iCommerce.com Corporation
eCommerce


HIPAA: Frequently Asked Questions

QUESTIONS:

1. Who must comply?
2. What transactions are covered?
3. What transmissions must comply?
4. When will the standards become effective?
5. How will confidential health information be protected?
6. Does the law require physicians to buy computers?
7. How will the standards affect data stored in my system?
8. Can health plans require changes or additions to the standard claim?
9. Is the government creating a centralized database with everyone's health records?
10. What does the law require of state Medicaid programs?
11. Are the standards voluntary?
12. The Rule Making Process for Administrative Simplification: What Takes So Long?
13. Should health plans publish companion documents that augment the information in the standard implementation guides for electronic transactions?
14. Could companion documents from health plans define cases where the health plan wants particular pieces of data used or not used?
15. May health plans stipulate the codes or data values they are willing to accept and process in order to simplify implementation?
16. May health plans stipulate the number of loop iterations or the file sizes they are willing to accept?
17. Should health plans communicate edits or actions they will perform on data elements or segments?
18. What level of detail should be included in the X12N implementation guides? Would it be inappropriate for X12N to try to integrate payer-specific communications into the IGs?
19. Who determines whether the implementation guides are ready for public review or use?

1. Who must comply?

The HIPAA law was passed at the request of the health care industry, and the standards to be adopted by the Secretary (see FAQ 2) apply to the whole industry, not just Medicare and Medicaid.

All health plans, all payers, and all clearinghouses that process health data must comply. This is not optional (see FAQ 11). It applies for every transaction that these organizations conduct for which such a standard has been adopted. Health plans, payers, and clearinghouses must be able to send or receive the designated transactions in standard electronic form no later than 24 months after the standard is adopted by the Secretary (36 months for small plans). Health plans and payers that cannot perform these standard electronic transactions may comply by contracting with a clearinghouse to perform them. However, the responsibility for compliance remains with the primary entity.

All health care providers who elect to conduct these specific transactions electronically must conduct them according to the standards as well. Health care providers may also contract with a clearinghouse to conduct standard transactions for them.

When employers act in the roles of a health plan or a health care provider, they too must comply with the standards and may contract with a clearinghouse or third party administrator (TPA) to conduct the standard transactions for them.

Health plans may not refuse to accept standard transactions submitted electronically (on their own or through clearinghouses). Further, health plans may not delay payment because the transactions are submitted electronically in compliance with the standards.

There are a few exceptions:

Non-standard transactions. The standards for the designated transactions apply when those transactions are transmitted electronically, but not to transactions conducted by paper, telephone or personal interactive systems. Specific programs such as Medicare may elect to extend the standard requirements to paper-based transactions, but this is not required by HIPAA.

Transmissions within corporate entities. Clearly, electronic transmission of any of the specified transactions between corporate entities must comply with the standards adopted by the Secretary. However, transmissions of these transactions within a corporate entity are not required to comply with the standards. For example, a hospital that is wholly owned by a managed care company would not have to use the standards to pass encounter information back to the home office, but it would have to use the standard claim transaction to submit a claim to another payer.

Small health plans. HIPAA gives small health plans 36 months from the date of adoption of a standard to come into compliance. We are proposing to define a small plan as one with fewer than 50 participants.

Workers Compensation. The HIPAA definition of a health plan does not specifically include Workers Compensation programs or carriers. However, the list of designated transactions for which the Secretary must adopt standards for electronic transmission includes "First Report of Injury" which is the primary transaction used to initiate Workers Compensation actions. For this reason, the Secretary will be proposing a standard for First Report of Injury and will be considering different ways of achieving compliance with this standard.

Health Plan Sponsors. Health plan sponsors, including employers when they act in the role of a sponsor, are not covered explicitly by the law but may benefit from the adoption of standards and electronic transactions. Sponsors may elect to use standard enrollment, disenrollment, and premium payment transactions, which must be accepted by all health plans when submitted electronically. Market forces may move health plans to require sponsors to use the standards for electronic transactions, although this is not mandated by the law.


2. What transactions are covered?

HIPAA requires the Secretary of Health and Human Services to adopt standards for the following 9 administrative and financial health care transactions:

  1. Health claims or equivalent encounter information.
  2. Health claims attachments.
  3. Enrollment and disenrollment in a health plan.
  4. Eligibility for a health plan.
  5. Health care payment and remittance advice.
  6. Health plan premium payments.
  7. First report of injury.
  8. Health claim status.
  9. Referral certification and authorization.

HIPAA also directs the Secretary to adopt standards for unique health identifiers for:

  1. Individuals.
  2. Employers.
  3. Health plans.
  4. Health care providers.

and standards for:

  1. Code sets for data elements in the transactions above.
  2. Security.
  3. Electronic signatures.
  4. Coordination of benefits.

The Secretary is also required to submit to Congress detailed recommendations on standards to protect the privacy of individually identifiable health information.


3. What transmissions must comply?

All electronic transmissions of the specified transactions from one computer to another must comply with the standards (assuming the conditions under FAQ #1 are met). Electronic transmissions include transmissions using all media, even when the transmission is physically moved from one location to another using magnetic tape, disk, or CD media. Transmissions over the Internet, intranets, leased lines, dial-up lines, private networks, etc. are all included. Telephone voice response and faxback systems would not be included. The HTML interaction between a server and a browser by which the elements of a transaction are solicited from a user would not be included, but once assembled into a transaction by the server, transmission of the full transaction to another corporate entity, such as a payer, must comply.

The only exception involves the use of clearinghouses.

  • Providers may submit non-standard transactions to clearinghouses, who must convert the data into the standard transaction before forwarding it on to the payer.
  • Payers may submit non-standard transactions to clearinghouses, who must also create the standard transaction before forwarding it on to the provider.
  • A clearinghouse may convert standard transactions into paper or other non-standard format for receipt by a provider or plan which does not have the capacity to receive such transactions in standard format.


4. When will the standards become effective?

The standards become effective 24 months after adoption for most organizations; 36 months after adoption for small health plans. Delays in adoption of the standards will not shorten these periods for implementation.

Several steps precede the implementation date. These steps began when Congress enacted HIPAA on August 21, 1996.

Under the law, the Secretary was required to adopt the standards for transactions within 18 months (within 30 months for claims attachments). The process is on-going and is designed to assure consensus within the government before the proposed standards are published.

Notices of Proposed Rule Making (NPRM) will be published in the Federal Register. These will be followed by a 60-day public comment period on the proposed standards. Final regulations will be issued after the comments have been received and analyzed and Final Rules developed. Implementation Guides for X12N transaction standards, which will be incorporated into the NPRMs, are available now.

NPRM publications will be announced and available on the Administrative Simplification website.

After the Final Rules on the standards are issued, health plans have 2 years to begin to comply. Small health plans have 3 years. Any health plan can begin to comply voluntarily before the deadlines.

One other important deadline: Within 12 months of enactment, the Secretary was required to submit to Congress detailed recommendations for Federal legislation to protect the privacy of individually identifiable health information. These recommendations were delivered on September 11, 1997.


5. How will confidential health information be protected?

The HIPAA law recognized the importance of protecting confidential health care information and specified 2 methods of protection: security standards and Federal privacy legislation. Today such protections are not uniformly or universally applied. Instead, security practices are largely unregulated, and privacy laws vary widely from state to state.

The law directs the Secretary of Health and Human Services to adopt security standards for all health plans, clearinghouses, and providers to follow. These standards will be required at all stages of transmission and storage of health care information. To be in compliance, health plans, clearinghouses, and providers will be required to protect health information before, during, and after electronic transmission. The Secretary is directed to adopt standards that are reasonable, taking into account technical, financial, and educational issues as well as the potential impact on small and rural health care providers. The law recognizes that, for the security standards to be followed, they must be reasonable. At the same time, the integrity and confidentiality of the records must be ensured.

Privacy is addressed separately by HIPAA. The Secretary is required to submit recommendations for Federal legislation on privacy to the Congress by August 1997. Privacy legislation and regulations will define in the future what are appropriate and inappropriate disclosures of this health information and how patient rights are to be protected.


6. Does the law require physicians to buy computers?

No, there is no such requirement. However, more physicians may want to use computers for submitting and receiving transactions (such as health care claims and remittances/payments) electronically, once the standard way of doing things goes into effect.

The Administrative Simplification provisions of the HIPAA law were passed with the support of the health care industry. The industry believed standards would lower the cost and administrative burdens of health care, but they needed Government's help to get to one uniform way of doing things. In the past, individual providers (physicians and others) have had to submit transactions in whatever form each health plan required. Health plans could not agree on a standard without giving their competitors a market advantage, at least in the short-run. The law, which requires standards to be followed for electronic transmission of health care transactions, levels the playing field. It does not require providers to submit transactions electronically. It does require that all transactions submitted electronically comply with the standards.

Providers, even those without computers, may want to adopt these standard electronic transactions, so they can benefit directly from the reductions in cost and burden. This is possible because the law allows providers (and health plans too, for that matter) to contract with clearinghouses to conduct the standard electronic transactions for them.


7. How will the standards affect data stored in my system?

The transaction standards will apply only to electronic data interchange (EDI) -- when data are transmitted electronically between health care providers and health plans as part of a standard transaction. Data may be stored in any format as long as it can be translated into the standard transaction when required. Security standards, on the other hand, will apply to all health care information.

To comply with the transaction standards, health care providers and health plans may exchange the standard transactions directly, or they may contract with a clearinghouse to perform this function. Clearinghouses may receive non-standard transactions from a provider, but they must convert these into standard transactions for submission to the health plan. Similarly, if a health plan contracts with a clearinghouse, the health plan may submit non-standard transactions to the clearinghouse, but the clearinghouse must convert these into standard transactions for submission to the provider.


8. Can health plans require changes or additions to the standard claim?

Currently, some insurers accept the de facto standard claim (e.g., UB-92) but also require additional records (e.g., a proprietary cover sheet) for each claim submitted. Others have special requirements for data entered into the claim which make it non-standard.

Under the law, health plans are required to accept the standard claim submitted electronically. They may not require providers to make changes or additions to the standard claim. They must go through the private sector standards setting process to get their requirements added to the standard in order to effect desired changes. Health plans may not refuse the standard transaction or delay payment of a proper standard transaction.

An additional standard will be adopted for electronic health claims attachments, which health plans will also be required to accept. Until that standard is adopted (by February, 2001), health plans may continue to require health claim attachments to be submitted on paper. No other additions to standard claims will be acceptable.


9. Is the government creating a centralized database with everyone's health records?

No. There are no provisions in the HIPAA law that create or propose to create such a database.

The purpose of the Administrative Simplification standards under the HIPAA law is to improve the functioning of the health care system by reducing costs and administrative burden. The government will not have access to the health care records that go between health plans and health care providers. Some states that already collect information about health care will continue to do so, but this is not a change caused by HIPAA.

The HIPAA law recognized the importance of protecting personal health information. The law requires new security standards and recommendations for more effective privacy legislation, all to protect the confidentiality of health care information. These requirements mean better protections for health care information than currently exist.


10. What does the law require of state Medicaid programs?

Section 1171(5)(E) of the Social Security Act, as enacted by HIPAA, identifies the State Medicaid programs as health plans, which therefore must be capable of receiving, processing, and sending standard transactions electronically. There is no requirement that internal information systems maintain data in accordance with the standards. However, Medicaid programs will need the capacity to process standard claim, encounter, enrollment, eligibility, remittance advice, and other transactions. In addition, as health plans, the State Medicaid programs will be required to comply with other HIPAA standards two years after adoption of the standards.

The standards should benefit Medicaid programs in multiple areas. Here are a few examples:

  • A national standard for encounter transactions will provide a much-needed method for collecting encounter data on Medicaid beneficiaries enrolled in managed care. Because of the standards, it will be possible to combine encounter data from managed care with similar claims data from fee-for-service, thus enhancing the ability to monitor utilization, costs, and quality of care in managed care and to compare managed care with fee-for-service.
  • The standard transactions will include methods for electronic exchange of enrollment information between the Medicaid program and private managed care plans enrolling Medicaid beneficiaries. This will reduce administrative costs of exchanging such information and enhance the reliability of such information.
  • The conversion to national standards provides an opportunity for Medicaid programs to shift to commercial software or clearinghouses and to stop the expensive maintenance of old, customized transaction systems.


11. Are the standards voluntary?

For health care providers, transactions submitted electronically must follow the standards.

For health plans, the standards are mandatory. If a person (such as a provider or employer) chooses to conduct a transaction electronically with a health plan, the health plan may not refuse a standard transaction and may not delay or otherwise adversely affect the transaction (Section 1175(a)(1)). The law specifies monetary penalties for non-compliance.

On October 22, 1997, Representative Hobson clarified these requirements for health plans. He said:

I want to make it clear that, although voluntary standardization was considered in the past, it was judged to be unworkable in the real world and is not a part of the law today for that reason. ... The intent of the law is that all electronic transactions for which standards are specific must be conducted according to the standards.


12. The Rule Making Process for Administrative Simplification: What Takes So Long?

The goal is simplification, but the process is far from simple. It is a deliberate process designed to achieve consensus within HHS and across other Federal departments. The process is important because the final rules will have the force of Federal law.

HHS Implementation Teams have drafted Notices of Proposed Rule Making (NPRMs) for the:

  1. Administrative and Financial Transaction Standards and Code Sets;
  2. National Provider Identifier for health care providers;
  3. Identifier for Health Plans;
  4. Identifier for Employers;
  5. Security Standards to protect health care information.

Before an NPRM can be published in the Federal Register, it must be reviewed and approved within the Federal government. Questions and concerns from within the government must be answered and resolved before the NPRMs can be published for public comment.

This within-government review is a 3-stage process. The NPRMs must be approved by:

  1. The HHS Data Council's Committee on Health Data Standards. This Committee is responsible for overseeing the entire AS implementation process for the Secretary of HHS. This Committee, composed of members from many Federal agencies, must approve the content of the NPRMs before they go to the next review step.
  2. Advisors to the Secretary within HHS. HHS consists of several divisions that may be affected by the proposed standards or that are responsible for particular issues, such as the impact of the standards on the Federal budget. Agency heads also act as formal advisors to the Secretary of HHS in the rule making process. Agreement among the Secretary's advisors must be reached before the NPRMs go to the next review step.
  3. The Office of Management and Budget. OMB reviews the NPRMs from a government-wide perspective and circulates the NPRMs for review by Federal departments other than HHS. These departments, which will also be affected by the proposed standards, include the Departments of Defense and Veterans Affairs. In addition, OMB reviews the NPRMs for their potential impacts -- e.g., on the Federal budget, on intergovernmental relations, and on small business -- and for their compliance with the principles of regulation set out in Executive Order 12866.

When published in the Federal Register, the NPRMs will be available directly from the Administrative Simplification homepage.

Delays in adoption of the standards will not shorten the period for implementation. The standards will become effective 24 months after adoption for most organizations; 36 months after adoption for small health plans.


13. Should health plans publish companion documents that augment the information in the standard implementation guides for electronic transactions?

Additional information may be provided within certain limits.

Electronic transactions must go through two levels of scrutiny:

  1. Compliance with the HIPAA standard. The requirements for compliance must be completely described in the HIPAA implementation guides and may not be modified by the health plans or by the health care providers using the particular transaction.
  2. Specific processing or adjudication by the particular system reading or writing the standard transaction. Specific processing systems will vary from health plan to health plan, and additional information regarding the processing or adjudication policies of a particular health plan may be helpful to providers.

Such additional information may not be used to modify the standard and may not include:

  • Instructions to modify the definition, condition, or use of a data element or segment in the HIPAA standard implementation guide.
  • Requests for data elements or segments that are not stipulated in the HIPAA standard implementation guide.
  • Requests for codes or data values that are not valid based on the HIPAA standard implementation guide. Such codes or values could be invalid because they are marked not used in the implementation guide or because they are simply not mentioned in the guide.
  • Changes to the meaning or intent of a HIPAA standard implementation guide.


14. Could companion documents from health plans define cases where the health plan wants particular pieces of data used or not used?

The health plan must read and write HIPAA standard transactions exactly as they are described in the standard implementation guides. The only exception would be if the guide explicitly gives discretion regarding a data element to a health plan. For claims and most other transactions, the receiver must accept and process any transaction that meets the national standard. This is necessary because multiple health plans may be scheduled to receive a given transaction (e.g., a single claim may be processed by multiple health plans).

For example: Medicare currently instructs providers to bill for certain services only under certain circumstances. Once HIPAA standard transactions are implemented, Medicare will have to forgo that policy and process all claims that meet HIPAA specifications. This does not mean that Medicare, or any other health plan, has to change payment policy. Today, Medicare would refuse to accept and process a bill for a face lift for cosmetic purposes only. Once the HIPAA standards are implemented, Medicare will be required to accept and process the bill, but still will not pay for a face lift that is purely for cosmetic purposes.


15. May health plans stipulate the codes or data values they are willing to accept and process in order to simplify implementation?

The simplest implementation is the one that is identical to all others. If the standard adopted stipulates that HCPCS codes will be used to describe procedures, then the health plan must abide by the instructions for the use of HCPCS codes. A health plan could refuse a code that was not applied in accordance with the HIPAA national standard coding instructions, but could not refuse a code properly applied for reasons of policy unrelated to the standard.

For example, if the standard stipulates that the most specific code available must be used, then a health plan would be right to refuse a code that does not meet that criterion. The health plan would need to work with the committee(s) governing the particular coding scheme to have codes adopted that meet its needs.


16. May health plans stipulate the number of loop iterations or the file sizes they are willing to accept?

Any loop iterations, file sizes, etc. stipulated in the standards must be honored by all players. If any health care electronic data interchange participant cannot live with the numbers stipulated in the HIPAA implementation guides, then the participant needs to work with the implementation guide author(s) to get numbers that all players can live with.

For example, there are up to 99 service lines in a professional claim. The provider need not write 99 service lines, but the health plan must have the capability to accept that number when presented. If that is not the right number for all players, it should be changed. But the number identified in the implementation guide must be adhered to.


17. Should health plans communicate edits or actions they will perform on data elements or segments?

It would be helpful for health plans to disclose, to the extent that their internal policy permits, any edits or actions performed on the transaction sets they receive.


18. What level of detail should be included in the X12N implementation guides? Would it be inappropriate for X12N to try to integrate payer-specific communications into the IGs?

The implementation guides developed by X12N and proposed for adoption by HHS as national standards are intended to be at a level of detail sufficient to assure identical implementations by every entity regarding the data content and format of transactions. We must all work together to make sure that the documentation is adequate to meet this purpose, as intended by the Congress. Communications between trading partners about how internal processing of the data may occur must be clearly differentiated from the implementation of the data standards themselves.

On the other hand, companion documents, which could be described as “Payer-Specific Processing Guides,” could be helpful to providers. For example, there may be procedures that are not covered or that are covered only under certain circumstances. It would be useful to a biller to understand this, so that the biller would not prepare a claim for such procedures unless a denial letter was needed to send to a next-to-pay health plan. However, if sent, the actual claim would be the same as any other claim.


19. Who determines whether the implementation guides are ready for public review or use?

This determination would best be the result of a joint DHHS/X12N decision making process. DHHS has an interest in ascertaining that certain principles are applied to the standardization of electronic health care transactions. We would expect that the X12N workgroups would continue to work on the guides until they are as perfect as human beings can make them, or until the proposed rule is published, whichever comes first. Any decisions by X12N to improve the guides must be made available to the public during the comment process.

Draft implementation guides have been made available well before publication of the proposed rules. As a courtesy, new material should be pointed out for reviewers, who may have done detailed reviews prior to the publication of the proposed rule.

06/23/99
