Washington, D.C.
The Subcommittee on Standards and Security of the National Committee on Vital and Health Statistics held hearings on February 1-2, 2001, at the Hubert H. Humphrey Building in Washington, D.C.
The Subcommittee on Standards and Security held two days of hearings on February 1-2, 2001 in an ongoing process focused on HIPAA administrative simplification and implementation. During the two days, the Subcommittee heard 16 presentations and talked with three panels representing various health care industry segments to learn about problems impairing implementation and tools and solutions for these issues.
Ms. Trudel recounted the status of the HIPAA regulations. The first Final Rule for the Transactions and Code Sets became effective in October 2000, starting the two-year implementation. The Security Rule and the notice of proposed rulemaking for claims attachments were expected to go into clearance at HCFA in February. The National Provider Identifier and National Employer Identifier Final Rules were already in Department clearance. Development continued on the Plan Identifier Proposed Rule and publication of an NPRM proposed rule was anticipated later this year.
Mr. Scanlon noted that the HHS Secretary designate, Governor Tommy Thompson, took office that day. The Executive Order indicated that recent and pending regulatory issuances were to be reviewed; each agency would brief the new leadership on regulatory proposals in development. Hopefully, the Department will see action within a few weeks.
Ms. Ward gave a progress report on the DSMO change process. Use of the Web site, notification of calendar events and processing of change requests had gone well. With the DSMO process, organizations had opened lines of communication and become more involved in each other's industry-related efforts. Two organizations had to modify current internal request processes; four others had to develop them.
Ms. Weiker demonstrated the DSMO Web site, showing how one can request a change, view a request or the monthly batches, express interest in a change, or review a compilation of all requests and who has expressed interest in developing a solution to any of them.
Ms. Emerson detailed processes laid out in the Final Rule for Electronic Standards for electronic transactions to maintain and modify standards and explained constraints applying to each. The Standards Development Organizations (SDOs) maintain those standards. Modification, a major change, is adopted through a regulatory process. She noted there was some question about whether the DSMO process for modifications could be completed within the first year.
Mr. Moertel discussed a gap analysis conducted at Mayo that found a large number of new data requirements in the HIPAA implementation guides and determined extensive infrastructure changes are required. He noted the provider group that Mayo convened believes that most of these new required data elements that are a concern do not reflect universal business need. He said it is unreasonable to expect every provider to modify their systems and collect and report data elements to accommodate a single or a few payers.
Mr. Bechtel testified on issues related to WEDI/SNIP’s analysis and work to resolve implementation issues by identifying work-around solutions and best practices. He noted the three most critical implementation barriers are cost, limited time, and elimination of local codes. And he discussed a sequencing proposal WEDI/SNIP presented to the industry.
Ms. Schulten represented the Administrative Simplification Print Image Research Effort’s project that involves providers, payers and clearinghouses in an effort designed to identify data content gaps between the traditional paper claim formats and HIPAA-compliant Version 4010 837 professional and institutional electronic claim formats. She detailed gaps between mandatory data content and suggested the largest implementation issue is education and awareness.
Mr. Arges conveyed the National Uniform Billing Committee’s concerns about the ambiguity of the Final Rule and the intended use of NDCs for reporting drugs and biologics. He noted NUBC’s primary concern was the significant cost associated with widespread adoption of a new code; NDC would add significant new operational burdens for caregivers without corresponding savings. NUBC asked for a correction to the Final Rule; they recommended that institutional and professional claims be allowed to continue to use J Codes for reporting outpatient pharmaceuticals and biologics and that NDC only apply to retail pharmacy claims.
Ms. Humphreys recounted how, after receiving the comments from the NUBC and other groups, the Department and those involved with developing the Final Rule for Standards for Electronic Transactions reanalyzed all the comments submitted in response to the NPRM and the publishing of the Final Rule and realized that more research and evaluation was warranted. While still adhering to the goal of a singular, more granular and frequently updated code for drugs and biologics, the Department concluded, like many commenters, that more evaluation was called for. Meanwhile, she suggested the advisable course might be to leave the J Codes for the institutional and professional claims.
Mr. Bechtel expressed concerns from HDX and their parent company Siemens Medical Solutions Health Services Corporation about using the NDCs in place of HCPCS J Codes when reporting drug charges on an institutional or professional claim. Systems could be modified to support NDC codes--but at what cost and for what benefit? HDX believes the implementation guidelines need to be improved to address implementation issues between vendors and transaction trading partners. They recommended that J Codes should not be eliminated for institutional or professional claims.
Mr. McLaughlin said the elimination of J Codes will be a major issue for the payer as reimbursement and benefit adjudication are tied to HCPCS J Codes. Many problems are associated with this change--lengthened development times, usage and functionality problems, extended implementation time frames--and potential distribution issues need to be resolved. Converting to NDC codes would cost millions of dollars in development time alone; revising the standard to allow J Codes to be used for institutional and professional identification of drugs would eliminate all that development time for each product.
Ms. Miller said the change for professional and institutional 837 is a significant barrier to IDX and its customers. She cautioned that complexities of the new regulation might make it difficult for many customers to meet the implementation date. Substantial changes will have to be made to the products and their associated databases. Ms. Miller contended that if the standard were revised to continue letting J Codes be used for institutional and professional identification of drugs, some in the industry would be further confused by an already complex situation, especially if the ultimate goal is to move wholly to NDC codes. She said IDX supported a considered and time sensitive move from HCPCS J Codes to NDC, provided the additional items that can now be included in J Codes will be included in another code.
Without an electronic signature standard that met health care requirements and could be widely implemented, Mr. Marshall said any HIPAA rule would require trading partners to integrate one-of-a-kind software and/or develop bilateral specifications to interpret the standard. He noted this was contrary to the spirit of administrative simplification and was likely to cause provider organizations to opt out of underlying transactions. He called for a proactive effort by SDOs to develop and deploy a comprehensive standard that could be implemented within the compliance time frame.
Mr. Lundie noted that the health care community already uses EDIINT to encrypt, sign and transport any data payload over the Internet. EDIINT currently uses corporate signatures to ensure that a document came from a specific trading partner. He noted a generic signature standard already exists and said a HIPAA standard was possible. He said the task force is working with the health care SDOs to ensure that the EDIINT standard will support whatever payload is defined for the personal signatures. And he suggested that the technical advantage of any one approach was not as important as specifying a viable solution and moving forward.
Ms. Lovorn, past chair of the ASTM Subcommittee that wrote the ASTM standards, noted that four primary standards in response to the original HIPAA legislation were developed in 15 months. She said this is a doable effort in much less time. She said ASTM would attend the joint development meetings, work on joint products and review all the standards. Ms. Lovorn encouraged NCVHS to advocate adoption of an electronic signature standard. She also urged the Subcommittee to provide encouragement and additional guidelines so SDOs could come together to meet the needs of the health care industry.
Mr. Staniec said a HIPAA standard for electronic signatures would benefit the health care industry by mandating one standard to be used by everyone, versus the multiple standards currently in use. Costs would be reduced over the long term with only one implementation. A HIPAA standard for signatures is possible, but issues must be addressed for business functionality to succeed. NCPDP agreed to participate with the Multi-SDO Digital Signature Project. NCPDP encouraged NCVHS to work with SDOs and help monitor the process. Mr. Staniec asked for time to reach consensus, rather than putting out a standard with problems and high costs.
Mr. Waegemann noted that the claim standard is a priority and has benefits. He said the signature system was not as simple as some indicated. But what they really had to focus on was the international standards work; it was time that independent efforts were coordinated. Mr. Waegemann discussed the March 7th ANSI HISB meeting’s objectives: developing this coordination process and creating a time frame and coordination plan that addresses practical implementation within the framework of ANSI accredited standards organizations. Short term, he recommended taking current standards that work and developing an implementation guides for HL7 and for X12N, which could include HIPAA transactions with input from the security experts of ASTM, but within the framework of each of the syntaxes and the communications that apply to NCPDP. Mr. Waegemann emphasized that looking at the whole PKI was a long-term project.
The group discussed writing a letter to the SDOs expressing appreciation for their involvement. Dr. Zubeldia will talk with X12N to ensure the letter is properly written and goes to the right person. Dr. Cohn said, if there is an issue, they will invite a representative from X12N to discuss it with the Subcommittee during a breakout at the full NCVHS meeting. Hopefully, they will arrange a presentation of the project plan at the March or subsequent meeting. The group discussed the morning’s activities, the data issues and next steps. The Subcommittee plans to move forward on a fast track to HHS with a letter on the NDC codes. Ms. Weiker said the change requests will be sent to the DSMOs no later than Monday, so they can decide about collaborating. The next step is to determine definitions of maintenance and modification and communicate these to X12N, NCPDP, and HL7. The main issue for the Subcommittee is making sure implementation proceeds well. Dr. Cohn asked for a status check, during a breakout of the Subcommittee at the February 21st Committee meeting, on the emerging process and how modifications and other things align around the time frame for resolution and recommendations.
Guided by an emerging work plan, the group concentrated on criteria and areas of focus for the selection of PMRI standards and a questionnaire to help evaluate message format standards. Using matrices, they had “boiled down” the 15 criteria for selection in their report to the Secretary to eight measurable criteria. The initial approach was to “hit the low hanging fruit,” tackling the least controversial, most easily implemented standards. The consensus was to cast a wide net in that area that handles both codified and non-codified information, winnowing down as they received more information. Noting that they faced open issues and were called upon to be cautious in terms of scope, balance, framework and cost, they discussed the importance of selecting standards that had reasonable market acceptance and not imposing a timetable. The group discussed gaining input at the March 19-20 hearings from the SDOs, the marketplace, and the health care industry. Testifiers would be picked with both the group’s specifically focused and broader questions in mind. The questionnaire could be honed after the hearing; the group discussed moving it up a level to realize the market research evaluation needed. In the fall, the group will determine their decisions, making their report to the Secretary on the first iteration next February. Dr. Cohn observed the Committee and HHS strove to assure the industry that it was making the right investments, had government backing, and that, together, they could reduce the risk of health care institutional investments in information technology.
The Subcommittee reviewed the second version of the fourth annual report to the Secretary of HHS and Congress on the implementation of the Administrative Simplification Provisions of HIPAA. They decided to highlight the signing of the DSMO agreement in March 2000 and expand a section that touched upon implementation issues to address the DSMO formation, WEDI/SNIP and industry activities. The group discussed expanding the section headed "Standards for Patient Medical Record Information,” to include a segment resembling an abridged executive summary from the PMRI standards that pointed out the issues and how they were moving forward. Mr. Scanlon, reflecting on the past two days, said they might want to extend the next section that looked ahead and addressed implementation issues the Subcommittee had identified. They were gratified to note that, after Y2K and the struggle to get the two final rules out, implementation of HIPAA regulations was probably the health care industry’s highest priority. The group discussed the industry’s concern about the transactions and privacy and agreed to briefly explain the rationale and need for a foundation for all the standards and requirements based on security and privacy laws. Ms. Trudel said that while the security and privacy regulations are supported, there are concerns about their very significant workload and time frame as well as concerns about enforcement.
The group discussed the February breakout. Mr. Scanlon would draft a third version of the annual report for review. Based on what was heard yesterday, the Subcommittee had decided to have the DSMOs and a representative from X12N return with feedback on what was happening with changes and modifications to the X12N standards. The next item was the annual report and whatever the full Committee decided that day. Dr. Cohn said he had a list of available dates for additional hearings between the March PMRI meeting and the June full Committee meeting.
Dr. Cohn convened this hearing of the Subcommittee on Standards and Security of the National Committee on Vital and Health Statistics (NCVHS), noting that the National Committee is the main public advisory committee of HHS on issues of health information policy with a major role in HIPAA administrative simplification and implementation. Dr. Cohn stated that the purpose of the administrative simplification provisions of HIPAA is to improve the efficiency and effectiveness of the health care system by establishing standards and requirements for electronic transmission of certain health information.
He explained that the role of NCVHS and the Subcommittee in HIPAA is twofold. In complying with HIPAA administrative simplification, the Secretary is to rely on recommendations of NCVHS. NCVHS has been asked to: track implementation for HHS and Congress, identify implementation issues and barriers, and recommend ways to mitigate these issues.
Dr. Cohn said the purpose of these two days of hearings is to talk with representatives from various health care industry segments, learn about the problems impairing implementation and tools and solutions for the issues identified. This testimony will help develop sound, informed recommendations for the Secretary. He said they would begin with a briefing from HHS, then talk with DSMOs concerning the status of the DSMO Web site and the progress of their activities, move into hearings and panels identifying issues and review the status of the industry in relationship to implementation and identification of issues. The first day’s final session would be on electronic and digital signature. The next day they would address next steps for patient medical record information (PMRI) standards and discuss the annual report to Congress and HHS.
Ms. Trudel recounted the status of the HIPAA regulations. The first Final Rule, for the Transactions and Code Sets, published in August 2000, became effective in October, starting the two-year implementation. Technical corrections were published in November and the rules were being updated to revise references to the NCPDP Standard. The notice of proposed rulemaking for claims attachments was expected to go into clearance at HCFA early this month; the final review package was being prepared. The National Provider Identifier and National Employer Identifier Final Rules were in Department clearance. Development continued on the Plan Identifier Proposed Rule at HCFA. The Security Rule was also being completed at HCFA; that clearance process was expected to begin that month. The Privacy final rule was published in December; OMB had yet to say whether the new Executive Order placing a hold on regulations while the incoming administration reviewed them had postponed its effective date. An NPRM on enforcement was being drafted and publication was anticipated later this year. A temporary hold on sending regulations to the Federal Register was expected to be lifted soon. The final rules in process might be held until then. Ms. Trudel noted that the Secretary had authority, based on the statute, to amend regulations within the first year, if necessary, to facilitate implementation of the standards. One thing the Subcommittee would be listening for very hard today was whether that kind of amendment would be needed for the transactions and code sets.
Mr. Scanlon noted that the HHS Secretary designate, Governor Tommy Thompson, would take office that day. The Executive Order indicated that the regulations were to be looked at by the new appointees. Mr. Scanlon observed it was common, at the beginning of an administration, to look at recent and pending regulatory issuances; every agency in the Executive Branch had been asked to report regulatory actions that fit that Executive Order to OMB. He anticipated a formal announcement about which would proceed. Some would not be held up long; others would be worked through. Each agency would brief the new leadership on regulatory proposals in development. Hopefully, they would begin to see action within a few weeks. Ms. Fyffe expressed concern that this might send a message to the industry that things had slowed down. If they were not slowed, she said they needed to communicate that strongly and widely. Mr. Scanlon observed that the industry could convey to the White House that it was eager to see this effort proceed.
Ms. Ward, co-chair of the DSMO Steering Committee, gave a progress report on the DSMO change process and answered the Subcommittee’s questions. She reported the process was still in its early stages with only two batches of requests received. Use of the Web site, notification of calendar events and processing of change requests had gone well. The first batch of requests was entered into the Web site in December. Three of the other four batches were related to National Drug Code (NDC) and HIEC code sets. She said the DSMO process had increased opportunities for organizations to interact. The DSMO organizations had become involved in each other's specific industry-related efforts, further opened lines of communication, and provided support for one another. Two organizations (HL7 and NCPDP) had to modify current internal request processes and four others (X12N, NUBC, NUCC and DeCC) had to develop them.
To date, the impact of the Errata Work Group in X12N on the DSMO process appeared to be some confusion in the industry about what was an appropriate entry for the errata Web site versus the DSMO Web site. The errata effort was strictly aimed at addressing the X12N 004010 version of the implementation guides, while the DSMO process addressed changes to future versions of these guides.
Ms. Ward recommended improving education at the industry level of the DSMO process. She suggested HHS incorporate information about the DSMO process on the Administrative Simplification Web site and discuss it when presenting general HIPAA information at industry events. She encouraged continuing to improve communication between government and the DSMO Committee (e.g., HIPAA-related efforts underway with HHS that might affect work in progress in the DSMO process or in member organizations). She noted funding was needed to make the Web site fully functional. Funding could enable members of the DSMO to educate the public at the appropriate venues, contributing to successful, timely implementation.
Ms. Weiker, co-chair of the DSMO Steering Committee, demonstrated the Web site. The first screen offers a high-level overview of HIPAA; the second introduces the Change Request System. There are links to Frequently Asked Questions, the six DSMO organizations, the Workgroup for Electronic Data Interchange (WEDI), the Washington Publishing Company's Web site and the X12N implementation guides, and NCPDP's Web site and its implementation guides. There are also an overview of the process, instructions for sending in paper requests, and a privacy policy. One can request a change in X12N, NCPDP (labeled retail pharmacy,) claim attachments and overall HIPAA policy (e.g., consideration of a new transaction as part of HIPAA). One can also view a request or the monthly batches, go to the ten-day window in the SDO area and express interest in a change, or go to the develop site and view a compilation of all requests and who has expressed interest in developing a solution to any of them. A calendar shows the day each month’s change requests are batched together and sent, and when the DSMOs have to go through them and indicate interest, as well as the organizations’ meeting schedules.
Ms. Weiker observed that, at this point, HHS served as a non-voting liaison to the DSMO and they worked together to determine criteria for what was maintenance (e.g., a technical correction) and what was modification (e.g., needing to increase the number of repetitions of a segment or change a data element in X12N from situational to required). The Final Rule on Standards and Code Sets defined the terms maintenance and modification. The DSMOs were working with HCFA to determine clear-cut definitions everybody in the industry would understand and whether this went through the DSMO, HHS, or an SDO regulatory process. The DSMOs met once a month, per the MOU, unless there was an emergency.
Ms. Ward, HL7’s Claims Attachment Work Group co-chair, reported the group followed a consensus industry-based process, forwarding everything through the DSMO so everyone had an equal opportunity for input even though an NPRM had not yet been published. For all intents and purposes, they were “at the table equally” in their development process. The DSMO web site had a link to the HHS Administrative Simplification site, but there was no link from the HHS site to the DSMO site. Ms. Weiker noted a link from the HHS site and description and explanation of the DSMO process on the HHS site would be helpful. Mr. Scanlon said he thought the Committee would be receptive to working out some language with them.
Ms. Weiker noted that each organization had established a mechanism on the Web site to answer questions. Asked about coordination, Ms. Ward explained that HHS holds a non-voting position on the DSMO steering committee and is included in conference calls and involved in the discussions about how to respond to questions. The requester has the opportunity to indicate this a policy question or a question for NUBC or NUCC. Policy questions are routed directly to the Department through the representative on the steering committee.
Ms. Weiker said there might or might not be an onslaught of change requests once the X12N errata process was completed and people could work their way through the implementation guides and what they believe the changes should be. A lot of errata entered were typos or requests to remove alleged extraneous data elements. The site was up and functional and could handle all the requests received. The DSMOs had discussed fast tracking at their last meeting and believed they could cut time in both the 90-day process and the 15-day period set aside for analysis.
Ms. Ward explained that HL7, NCPDP, and X12 each put up $5,000 to build the Web site. Funding to maintain it on an ongoing basis came from the WEDI Foundation and was reevaluated on an annual basis. The Web site could have more functionality if there were development funds. She noted that a more robust Web site could provide a more effective way of gathering information and publishing the implementation guides.
Ms. Weiker described the process for publishing the resolution of issues. Each collaborating organization has 90 days to enter their business analysis. They then determined if they had reached consensus. If so, it was posted on the Web site. After 15 days for analysis and discussion, it was forwarded to the appropriate SDO to make the changes. Once the business analysis and the technical design were completed, the recommendation was again posted on the Web site and the DSMOs forwarded it to the Subcommittee. Dr. Zubeldia observed that people would be looking on both sites for progress or answers; he recommended having the link between the answers on both sites.
Noting that in the next panel they would hear about a myriad of issues, Dr. Cohn suggested that, afterwards, they could reflect upon what the DSMOs needed to handle the process and what should happen at the NCVHS level. Ms. Ward observed that, while everyone talked about the DSMO process, this Web site, and the steering committee’s ability to control the process, the real work was done by the individual organizations. It was X12N, HL7, NCPDP, and the data content committees that need to be certain they are prepared. The Web site is a funnel—but are the processes in place within each organization to handle the downstream effect? Dr. Cohn agreed: the MOU was not about a Web site or technology, but an agreement for all DSMOs to work together to meet legitimate business and national needs. Ms. Ward emphasized that when everyone went off to do his or her individual 90-day analysis, what would matter was that there was an infrastructure in place so each organization could be effective in a timely manner. She said there has been a tremendous effort within HL7 to ensure that will happen. The rest of the organizations need to be as confident. Assuring everyone that NCPDP was ready, Ms. Weiker rejoined, “Bring it on.”
Asked if the organizations were talking to each other or only trying to resolve issues through this virtual medium, Ms. Weiker reviewed the first batch of change requests, noting that X12N and NUBC have opted in regard to the institutional claim changes. The NUBC tends to go to the X12N meetings and X12N is represented on the NUBC. Cross discussions occur. Once perspectives are entered, they all meet and try to iron out a resolution. She pointed out they were still in the first 90-day period of the first batch. At the next hearing, they would be farther along and have a better sense of the collaboration and how it needs to be done.
Ms. Emerson detailed the processes laid out in the Final Rule for Standards for Electronic Transactions to maintain and modify standards and explained constraints (e.g., compliance dates and frequency of changes) applying to each. The final rule established that maintenance is a minor change (e.g., correction of typographical errors) that does not result in a substantive change to that standard. The Standards Development Organizations (SDOs) maintain the transaction standards. For maintenance changes there is no need for a federal regulatory process or publication of a proposed or final rule. Adding a new code to an existing code set or marking certain codes as deleted or phased out at a certain date were maintenance and normally done by the code set maintaining organizations. Modification, a major change, is adopted through a regulatory process.
Ms. Emerson explained the kinds of regulatory changes that might be made to the standards. Modification of the transactions include: adding new data elements, changing the number of repeats of a loop, or changing which kinds of code sets are allowed for a data element. Modifications normally result in a new version of the implementation guide. The compliance date is set in the regulation and, for modifications, can be no earlier than 180 days after the final rule’s effective date. People must have at least six months to implement modifications, which can be done on an annual basis. Modifications follow the Designated Standards Maintenance Organization (DSMO) process. Normally, the DSMOs make recommendations to NCVHS, which makes recommendations to the Secretary. The Secretary could publish a regulation adopting the modification to the standard.
Another kind of modification is to a code set standard already adopted. The same constraints in terms of compliance date and the same process apply as for a transaction modification.
Only when necessary in order to permit compliance, may the Secretary adopt a modification within the first year.
Adoption of a new standard is different from modification. The compliance date for all covered entities, except for small health plans, is no later than 24 months after the effective date of the standard. The date for small health plans is no later than 36 months.
Ms. Emerson discussed the exception process laid out in the final rule for testing a modification to a standard. People wanting to test make a request to the Secretary of HHS, who may consult with the DSMOs. The Secretary may grant an exception period of up to three years. Upon request, the Secretary could grant an extension.
She noted that promotion of best practices would not require any regulatory process and would probably be an industry process (e.g., WEDI/SNIP groups trying to find work-arounds for difficulties with the adopted standards).
Ms. Emerson pointed out considerations that surfaced in conversations about the modification process. The type of regulatory process HHS would be required to use depends on the significance and impact of the change. It might be a notice of proposed rulemaking followed by a full comment period and a final rule. In other cases, more expedited processes could be used. She noted that in order to meet the 180-day compliance period, the effective date of a modification of a standard adopted on August 17th, 2000 has to be around April of 2002 in order for the modification to obviate the requirement to comply with the original standard.
Ms. Emerson described the errata process that the Accredited Standards Committee, X12N Work Groups undertook identifying errata in the Version 4010 Implementation Guides. Some errata may require changes to permit compliance, and meet the test for modifications within the first year. Members of the X12N Work Groups have discussed two possibilities for modifying the 4010 Implementation Guides. One possibility proposed is to publish corrections to the errata as an addendum to the 4010 Implementation Guides; another possibility is to republish the 4010 Implementation Guides.
She noted there was some question about whether the DSMO process for modifications could be completed within the first year. An expedited process as discussed in the earlier DSMO briefing, might be necessary.
The Final Rule stated that the DSMO process would be used for adoption of additional code sets. Thus the DSMOs could be called upon in determining if a proposed new code set overlaps with a standard or might more properly be included in an existing standard.
Ms. Emerson discussed complexities in questioning the adoption of a new code set. The code set could be recommended to be adopted and not even be in the X12 standard at that time. The X12 standard would need to be changed to include it. The implementation guide might then need to be changed either to include that code set or make it usable in the transaction. The code set would then need to be adopted as a standard by the Secretary. Noting a chicken-and-egg situation where the code set is put into the transaction and not adopted, yet people are already using it, she pointed out the need to deal with complexities of timing.
Mr. Moertel, manager of electronic commerce for the Mayo Foundation, said “the flood of comment” on the DSMO site had already begun and he predicted the group would be active. He reported that Mayo had created a HIPAA compliance team focused on reviewing the HIPAA implementation guides. The team created a gap analysis comparing the data available electronically with data contained in the HIPAA transactions. They found a large number of new data requirements and determined extensive infrastructure changes are required. Based on this analysis, they convened a meeting of provider groups and representatives from HCFA to review these data elements. The group determined that the gaps were common issues for the provider industry. Some 29 of the issues from the Professional Guide and 15 issues from the Institutional Guide were considered priority 1 or high-priority issues that create barriers to the implementation of HIPAA. Even low-priority issues, viewed as a whole, create a barrier.
The provider group discussed whether new required data elements reflect universal business needs or were requirements expressed by only a single payer or state agency. A major issue is that the burden falls on the providers to report all the requirements in claim transactions. They are obligated to provide required elements on all claims to all payers, even if no business partner needs it. Payers who do not need that data element must process the claim and maintain the element, either passing it on the remittance advice or to a secondary payer as part of the COB process. The 837 Implementation Guides were developed for reporting claims services from providers to payers. Noting that some of these data elements do not reflect a universal business need or are requirements expressed by only a single entity, Mr. Moertel conveyed the provider group’s opinion that elements included to fill other needs (e.g., state public health reporting) should not have to be reported on claims transactions. The group supports utilizing the 837 standard as the transaction to report data for public health purposes, but believes a separate implementation guide should be developed for those needs.
Mr. Moertel observed that often other more widely accepted methods are available for capturing the same information. He suggested that some data elements will require compromise in order for administrative simplification and HIPAA health data standards to be successful. Implementation guides for the transaction must be adopted consistently across the industry, he emphasized, reiterating that it is unreasonable to expect every provider to modify its system and collect and report data elements to accommodate a single or a few payers. In many cases, it may be impossible to collect required data element information. In some cases, providers would have to modify their systems to comply with requirements of the new standards. In others, an industry review must be done to identify the percentage of the industry that required certain data elements. When that percentage is low, Mr. Moertel asserted, the requirement should be removed.
Noting certain state laws require other data elements and therefore every provider in the country was required to report them (even if neither their or the payer’s state required it) Mr. Moertel observed this defied HIPAA’s intent to create a universal national standard. With establishment of the DSMO process, the provider group believed future requests to fulfill requirements of an individual payer or provider would not be accepted. Mr. Moertel reported they were already sending all of their issues through the DSMO review process.
He stated that the DSMO process is set up to handle issues with new versions of the guides. He emphasized that compliance with the current data element requirements would impose substantial financial risk on the health care industry. He expressed concern that if the DSMO process must be used for changes to the current data element requirements, changes will take too long, and health care participants will be required to make costly infrastructure changes to be in compliance with the data requirements of the current implementation guides. Noting that the Secretary may adopt a modification at any time within the first year, if the modification is deemed necessary for compliance with the standard, Mr. Moertel said they sought immediate relief from the Secretary.
Mr. Moertel said many of the organizations that MAYO works with are following the path outlined by the WEDI/SNIP process and their focus is on the claims transaction. They intend to analyze the other implementation guides and code sets in the order identified by the WEDI/SNIP implementation schedule. The group has discussed problems with the claim adjustment reason codes and CAS rejection codes.
The claim adjustment and service adjustment segments provide the reasons, amounts and quantities of any adjustment the payer made to the original submitted charge or units related to the claim or service. The standardized list of claim adjustment codes is to provide explanations of liability of the financial adjustment to the claim or service line. Use of OA or other adjustments make it difficult to ascertain the liability of the provider or the patient and necessitate follow-up telephone calls to the payers. The use of payer initiated reductions can also be difficult as they imply to the patient that the provider should take a reduction, even though the provider is not legally obligated to do so under a contract or government regulations. The implementation guide recommends that payers avoid the OA group, but does not prohibit payers from using that group code. Similarly, the CAS rejection codes, No. 16 and 125, are oblique, requiring a follow-up phone call if the proprietary information is not transmitted or understood by the provider.
The provider group also foresees problems if providers are required to report taxonomy codes to the payers. The list is extremely granular and out of date and providers and probably payers will face costly infrastructure changes if they use the provider taxonomy codes. Payers are asking providers to report information (e.g., provider specialty) that should already be in the payer’s system. This is an adjudication problem with the payer’s system. A physician could be board certified in several specialties or subspecialties and the billing department may not know which specialty to submit for services. Provider specialty is not currently reported, Mr. Moertel noted, and should not be a required HIPAA data element for providers.
The group determined NDC codes will present major problems for both professional and institutional claims reporting. The 11-digit length of the NDC code is an issue, and the mapping of the J codes to the NDC codes would be a manual process in the clinic setting. Clinic personnel would need training to identify NDC codes for every drug supplied to each patient and this responsibility might go beyond the scope of their licensure or training. Would separate NDC codes be required for each drug in drug “mixes” or “cocktails” or would only one drug be identified? Would the clinic or hospital be considered a manufacturer and need its own manufacturing code? The provider group concluded that the NDC codes should not be used for professional and institutional HIPAA claim reporting purposes.
Mr. Moertel said the provider community faces a significant education issue. And many of the providers who do become aware of these issues may not have the financial resources to make the required system changes necessary for compliance. He said the group views the X12N formatting and structure as a simple mapping issue. The big issue is having the data available. The gaps identified will require significant changes throughout provider systems, beginning with the physician, nurse or paramedical staff charting the information, and need to be carried through to the patient accounting system.
Mr. Moertel stated the Mayo Foundation’s and the other participants’ shared commitment to advancing standardization and administrative simplification. But he emphasized that there are issues that need to be addressed. The group evaluated the Mayo analysis and determined that gaps identified were common issues for the industry. One common question discussed was whether or not the new required data elements reflect a universal business need for the health care industry or were requirements expressed by a single payer. The group believes that most elements that are a concern do not reflect universal business need.
Second, the HIPAA 837 Implementation Guides were developed for reporting claims services from providers to payers. Mr. Moertel said that if the inclusion of some of these elements was to fulfill other needs (e.g., state public health reporting), they should not be required data elements. The provider group supports the position that the 837 standard should be utilized as the transaction to report data for public health purposes; however, they believe that a separate implementation guide should be developed to fulfill those needs.
Third, in some cases, providers would have to make modifications to their systems to comply with the requirements of the new standards. In others, they believe that an industry review should be done to determine the percentage of the industry that requires certain data elements. If that percentage is low, based on the number of payers or the volume of claims, then the requirements should be removed.
Mr. Bechtel, an advisory analyst focusing on strategic issues related to administrative simplification, presented in his capacity as co-chair of the Transactions Work Group for WEDI/SNIP. He testified on issues related to WEDI/SNIP’s analysis and early implementation experiences with HIPAA X12N Transaction Standards. SNIP works to resolve implementation issues related to implementation requirements set forth by the law, regulations and implementation guides by identifying work-around solutions and best practices. Issues that may require changes to the regulation are noted and passed on to the appropriate DSMO, HHS, or to the WEDI HIPAA Success Task Group. WEDI/SNIP’s sequencing sub-Work Group strives to advance a deployment schedule for an orderly sequenced implementation that addresses industry concerns and is logical and effective for most organizations. The group also considers return on investment, putting transactions that offer the most benefit up front to help fund development of the other transactions. A sequencing proposal was presented to the industry via their Web site and e-mail announcements asking organizations to review the proposal and comment on their ability to follow it.
The group also surveyed for other information: e.g., projected cost to implement expected resource commitments, implementation strategies, and implementation barriers that might be addressed within WEDI/SNIP to keep implementation moving. The three most critical implementation barriers are cost, limited time, and elimination of local codes. NDC codes and new transaction content also ranked high. About 15 percent of the organizations responding agreed to follow the WEDI/SNIP proposal; 40 percent were still evaluating their plans, and 45 percent offered different alternatives--few matched anyone else’s. Many organizations are still doing their gap analysis and noted that their implementation plans might change. Others couldn't respond because they were only beginning the process.
Mr. Bechtel noted concern that the staggered release of final rules will impact compliance work already completed, forcing revisions and making further changes, further increasing the costs. Some organizations feel compelled to wait until all the rules are final and published.
A number of organizations commented on the scope and complexity of the changes and the tight time frame for development, testing and implementation. They expressed concern that this work could interfere with the health community’s short-term ability to provide good, timely processing for the transactions. Issues that cannot be addressed by WEDI/SNIP will be reviewed and considered by the WEDI HIPAA Success Task Group, which provides input to HHS and this Subcommittee.
Work being done by the Data Review Sub-Work Group is focused mostly on transaction inconsistencies and ambiguities. Relying on volunteers to come forward with issues uncovered during their own analysis, WEDI/SNIP strives to bring these forward and work through them.
Many of the implementation problems are within the implementation guides and are being addressed by X12N via their errata process. They do not involve a work-around or best-practice solution, but fixes to the implementation guides. Those not fixed find their way to this Work Group that has identified a number of issues.
The Translations Sub-Work Group is looking at issues related to problems of translating data elements from one code set to another. NDC codes do not crosswalk well with the HCPCS J Codes. While it is possible to translate from the NDC Code to the J Code, it is not possible from the J Code to the NDC Code (many possible NDC could be described by one J Code). Mapping taxonomy codes to the HCFA specialty codes causes a similar problem.
The Testing Sub-Work Group is looking at ways to improve the implementation validation process. The amount of time and testing it takes to implement new transactions between trading partners is a major industry concern. WEDI/SNIP cautions that mandated time frames will not be met unless implementations are conducted in more efficient ways.
The Business Issues Sub-Work Group’s main concern is that no formal mechanism for resolving interpretation issues exists today. Mr. Bechtel predicted the number of issues will expand rapidly as organizations begin or complete analysis of their requirements and determine the data gaps and their questions. Many issues center on roles of clearinghouses, coordination of benefits, and permissible implementations of direct data entry solutions.
Ms. Schulten, a HIPAA product manager with New Era of Networks and co-chair for WEDI/SNIP’s Translation Sub-Work Group, represented the Administrative Simplification Print Image Research Effort’s (ASPIRE) project. The demonstration project involves providers, payers and clearinghouses in an effort designed to identify data content gaps between the traditional paper claim formats and HIPAA-compliant Version 4010 837 professional and institutional electronic claim formats.
The HCFA 1500 paper claim forms, which can be turned into an electronic print image to facilitate mapping from the paper to the electronic claim format, contain a subset of data present in the 837 professional transaction. Other data is not present on the 837. The UB92, a print image form, also contains a subset of data present on the 837 institutional transaction, as well as other data. There are gaps between mandatory data content. Provider taxonomy code does not exist on the paper claim form to facilitate mapping to the electronic format. Another gap is payer responsibility sequence. Whether the payer is primary, secondary, or tertiary is not explicitly stated on the HCFA 1500 claim form. Data specificity is another gap. The 837 makes very clear distinctions between bill to, pay to and rendering provider; the HCFA 1500 does not. Ambiguity exists within the data element crosswalks (the J and NDC code one-to-many issue). Another issue is with blank fields defined by the payer with nonstandard use of the paper claim format. Solutions or work-arounds include: precise implementation guides, industry-wide accepted crosswalks, trading partner agreements, data enrichment, publication and acceptance of best practices.
Payers will have to handle electronically and manually two feeds of information in a consistent manner, including uniform policies and procedures for handling both HIPAA and traditional phone/fax requests from providers. They need to develop an appropriate system infrastructure to handle the expected increased transaction demands and reengineer systems for high speed, high volume throughput. They need to be able to archive all incoming 837 claims, then link the data as submitted with the 835 payment response. Hopefully, the mandated standards will make it easier and more cost effective for the provider’s practice management system to accommodate HIPAA transactions. Vendors, however, will be pushed to supply this new functionality. Lag time in system development might impact the compliance deadline for some providers. Also, traditional practice management systems developed to facilitate claims submission and the posting of the remittance are not supportive of this new interactive environment and providers might have to replace existing systems. Providers, too, will face challenges in establishing a business design that takes advantage of the HIPAA transaction standards without overwhelming system upgrade costs or clearinghouse fees.
Ms. Schulten said the largest implementation issues facing the industry are education and awareness. Industry-wide education and consistent communication, especially in the small physician practice, continues to be a problem. She recommended the creation of continuing education courses that address HIPAA requirements, online course offerings and tests to provide accreditation
Dr. Cohn noted he heard little intersection between the discussions, priorities and issues. He cautioned that, unless everyone aligned, implementation could not be successful. Mr. Moertel observed that a number of issues would flow through the “normal” process, aligning as they came forward. He noted the gap analysis flagged coding issues--not issues with the transactions. He said these issues impact medical practice all the way back to the provider who “captures a baby's birth weight.”
Mr. Moertel remarked that he could map a HIPAA transaction--the problem was getting the data to process. Implementing new transactions and requirements, he pointed out, would involve provider groups unfamiliar with these issues. Coders and health care practitioners had not focused on electronic communications and transactions. Now that the rules were finalized, there was a wake-up call and the issues were on the DSMO site. Providers were realizing there would be significant changes. They would be telling WEDI/SNIP and the ASPIRE team what they thought and working together to resolve these issues.
Dr. McDonald said that the hot issues were the NDC codes, the provider classifications and number of required fields. He suggested shortening the list of required fields. Ms. Trudel reflected that she had heard a number of problems with different solutions. Ms. Schulten supported the need to reassess the correctness of the field sizes, the field repeats and the data elements that were errors in the implementation guides. Mr. Moertel recommended assessing the business need of some of the data that is either required or situational. There was a need to look for work-arounds and, possibly, situational definition changes (e.g., the one indicator only used in Indiana). Ms. Trudel remarked that left “a small universe of things people need.” At this point, she said vendors had to take over.
Mr. Moertel observed that Mayo provides coverage to people throughout the world. If Indiana Medicaid had an issue, there was an issue for the foundation--Mayo’s system had to deal with that requirement. Ms. Fyffe expressed concern that, in situations like this, it could be years before electronic claims would be sent to the Indiana Medicaid program. Mr. Moertel said a vendor will probably have a product in Indiana and have to make modifications. Every payer will have to modify; if they receive a claim as primary to their insurance and the secondary insurance is Indiana Medicaid, they have to be able to respond.
Noting that traditional practice management systems developed to facilitate claim submission and posting of the remittance did not support an interactive environment, Ms. Fyffe asked what it would cost a physician's office to upgrade. Ms. Schulten reported that some physicians with tight budgets purchased software to do claims submission; their palm pilot costs more than what they used for submissions. Other, larger physician practices had already invested several hundred thousand dollars in a system; concerned about security and privacy issues, they were looking to a new version of software. Smaller providers were the hardest hit. Practices a bit larger did not want to spend much more than $10,000. Ms. Fyffe commented that then they would send in paper. Ms. Schulten pointed out a catch-22 for smaller vendors who do not have the development staff to make it cost effective to provide systems the industry wants; some might opt out of this business or become paper claim submission systems. Mr. Bechtel noted some vendors provide an interface for their applications to extract and import the data; clearinghouses also offer more affordable and attractive options; and browser solutions help low-end or small providers access information and interface.
Dr. Zubeldia agreed that the standards “look like a Trojan horse that needed to be opened and shaken.” But he emphasized that everyone knew some things were not going to be modifications. He suggested dividing the errata discovered in the implementation guide into maintenance and modifications items. Modifications (e.g., NDC versus J Codes) needed to be looked at. Maintenance items should be fixed, without going into a complicated process. Ms. Emerson said reported errata had been sorted into showstoppers to get to those clearly requiring correction in order to permit compliance that could be adopted in the first year. People had complained that the definition of maintenance in the Final Rule ("Technical corrections to an implementation specification.") was not helpful. She said the thought had been: if taking action results in a new version of the implementation guide, than consider it a modification. The Secretary had adopted a particular version and publication date of the implementation guide, so any modification would require a regulatory process.
Dr. Zubeldia and Ms. Emerson clarified that maintenance, since it was by definition correction of minor errors, was not necessary to permit compliance and could be done any time without a regulatory process. Dr. Cohn noted the consensus was that there would be a cleaned up next-version of the implementation guide with the modifications and the errata maintenance in place. Dr. McDonald cautioned that people were worried about this shifting too far and getting gridlocked; he encouraged everyone defining these lines to keep this concern in mind. Mr. Moertel concurred. Getting providers to look at these implementation guides, given their size, was “like pulling teeth.” He emphasized that the implementation guide had to be clear; one should not need the addendum to understand it. The DSMO group should work with maintenance items--and move quickly.
Dr. McDonald identified opposing thoughts. He heard they should get a statistical "boil down" of the 90th percentile everybody uses and throw out the rest of the data from the transactions. He also heard “if someone announces it, they had to have it.” He pointed out the logical conflict: everybody couldn’t have everything and simplification. Dr. Cohn noted agreement: misspellings and bad examples needed to be cleaned up, but a new implementation guide was not needed if they misspelled something. He also heard a lot of business issues. Dr. McDonald commented on the ongoing view that, “now that we have standards, we can get all the data we want in.” They heard this throughout the testimony, he observed, adding it probably was linked with Medicaid’s variant inputs. Some data requests were impossible, he remarked, because of work-load realities. (e.g., the ambulance attachment had sought input from the driver on whether the patient was admitted, something that would only occur hours later). Dr. McDonald encouraged cutting back to some high percentile need, after hearing from everyone involved. Dr. Cohn suggested Mr. Moertel had proposed much the same thing, but Dr. McDonald said he worried they were all nodding over different things. Ms. Schulten noted that unique business issues, that were not relevant to 90 percent of the industry, got forced into transactions and she wondered where they could go. Mr. Bechtel pointed out these were not required elements. The transaction was built to accommodate elements, but they are not always required.
Dr. Fitzmaurice pointed out that systems provided benefits. He asked everyone to imagine the problems and manpower that would be “chewed up” without a system to prompt, alert and remind them “this fellow is from California.” Some of these business issues showed the advantages of systems and standards, they were not just glitches to be overcome by changing standards unnecessarily. He agreed with Dr. McDonald on the need to balance out making systems do everything with making them work for 90 percent of the people. He pointed out the tradeoff in the cost of manually processing exceptions versus systems processing and encouraged making a business decisions.
Mr. Moertel concurred; exceptions had to be handled manually. To accommodate situational elements, all the systems (practice management, medical review, patient accounting) had to be aligned and have data available. He emphasized there was no problem creating a map to transport information and including situational data elements. The difficulty was having that situational data element available in all systems. While acknowledging that situational elements had to be manually handled, Mr. Moertel asserted this could not be what they were meant to achieve. Dr. Fitzmaurice noted that this dilemma was not caused by the standard. Indiana Blue Cross mandating a certain element before they would pay the claim had caused it, and that had to be handled manually, one way or the other. But a system that prompts an alert reduced manual processing. Mr. Moertel said he still hoped to achieve systems that would not require manual intervention.
Asked how the DSMO organization would assess significant or universal business need, Ms. Weiker explained that would be done by each individual SDO and group. At times, a group might be more heavily payer or provider represented, but this had to be done in a consensus manner. Dr. Cohn said he heard a complex milieu of maintenance issues and that it was not the role of the DSMO to decide all the business needs; yet, the process did need to facilitate a discussion with the right SDO so issues could be identified and reflected upon. He asked if a process could occur within the SDOs, facilitated by the DSMOs, in a reasonable time frame.
Dr. Zubeldia clarified that the standards preempt state requirements in terms of additional data elements for the claims. He noted this had happened with the type-of-service code; the states found their way around it; they had not needed the code. He said if the pregnancy indicator is requested in Indiana, they probably do not need it because it is something that doesn't change more often than every nine months. The SDOs could remove it from the implementation guide and the state would find a way around it. Ms. Ward observed that the lines were gray between an errata initiative and whether their role, as laid out in the MOU, had expanded to take on changes to the existing implementation guides within the first year time frame. She said they were working closely with HHS and X12N, as a member of the DSMO steering committee was involved in everything from an X12N perspective. They needed to determine what was a modification or showstopper and what was maintenance or a technical correction, which needed to be done now and which could be in the next subsequent versions. Vendors were considering design and system specifications to create HIPAA compliant solutions. If they were going to change references to external code sets and remove data elements, it had to happen quickly. Ms. Weiker concurred. Everybody was at different stages in this analysis; people were already modifying systems. They had to get all of it identified now. Mr. Moertel encouraged consensus. There were work-arounds; nobody would “be left out in the cold.”
Dr. Zubeldia said he would like to see if the DSMOs could do this. There was a process to request modifications. They could always direct questions on policy issues to the Department. A process could be set up to deal with maintenance requests. Ms. Trudel noted that, based on the matrix that Ms. Emerson presented and the regulation and definitions of maintenance and modification, the maintenance of the implementation guides, which belong to the SDOs who develop them, was appropriately in that venue. Those organizations had existing processes for taking care of maintenance items. Dr. Zubeldia remarked it was a very short definition of maintenance; he suggested everything short of adopting a new standard or a modification to a standard be maintenance, including code sets. Dr. Cohn disagreed. He said Dave Moertel’s testimony sounded like modifications. Eliminating taxonomy codes or the taxonomy field was not a maintenance item. Dr. Zubeldia acknowledged that taxonomy codes, the birth weight and the pregnancy indicator were modifications, but he indicated that the bulk of the errata were maintenance. Ms. Ward concurred that the SDOs should handle the issues they could. Technically, it was not a DSMO process issue if it fell under the maintenance definition. The problem, she said, was educating people to understand the terms, the DSMO process and how it worked.
Mr. Bechtel explained WEDI/SNIP was looking for a way to certify that the work being done with a trading partner was compliant and met HIPAA requirements, so they did not have to repeat their test with every trading partner. They put out a sequence proposal that met the HIPAA completion date and worked backwards. The push back they got was that they were trying to start the testing and implementation cycle too soon; some organizations “couldn't get there,” because they were waiting for vendor systems.
Mr. Arges conveyed the National Uniform Billing Committee’s concerns about the ambiguity of the Final Rule and the intended use of NDCs for reporting drugs and biologics. He noted the letter NUBC wrote to the Secretary in September stating their belief that the NDCs should not replace the HCPCS drug codes used on inpatient claims. He said the National Uniform Claim Committee voiced similar concerns at a joint meeting. He then answered questions the Committee had asked, saying he believed they would help NCVHS have a better understanding of the issues and problems they were facing.
In his responses, he pointed out that institutional and professional providers were already reliant on J Codes to report drugs and continuation of this would not pose any major problem. In contrast, changing from the J Code to the NDC would impose significant hardship on both providers and payers. He remarked that the primary reason for NUBC’s concern was the significant cost associated with widespread adoption of a brand new code set like NDC. Its adoption would require extensive conversion and replacement of existing information systems and entail associated training costs. He said cost estimates indicated that adopting the NDC alone could easily exceed the conversion costs of adopting the new transaction standards. Some estimates from hospitals put the price at a minimum of $200,000 per facility.
Mr. Arges explained that NUBC found that NDC had very limited use within hospital pharmacy departments. It primarily referenced purchase orders, and was used mostly for inventory control. However, he noted that people had brought to NUBC’s attention the potential harm that could occur to patients as hospital pharmacies tried to transition their systems to NDC. Pharmacy departments reported the conversion would require building new interfaces with their dispensing systems. The concern was whether the dispensing systems that would be required to adopt the NDC would get the job done correctly. Failure to reference the correct NDC could cause medication errors.
Mr. Arges noted that hospitals often repackage and provide unit dosage and provide drugs compounded from different drugs. Under these circumstances, the NDC may not be accurate, readily available or even exist; NDC would add significant new operational burdens for caregivers without corresponding savings. Payer representatives told NUBC that they had no particular use for the NDC and felt comfortable using existing J Codes. Generally, the payers were satisfied with the current reporting of the J Codes and pharmacy revenue codes. For inpatient hospitalizations, the ICD-9-CM codes were key. The only time payers needed drug specificity was when a particular type of drug or biologic item was furnished under special circumstances. Generally, for these situations, the trading partner agreements define what is reported. J Codes are primarily used for this purpose.
Remarking that NDC was designed for out-of-hospital settings, primarily retail pharmacy, and never intended for hospital use, Mr. Arges said NUBC was asking NCVHS to make a recommendation for a modification to the Final Rule. The NUBC recommended that institutional and professional claims be allowed to continue to use J Codes for reporting outpatient pharmaceuticals and biologics and that NDC only apply to retail pharmacy claims.
Ms. Humphreys recounted how, after receiving the comments from the NUBC and other groups, the Department and those involved with developing the transaction Final Rule reanalyzed all the comments submitted in response to the NPRM and the publishing of the Final Rule and realized that more research and evaluation was warranted. She said the Department still adhered to the goal of a singular, more granular and frequently updated code for drugs and biologics. But based on the comments that came in from the industry as it grappled with implementation, it was clear there were serious issues, in terms of the timetable for moving toward a single drug code. She said she didn’t think anyone was arguing that the NDC code wasn’t appropriate for prescription drug and retail pharmacy transactions. But, like many of the commenters, the Department had come to the conclusion that more evaluation was called for. Meanwhile, she said the most advisable course might be to change the recommendation and leave the J Codes for the institutional and professional claims.
Ms. Humphreys commented that the process being put in place for reasonably prompt development of national interim HCPCS codes will address the issue of the fairly high percentage of local HCPCS codes being developed across the country that are drugs.
Mr. Bechtel said HDX and Siemens Health Services Corporation had analyzed the impact of administrative simplification on their services and products since the initial NPRM was issued for transactions and code sets and were generally pleased with the rules and looked forward to full implementation and improved efficiency and effectiveness at handling associated business functions. But Mr. Bechtel expressed their concern about using the NDCs in place of HCPCS J Codes when reporting drug charges on an institutional or professional claim. The J Codes provide a simple way to report high-cost drugs and biologics generically with reference to administered dosage. In the institutional and professional settings, this is simple, efficient and effective. The NDCs lack specific information related to dosage and the X12N transactions that will utilize them lack instructions for specifying dosage administered or dispensed. Other issues related to NDCs include: the field length differences between NDC and J Codes, frequency of changes to the codes and code reuse. Storing codes double in size will impact storage requirements and require application file enhancements to accommodate field length and granularity of information. Maintaining these files will require more frequent updates to the code sets to stay current with coding additions and deletions. These issues will require changes to many systems and may increase operational costs to the provider.
Mr. Bechtel noted there are advantages to using the NDC code, especially in the pharmacy environment. Some payers may be able to determine more accurate reimbursement for providers based on drugs dispensed or administered. However, he saw little benefit for institutional and professional providers for the application enhancements and operational procedures that will be required. Mr. Bechtel discussed several perspectives in this environment.
He noted that most hospital enterprises are complex environments composed of multiple applications and systems. These are focused on specific functions (e.g., laboratory, radiology, pharmacy, patient accounting and patient billing applications) within a hospital unit or area of business and often are supported by different vendors. Systems and applications normally exchange information between certain processing or trigger events (e.g., a physician's medication order entered into the patient care system generates a message to the pharmacy system to fill the order). HL7 messages accommodate the above processing between applications and can support the NDC to report the drugs dispensed and/or administered. Many vendors support these various systems, but not all use HL7, leaving proprietary messages to be changed or HL7 to be implemented to accommodate NDC. This not so simple task requires cooperation between multiple systems and vendors, who may choose to solve interface solutions differently (there are no governing implementation guides). Mr. Bechtel emphasized that implementation will require application changes, time, and a lot of coordination from the provider.
Several processing flows capture pharmacy and drug charges utilized by different providers, depending on the level of sophistication implemented with these interfaces. When the pharmacy system sends a charge record to the patient accounting system, the NDC information can be captured easily. When the system sends the order fill information and administration instructions to the nurses’ station, once the nurse administers the medication, the patient care system sends the charge record to the patient accounting system. If the NDC code is included in the order fill information, NDC information may be available to the accounting system. In some systems, when the clinician enters the medication order into the patient care order entry system, an order is sent to the pharmacy system and a charge record is sent to the patient accounting system—no NDC information can be included. Another method needs to be created to get the NDC information. The pharmacy system could send the NDC information to the patient accounting system when it fills the order; patient accountings would have to associate the NDC information from the pharmacy to the charge record sent from the patient care order entry system. Mr. Bechtel noted this would be a significant task and not one he would recommend. Implementing this approach would require re-engineering of many interfaces within the enterprise and, probably, application enhancements throughout the environment.
An institutional pharmacy system will know the NDC code and can send the information to the patient accounting system when the drug is dispensed. But the patient accounting system will have problems whenever the package has been subdivided and the pharmacy system will have trouble reporting an order split between two packages of different sizes or manufacturers or one for drug “cocktails.” Mr. Bechtel also noted the need to clarify which drugs require NDC information: would this be limited to J Codes, the only drugs reported in an institutional setting? He added that application changes to support NDC information with ordered, dispensed or administered medicines will require changes to HL7 implementations or proprietary systems, which could be expensive, complicated to implement, and will probably require process re-engineering.
In the institutional setting, most charges are summarized into a revenue code assigned for a Diagnosis Related Group (DRG) or an APC that include medications. J Codes are used to report certain high cost injectable drugs for chemotherapy on outpatient bills. Most Hospital Information System patient accounting systems do not capture NDC codes and will require changes to the interfacing systems. The NDC is not easily captured at the nurses’ station. Often, packaging is unavailable and generic brands may have been substituted. Extensive use of HL7 or proprietary messages may need to be implemented between the pharmacy, patient care, and patient accounting applications. Algorithms will need to be developed in the patient billing applications to determine unit pricing based on dose administered. There are no standard implementation guidelines on how HL7 or proprietary records should be implemented by various systems or vendors, but application changes will be needed in several systems. Mr. Bechtel noted this can be complicated and that implementation specifications might not be known for some time, while vendors develop solutions.
Reporting drugs on an institutional X12N 837 claim is problematic. Drugs are not normally listed as a line item and, again it is unclear how to report partially used packages or whether only high-cost drugs or all drugs are considered.
Practice management systems in the professional environment face the same issues as patient accounting. Also, in many cases not interfacing with institutional pharmacy systems, NDC information will need to be entered manually. As in institutional settings, using NDC codes will be troublesome for billing injectable and intravenous drugs.
For both institutional and professional settings there would be no problems or expenses incurred if the J Codes were used in place of NDC, since they currently support the J Codes today. However, a quick decision will be helpful, as they have initiated system modifications. If change is not necessary, they want to stop.
Mr. Bechtel summed up: systems could be modified to support NDC codes--but at what cost and for what benefit? He said HDX and Siemens Health Services plans to build the necessary support to handle these processes, but believes there will be implementation issues between vendors and transaction trading partners and the implementation guidelines need to be improved to address these issues. He recommended J Codes should not be eliminated for institutional or professional claims. They were created to specify high-cost drugs administered in a generic way, and had already simplified billing. Replacing them with NDC codes would muddle a simple process.
Mr. McLaughlin, a regulatory policy analyst with McKessonHBOC, which offers software solutions for payers, hospitals and providers, as well as claims clearinghouse services, said their systems have performed a gap analysis on issues surrounding the transformation from J Codes to NDC codes. He said pharmacy and home health systems will see little impact dealing with the NDC codes and that there will be a moderate impact on the clearinghouse as output to all the payers will need to be changed. The interfacing system from the hospital information system (HIS) to the clearinghouse will simply pass through what is sent. But he noted the impact is larger with the hospital information system and payer and clinical practice management software.
The NDC information will have to originate from the pharmacy systems. Charge interface records for McKessonHBOC HIS systems will be changed to include NDC codes from the pharmacy, and the pharmacy system will be modified to send NDCs. Mr. McLaughlin said some pharmacy systems might also send along J Codes rather than doing the look-up later. Almost all HIS systems will carry both throughout their system. While this enables easier tracking and history archive capabilities, he noted development will have to be duplicated as it relates to both code fields. Allowances for interaction with non-integrated systems is a key concern for SDOs.
Some systems will have to require that any third party pharmacy system sending a charge record include NDC codes in the record. The NDC codes will be stored for the patient's charge in the patient accounting system and passed to another system for distribution to the clearinghouse or the payer.
McKessonHBOC’s customers, who typically choose what module modifications they implement, will be required to be on the latest main release for implementation for this change, which is widespread throughout the product. Mr. McLaughlin said it will be a major effort for them to implement this change. Customers that use another internal pharmacy product, with an in-house written interface to send charges, will also need to change interfaces. A normal time frame for implementation is six months. He said a typical time frame for development from the HIS standpoint may run up to 190-person days per product.
Mr. McLaughlin said the development effort is largest for payers, who also must deal with issues related to the cross reference of NDC and J Codes. The elimination of J Codes will be a major issue for the payer as reimbursement and benefit adjudication are tied to HCPCS J Codes. Changing these to NDC codes will require considerable configuration by the payer's customers. In an effort to enable clients to be compliant with the Transactions and Code Sets Final Rule as soon as possible, some payers will initially translate from NDC to J Codes to continue adjudication from the J Code. They will need the capability of translating back to NDC in order to retrieve the original NDC code when necessary. As the payer customer services area handles inquiries from customers or submitters, they will need a tool for looking up cross-reference information. If the code set is an NDC converted to a J Code, they may need access to the original data. In the long term, the payer systems will change to adjudicate from the NDC codes. The typical time frame for development from the payer system standpoint will run between 50 and 180 person-days per product.
The practice management systems will require a major effort to allow NDC codes to be processed. Fields will need to be expanded in nearly every module. NDC codes will be stored within the system and the system will have the capability to display the NDC code, so customers can match the line item to the payer remittance. These systems will pass the NDC code through the charge record to the clearinghouse and on to payers. Subsequent maintenance and distribution of the NDC tables is a concern. Unanswered questions include how updates to NDC codes will be distributed, how often customers will need to run updates, and how long updates will take. These answers will be critical to both the development group’s and the implementation team’s plans. The typical time frame is nearly 395 person-days per product.
Mr. McLaughlin said there is a fairly substantial impact on their software development efforts. Utilizing duplicate drug codes may not be the most efficient use of a developer's or a provider's time. Continued use of existing J Codes might help ensure timely implementation.
Mr. McLaughlin mentioned other issues that will be shared by developers, providers, and payers. HCFA has contracted with a third party to produce a cross-reference table to enable a person or systems to access a J Code and cross reference to NDC codes. This extends development time and systems may need to resolve issues in different ways.
If a provider has non-integrated vendor systems in place, the interfacing systems also need to be modified. One system's solution might be to determine the correct NDC code through a look-up and selection process, passing the single code through to the next system. If the receiving system can accept both the J Code and the NDC code, important information (the original J Code) is omitted that might be needed later. This issue becomes increasingly complicated with each additional system involved in the transaction. If, for example, the systems only send one NDC code throughout the process, the payers system may convert that NDC code back to a J Code for internal processing and benefit adjudication. Reconverting the transaction information would be impossible without the original NDC code.
The NDC number is a smart number that designates the manufacturer, product name and packaging information. Commonly used by pharmacists, the packaging information is meaningful in that setting, but there are problems with its usage in the hospital and clinical settings. (e.g., if an NDC is designated for a particular box of ten vials of a drug, the pharmacist may dispense the box or 1/10th of a box--a vial. However, in a clinical setting, the provider is giving an injection from one of the 10 vials and the NDC number can no longer be used for billing. Units might be issued by the fractional unit, but not all drugs are billed at the service line level so the solution is only selective.)
He said he was not sure how effective HCFA’s cross-reference file would be. If nothing more than a one-to-many cross-reference developed, its use might be limited. If HCFA is successful in developing a useful cross-reference file, however, other issues (e.g., distribution of the NDC codes) will rise to the surface.
Mr. McLaughlin noted that NDC codes change on a more frequent basis than the J Codes. How changes would be distributed (and how frequently) remains to be determined. Frequency will have a large impact on the effort imposed on the provider and payer organizations.
Today, NDC codes are distributed through First DataBank (the Red Book). Licensing is required and distribution methods are not perfect. (e.g., a tray of ten 1-gram vials of any drug would use the NDC tray number, indicating it represented ten times 1-gram vials. The same NDC number would also be used on each vial. Before First DataBank can send pricing information, it must decide if the NDC number represents the tray or a vial.
Mr. McLaughlin noted that many problems are associated with this change--lengthened development times, usage and functionality problems, extended implementation time frames--and potential distribution issues need to be resolved. He encouraged the Subcommittee to consider utilizing a code that works for the pharmacies, providers and payers and also utilizing the functionality available today by retaining the J Codes. He said converting to NDC codes would cost millions of dollars in development time alone. Revising the standard to allow J Codes to be used for institutional and professional identification of drugs would eliminate all that development time for each product.
Ms. Miller, corporate regulatory and compliance manager, IDX and co-chair for privacy and security with WEDI/SNIP, said IDX fully supports the intent of the Electronic Transactions and Code Sets Final Rule. But she cautioned that complexities of the new regulation might make it difficult for many customers to meet the implementation date.
A survey of IDX’s customer base indicates their physician practice customers use J Codes almost exclusively. Hospitals and specialty groups use both codes. IBXtend, IDX's practice management product whose current version only uses J Codes, is the most heavily impacted.
She reported that IDX is in the middle of the gap analysis of its product sets and remarked that the requirements to move to NDC had a significant impact on IDX software and their medical group practices customers' processes. The IDXtend product line, used by some 100,000 physicians, is directly impacted by the mandated code set change. Ms. Miller said the change for professional and institutional 837 is a significant barrier to both IDX and its customers. Substantial changes will have to be made to the products and their associated databases. IDX must add new dictionary and screen/report fields and field lengths in the database to support the NDC codes.
Noting that currently there is no cross walk or conversion table, Ms. Miller said the temporary “fix” is the ANSI ASC X12N "fudge" of assigning a new manufacturing code to a J Code to make it “look like” an NDC code.
Ms. Miller contended that if the standard were revised to continue letting J Codes be used for institutional and professional identification of drugs, some in the industry would be further confused by an already complex situation, especially if the ultimate goal is to move wholly to NDC codes. She noted vendors had already initiated this process. Citing the need for an industry approved crosswalk between the two code sets and more work at ASC X12N before the NDCs could be of value to many covered entities and support the efficiency and the interoperability goals of the HIPAA administrative simplification, Ms. Miller emphasized that the "how" and the time frame of implementation should be carefully considered. She said IDX supported a considered and time sensitive move from HCPCS J Codes to NDC, provided the additional items that can now be included in J Codes will be included in another code so that its customers will be paid for the provision of those services.
Dr. Zubeldia asked the panel if it was possible to send an 837 claim with the J Code in the service element and an NDC code in the “ref” segment indicating this is the drug or biologic used for this J Code? Home infusion was vocal about needing the additional information that the NDC codes could provide; it would only be for them. Mr. Arges said the real question was the cost associated and the value derived. Not all departments, at least at the hospital level, would have the information for the code. The charge master might not have the specific level of detail to know the manufacturer. If the unit was indicated and there was a need to report a specific J Code, it was reported. Otherwise a revenue code was reported.
Dr. Cohn sought clarification that J Code or NDC code were rarely used on a hospital inpatient UB92 and that, in the case of hospital outpatients, with the advent of the APC rules, J Codes typically aren't being asked for, but are being rolled up into APCs. Certain high-pay biologics and drugs are in the HCPCS C Codes and need to be listed, but under the new APC rule it is likely that, eventually, they too won't be required. Mr. Arges confirmed that C Codes are used for the APC outpatient that are basically drugs or biologics. Typically, a third party payer doesn't need that level of specificity to make payment for the treatment of a disease or illness—"You are not paying for a drug on its own.” In the outpatient setting J Codes are used for new or high cost items, but eventually they will find their way into the APC payment and the need for specificity will again drop. David White, who introduced himself as a pharmacist by background who “lived OPPS and APC coding everyday” in the corporate environment, discussed how some 200 codes sets (J, Q, C and A Codes that were “carve-outs” for additional reimbursement) reported on the outpatient claims were being switched over to NDC numbers. The problem was that the NDC number was not compatible with current patient accounting systems within a number of environments including large multi-hospital networks. A few pharmacy systems allowed them to pass, but generally, like the HCPCS codes, they had to be hard coded in a patient accounting system, adversely affecting internal charge capture.
Dr. McDonald said he heard that the solution was not useful as currently constructed. Everyone thought a good drug code would be wonderful for clinical as well as, eventually, billing management and outcomes management purposes. And NDC was useful. He suggested that maybe they should wait until “this better thing” came along in a year or so, giving the system time to adapt, and then find a way that information could be delivered within the clinical data. He noted that no one disputed having NDC in community pharmacies. And he pointed out that the regulation states NDC had to be used everywhere in the HIPAA standards, which created problems with some proposed attachments.
Dr. Cohn explained that he had been digging to determine “whether the world would be fine if we got rid of J Codes, but allowed people to use other parts of HCPCS.” He heard there was an internal billing issue--the data had to be tracked. Mr. White concurred. In order to bill under OPPS, they had to code with whatever HCFA defined as the billing increment for that product, underneath that J Code. Dr. Zubeldia recalled Ms. Trudel’s remarks on the maintenance of the code sets: if J Codes were used, somebody had to maintain the high-volatility J Code table.
Mr. Levin said the FDA had been hearing issues about NDC codes and were working on FDA regulations. He added they were also looking at the possibility of the NDC number being helpful in medication errors and the possibility of bar coding the NDC number on the end of control unit doses. He suggested that, in time, the NDC number might have more of an advantage in the hospitals. Mr. Arges recommended focusing on the physical structure itself; the NDC number could at least identify the type of drug being issued. At the same time, he expressed concern that some physical structures had to be rewritten, based on the physical size of the number itself.
Noting that a drug code is needed for tracking business inventory, clinical treatment, and billing purposes, Dr. Fitzmaurice pointed to the need for a number that--although it might have to be adjusted, based upon dosage--identified a drug at all stages, linking it with information fed back to the decision-maker to reduce overdoses, increase legibility, and monitor complications from that drug. HIPAA was focused on billing and streamlined transactions. But Dr. Fitzmaurice observed that it was good business to: track inventory through to billing, identify the drug and get information to take better care of the patient, and pay people what they should be paid. He asked, “Who should design the better drug coding system and how should it be pulled together? Is this something for the industry to do or the government?”
Mr. Arges remarked on the cost associated with taking this to the nth degree. Fundamentally, the commodity being purchased wasn’t the drug, but the treatment of the disease and illness in its entirety--and many payers had set limits around that payment method. On the inpatient basis, they looked at it based on the ICD-9 codes, in terms of the entire set of resources, not as a component of an item. He said outpatient was moving in the same direction. Mr. Arges acknowledged there might be value in doing more, but contended the high cost must be weighed in the long run against the objectives achieved in the end and whether they were worth it. Dr. Fitzmaurice agreed that efficiency in billing was important, but pointed out it is hard to get good clinical and business efficiency unless somebody looked at the details of the drugs given to the patient, tracking that through the process by which it is given and the payment is made. He said that might be beyond the scope of HIPAA, but maintained it was within the sphere of advice that the National Committee was to give to the Secretary in terms of the needs for health care data and data policy.
Mr. Blair sought to clarify the short-term immediate problem with respect to the financial and administrative transactions and the specification of the NDC codes in acute care institutional environments. Three major vendors representing a sizable portion of the market had told them they needed relief and at this point did not see the value in NDC codes. If an answer wasn’t provided shortly, they and their customers would invest considerable money and time. Mr. Blair said he also sensed the validity of Dr. Fitzmaurice’s point about the need for a clinically specific reference terminology that supported applications beyond billing. But he cautioned that if they tried to tackle that now, they would not answer the pressing need of everyone testifying about needing the J Codes until there was something more clinically specific. Dr. Fitzmaurice agreed, noting a short- and a long-term problem. He said that he wanted everyone to also be aware there could also be a long-term cost to adopting a short-term solution that did not fit.
Mr. Levin commented that the FDA and NLM were looking into a way to code based on the structure of the ingredient. They took the ingredient at the ingredient level and provided a code from the structure that identified features like dosage and mechanism of action to provide some of the things Dr. Fitzmaurice mentioned. He clarified that the NDC number incorporates the dose, potency and active ingredient. Change that and “You change that NDC number.” Two parts of the NDC number, the labor and the product codes, had nothing to do with packaging. He said they were correcting the issue of external and internal packaging and unit doses. Inside doses will have their own NDC number. The other ingredient code would be incorporated or joined with issues like dose and dosage form, making it possible to have all that information.
Ms. Humphreys said the long-term solution would be far better than the J Code, which was wholly a billing code only addressing a fraction of what is delivered and insufficient for any clinical purpose. The NDC code was down at a level of specificity so product oriented that it was alien to how many practitioners prescribed. With “the thing in the middle” that related NDC codes to what was clinically meaningful, they could automatically generate a proper billing code and the clinical aspect would be connected. She noted this left a stress point: if there was potential for an easier-to-implement solution, no one wanted to spend millions implementing a less desirable short-term “fix.”
Reflecting on the previous panel and the comment that the patient's birth weight was unnecessary because “we have done without it for so many years,” Dr. Zubeldia considered that perhaps what they heard wasn’t questioning whether NDC was a good solution, but asking, “Why change the billing practice of the J Code that has been used all along--Why force a change on us?” Mr. Arges pointed out that only a limited number of drugs were reported; there wasn’t a litany of drugs that might apply to the business side of the transaction standards.
Ms. Humphreys emphasized the importance of understanding what the impact would be for everyone of changing the physician claim. Mr. Moertel remarked that his testimony included an appendix that looked at professional claims aspects of using or not using NDC codes and outlined in detail a number of issues the physician practice would face that could be viewed as either HCFA 1500 or X12N professional claim issues. He noted 10 issues were very difficult for the professional practice to deal with at this point and stated he did not believe the NDC code was ready for the professional claim. He acknowledged there were good reasons for more specific coding, but he emphasized they had just been through the Y2K upgrade, were continuing to upgrade for the APC process, and at this point did not see a reason for another change. He said Dr. Zubeldia had a very reasonable solution. If home health was determined to have NDC codes in the 837, it could be included as a situational element put in the REF segment. Mr. McLaughlin and Mr. Bechtel concurred. Mr. McLaughlin noted that his testimony indicated that the most time would be spent on clinical practice management systems, because they did not interact with hospital pharmacy systems. Dr. Zubeldia remarked that the Home Infusion EDI Coalition contended that having NDC codes in addition to a J Code would solve their problem.
Ms. Humphreys provided a brief background on the issue. Two federal agencies were assigning codes to the same drugs in succession, and across the country people created local drug codes because HCPCS could not get them fast enough. In the original analysis, she said weight was given to the level of duplication and administrative problems that exist in the creation and maintenance of the two systems. The impact on the industry had not been fully understood.
Asked if the J Codes could be supported in the maintenance of national HCPCS codes, Ms. Trudel noted that, when the HCPCS group in HCFA determined they could handle the elimination of local codes in a two year period, they assumed they no longer had to bear the burden of drug codes. She said she would take that question back to the group.
Ms. Weiker agreed with what had been said in terms of the institutional setting, but noted instances where EDS was dealing in NDC codes and health plans were paying on professional claims. There was confusion in the industry; dispensing physicians sometimes were told they had to bill on an 837--the capability to bill NDC was needed. One solution, she agreed, would be to amend the guide and use a J Code, J9999 to indicate the location of the NDC code. Mr. Arges reported that many Medicaid agencies are big users of the HCPCS J Codes and a lot of them fall into level 3 local codes. Standardizing these would eliminate local use codes as well. Mr. Levin expressed an interest in hearing more about the ingredient code, which he said sounded like it might be a direction to go in. Mr. Blair remarked that he was pleased that FDA was participating in these SDOs; there was a good deal of information to be gained from those groups. Mr. Moertel reported that there were two comments pieces on the DSMO site; one for the institutional, the other for the professional.
Dr. Cohn summarized that he heard a need to recommend to the Secretary a change in the Final Rule regarding use of HCPCS codes for drugs and biologics and that they might want to have HCPCS in the main segment. He said he also heard them reaffirming development and testing of a new drug terminology and implementation when something was shown to be of greater value than the HCPCS codes. Mr. Blair added that testifiers indicated the domain in which the J Codes or other HCPC drug codes were appropriate; he suggested binding the letter to what was referenced because NDC codes were helpful in other domains. Members concurred. It was decided to make this modification suggestion in a separate letter from the other recommendations. Dr. Greberman called for additional discussion and specific proposals about next options. Dr. Cohn said the final paragraph should talk about the need for development and pilots. Dr. Zubeldia noted that the uses Dr. Fitzmaurice had described (tracking business inventory, clinical treatment, and billing) should be reflected there.
Mr. Marshall, a health care systems architect with Siemens Health Services, spoke for Health Level Seven (HL7), an ANSI-accredited SDO, as co-chair of its security and accountability special interest group. Responding to questions, he said although HIPAA transaction standards, including the proposed claims attachment standard, do not currently require electronic signatures, HL7 believes future transactions will ultimately include this requirement. Electronic signatures will facilitate mutual authentication, data privacy, confidentiality, integrity and nonrepudiation. They also enable clear representation of the authority and intent of those accountable for the data. Without an electronic signature standard that met health care requirements and could be widely implemented, Mr. Marshall said any HIPAA rule would require trading partners to integrate one-of-a-kind software and/or develop bilateral specifications to interpret the standard. He noted this was contrary to the spirit of administrative simplification and was likely to cause provider organizations to opt out of underlying transactions. The current state of electronic signature standards and technology demands a proactive effort by SDOs to develop and deploy a comprehensive standard implementable within the compliance time frame.
He said electronic signatures are most typically used when establishing a secure connection over the Internet, rather than in conjunction with any given messaging or transaction standard. At least one of the computers in the connection possesses an X.509 digital certificate and uses a public/private key scheme to establish an encrypted connection. A key, known only to the connected machines, secures the confidentiality and integrity of data communicated over the channel by assuring that any change, whether accidental or intentional, results in a clearly invalid result upon decryption.
Today's secured connections lack mutual authentication and the ability to assert nonrepudiation unless both endpoints possess a digital certificate. Mr. Marshall emphasized both are important attributes for health care data. Currently implemented standards only authenticate the computing device. They cannot convey the credentialed authentications of end-users in a data exchange nor the intent, attestation, authority and accountability of the sender. Some individual health information systems provide electronic signature capabilities that apply to data stored in their databases, but in the absence of implemented standards, the signatures are not represented in a manner persistent, portable and capable of detecting subsequent alteration of the information putatively signed. As stated in the NPRM, electronic signature standards that meet these requirements require the digital certificates. They must also handle the use case where the signer is a consumer who does not have a portable digital certificate.
Mr. Marshall cautioned the savings desired from HIPAA administrative simplification cannot be attained without a systematic reduction in the latencies and costs of manual and paper-based processes for the transmission and retention of information. He noted electronic signature technology could substantially reduce both. A standard for health care electronic signatures would support this solution, assuming requirements for privacy, confidentiality, credentialed authentication, integrity, nonrepudiation, intent, authority and accountability. Today, only machine-to-machine confidentiality, authentication and integrity (insufficient to the requirements of health care privacy and accountability) can be achieved.
Mr. Marshall said a HIPAA standard for electronic signatures was possible, presuming cooperation among SDOs. Cooperative efforts should aim at using existing standards, creating implementation guidelines and an interoperability pilot project among vendor participants. Existing standards may suffice; all that might be needed are proofs of implementation and interoperability.
Representatives from HL7, ASTM, X12N, NCPDP and IETF EDIINT agreed in January to produce a consensus scope statement and work plan by the end of March. Mr. Marshall said they might determine a need to update standards. This would require action by the responsible SDOs, using their own processes. A HIPAA electronic signature standard, referencing the resulting standards used in the interoperability pilot and any updates, could evolve. He noted that NIST, which did not participate in the January meeting, was identified as a source of input and its participation is considered an element of the work plan.
Mr. Marshall noted that current digital signature software does not support existing digital signature standards, either industry-wide or health care-specific. He said active involvement of vendors will be required in an interoperability pilot to demonstrate workable implementations meet the health care requirements, based on existing standards. Recruiting vendor participation is part of the work plan.
Mr. Marshall said HL7 will support the outcome of joint SDO efforts toward a recommended HIPAA standard for electronic signatures and that he would personally be involved in that effort. He estimated a completion date some 9 to 12 months from the publication of the work plan, assuming a high level of effort from each participant. By then, the implementation guides and related updates to standards should be ready to be balloted. Actual adoption depends on the meeting schedule and standards approval process of each SDO. HL7 could conduct a ballot over the Web without requiring a face-to-face meeting, consistent with the policy of the American National Standards Institute. The implementation guide for HIPAA claims attachment was balloted in two months.
Mr. Marshall said he saw HISB providing direct coordination of the multi-SDO project and NIST providing technical guidance and coordination with other government electronic signature projects. He said NCVHS should review the work to ensure that the requirements of health care and HIPAA were met by the project. He said NCVHS help was needed to advocate adoption of an electronic signature standard.
Mr. Lundie, director of health industry marketing for Cyclone Commerce and a liaison between the various health care SDOs and EDIINT represented the EDIINT task force, which was commissioned by the Internet Engineering Task Force to create a standard for sending EDI data securely over the Internet. An existing standard with hundreds of implementations, EDIINT can be leveraged, and is being utilized by the health care community to encrypt, sign and transport any data payload over the Internet. EDIINT currently uses corporate signatures to ensure that a document came from a specific trading partner. The task force believes security concepts developed for use with EDIINT may be leveraged to support personal signatures required by HIPAA and intends to work with the SDOs to create an end-to-end solution that meets their specific needs. Although the standard permits PGP/MIME and encourages the use of certificate authorities, most installations use S/MIME as a packaging standard and allow self-signed certificates. Companies who already trust each other exchange public keys by trading X.509 certificates.
Mr. Lundie said EDIINT’s only limitation is that it does not provide direct support of personal signatures. He remarked that the theory behind the technology is considered sound and, when coupled with a Certificate Authority, is infinitely scalable. He said the most immediate advantage of HIPAA may be its ability to leverage the Internet to securely transfer health care documents. A generic signature standard already exists; a HIPAA standard was possible. The problem was not inventing a reliable signature, but identifying, then defining, an implementation for each signature use case. The ASTM identified the use cases (Standard Guide on Security Framework for Healthcare Information: E2085-0), but work needed to be done on a standard for implementation of each use case. He said it was not clear if EDIINT would have a direct role in defining use case implementation standards, but the task force stood ready to make any modifications necessary to ensure payloads defined by the SDOs could be transmitted via EDIINT.
Mr. Lundie said EDIINT supports digital signatures created by signing an electronic document with a private key. Certain algorithms are explicitly supported; none are disallowed. Vendors, however, had not elected to support all standards. All interoperability trials used RSA as the signing algorithm. EDIINT is not opposed to other signature algorithms, but Mr. Lundie said the disadvantage of something else is the lack of vendor support.
He noted that the task force is working with the health care SDOs to ensure that the EDIINT standard will support whatever payload is defined for the personal signatures. Members of EDIINT are working with the SDOs to define standards for each signature use case.
Mr. Lundie said defining an algorithm should not take long. The biggest effort is defining an implementation for each signature use case, which could take 5-to-10 months for a committee to complete. He advised that a phased deliverable could be defined so more important or common use cases were defined first.
He remarked that EDIINT had been invited by the SDOs to assist in meeting HIPAA requirements in a timely manner. He advised HISB and NIST to set specific, aggressive targets for delivering a specification. He recommended that, when possible, milestone targets occur every few months. The question was not whether the technology was up to the task, but which to use. And he suggested that the technical advantage of any one approach was not as important as specifying a viable solution and moving forward.
Ms. Lovorn, chief privacy officer for Protegrity and past chair of the ASTM Subcommittee that wrote these standards, noted that four primary standards in response to the original HIPAA legislation were developed in 15 months. She said this is a doable effort in much less time.
She explained that the Standard Guide on the Authentication of Healthcare Information, published in 1995, was revised last year with no substantial changes, other than to update references performed on that standard. Its criteria and requirements are listed in the draft NPRM on security for digital signature. ASTM developed the standards as a result of HIPAA and the recurring and increasing need to protect health information. The committee, composed of health care providers/organizations, computer security implementers and others interested in the protection of health care information, is driven by requirements of the regulatory environment and by what users and participants need to help them do their everyday business. Other standards for development that apply to digital signatures are the technical security framework, ASTM E2085, and the digital signature guideline, E2084.
ASTM early on saw the health care industry’s need for ways to provide authentication of health care information, data integrity, and nonrepudiation of actions on that information. She noted requirements in the guide for electronic authentication of health care information, ASTM E1762, are only met now by digital signature technology and so those two standards were developed.
ASTM E2084 is based on security industry standards developed by ANSI, INSEL, and NIST. Standards used include: ASTM E1762, ANSI X9.30 on using algorithms. RSA, ANSI X9.31, and the elliptical curves (a new technology for doing digital signatures on systems without large processing capability). The ISO standards 9796 and 9594 deal with authentication and with digital signature. RFC was used to base the digital signature on cryptographic message syntax. Working with the ongoing standards developing Internet information security, ASTM identified those parameters that needed to be addressed to solve the requirements of health care and set up and defined minimum standards.
Ms. Lovorn said key length may need to be increased due to advances in technology and processing power, but several implementations, mainly requirements of the ANSI and ISO standards, have been available for several years in other markets. She advised verifying implementation against the ASTM standards, but said the committee foresaw no problems due to its diligence in following existing standards. Minor changes might be needed as a result of this common SDO effort, but they were in concert with what was happening in information security.
ASTM Committee E31 believed it had developed a standard of digital signatures that could be used by HIPAA implementers to meet the requirements identified in the security NPRM and in privacy final regulations. Some requirements were taken from E1762 for electronic signatures. Only digital signatures meet all the requirements identified in E1762 and in the security NPRM.
Ms. Lovorn noted that significant differences in a HIPAA standard and events in the information industry could have significant impact on markets and vendors that provide information security. But using approaches successful in other industries and requiring minimal changes, in conjunction with administrative simplification, could make for less costly implementation.
Ms. Lovorn said ASTM was pleased to work with the other SDOs. She noted they participated in the January meeting in Orlando to develop additional standards and implementation guides for digital signature. They also assisted with the technical standards developed by E3120, the Subcommittee on Data and System Security for Health Information and E3117, the Subcommittee on Privacy, Confidentiality and Access. She said ASTM would attend the joint development meetings, work on joint products and review all the standards. ASTM was willing to revise existing standards to meet consensus.
“Starting from scratch,” she said it could take 18 months. But she noted that, if there was already a foundation document developed in the E1762, E2084 and E2085, the time frame could be cut back to under a year. Individual Standards might be implemented in six months. Other industries did this. She pointed out that they could build on other foundations, experiences and marketplaces.
ANSI has begun to provide coordination for SDOs and development of implementation guides identified in the January meeting. NIST, no longer in the standards development process for information security, participates with ANSI X9, IEEE and IEPS in the development of standards. Primarily its mandate is to oversee development in the marketplace. Even with the advanced encryption standard announced last fall, the final document will probably be handled more as an ANSI standard than a NIST publication.
Concurring with Mr. Marshall, Ms. Lovorn encouraged NCVHS to advocate adoption of an electronic signature standard. She also urged the Subcommittee to provide encouragement and additional guidelines so SDOs could come together to meet the needs of the health care industry.
Mr. Staniec, executive vice president of Business Development and External Affairs, NCPDP, discussed the status of digital/electronic signatures in the pharmacy services sector of the health care industry. NCPDP's Data Security and Patient Confidentiality Work Group created a task group to evaluate electronic signatures/digital certificates used today in retail pharmacy and other SDOs’ standards. Mr. Staniec said NCPDP is committed to cooperatively working with all the SDOs on a product that benefits everyone in health care.
NCPDP’s ANSI- accredited standard, SCRIPT, is an electronic prescriber/pharmacist interface standard used for transmitting electronic prescriptions. NCPDP also has a telecommunication claim standard 5.1, mentioned in the HIPAA Final Rule on Transaction Code Set. Only the SCRIPT standard would be directly affected near term by digital signature legislation. NCPDP developed SCRIPT, but state laws determine rules and regulations governing its usage. Some states Boards of Pharmacy do not allow electronic prescribing. Only a few address electronic signatures. Mr. Staniec said implementing digital signatures might induce other states to allow online prescription submission. On the pharmacy side of the prescriber/pharmacy transaction, one of the biggest challenges is authenticating a prescriber. NCPDP is aware that the DEA is looking into this issue and has posted documents on its Web site about their work on prescribing controlled substances that will require electronic signatures. Mr. Staniec noted NCPDP was interested in other potential use cases: e.g., prior authorization and medical necessity issues.
NCPDP does not have an electronic signature standard. A small number of member companies, when allowed by state law, use a variety of identification and authentication methodologies. Mr. Staniec noted widespread confusion over what constitutes an electronic signature. Most of NCPDP’s constituents use more secure value-added networks or dedicated telephone lines, and prescriber/pharmacist transactions are often transmitted via fax. Some companies argue that via these channels digitized images of a physician's signature or codified identifiers constitute a physician's signature and some state Boards of Pharmacy agree. This needs clarification.
A number of companies offer digital certificates, complicating the issue even further. Will pharmacists and pharmacy technicians be required to have more than one electronic signature? If a pharmacist or physician works in different settings (i.e., hospital versus retail), will he need multiple digital certificates? Who will act as certificate authority? Mr. Staniec expressed concern about future regulations that require such certificates and the burden they would impose. NCPDP will discuss these issues in detail at Work Group and joint SDO meetings.
A HIPAA standard for electronic signatures would benefit the health care industry by mandating a federal law, one standard to be used by everyone, versus the multiple standards in use. Costs would be reduced over the long term with only one implementation. A HIPAA standard for signatures is possible, but issues must be addressed for business functionality to succeed. Interoperability issues must be resolved. The WEDI AFEHCT interoperability project had challenges with interoperability and everyone could learn from their experiences.
NCPDP is concerned with multiple certificate authorities. What happens when you have multiple pharmacists and technicians in the pharmacy? How will pharmacies verify physicians that are at different sites? How many negative files will be stored and where? The certificate authority issue needs to be addressed along with the electronic signature standard issue.
NCPDP members will have to make modifications (machinery, software enhancements, digital certificates) that will increase costs initially. Adopting one standard, however, will be cost effective over the long term. One signature would eliminate the need to deal with a plethora of formats. NCPDP will work with the other SDOs to resolve the certificate authority and other interoperability issues. Pharmacy will have to deal with some up-front costs (programming, purchase of machinery and staff training). More transport methods are used today than just the Internet and have to be considered. And not all pharmacies have Internet access.
NCPDP will support such a standard, so long as it meets business and technical needs of the pharmacy services sector of the health care industry.
NCPDP agreed to participate with the Multi-SDO Digital Signature Project. Mr. Staniec said he will be the primary contact for NCPDP. He agreed to participate, along with NCPDP members, on joint meetings between the SDOs, conference calls and e-mails. A project plan document is targeted for March 31. After review, the implementation guides will be created, complying with past HIPAA regulations. Anticipated development time frames will be included in the project plan. Factors affecting that time frame include the costs of implementing the standard. For example, software for encryption scanners will be needed in retail pharmacies. These devices and other software enhancements must be integrated in pharmacy practice management systems. Costs for storage of scanned material must also be addressed. HL7 agreed to fund this project. NCPDP offered conference calls in a round robin fashion. The private health care industry has the burden of paying the cost of implementation. NCPDP asked for federal funding to help pay for implementing this standard. Mr. Staniec also suggested that the certificate authority companies provide funding.
HISB does not develop standards in the health care industry and NIST does provide security standards for the Federal Government. NCPDP encourages members to join the multiple SDO digital signature group and appreciates feedback on these issues.
NCPDP encouraged NCVHS to work with SDOs and help monitor the process. Noting it takes time to reach consensus, Mr. Staniec asked for time for consensus, rather than putting out a standard with problems and high costs. Mr. Staniec noted that state laws via the State Board of Pharmacies dictate the rules and regulations of NCPDP standards, but said NCPDP would appreciate guidance regarding federal preemption and interstate commerce.
Mr. Waegemann reiterated his belief that claim standards in health care are a priority and have benefits. He noted that this panel, like earlier ones, had a short-term and a long-term issue. He said the short-term issue was twofold. One side recommended HIPAA electronic signatures or digital signatures. And the other countered how, with a volume of over a trillion dollars, could they send out claims that were not authenticated? He said putting both views on the table and coming up with some solution is the short-term issue.
Mr. Waegemann said he was pleased with the request from HL7 and that people were starting to get involved. He emphasized two points. The signature system was not as simple as some people at the table indicated. And what they really had to focus on was the international standards work. Remarking that ASTM standard E1762 and other ASTM standards are “the tip of the iceberg,” Mr. Waegemann described a document detailing how some 30 countries create 20 signature systems for health care and its 17-page, single-spaced background paper on standards in the world on security and confidentiality in health care affecting signatures. He said it is time that these independent efforts are coordinated.
Mr. Waegemann discussed the March 7th ANSI HISB meeting’s objectives: developing this coordination process and creating a time frame and coordination plan that addresses practical implementation within the framework of ANSI accredited standards organizations. He said they would start the process and that he was confident that it could be addressed and resolved.
Responding to queries, Mr. Waegemann said the international medical informatics community had a consensus that a health care signature is different than an e-commerce signature and has different requirements based upon ASTM standards E1762, E2085, and E2084. He advised against specifying an algorithm or any specific technology, which could change within two or three years. Short term, he recommended taking current standards that work and developing an implementation guide, maybe one for HL7, one for X12N, and one for NCPDP, which could include HIPAA transactions with input from the security experts of ASTM. Mr. Waegemann emphasized that looking at the whole PKI was a long-term project. He said he was confident, as everyone started on the short-term project, that they will go the distance.
Mr. Waegemann noted that HISB was also coordinating some PKI efforts and had identified 12 in the United States. He noted there were at least an additional 20-30 worldwide in the health care field. He said what was needed was a framework of acceptable ways for PKI and digital signatures-- “So Kaiser Permanente can accept some signature from London or Tokyo.”
Remarking that PKI takes time, he advised focusing on coordination. HISB was willing and ready to coordinate between ASTM, NCPDP, X12N, HL7 and others working toward the short-term solution. He encouraged everyone to pick the short-term issue and start working.
Dr. Zubeldia thanked everyone for testifying, noting the reason for calling upon them and the multi-SDO PKI signature coordination was to move this digital signature aspect forward. He said he was concerned about several things he had heard and disturbed that X12N was not there. He said he hoped people in the room would make a special effort to reach out and work with X12N in this project; the last thing they wanted was a multi-SDO signature that did not include X12N. Dr. Zubeldia agreed with Mr. Waegemann’s view of one standard and multiple implementations to satisfy different needs. Mr. Marshall explained that the one standard with one implementation guide he spoke of was not monolithic; he envisioned multiple-use cases. Asked about the interoperability pilot, he said it would consist of a matrix showing who speaks to whom for what use cases; it would be a three dimensional matrix. Dr. Zubeldia noted they heard HL7 didn’t have one standard for health care, NCPDP didn't have one for signatures, and ASTM did have one for health care signatures. He asked if the other SDOs intended to adopt the ASTM signature standard and express it in a manner that satisfied their SDO needs. Mr. Marshall replied they have been reading the E1762 and E2084 for HL7. Mr. Moertel noted that HL7 had expanded much effort to put forth a framework workable for the health care community and he asked if they were engaged. Mr. Waegemann said HL7 was one of 12 organizations they were talking to in HISB.
He also noted that the March 6th HISB meeting would deal with XML coordination and PKI; March 7th would be for signature coordination. Ms. Lovorn mentioned that March 5th was the U.S. TAG meeting for ISO-02C215 and a discussion of the PKI documents already presented in Stockholm and scheduled for Seoul in March on adoption as an international standard. Mr. Waegemann pointed out that the importance of the U.S. TAG was often overlooked. At that meeting they would vote on a U.S. position on signatures and on PKI that could not be reversed. He encouraged everyone to be there because that is where they would come up with a national consensus.
Dr. Fitzmaurice remarked that discussions with Mr. Waegemann over the years impressed on him that health care has unique requirements not met in any other commercial digital signatures. He asked the panel if any other commercial digital signatures came close?
Ms. Lovorn reported ASTM found that there are differing requirements, but that they are similar. The structures identified were expandable or changeable, configurable or selectable. In defining the roles and purposes, they could be set up for the environment one was in. Speaking as a Siemen's employee with “over a half-million desktops involved,” Mr. Marshall said he was brutally aware of scalability issues and did not know of any current commercial implementation that provided a level of interoperability, portability and scalability to meet just the business needs in cases. Right now, he said the set of standards were paper documents without the degree of scalable, robust implementation needed for the business. As an implementer, as well as a standards developer, he expressed interest in getting this work done because it was necessary for the health care IT industry.
Dr. Zubeldia remarked that what they said was extremely disturbing and asked their advice. The Subcommittee could recommend that the Secretary adopt this paper standard put together by the multi-SDO. But it could be the wrong standard; by the time it was implemented, it could be out of sync. He asked if they should instead have another mechanism as an industry target and when there was something more solid, adopt it as a HIPAA standard. Mr. Marshall advised staying within the HIPAA standard that drove a large number of industry decisions. He said the necessary structures existed; it was a matter of “lighting a fire under the industry.” He reiterated the need for an interoperability pilot. Vendors expressed considerable interest in pursuing this work; he was confident they could be recruited to produce the necessary commercial components. Ms. Lovorn proposed looking at the short-term solution: digital signatures could be implemented without an infrastructure. She mentioned the different MIME implementations, noting it takes time to work out the bugs; that was how technology moved forward. But this would not interfere with what health care needs and requires to support the electronic exchange of information. Mr. Waegemann remarked that people tell him that HIPAA is one of the most outdated technologies. They were basing everything they were doing on an EDI standard from 1994; e-commerce was more elegant, more commercial, and a much better solution today.
Mr. Lundie acknowledged the points they heard were extremely complicated and problems needed to be resolved. But he pointed out that interoperability between multiple entities was done every day in commercial applications dealing with procurement and e-commerce initiatives. And this worked well with self-signed certificates, where there might not be a certificate authority. He affirmed there was a framework, practices and use cases to build upon and implement through interoperability pilots. He recommended getting vendors involved and health care providers and institutions working through the bugs, mechanics and issues. Standards had to be there for the industry to move. Otherwise, there was no impetus, only push back. Dr. Zubeldia said he heard them advocating an environment with full international PKI and digital signatures, but Ms. Lovorn and Mr. Marshall also wanted a development product used today to improve upon while the full blast PKI is deployed. Under HIPAA, that can be changed every year as they learned from it. Mr. Marshall concurred. PKI and digital signatures were not a chicken-or-egg sequential process. Two fundamentally different issues are happening simultaneously. PKI becomes a formal structure in which trust can be established and exchanged. It does not require a specific digital signature technology or standard. Within a small-scale implementation, trust can be established by bilateral agreement less formal than full-scale PKI, enabling an interoperability test.
Mr. Waegemann agreed that both had to be done in parallel. He noted that PKI was a complex issue involving credentialing organizations at a much deeper level than what was done now. For signatures, one needed to not only know this is an M.D. but that this is a pediatric psychiatrist with fees credentials and specific privileges for accessing information and signing. It is a question of smart cards, biometric identification, shared secret, or software approaches; certificate authority standards and registry authority standards. A different infrastructure and a whole framework of many detailed standards are needed long term.
Dr. Zubeldia summarized: the three SDOs agreed to work together on a short term solution for signatures, under the coordination of HISB; Mr. Waegemann agreed to coordinate that effort, including X12N and potentially others they discovered through HISB, with the assistance of NIST, FDA, DEA. They will lead a long-term effort in parallel. Mr. Waegemann would reflect consensus in a letter to the Committee. X12N was not present and had not participated in the multiple joint meeting; nobody knew his or her position.
Dr. Cohn noted normally the Subcommittee would draft a letter supporting the effort and thanking the SDOs for collaborating on this important HIPAA initiative; it would be useful to know before the Subcommittee presented a letter to the full Committee in two-and-a-half weeks if, in fact, all the SDOs were participating. Mr. Blair asked what the Subcommittee might do to encourage X12N to participate. Dr. Zubeldia said there was a SDO meeting next week in Seattle and he intended to convey their disappointment and encourage X12N to fully participate.
Mr. Staniec pointed out that there was not a Security Final Rule and knowing the policies in certain use cases was essential in developing a project plan; anything the Subcommittee could do to get it published would help immensely. Dr. Cohn noted that they were considering the annual report to Congress tomorrow and that might be reflected in that. Ms. Lovorn commented on how everything was interwoven and it was hard to take on one part without some hope of the others happening.
Mr. Waegemann asked if it was possible to create a white paper on whether signatures should be included in HIPAA. Dr. Cohn recounted that at the hearing they heard that this was an important industry issue, but there was no industry agreement and certainly no SDO consensus on any approach or solution. They needed to demonstrate something worked and was implementable. Dr. Zubeldia remarked that they didn't have a choice; the HIPAA law said they shall adopt the standard for signatures. Ms. Trudel noted that electronic signatures were important in theory, but that none of the HIPAA standards adopted so far had a requirement for an electronic signature. Until there was a workable standard and a particular articulated business case, transaction by transaction, she doubted how practical the approach was. She suggested the DSMO process was where to say: “Now is the time, the claim needs an electronic signature.” Dr. Zubeldia remarked that the only business case they had heard today could be for the prescriptions, and even that was doubtful. Mr. Staniec acknowledged the volume was low, but emphasized it was of great interest. Ms. Ward said they had a business case. State Medicaids came to the HL7 meeting and requested three attachment types: abortion, sterilization and hysterectomy to be developed, all requiring signatures. Dr. Zubeldia said it would be helpful in putting those business cases together, to build a case on how a Medicaid beneficiary is going to get a digital certificate to sign with a digital signature. Ms. Ward said that was already part of their discussions. Mr. Moertel said they were already doing public/private key encryption with the claims transaction and a signature on file. They had an X12N transaction that provided an envelope for any one of their transactions that they secured with the transaction and the envelope and sent it. It was decrypted and opened up. That was already being done. Ms. Trudel explained she was not talking about encryption, but about a need for an electronic signature. Mr. Moertel asked if her expectation was having an electronic signature within the claims transaction or continuing with a signature on file. Ms. Trudel said this was the business decision people needed to think about and bring forward. Mr. Moertel remarked he was hearing two very different situations. One had a signature that provided the encryption for a data file and packaged a batch of claims. With the other, each individual claim had an electronic signature associated with it. Dr. Cohn noted this was an industry decision; he said Ms. Trudel was trying to point out that the industry needed a reason to have a digital signature. Ms. Fyffe suggested what they were talking about, in theory, was the incentive that might move the industry toward electronic signatures.
Mr. Moertel posed another business case. They were trying to pass claim files over the Internet with government organizations, but could not because recommendations for securing transactions had not been finalized. They were not authorized to use the Internet, even though they had encryption. He suggested the business case for the claims transaction was his need to get away from async communication, fraught with problems, and use the Internet—but he cannot do it without this process. The business case for the claims transaction was not digitally signing each claim, but signing the package, yet having it in an environment acceptable to HCFA, HHS and the health care industry.
Mr. Alan Zuckerman, Georgetown University Medical Center, noted the HIPAA Security NPRM, and ASTM standards mention continuity of signatures, but he had not heard anything from the SDOs about what this involved. He said extending interoperability beyond bankruptcy, technology change, and ownership of intellectual property was a major issue for NCVHS. He suggested that government should develop repositories of cryptographic algorithms, certificate reauthentication and revocation lists that would survive beyond the life cycle of the organizations involved. Ms. Lovorn acknowledged this was an important issue, particularly in states like Minnesota, which requires keeping medical records for 70 years. She said ASTM recognized this and a Subcommittee was looking at those issues to come up with a draft standard.
Dr. Cohn summarized: Mr. Blair had suggested a letter to the SDOs expressing appreciation for their involvement and Dr. Zubeldia said he would talk with X12N to ensure the letter was properly written and went to the right person. Dr. Cohn said, if there was an issue, they would invite a representative from X12N to discuss it with the Subcommittee during a breakout at the full NCVHS meeting. Understanding why X12N was not fully involved, they could seek ways to mitigate barriers to implementation. He said, hopefully, they could arrange a presentation of the project plan at the March or subsequent meeting; Mr. Lundie noted he had to transform his personal intent into one with HISB support. Mr. Scanlon suggested the annual report to Congress on administrative simplification of health care was another vehicle to raise these issues. And Mr. Waegemann noted that extending these conversations to the neutral ground of the coordinating organization might make it easier for everyone to come to the table. He volunteered to work with Mr. Marshall. Mr. Waegemann asked anyone familiar with benefits of signatures to contact him; he was working with a coalition developing a white paper that hopefully would be neutral and basic enough to present a business case for signatures. Dr. Zubeldia said letters from the SDOs saying they were voluntarily participating should be addressed to Mr. Waegemann.
The group discussed the morning’s activities, the data issues and next steps. They hoped to move forward on a fast track to HHS with a letter on the NDC codes. But Dr. Cohn noted they were aware that the DSMOs probably had a bunch of escalating concerns that were a combination of business and maintenance issues; HHS doubtlessly had received similar data items. The question was how to efficiently ensure that these issues got the attention of the right people, so investigation could occur and a response be brought to NCVHS. Dr. Cohn asked if they were willing to facilitate that process or if some of this should be sent directly to X12N. Ms. Weiker noted that the time frame for entering the February batch of change requests for the DSMOs had expired at midnight. She said she would ask that the requests be sent to the six organizations no later than Monday, so they could decide whether they wanted to collaborate. She noted X12 met the following week. The next step was to determine a definition of maintenance and modification and communicate that to X12N, NCPDP, and HL7. The Work Groups in X12N looking at these requests (whether they came in through the errata or DSMO process) would then know how to categorize them and what paths to follow: when to update the guide with an addendum and when to go back through the DSMO process. Ms. Weiker said all the change requests done at the time that they meet would get addressed. They might not have the technical solution, but the business analysis would be done and posted on the Web site. Noting that NUBC and NUCC expressed interest in several requests in the first batches, she said she would talk with them about getting their analysis moving. She remarked that Ms. Trudel and Ms. Ward obviously understood the urgency and that it would be communicated to the leadership of X12N, as well as to the co-chairs. Ms. Weiker said she would see if the 90-day time frame was doable in 30-to-45 days.
Dr. Cohn said he doubted that errata and minor maintenance issues would take much of X12N’s time. But significant business issues were also mixed in and doing the business analysis they needed to be aware of the business needs. Noting there might be other ways to handle the business need with some requirements and that other issues might no longer exist, Dr. Cohn welcomed guidance from X12N and the DSMOs. Dr. Zubeldia said it was clear that the business issues were all going to be modifications. As modifications, any business issues in the errata list needed to be sent through a DSMO process. X12N needed to go through the errata list, looking, not for showstoppers but for business issues to take through that process. Ms. Ward reiterated Ms. Weiker’s point: they could not just keep fast tracking everything. This batch cycle resurfaced every month. At some point, they had to say everything that precedes a certain date “goes down a different path.”
Dr. Zubeldia addressed concern about a fundamental change in the process. The errata list had been sent through the Washington Publishing Company Web site with an intent to identify showstoppers, not to correct little things. Now the intention was to correct everything that was maintenance and send changes through a DSMO process. Ms. Ward observed that a number of members of the Subcommittee also wore X12N hats. She co-chaired a Work Group in X12N, just like she did in HL7. They treaded lightly in committing X12N because that was not their job, but they did everything in their power to make sure the X12N management team was aligned to realize the results everyone needed. They would be at X12N’s management meeting next week, represent this group’s opinions and recommendations and hope that they could pull together, because most of this fell in X12N's lap. Ms. Emerson said that if the Work Groups were not trying to meet this first-year deadline, they might not have concentrated on showstoppers. Dr. Cohn countered that he heard stuff needed to be cleaned up as much as possible, so people could develop software to implement--that redoubled the issue. Ms. Weiker suggested that if the list were ready slightly after the first year, there would be more flexibility in what could be included; they would not be limited to showstoppers.
Ms. Ward observed that when it was a question of changing syntax or adding a data element the distinction was fine. Substantive issues (e.g., is it NDC or HCPCS) could not wait. She suggested the Subcommittee had only changed the terminology and were now calling what was put into the DSMO “modifications.” But the errata Work Group was working under the concept that showstoppers did not have to go through a DSMO process, Dr. Zubeldia responded. They were going to be addressed only within X12N and the rest would be ignored. Now, these changes had to go trough the DSMO process. Ms. Ward doubted that the errata Work Group was working under that premise; the errata group had been focused on what they thought they needed to do and the DSMO Steering Committee did what it did--and now everyone saw the overlap. Ms. Weiker suggested this could be cleaned up with clear definitions: maintenance and modification. The point was to move forward quickly.
Dr. Cohn said it made sense to have somebody who could speak for X12N at the February breakout meeting, so all this was straightened out and the process worked optimally. The main issue for the Subcommittee was making sure implementation proceeded well. Without it, he observed, there wasn't much to HIPAA--“We are at the “rubber meets the road stage.” Serious analysis was being done in multiple different environments at high levels; the group needed to make sure issues were handled reasonably quickly and thoroughly.
Ms. Trudel observed that guidance on the difference between maintenance and modification was at the crux--and decisions on who needed to participate and the process for developing definitions were central to the next steps. Ms. Ward urged everyone to resolve this before Sunday’s X12 meeting. The guidelines had to be clear before the Work Group co-chairs in X12N began their evaluations. Dr. Cohn asked for them to return for a breakout of the Subcommittee at the February 21st Committee meeting. He requested a status check from them and X12N to understand the emerging process, how modifications and other things were aligning around the time frame for resolution and recommendations. The Subcommittee was not looking for the final answer then, just enough to set the stage for an agenda to deal with as possible in the March-early April time frame. Ms. Ward noted that NUBC and NUCC opted in a lot and met the prior week. She said they would get input from them as well. Ms. Ward said she would make a formal request at X12N that somebody either from the health care task group or X12N attend the February 23rd meeting.
Dr. Cohn expressed concern that there is such a short space between February and the June NCVHS meeting. But he said they probably could get leave from the Committee to begin to process these issues, develop interim letters, and begin to give industry guidance. Things did not have to be held up until the June full Committee meeting. He thanked everyone for their determined participation and involvement in a long meeting. He observed things were getting interesting. He was confident they were going to be successful, but obviously they needed to move quickly. The meeting was recessed at 5:25 p.m., to reconvene the following morning.
Mr. Blair began by noting that in January members of the Subcommittee received two working documents. They took up the first, the draft work plan, in the November meeting as they defined areas of focus and criteria for selecting PMRI standards. Members had been asked to review it, prior to this session, so they could move through the second distilled work which concentrated on: areas of focus, criteria of selection and a draft questionnaire. Mr. Blair summarized their activities and that last meeting. Last year the Committee gave a report to the Secretary conveying recommendations and guiding principles for selecting PMRI standards. One recommendation was to select PMRI standards 18 months after the release of that document. At the last meeting, the group agreed to begin their first iteration with the least controversial, most easily implemented standards. The work plan calls for at least a first cut at the criteria and areas of focus by the end of March. Based on comments at upcoming hearings, they will send questionnaires to SDOs built on the criteria and compile responses this summer. In the fall, the group will determine their decisions and make their report to the Secretary on the first iteration next February. Mr. Blair noted they were not limited, as they had been with other standards: nothing in the law stated there had to be an NPRM. They could recommend whatever mechanism offered the best way forward.
Mr. Blair said they would briefly review that original work plan to make sure everyone felt comfortable with it as a foundation. Dr. McDonald had offered some areas they might focus on, which he had expanded a bit and which they would discuss. Using matrices, they had “boiled down” the 15 criteria for selection in their report to the Secretary to eight measurable criteria. Four different levels of measuring and weighting factors were developed to compare candidates on a fair, equitable, meaningful and documented basis. Dr. McDonald noted they talked about working in two stages; in this first they “wanted to hit the low hanging fruit”-- the least controversial, most easily implemented standards. Because of the complexity, what they crafted probably would not be as strong as the administrative standards, but might be recommendations or an NPRM with encouragement. Mr. Blair concurred. Given the choices available, the Subcommittee would be more cautious with these mission-critical applications that dealt with patient care; what they recommended probably would not have “the same teeth” as previous standards.
Noting their discussion could become complex quickly and that by the end of it they had to feel prepared for the March hearings, Dr. Cohn focused on what they needed to do this second day. They did not have to come up with all the answers or reach consensus, but they needed to know what feedback and views from the industry they sought. Returning to the emphasis on low hanging fruit, he said they needed to acknowledge and reassure the industry about areas with fairly significant market acceptance where it should invest in these implementations and standards. He pointed out that they needed to think about catalysts--areas still undeveloped in the marketplace where NCVHS and HHS could provide leadership and direction preventing multiple, inconsistent standards. And he said they needed to look hard at the transactions: clinical, administrative and financial all merged and became confusing.
Ms. Fyffe reiterated the importance of this focus and having rigorous presentations and discussions in the hearings about what this will cost. She noted the American Hospital Association requested that the White House review the privacy rules because of the enormous cost to the hospital industry. There had been criticism about the cost estimates of administrative simplification and the Privacy Regulations. They had to be cognizant and careful as they proceeded. Dr. McDonald reflected on yesterday’s lesson about NDC versus J Code, remarking that, to the degree they went with the market or the absolute requirement, they would “get into trouble.” Ms. Fyffe noted a third of the hospitals in the United States were in the red. Mr. Blair observed that no matter what standards they picked or how high market acceptance might be for some of them, they were going to face open issues and would have to be cautious in terms of scope, balance, framework and cost. Hopefully, they had built this six-page work plan they were considering so it raised the right questions and they could think through at least some of them.
Ms. Humphreys emphasized the need for a different approach than with HIPAA. They needed to select a standard that had reasonable market acceptance or looked like it was going the right direction. Then, they could say, “If you do this electronically, you must use the standard--But there is no timetable forcing you to do it.” A timetable could always be reevaluated, as acceptance broadened. Dr. Cohn remarked that was a useful framework they might want to recommend to the Secretary. Ms. Humphreys said Mr. Blair offered a potentially useful strategy for some standards; maybe they would think of others, after hearing from everyone. Dr. Zubeldia wondered if their approaches could be supplemented by the government entities adopting recommended standards and encouraging the industry, but saying, “It’s up to you.”
Dr. Shortliffe suggested that for himself, as a new member, and for many on the Internet it might be helpful to hear why they wanted to see the development of standards for medical records and the data in them, how the group views their role relative to the development of these standards, and how this would benefit the way in which health care related to these issues. Mr. Blair explained that the administrative simplification provisions of HIPAA charge the NCVHS with studying issues related to the adoption of uniform data standards for PMRI and the electronic exchange of that information. The Subcommittee and the full NCVHS approved a 60-page document submitted to the Secretary last July stating the need to focus on impediments to uniform data standards for PMRI. The major impediments identified were interoperability, comparability, data quality, accountability, and integrity. Recommendations were made but the Subcommittee chose not to select specific standards at that time, but to ask the Secretary for support in going forward, based on the set of guiding principles.
Mr. Blair encouraged the group to continue with this second work plan and a detailed fax Dr. McDonald had prepared. They might build consensus, he suggested, if they stepped through the process. Dr. Cohn read the list they had compiled of possible areas to focus on in testimonies: the admission discharge transfer laboratory orders; laboratory observations and results; organizational charge information; master file delivery; radiologic images; decision support; prescriptions to retail pharmacies; vital signs monitoring, ICU; medical transcriptions; and code sets for diagnoses. Starting broadly, Mr. Blair commented, helped ensure that they included all possibilities. They could solicit feedback from SDOs and do a first cut. Once they set up criteria and people responded, the list would narrow.
Dr. Cohn noted ICD-9 did not need further investigation at this point. Dr. McDonald said ICD-10 was already in as part of the administrative standards and the NPRM; Mr. Blair noted they could address that when they looked at medical terminologies after this initial cut. Dr. Cohn suggested prescriptions through retail pharmacies might be important to be recommended as an administrative or financial next step HIPAA transaction. Dr. McDonald reflected it would be better in the second round, since it was in flux and there was not yet strong market consensus; a second round offered time for hearings and gaining a sense of the market. Dr. Cohn concurred. The answer might be to ask the market.
Ms. Greenberg noted that the Subcommittee on Populations was working on its report on functional status, the ICIDH2, which had been approved by the World Health Organization to take to the World Health Assembly in May with an assumption it will be approved, published, and included among PMRI code sets for PMRI standards. Noting she heard that terminologies would be deferred, Ms. Greenberg said that, as the classifications for functional status information likely to be included in PMRI, the Subcommittee would like at least to consider this. Dr. McDonald cautioned about mixing the code sets into this discussion, because of their different HIPAA rules. Ms. Humphreys suggested looking at ICIDH2 later, along with additional code sets that might be approved, as regular HIPAA follow up.
Dr. McDonald noted that laboratory orders made a narrow category; talking about diagnostic test orders might be more sensible. Results and observations also needed to be expanded, including at least those with numerical and current coded responses. He questioned why institutional medication prescription orders were not included and noted a query about J Codes also belonged in the list. If prescriptions had market penetration, they too should be added. The question with medical transcription was did that go to HISs--was it just text reports? They would end up with different standards, depending on which scope they addressed.
Ms. Humphreys suggested if the group concurred with Dr. McDonald’s sense of influx and market penetration, those issues could be put at the end of the list. Mr. Blair said his inclination at this stage was to let the process do the winnowing. Dr. McDonald responded they had to prioritize; they couldn't spend six months on hearings. Dr. Shortliffe proposed casting a wide net on the questionnaire, recognizing that by the time things were prioritized, there would be a de facto second round. Noting Dr. McDonald’s counsel against moving beyond numeric or other clearly codifiable results, he suggested this might be a way to think about how to design the questionnaire and specify areas of interest. Codified results of pathology and histology reports with real codes associated with diagnoses might be the kind of reports they wanted to be able to manage--and where they might want to look for standards for transmission and management.
Remarking on another of Dr. McDonald’s points (the purpose information serves), Dr. Kolodner commented on experiences with VA and DOD where they optimized (e.g., a pharmacy system) and then had to go back and realign in order to sustain patient care and decision support. The group heard yesterday about similar experiences with the code set. He said he found with DOD that moving textual information back and forth (at least being able to interdigitate dates, identify signers, and read text) helped clinicians and improved patient care. Although not great for decision support, it was something that could be done sooner rather than later among the different hospital information systems. Discharge summaries and path reports were passed over and transcription groups had defined templates. He expressed concern that where they had “the waterfront” they hadn't decided what to move forward. Choosing what helps improve clinical care and making sure it also supports the business processes, whether billing or ordering, might provide keener focus than only low hanging fruit. Dr. Shortliffe said the comments were important and valid; he clarified that he only meant to distinguish these two kinds of reports and put one in a different category. Whether medical transcription was low hanging fruit was a subject for discussion. Dr. McDonald advised to cast the net as well as the transcription; that way they got the difference between what happened inside the transcription system and what occurred in reporting things to the boards. Dr. Cohn summarized: the consensus was to cast a wide net in that area that handles both codified and non-codified information; they would all rather narrow down as they get more information.
Dr. McDonald spoke about balance and choosing between future possible versus present realities. He cautioned about hubris and recommended not getting “too hung up on vaporware.” Hundreds of speculative decisions and standards of activities went on across the industry and many organizations were concerned about them. They should be speaking out with them. Dr. Cohn agreed. He said the issue usually was when they talked about standards in plural, rather than with a zero in front of it. Mr. Blair said he thought they had widespread agreement on that as they went for the low hanging fruit. But he cautioned that when they got into medical terminology and areas where things are needed they would have to struggle with that. They might not be able to recommend a standard, but they could recommend support for the development of standards.
Mr. Blair noted the strategy within HL7 to build reference information models and asked about the capability of models to enable and facilitate faster development of standards. Dr. Fitzmaurice recalled that in hearings over the two years they asked SDOs what model they used and got different answers. It was important to think in an orderly manner, yet not get bogged down in detail. Something that communicated to congressional staff, bosses and the administration might not be useful for the coding people. He said he would like to know what coordination SDO’s thought would be useful. Mr. Blair noted they had considered reference information models an important enabler when they did the report to the Secretary, but did not address them because of the complexity. He said it was important not to gloss over them this time. Ms. Humphreys read a comment on Dr. McDonald’s fax: “It was easy to say they were important, but difficult to endorse any one model.” He suggested delaying the question until they had a better understanding of what message standards were included. Dr. Shortliffe recommended asking each testifier about their “view of the room they were using” as they testified. Dr. Kolodner observed the difference between endorsing a particular set of models and acknowledging the importance of modeling in retaining meaning over a lifetime, given the changing medical knowledge base. He advised stating simply that models will be important, but not something to get hung up on in the current realm.
Dr. McDonald counseled being cautious about incentives for structured document standards (XMLDTD), which he noted was a standard for writing standards, not a standard in itself. He derided locally defined XML messages for leading to wanton non-standardization, stating most had no relationship to ANSI as required by HIPAA regulation. Any current message standards could be converted to XML, so there was no need to encourage the encroachment just to get XML syntax. And if it ever was important to get to XML, they should encourage evolving industry-adopted standards to XML syntax before using a common model, so they could interoperate. Mr. Waegemann disagreed. XML was a standard syntax and you could express standards in that standard syntax. He pointed out that HISB coordinated the XML standards work, ANSI accredited standards organizations engaged in XML standards work, and other countries had the lead in this process. He suggested addressing this again in three-to-six months when they knew more about what was going on in HISB. Mr. Blair responded that they were really talking health care DTDs. Dr. Cohn observed that they were talking about the wider view of results in non-codified text, and XML and DTDs get involved in that discussion. It gave them an opportunity to see, in that context, what was going on. Dr. Cohn noted that the next issue probably dealt with terminology and reminded everyone that he had spoken vigorously against dealing with terminology in a vacuum at this point. Dr. Fitzmaurice agreed, but added that what was important was not so much the syntax of XML, but variable definitions and the labels put on them. If “you get a bunch of labels with different definitions, you don't have a hope” of having the syntax join common meetings and concepts. Dr. Cohn asserted that the focus, at this point, was not on terminologies.
Mr. Blair remarked that the criteria they discussed in November heavily weighted market acceptance, which he equated with many of the HL7 message transactions in the version 2X viewpoint. HL7 has been working to correct interoperability limitations and improve comparability and the data quality with HL7 Version 3, which they hope to get balloted by January. If they did, the application that might add value is the clinical data architecture, which are the DTDs' defining documents. He predicted both versions would be around for many years.
Dr. Zubeldia reported that NCPDP had developed a script standard that had relatively low implementation at this point and XML and others were working on a number of ad hoc proprietary standards that, because they were commercial ventures, might have more market penetration than the NCPDP standard. However, they were proprietary, not ANSI, and not standards. He cautioned they had to look carefully at market penetration of non-proprietary things.
Mr. Waegemann suggested the question was whether NCVHS should recognize imperfect standards or consider work on better standards for the future. They had to recognize that the industry was changing, and so, what they had currently was very imperfect. He noted all the calls from people who bought systems they were told were compliant, and then bought another and they couldn’t work together. The main criterion missing was how much interoperability does the standard provide. Dr. Cohn said he heard the need for them to remind themselves that interoperability and comparability were the key issues in looking at the standards. Unfortunately, even new standards were imperfect.
Dr. Zubeldia said Claredi had the same situation with their administrative simplification standards. They had the NSF and the UB92 with 400 different implementations of the standard, which didn't talk to each other, and they had a similar situation with the signature standards where they needed an implementation. He emphasized that to have clinical standards they needed implementations. In order to achieve comparability, the SDOs had to get implementation guides adopted by the industry, not just the standards.
Dr. Braithwaite noted it was important to keep in mind what users want and need and that most people developing the standards are not users, but implementers for proprietary vendor solutions. Users do not want to have to deal with multiple proprietary implementation; they want total interoperability. Dr. Fitzmaurice reflected that when the Department heard from people who were developing (or using) a standard, they needed to ask what functions people wanted it to serve, how would it improve health care, efficiency, delivery of care and patient outcomes. What criteria did people need in a standard for it to work best for them? The Department needed to be able to say a standard for this particular use should meet the following criteria, as told to us by the industry.
Deliberating what emphasis should be put on institutional, hospital-based care versus ambulatory care, Ms. Fyffe observed that with the aging population, there were going to be people moving in and out of acute care facilities versus ambulatory care versus long-term care. Dr. Braithwaite suggested the underlying issue was interoperability. He advised focusing on how patients will be moving across these environments and they have to be as compatible as possible.
Mr. Blair asked the group to consider whether, in going forward, they should define areas of focus in terms of existing transactions or applications. Each application offered a different perspective. Dr. Fitzmaurice observed that to make a clinical decision or affect choice, one needed to move information. One could call that a transaction. The particular function it served (e.g., to judge whether a patient has a particular condition or not) could be called an application. A transaction might be larger or smaller, depending on what was already known about the patient. Dr. Fitzmaurice said it was more useful for him to think of what he was trying to do, what information he needed. Was that information content defined enough that they could put a standard on it and move it in a transaction? Dr. Zubeldia said the focus probably should be on applications, asking SDOs what transaction they had that supported those applications, and having the standard in the transactions themselves. If they focused on admission discharge transfer as an application, several messages could support that function; to get full function implemented, probably they would need them all. Focusing on transactions alone would not result in an implementable functional unit. Mr. Blair remarked that a benefit might be that it identified gaps and got them to look “out of the box.” Dr. Zubeldia observed that they could not do much about it unless SDOs defined additional messages to cover the gaps. He said they should look at how they might have a standard AAT. If they identified the gaps, they could take care of them.
Dr. Shortliffe said he did not understand the distinction. He said the standards became important with the “handshaking” and communication between applications. They had defined their list of applications of interest and each, in order to share information, had to have some standard message format. Dr. Shortliffe suggested that was what they ended up talking about when they discussed standards. What drove this interest in specific applications was the need to communicate. Dr. Braithwaite agreed. The interoperability of information exchange between applications was the critical thing, the focus of the standards themselves. They could lose sight of the fact that they needed to define in the regulation, the transaction standard in terms of who was sending what information to whom and for what purpose. He said the definition of the application was critical to how they perceived mandating use of these transactions, because it expressed the purpose. He said they could not be separated, but had to be viewed as a whole.
Dr. Cohn observed that that interoperability was the bottom line. He noted the guiding principles did not explicitly state interoperability, but he said he saw specificity, interoperability and having a specific implementation guide as criteria for selection. Dr. Fitzmaurice said he was comfortable with interoperability and comparability as overall goals and with using the guiding principles to lead them. Strict compliance with the 40, 30 or 15 percent scale was questionable. They needed to focus on what information they needed from the testifiers. Dr. Shortliffe noted a problem with the numbers. Consistency with other HIPAA standards was mandatory. It was not just 20 percent of a tally. The group agreed to have criteria without specific weighting factors. Dr. Braithwaite noted this made adding interoperability and comparability easier. Dr. Fitzmaurice said they should be an overarching goal, with the criteria developed to satisfy interoperability and comparability. Dr. Cohn cautioned that they still had not “hit them head on.” If they didn’t, they might forget that they had a specific implementation guide. Mr. Blair suggested that a number of questions in the questionnaire could be grouped under interoperability and comparability headings.
Mr. Blair explained that the questionnaire, based on an inventory-of-standards survey developed by ANSI HISB specifically for SDOs, was derived from the guiding principles. It was designed to capture documented, comparable information, which was to some degree measurable in terms of those principles, to help evaluate message format standards. The group discussed gathering input from a broader group of testifiers than just SDOs, inviting respondents to critique the group’s criteria and areas of focus, and moving the questionnaire up a level to realize the market research evaluation needed. Dr. Shortliffe suggested asking SDOs about the degree of industry implementation of their standards. Dr. Cohn noted SDOs are not always aware of the market acceptance. Mr. Blair pointed out subsets of questions under market acceptance on vendors, providers and government agencies and said everyone had the opportunity to express any answers they might have to questions the group had not been able to identify.
Dr. Cohn noted again that by at the end of this session they had to be able to move forward with a useful March hearing. The purpose of the March 19-20 hearings was to have people from the marketplace and from the health care industry critique the areas of focus, criteria for selection, and a draft of the questionnaire. Dr. Fitzmaurice said they should also use the opportunity to ask questions about the SDO standards, functional areas they were directed toward, and how they saw the role of NCVHS in PMRI standards. Dr. Zubeldia proposed focusing the questionnaire with questions about how the SDO’s standards apply to the low hanging fruit and mature areas their standards had that were not on the list but might be adopted. He said they could hone the questionnaire after the hearing. Dr. Cohn noted there would be a vetting process and people could e-mail Dr. Fitzmaurice or Dr. Zubeldia about issues. Feedback could be provided off line if anything was grossly inappropriate. The group mentioned the need for broader, general questions about the appropriateness of what they were doing, their basic assumptions and ideas about low hanging fruit. Dr. Shortliffe suggested they pick testifiers for March with these broader questions in mind: what folks saw happening in SDOs, which standards they were adopting, and which felt mature enough to put into products. They should also seek input that major vendors using and implementing the standards will find most valuable in coalescing their market and product development efforts. Dr. Cohn noted that academic medical centers with independent development efforts, large HMOs, and hospitals focused on cost and benefits would have views about what works and what doesn't.
Dr. Cohn observed the Committee and HHS strove to assure the industry that it was making the right investments, had government backing, and that, together, they could reduce the risk of health care institutional investments in information technology. Dead ends cost the industry hundreds of millions of dollars. Dr. Shortliffe said that was why doing this right “is a win-win”. The industry, the quality of care, and the data all benefited.
Mr. Scanlon suggested an industry overview session for the March hearing with a market or industry analyst. Dr. Zubeldia remarked that if testifiers were given questions far enough in advance, they would research any they could not answer. Dr. Cohn said that at their breakout during the full NCVHS meeting, they could wordsmith questions, identify areas missed, and compile their list of people to testify. Mr. Blair said he hoped to get some outside critiques of the areas of focus, criteria for selection and the questionnaire. The group summarized that they should be hearing from market analysts, financial rating services, academic medical centers, vendors, public health, large HMOs, hospitals and physicians. They discussed inviting the American Medical Association, NCQA, the Association of Public Health Laboratories, the Council of State and Territorial Epidemiologists, and the Public Health Data Standards Consortium Steering Committee.
Mr. Blair noted that the hearing was focused on the mechanisms and criteria for specific selections of message format standards; he hoped people invited from public policy and other areas would be familiar with these standards and issues of interoperability and comparability. Dr. Shortliffe said they could ensure that through the questions they asked them to respond to. People self-select. “You’ll get the right folks, if you have the right questions.”
Dr. Cohn commented that might want to talk with the ASPs developing Web solutions about the issue of interoperability. Dr. Shortliffe suggested inviting some of the Web companies amassing data or providing services to physicians or patients who care a lot about the standards and are beginning to worry and wondering how HIPAA applies to them.
Noting that some people can only “zip in” for one day and that sometimes it makes sense to discuss and craft things right away, Dr. Cohn proposed hearing testimony early each day and later reflecting on what they have heard
Dr. Fitzmaurice asked everyone to send names and telephone numbers of people or contact points in associations that fit the hearing categories. The group discussed a list serve and an up-to-date distribution list as ways of making sure that everybody sees everything.
The meeting adjourned for about half-an-hour so everyone could welcome the new Secretary, Tommy Thompson, and hear his address in the Great Hall.
The Subcommittee reviewed the second version of the fourth annual report to the Secretary of HHS and Congress on the implementation of the Administrative Simplification Provisions of HIPAA, beginning with the executive summary and moving from header to header. A short overview of what the original law required and the role of the NCVHS was followed by the first item of progress on the standards: issuance in December of the Final Regulations for Privacy of Individually Identifiable Health Information. The effective and ultimate compliance dates and a description of the status of the new administration's regulatory review program indicated that the regulation was still in review. The Privacy Rule was described briefly. Mr. Scanlon noted that a comment carried over from prior years expressing a desire for a statute had been deleted as it raised issues that “complicated the message.” The group considered this in the context of the new and more comprehensive Final Rule, noting they would know more about the status of the “reg” after the February 8th hearing on the Hill.
The report described progress on issuance of the final and proposed rules. It noted that the Final Rule on Transactions and Code Sets was published and mentioned the requirements and effective and compliance dates for Small Plans. The figures on cost savings were updated, comporting with estimates published in the Privacy Rule. Dr. Zubeldia suggested separating out the Transaction and Code Set Rule from the section headed, "Progress continuing on the adoption of other HIPAA standards," and giving it its own heading. The group discussed expanding comments on industry implementation to commend volunteer participation in developing best practices and address implementation issues under the heading "Industry Initiative." The section on the status of the various proposed rules and the Final Rules and an update on when each is expected was edited to close on a bold-faced statement about the need to bring them altogether.
Ms. Trudel noted they might want to highlight the signing of the DSMO agreement in March. Dr. Cohn suggested they expand a section on implementation issues to address the DSMO formation, WEDI/SNIP and industry activities. The group discussed expanding the section headed "Standards for Patient Medical Record Information,” to include a segment resembling an abridged executive summary from the PMRI standards that pointed out the issues and how they were moving forward.
Ms. Greenberg proposed mentioning all the DSMOs under the next heading, which dealt with continuing consultation and the implementation effort. Mr. Scanlon suggested adding a paragraph on the DSMO process. Reflecting on the past two days, he said they might want to extend the section that looked ahead to include implementation issues the group had identified. Dr. Cohn advocated addressing implementation issues identified beyond January of 2000, as well as recommendations related to mitigating those issues. He said the section probably was not strong enough. The main issues identified for implementation were: (1) HHS resources in promoting HIPAA implementation, (2) the need for funding to deploy and implement the national identifiers, (3) testing in compliance with HIPAA standards (now being recast as the data gap), (4) concern about the progress on the electronic signature standards, (5) issues related to code set standards, and (6) issues related to externally maintained codes. Dr. Cohn commented on the need to mention that HCFA Level 3 codes have been given an extra year of life, noting this did not apply to industry usage of their own non-standard code. Noting also that the electronic signature was one of the areas mentioned, he said they needed to look closely to make sure the group’s thoughts were adequately reflected.
The Subcommittee discussed how they might handle issues, like yesterday’s data gap issue, that had surfaced since January 1st. Dr. Zubeldia suggested making the part on the vendors and provider systems and testing in compliance with HIPAA standards separate headings. Ms. Bebee remarked that the section on PMRI information made no mention of ongoing activity. Dr. Cohn said Dr. Fitzmaurice and Mr. Blair were being asked to come up with something suitable and would probably insert much of the executive summary. The group discussed whether it was appropriate to refer the privacy piece to the Subcommittee on Privacy and Confidentiality, which had an interim chair and (like most the industry) was still trying to comprehend the regulation.
Dr. Cohn noted that they had to review the minutes for anything else that needed to be reflected in the report. Earlier in the year, they had sent correspondence to the Secretary asking to expedite publication of the first rule on Financial and Administrative Transactions. Dr. Cohn said that did not need to be referenced, beyond a strong statement that we needed to expedite publication. Mr. Scanlon noted that in the transmittal letter they had underscored the importance of moving forward with the rest of the standards. He noted, too, that it sounded like the industry still would like more time. Dr. Braithwaite suggested noting that the law, first written in 1994, passed in 1996, and both rules in 1998. Their rule started in 2000 and the Subcommittee believed this ongoing process ought to move as fast as possible. Dr. Cohn suggested they note this history in the executive summary. Mr. Scanlon observed they had often said the reason some of this took so long was because of their extensive consultation with the industry. Concurring that they wanted to reaffirm this process, the group inserted that they were gratified to note that, after Y2K and the struggle to get the two final rules out, implementation of HIPAA regulations was probably the health care industry’s highest priority. Mr. Blair suggested that industry priorities for implementation could be found in the annual HIMSS leadership survey that he would obtain by February 13th. Dr. Braithwaite said they would roll it into a revision.
Ms. Greenberg noted the need for a strong statement supporting the importance of privacy. The group discussed the industry’s concern about the transactions and privacy and agreed to briefly explain the rationale and need for a foundation for all the standards and requirements based on security and privacy laws. Dr. Zubeldia noted they should acknowledge that the industry, in general, is very supportive of the Transactions goal and is forging ahead with a strategic implementation plan to coordinate the implementation of the transactions and code sets for the entire industry. Ms. Trudel suggested adding to the paragraph in the executive summary on industry response and initiatives the concerns about their very significant work load and time frame as well as concerns about enforcement. Mr. Blair encouraged the group to refer to the first rule as the Financial and Administrative Transactions, not just Transactions, because, hopefully, they will also be looking at Clinical Transactions. Dr. Braithwaite remarked that they probably could not say much about the Privacy Rule, since it was published on December 28th. Dr. Zubeldia said they wanted to make sure that any changes in the executive summary are reflected in the body. Noting that they had provided more detail to the implementation issues, Mr. Scanlon suggested cutting back some detail about the code sets. Ms. Greenberg updated the Section on "Outreach to Public Health and Health Services Research" to include the Public Health Data Consortium.
The group commented on a need for expanding the PMRI piece both in the body and the executive summary to make it more like the executive summary in the PMRI report. Dr. Zubeldia noted the Vision for the 21st Century and NHII interim reports, which had been posted on the Web site and broadly circulated after being rolled out at the 50th Anniversary, provided a perspective on the future that could influence HIPAA decisions; Dr. Fitzmaurice and Mr. Blair would provide a couple sentences noting broader NHII issues the committee continued to focus on. The group discussed addressing the unique health identifier status in the progress-to-date section of the report and including updates on outreach and education and the DSMO Web site under standards for security and electronic signatures. Dr. Cohn suggested adding more about industry response, mentioned briefly in the executive summary.
The group noted the wide variety of industry responses (and issues) and discussed summarizing them. Clearly, while there were a wide variety of responses at high levels and many large providers, plans and vendors were aware and actively building HIPAA infrastructures, the group had heard the need to do more with small providers unaware of what must be done. Ms. Trudel said she would draft an insert. Observing that they did not yet have a solid balanced assessment, Mr. Scanlon said he didn't know how much they wanted to raise cost estimates and budget issues. Dr. Cohn predicted this issue would come to the floor as they moved to privacy. Administrative financial transactions and implementations cost a lot less. Observing concern about cost, time frames, and resources with the Privacy Regulations and another wave of concerns about when the security regulations would come out, Mr. Blair queried whether this document was an appropriate vehicle for an executive heads up for HHS and Congress. He suggested they could put these concerns in a perspective reflecting overall industry support, while encouraging help in addressing and moving through this transition. As the Privacy Regulation was only recently released, the Subcommittee was preparing to hold hearings to assess the potential impact of the rule and identify implementation issues and barriers. There would be similar oversight on the Security Regulation when it was finalized and published.
The group discussed the February breakout. Mr. Scanlon would draft a third version of the annual report for review, before sending it to the full Committee. In order to mail the agenda books on the 14th, Ms. Greenberg noted they needed to have everything by the 13th, at the latest. Recognizing that Dr. Fitzmaurice and Mr. Blair would be at HIMSS, Dr. Cohn noted they would need some input for the PMRI. Mr. Scanlon added that any material they had not received would have to be added later. Otherwise, the full Committee would be held up. Ms. Greenberg emphasized that, with the holiday, this mailing had to go out on the 14th; if people did not get it by Friday, they would already be traveling.
Dr. Cohn recapped that, based on what was heard yesterday, they had decided to have the DSMOs and a representative from X12N return with feedback on what was happening with changes and modifications to the X12N standards. He noted Ms. Trudel’s concern about their ability to make and expedite changes and said by then they might have further legal opinions. At the same time, he said they could ask the X12N representative to clarify the level of participation in relationship to digital and electronic signature efforts being worked on by the other SDOs, since there had been no one yesterday to report on their commitment.
The next item was the annual report and whatever the full Committee decided that day. Dr. Cohn anticipated that Dr. Fitzmaurice and Mr. Blair would come back with questions and a list of potential speakers for the March hearings related to PMRI. At that point they also needed to discuss any response or comments to the letter Dr. Lumpkin received from HHS related to the Subcommittee’s letter in September.
Dr. Cohn said he had a list of available dates for additional hearings between the March PMRI meeting and the June full Committee meeting and would e-mail a date to hold. Whether or not they did two dates still needed to be decided. Time permitting, they will also have a discussion on code sets strategies. An action item was developing a work plan for 2001 related to code set issues. He said a legitimate response might be there wasn't enough time, but they at least needed to discuss it and see if they did need to do anything. It was an issue of time and energy and an open discussion. He suggested Ms. Greenberg might want to develop a work plan. He identified two issues. One was the Subcommittee agenda, but they had also been asked to develop the full Committee agenda and strategy around code sets for the year 2001. And they needed to come back with a strategy.
Dr. Cohn said he wanted to draft a letter for the full Committee’s approval in February to the SDOs and DSMO expressing pleasure with the fact that they were working together on electronic standards. Ms. Greenberg said that could probably be done from the Subcommittee. Dr. Cohn noted that the letter to the Secretary on NDC was an action item. Ms. Greenberg said that maybe, when he presented the HIPAA report, he could also produce that letter. Dr. Cohn said they had a place holder for a digital signature letter, but as it turned out there was not an action item related to digital signature, unless they decided the letter expressing appreciation for the SDOs working together needed to be from the full Committee or the Subcommittee. They could do one or both. He agreed with Ms. Trudel; he, too, was uncertain whether they were waiting to hear from HISB. Dr. Zubeldia said he would let them know next week if X12N was on board. Dr. Cohn noted that would change the tone of the letter. Ms. Greenberg said the letters did not have to go in the agenda book; if they were less than five pages, they could be handed out at the meeting. Dr. Zubeldia said he was thinking of one or two paragraphs on the digital signature. The NDC would be a bit longer.
Dr. Cohn reflected that a couple of days ago he had wondered what they were going to talk about during their breakout later on February. Noting he could not think of any reason why he should ever have been worried about that, he adjourned the meeting at 1:20 p.m.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/s/ Simon P. Cohn, M.D. 5/31/01
_________________________________________________
Chair Date