HHS ADOPTS FINAL SECURITY STANDARDS, TRANSACTION MODIFICATIONS FOR ELECTRONIC HEALTH INFORMATION UNDER HIPAA

HHS Secretary Tommy G. Thompson today announced the adoption of final security standards for protecting individually identifiable health information when it is maintained or transmitted electronically. At the same time, he also announced the adoption of modifications to a number of the electronic transactions and code sets adopted as national standards.

Both final regulations are required as part of the administrative simplification provisions included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

"Overall, these national standards required under HIPAA will make it easier and less costly for the health care industry to process health claims and handle other transactions while assuring patients that their information will remain secure and confidential," Secretary Thompson said. "The security standards in particular will help safeguard confidential health information as the industry increasingly relies on computers for processing health care transactions."

Under the security standards announced today, health insurers, certain health care providers and health care clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care.

The security standards work in concert with the final privacy standards adopted by HHS last year and scheduled to take effect for most covered entities on April 14. The two sets of standards use many of the same terms and definitions in order to make it easier for covered entities to comply.

"We took great care to address every detail and produce a rule that health care providers will find easy to understand and implement," said Tom Scully, administrator of HHS' Centers for Medicare & Medicaid Services (CMS).

The security standards will be published as a final rule in the Feb. 20 Federal Register with an effective date of April 21, 2003. Most covered entities will have two full years -- until April 21, 2005 -- to comply with the standards; small health plans will have an additional year to comply, as HIPAA requires.

In a separate final regulation, HHS adopted modifications to the transaction standards, which health plans, certain health care providers and health care clearinghouses by law must use for electronic health care transactions. Covered entities must comply with these modified transaction standards by Oct. 16, 2003.

The final transaction modifications rule, which will also be published in the Federal Register on Feb. 20, combines two proposed rules published May 31, 2002. HHS worked extensively with the Designated Standards Maintenance Organizations (DSMOs) to revise the proposed changes to the standards, as required by Congress as part of HIPAA.

Major provisions of the final rule include:

• Repealing the National Drug Code (NDC) as the standard medical data code set for reporting drugs and biologics in all non-retail pharmacy transactions.
  
• Adopting the proposed Addenda to the implementation guides with some technical revisions based upon comments received and consultation with the DSMOs.
  
• For retail pharmacy transactions:
  • Adopting the National Council for Prescription Drug Programs (NCPDP) Batch Version 1.1 to support the Telecommunications Version 5.1.
  • Adopting the Accredited Standards Committee (ASC) X12N 835 as the standard for payment and remittance advice and the NCPDP Telecommunications Version 5.1 and NCPDP Batch Version 1.1. Implementation Guides as the standard for the referral certification and authorization transaction.
  • Continuing the use of the NDC code set for the reporting of drugs and biologics.

The rule also adopts modified standards for two transactions that were not included in the proposed rules -- premium payments, and coordination of benefits. The modifications were approved by the DMSOs and merely provide explanatory guidance.

CMS is responsible for implementing and enforcing the security standards, the transactions standards and other HIPAA administrative simplification provisions, except for the privacy standards. HHS' Office for Civil Rights is responsible for implementing and enforcing the privacy rule.

The complete text of both final rules will be available at the CMS website at http://www.cms.hhs.gov/hipaa/hipaa2. The full text of the Addenda to the transaction modifications rule will be available at http://hipaa.wpc-edi.com/HIPAAAddenda_40.asp.

More information about HIPAA standards is available at http://www.cms.hhs.gov/hipaa and http://www.aspe.hhs.gov/admnsimp/. A fact sheet summarizing the administrative simplification standards required by HIPAA is available at http://www.hhs.gov/news/press/2002pres/hipaa.html.

###