SUPPLEMENTARY INFORMATION:

I. Background

[Please label written and e-mailed comments about this section with the subject: Background.]

In order to administer their programs, the Department of Health and Human Services, other Federal agencies, State Medicaid agencies, and private health plans assign identification numbers to the providers of health care services and supplies with which they transact business. These various agencies and health plans, all of which we will refer to as health plans in this proposed rule, routinely, and independently of each other, assign identifiers to health care providers for program management and operations purposes. The identifiers are frequently not standardized within a single health plan or across plans. This lack of uniformity results in a single health care provider having different numbers for each program and often multiple billing numbers issued within the same program, significantly complicating providers’ claims submission processes. In addition, nonstandard enumeration contributes to the unintentional issuance of the same identification number to different health care providers.

Most health plans have to be able to coordinate benefits with other health plans to ensure appropriate payment. The lack of a single and unique identifier for each health care provider within each health plan and across health plans, based on the same core data, makes exchanging data both expensive and difficult.

All of these factors indicate the complexities of exchanging information on health care providers within and among organizations and result in increasing numbers of claims-related problems and increasing costs of data processing. As we become more dependent on data automation and proceed in planning for health care in the future, the need for a universal, standard health care provider identifier becomes more and more evident.

In addition to overcoming communication and coordination difficulties, use of a standard, unique provider identifier would enhance our ability to eliminate fraud and abuse in health care programs.

• Payments for excessive or fraudulent claims can be reduced by standardizing enumeration, which would facilitate sharing information across programs or across different parts of the same program.
• A health care provider’s identifier would not change with moves or changes in specialty. This facilitates tracking of fraudulent health care providers over time and across geographic areas.
• A health care provider would receive only one identifier and would not be able to receive duplicate payments from a program by submitting claims under multiple provider identifiers.
• A standard identifier would facilitate access to sanction information.

A. National Provider Identifier Initiative

In July 1993, the Health Care Financing Administration (HCFA) undertook a project to develop a provider identification system to meet Medicare and Medicaid needs and ultimately a national identification system for all health care providers to meet the needs of other users and programs. Representatives from the private sector and Federal and State agencies were invited to participate. Active participants included:

• Department of Defense, Office of Civilian Health and Medical Program of the Uniformed Services
• Assistant Secretary for Planning and Evaluation, HHS
• Department of Labor
• Department of Veterans Affairs
• Office of Personnel Management
• Public Health Service, HHS
• Drug Enforcement Administration
• State Medicaid agencies and health departments including those of Alabama, California, Maryland, Minnesota and Virginia
• Medicare carriers and fiscal intermediaries
• Professional and medical associations, including the National Council for Prescription Drug Programs.

One of the group’s first tasks was to decide whether to use an existing identifier or to develop a new one. They began by adopting criteria recommended for a unique provider identifier by the Workgroup for Electronic Data Interchange (WEDI), Technical Advisory Group in October 1993, and recommended by the American National Standards Institute (ANSI), Healthcare Informatics Standards Planning Panel, Task Group on Provider Identifiers in February 1994. The workgroup then examined existing identifiers and concluded that no existing identifier met all the criteria that had been recommended by the WEDI and ANSI workgroups.

Because of the limitations of existing identifiers, the workgroup designed a new identifier that would be in the public domain and that would incorporate the recommendations of the WEDI and ANSI workgroups. This identifier, which we call the national provider identifier, or NPI, is an 8-position alphanumeric identifier.

B. The Results of the NPI Initiative

As a result of the project on the NPI, and before legislation required the use of the standard identifier for all health care providers (see section I.C. Legislation, below), HCFA and other participants accepted the workgroup’s recommendation, and HCFA decided that this new identifier would be implemented in the Medicare program. HCFA began work on developing a national provider system (NPS) that would contain provider data and be equipped with the technology necessary to maintain and manage the data. Plans for the NPS included assigning the NPI and storing the data necessary to identify each health care provider uniquely. The NPI was designed to have no embedded intelligence. (That is, information about the health care provider, such as the type of health care provider or State where the health care provider is located, would not be conveyed by the NPI. This information was to have been recorded by the NPS in each health care provider’s record but would not be part of the identifier.)

The NPS was designed so that it could also be used by other Federal and State agencies and private health plans to enumerate their health care providers that do not participate in Medicare.

C. Legislation

The Congress included provisions to address the need for a standard identifier and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act a new part C, entitled “Administrative Simplification.” (Public Law 104-191 affects several titles in the United States Code. Hereafter, we refer to the Social Security Act as the Act; we refer to the other laws cited in this document by their names.) The purpose of this part is to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the electronic transmission of certain health information.

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and certain health care providers concerning electronic transmission of health information.

The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization.

Section 1172 of the Act makes any standard adopted under part C applicable to (1) all health plans, (2) all health care clearinghouses, and (3) any health care providers that transmit any health information in electronic form in connection with the transactions referred to in section 1173(a)(1) of the Act.

This section also contains requirements concerning standard setting.

• The Secretary may adopt a standard developed, adopted, or modified by a standard setting organization (that is, an organization accredited by the American National Standards Institute (ANSI)) that has consulted with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), WEDI, and the American Dental Association (ADA).
• The Secretary may also adopt a standard other than one established by a standard setting organization, if the different standard will reduce costs for health care providers and health plans, the different standard is promulgated through negotiated rulemaking procedures, and the Secretary consults with each of the above-named groups.
• If no standard has been adopted by any standard setting organization, the Secretary is to rely on the recommendations of the National Committee on Vital and Health Statistics (NCVHS) and consult with each of the above-named groups.

In complying with the requirements of part C of title XI, the Secretary must rely on the recommendations of the NCVHS, consult with appropriate State, Federal, and private agencies or organizations, and publish the recommendations of the NCVHS in the Federal Register.

Paragraph (a) of section 1173 of the Act requires that the Secretary adopt standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. Standards are required for the following transactions: health claims, health encounter information, health claims attachments, health plan enrollments and disenrollments, health plan eligibility, health care payment and remittance advice, health plan premium payments, first report of injury, health claim status, and referral certification and authorization. In addition, the Secretary is required to adopt standards for any other financial and administrative transactions that are determined to be appropriate by the Secretary.

Paragraph (b) of section 1173 of the Act requires the Secretary to adopt standards for unique health identifiers for all individuals, employers, health plans, and health care providers and requires further that the adopted standards specify for what purposes unique health identifiers may be used.

Paragraphs (c) through (f) of section 1173 of the Act require the Secretary to establish standards for code sets for each data element for each health care transaction listed above, security standards for health care information systems, standards for electronic signatures (established together with the Secretary of Commerce), and standards for the transmission of data elements needed for the coordination of benefits and sequential processing of claims. Compliance with electronic signature standards will be deemed to satisfy both State and Federal requirements for written signatures with respect to the transactions listed in paragraph (a) of section 1173 of the Act.

In section 1174 of the Act, the Secretary is required to adopt standards for all of the above transactions, except claims attachments, within 18 months of enactment. The standards for claims attachments must be adopted within 30 months of enactment. Generally, after a standard is established it cannot be changed during the first year except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary must also ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions.

Section 1175 of the Act prohibits health plans from refusing to process or delaying the processing of a transaction that is presented in standard format. The Act’s requirements are not limited to health plans; however, each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. Entities may comply by using a health care clearinghouse to transmit or receive the standard transactions. Compliance with modifications and implementation specifications to standards must be accomplished by a date designated by the Secretary. This date may not be earlier than 180 days after the notice of change.

Section 1176 of the Act establishes a civil monetary penalty for violation of the provisions in part C of title XI of the Act, subject to several limitations. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement. The procedural provisions in section 1128A of the Act, “Civil Monetary Penalties,” are applicable.

Section 1177 of the Act establishes penalties for a knowing misuse of unique health identifiers and individually identifiable health information: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if misuse is “under false pretenses,” a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.

Under section 1178 of the Act, the provisions of part C of title XI of the Act, as well as any standards established under them, supersede any State law that is contrary to them. However, the Secretary may, for statutorily specified reasons, waive this provision.

Finally, section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.”

(Concerning this last provision, the conference report, in its discussion on section 1178, states:

“The conferees do not intend to exclude the activities of financial institutions or their contractors from compliance with the standards adopted under this part if such activities would be subject to this part. However, conferees intend that this part does not apply to use or disclosure of information when an individual utilizes a payment system to make a payment for, or related to, health plan premiums or health care. For example, the exchange of information between participants in a credit card system in connection with processing a credit card payment for health care would not be covered by this part. Similarly sending a checking account statement to an account holder who uses a credit or debit card to pay for health care services, would not be covered by this part. However, this part does apply if a company clears health care claims, the health care claims activities remain subject to the requirements of this part.”) (H.R. Rep. No. 736, 104th Cong., 2nd Sess. 268-269 (1996))

D. Process for Developing National Standards

The Secretary has formulated a 5-part strategy for developing and implementing the standards mandated under Part C of title XI of the Act:

1. To ensure necessary interagency coordination and required interaction with other Federal departments and the private sector, establish interdepartmental implementation teams to identify and assess potential standards for adoption. The subject matter of the teams includes claims/encounters, identifiers, enrollment/eligibility, systems security, and medical coding/classification. Another team addresses cross-cutting issues and coordinates the subject matter teams. The teams consult with external groups such as the NCVHS’ Workgroup on Data Standards, WEDI, ANSI’s Health Informatics Standards Board, the NUCC, the NUBC, and the ADA. The teams are charged with developing regulations and other necessary documents and making recommendations for the various standards to the HHS’ Data Council through its Committee on Health Data Standards. (The HHS Data Council is the focal point for consideration of data policy issues. It reports directly to the Secretary and advises the Secretary on data standards and privacy issues.)
2. Develop recommendations for standards to be adopted.
3. Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period.
4. Analyze public comments and publish the final rules in the Federal Register.
5. Distribute standards and coordinate preparation and distribution of implementation guides.

This strategy affords many opportunities for involvement of interested and affected parties in standards development and adoption:

• Participate with standards development organizations.
• Provide written input to the NCVHS.
• Provide written input to the Secretary of HHS.
• Provide testimony at NCVHS’ public meetings.
• Comment on the proposed rules for each of the proposed standards.
• Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process.

The implementation teams charged with reviewing standards for designation as required national standards under the statute have defined, with significant input from the health care industry, a set of principles for guiding choices for the standards to be adopted by the Secretary. These principles are based on direct specifications in HIPAA and the purpose of the law, principles that are consistent with the regulatory philosophy set forth in Executive Order 12866 and the Paperwork Reduction Act of 1995. To be designated as a HIPAA standard, each standard should:

1. Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions.
2. Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
3. Be consistent and uniform with the other HIPAA standards --their data element definitions and codes and their privacy and security requirements--and, secondarily, with other private and public sector health data standards.
4. Have low additional development and implementation costs relative to the benefits of using the standard.
5. Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time.
6. Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
7. Be technologically independent of the computer platforms and transmission protocols used in electronic transactions, except when they are explicitly part of the standard.
8. Be precise and unambiguous, but as simple as possible.
9. Keep data collection and paperwork burdens on users as low as is feasible.
10. Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.

A master data dictionary providing for common data definitions across the standards selected for implementation under HIPAA will be developed and maintained. We intend for the data element definitions to be precise, unambiguous, and consistently applied. The transaction-specific reports and general reports from the master data dictionary will be readily available to the public. At a minimum, the information presented will include data element names, definitions, and appropriate references to the transactions where they are used.

This proposed rule would establish the standard health care provider identifier and is the first proposed standard under HIPAA. The remaining standards will be grouped, to the extent possible, by subject matter and audience in future regulations. We anticipate publishing several more separate documents to promulgate the remaining standards required under HIPAA.