Subpart A-General Provisions
� 160.101 Statutory basis and purpose.
The requirements of this subchapter implement sections 1171 through 1179 of the Social Security Act (the Act), as added by section 262 of Public Law 104-191, and section 264 of Public Law 104-191.
� 160.102 Applicability.
Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the
following entities:
(a) A health plan.
(b) A health care clearinghouse.
(c) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
� 162.915 Trading partner agreements.
A covered entity must not enter into a trading partner agreement that would do any of the following:
(a) Change the definition, data condition, or use of a data element or segment in a standard.
(b) Add any data elements or segments to the maximum defined data set.
(c) Use any code or data elements that are either marked ''not used'' in the standard's implementation specification or are not in the standard's implementation specification(s).
(d) Change the meaning or intent of the standard's implementation specification(s).
� 162.920 Availability of implementation specifications.
(a) Access to implementation specifications. A person or organization may request copies (or access for inspection) of the implementation
specifications for a standard described in subparts K through R of this part by identifying the standard by name, number, and version. The
implementation specifications are available as follows:
(1) ASC X12N specifications. The implementation specifications for ASC X12N standards may be obtained from the Washington Publishing Company, PMB 161, 5284 Randolph Road,Rockville, MD, 20852-2116; telephone 301-949-9740; and FAX: 301-949-9742. They are also available through the Washington Publishing Company on the Internet at http://www.wpc-edi.com.
The implementation specifications are as follows:
(i) The ASC X12N 837-Health Care Claim: Dental, Version 4010, May 2000,Washington Publishing Company,004010X097, as referenced in �� 162.1102 and 162.1802.
and then the rule goes on to specify each transaction set. I strongly encourage you to read the Electronic Transaction Final Rule since many of your questions would be answered therein.
2. Regarding the issue of whether HIPAA's provisions under Subtitle F Administrative Simplification supercede state law -- here's the language from the law:
110 STAT. 2030 PUBLIC LAW 104-191-AUG. 21, 1996
''(1) G
ENERAL RULE.-Except as provided in paragraph (2),a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.
''(2) EXCEPTIONS.-A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall not supersede a contrary provision of State law, if the provision of State law-
''(A) is a provision the Secretary determines-
''(i) is necessary-
''(I) to prevent fraud and abuse;
''(II) to ensure appropriate State regulation of insurance and health plans;
''(III) for State reporting on health care delivery or costs; or
''(IV) for other purposes; or
''(ii) addresses controlled substances; or
''(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.
''(b) PUBLIC HEALTH.-Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.
''(c) STATE REGULATORY REPORTING.-Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.
Once again, a reading of Subtitle F of HIPAA would answer many of the questions you've been posing.
Rachel
Rachel
Foerster
Principal
Rachel Foerster & Associates, Ltd.
Professionals
in EDI & Electronic Commerce
39432 North Avenue
Beach Park, IL
60099
Phone: 847-872-8070
Fax: 847-872-6860
http://www.rfa-edi.com
-----Original Message-----
From: Bill Chessman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 1:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: States' roles in HIPAA IG vs. X12 ComplianceMike,Your interpretation of my remarks was spot on. To that end, I guess I'm focusing my curiosity about the legal weight of the IGs. Do they actually have the force of law? If there's an element that has a maximum length of 10 and I send 11 characters, am I subject to fines or other punitive actions? If the answer is yes, then does Not Used mean "Thou Shalt Not Use"? Is there any section of the Final Rule that says, more or less, "you must follow the IGs to the letter, no exceptions"?I completely agree that failure to follow the IGs is, at the very least, bad form, but I've been in the business long enough to realize that dang near everyone has some exception or other (some appalling, some bordering on hilarity).Best regards,Bill ChessmanPeregrine Systems, Inc. (though the opinions expressed are my own)-----Original Message-----
From: Augustine, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 7:29 AM
To: [EMAIL PROTECTED]
Subject: RE: States' roles in HIPAA IG vs. X12 ComplianceI think it's important to respond to Bill's statement:
<snip> then I submit it would be possible for a state to say, "gee, we need
you to send this additional stuff (in the very same 837) that doesn't
supersede/violate HIPAA but provides us [the state] with some very important
data." </snip>
What he is implying here, if I understand correctly, is that the state could dictate additional data requirements beyond that which is required under the HIPAA regulations (IG's). I believe the answer is NO. One thing that is has been made very clear is that you cannot force a TP to alter the usage or content requirements of any transaction or data element. By saying, there is this NOT USED data element that I would like to have so I will require you to send it, you violate this principal. It doesn't matter what the definition of "should" is.If the HIPAA standards have not adequately accounted for the additional requirements that even state entities would require, I think that is a real shame. But I don't think you can get around it within the HIPAA transactions. Trading separate and proprietary documents would appear to be the only solution, short of the entities backing down on their requirements. I would also like to add that Bill's statement about the "plethora of different brands of documents" would exist in either scenario - you either have additional non-HIPAA transactions specific to certain Trading Partners or you have specialized HIPAA transactions per Trading Partner (which is what I'm saying is not allowed).
Just my 2 cents on the other side of this: I would contend that if the guide says NOT USED and you use it, your transaction is non-compliant. If you receive more data than you require, you can ignore it, regardless if it is marked REQUIRED or SITUATIONAL (even if it is because your interpretation of the situational requirement differs from that of the sender). If some of that data is necessary on the outgoing response to a transaction, then you need to include it, even if you didn't use it in your processing. This means that in your gap analysis and system modifications you don't need to necessarily store and support all possible data, you just need to be able to pass it on when appropriate.
Mike Augustine
Principal, SILC, Incorporated-----Original Message-----
From: Rachel Foerster [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 28, 2002 5:48 PM
To: 'Bill Chessman'; [EMAIL PROTECTED]
Subject: RE: States' roles in HIPAA IG vs. X12 Compliance
Bill,
No the final rule does not address the **actual** meaning of should, should
not, must, must not, etc. A work group at X12N is trying to address this and
remove any ambiguity.I did forward to that work group the words and definitions used by the IETF
and almost all other global and national standards bodies regarding the use
of must, should, shall, reuqired, etc.In the absense of any clarifying language in the HIPAA guides - and since
the authors chose **not** to follow the ANSI rules of using shall, shall
not, etc. on which all of the X12 standards are based, I'm taking the
position that should = shall, must = shall, etc. Personally, I don't think
this is a reach.Rachel
Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
Professionals in EDI & Electronic Commerce
39432 North Avenue
Beach Park, IL 60099
Phone: 847-872-8070
Fax: 847-872-6860
http://www.rfa-edi.com
-----Original Message-----
From: Bill Chessman [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 1:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: States' roles in HIPAA IG vs. X12 Compliance
Okay, I admit, though fairly familiar with EDI, my HIPAA knowledge is
limited and only recently won. Here's the crux of my thoughts. According
to the IGs the phrase NOT USED means <copyandpaste source="004010X096">This
item should not be used when complying with this implementation
guide.</copyandpaste>I'm not clear from the discussion: does "should not" equal "must not" as far
as HIPAA rules go? If something is transmitted that falls in this "should
not" zone, is the sender liable for fines, imprisonment, wrist slaps,
summary execution or other appropriate punishment? If HIPAA "should not" is
"must not", then the answer is clearly to send additional (parallel, maybe
EDI, maybe XML, maybe proprietary--who cares?) documents. If that's the
case, it's enough to me to stop my line of inquiry.On the other hand, if "should not" really means "we don't think it's a good
idea but we can't stop you if you really really want to send this NOT USED
thing," then I submit it would be possible for a state to say, "gee, we need
you to send this additional stuff (in the very same 837) that doesn't
supersede/violate HIPAA but provides us [the state] with some very important
data." I stress here additional data that doesn't countermand or violate
any of the HIPAA requirements. (One motivation for such a stance would be
to avoid having a plethora of different brands of documents transmitted.)Does the final rule, somewhere therein, give an iron-clad statement that
though shalt not use NOT USED items under penalty of grievous punishment?Best regards,
Bill Chessman
Peregrine Systems, Inc.-----Original Message-----
From: Rachel Foerster [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: States' roles in HIPAA IG vs. X12 Compliance
Bill,
Here's my comments inline to your questions posed below.
Rachel
Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
Professionals in EDI & Electronic Commerce
39432 North Avenue
Beach Park, IL 60099
Phone: 847-872-8070
Fax: 847-872-6860
http://www.rfa-edi.com
-----Original Message-----
From: Bill Chessman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 12:37 PM
To: [EMAIL PROTECTED]
Subject: States' roles in HIPAA IG vs. X12 Compliance
All this talk about the HIPAA IG and X12 Compliance and 997 vs 824 vs
something completely different has my head spinning a little bit. Another
thing that was mentioned made me wonder about how the state laws may fit
into this jigsaw puzzle called HIPAA Compliance.In trying to keep my volume of e-mail archives to a minimum, I confess I've
lost the name of the person who posted the remark, but it went something
like, "what about state-level mandates for specific data used for
statistical analysis, epidemiological tracking, etc. and how does that
affect segments which are deemed in the HIPAA IGs as NOT USED?"<ref>No affect whatsoever to the HIPAA IGs. They are mandated by federal law
for the specific purpose defined in the law/rule and in accordance with the
standard set forth in the law. If states want other or additional data
beyond the specific data allowed within a specific HIPAA guide, they are
well within their states' rights to require additional transactions. In this
case they are then not the HIPAA mandated transaction, but another set of
data in another transaction....it's just not a HIPAA transaction. These
transactions could also be based on the full X12 transaction specification,
but subsetted to suit the needs. For example, if the X12 837 can support
additional information needed for statistical analysis, etc. there is no
prohibition against a state, or any other entity for that matter, using the
837 for that purpose. There's no conflict with HIPAA since it's not the
transaction as specified in the law. For example, here's what the law says
is a claim:Health care claims or equivalent encounter information:
A transmission from a provider to a health plan to
Request payment
Provide necessary accompanying information
Provide encounter information for the purpose of reporting health
care
No direct claim, because the reimbursement contract is based
on a
mechanism other than charges or reimbursement rates for
specific servicesDesignated Standards:
Retail pharmacy drug claims
NCPDP Telecommunication Standard Implementation Guide, Version 5
Release 1,
September 1999
NCPDP Batch Standard Batch Implementation Guide, Version 1 Release
0,
February 1, 1996
Institutional Health Care Claims
ASC X12N 837-Health Care Claim Version 004010X096
Dental Health Care Claims
ASC X12N 837-Health Care Claim Version 004010X097
Professional Health Care Claims
ASC X12N 837-Health Care Claim Version 004010X098Any entity is free to use the X12 837 for other purposes outside of this in
any way it chooses, assuming of course, that it does so with the purpose and
scope of the 837.</ref>
Is there any precedent for putting state laws on top of federal laws?
<ref>Of course there's precedent for state laws to expand on federal
laws....the Uniform Commercial Code is a good example, as is UETA, the
Uniform Electronic Transactions Act. In these two examples, each state is
free to adopt/adapt the federal act as it deems necessary within its own
jurisdiction.</ref>By that I don't mean as an attempt to supersede, but rather as an attempt to
augment. If the state says, "we want to do everything that's called for in
HIPAA but there's also this other stuff we want in addition"...would that be
possible? legal? on the horizon?Also, if so, would we likely expect some states to issue their own "HIPAA++"
IGs? Is this something that might need to be taken into consideration?<ref>States cannot supercede the HIPAA electronic transaction final rule.
Since HIPAA is federal law, it crosses all state boundaries and applies to
all states, whether business is conducted intra- or inter-state.?ref>Also, what happens if the claim is across state lines and both have their
own HIPAA++ requirements (scenario 1: they kind of overlap, scenario 2: they
conflict)?<ref>If it's a claim, then all covered entities must comply with the claim
specification set forth in the federal law. The HIPAA Electronic Transaction
Final Rule **supercedes** any state law to the contrary except if that state
law is necessary to prevent fraud and abuse.</ref><ref>Furthermore, states are free to enact their own laws and regulations
regarding the prompt payment of health care claims....and many states have
already done so, e.g., New Jersey, Texas. Some states are also using the
term "clean claim", but are conveniently not defining what constitutes a
clean claim.</ref><ref>Clear? Or clear as mud!!</ref>
Just thinking "aloud."
Best regards,
Bill Chessman
Peregrine Systems, Inc.
