Policy Memorandum 2004-48
Exhibit 4

HEALTH CARE CLEARINGHOUSE
Background Document

TOC

TCS PROPOSED RULE – May 7, 1998
  25276
  25288
  25290
  25293
  25306
  25307

STANDARD UNIQUE PROVIDER IDENTIFIER PROPOSED RULE – May 7, 1998
  25325
  25335
  25348
  25355
  25356

SECURITY PROPOSED RULE – August 12, 1998
  43246
  43258
  43261
  43264
  43265

PRIVACY PROPOSED RULE – November 3, 1999
  59927
  59930
  60028
  60044
  60049
  60056

TCS FINAL RULE – August 17, 2000
  50316
  50319
  50360
  50366
  50369

PRIVACY FINAL RULE – December 28, 2000
  82477
  82488
  82509
  82572
  82717
  82720
  82799
  82829

STANDARD UNIQUE EMPLOYER IDENTIFIER RULE – May 31, 2002
  38011
  38018
  38020

SECURITY FINAL RULE – February 20, 2003
  8358
  8372
  8380

STANDARD UNIQUE PROVIDER IDENTIFIER FINAL RULE – January 23, 2004
  3443
  3450
  3460
  3468
  3469




                       TCS PROPOSED RULE – May 7, 1998

25276 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

4. Health care clearinghouse.

We would define ‘‘health care clearinghouse’’ as section 1171(2) of the Act does,
but we are adding a further, clarifying sentence. The statute defines a ‘‘health
care clearinghouse’’ as a public or private entity that processes or facilitates the
processing of nonstandard data elements of health information into standard data
elements. We would further explain that such an entity is one that currently
receives health care transactions from health care providers and other entities,
translates the data from a given format into one acceptable to the intended
recipient, and forwards the processed transaction to appropriate health plans and
other health care clearinghouses, as necessary, for further action.

There are currently a number of private clearinghouses that perform these
functions for health care providers. For purposes of this rule, we would consider
billing services, repricing companies, community health management information
systems or community health information systems, value-added networks, and
switches performing these functions to be health care clearinghouses.

25288 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

ii. Health care clearinghouses.

We would require in § 142.1106 that each health care clearinghouse use the
standard specified in § 142.1102 for health claims or equivalent encounter
information transactions.

25290 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

ii. Health care clearinghouses.

We would require in § 142.1206 that each health care clearinghouse use the
standard specified in § 142.1202 for payment and remittance advice
transactions.

25293 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

ii. Health care clearinghouses.

We would require in § 142.1506 that each health care clearinghouse use the
standard specified in § 142.1502 for enrollment and disenrollment transactions.



25306 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

Health care clearinghouse means a public or private entity that processes or
facilitates the processing of nonstandard data elements of health information into
standard data elements. The entity receives transactions from health care
providers, health plans, other entities, or other clearinghouses, translates the
data from a given format into one acceptable to the intended recipient, and
forwards the processed transaction to the appropriate recipient. Billing services,
repricing companies, community health management information systems,
community health information systems, and ‘‘value-added’’ networks and
switches are considered to be health care clearinghouses for purposes of this
part.

25307 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

§ 142.105 Compliance using a health care clearinghouse.

(a) Any person or other entity subject to the requirements of this part may meet
the requirements to accept and transmit standard transactions by either—
       (1) Transmitting and receiving standard data elements, or
       (2) Submitting nonstandard data elements to a health care clearinghouse
           for processing into standard data elements and transmission by the
           health care clearinghouse and receiving standard data elements
           through the health care clearinghouse.

(b) The transmission, under contract, of nonstandard data elements between a
health plan or a health care provider and its agent health care clearinghouse is
not a violation of the requirements of this part.






      STANDARD UNIQUE PROVIDER IDENTIFIER PROPOSED RULE – May 7, 1998

25325 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

2. Health care clearinghouse.

We would define ‘‘health care clearinghouse’’ as section 1171(2) of the Act does,
but we are adding a further, clarifying sentence. The statute defines a ‘‘health
care clearinghouse’’ as a public or private entity that processes or facilitates the
processing of nonstandard data elements of health information into standard data
elements. We would further explain that such an entity is one that currently
receives health care transactions from health care providers and other entities,
translates the data from a given format into one acceptable to the intended
recipient and forwards the processed transaction to appropriate health plans and
other clearinghouses, as necessary, for further action. There are currently a
number of private clearinghouses that perform these functions for health care
providers. For purposes of this rule, we would consider billing services, repricing
companies, community health management information systems or community
health information systems, value-added networks, and switches performing
these functions to be health care clearinghouses.

25335 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

3. Health care clearinghouses.

Health care clearinghouses would be required to use a health care provider’s NPI
on electronic standard transactions requiring an NPI that are submitted on the
health care provider’s behalf.

25348 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

2. Third Party Vendors

Third party vendors include third party processors/clearinghouses (including
value added networks), billing companies, and software system vendors. While
the market for third party vendors will change as a result of standardization,
these changes will be positive to the industry and its customers over the long
term. However, the short term/one time costs discussed above will apply to the
third party vendor community.

a. Clearinghouses and Billing Companies



As noted above, health care clearinghouses are entities that take health care
transactions, convert them into standardized formats acceptable to the receiver,
and forward them on to the insurer. Billing companies take on the administrative
functions of a physician’s office. The market for clearinghouse and billing
company services will definitely be affected by the HIPAA administrative
simplification provisions; however there appears to be some debate on how the
market for these services will be affected. It is likely that competition among
health care clearinghouses and billing companies will increase over time. This is
because standards would reduce some of the technical limitations that currently
inhibit health care providers from conducting their own EDI. For example, by
eliminating the requirement to maintain several different claims standards for
different trading partners, health care providers will be able to more easily link
themselves directly to health plans. This could negatively affect the market for
health care clearinghouses and system vendors that do translation services;
however, standards should increase the efficiency in which health care
clearinghouses operate by allowing them to more easily link to multiple health
plans. The increased efficiency in operations resulting from standards could, in
effect, lower their overhead costs as well as attract new health care
clearinghouse customers to offset any loss in market share that they might
experience.

Another potential area of change is that brought about through standardized
code sets. Standards would lower costs and break down logistical barriers that
discouraged some health care providers from doing their own coding and billing.
As a result, some health care providers may choose an in-house transaction
system rather than using a billing company as a means of exercising more
control over information. Conversely, health care clearinghouses may acquire
some short-term increase in business from those health care providers that are
automated but do not use the selected standards.

These health care providers would hire health care clearinghouses to take data
from the nonstandard formats they are using and convert them into the
appropriate standards. Generally, we would also expect health care
clearinghouses to identify opportunities to add value to transaction processing
and to find new business opportunities, either in marketing promotional materials
or in training health care providers on the new transaction sets. Standards would
increase the efficiency of health care clearinghouses, which could in turn drive
costs for these services down. Health care clearinghouses may be able to
operate more efficiently or at a lower cost based on their ability to gain market
share. Some small billing companies may be consumed by health care
clearinghouses that may begin offering billing services to augment their health
care clearinghouse activities. However, most health care providers that use
billing companies would probably continue to do so because of the
comprehensive and personalized services these companies offer.

Value added networks do not manipulate data but rather transmit data in its
native form over telecommunication lines. We anticipate that the demand for
value added network services would increase as additional health care providers
and health plans move to electronic data exchange. Standards would eliminate
the need for data to be reformatted, which would allow health care providers to
purchase value added network services individually rather than as a component
of the full range of clearinghouse services.

25350 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

c. Health care clearinghouses.

Health care clearinghouses would face impacts (both positive and negative)
similar to those experienced by health plans. However, implementation would
likely be more complex, because health care clearinghouses deal with many
health care providers and health plans and would have to accommodate both old
and new health care provider identifiers until all health plans with which they deal
have converted.

25355 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

§ 142.103 Definitions.

Health care clearinghouse means a public or private entity that processes or
facilitates the processing of nonstandard data elements of health information into
standard data elements. The entity receives health care transactions from health
care providers, health plans, other entities, or other clearinghouses, translates
the data from a given format into one acceptable to the intended recipient, and
forwards the processed transaction to the appropriate recipient. Billing services,
repricing companies, community health management information systems,
community health information systems, and ‘‘value-added’’ networks and
switches that perform these functions are considered to be health care
clearinghouses for purposes of this part.

25356 Federal Register / Vol. 63, No. 88 / Thursday, May 7, 1998 / Proposed Rules

§ 142.105 Compliance using a health care clearinghouse.

(a) Any person or other entity subject to the requirements of this part may meet
the requirements to accept and transmit standard transactions by either—
       (1) Transmitting and receiving standard data elements, or
       (2) Submitting nonstandard data elements to a health care clearinghouse
           for processing into standard data elements and transmission by the
           health care clearinghouse and receiving standard data elements
           through the health care clearinghouse.

(b) The transmission, under contract, of nonstandard data elements between a
health plan or a health care provider and its agent health care clearinghouse is
not a violation of the requirements of this part.



                SECURITY PROPOSED RULE – August 12, 1998

43246 Federal Register / Vol. 63, No. 155 / Wednesday, August 12, 1998 / Proposed Rules

2. Health Care Clearinghouse

We would define ‘‘health care clearinghouse’’ as section 1171(2) of the Act does,
but we are adding a further, clarifying sentence. The statute defines a ‘‘health
care clearinghouse’’ as a public or private entity that processes or facilitates the
processing of nonstandard data elements of health information into standard data
elements. We would further explain that such an entity is one that currently
receives health care transactions from health care providers or other entities,
translates the data from a given format into one acceptable to the intended
recipient and forwards the processed transaction to appropriate payers and
clearinghouses, as necessary, for further action. There are currently a number of
private clearinghouses that perform this function for health care providers. For
purposes of this rule, we would consider billing services, repricing companies,
community health management information systems or community health
information systems, value-added networks, and switches that perform this
function to be health care clearinghouses.

43258 Federal Register / Vol. 63, No. 155 / Wednesday, August 12, 1998 / Proposed Rules

2. Health Care Clearinghouses

   a. We would require in § 142.306(b) that each health care clearinghouse
      comply with the security standard to ensure all health care information and
      activities are protected from unauthorized access. If the clearinghouse is
      part of a larger organization, then security must be imposed to prevent
      unauthorized access by the larger organization. The security standards
      apply to all health information pertaining to an individual that is
      electronically maintained or electronically transmitted.
   b. In § 142.310(a), entities would not be required to use an electronic
      signature. However, if a plan elects to use an electronic signature in one
      of the transactions named in the law, it would be required to apply the
      electronic signature standard described in § 142.310(b) to that transaction.
      In the future, we anticipate that the standards for other transactions may
      include requirements for signatures. In particular, the proposed standard
      for claims attachments, which will be issued in a separate regulations
      package later, may include signature requirements on some or all of the
      attachments. If the proposed attachments standard includes such
      signature requirements, we will address the issue of how to reconcile such
      requirements with existing State and Federal requirements for written
      signatures as part of the proposed rule.

43261 Federal Register / Vol. 63, No. 155 / Wednesday, August 12, 1998 / Proposed Rules

3. Clearinghouses

Health care clearinghouses would face impacts similar to those experienced by
health care providers and health plans.
Systems vendors, that provide computer software applications to health care
providers and other billers of health care services, would likely be positively
affected. These vendors would have to develop software solutions that would
allow health care providers and other billers of health care transactions to protect
the information in their databases from unwanted access to their systems.

43264 Federal Register / Vol. 63, No. 155 / Wednesday, August 12, 1998 / Proposed Rules

Health care clearinghouse means a public or private entity that processes or
facilitates the processing of nonstandard data elements of health information into
standard data elements. The entity receives health care transactions from health
care providers or other entities, translates the data from a given format into one
acceptable to the intended payer or payers, and forwards the processed
transaction to appropriate payers and clearinghouses. Billing services, repricing
companies, community health management information systems, community
health information systems, and ‘‘value-added’’ networks and switches are
considered to be health care clearinghouses for purposes of this part.

43265 Federal Register / Vol. 63, No. 155 / Wednesday, August 12, 1998 / Proposed Rules

§ 142.105 Compliance using a health care clearinghouse.

(a) Any person or other entity subject to the requirements of this part may meet
the requirements to accept and transmit standard transactions by either—
       (1) Transmitting and receiving standard data elements; or
       (2) Submitting nonstandard data elements to a health care clearinghouse
           for processing into standard data elements and transmission by the
           health care clearinghouse and receiving standard data elements
           through the health care clearinghouse.

(b) The transmission, under contract, of nonstandard data elements between a
health plan or a health care provider and its agent health care clearinghouse is
not a violation of the requirements of this part.





                PRIVACY PROPOSED RULE – November 3, 1999

59927 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

A health care clearinghouse would be a public or private entity that processes or
facilitates the processing of nonstandard data elements of health information into
standard data elements. See section 1171(2) of the Act. For purposes of this
rule, we would consider billing services, repricing companies, community health
management information systems or community health information systems,
‘‘value-added’’ networks, switches and similar organizations to be health care
clearinghouses for purposes of this part only if they actually perform the same
functions as a health care clearinghouse. See discussion of the definition in
section II.B.

59930 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

4. Health care clearinghouse. We would define ‘‘health care clearinghouse’’ as
defined by section 1171(2) of the Act. The Act defines a ‘‘health care
clearinghouse’’ as a ‘‘public or private entity that processes or facilitates the
processing of nonstandard data elements of health information into standard data
elements.’’ In practice, clearinghouses receive transactions from health care
providers, health plans, other health care clearinghouses, or business partners of
such entities, and other entities, translate the data from a given format into one
acceptable to the entity receiving the transaction, and forward the processed
transaction to that entity. There are currently a number of private clearinghouses
that contract or perform this function for health care providers. For purposes of
this rule, we would consider billing services, repricing companies, community
health management information systems or community health information
systems, ‘‘value-added’’ networks, switches and similar organizations to be health
care clearinghouses for purposes of this part only if they actually perform the
same functions as a health care clearinghouse. We would note that we are
proposing to exempt clearinghouses from a number of the provisions of this rule
that would apply to other covered entities (see §§ 164.512, 164.514 and 164.516
below), because in most cases we do not believe that clearinghouses would be
dealing directly with individuals. In many instances, clearinghouses would be
considered business partners under this rule and would be bound by their
contracts with covered plans and providers. See proposed § 164.506(e). We
would adopt this position with the caveat that the exemptions would be void for
any clearinghouse that had direct contact with individuals in a capacity other than
that of a business partner.


60028 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

10. Clearinghouses and the Rights of Individuals
        The rights described below would apply with respect to protected health
information held by health care providers and health plans. We are proposing
that clearinghouses not be subject to all of these requirements. We believe that
as business partners of covered plans and providers, clearinghouses would not
usually initiate or maintain direct relationships with individuals. The contractual
relationship between a clearinghouse (as a business partner) and a covered plan
or provider would bind the clearinghouse to the notice of information practices
developed by the plan or provider and it would include specific provisions
regarding inspection, copying, amendment and correction. Therefore, we do not
believe that clearinghouses should be required to provide a notice or provide
access for inspection, copying, amendment or correction. We would require
clearinghouses to provide an accounting of any disclosures for purposes other
than treatment, payment and health care operations to individuals upon request.
See proposed § 164.515. It is our understanding that the vast majority of the
clearinghouse function falls within the scope of treatment, payment, and health
care operations and therefore we do not believe providing this important right to
individuals would impose a significant burden on the industry. We invite comment
on whether or not we should require clearinghouses to comply with all of the
provisions of the individual rights section.

60044 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

Clearinghouses and Nonprofit Entities

       We should note that the above discussion does not consider health care
clearinghouses, nonprofit hospitals, home health agencies, or nursing and skilled
nursing facilities. To the extent that clearinghouses and nonprofit facilities have
annual receipts of less than $5 million, they were included in the preceding
analysis. Although we do not have precise information on the number of
clearinghouses that qualify as small entities under the RFA, we believe that
approximately half would meet the criteria. As noted in the regulatory impact
analysis, as long as clearinghouses perform the function of merely reformatting
information they receive and transmitting the data to other entities, the cost of
complying with the proposed rule should be minimal.
       A similar logic applies for nonprofit health plans and hospitals. We do
know how many nonprofit organizations currently exist in the U.S., but do not
have reliable revenue and expenditure data for these entities. In the absence of
such data, we assume that nonprofit entities have a similar ratio of revenues to
expenditures as the for-profit entities we have examined. Thus, we believe that
the impact of complying with the proposed rule should be similar to that
described for-profit plans and hospitals. The preceding analysis indicates that the
expected burden on small entities of implementing the proposed rule would be
minimal. However, by necessity, the analysis is based on average costs, and as
such, they may not reflect the actual burden on some or even a substantial
number of small entities. Therefore, the Secretary does not certify that the
proposed rule will not have a significant impact on a substantial number of small
entities.

60049 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

§ 160.103 Definitions.

        Health care clearinghouse means a public or private entity that processes
or facilitates the processing of nonstandard data elements of health information
into standard data elements. The entity receives health care transactions from
health care providers or other entities, translates the data from a given format
into one acceptable to the intended payer or payers, and forwards the processed
transaction to appropriate payers and clearinghouses. Billing services, repricing
companies, community health management information systems, community
health information systems, and ‘‘value-added’’ networks and switches are
considered to be health care clearinghouses for purposes of this part, if they
perform the functions of health care clearinghouses as described in the
preceding sentences.

60056 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

§ 164.510 Uses and disclosures for which individual authorization is not
required.
(2) Health care clearinghouses. A health care clearinghouse that uses or
discloses protected health information it maintains as a business partner of a
covered entity may not make uses or disclosures otherwise permitted under this
section that are not permitted by the terms of its contract with the covered entity
under § 164.506(e).







                         TCS FINAL RULE – August 17, 2000

50316 Federal Register / Vol. 65, No. 160 / Thursday, August 17, 2000 / Rules and Regulations

5. Role of Health Care Clearinghouses

Proposal Summary: Health care clearinghouses would be able to accept
nonstandard transactions for the sole purpose of translating them into standard
transactions for sending customers and would be able to accept standard
transactions and translate them into nonstandard formats for receiving customers
(63 FR 25276).

        Comment: Several commenters believe health care clearinghouses are
excepted from accepting the standards. Other commenters believe that allowing
health care providers to use a health care clearinghouse will negate
administrative simplification. There was also concern that entities may designate
themselves as a health care clearinghouse to avoid compliance. Several
commenters also requested that we clarify who is responsible for health care
clearinghouse costs and state that contracts cannot require health care providers
to use nonstandard formats.
        Response: First, we clarify that a health care clearinghouse is a covered
entity and must comply with these rules. Accordingly, all transactions covered by
this part between health care clearinghouses must be conducted as standard
transactions. However, the statute permits a covered entity to submit
nonstandard communications to a health care clearinghouse for processing into
standard transactions and transmission by the health care clearinghouse as well
as receive standard transactions through the health care clearinghouse.
        If a covered entity (for example, a health care provider) uses a health care
clearinghouse to submit and receive nonstandard/standard transactions, the
health care clearinghouse is the covered entity’s business associate. If a health
plan operates as a health care clearinghouse, or requires the use of a health
care clearinghouse, a health care provider may submit standard transactions to
that health plan through the health care clearinghouse. However, the health care
provider must not be adversely affected, financially or otherwise, by doing so.
(For example, the costs of submitting a standard transaction to a health plan’s
health care clearinghouse must not be in excess of the costs of submitting a
standard transaction directly to the health plan.)
        In § 162.915, we clarify what a trading partner agreement that a covered
entity enters into may not do. Section 162.923 specifies that a covered entity
conducting a transaction covered under this rule with another covered entity (or
within the same covered entity) using electronic media must conduct the
transaction as a standard transaction, with an exception for direct data entry.
Section 162.925 makes it clear that a health plan may not offer an incentive for a
health care provider to conduct a transaction covered by this part under the direct
data entry exception.

50319 Federal Register / Vol. 65, No. 160 / Thursday, August 17, 2000 / Rules and
Regulations

2. Health Care Clearinghouse

        Comment: Several commenters requested that the definition of a health
care clearinghouse be reworded. Of particular concern was the reference to
other entities, such as billing services, repricing companies, etc. Commenters
stated the definition would preclude these other entities from using a health care
clearinghouse for format translation and data conversion. Several commenters
stated health care clearinghouses play roles other than data and format
conversion as described in the proposed rule.
        Response: If an entity does not perform the functions of format translation
and data conversion, it is not considered a health care clearinghouse under our
definition. Billing services, for example, are often extensions of a health care
provider’s office, primarily performing data entry of health care claims and
reconciling the payments received from a health plan. Health care providers may
use health care clearinghouses for format translation and other services a health
care clearinghouse provides. We agree the definition should be reworded and
have revised the definition in § 160.103.

50360 Federal Register / Vol. 65, No. 160 / Thursday, August 17, 2000 / Rules and Regulations

2. Third Party Vendors

Third party vendors include third party processors/health care clearinghouses
(including value added networks), billing companies, and software system
vendors. While the market for third party vendors will change as a result of
standardization, these changes will be positive for the industry and its customers
over the long term. However, the short term/one time costs discussed above will
apply to the third party vendor community.

        a. Health Care Clearinghouses and Billing Companies. As noted above,
health care clearinghouses are entities that take health care transactions, convert
them into standardized formats, and forward them to the insurer. Billing
companies take on the administrative functions of a physician’s office. The
market for health care clearinghouse and billing company services will definitely
be affected by the HIPAA administrative simplification provisions; however, there
appears to be some debate on how the market for these services will be affected.
        It is likely that competition among health care clearinghouses and billing
companies will increase over time as standards reduce some of the technical
limitations that currently inhibit health care providers from conducting their own
EDI. For example, by eliminating the requirement to maintain several different
claims standards for different trading partners, health care providers will be able
to more easily link themselves directly to health plans. This could negatively
affect the market for health care clearinghouses and system vendors that do
translation services; however, standards should increase the efficiency in which
health care clearinghouses operate by allowing them to more easily link to
multiple health plans. The increased efficiency in operations resulting from
standards could, in effect, lower their overhead costs as well as attract new
health care clearinghouse customers to offset any loss in market share that they
might experience.
        Another potential area of change is that brought about through
standardized code sets. Standard code sets will lower costs and break down
logistical barriers that discouraged some health care providers from doing their
own coding and billing. As a result, some health care providers may choose an
in-house transaction system rather than using a billing company as a means of
exercising more control over information. Conversely, health care clearinghouses
may acquire some short-term increase in business from those health care
providers that are automated but do not use the selected standards.
        These health care providers will hire health care clearinghouses to take
data from the nonstandard formats they are using and convert them into the
appropriate standards. Generally, health care clearinghouses can also be
expected to identify opportunities in which they could add value to transaction
processing and to find new business opportunities, such as in training health care
providers on the new transaction sets. Standards will increase the efficiency of
health care clearinghouses, which could in turn drive costs for these services
down. Health care clearinghouses may be able to operate more efficiently or at a
lower cost based on their ability to gain market share. Some small billing
companies may be consumed by health care clearinghouses that may begin
offering billing services to augment their health care clearinghouse activities.
However, most health care providers that use billing companies will probably
continue to do so because of the comprehensive and personalized services
these companies offer. Value added networks transmit data over
telecommunication lines. We anticipate that the demand for value added network
services will increase as additional health care providers and health plans move
to electronic data exchange. Standards will eliminate the need for data to be
reformatted, which will allow health care providers to purchase value added
network services individually rather than as a component of the full range of
health care clearinghouse services.

50366 Federal Register / Vol. 65, No. 160 / Thursday, August 17, 2000 / Rules and
Regulations

Health care clearinghouse means a public or private entity that does either of the
following (Entities, including but not limited to, billing services, repricing
companies, community health management information systems or community
health information systems, and ‘‘value-added’’ networks and switches are health
care clearinghouses for purposes of this subchapter if they perform these
functions.):
(1) Processes or facilitates the processing of information received from another
entity in a nonstandard format or containing nonstandard data content into
standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or
facilitates the processing of information into nonstandard format or nonstandard
data content for a receiving entity.

50369 Federal Register / Vol. 65, No. 160 / Thursday, August 17, 2000 / Rules and
Regulations

§ 162.930 Additional rules for health care clearinghouses.

When acting as a business associate for another covered entity, a health care
clearinghouse may perform the following functions:
(a) Receive a standard transaction on behalf of the covered entity and translate it
into a nonstandard transaction (for example, nonstandard format and/or
nonstandard data content) for transmission to the covered entity.
(b) Receive a nonstandard transaction (for example, nonstandard format and/or
nonstandard data content) from the covered entity and translate it into a standard
transaction for transmission on behalf of the covered entity.


                    PRIVACY FINAL RULE – December 28, 2000

82477 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and
Regulations

Health Care Clearinghouse
        In the NPRM, we defined ‘‘health care clearinghouse’’ as a public or
private entity that processes or facilitates the processing of nonstandard data
elements of health information into standard data elements. The entity receives
health care transactions from health care providers or other entities, translates
the data from a given format into one acceptable to the intended payor or payors,
and forwards the processed transaction to appropriate payors and
clearinghouses. Billing services, re-pricing companies, community health
management information systems, community health information systems, and
‘‘value-added’’ networks and switches would have been considered to be health
care clearinghouses for purposes of this part, if they perform the functions of
health care clearinghouses as described in the preceding sentences.
        In the final regulation, we modify the definition of health care
clearinghouse to reflect changes in the definition published in the Transactions
Rule. The definition in the final rule is: Health care clearinghouse means a public
or private entity, including billing services, re-pricing companies, community
health management information systems or community health information
systems, and ‘‘value-added’’ networks and switches, that does either of the
following functions:
        (1) Processes or facilitates the processing of health information
            received from another entity in a nonstandard format or
            containing nonstandard data content into standard data elements
            or a standard transaction.
        (2) Receives a standard transaction from another entity and
            processes or facilitates the processing of health information into
            nonstandard format or nonstandard data content for the receiving
            entity.
        We note here that the term health care clearinghouse may have other
meanings and connotations in other contexts, but the regulation defines it
specifically, and an entity is considered a health care clearinghouse only to the
extent that it meets the criteria in this definition. Telecommunications entities that
provide connectivity or mechanisms to convey information, such as telephone
companies and Internet Service Providers, are not health care clearinghouses as
defined in the rule unless they actually carry out the functions outlined in our
definition. Value added networks and switches are not health care
clearinghouses unless they carry out the functions outlined in the definition. The
examples of entities in our proposed definition we continue to consider to be
health care clearinghouses, as well as any other entities that meet that definition,
to the extent that they perform the functions in the definition.
        In order to fall within this definition of clearinghouse, the covered entity
must perform the clearinghouse function on health information received from
some other entity. A department or component of a health plan or health care
provider that transforms nonstandard information into standard data elements or
standard transactions (or vice versa) is not a clearinghouse for purposes of this
rule, unless it also performs these functions for another entity. As described in
more detail in § 164.504(d), we allow affiliates to perform clearinghouse functions
for each other without triggering the definition of ‘‘clearinghouse’’ if the conditions
in § 164.504(d) are met.


82488 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and
Regulations

        The revised language provides that clearinghouses are not subject to
certain requirements in the rule when acting as business associates of other
covered entities. As revised, a clearinghouse acting as a business associate is
subject only to the provisions of this section, to the definitions, to the general
rules for uses and disclosures of protected health information (subject to
limitations), to the provision relating to health care components, to the provisions
relating to uses and disclosures for which consent, individual authorization or an
opportunity to agree or object is not required (subject to limitations), to the
transition requirements and to the compliance date. With respect to the uses and
disclosures authorized under § 164.502 or § 164.512, a clearinghouse acting as
a business associate is not authorized by the rule to make any use or disclosure
not permitted by its business associate contract. Clearinghouses acting as
business associates are not subject to the other requirements of this rule, which
include the provisions relating to procedural requirements, requirements for
obtaining consent, individual authorization or agreement, provision of a notice,
individual rights to request privacy protection, access and amend information and
receive an accounting of disclosures and the administrative requirements.
       We note that, even as business associates, clearinghouses remain
covered entities. Clearinghouses, like other covered entities, are responsible
under this regulation for abiding by the terms of business associate contracts.
For example, while the provisions regarding individuals’ access to and right to
request corrections to protected health information about them apply only to
health plans and covered health care providers, clearinghouses may have some
responsibility for providing such access under their business associate contracts.
A clearinghouse (or any other covered entity) that violates the terms of a
business associate contract also is in direct violation of this rule and, as a
covered entity, is subject to compliance and enforcement action.





82509 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and
Regulations

Section 164.504(g)—Multiple Covered Function Entities
        Although not addressed in the proposed rule, this final rule also
recognizes that a covered entity may as a single legal entity, affiliated entity, or
other arrangement combine the functions or operations of health care providers,
health plans and health care clearinghouses (for example, integrated health
plans and health care delivery systems may function as both health plans and
health care providers). The rule permits such covered entities to use or disclose
the protected health information of its patients or members for all covered entity
functions, consistent with the other requirements of this rule. The health care
component must meet the requirements of this rule that apply to a particular type
of covered entity when it is functioning as that entity; e.g., when a health care
component is operating as a health care provider it must meet the requirements
of this rule applicable to a health care provider. However, such covered entities
may not use or disclose the protected health information of an individual who is
not involved in a particular covered entity function for that function, and such
information must be segregated from any joint information systems. For example,
an HMO may integrate data about health plan members and clinic services to
members, but a health care system may not share information about a patient in
its hospital with its health plan if the patient is not a member of the health plan.

82572 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and
Regulations

Health Care Clearinghouse
        Comment: The largest set of comments relating to health care
clearinghouses focused on our proposal to exempt health care clearinghouses
from the patient notice and access rights provisions of the regulation. In our
NPRM, we proposed to exempt health care clearinghouses from certain
provisions of the regulation that deal with the covered entities’ notice of
information practices and consumers’ rights to inspect, copy, and amend their
records. The rationale for this exemption was based on our belief that health care
clearinghouses engage primarily in business-to-business transactions and do not
initiate or maintain direct relationships with individuals. We proposed this position
with the caveat that the exemptions would be void for any health care
clearinghouse that had direct contact with individuals in a capacity other than that
of a business partner. In addition, we indicated that, in most instances,
clearinghouses also would be considered business partners under this rule and
would be bound by their contracts with covered plans and providers. They also
would be subject to the notice of information practices developed by the plans
and providers with whom they contract. Commenters stated that, although health
care clearinghouses do not have direct contact with individuals, they do have
individually identifiable health information that may be subject to misuse or
inappropriate disclosure.
        They expressed concern that we were proposing to exempt health care
clearinghouses from all or many aspects of the regulation. These commenters
suggested that we either delete the exemption or make it very narrow, specific
and explicit in the final regulatory text.
        Clearinghouse commenters, on the other hand, were in agreement with
our proposal, including the exemption provision and the provision that the
exemption is voided when the entity does have direct contact with individuals.
They also stated that a health care clearinghouse that has a direct contact with
individuals is no longer a health care clearinghouse as defined and should be
subject to all requirements of the regulation.
        Response: In the final rule, where a clearinghouse creates or receives
protected health information as a business associate of another covered entity,
we maintain the exemption for health care clearinghouses from certain provisions
of the regulation dealing with the notice of information practices and patient’s
direct access rights to inspect, copy and amend records (§§ 164.524 and
164.526), on the grounds that a health care clearinghouse is engaged in
business-to-business operations, and is not dealing directly with individuals.
Moreover, as business associates of plans and providers, health care
clearinghouses are bound by the notices of information practices of the covered
entities with whom they contract. Where a health care clearinghouse creates or
receives protected health information other than as a business associate,
however, it must comply with all the standards, requirements, and
implementation specifications of the rule. We describe and delimit the exact
nature of the exemption in the regulatory text. See § 164.500(b). We will monitor
developments in this sector should the basic business-to-business relationship
change.

         Comment: A number of comments relate to the proposed definition of
health care clearinghouse. Many commenters suggested that we expand the
definition. They suggested that additional types of entities be included in the
definition of health care clearinghouse, specifically medical transcription services,
billing services, coding services, and ‘‘intermediaries.’’ One commenter
suggested that the definition be expanded to add entities that receive standard
transactions, process them and clean them up, and then send them on, without
converting them to any standard format. Another commenter suggested that the
health care clearinghouse definition be expanded to include entities that do not
perform translation but may receive protected health information in a standard
format and have access to that information. Another commenter stated that the
list of covered entities should include any organization that receives or maintains
individually identifiable health information. One organization recommended that
we expand the health care clearinghouse definition to include the concept of a
research data clearinghouse, which would collect individually identifiable health
information from other covered entities to generate research data files for release
as de-identified data or with appropriate confidentiality safeguards. One
commenter stated that HHS had gone beyond Congressional intent by including
billing services in the definition.
        Response: We cannot expand the definition of ‘‘health care
clearinghouse’’ to cover entities not covered by the definition of this term in the
statute. In the final regulation, we make a number of changes to address public
comments relating to definition. We modify the definition of health care
clearinghouse to conform to the definition published in the Transactions Rule
(with the addition of a few words, as noted above). We clarify in the preamble
that, while the term ‘‘health care clearinghouse’’ may have other meanings and
connotations in other contexts, for purposes of this regulation an entity is
considered a health care clearinghouse only to the extent that it actually meets
the criteria in our definition. Entities performing other functions but not meeting
the criteria for a health care clearinghouse are not clearinghouses, although they
may be business associates. Billing services are included in the regulatory
definition of ‘‘health care clearinghouse,’’ if they perform the specified
clearinghouse functions. Although we have not added or deleted any entities
from our original definition, we will monitor industry practices and may add other
entities in the future as changes occur in the health system.

        Comment: Several commenters suggested that we clarify that an entity
acting solely as a conduit through which individually identifiable health
information is transmitted or through which protected health information
flows but is not stored is not a covered entity, e.g., a telephone company or
Internet Service Provider. Other commenters indicated that once a transaction
leaves a provider or plan electronically, it may flow through several entities
before reaching a clearinghouse. They asked that the regulation protect the
information in that interim stage, just as the security NPRM established a chain of
trust arrangement for such a network. Others noted that these ‘‘conduit’’ entities
are likely to be business partners of the provider, clearinghouse or plan, and we
should clarify that they are subject to business partner obligations as in the
proposed Security Rule.
        Response: We clarify that entities acting as simple and routine
communications conduits and carriers of information, such as telephone
companies and Internet Service Providers, are not clearinghouses as defined in
the rule unless they carry out the functions outlined in our definition. Similarly, we
clarify that value added networks and switches are not health care
clearinghouses unless they carry out the functions outlined in the definition, and
clarify that such entities may be business associates if they meet the definition in
the regulation.

        Comment: Several commenters, including the large clearinghouses and
their trade associations, suggested that we not treat health care clearinghouses
as playing a dual role as covered entity and business partner in the final rule
because such a dual role causes confusion as to which rules actually apply to
clearinghouses. In their view, the definition of health care clearinghouse is
sufficiently clear to stand alone and identify a health care clearinghouse as a
covered entity, and allows health care clearinghouses to operate under one
consistent set of rules.
        Response: For reasons explained in § 164.504 of this preamble, we do
not create an exception to the business associate requirements when the
business associate is also a covered entity. We retain the concept that a health
care clearinghouse may be a covered entity and a business associate of a
covered entity under the regulation. As business associates, they would be
bound by their contracts with covered plans and providers.

82717 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and
Regulations

       Comment: A few commenters suggested we prohibit health care
clearinghouses from seeking authorization for the use or disclosure of protected
health information for marketing purposes.
       Response: We do not prohibit clearinghouses from seeking authorizations
for these purposes. We believe, however, that health care clearinghouses will
almost always create or obtain protected health information in a business
associate capacity. Business associates may only engage in activities involving
the use or disclosure of protected health information, including seeking or acting
on an authorization, to the extent their contracts allow them to do so. When a
clearinghouse creates or receives protected health information other than as a
business associate of a covered entity, it is permitted and required to obtain
authorizations to the same extent as any other covered entity.

82720 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and
Regulations

Section 164.520—Notice of Privacy Practices for Protected Health
Information
        Comment: Many commenters supported the proposal to require covered
entities to produce a notice of information practices. They stated that such notice
would improve individuals’ understanding of how their information may be used
and disclosed and would help to build trust between individuals and covered
entities. A few comments, however, argued that the notice requirement would be
administratively burdensome and expensive without providing significant benefit
to individuals.
        Response: We retain the requirement for covered health care providers
and health plans to produce a notice of information practices. We additionally
require health care clearinghouses that create or receive protected health
information other than as a business associate of another covered entity to
produce a notice. We believe the notice will provide individuals with a clearer
understanding of how their information may be used and disclosed and is
essential to inform individuals of their privacy rights. The notice will focus
individuals on privacy issues, and prompt individuals to have discussions about
privacy issues with their health plans, health care providers, and other persons.
        The importance of providing individuals with notice of the uses and
disclosures of their information and of their rights with respect to that information
is well supported by industry groups, and is recognized in current state and
federal law. The July 1977 Report of the Privacy Protection Study Commission
recommended that ‘‘each medical-care provider be required to notify an
individual on whom it maintains a medical record of the disclosures that may be
made of information in the record without the individual’s express authorization.’’
23 The Commission also recommended that ‘‘an insurance institution * * * notify
(an applicant or principal insured) as to: * * * the types of parties to whom and
circumstances under which information about the individual may be disclosed
without his authorization, and the types of information that may be disclosed;
[and] * * * the procedures whereby the individual may correct, amend, delete, or
dispute any resulting record about himself.’’ 24 The Privacy Act (5 U.S.C. 552a)
requires government agencies to provide notice of the routine uses of information
the agency collects and the rights individuals have with respect to that
information. In its report ‘‘Best Principles for Health Privacy,’’ the Health Privacy
Working Group stated, ‘‘Individuals should be given notice about the use and
disclosure of their health information and their rights with regard to that
information.’’ 25 The National Association of Insurance Commissioners’ Health
Information Privacy Model Act requires carriers to provide a written notice of
health information policies, standards, and procedures, including a description of
the uses and disclosures prohibited and permitted by the Act, the procedures for
authorizing and limiting disclosures and for revoking authorizations, and the
procedures for accessing and amending protected health information. Some
states require additional notice. For example, Hawaii requires health care
providers and health plans, among others, to produce a notice of confidentiality
practices, including a description of the individual’s privacy rights and a
description of the uses and disclosures of protected health information permitted
under state law without the individual’s authorization. (HRS section 323C–13)
        Today, health plan hand books and evidences of coverage include some
of what is required to be in the notice. Industry and standard-setting
organizations have also developed notice requirements. The National
Committee for Quality Assurance accreditation guidelines state that an
accredited managed care organization ‘‘communicates to prospective members
its policies and practices regarding the collection, use, and disclosure of medical
information [and] * * * informs members * * * of its policies and procedures on * *
* allowing members access to their medical records.’’ 26 Standards of the
American Society for Testing and Materials state, ‘‘Organizations and individuals
who collect, process, handle, or maintain health information should provide
individuals and the public with a notice of information practices.’’ They
recommend that the notice include, among other elements, ‘‘a description of the
rights of individuals, including the right to inspect and copy information and the
right to seek amendments [and] a description of the types of uses and
disclosures that are permitted or required by law without the individual’s
authorization.’’ 27 We build on this well-established principle in this final rule.

82799 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and
Regulations

Health care clearinghouse means a public or private entity, including a billing
service, re-pricing company, community health management information system
or community health information system, and ‘‘value-added’’ networks and
switches, that does either of the following functions:
       (1)        Processes or facilitates the processing of health information
                  received from another entity in a nonstandard format or
                  containing nonstandard data content into standard data elements
                  or a standard transaction.
       (2)        Receives a standard transaction from another entity and
                  processes or facilitates the processing of health information into
                  nonstandard format or nonstandard data content for the receiving
                  entity.

82829 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and
Regulations

(c) Health care clearinghouses. A health care clearinghouse must comply with
the applicable requirements of this subpart no later than February 26, 2003. [FR
Doc. 00–32678 Filed 12–20–00; 11:21 am]







     STANDARD UNIQUE EMPLOYER IDENTIFIER RULE – May 31, 2002

38011 Federal Register / Vol. 67, No. 105 / Friday, May 31, 2002 / Rules and Regulations

2. Health care clearinghouses.

We proposed to require in § 142.606 that each health care clearinghouse use the
EIN on all standard transactions that require an employer identifier to identify a
person or entity as an employer.

38018 Federal Register / Vol. 67, No. 105 / Friday, May 31, 2002 / Rules and Regulations

c. Health Care Clearinghouses

Health care clearinghouses will have to modify their systems to use the EIN if
they do not currently use the EIN to identify the employer in standard electronic
health transactions that require an employer identifier. In most cases, health care
clearinghouses currently use the EIN of the employer in those standard
transactions that require an employer identifier. Health care clearinghouses
currently using an employer identifier other than the EIN will have a one-time cost
impact.

38020 Federal Register / Vol. 67, No. 105 / Friday, May 31, 2002 / Rules and Regulations

(c) Health care clearinghouses. Health care clearinghouses must comply with the
requirements of this subpart no later than July 30, 2004.






                   SECURITY FINAL RULE – February 20, 2003

8358 Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations

1. Health Care Clearinghouses

The proposed rule proposed that if a health care clearinghouse were part of a
larger organization, it would be required to ensure that all health information
pertaining to an individual is protected from unauthorized access by the larger
organization; this statement closely tracked the statutory language in section
1173(d)(1)(B) of the Act. Since the point of the statutory language is to ensure
that health care information in the possession of a health care clearinghouse is
not inappropriately accessed by the larger organization of which it is a part, this
final rule implements the statutory language through the information access
management provision of § 164.308(a)(4)(ii)(A).

The final rule, at § 164.105, makes the health care component and affiliated
entity standards of the Privacy Rule applicable to the security standards.
Therefore, we have not changed those standards substantively. In pertaining to
the Privacy Rule, we have simply moved them to a new location in part 164. Any
differences between § 164.105 and § 164.504(a) through (d) reflects the addition
of requirements specific to the security standards.

The health care component approach was developed in response to extensive
comment received principally on the Privacy Rule. See 65 FR 82502 through
82503 and 82637 through 82640 for a discussion of the policy concerns
underlying the health care component approach. Since the security standards
are intended to support the protection of electronic information protected by the
Privacy Rule, it makes sense to incorporate organizational requirements that
parallel those required of covered entities by the Privacy Rule. This policy will
also minimize the burden of complying with both rules.

         a. Comment: Relative to the following preamble statement (63 FR 43258):
‘‘If the clearinghouse is part of a larger organization, then security must be
imposed to prevent unauthorized access by the larger organization.’’ One
commenter asked what is considered to be ‘‘the larger organization.’’ For
example, if a clearinghouse function occurs in a department of a larger business
entity, will the regulation cover all internal electronic communication, such as e-
mail, within the larger business and all external electronic communication, such
as email with its owners?
         Response: The ‘‘larger organization’’ is the overall business entity that a
clearinghouse would be part of. Under the Security Rule, the larger organization
must assure that the health care clearinghouse function has instituted measures
to ensure only that electronic protected health information that it processes is not
improperly accessed by unauthorized persons or other entities, including the
larger organization. Internal electronic communication within the larger
organization will not be covered by the rule if it does not involve the
clearinghouse, assuming that it has designated health care components, of
which the health care clearinghouse is one. External communication must be
protected as sent by the clearinghouse, but need not be protected once received.

        b. Comment: One commenter asked that the first sentence in § 142.306(b)
of the proposed rule, ‘‘If a health care clearinghouse is part of a larger
organization, it must assure all health information is protected from unauthorized
access by the larger organization’’ be expanded to read, ‘‘If a health care
clearinghouse or any other health care entity is part of a larger organization . . .’’
        Response: The Act specifically provides, at section 1173(d)(1)(B), that the
Secretary must adopt standards to ensure that a health care clearinghouse, if
part of a larger organization, has policies and security procedures to protect
information from unauthorized access by the larger organization. Health care
providers and health plans are often part of larger organizations that are not
themselves health care providers or health plans. The security measures
implemented by health plans and covered health care providers should protect
electronic protected health information in circumstances such as the one
identified by the commenter. Therefore, we agree with the comment that the
requirement should be expanded as suggested by the commenter. In this final
rule, those components of a hybrid entity that are designated as health care
components must comply with the security standards and protect against
unauthorized access with respect to the other components of the larger entity in
the same way as they must deal with separate entities.

8372 Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations

3. Clearinghouses

All health care clearinghouses must meet the requirements of this regulation.
Health care clearinghouses would face effects similar to those experienced by
health care providers and health plans. However, because clearinghouses
represent one way in which providers and plans can achieve compliance, the
clearinghouses’ costs of complying with these standards would probably be
passed along to those entities, to be shared over the entire customer base.

8380 Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations

(b) Health care clearinghouse. A health care clearinghouse must comply with the
applicable requirements of this subpart no later than April 20, 2005.






  STANDARD UNIQUE PROVIDER IDENTIFIER FINAL RULE – January 23,
                            2004

3443 Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations

5. Implementation Specifications for Health Care Providers, Health Plans, and
Health Care Clearinghouses
Proposed Provisions (§ 142.404, § 142.406, and § 142.408)

In section II. E., ‘‘Requirements,’’ of the preamble of the May 7, 1998, proposed
rule (63 FR 25330), we discussed the requirements that health plans, health care
clearinghouses, and covered health care providers would have to meet in
implementing the NPI. The proposed regulation text, in § 142.404, stated that
health plans would be required to accept and transmit, directly or through a
health care clearinghouse, the NPI on all standard transactions wherever
required. The proposed regulation text, in § 142.406, stated that health care
clearinghouses would be required to use the NPI wherever a standard electronic
transaction requires it. The preamble of the May 7, 1998, proposed rule (63 FR
25330) states: ‘‘In § 142.408, Requirements: Health care providers, we would
require each health care provider that needs an NPI for HIPAA transactions to
obtain, by application if necessary, an NPI * * *’’ Section 142.408(a) of the
proposed regulation text states: ‘‘Each health care provider must obtain, by
application if necessary, a national provider identifier.’’ The text of the proposed
rule states, in § 142.408(c): ‘‘Each health care provider must communicate any
changes to the data elements in its file in the national provider system to an
enumerator of national provider identifiers within 60 days of the change.’’

Comments and Responses on Requirements for Health Care Providers, Health
Plans, and Health Care Clearinghouses

We believe that the Congress intended that each health care provider be eligible
for an NPI and intended to authorize the Secretary to require covered health care
providers to obtain one. HIPAA requires the adoption of a standard unique health
identifier for health care providers and directs the Secretary to specify the
purposes for which the identifier may be used. The statute sets forth the
maximum amount of time by which all covered entities must comply with the
standards, leaving discretion to the Secretary to designate compliance dates
(within the limitations of the law). We proposed in the May 7, 1998, proposed
rule, and require in this final rule, that covered entities must be in compliance
with the standards no later than 2 years (3 years for small health plans) from the
effective date of the regulation. Thus, as of the compliance date, a covered
health care provider must have obtained and begun to use an NPI.



        Comment: Some commenters recommended that all data about a health
care provider in the NPS be required to be updated; others stated that only
certain data elements should be required to be updated. Most indicated that data
needed for unique identification should be kept current.
        Response: In the proposed rule, the NPS was proposed to include many
data elements that we have since decided not to include. (See section II. C. 2. of
this preamble, ‘‘Data Elements and Data Dissemination.’’) We have decided that
the NPS will consist entirely of data elements about a health care provider that
are needed for administrative (communications) purposes and for the unique
identification of the health care provider. We believe it is appropriate and
necessary for the health care providers to notify the NPS of changes in their
required NPS data, but, given limits on our statutory authority, we can require
such notification only of covered health care providers.

        Comment: We received many comments concerning the length of time a
health care provider should be allowed before it must notify the NPS of changes
to its NPS data. Most commenters thought that the 60-day period was too long
and believed a 15- to 30-day period was more appropriate.
        Response: The May 7, 1998, proposed rule at § 142.408(c) proposed 60
days to allow reasonable flexibility in the time required for a health care provider
to complete a paper form (the NPI application/update form) containing the
update(s) and forward it to the NPS. We will attempt to design the NPS to be
responsive and easy to use. We will consider a design that will allow a health
care provider (or possibly a health care provider’s authorized representative (see
section II. B. 2., ‘‘Health Care Provider Enumeration,’’ of this preamble)) to
communicate the health care provider’s changes directly into the NPS over the
Internet, using a secure Web-based transaction. A paper form (the NPI
application/update form) will be developed for this same purpose and will be
available from the NPS and from the CMS Web site (http://www.cms.hhs.gov) for
use by health care providers. We realize that many health care providers may
prefer to send electronic updates if the capability exists. According to the majority
of commenters, health care providers should be required to communicate
changes in their NPS data in far less than 60 days. We agree. Therefore, we
adopt in this final rule a requirement that covered health care providers notify the
NPS of changes in their required NPS data within 30 calendar days of the changes (§ 162.410(a)(4)).

        Comment: Several commenters indicated that health plans will need to
know about changes in health care provider information. Commenters did not
believe it would be fair for health care providers to have to notify both the NPS
and the health plans in which they are enrolled of changes.
        Response: We agree that health plans will need to know of changes in the
data associated with their enrolled health care providers. Most health plans
collect more information about a health care provider than the NPS will collect.
Therefore, we expect that health plans will still require health care providers to
notify them of changes in this information. The NPS will have the capability to
provide listings or reports of changes in NPS data in accordance with section II.
C. 2. of this preamble, ‘‘Data Elements and Data Dissemination.’’

        Comment: Several commenters stated that the NPS should be required to
apply updates within a specified period of time after receipt of the updated
information from a health care provider.
        Response: We expect that the update process will be designed in a way
that will allow the system to process updates within a reasonable timeframe (for
example, 10 business days from receipt). The volume of updates at any given
time may impact system performance. If changes are unable to be made (for
example, the health care provider furnishing updates does not appear to match
any health care provider in the NPS), the health care provider will receive a
message that will indicate why the NPS is unable to update the record. The
message will request that the problem be resolved and the information be
resubmitted.

       Comment: Several commenters asked if health plans should take any
action to notify the NPS of changes to health care provider data if they become
aware of these changes.
       Response: Although health plans would not be required to provide
information to the NPS to update health care provider data, we encourage health
plans to instruct and remind their enrolled health care providers to notify the NPS
of changes in their data.

       Comment: There were numerous comments about penalties for non-use
of the NPI:
          • If NPIs could not be assigned to covered health care providers
            before the compliance date for those health care providers, and
            sufficiently ahead of that time to enable the health care providers to
            be capable of using the NPI in standard transactions, penalties
            should not be enforced for nonuse of the NPI.
          • Sufficient time should elapse to ensure adequate experience in
            using the NPI before penalties are assessed.
          • Financial penalties for noncompliance should not be assessed until
            1 year after the NPI compliance dates.
          • The method of enforcing compliance with the standard should be
            made public.
          • The penalties for nonuse of a single standard and nonuse of
            multiple standards should be clarified.
          • When noncompliance forces nonpayment, the entity expecting
            payment will resolve the issue.

      Response: NPIs will be assigned to health care providers as quickly as
possible and within the parameters of the performance criteria that are in effect.
(See earlier comment and response for additional information.) HHS is preparing,
and has issued in part, a separate regulation on enforcement of the HIPAA
standards. This regulation is expected to address all but perhaps the last concern
of these commenters. The regulation cannot place requirements on entities that
are not covered entities, and the entities involved in the situation described in the
last bullet may not be covered entities.

        Comment: Many commenters suggested that (1) health care providers not
be required to use the NPI within the first year after the effective date of its
adoption, although willing trading partners could use the NPI by mutual
agreement at any time after the effective date; and (2) health plans should give
their health care providers at least 6 months’ notice before requiring them to use
the NPI.
        Response: Upon the effective date of the adoption of this standard (which
will be 16 months after the date it is published), health care providers may apply
for NPIs. Covered entities (except for small health plans) must begin using the
NPI in standard transactions no later than 24 months after the effective date.
(Small health plans have 36 months to begin using NPIs.) These are statutory
requirements that we have incorporated into this final rule. We believe these
timeframes enable more than sufficient time for covered health care providers to
become aware of their responsibilities under this final rule, to apply for and be
assigned their NPIs, and to complete work needed to begin using their NPIs.
Applying for an NPI up to 18 months after the effective date of the adoption of
this standard will still give health care providers 6 months before the statutory
compliance date arrives. We encourage health plans to give health care
providers 6 months’ notice before requiring them to use NPIs; however, we do
not require that action by the health plans. How soon health care providers could
use NPIs would depend on when they obtained the NPIs, and health plans have
no direct control over that action. We encourage all parties to work together to
ensure a smooth transition.

3450 Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations

c. Health care clearinghouses

Health care clearinghouses must use the NPI of any health care provider or
subpart that has been assigned an NPI to identify that health care provider or
subpart on all standard transactions when the NPI is required. As with health
plans, health care clearinghouses will be able to obtain NPS data from the NPS.

3460 Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations

§ 162.414 Implementation Specifications: Health Care Clearinghouses



A health care clearinghouse must obtain and use the NPI of any health care
provider or subpart in any standard transaction that requires the standard unique
identifier for health care providers.

Applicability of the PRA to the Requirements

The emerging and increasing uses of health care EDI standards and transactions
have raised the issue of the applicability of the PRA. The Office of Management
and Budget (OMB) has determined that this regulatory requirement (which
mandates that the private sector disclose information and do so in a particular
format) constitutes an agency-sponsored third-party disclosure as defined under
the PRA. HIPAA requires the Secretary to adopt standards that have been
developed, adopted, or modified by a standard setting organization, unless there
is no such standard, or unless a different standard would substantially reduce
administrative costs. OMB has concluded that the scope of its review under the
PRA would include the review and approval of our decision to adopt or reject an
established industry standard, based on the HIPAA criterion of whether a
different standard would substantially reduce administrative costs. For example,
if OMB concluded under the PRA that a different standard would substantially
reduce administrative costs as compared to an established industry standard, we
would be required to reconsider our decision under the HIPAA standards.

We would be required to make a new determination of whether it is appropriate
to adopt an established industry standard or whether we should enter into
negotiated rulemaking to develop an alternative standard (section 1172(c)(2)(A)
of the Act). The burden associated with the requirements of this final rule, which
is subject to the PRA, is the initial onetime burden on health care providers who
are covered entities to apply for an NPI and later, as necessary, to furnish
updates, and on the covered entities identified above to modify their current
processes to implement the NPI. However, the burden associated with the
routine or ongoing use of the NPI is exempt from the PRA as defined in 5 CFR
1320.3(b)(2).

Based on the assumption that the burden associated with systems modifications
that need to be made to implement the NPI may overlap with the systems
modifications needed to implement other HIPAA standards, and the fact that the
NPI will replace the use of multiple identifiers, resulting in a reduction of burden,
commenters should take into consideration when drafting comments that: (1)
One or more of these current identifiers may not be used; (2) systems
modifications may be performed in an aggregate manner during the course of
routine business; and/or (3) systems modifications may be made by contractors
such as practice management vendors, in a single effort for a multitude of
affected entities.



3468 Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations

(c) Health care clearinghouses. A health care clearinghouse must comply with
the implementation specifications in § 162.414 no later than May 23, 2007.

3469 Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations

§ 162.414 Implementation specifications: Health care clearinghouses.

A health care clearinghouse must use the NPI of any health care provider (or
subpart(s), if applicable) that has been assigned an NPI to identify that health
care provider on all standard transactions where that health care provider’s
identifier is required.






Subpart E - Privacy of Individually Identifiable Health Information

§ 164.500 Applicability.
(a) Except as otherwise provided herein, the standards, requirements, and
implementation specifications of this subpart apply to covered entities with
respect to protected health information.
(b) Health care clearinghouses must comply with the standards, requirements,
and implementation specifications as follows:
(1) When a health care clearinghouse creates or receives protected health
information as a business associate of another covered entity, the clearinghouse
must comply with:
(i) Section 164.500 relating to applicability;
(ii) Section 164.501 relating to definitions;
(iii) Section 164.502 relating to uses and disclosures of protected health
information, except that a clearinghouse is prohibited from using or disclosing
protected health information other than as permitted in the business associate
contract under which it created or received the protected health information;
(iv) Section 164.504 relating to the organizational requirements for covered
entities, including the designation of health care components of a covered entity;
(v) Section 164.512 relating to uses and disclosures for which individual
authorization or an opportunity to agree or object is not required, except that a
clearinghouse is prohibited from using or disclosing protected health information
other than as permitted in the business associate contract under which it created
or received the protected health information;
(vi) Section 164.532 relating to transition requirements; and
(vii) Section 164.534 relating to compliance dates for initial implementation of the
privacy standards.
(2) When a health care clearinghouse creates or receives protected health
information other than as a business associate of a covered entity, the
clearinghouse must comply with all of the standards, requirements, and
implementation specifications of this subpart.
(c) The standards, requirements, and implementation specifications of this
subpart do not apply to the Department of Defense or to any other federal
agency, or nongovernmental organization acting on its behalf, when providing
health care to overseas foreign national beneficiaries.



There are no Frequently Asked Questions on the DHHS website that provide
information pertinent to health care clearinghouses.





				