Clearinghouses could have taken care of trust issues between payers and "unknown" or non-par providers long ago, but payers would not hear of it. Kepa Zubeldia and Marcallee Jackson have written about an EDI "Power of Attorney" concept which never gained any traction. This PoA would allow CHs to automatically sign up providers (customers of the CH) with payers, saving the provider the heartbreak of onerous and manual EDI enrollment. See Kepa's sad story at Synaptek (a clearinghouse), in Re: Trading Partner Agreements, from 05 Mar 2002, at http://www.mail-archive.com/[email protected]/msg00296.html.
Open portals are not a matter of blind trust. A payer merely has to accept a file purported to be a standard transaction from any source (which could be a BA or CH acting on behalf of a provider); he would still presumably go through the same processes he would with a paper claim. If the file is not a correctly formatted standard transaction, a TA1 or 997 will suffice to express the payer's displeasure. These are text files - no one is asking the payer to "execute" viruses or executables within the transactions. The payer simply has to read the data, and discard it if it doesn't even begin to look like EDI (no ISA, for example). It would be very bad system design to load the file into memory and begin executing the byte codes: that's about the only way I imagine a payer could get bitten with viruses!

Key exchange is not necessary before a signed and encrypted file is read. The file is encrypted with the payer's *public* key, which he has freely made available to partners via the CPP Electronic Trading Partner Profile. The payer uses his own private key to decrypt the file. He can authenticate the source of the file by checking the signature against the public key supplied in an X.509 certificate pointed to by the purported provider's CPP. There is no "exchange" of keys: payers are expected to use and support standard ITU X.509 certificates. It is unreasonable to expect providers to use PGP whose PKI necessarily depends on out-of-band exchange of certificates for applying trusted signatures; PGP will be unsuitable for all but the most insular trading communities.

Rigorous testing, and perhaps even certification, is highly recommended for providers. But when push comes to shove, the spirit of the law mandates the payer must take purported standard transactions - no ifs, ands or buts.
If they're not compliant standard transactions for some reason, the payer is perfectly within his rights to return a TA1, 997, 824 or an e-mail, depending on the circumstances, clearly indicating where the first problem was found. Your company doesn't require me to become "certified" for e-mail before I send my first e-mail to you, does it? No, of course not: if I don't follow MIME or S/MIME conventions, you simply reject the e-mail - even though it eats up some of your precious processor cycles. The same logic attends standard HIPAA transactions: if the provider has made even one mistake, tell him so and then forget about it.

Nobody's asking payers to agonize over providers' syntax and semantic errors in the standard transactions. The HIPAA TCS Rule requires payers to take in standard transactions on a non-discriminatory basis: no "vetting", no "certification," no "enrollment," no nothing, period. As Rachel has reminded us, no payer has to adjudicate every claim received - he only has to receive it and cannot reject it out of hand simply because it is a standard transaction.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "Koller, Greg" <[EMAIL PROTECTED]>
To: "'Mimi Hart'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Koller, Greg" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, 30 May, 2002 04:56 PM
Subject: RE: TA1 responding to non-participating health care providers

You have good points Mimi, maybe the banking industry is the better example. If I go to New York and put my ATM card in the machine, I will get my money because the Citibank machine is ultimately able to talk to my credit union in Milwaukee. But this is done through an extremely complex network of trust. The closest thing we have to that today is the clearinghouse network. Clearinghouses can take care of these trust issues.
The problem is that there is a notion out there that HIPAA is a way to eliminate the need for clearinghouses. When we talk of open portals, that is what tends to be the thought. The reality is that a provider in Wisconsin can get a claim to a payer in New York by utilizing a clearinghouse network (I like to think in the majority of cases). There are definitely issues associated with that, such as a lack of total connectivity among clearinghouses. But I think the alternative is a Healthcare Network of Trust, such as the ATM network in banking. I do not know if that is realistic. And the alternative of blind trust is one that I am not willing to accept.

-----Original Message-----
From: Mimi Hart [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 30, 2002 3:30 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: TA1 responding to non-participating health care providers

I understand your argument Greg...but isn't healthcare different in the following:

1. Walmart uses EDI when it places an order with a supplier...who it has talked to initially, probably had several meetings with, and exchanged trading partner agreements and companion documents and pricing. A supplier does not "walk in the door" unannounced and declare itself in need......

2. Healthcare providers have "customers" walk in the door, declare themselves in need...and pretty much, regardless of whether they have treated them before or not (especially with EMTALA provisions).. need to treat them. To stay in business..they need to create a claim and send it....regardless of whether they have ever worked with their customer's insurer or not....

How can the two situations be compared? Just because "closed" works for a Walmart...how is it going to work for us?
Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> "Koller, Greg" <[EMAIL PROTECTED]> 05/30/02 03:11PM >>>

I completely disagree with the concept of an "open" portal. You are discussing a strategy that violates basic security principle, and frankly is not achievable today.

The reference to treating like paper was used. First of all, paper is pre-screened by the post office before received into the payer's mailroom. (Hopefully that takes care of the Anthrax) What is my comfort level with a virus received from an unknown electronic source? (Yes, I know I am playing a bit here, but think about it) I have websites open to the general public, but there is no way in %$#% that I open up a production system capable of data exchange to an unknown entity.

As the industry moves more and more to FTP with some sort of PGP encryption as the main communication method (for batch transactions anyway) how can the open portal occur? An exchange of Keys must occur before a file can be opened.

A mention was made that a trading partner agreement is not mandated by HIPAA. This is true, but it is strongly recommended. This is a contradiction to open portal. If it is best practice to have an agreement, how can it be argued that open portal is required?

HIPAA allows for Payers to continue to define business rules. One business rule I would require is proof of testing with an entity like Claredi before accepting transactions. I cannot see how or where such a requirement flies against the rule. It does, however, eliminate open portal.

Finally, let's get to the base argument, the main reason for HIPAA (for the sake of this argument) is to promote electronic commerce in a health care industry that lags behind other industries as far as technological efficiencies. I have worked in other industries that are "more efficient" with electronic commerce, I have never seen an "open" portal utilized there.
I think the concept of free flow information is a wonderful panacea. However, without some sort of qualifier (Kepa has referred many times to banking and ATM networks) where there is certification required to be a member of such a network and to have "trust" among all members, the open portal is not achievable. And I think the interpretation that it has to be one is not valid.

Greg Koller
Manager of Operations and Business Development
United Wisconsin Proservices
(414)226-5520
[EMAIL PROTECTED]
Be sure to visit our website at http://www.uwproservices.com/
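
Added example, not part of any message in this thread: the step William Kammerer's reply describes (read the file as data, discard it if there is no ISA, otherwise answer envelope errors with a TA1) written as a Python envelope check. The names `triage` and `build_sample` and the sender/receiver IDs are assumptions made for illustration; the check relies on the X12 ISA segment being fixed-width (106 bytes).

```python
ISA_LEN = 106  # X12 ISA is fixed-width: 106 bytes including its segment terminator

def triage(raw: bytes) -> dict:
    """Classify an inbound file by its envelope only; the bytes are never executed."""
    if len(raw) < ISA_LEN or raw[:3] != b"ISA":
        return {"action": "discard", "reason": "no ISA header"}
    elem_sep = raw[3:4]        # delimiter is whatever byte follows 'ISA'
    seg_term = raw[105:106]    # terminator is the last byte of the ISA
    isa = raw[:105].split(elem_sep)
    if len(isa) != 17:         # 'ISA' tag plus 16 elements
        return {"action": "discard", "reason": "ISA not parseable"}
    ctrl = isa[13]             # ISA13, interchange control number
    result = {"control": ctrl.decode("ascii", "replace"),
              "sender": isa[6].decode("ascii", "replace").strip()}
    segments = [s.strip() for s in raw[ISA_LEN:].split(seg_term) if s.strip()]
    if not segments or not segments[-1].startswith(b"IEA" + elem_sep):
        return {**result, "action": "ta1-reject", "reason": "missing IEA trailer"}
    iea = segments[-1].split(elem_sep)
    if len(iea) != 3 or iea[2] != ctrl:
        return {**result, "action": "ta1-reject",
                "reason": "IEA02 does not match ISA13"}
    return {**result, "action": "translate", "reason": "envelope consistent"}

def build_sample(ctrl_header="000000001", ctrl_trailer="000000001") -> bytes:
    """Constructed interchange (made-up IDs, body abbreviated to GS/GE)."""
    isa = "*".join(["ISA", "00", " " * 10, "00", " " * 10,
                    "ZZ", "PROVIDER01".ljust(15), "ZZ", "PAYER01".ljust(15),
                    "020530", "1656", "U", "00401",
                    ctrl_header, "0", "T", ":"]) + "~"
    body = "GS*HC*PROVIDER01*PAYER01*20020530*1656*1*X*004010X098~GE*0*1~"
    return (isa + body + f"IEA*1*{ctrl_trailer}~").encode("ascii")

if __name__ == "__main__":
    for name, data in [("well-formed", build_sample()),
                       ("trailer mismatch", build_sample(ctrl_trailer="000000002")),
                       ("not EDI", b"MZ\x90\x00" + b"\x00" * 200)]:
        print(name, "->", triage(data))
```

A file that passes this check has only been shown to have a consistent envelope; syntax and content errors inside it are still the job of the translator and the 997/824 responses mentioned in the thread.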
