The HIPAA Clock Is Running: Final HIPAA Transactions and Code Sets Standards Published
By Rebecca L. Williams and Paul T. Smith
[September 2000]

After much speculation and many delays, the Secretary of Health and Human Services (HHS) has published final standards for electronic health care transactions under the Health Insurance Portability and Accountability Act of 1996, or HIPAA. These final rules appeared in the Federal Register on August 17, 2000 and are available at http://aspe.hhs.gov/admnsimp/index.htm Health care providers who engage in electronic transactions, most health plans and health care clearinghouses will be required to use these standards beginning October 2002. These final rules are at the heart of the administrative simplification provisions of HIPAA.

These provisions are intended to create a standard format for electronic data interchange among providers and payers and their intermediaries. HHS estimates that about 400 proprietary formats currently are used for electronic health care data exchanges in the United States. The goal of the national standards is to save costs by simplifying the administration of electronic health care transactions. Of course, implementation of these standards will be costly and challenging. These final rules are at the heart of the administrative simplification provisions of HIPAA. Additionally, a separate regulation designates the groups that will serve as Designated Standard Maintenance Organizations (DSMOs).

The Clock Is Ticking Toward HIPAA Compliance
These transaction and code sets standards have been among the least controversial of HIPAA's proposed regulations, and they are the first to be finalized. They start the clock running on HIPAA compliance - by October 2002, providers, health care clearinghouses and most health plans will have to implement prescribed standards and code sets in electronic transactions, including transactions between commonly owned or related entities. Small health plans - with less than $5 million in annual receipts - will have an additional year to come into compliance.

Standard Transactions
The regulations establish standards for the following transactions. All of them affect health plans and clearinghouses; only the first four affect providers:

• Health claims or equivalent encounter information
• Eligibility for a health plan
• Referral certification and authorization
• Health claim status
• Enrollment and disenrollment in a health plan
• Health claims and remittance advice
• Health plan premium payments
• Coordination of benefits
• HHS plans to publish a separate rule setting standards for first report of injury.

The transaction standards for pharmacy are the National Council for Prescription Drug Programs' Telecommunications Standard and Batch Transaction Standard. For other transactions, the standards are the ASC X12N standards published by the Washington Publishing Company.

Implementation guidelines for the pharmacy standards are available at http://aspe.hhs.gov/admnsimp/index.htm and for the dental, professional and institutional standards at http://www.wpc-edi.com/hipaa.

Private arrangements among covered entities that would have the effect of changing or supplementing the standards will be prohibited.

Covered entities, however, will be permitted to use health care clearinghouses or other intermediaries to conduct transactions, and clearinghouses will be permitted to receive and transmit nonstandard transactions when acting on behalf of other covered entities. Health plans are subject to additional standards. They will be required to conduct electronic claims transactions in standard format with any person wishing to do so. This entails an obligation both to accept standard transactions and to process them promptly.

Health plans may not offer providers incentives to use direct data entry in an effort to circumvent the HIPAA rules.

Other standards have been proposed to protect the privacy and security of electronic data and to establish national identifiers, but they remain under review. The proposed privacy regulations, in particular, have prompted a record number of public comments. (For an overview of the draft privacy standards, visit http://www.dwt.com/related_links/adv_bulletins/HIPAAFeb00.htm). Interestingly, HHS states in the accompanying comment section that these regulations were developed in conjunction with the development of the privacy standards. HHS notes it may delay or withdraw these rules if the privacy regulations are "substantially delayed."

Code Sets. The final rules require health plans, health care clearinghouses and providers to use prescribed diagnostic and procedure codes on electronic transactions. The principal code sets are:

• ICD-9-CM: International Classification of Diseases, Ninth Revision, Clinical Modification, which classifies both diagnoses (Volumes 1 & 2) and procedures (Volume 3). It is used by hospitals and ambulatory care providers.
• CPT-4: Current Procedural Terminology, which is used by physicians.
• HCPCS: The Health Care Financing Administration's Procedure Coding System, which contains codes for medical supplies and equipment, injectable drugs, transportation services, and other services not found in CPT-4.
• The Code on Dental Procedures and Nomenclature, maintained by the American Dental Association, which is used for reporting dental services.
• DC: National Drug Codes for reporting prescription drugs in pharmacy transactions and some claims by health claim professionals.

Differences Between Proposed and Final Rules
Although the final regulations are substantially similar to the proposed rules, some important changes occurred. For example:

• The final rule does not specifically distinguish between internal and external transactions, with the result that transactions between a commonly owned provider and health plan, for example, would have to be in standard format. The comment notes, however, that many purely internal data operations may not constitute HIPAA transactions of the types covered by the regulations and, therefore, may not have to comply with the standards.
• The final regulations change the definition of small health plan to focus on receipts, not the number of members, as is consistent with the requirements of the Small Business Administration.
• The final rule distinguishes between maintenance and modification of a standard. HHS may modify - or make regulatory changes to - standards no more often than once every year, although it may make modifications during the first year if necessary to permit compliance. Maintenance, on the other hand, includes activities necessary to support the use of a standard adopted by HHS, such as technical corrections or enhancements.
• The final regulations introduce the terms "business associate," rather than business partner, and "trading partner agreement," instead of business partner agreement or chain of trust agreement.
• The final rule eliminates the exception for person-to-computer transactions, preferring to more specifically define a HIPAA-covered transaction. Under a limited exception, however, data keyed directly by a health care provider into a health plan system need not comply with the standard format requirements (although it still would have to comply with the data content requirements).
• The final rule names the NCPDP telecommunications standard 5.1 and batch equivalent instead of X12N standards for certain retail pharmacy transactions.

What Should Your Organization Be Doing?
Organizations that are covered by HIPAA would be wise not to wait until the eleventh hour to begin addressing the regulations. There is much to do in relatively little time. Although some uncertainty exists, HHS intends to finalize the privacy and security regulations this year - a schedule that would require full-scale HIPAA compliance around the end of 2002. The direction of the regulations is clear enough to permit covered entities to begin now assessing their health data technology and identifying potential compliance gaps. Many have already begun. Organizations that are covered by HIPAA would be wise not to wait until the eleventh hour to begin addressing the regulations.

A common first step is to form a multi-disciplinary HIPAA team to plan and implement the assessment and compliance project. The proposed mandate to protect health data in every aspect of operations, as well as in dealings with business associates, suggests that the HIPAA team should be broadly based and sponsored at the highest levels of the organization. Outside legal and consulting assistance should be brought in as appropriate, and technology and other vendors should be involved. We will keep you informed as other HIPAA regulations are finalized. In the meanwhile, if you need help in assessing the effect of HIPAA on your organization, please call your DWT lawyer or visit our eHealth Law Practice Group at http://www.dwt.com/practc/hc_ecom.htm.

ABOUT THE AUTHORS

Rebecca L. Williams, of counsel in DWT's Seattle, Washington office, is an experienced registered nurse and a member of the firm's eHealth and Health Law departments. She also serves as a co-chair of the firm's HIPAA Task Force. Her practice involves HIPAA, anti-kickback, Stark, tax-exemption, patient care, compliance and other regulatory issues as well as transactions and contracting. She is also the author of several published articles and book chapters. Becky can be reached in the Seattle office at (206) 628-7769 or rebeccawilliams@dwt.com

Paul T. Smith is a founding partner of DWT's San Francisco, California office and a member of the firm's Health Law department. He has been practicing health care law in California for over 18 years and represents hospitals, health care practitioners, medial groups and other provider organizations in corporate, transactional, financing, reimbursement and regulatory matters. Paul can be reached in the San Francisco office at (415) 276-6532 or paulsmith@dwt.com

return to Advisory Bulletins main page