Today, these processes involve numerous paper forms and telephone calls, and many delays in communicating information among different locations, creating problems and costs for health care providers, plans and insurers alike.

To address these problems, the health care industry has attempted to develop standards for accomplishing these transactions electronically. But it has been very difficult to get all the competing parties to agree voluntarily to follow a single, uniform set of standards. Consequently, at the request of the industry and with bipartisan support, Congress included the Administrative Simplification provisions in HIPAA. To address concerns about the potential for abuse of electronic access to this type of information, the law includes specific provisions to protect the security and confidentiality of health information which might be associated with an individual.

The health care industry estimates that full implementation of these provisions could save up to $9 billion per year from administrative overhead, without reducing the amount or quality of health care services. To make these administrative savings become reality, the law requires the Secretary of HHS to adopt uniform national standards for the electronic processing of insurance claims and related transactions within 18 months of the law’s enactment. Health plans, providers, and insurers would then have 24 months to implement the standards

Implementation Plan

HHS has established six internal interdepartmental working groups to identify and assess potential standards for adoption in the following areas:

These working groups are coordinated by the HHS Committee on Health Data Standards, under the policy direction of the HHS Data Council, the department’s internal, senior advisory body on data policy. Representatives from other federal agencies involved in health care both within and outside of HHS are participating in the process at all levels. These agencies include the National Institutes of Health and the Departments of Defense and Veterans Affairs, to name a few.

The law directs the Secretary to select standards that are developed and maintained by ANSI accredited standards development organizations (SDOs), unless a different standard would result in greater administrative savings. As a helpful starting place, the ANSI Health Informatics Standards Board delivered an "Inventory of Health Care Information Standards" to the Secretary on February 10, 1997.

In adopting standards, the law requires the Secretary to rely upon the recommendations of the National Committee on Vital and Health Statistics (NCVHS), HHS’s public advisory committee in health data, standards, privacy and health information policy. To provide the opportunity for systematic consultation and public input, the Committee is holding a series of public

meetings and hearings. In addition, HHS staff involved in the standards adoption process are prepared to meet with, consult and establish liaison with representatives of interested and affected groups.

To ensure careful protection of privacy, the law provides for confidentiality protections for information processed in accordance with the new standards. It also requires the Secretary to make recommendations for health record privacy legislation to Congress. If Congress does not enact such legislation, health care providers, health plans, and health care clearinghouses using the new standards will be required to follow confidentiality regulations promulgated by HHS for transactions covered by the electronic transmission standards. The HHS regulations must be promulgated before those standards go into effect. The development of recommendations to the Congress on privacy protections is being carried out through a process parallel to the standards process.

HIPAA envisions that the standards to be adopted would come from standards already developed by the industry after extensive consultation with the industry and with State and local governments. The general approach for adoption of standards would include:

The implementation process provides a number of opportunities for interested and affected parties to participate and provide public input toward the adoption of standards:

The Administrative Simplification law requires that, within 18 months of enactment (by February 1998), the Secretary must adopt standards for a variety of health insurance transactions. The health care industry then has 24 months to implement those standards after adoption. Small plans (as defined by the Secretary) will have 36 months to implement the same standards. Privacy protection standards will either be enacted by Congress or, if Congress does not act, issued by HHS to accompany the implementation of the new standards.

Understanding CMS's Compliance Policy 

CMS has heard the concerns expressed by the health care industry – most notably, that testing rates are low and the process is complex. This means that many covered entities may not be capable of successfully transmitting HIPAA compliant transactions in time for the October 16, 2003 compliance date. This has the potential to affect provider cash flow.

That is why the Department of Health and Human Services wants to ensure that the health care industry understands its enforcement approach – more specifically, the enforcement approach the Centers for Medicare and Medicaid Services will be adopting as the industry moves towards compliance with HIPAA electronic transactions and code sets.

On July 24, 2003, HHS publicly released a document outlining its guidance on compliance with transactions and code sets after October 16, 2003. The guidance document (PDF, 82KB) can be found on this website.

In the guidance, CMS discusses two primary goals: First, to move all covered entities towards compliance as soon as possible and second, to avoid the disruption of provider cash flow and any negative impact on access to health care. To achieve these goals, CMS will focus on obtaining voluntary compliance by using a complaint-driven process. If CMS receives a complaint, CMS will evaluate the entity’s "good faith efforts" to comply with the standards and will not impose penalties on covered entities who have deployed contingencies to ensure the smooth flow of payments continues. More information on CMS’s "good faith policy" can be found in the guidance document (PDF, 82KB).

A contingency plan is an alternate way of doing business when established routines are disrupted. In the case of the October 16, 2003 deadline, a contingency plan should address the potential interruption of claims processing and claims payment due to problems with transmission using the new HIPAA transaction standards. Just as each covered entity is different, there is no single contingency approach that would be appropriate for all covered entities and all situations. In addition, larger covered entities may need more than one contingency plan.

For example, health plans will need to make their own determinations regarding contingency plans based on their unique business environments. A contingency plan could include maintaining legacy systems, flexibility on data content or interim payments. Other more specific contingency plans may also be appropriate. For example, a plan may decide to continue to receive and process claims for supplies related to drugs using the NCPDP format rather than the 837 format currently specified in the regulations. The appropriateness of a particular contingency or the basis for deploying the contingency will not be subject to review by CMS.

CMS is encouraging covered entities to consider some common risks associated with the October 16, 2003 deadline and make contingency plans to address those risks. The following seven steps are general guidelines for creating contingency plans:

1. Assess your situation: Determine what business processes are most at risk. Determine whether the risk condition is based on your readiness or the readiness of your business partners. Assess your expected October 2003 financial status. Understand how a disruption in cash flow could impact your daily operations. Estimate what financial obligations will come due at this time.

2. Identify risks: For each business process you identified as a potential risk for disruption, assess the likelihood and impact of problems. List each potential risk as high, medium, and low likelihood. Take into consideration the readiness of your trading partners as well. Communicate with your trading partners to assess their level of readiness for October 16, 2003 and what impact their risks may have on your operations. Ask your payers if they intend on maintaining active capability to send and receive your current formats while you transition to HIPAA standards. For each of your trading partners, assess whether you have established a sufficient "good faith" relationship to support each other’s contingent operations, as well as your own goals towards compliance.

Document the responses they have given you through discussions and correspondence. Focus on the risks that have the highest risk exposure and that most impact your cash flow. For example, evaluate the potential for delay in payments and take appropriate action.

3. Formulate an action plan: Determine what you can do to reduce the likelihood and impact of each risk happening. Choose a strategy that will reduce that risk. Incorporate your strategy into your staffing needs. For instance, you may require more staff time to handle phone calls to resolve problems. Recognize how this could impact your payroll.

4. Decide if and when to activate your plan: Decide when you must take action to implement your chosen strategy so as to prevent an interruption in current business. Decide what you can do now to avoid problems later.

Determine what your "trigger" is for putting your strategy into action, and decide who will make that decision, and how.

5. Communicate the plan: Record your entire strategy, the person responsible for each action, and the steps that must be taken. Share them with everyone who will have a role in implementing your contingency plan.

6. Test your plan: Review the strategy with the key players and run through each potential risk and the steps identified to reduce / avoid each risk.

7. Treat your contingency plan as an evolving process: Treat your plan as a business process that is evolving. Continually review your own efforts at readiness, particularly your efforts to inform your business partners of your expectations, and your efforts to test with them. Update your plan as you move forward and add any additional "to do" items you identify along the way. Keeping track of your status will keep you organized and focused, as well as document your "good faith efforts" to comply. Most importantly, keep the lines of communication open between you and your payers and clearinghouse.

Health plans should announce their contingency plans as soon as possible to allow their trading partners enough time to make any needed adaptations to their business operations. Before deploying a contingency plan, organizations should make an assessment of their outreach and testing efforts to assure they made a "good faith" effort to comply.

For example, Medicare – a covered entity and a health plan – is ready to accept HIPAA-compliant transactions. CMS has directed the Medicare contractors to intensify all HIPAA outreach and testing efforts with their respective provider and submitter communities. On September 23, 2003 CMS also announced that it will implement a contingency plan for the Medicare program to accept noncompliant electronic transactions after the October 16, 2003 compliance deadline. This plan will ensure continued processing of claims from thousands of providers who will not be able to meet the deadline and otherwise would have had their Medicare claims rejected. CMS made the decision to implement its contingency plan after reviewing statistics showing unacceptably low numbers of compliant claims being submitted.

The contingency plan permits CMS to continue to accept and process claims in the electronic formats now in use, giving providers additional time to complete the testing process. CMS will regularly reassess the readiness of its trading partners to determine how long the contingency plan will remain in effect.

In the days remaining before the October 16th deadline, CMS encourages providers to intensify their efforts toward achieving transaction and code set compliance. Successful contingency planning is an important part of this process and will require the attention and cooperation of all health plans, clearinghouses and of all providers that conduct electronic transactions.

As you develop your contingency plans, ask yourself the following:

CMS is here to help as well. Successful implementation will require the attention and cooperation of the entire health care community. There is considerable industry support for HIPAA transactions and code sets. Your successful contingency plans will greatly enhance communication throughout the industry as it moves towards HIPAA compliance.