[Federal Register Volume 62, Number 195 (Wednesday, October 8, 1997)]
[Notices]
[Pages 52563-52565]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-26659]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


National Committee on Vital and Health Statistics: Publication of 
Recommendations Relating to HIPAA Health Data Standards

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: Section 1172 (f), Subtitle F of Pub. L. 104-191, the Health 
Insurance Portability and Accountability Act of 1996, requires the 
Secretary of Health and Human Services to publish in the Federal 
Register any recommendation of the National Committee on Vital and 
Health Statistics (NCVHS) regarding the adoption of a data standard 
under that law. On September 9, the NCVHS submitted recommendations to 
the Secretary relating to the unique identifier for payers, the unique 
identifier for individuals, and security standards. Accordingly, the 
full text of the NCVHS recommendations relating to HIPAA data standards 
is reproduced below. The text of the recommendations is also available 
on the NCVHS website: http://aspe.os.dhhs.gov/ncvhs/.

SUPPLEMENTARY INFORMATION: Under the Administrative Simplification 
provisions of the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA), the Secretary of Health and Human Services is required 
to adopt standards for specified administrative health care 
transactions to enable information to be exchanged electronically. The 
law requires that, within 24 months of adoption, all health plans, 
health care clearinghouses and health care providers who choose to 
conduct these transactions electronically must comply with these 
standards. Further, the law requires the Secretary to submit to Congress 
detailed recommendations on standards with respect to the privacy of 
individually identifiable health information. In preparing these 
reports and recommendations, the Secretary is required to consult with 
the NCVHS, the statutory public advisory body to HHS on health data, 
privacy and health information policy. On September 9, the Committee 
submitted recommendations to the Secretary relating to the unique 
identifier for payers, the unique identifier for individuals, and 
security standards.
    Accordingly, the full text of the NCVHS recommendations relating to 
HIPAA data standards is reproduced below.

Recommendations Relating to the National PAYERID

September 9, 1997.
The Honorable Donna E. Shalala,
Secretary, Department of Health and Human Services, 200 Independence 
Avenue, S.W., Washington, D.C. 20201
     Dear Secretary Shalala: On behalf of the National Committee on 
Vital and Health Statistics (NCVHS), I am pleased to forward to you 
our recommendations relating to another of the health data standards 
being proposed for adoption in accordance with the administrative 
simplification provisions of the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). The NCVHS is very pleased to 
provide support, advice and consultation to you in this effort.
    The NCVHS has been briefed on the proposal for the national 
standard for identifiers for health plans or PAYERID, and we offer 
our strong support. The proposal includes a nine digit numeric 
identifier that would be assigned to all health plans. The 
identifier includes a check digit and contains no embedded 
intelligence. We recommend that HHS proceed to publish the proposal 
for public comment without delay. In the interests of operational 
efficiency and simplification, we suggest that the Department also 
leave open the option of moving to an alphanumeric identifier in the 
future. While public comments are likely to focus on the technical details 
of the number and the optimal approach to enumeration, we have found 
broad support for the proposal in general and urge you to proceed.
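The check digit mentioned above, as an added example (not code from the NCVHS letter or from the PAYERID proposal): the proposal does not say which check-digit scheme it uses, so this block assumes the Luhn mod-10 algorithm and assumes random assignment of the eight body digits. It shows what such a check digit catches (every single-digit transcription error), what it does not catch (the 09/90 adjacent swap, which Luhn is known to miss), and how random assignment is what keeps the number free of embedded intelligence.

```python
"""Added example (not from the NCVHS letter or the PAYERID proposal).

The letter says the proposed PAYERID is a nine-digit numeric identifier
with a check digit and no embedded intelligence.  It does not name the
check-digit algorithm; this example ASSUMES the Luhn (mod-10) scheme and
ASSUMES random assignment of the eight body digits.
"""
import secrets


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit for a string of decimal digits."""
    if not body.isdigit():
        raise ValueError("body must be decimal digits")
    total = 0
    # Walk right-to-left; the check digit will sit to the right of the
    # body, so the body digit nearest it is the first one doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(identifier: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    if len(identifier) < 2 or not identifier.isdigit():
        return False
    return luhn_check_digit(identifier[:-1]) == identifier[-1]


def new_payer_id(rng=secrets) -> str:
    """Assumed enumeration: 8 random digits + 1 check digit = 9 digits.

    Random assignment is what gives "no embedded intelligence": nothing
    about the plan (state, type, size) can be read out of the number.
    """
    body = "".join(str(rng.randbelow(10)) for _ in range(8))
    return body + luhn_check_digit(body)


def detects_single_digit_errors(identifier: str) -> bool:
    """Every single-digit substitution in a valid identifier fails the check."""
    for pos in range(len(identifier)):
        for wrong in "0123456789":
            if wrong == identifier[pos]:
                continue
            corrupted = identifier[:pos] + wrong + identifier[pos + 1:]
            if luhn_valid(corrupted):
                return False
    return True


def undetected_transpositions(identifier: str) -> list:
    """Adjacent-digit swaps that still pass; Luhn misses the 09<->90 swap."""
    misses = []
    for pos in range(len(identifier) - 1):
        a, b = identifier[pos], identifier[pos + 1]
        if a == b:
            continue
        swapped = identifier[:pos] + b + a + identifier[pos + 2:]
        if luhn_valid(swapped):
            misses.append(swapped)
    return misses


if __name__ == "__main__":
    # Constructed sample: "09" at the front exercises the known Luhn gap.
    sample = "09123456" + luhn_check_digit("09123456")
    print(sample, luhn_valid(sample))
    print("single-digit errors all caught:", detects_single_digit_errors(sample))
    print("adjacent swaps that slip through:", undetected_transpositions(sample))
    print("fresh identifier:", new_payer_id())
```

The practical caveat this illustrates is that a check digit is an integrity aid against keying mistakes, not an authentication or anti-forgery control: anyone can compute a valid check digit, so routing and eligibility decisions still need to be made against an authoritative enumeration database, not against the number's self-consistency.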
    The Committee did identify one concern that we bring to your 
attention. The PAYERID, as proposed, replaces the plan ID and sub ID 
used in current transactions. The sub ID is currently used for 
electronic routing, and concern has been expressed that this 
function will be lost. We recommend that this functionality be 
addressed before the final rule is issued.
    We appreciate your national leadership in health data standards, 
electronic data interchange and privacy, and we are privileged to 
work with you on these issues.


        Sincerely,
Don E. Detmer, M.D.,
Chair.

Recommendations Relating to the Unique Health Identifier for 
Individuals

September 9, 1997.
The Honorable Donna E. Shalala,
Secretary of Health and Human Services, Washington, D.C. 20201
      Dear Secretary Shalala: The National Committee on Vital and 
Health Statistics (NCVHS) is responding to the requirement of 
Congress to set a standard for a unique health identifier for each 
individual for use in the health care system. While the NCVHS 
continues to support the concept of a unique health identifier for 
individuals, we believe it would be unwise and premature to proceed 
to select and implement such an identifier in the absence of 
legislation to assure the confidentiality of individually 
identifiable health information and to preserve an individual's 
right to privacy.
    The selection of a unique health identifier for individuals will 
become the focus of tremendous public attention and interest, far 
beyond that afforded to other health privacy decisions. No choice 
should be made without considerably more public notice, hearings, 
and comment.
    Until a new federal law adequately protects the privacy of 
identifiable health information, it is not possible to make a 
sufficiently informed choice about an identification number or 
procedure. The degree of formal legal protection for personal health 
information will have a major influence on both the decision and 
public acceptance of that decision. Passage of a comprehensive 
health privacy law may make the choice of an identifier easier and 
less threatening to privacy.
    A unique health identifier for individuals cannot be properly 
protected from misuse under current law. The Committee reaches this 
conclusion notwithstanding the enactment of criminal penalties for 
wrongful disclosure as part of the Health Insurance Portability and 
Accountability Act of 1996. Additional legislation may be required 
to authorize the use of some alternatives or to provide adequate 
restrictions for other alternatives.
    We recommend alternative methods of identifying individuals and 
linking health information of individuals for health purposes be 
evaluated on the basis of the American Society for Testing and 
Materials (ASTM) criteria coupled with a cost-benefit evaluation and 
public comment. The committee intends to continue to receive public 
comment on this issue and will revisit this issue at our November 
meeting.
    We appreciate your national leadership in health data standards, 
electronic data interchange and privacy, and we are privileged to 
work with you on these issues.

        Sincerely,
Don E. Detmer, M.D.,
Chair.

Recommendations for Security Standards

September 9, 1997.
The Honorable Donna Shalala,
Secretary, Department of Health and Human Services, 200 Independence 
Avenue, SW, Washington, DC 20201.
      Dear Madam Secretary: The National Committee on Vital and 
Health Statistics is pleased to provide recommendations on the 
adoption of security standards as mandated by the Health Insurance 
Portability and Accountability Act of 1996 (Public Law 104-191).
    The Subcommittee on Health Data Needs, Standards and Security 
held a hearing on August 5 and 6 to receive testimony from a wide 
range of industry representatives on issues regarding security. 
Twenty-five individuals representing professional associations, 
providers, managed care organizations, vendors, consultants and 
standards development organizations provided input. A list of the 
witnesses is attached to this letter.
    While there was consensus among the witnesses regarding the need 
for security standards, testimony highlighted the evolutionary 
development of information security in the health care industry. 
Currently, there are poor practices in the handling of paper-based 
health information and the move towards electronic storage and 
transmission heightens concerns. Health care organizations have been 
slow to adopt strong security practices due largely to lack of 
strong management and organizational incentives. Additionally, the 
lack of national privacy legislation or regulation to ensure 
confidentiality of health information creates additional tensions.
    Based on the testimony received and discussion at the Committee 
meeting on September 8 and 9, the NCVHS has developed a series of 
principles and recommendations for your consideration. Since the 
standards in this area are not fully mature and have not been 
extensively implemented by the health care industry, we are not 
recommending adoption of specific standards.
    The Committee believes that any standard that is adopted must be 
technology neutral and should promote interoperability among 
information systems. There are a number of factors that must be 
considered in this area: the cost of implementing specific solutions 
and the need for scalability to the size of the health care entity.
    In order for health information systems to be secure, there must 
be:

 Individual authentication of users

    Every individual in an organization should have a unique 
identifier for use in logging onto the organization's information 
systems and each organization should have policies and procedures in 
place to enforce the appropriate use and maintenance of access 
methods.

 access controls

    Procedures should be in place that restrict users' access to 
only that information for which they have a legitimate need. 
Individual organizations will have to determine the appropriate 
approach that will work within their organization and balance the 
interests between access and privacy.

 monitoring of access

    Organizations should develop audit trails and mechanisms to 
review access to information systems to identify authorized users 
who misuse their privileges and perform unauthorized actions and 
detect attempts by intruders to access systems.

 physical security and disaster recovery

    Organizations should immediately take steps to limit 
unauthorized physical access to computer systems, displays, networks 
and medical records. Disaster recovery plans should include 
procedures for providing basic system functions and ensuring access 
to health information in the event of a natural disaster or computer 
failure.

 protection of remote access points

    Organizations must protect their information systems from 
intruders who try to access their systems through external 
communication points such as the Internet or dial-in telephone 
lines.

 protection of external electronic communications

    Organizations need to protect sensitive communication that is 
transmitted electronically over open networks so that it cannot be 
easily intercepted and interpreted by parties other than the 
intended recipient.

 software discipline

    Organizational procedures and educational programs should be 
implemented to protect against viruses, Trojan horses and other 
forms of malicious software and to raise users' awareness of the 
problem.

 system assessment

    Organizations should formally assess the security and 
vulnerabilities of their information systems on an ongoing basis.

 monitoring of integrity of data

    The integrity of health information is critical to providing 
quality care to patients. Organizations must implement a process to 
ensure that information systems do not compromise data integrity.
    There are a series of organizational practices that the Committee 
believes are imperative:

 scalable confidentiality and security policies and 
procedures
 security/confidentiality committees
 designation of an information security officer in health 
care organizations
 education and training programs for all employees, medical 
staff, agents and contractors
 organizational sanctions for violation of policies and 
procedures
 improved patient authorization forms for disclosure of 
health information
 patient access to audit logs

    Many of these recommendations and practices are based on the 
National Research Council's report For the Record: Protecting 
Electronic Health Information. In the short-term, it is recommended 
that health care organizations institute a risk assessment of their 
current state of compliance with these organizational and technical 
practices. As industry experience evolves, the Committee suggests 
that criteria be developed to evaluate and monitor compliance with 
these recommendations. Organizations that license or accredit health 
care organizations should consider incorporating these requirements 
into their standards.
    The Committee plans to continue to monitor industry compliance 
and the development and maturation of technology and standards. As 
standards that are fully mature and tested become available, we will 
review them and recommend them for adoption.
    Thank you for the opportunity to provide assistance.

        Sincerely,
Don E. Detmer, M.D.,
Chair.

CONTACT PERSON FOR MORE INFORMATION: Information about the Committee as 
well as the text of all HIPAA recommendations is available on the NCVHS 
website or from James Scanlon, NCVHS Executive Staff Director, Office 
of the Assistant Secretary for Planning and Evaluation, DHHS, Room 440-
D, Hubert H. Humphrey Building, 200 Independence Avenue S.W., 
Washington, D.C. 20201, telephone (202) 690-7100, or Marjorie S. 
Greenberg, Executive Secretary, NCVHS, NCHS, Room 1100, Presidential 
Building, 6525 Belcrest Road, Hyattsville, Maryland 20782, telephone 
(301) 436-7050.

    Dated: October 1, 1997.
James Scanlon,
Director, Division of Data Policy, Office of the Assistant Secretary 
for Planning and Evaluation.
[FR Doc. 97-26659 Filed 10-7-97; 8:45 am]
BILLING CODE 4151-04-M