
Another thing I heard was that the implication guides and the data dictionaries aren't perfect. Who is perfect? We may need to assess the role of the government versus the role of the market in doing this, and maybe there needs to be some support given for improving the implementation guides.
Thirdly, given just how much we learned at these hearings and how much more there is to go, I might urge you to consider having regular hearings over the next three years, maybe every four months, every so often, so that people can regularly have an assessment point for what are the now-current HIPAA implementation issues, and how are the ones that we identified three months ago handled. That may make its way into a good regular report to the Secretary or even to the nation.
A final point is -- well, this probably isn't final, but with all of this activity, there may be a need for a focal point that monitors, supports and leads health data standards processing generally in the United States, whether it is a private institute, whether it is a government agency or an office in the secretary of a government agency.
There may need to be a point of leadership to start assessing the private sector role, the public role and funding for things that are within the domain of the government, a place that can urge other agencies who also engage in health care transactions to coordinate their efforts, and to contribute to the leadership and the grunt work in getting these standards out and used.
DR. ZUBELDIA: This is a different topic.
DR. COHN: Before we go on, does that sound okay so far? Okay, Kepa, go ahead.
DR. ZUBELDIA: I have a couple of concerns on the data content itself. It looks like, because of an arcane, obscure and maybe foggy process to implement national HCPC codes, the states developed a local code mechanism that is very easy for them.
Instead of having to go to HCFA with a request for a national HCPC code, they just make a local code. Whether it is the same local code in all 50 states or not, it doesn't matter. It fits their need and it is expedient. It looks like we are getting into the same situation with implementation guides. Implementation guides are not perfect, everybody agrees to that.
There is a process that was just agreed to, that MOU or updating the implementation guides. But what I heard from the last panel, every state is developing their own local variation or adjustments to the implementation guide and they intend to continue that way, rather than taking them through the MOU process to refine the national implementation guides. I see a parallel between the two processes.
One of the concerns is that that could become a permanent variation state by state of the implementation guides because the other process, the national process, is too difficult, or at least it is perceived to be difficult. That is a concern on the implementation guide.
DR. COHN: Is that a letter to the Secretary issue or is that an issue for us to explore?
DR. ZUBELDIA: I think it may be an issue for us to explore rather than a letter to the Secretary. Now, another concern that I think we need to explore further and maybe at that point write a letter to the Secretary is the data requirements.
It seems to me that claims are being paid today, eligibilities are being responded, referrals are working, with the data we have today. Somehow the data needs are changing. 4010 requires more data than is being captured today to do the same function.
I am wondering if the data requirements in the implementation guides are too strict or they are trying to impose new requirements that don't exist today, and that is going to impede the implementation of 4010. Not only will we have to implement the standards, we are also having to implement new collections of data. I am wondering if it is reasonable to require anything beyond what is required in the NSF or the UB92.
DR. COHN: Which version, which implementation, is what I meant.
DR. ZUBELDIA: For the claim, for instance.
MS. TRUDEL: Which version of the NSF, which implementation.
DR. ZUBELDIA: That is tricky. Most NSF or UB92 required fields are the same across the country. It is the optional fields that change from state to state. There are a few additional requirements here and there, but it seems to me like 4010 is requiring a lot more from what we heard from Helene yesterday, than what is required today to pay the claims. Maybe that needs to be initially lowered to require the same things that are in the NSF and UB92. Maybe later it can be increased.
MS. TRUDEL: I know we heard that and I don't really have a good feeling what or how much additional data really is required. I would volunteer to have my group begin to look at that, to see what the gaps exactly are. If you all have experience that would feed into that, I would appreciate it.
DR. COHN: That is super. think that this is an important issue and it probably is one that is better handled by fact than by hearing.
MS. GREENBERG: I think both the NUBC and NUCC have been looking at this, so they could probably be of assistance. I know the NUBC is looking at it.
DR. COHN: I guess on that particular issue, I would say, let's put that on the agenda for the September breakout, not so much in the sense of a hearing, but let's find out what the results of looking into that area are. Then, depending on what we see, we may want to do a panel or a hearing on it or something like that.
Kepa, I agree with you. It is an issue that is worrisome from the testimony. It is hard to know the substance of it. I think we need a little more research to figure out what the substance of it is.
Now, I guess other things for this letter. We have a number of items we wanted to say. The timing on this letter is, we will draft something up, we will have it out to people for the breakout in September, which is the next time we really all get together, which unfortunately is probably a little late in terms of asking for additional funding for the 2001 fiscal year. I haven't figured out any better way to do this particular one. I don't think we can ballot it by mail or by conference call over the next month or two. Give that, we will do it this way.
Now, for the September meeting, I think we are already hearing this is one agenda. Do we have other items, please add them to the letter. I think we are going to be talking about a work plan for sort of next steps for the PMRI standards. Marjorie and I were talking about whether we would have a panel on ICD-10 for September or for November. November, okay. That will probably be on the November time frame.
I think in October it is very clear that, as part of the hearings in October, which obviously include digital signature, some discussion or changes or whatever for the standards, I doubt that is going to be a really big issue, because I think people are going to be overwhelmed with the current standards.
I think we will be asking, especially from some of the people we have heard today who are offering industry assistance and all of that, and updating on where we are, we certainly need, I think, a look from the vendors to understand where they are, where their issues are, how far they are in terms of being compared to HIPAA. I think that will be something for the October hearings.
With that, are there any other issues that we need to be addressing, either for September in a letter or otherwise?
DR. ZUBELDIA: Are we going to talk about the first report of injury at some point this year?
DR. COHN: That will be for the October meeting hearings, if anybody is coming forward with it.
DR. ZUBELDIA: Because the implementation guide is ready and has been ready for some time. Then there are some new X12 transactions that X12 is eager for us to recommend to the Secretary for adoption for a second round.
DR. COHN: Yes, the October hearings are really focused -- they will be a two-day hearings. Part of those two days will be spent asking people for anything new that needs to be recommended. That is just on the basis of what I have heard the last day and a half, and of course, it was sort of like trying to drink from a fire hydrant. The reality is that the industry is going to be very preoccupied with just trying to implement this and I just think we need to be aware of that.
Now, other issues that need to come up? Are we okay for the moment?
I actually just want to just take a moment, on the slightly lighter side, we had a really good set of hearings and I really want to thank Karen Trudel and Bill Braithwaite and Mary Emerson and Vivian Alt for their help in terms of really getting this together. I really want to acknowledge your help on this one.
[Applause.]
DR. COHN: Any final comments before we adjourn the hearing?
Okay, we are adjourned.
[Whereupon, at 2:03 p.m., the meeting was adjourned.]