Jackie Huchenski is a Partner with Moses & Singer LLP. She is the chair of the healthcare group and a co-chair of the eHealth Practice. Jessica Friedman is an associate in both the Healthcare and eHealthlaw Group.)

On Aug. 17, 2000, the first of the administrative simplification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), "Transactions and Code Sets," was published in the Federal Register; it will become effective on Oct. 16, 2000 (unless Congress acts to change this date). Compliance with the rule will be required by Oct. 16, 2002 (except for small health plans, which must comply by Oct. 16, 2003).

The Transactions and Code Sets rule attempts to reduce the inefficiency and burden created by the approximately 400 formats for healthcare claims in use. The rule adopts standards for eight electronic transactions and for code sets (defined as "any set of codes used to encode data elements" such as tables of terms and medical procedure codes, for example) to be used in those transactions. Healthcare clearinghouses, plans, and providers (who transmit any health information in electronic form) must use the standards.

The final rule affects healthcare clearinghouses, plans, and providers that electronically transmit health information (together "covered entities"). Covered entities will be subject to civil sanctions of $100 per violation--with a limit for each violation of $25,000 per year--and criminal penalties up to $250,000 and/or 10 years imprisonment for noncompliance. Enforcement will be addressed in a future rule to be published next year.

The final rule addresses the same eight transactions included in the proposed rule:

1. Health claims or equivalent encounter information (from providers to health plans);
2. eligibility for a health plan;
3. referral certification and authorization;
4. health claim status;
5. enrollment and disenrollment in a health plan;
6. health claims and remittance advice (e.g. payment);
7. health plan premium payments; and8. coordination of benefits.

Like the proposed rule, the final rule requires health plans and providers to use the designated transaction standards when performing such transactions electronically and prohibits health plans from refusing to process, or causing a delay in processing, any of the transactions when submitted electronically. Nor may providers or health plans offer incentives to conduct a transaction under an exception to the rule.

For each element required in a given transaction, the transaction and code sets rule identifies all codes that will be valid. For example, codes are required for data elements such as race/ethnicity and type of facility (administrative codes) as well as for diseases and their manifestations and causes of injury (clinical codes). For the most part, the Department of Health and Human Services (HHS) has adopted the code sets currently used in the industry. For example, ICD-9-CM codes are to be used to indicate diseases, injuries, impairments, and their manifestations for diagnoses and inpatient procedures, and CPT codes are to be used by physicians (and hospitals, as applicable) for outpatient procedures.

Changes from proposed rule:

1. One major difference between the proposed rule and the final rule is the introduction of the concept of a "business associate," which is defined in the final rule as a person who performs a function or activity on behalf of a covered entity but who is not an employee of the covered entity (the proposed Security and Privacy Rules under HIPAA include similar concepts). A covered entity may be a business associate of another covered entity. To the extent that a covered entity uses a business associate to conduct an electronic transaction, the covered entity must require the business associate to comply with the rule.

2. Another major difference between the final rule and the proposed rule is the adjustment of the definition of "small health plan" so that it agrees with the definition used in the other HIPAA rules ("small health plan" is defined as "a health plan with annual receipts of $5 million or less").

3. The final rule adds numerous defined terms (including "trading partner agreement," "standard setting organization," and "implementation specification").

4. The final rule eliminates an exception for transactions within a "corporate entity" (covered entities must now use a standard transaction when transmitting to another covered entity regardless of whether the two entities are affiliated with one another).

5. Finally, under the final rule, case management is treated as a healthcare service.

President Clinton has promised to finalize the privacy rule by the November elections and even to expand the privacy rule to paper information (not just electronically transmitted or stored information). According to the Workgroup for Electronic Interchange (WEDI), the security rule is expected to become final in the fall as well, to be followed by the National Provider Identifier and Employer Identifier rules. The preamble to the transactions and code sets rule warns that if the privacy rule is "substantially delayed" or if Congress fails to act, HHS would "seriously consider" withdrawing this rule.

This article is intended as a general comment on certain recent proposed developments in the law. It does not contain a complete legal analysis or constitute an opinion of Moses & Singer LLP or any member of the Firm on the legal issues herein described. It is recommended that readers not rely on this general guide in structuring or analyzing individual transactions but that professional advice be sought in connection with any such transaction.