Everything You Didn't Want To Know About HIPAA (But Have To Ask)
Part 2 -- Access

by Jessica Friedman, David Rabinowitz, and Linda A. Malek, Esq.

This article originally appeared in the May 1st issue of E-Healthcare Market Reporter (Vol. 1, No. 19).

Several proposed rules previously published, along with the Privacy Rule, comprise the "Administrative Simplification" portions of HIPAA.

Four of these rules have been published: Transaction and Code Sets, National Provider Identifier, National Employer Identifier, and Security and Electronic Signature Standards. The first three are record standardization rules, and the fourth covers how health information is to be protected against invasion and kept accurate - mechanically and administratively.

Ins & Outs of Administrative Simplification

Like the Privacy Rule, these four rules affect health plans, healthcare clearinghouses and providers (covered entities) that (1) electronically transmit health information or (2) electronically maintain any health information used in electronic transmissions. Also like the Privacy Rule, each rule will become effective 60 days after being published in the Federal Register (subject to any congressional action during such time); covered entities will have two years from the effective date of each Administrative Simplification rule to comply (health plans with fewer than 50 participants will have three years).

Sanctions for noncompliance are the same as those to be imposed for non-compliance with the Privacy Rule: civil sanctions will be $100 per violation with a limit of $25,000 per year for the same violation; criminal sanctions will be up to $250,000 and/or 10 years imprisonment.

Transactions and Code Sets; Provider and Employer Identifiers
Three proposed rules standardize data and record-keeping in the healthcare industry: (1) the Transactions and Code Sets rule; (2) the National Standard Health Care Provider Identifier; and (3) National Standard Employer Identifier.

The Transactions and Code Sets proposed rule was published May 7, 1998 (63 Fed. Reg. 25272). It proposes standards for code sets (defined as "any set of codes used for encoding data elements," such as tables of terms and medical procedure codes) to be used in electronic transactions and specifies which data elements must be included in each transaction. The data elements and standards were developed by a subcommittee of the Accredited Standards Committee known as ASC X12N.

Eight types of transactions are addressed in the Transaction and Code Sets rule:

  1. Health Claims or Equivalent Encounter Information (e.g., submission of healthcare claim billing information, encounter information, or both from providers to health plans);
  2. Health Claims and Remittance Advice (e.g., sending payment to a financial institution for a provider or sending an explanation of benefits to a provider);
  3. Coordination of Benefits;
  4. Health Claim Status;
  5. Enrollment and Disenrollment in a Health Plan;
  6. Eligibility for a Health Plan;
  7. Health Plan Premium Payments; and
  8. Referral Certification and Authorization.

HHS indicates it will develop separate rules for two additional transactions: First Report of Injury (used to report information pertaining to an injury, illness or incident) and Health Claims Attachments (used to transmit healthcare service information to request a review, certification or notification).

Under the proposed rule, health plans may not refuse to process nor cause a delay in processing any of the eight transactions when submitted electronically. Presumably, the same will hold true for the remaining two transactions.

For each element required in a given transaction, the Transaction and Code Sets proposed rule identifies all codes which will be valid.

Codes are required for data elements such as race/ethnicity and type of facility, as well as for diseases and their manifestations and causes of injury. For the most part, HHS has adopted the code sets currently used in the industry.

For example, ICD-9-CM codes are to be used to indicate diseases, injuries, impairments and their manifestations for diagnoses and inpatient procedures; CPT codes are to be used by physicians (and hospitals, as applicable) for outpatient procedures; and CDT codes are to be used by dentists for dental services.

Ownership of some of the clinical codes remains with the respective organization that had such proprietary rights prior to the rule (e.g., the AMA owns the CPT codes and retains ownership rights to them).

The "National Standard Health Care Provider Identifier" (also published May 7, 1998) assigns eight-digit alphanumeric codes to all providers for use in the covered transactions. Similarly, the "National Standard Employer Identifier" (published June 16, 1998) adopts the IRS employer identification number for use as the standard employer identifier in the covered transactions. The "National Health Plan Identifier" will assign identifiers to health plans.

Security and Electronic Signature Standards
The Security and Electronic Signature standards (the Security Rule published Aug. 12, 1998) are the most complex of the four rules discussed here and will arguably require the most effort, energy and expense to implement. Additionally, the security standards contain significant ambiguities, which HHS may address in the final rule.

The security portion of the standards is designed to protect information in the healthcare industry.

It deals with how systems storing or transmitting healthcare information must work to protect such information. The Security Rule applies to all health information which is transmitted between or stored by covered entities, whether or not it is individually identifiable. The Security Rule establishes four categories of security measures to ensure data is accurate and complete, confidential and available to those who are permitted access: (A) administrative procedures, (B) physical safeguards, (C) technical security services and (D) technical security mechanisms.

In addition, the Security and Electronic Signature standards establish rules for using electronic signatures to authenticate electronic messages - that is, to ensure (1) the sender is who he or she claims to be, (2) the document received is the same as what was sent, and (3) the sender cannot later disavow sending the information. (A covered entity is not required to use an electronic signature; if one is used, however, the entity must comply with the standards established in the proposed rule.)

The following is a summary of the required security measures and the electronic signature rules:

Administrative Procedures (organizational rules and practices to manage security)

  1. A covered entity must certify that its system or network meets a specified set of security requirements; the certification may be performed internally or by an external auditor. The requirements are not included in the proposed rule; presumably, HHS will include them in the final rule. Additionally, the proposed rule does not specify whether this responsibility is ongoing; however, for the proposed rule to be effective, it seems likely entities will be required to recertify on a regular basis.
  2. Each covered entity must have "chain of trust" partner agreements requiring business partners to which it electronically releases information to protect the integrity and confidentiality of such data. Unlike the business partner provisions of the Privacy Rule, the security standard does not specify what provisions are required to be in chain of trust agreements, nor does it define "business partners"; it is hoped that HHS will address these issues in the final rule.
  3. A covered entity must have a contingency plan for system emergencies. The plan must include system backups, protections for critical facilities, disaster recovery plans, and numerous other elements.
  4. Every covered entity must have formal procedures for processing, receiving, manipulating, storing, disseminating, transmitting and disposing of records and health information.
  5. Each covered entity must have policies and procedures for granting differing levels of access by personnel to health information. These policies and procedures must address rules for granting access (for example, to a terminal, transaction or program); rules determining an entity's right of access to a terminal, transaction, program, etc.; and rules determining the types of, and reasons for, changes to an entity's access to a terminal, transaction, program, etc.
  6. All covered entities must conduct an ongoing review of their records of system activity, such as log-ins, file access and security incidents.
  7. A covered entity must set up a system whereby personnel are assigned clearances to see certain kinds of information and must be supervised while doing so. Additionally, the covered entity must record, review and check (with unstated frequency) all clearances.
  8. Each covered entity must create an overall, coordinated security operating plan, including software and hardware installation and operation rules, including virus protection, and security testing procedures.
  9. A covered entity must have a system for keeping track of security breaches and set up reporting and response procedures.
  10. Every covered entity must have a system to prevent and repair security breaches, including sanctions. Every covered entity is specifically required to go through cost benefit analyses of measures to be taken and to assess the risk of security breaches, reduce that risk to an acceptable level, and maintain that level of risk. The rule does not define what an entity may consider to be an "acceptable" level of risk.
  11. All covered entities must have a security system for protecting against access to health information by former personnel. The system must include rules for changing locks, removing personnel from access lists, removal of user accounts, deleting access privileges and recovering keys, cards or other methods of access.
  12. A covered entity must give its personnel security training to protect health information by educating the personnel and giving them periodic reminders regarding virus protection, log-in success and failure, and password management.

Physical Safeguards (rules and policies concerning protection of computers, buildings and related equipment)

  1. Each covered entity must assign security responsibility to an individual or outside entity, which will promulgate rules for receiving and removing hardware and software - including policies and procedures to control access to such hardware and software and a tracking mechanism for such access - and data backup, storage and disposal.
  2. A covered entity must have rules limiting and ensuring physical access to data as appropriate, and set up a disaster recovery process, emergency access rules, procedures for bringing software and hardware into and out of facilities, a security plan, procedures for verifying access prior to access being permitted, documentation of maintenance, procedures to permit access on a need-to-know basis only, procedures for visitors, and restriction of program testing to authorized users.
  3. Every covered entity must document its policies and procedures on workstation use, including functions to be performed at each workstation, the manner of performing such functions, and physical location and attributes of each site specifically related to privacy of each workstation.
  4. Workstations at which health information is accessed must be kept in a secure area.
  5. All personnel must be trained, as appropriate for their respective job responsibilities, in proper use of health information and how health information is accessed, as well as confidentiality and security of such information.

Technical Security Services (processes to protect and control information access) - Each covered entity must make rules about who is authorized to access information, including procedures for emergency access.

The procedures must contain mechanisms to record and examine system activity; authorization controls for access based on role or user; methods to corroborate that data has not been altered or destroyed; and authentication of any entity accessing data, which includes automatic log-off, unique user identifiers, and at least one of the following - a biometric identifier (e.g., iris scan or hand scan), password, personal identification number, telephone callback procedure or a physical electronic device (token) which must be triggered to gain access to the computer.

Technical Security Mechanisms (processes to protect data transmitted over a network)

  1. If a covered entity uses communications or networks to electronically transmit health information, the networks must include the following: integrity controls for the information sent and stored; message authentication to ensure the message received is the same as the message sent; and encryption or other protection to ensure data is not intercepted and interpreted by anyone other than the intended recipient.
  2. If a covered entity uses network controls, it also must use alarms to respond to abnormal conditions, audit trails, entity authentication which denies access to unauthorized users, and event reporting which will indicate operational abnormalities.

Electronic Signatures

In addition to the above, if a covered entity uses an electronic signature, the method by which the entity affixes the signature must assure the unaltered transmission of the signature, provide evidence of the identity of the signer and the integrity of the message, and authenticate the identity of the entity. The covered entity may also add other attributes to the signature (such as a time or date stamp).
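The three signature properties described above (identity of the signer, integrity of the message, and the sender's inability to later disavow it) and the message-authentication requirement of the technical security mechanisms are what a digital signature delivers. The following Go program is an added illustration and is not part of the article or of the proposed rule; the article names no algorithm, so Ed25519, the domain-separation label, the partner directory, the fixed key seeds, the sample claim text and the timestamp are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedMessage carries a payload plus the attributes the proposed Security
// Rule describes: evidence of the signer's identity (the public key), message
// integrity (the signature covers the payload), and a date/time stamp that is
// also covered by the signature.
type SignedMessage struct {
	Partner   string            // chain-of-trust partner name (hypothetical directory key)
	Payload   []byte            // e.g. an X12 837 claim; here a constructed sample
	Timestamp int64             // Unix seconds; a signature attribute
	Signer    ed25519.PublicKey // identity evidence as carried in the message
	Signature []byte
}

// signingInput binds partner name, timestamp and payload into one digest so
// none of them can be altered without invalidating the signature.
func signingInput(partner string, payload []byte, ts int64) []byte {
	h := sha256.New()
	h.Write([]byte("esig-example-v1\x00")) // domain-separation label (assumption)
	h.Write([]byte(partner))
	h.Write([]byte{0})
	var tsBuf [8]byte
	binary.BigEndian.PutUint64(tsBuf[:], uint64(ts))
	h.Write(tsBuf[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Sign produces a signed message. Only the holder of priv can do this, which
// is what lets the recipient later hold the sender to the message
// (non-repudiation); the recipient never needs the private key.
func Sign(partner string, priv ed25519.PrivateKey, payload []byte, ts int64) SignedMessage {
	return SignedMessage{
		Partner:   partner,
		Payload:   append([]byte(nil), payload...),
		Timestamp: ts,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signingInput(partner, payload, ts)),
	}
}

// Verify checks the three properties. trusted is the recipient's directory of
// partner public keys, exchanged out of band under the chain-of-trust
// agreement; checking against it rather than trusting the key embedded in the
// message is what actually authenticates the identity of the signer.
func Verify(trusted map[string]ed25519.PublicKey, m SignedMessage) error {
	want, ok := trusted[m.Partner]
	if !ok {
		return fmt.Errorf("unknown partner %q", m.Partner)
	}
	if len(m.Signer) != ed25519.PublicKeySize || !bytes.Equal(want, m.Signer) {
		return fmt.Errorf("signer key does not match directory entry for %q", m.Partner)
	}
	if len(m.Signature) != ed25519.SignatureSize {
		return fmt.Errorf("malformed signature")
	}
	if !ed25519.Verify(want, signingInput(m.Partner, m.Payload, m.Timestamp), m.Signature) {
		return fmt.Errorf("signature invalid: payload, timestamp or partner altered")
	}
	return nil
}

// Demo runs the exchange with constructed keys and a constructed claim and
// reports whether the original, a tampered copy, and a message from an
// impostor signer verify. Expected: true, false, false.
func Demo() (original, tampered, impostor bool) {
	// Fixed seeds keep the example deterministic; real keys come from crypto/rand.
	provider := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	impostorKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	directory := map[string]ed25519.PublicKey{
		"provider-a": provider.Public().(ed25519.PublicKey),
	}

	claim := []byte("constructed sample: claim 837, patient 0001, CPT 99213, $120.00")
	msg := Sign("provider-a", provider, claim, 925300800) // 1999-04-28T12:00:00Z, assumed
	original = Verify(directory, msg) == nil

	// An intermediary changes the billed amount: the signature no longer verifies.
	altered := msg
	altered.Payload = bytes.Replace(msg.Payload, []byte("$120.00"), []byte("$1200.00"), 1)
	tampered = Verify(directory, altered) == nil

	// Someone else signs with their own key and claims to be provider-a.
	forged := Sign("provider-a", impostorKey, claim, 925300800)
	impostor = Verify(directory, forged) == nil
	return
}

func main() {
	o, t, i := Demo()
	fmt.Printf("original=%v tampered=%v impostor=%v\n", o, t, i)
}
```

The directory lookup is the part most often skipped in practice: a signature that verifies under whatever public key arrives with the message proves only that someone holding some key signed it, not that the named partner did. Binding the partner name and the timestamp into the signed digest also means the date/time attribute the article mentions cannot be changed independently of the signed content.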


© 1999 - Moses & Singer LLP all rights reserved.
