[Federal Register Volume 67, Number 105 (Friday, May 31, 2002)]
[Rules and Regulations]
[Pages 38009-38020]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-13616]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 162

[CMS-0047-F]
RIN 0938-AI59


Health Insurance Reform: Standard Unique Employer Identifier

AGENCY: Centers for Medicare and Medicaid Services (CMS), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule establishes a standard for a unique employer 
identifier and requirements concerning its use by health plans, health 
care clearinghouses, and health care providers. The health plans, 
health care clearinghouses, and health care providers must use the 
identifier, among other uses, in connection with certain electronic 
transactions.
    The use of this identifier will improve the Medicare and Medicaid 
programs, and other Federal health programs and private health 
programs, and the effectiveness and efficiency of the health care 
industry in general, by simplifying the administration of the system 
and enabling the efficient electronic transmission of certain health 
information. It will implement some of the requirements of the 
Administrative Simplification subtitle of the Health Insurance 
Portability and Accountability Act of 1996.

EFFECTIVE DATE: This regulation is effective July 30, 2002.

FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812.

SUPPLEMENTARY INFORMATION:
    Copies: To order copies of the Federal Register containing this 
document, send your request to: New Orders, Superintendent of 
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date 
of the issue requested and enclose a check or money order payable to 
the Superintendent of Documents, or enclose your Visa or Master Card 
number and expiration date. Credit card orders can also be placed by 
calling the order desk at (202) 512-1800 or by faxing to (202) 512-
2250. The cost for each copy is $9. As an alternative, you can view and 
photocopy the Federal Register document at most libraries designated as 
Federal Depository Libraries and at many other public and academic 
libraries throughout the country that receive the Federal Register. You 
may also obtain a copy from the following web sites:

[[Page 38010]]

http://www.access.gpo.gov/nara/index.html; http://aspe.hhs.gov/admnsimp/.

I. Background

    Employers may need to be identified when they transmit information 
to health plans to enroll or disenroll an employee as a participant in 
a health plan. Employers, health care providers, and health plans may 
need to identify the source or receiver of eligibility or benefit 
information. Although the source is usually a health plan, it could be 
an employer. Employers and health plans may need to identify the 
employer when making or keeping track of health plan premium payments 
or contributions relating to an employee. In all cases, in health care 
transactions, where information about the employer is transmitted 
electronically, it will be beneficial to identify the employer using a 
standard identifier.

A. Legislation

    The Congress included provisions to address the need for a standard 
unique employer identifier and other administrative simplification 
issues in the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), Public Law 104-191, which became effective on August 21, 
1996. Through subtitle F of title II of that law, the Congress added to 
title XI of the Social Security Act a new part C, titled Administrative 
Simplification (Public Law 104-191) affects several titles in the 
United States Code. Hereafter, we refer to the Social Security Act as 
the Act; we refer to the other laws cited in this document by their 
names.) The purpose of this part is to improve the Medicare and 
Medicaid programs in particular and the efficiency and effectiveness of 
the health care system in general by encouraging the development of a 
health information system through the establishment of standards and 
requirements to facilitate the electronic transmission of certain 
health information.
    Part C of title XI consists of sections 1171 through 1179 of the 
Act. These sections define various terms and impose several 
requirements on the Secretary, health plans, health care 
clearinghouses, and certain health care providers concerning electronic 
transmission of health information, and security and privacy.
    We discussed the legislation in greater detail in a final rule for 
Standards for Electronic Transactions (the Transactions Rule) published 
on August 17, 2000 (65 FR 50312), and in a final rule for Privacy of 
Individually Identifiable Health Information (the Privacy Rule), 
published on December 28, 2000 (65 FR 82462). Rather than repeating the 
discussion here, we refer the reader to those documents for further 
information.
    Section 1172 of the Act makes any standard adopted under part C 
applicable to (1) all health plans, (2) all health care clearinghouses, 
and (3) any health care provider who transmits any health information 
in electronic form in connection with a transaction referred to in 
section 1173 (a)(1).
    In complying with the requirements of part C of title XI, the 
Secretary must rely on the recommendations of the National Committee on 
Vital Health Statistics (NCVHS), consult with appropriate State, 
Federal, and private agencies or organizations, and publish the 
recommendations of the NCVHS in the Federal Register.
    Paragraph (b) of section 1173 of the Act requires the Secretary to 
adopt standards for unique health identifiers for all employers (in 
addition to identifiers for individuals, health plans, and health care 
providers) for use in the health care system, and requires further that 
the adopted standards specify for what purposes unique health 
identifiers may be used.

II. Provisions of the Proposed Regulations

    On June 16, 1998 (63 FR 32784), we proposed a national standard 
employer identifier and requirements concerning its implementation. 
That rule would have established requirements that health plans, health 
care clearinghouses, and health care providers would have to meet to 
comply with the requirements for use of a unique employer identifier in 
electronic transactions.
    We proposed to add a new part to title 45 of the Code of Federal 
Regulations (63 FR 32784) for health plans, health care providers, and 
health care clearinghouses in general. The new part would have been 
part 142 of title 45 and would have been titled Administrative 
Requirements. Subpart F would have contained provisions specific to the 
employer identifier. In this final rule, we have codified these 
provisions in Part 162.
    The proposed rule for the employer identifier (63 FR 32784) 
discussed applicability of HIPAA to all health plans, all health care 
clearinghouses, and those health care providers that transmit any 
health information in electronic form in connection with transactions 
referred to in section 1173(a)(1) of the Act.
    The Transactions Rule (65 FR 50312) contains general requirements 
for administrative simplification, including applicability of the 
regulations, general effective dates, and definitions. We refer the 
reader to that rule for the discussion of comments and responses and 
for the actual regulations that were codified in the Code of Federal 
Regulations for the general requirements (45 CFR part 160 Subpart A, 
and 45 CFR part 162 Subparts A and I). In addition, some provisions in 
part 160 were further revised by the Privacy Rule published on December 
28, 2000 (65 FR 82462).

A. Definitions

    We proposed to define ``employer'' as 26 U.S.C. 3401(d) does: a 
person (or an entity) for whom an individual performs or performed any 
service, of any nature, as the employee of that person (or that entity) 
except for the following:
    (1) If the entity for whom the individual performs or performed the 
services does not have control of the payment of the wages for the 
services, the term ``employer'' means the entity having control of the 
payment of the wages.
    (2) If the entity pays wages on behalf of a nonresident alien 
individual, foreign partnership, or foreign corporation, not engaged in 
trade or business within the United States, the term ``employer'' means 
that entity.
    We did not receive any comments on our definition of ``employer.'' 
We note here that our proposed definition incorrectly omitted a 
reference to 26 U.S.C. 3401(a) of the Internal Revenue Code that is 
part of the definition at 26 U.S.C. 3401(d) of the Internal Revenue 
Code. We clarify in this rule that our definition of ``employer'' is as 
it appears in 26 U.S.C. 3401(d). We also note that the use of the term 
``individual'' in the definition at 26 U.S.C. 3401(d) is not the same 
as in the final Privacy Rule. In the Privacy Rule, the word 
``individual'' means a person who is the subject of protected health 
information. In the definition of employer, the word ``individual'' 
means a person who is an employee.
    The EIN is defined in 26 CFR 301.7701-12. We proposed to define 
``Employer identification number'' (EIN) as 26 CFR 301.7701-12 does: 
``the taxpayer identifying number of an individual or other person 
(whether or not an employer) which is assigned pursuant to 26 U.S.C. 
6011(b) or corresponding provisions of prior law, or pursuant to 26 
U.S.C. 6109, and in which nine digits are separated by a hyphen, as 
follows: 00-0000000.''
    In this final rule, we deleted the formatting description from our 
definition of EIN. We continue to define EIN as the employer 
identification number, as assigned by the IRS.

[[Page 38011]]

Deletion of the formatting description from our regulatory definition 
gives us flexibility, in case the IRS should decide in the future to 
change the format of the EIN.

B. Employer Identifier Standard

    We proposed that Sec. 142.602, National employer identifier 
standard, would describe the employer identifier standard. There 
currently exists no standard for employer identification that has been 
developed, adopted, or modified by a standard setting organization 
after consultation with the National Uniform Billing Committee (NUBC), 
the National Uniform Claim Committee (NUCC), the Workgroup for 
Electronic Data Interchange (WEDI), and the American Dental Association 
(ADA). Therefore, we would designate a new standard.
    We proposed as the standard the employer identification number 
(EIN), which is assigned by the Internal Revenue Service (IRS), 
Department of the Treasury. As stated in II. Provisions of the Proposed 
Regulations, A. Definitions, we define EIN as the employer 
identification number assigned by the IRS, and we delete the formatting 
description in our definition.
    Proposed Sec. 142.602 has become Sec. 162.605.

C. Requirements

    In the proposed rule (63 FR 32787), we noted that the Act does not 
bind employers to use the standard. However, covered health care 
providers, health plans, and health care clearinghouses are bound to 
use the standard, where required, in electronic health transactions.
    1. Health plans.
    In Sec. 142.604, Requirements: Health plans, we proposed to require 
health plans to accept the EIN on all standard transactions and 
transmit the EIN on all standard transactions that require an employer 
identifier to identify a person or entity as an employer.
    2. Health care clearinghouses.
    We proposed to require in Sec. 142.606, Requirements: Health care 
clearinghouses, that each health care clearinghouse use the EIN on all 
standard transactions that require an employer identifier to identify a 
person or entity as an employer.
    3. Health care providers.
    In Sec. 142.608, Requirements: Health care providers, we proposed 
to require each health care provider to use the EIN, wherever required, 
on all standard transactions that require an employer identifier to 
identify a person or entity as an employer.
    4. Employers.
    In Sec. 142.610, Requirements: Employers, we proposed to require 
each employer to disclose its EIN, when requested, to any entity that 
conducts standard electronic transactions that require that employer's 
identifier to identify a person or entity as an employer.
    Proposed Secs. 142.604, 142.606, and 142.608 have been consolidated 
into Sec. 162.610, and proposed Sec. 142.610 has been removed in this 
final rule.

D. Effective Dates and Compliance Dates of the Employer Identifier

    We proposed that health plans would be required to comply with our 
requirements as follows:
     Each health plan that is not a small health plan would 
have to comply with the requirements of Sec. 142.604, now consolidated 
into Sec. 162.610, no later than 24 months after the effective date of 
the final rule. (Note, proposed Sec. 142.104, General requirements for 
health plans, is addressed in the final Transactions Rule (65 FR 
50369).)
     Each small health plan would have to comply with the 
requirements of Sec. 142.604, now consolidated into Sec. 162.610, no 
later than 36 months after the effective date of the final rule. (Note, 
proposed Sec. 142.104, General requirements for health plans, is 
addressed in the final Transactions Rule (65 FR 50369).)
     If the Secretary adopts a modification to a standard or 
implementation specification, the implementation date of the 
modification would be no earlier than the 180th day following the 
adoption of the modification. The Secretary would determine the actual 
date, taking into account the time needed to comply due to the nature 
and extent of the modification. The Secretary would be able to extend 
the time for compliance for small health plans.
     We proposed that health care clearinghouses and health 
care providers must begin using the standard specified in Sec. 142.602, 
now Sec. 162.605, no later than 24 months after the effective date of 
the final rule.

III. Comments and Responses Concerning the Proposed Provisions

    All general comments on applicability of the HIPAA standards were 
addressed in the Transactions Rule. These comments will not be repeated 
here.
    There were 61 commenters on the proposed rule. These commenters 
included Federal and State government agencies, private organizations 
(including health plans and health care provider professional 
organizations), and individuals.

A. Employer Identifier Standard

    Comment: Two commenters said there should be no regulation as to 
the use or non-use of the hyphen as part of the format for the EIN. 
Eight commenters stated the hyphen should be omitted when transmitting 
standard transactions. One commenter said it should be omitted on 
standard transactions but used in human-readable formats. One commenter 
stated that the use of a modifier would be beneficial for identifying 
specific State agencies under a single EIN; another commenter 
recommended that the EIN not be used with a modifier. A few commenters 
recommended a check digit be used with the EIN; a larger number of 
commenters recommended a check digit not be used.
    Response: The hyphen is part of the EIN, as it is defined at 26 CFR 
301.7701-12 and assigned by the IRS. The standard transaction formats 
use alphanumeric fields for the EIN. These fields can accommodate the 
EIN with or without the hyphen. The implementation guides for the 
standard transactions are silent on whether the hyphen must be 
transmitted. Most translator software can easily add the hyphen to or 
remove it from the EIN field within standard transactions. In spite of 
the flexibility of the standard transaction formats and the capability 
of translators to handle EINs with and without the hyphen, we believe 
that we should require standardization of the identifier format within 
the standard transactions, in order to promote simplification and 
savings. We further believe that it would be confusing to adopt the EIN 
as the standard unique employer identifier, but then to direct that the 
adopted standard be modified, by removing the hyphen, before use in 
standard transactions. It would be equally confusing to adopt ``the EIN 
minus the hyphen'' as the standard, because this identifier would still 
be referred to informally as the EIN, and it would not be clear when 
the hyphen is needed and when it is not. We believe it is advantageous 
to adopt the EIN exactly as assigned by the IRS. This strategy is 
clearer and more flexible, should the IRS, at some time in the future, 
modify its defined format of the EIN for any reason. We therefore 
require that the EIN as assigned by the IRS be used in the standard 
transactions, which means at present that the hyphen must be 
transmitted as part of the EIN.
    The EIN was selected as a cost-effective choice for the standard 
employer identifier because the IRS is already issuing it and employers 
already have this identifier. The IRS has no

[[Page 38012]]

project initiated at this time to modify the format of the EIN or to 
add a check digit to the EIN.
    The presence of a check digit can help in detection of keying 
errors made in data entry of a number. We could have specified a check 
digit to be used with the IRS-issued EIN. However, we believe that in 
many cases where the EIN is used in standard transactions, it will be 
on file electronically and will not need to be inserted through data 
entry. Therefore, the benefits of a check digit would be modest.
    Modification of the IRS-issued identifier by addition of modifiers 
or a check digit for use in health care transactions would require 
costly additional processes and would negate the benefits of using the 
existing IRS infrastructure; therefore, we do not add modifiers or a 
check digit to the IRS format.
    Comment: Several commenters thought that the EIN was proposed to 
identify health care providers. Some stated that the EIN was not 
specific enough to uniquely identify health care providers. Others 
expressed privacy concerns if the EIN were used to identify health care 
providers.
    Response: The same entity may have multiple roles in health care 
transactions. On May 7, 1998, we proposed that the National Provider 
Identifier, not the EIN, be adopted to uniquely identify health care 
providers (63 FR 25320). The EIN will be used to identify an entity in 
the employer role. For example, a hospital may be both an employer and 
a health care provider. The hospital would use its EIN to identify 
itself when conducting transactions in an employer role, for example, 
making premium payments on behalf of its employees. When making claims 
for health care services furnished, it would use its National Provider 
Identifier.
    Comment: Several commenters thought that the EIN was proposed to 
identify the patient's health plan or insurance coverage. One commenter 
stated one identifier should be used for both payer and employer. One 
commenter stated it would be confusing to use a different identifier 
for employee welfare benefit plans and employers, since such plans are 
sponsored by employers.
    Response: The EIN will be used to identify an entity acting in the 
employer role in standard transactions. It will not identify the 
patient's health plan or insurance coverage. It will not replace the 
group number, account number, policy number, or subscriber number. 
Although it is true that the employee welfare benefit plans are often 
sponsored by employers, the EIN will be used to identify only the 
employer, not the health plan. In a future proposed rule, HHS intends 
to propose a health plan identifier to identify health plans. Employee 
welfare benefit plans would be identified by a health plan identifier.
    Comment: Several commenters supported the choice of the EIN. Two 
commenters stated the EIN did not meet the 10 criteria established for 
selection of a standard under the Act.
    Response: Of the two commenters stating that the EIN did not meet 
the criteria (see 65 FR 50351-50352 for the list of criteria), one 
commenter was not specific about how the EIN did not meet the criteria. 
The second commenter incorrectly believed that the EIN was being 
proposed to identify the insurance coverage of a patient rather than to 
identify an employer in standard transactions.

B. Requirements

    Comment: One commenter stated that we should clarify the meaning of 
the terms ``required'' and ``situational.'' Many commenters stated that 
the usage of the EIN of the employer in health care transactions was 
unclear and requested clarification, i.e., whether the EIN was 
required, situational, etc. One commenter said the EIN of the employer 
should be a situational data element on all electronic data interchange 
(EDI) transactions. Several commenters stated that the EIN should be 
required only on transactions exchanged between an employer and a 
health plan. Several commenters said they needed clarification on which 
transactions would use the EIN.
    Response: As used with respect to a data element in a standard 
transaction, the word ``required'' means that the data element is 
required according to the standard implementation guide for that 
transaction. The word ``situational'' means that the data element or 
choice of a specific code value is required if the data condition 
described in the standard implementation guide occurs. For purposes of 
this rule, if use of the employer identifier is situational and the 
data condition occurs, the EIN is considered to be required.
    The X12N Version 4010 transaction implementation guides are the 
authority for specific information on the use of the EIN to identify 
the employer in X12N transactions. The following summarizes use of the 
EIN to identify the employer in X12N transactions:
     X12N 270/271 Eligibility for a Health Plan--Situational 
(Used to identify the employer as the source of eligibility information 
when the employer maintains that information.) (Note: Although the 
implementation guide does support the use by employers, and the 
information receiver can be identified specifically as an employer, 
employer participation in this transaction is not a HIPAA business 
purpose.)
     X12N 276/277 Health Care Claims Status--Situational (Used 
to identify the employer in worker's compensation claims. This usage 
covers situations where the employer is considered the subscriber for a 
patient when the claim is a result of a work-related injury or illness. 
In this circumstance, the health care provider and health plan are 
using the standard named in the final Transactions Rule although this 
is not required by the Final Rule because one or both are not covered 
entities or this is a business purpose not covered under the final 
Transactions Rule. In most cases, the health care provider will already 
know the EIN because it will have a relationship with the employer for 
worker's compensation cases or because provision of the EIN is required 
by local, State, or other regulation.)
     X12N 820 Health Plan Premium Payments--Situational (Used 
to identify an entity who is an employer as the remitter of the premium 
or as the entity to which the premium payment applies.)
     X12N 834 Enrollment and Disenrollment in a Health Plan--
Required (when used to identify the sponsor of the health plan when the 
sponsor is an employer.) Situational (when used to identify the 
employer of a person covered under a health plan when that employer is 
not the sponsor. The non-sponsor employer is identified only when the 
contract between the sponsor and the health plan requires that the 
sponsor report this information.)
    An employer identifier is not used to identify an entity as an 
employer in the following X12N standard transactions:
     X12N 278 Referral Certification and Authorization
     X12N 835 Health Care Payment and Remittance Advice
     X12N 837 Health Care Claims or Equivalent Encounter 
Information-- Dental
     X12N 837 Health Care Claims or Equivalent Encounter 
Information--Professional
     X12N 837 Health Care Claims or Equivalent Encounter 
Information--Institutional
    The EIN of the employer is optional in the NCPDP retail pharmacy 
transactions. The implementation guides for the NCPDP transaction 
standards are the authorities for specific information on the use of 
the EIN of the

[[Page 38013]]

employer in the NCPDP standard transactions.
    Comment: Many commenters expressed concern that health care 
providers would be required to report the EIN of the patient's or 
subscriber's employer on standard transactions. They requested more 
specific data related to the costs to health care providers of 
reporting these EINs. They noted that health care providers do not 
routinely obtain and patients do not generally know these EINs. Some 
commenters noted that, with the exception of the X12N 834 enrollment 
transaction, the X12N implementation guides specify the employer 
identifier is situational in all occurrences. Health care providers are 
not a party to the X12N 834 and thus would not be required to report a 
patient's employer's EIN. Many commenters therefore recommended that 
all references to the use of employer identifiers by health care 
providers be deleted from the regulation. One commenter noted that 
third party administrators sometimes require health care providers to 
report the employer on eligibility transactions, and that 
subcontracting health care providers in Provider Sponsored 
Organizations sometimes direct eligibility transactions to the 
employer. Some commenters stated that if health care providers were 
required to report or use the EIN of the patient's employer, health 
insurance cards should carry this EIN; otherwise, health cards should 
not carry the EIN.
    Response: Health care providers do not conduct the X12N 834 
enrollment transaction, the only standard transaction where the 
employer identifier is required. In all standard transactions that a 
health care provider might conduct, the employer identifier is either 
not a permitted value or is one of a choice of alternate values. In the 
situations where the employer identifier may be used in a standard 
transaction used by covered entities under HIPAA, the employer 
identifier is used only if the party being identified is an employer 
and its identifier has been given to the health care provider as the 
electronic transaction identifier for the employer as an information 
source in an eligibility transaction. The standard transaction for 
eligibility inquiry and response does not contain data elements for 
identifying the subscriber's employer. We expect that health care 
providers will be able to obtain the EIN from the employer, as is the 
current practice, for the limited cases when an EIN is needed in 
covered standard transactions initiated by the health care provider.
    Comment: Some commenters stated that employers may not want to 
disclose their EINs and requested that the final rule explicitly state 
the penalties for an employer that does not disclose its EIN. Some were 
concerned that the EIN may not be accessible to parties needing the EIN 
for health care transactions. One commenter said that because of 
administrative costs, employers will not want to provide their EINs. 
Another commenter stated that employers would be so overwhelmed by 
requests for their EINs that they would place them on everything to 
limit staff time required for answering these requests.
    Response: These concerns were generated because commenters 
incorrectly thought that EINs would be required in transactions 
initiated by health care providers or others who would not know the 
EIN. Although identification of the subscriber's employer was part of 
the data content of the institutional health care claim transaction in 
the proposed Transactions Rule, that data element was removed from the 
institutional health care claim transaction that was adopted by the 
final Transactions Rule. In fact, the EIN will be used, for the most 
part, in transactions initiated by the employer itself. The EIN is 
required for the enrollment in a health plan standard transaction, 
which is usually initiated by employers (which are not covered 
entities). In other transactions, such as the eligibility for a health 
plan transaction, the employer identifier only occurs in conjunction 
with the use of the standard transaction between one or more 
organizations who are noncovered entities under HIPAA, or as one of the 
possible choices of identifiers for the employer. In the eligibility 
for a health plan transaction, the employer identifier can be used as 
one of the permitted identifiers for the employer as the source or 
receiver of eligibility information. Thus, when a health care provider 
is initiating the eligibility for a health plan transaction to an 
employer, in the process of determining the proper electronic routing 
identifiers and other electronic identifiers, the health care provider 
has the opportunity to obtain an EIN if required by the employer as its 
electronic routing or other electronic identifier. We believe that use 
of the EIN will not generally create compliance problems for covered 
entities.
    We had proposed to require each employer to disclose its EIN, upon 
request, to any covered entity that needed to use that employer's EIN 
in a standard transaction. This requirement is not adopted in this 
final rule because employers are not covered entities under the 
Administrative Simplification provisions of HIPAA. However, we believe 
that employers will have a strong incentive to continue the common 
business practice of providing their EINs voluntarily in those rare 
cases where it is not already known in order to maintain or improve the 
efficiency of administrative processes.
    Comment: Many commenters thought that the EIN of the patient's 
employer or of the patient would be required in health care claim and 
encounter transactions. These commenters stated that use of the EIN in 
these transactions is an invasion of privacy, both personal and 
medical. Several commenters stated that implementation of a national 
standard employer identifier will permit unwarranted Federal monitoring 
of patient care and linking of medical records through employers. They 
stated that the possibility of Federal monitoring and linking of 
medical records will create barriers of distrust between doctors and 
patients and between employers and employees. They stated use of the 
EIN will eventually lead to a numbering system on citizens that will 
make it easier to track citizens from one employer to another, build 
citizen profiles, or discriminate against citizens based upon health 
status. One commenter thought that the use of the EIN would result in 
the collection of centralized medical records and had potential for 
abuse. Several commenters stated this regulation was an improper role 
of government. Several commenters said they would like to shelve the 
proposed rule, while others said there should be a nationally 
publicized hearing or that the use of the EIN should go to a public 
vote and not be decided by the government. Several commenters were 
concerned about the security of medical records stored in central 
computer locations. One commenter supported a ``Patients' Bill of 
Rights'' with enforcement through the court systems. One commenter 
requested clarification of penalties for patients who refuse to give 
the names or EINs of their employers. One commenter said that States 
should not be required to give employers access to benefit information. 
This commenter stated this would be unacceptable, based on 
confidentiality and administrative burden.
    Response: Many commenters misunderstood the proposed application of 
the employer identifier. The inclusion of the employer identifier is 
optional in the NCPDP retail pharmacy claim. The employer identifier is 
not used at all to identify an entity as an employer in the X12N 
standard health care claim or equivalent encounter information 
transactions. It is used

[[Page 38014]]

primarily to identify employers that are sending or receiving 
transactions for enrollment in a health plan or payment of premiums. 
Those transactions do not carry information about the treatment of 
individuals. We do not believe the employer identifier will facilitate 
federal monitoring of patient care, collection of central medical 
records, or tracking of citizens. We do not believe it will lead to 
barriers of distrust between doctors and patients, or between employers 
and employees. HHS proposed standards for security of health 
information, including medical records, in a proposed rule (63 FR 
43242) published on August 12, 1998. HHS also adopted standards for 
privacy of individually identifiable health information in the Privacy 
Rule (65 FR 82462) published December 28, 2000. We do not require 
patients to give the EIN of their employers to anyone or require States 
to give employers access to benefit information.
    Comment: One commenter recommended the revision of Secs. 142.604 
and 142.608 as follows: ``Each health plan/health care provider must 
accept and transmit the national employer identifier of any employer 
that must be identified in any standard transaction.'' One commenter 
stated that Sec. 142.606 should be deleted since clearinghouses do not 
collect, validate, or supply data elements to the transaction.
    Response: We agree that Secs. 142.604 and 142.608 should be revised 
for clarity. We do not agree that Sec. 142.606 should be deleted 
because health care clearinghouses are covered entities and are 
required to use the standards, but we made a similar revision as that 
made to Secs. 142.604 and 142.608. These revisions are reflected in 
Sec. 162.610.

C. Implementation Concerns

    Comment: One commenter recommended HHS notify employers of this 
proposal for national use of EINs.
    Response: Employers are not covered entities, and this rule places 
no requirements upon them. In many cases, employers already use the EIN 
to identify themselves in standard transactions. Use of the EIN by 
employers in standard transactions will continue to be voluntary. While 
employers are not covered entities under this rule, health plans are 
free, as part of their business arrangements with employers, to require 
employers to use the standard transactions and to provide their EINs 
for this purpose. We have provided public notice of this proposal by 
publication of the proposed rule in the Federal Register on June 16, 
1998 (63 FR 32784) and by publication of this final rule in the Federal 
Register.
    Comment: Several commenters requested clarification of the employer 
enumeration process and how information in the employer identifier 
system would be maintained. They also stated that timely and accurate 
updates to this system are critical to accurate public health data 
collection efforts. One commenter wanted confirmation that the plans 
for authenticating prior to the IRS's issuance of an EIN would remain 
the same as today. It was suggested that one or more centers be 
established to answer questions about the employer identifier and 
redirect questions to the IRS or other Departments.
    Response: The IRS maintains the EIN enumeration system and 
database, and makes information on the EIN available through its web 
site at http://www.irs.ustreas.gov/. The IRS authentication, 
enumeration and update processes and the IRS enumeration system will 
not be changed as a result of this regulation. The IRS answers 
questions about the EIN through its web site. HHS answers questions 
about the Administrative Simplification regulations through its web 
site at http://aspe.hhs.gov/admnsimp.
    Comment: One commenter asked whether the EIN is always the same as 
the taxpayer identifying number.
    Response: The taxpayer identifying number may be an EIN, a Social 
Security Number, or an IRS individual taxpayer identification number. 
The IRS, at 26 CFR 301.7701-12, defines the Employer Identification 
Number as ``the taxpayer identifying number of an individual or other 
person (whether or not an employer) which is assigned pursuant to 
section 6011(b) or corresponding provisions of prior law, or pursuant 
to section 6109, and in which nine digits are separated by a hyphen, as 
follows: 00-0000000.''
    Comment: A commenter wanted to know the IRS policy on reusing an 
EIN.
    Response: Currently, the IRS does not reuse EINs; that is, it does 
not assign a previously used EIN to a new applicant for an EIN. IRS 
Publication Number 1635, ``Understanding Your EIN, Employer 
Identification Numbers,'' includes information on business and 
corporate changes that would allow continued use of an organization's 
EIN or would require issuance of a new EIN. This publication can be 
ordered by calling (800) 829-3676 or can be downloaded from the IRS web 
site at http://www.irs.ustreas.gov/plain/bus_info/pub1635.html.
    Comment: Several commenters recommended the use of an online EIN 
database and suggested an IRS directory be established. Several 
commenters recommended use of a standards-based directory schema. 
Another stated it would be necessary to have a directory only if 
transactions other than the X12N 834 Health Care Benefit Enrollment 
were to require use of the EIN. This commenter stated the X12N 834 
transaction would not require a directory since it is initiated by 
employers.
    Response: For the most part, the EIN will be used in HIPAA 
transactions initiated by the employer. The employer will know its own 
EIN; therefore, an on-line public directory will not be necessary. In 
the few cases where a standard transaction that requires an employer's 
identifier is initiated by an entity other than the employer, we expect 
that the entity will obtain the EIN from the employer, as is the 
current practice.
    Comment: A concern was raised by one commenter about the length of 
time it would take to receive an EIN and how both Medicare and Medicaid 
claims would be paid if the employer did not have an EIN. One commenter 
said that the proposed rule makes electronic transmissions impossible 
for any employer that lacks an EIN or refuses to disclose its EIN. Two 
commenters suggested that the IRS determine those employers that do not 
already have EINs and that HHS require those named by the IRS to obtain 
EINs. Another commenter suggested that instructions be made available 
on what to do if an employer does not have an EIN. One commenter stated 
that employers utilizing Social Security Numbers for tax reporting 
purposes should be required to apply for EINs.
    Response: Many of these concerns were based on an incorrect belief 
that the patient's employer's EIN would be required in standard claim 
transactions. Actually, the patient's employer's EIN is not included in 
the X12N standard claim transactions and is optional in the NCPDP 
retail pharmacy claim. We know of no situation where an employer 
identifier would be required in a standard transaction and the employer 
would not have an EIN. The employer identifier is used in standard 
transactions to identify the employer of employees who are subjects in 
the transaction. Any business that pays wages to one or more employees 
is required to have an EIN as its taxpayer identifying number. A sole 
proprietor who has no employees or who files no excise or pension tax 
return is the only business person who is not required to obtain an 
EIN; a sole proprietor with no employees would not need to be 
identified as an employer in standard transactions. The IRS 
publication,

[[Page 38015]]

``Understanding Your EIN, Employer Identification Numbers,'' 
Publication 1635, states that the IRS generally assigns an EIN within 
4-5 weeks of receiving an application by mail or assigns an EIN 
immediately via the tele-TIN telephone process. For the telephone 
number in each state, see the ``Where to Apply'' section in Publication 
1635. Publication 1635 can be downloaded from the IRS web site at 
http://www.irs.ustreas.gov/plain/bus_info/pub1635.html or can be 
ordered by calling (800) 829-3676.
    Comment: One Medicaid State agency requested clarification on 
whether Medicaid State agencies would use the EIN when making health 
plan premium payments or when making capitation payments to managed 
care plans. Other commenters had concerns of how health plan sponsors 
that are not employers would be identified in standard transactions. 
One commenter requested that the description on how to obtain an EIN 
(63 FR 32793) be expanded to include those non-employer entities that 
will need an identifier for HIPAA transactions.
    Response: HIPAA requires that the Secretary adopt a standard unique 
health identifier for each individual, employer, health plan, and 
health care provider for use in the health care system. If the Medicaid 
State agency is making premium payments or capitation payments as an 
employer on behalf of its own employees, it would use its EIN. The law 
does not provide for adoption of a standard identifier for health plan 
sponsors that are not employers but that may enroll or make premium 
payments on behalf of other persons. We recognize that in some 
situations, the EIN is used to identify health plan sponsors that are 
not employers. This practice will not be affected by this final rule.
    Comment: One commenter asked how foreign employers would be 
identified in standard transactions.
    Response: Foreign employers are treated the same as all other 
employers under this rule. In this rule, we have intentionally adopted 
a definition of ``employer'' that is identical to the definition used 
by the Internal Revenue Service in 26 U.S.C. 3401(d). This definition 
covers foreign employers who pay wages to employees for whom tax 
withholding is required by the IRS. For purposes of this rule, it is 
important that any employer that enrolls or disenrolls employees in a 
health plan or that makes premium payments on behalf of employees to a 
health plan be able to be identified by the standard employer 
identifier. Since any business that pays wages to one or more employees 
is required to obtain an EIN as its taxpayer identifying number, we 
know of no employer that would not be able to be identified by an EIN 
when enrolling or disenrolling employees in a health plan or making 
premium payments on behalf of employees to a health plan.
    Comment: In the proposed rule (63 FR 32793) we noted that some 
employer organizations have more than one EIN. We asked for comment on 
whether one EIN should be used consistently in health care 
transactions. One commenter noted that in some cases employer 
organizations with multiple EINs may be doing business with multiple 
health plans and using a different EIN with each plan, resulting in 
coordination of benefits problems. Several commenters recommended that 
specific guidelines be defined for using a single EIN across the board 
in health-related transactions. Several commenters stated that the use 
of multiple EINs would not be a problem. Several commenters made 
suggestions on which EIN should be designated for use in health care 
transactions, for example, the one that appears on the IRS Form W-2, 
Wage and Tax Statement, of the employee that is a subject of the 
transaction, the one that identifies the employee's employment address, 
or the one with the lowest numeric value. Some commenters noted that 
the intended purpose of the employer identifier is to identify the 
employer and that the employer should decide which EIN to use. Several 
commenters suggested that an IRS publication include information on IRS 
protocols for multiple EINs. Two commenters requested information about 
the IRS maintenance of EINs when corporate changes such as mergers 
occur.
    Response: When a business entity is a consolidated group consisting 
of several corporations, each corporation may be separately identified 
for certain Federal tax reporting purposes, and may have its own EIN. 
The consolidated group may also have an EIN, under which it files a 
consolidated income tax return. For any relationship of an employer to 
an employee of that employer, only one unique EIN designates the 
employer. The standard unique employer identifier of an employer of a 
particular employee is the EIN that appears on that employee's IRS Form 
W-2, Wage and Tax Statement, from the employer.
    The IRS regulations at 26 CFR 301.7701 contain definitions of 
entities that may be identified for Federal tax purposes. The 
instructions accompanying IRS Form SS-4, ``Application for Employer 
Identification Number,'' detail the kinds of entities that must have 
EINs and the situations that require an entity to obtain a new EIN. IRS 
publication 1635, ``Understanding Your EIN, Employer Identification 
Numbers,'' gives further information on business or corporate changes 
that do and do not require an entity to obtain a new EIN. IRS 
publications can be downloaded from the IRS web site at http://www.irs.ustreas.gov/plain/forms_pubs/index.html or ordered by calling 
(800) 829-3676.
    Comment: One commenter was concerned about possibly conflicting 
Federal and State regulations for use of the EIN.
    Response: This commenter did not note any particular conflicts in 
use of the EIN and we are not aware of any conflicts. Section 1178 of 
the Act discusses the effect of the Administrative Simplification 
provisions on State law. The general rule is that the standards adopted 
under the Act supersede any contrary provision of State law. For a more 
detailed discussion of the statutory preemption provisions and the 
regulatory implementation of those provisions, see 65 FR 82480 through 
82481 and 65 FR 82579 through 82588.

D. Approved Uses

    Comment: One commenter stated that the regulations should not 
require the EIN on ``past'' health information. Another commenter 
expressed concern over the lack of guidelines and controls in 
dissemination and use of EINs for health care purposes. These 
commenters said that the regulation should clearly define the approved 
uses and cross-refer to penalties for misuse.
    Response: This regulation does not require use of the EIN in 
transactions conducted before the compliance date. HHS intends to 
publish a proposed rule concerning enforcement of the HIPAA standards. 
Civil penalties for failure to comply with requirements and standards 
are covered in Section 1176 of the Act. Criminal penalties for misuse 
of an employer identifier are covered in Section 1177 of the Act.
    Comment: One commenter questioned if the EIN would replace the 
United Business Identifier used in non-health transactions. Another 
asked if the EIN would replace other employer identifiers, or be used 
in addition to them.
    Response: This rule does not address non-health care transactions. 
We cannot speak to the issue of what will happen in such transactions. 
The EIN is the only employer identifier in standard transactions.

[[Page 38016]]

    Comment: Some commenters were concerned that employers would not 
want to use their EINs because of privacy issues. One commenter stated 
that effective security and confidentiality measures should protect the 
EIN. Three commenters stated that health data organizations and public 
policy researchers should have access to the EIN for public health 
surveillance. They wanted this access to be clarified.
    Response: The confidentiality of the EIN is protected under the 
Internal Revenue Code. Section 26 U.S.C. Sec. 6103 provides that, 
generally, taxpayer return information, including taxpayer identity 
(which includes a taxpayer identifying number), must be kept 
confidential and may not be disclosed by, among others, federal 
officers or employees, except as permitted by Title 26.
    In this rule we make no changes to the existing access that health 
data organizations and public policy researchers have to the EIN. 
Health data organizations and researchers desiring access to data from 
a Federal system of records that contains the EIN should address their 
requests to the Freedom of Information Act official in the agency 
responsible for the system.

E. The Specific Impact of the Employer Identifier

    Comment: One commenter stated that the cost to implement the EIN 
would add to premiums paid by individuals and their families. Several 
commenters said the expense and resources to implement this identifier 
are greater than estimated. One commenter stated that more specific 
data related to the exact costs to health care providers should be made 
available for public comment prior to publication of the final rule.
    Response: Those concerned with the cost of the identifier consisted 
primarily of commenters that incorrectly thought that health care 
providers would be required to use the EIN on health care claims. As 
noted in our previous responses, the EIN will be used primarily by 
employers on transactions they initiate; therefore, we do not expect 
the costs to be higher than those estimated in the proposed rule. When 
the employer identifier is used in standard transactions initiated by 
entities other than the employer, we expect that these entities will 
obtain the EIN from the employer, as is the current practice.

IV. Provisions of Final Rule

    We are implementing the employer identifier standard, which we now 
refer to as the standard unique employer identifier, as we proposed in 
the proposed rule, incorporating minor revisions. Any revisions are 
noted in Section VI (Summary of Changes to the Proposed Rule).

V. Implementation of the Standard Unique Employer Identifier

A. Obtaining an EIN

    The Internal Revenue Service (IRS) maintains the process for 
assigning EINs. A business can obtain an EIN by submitting, to the 
Internal Revenue Service, Internal Revenue Service Form SS-4, 
Application for Employer Identification Number. Any business that is 
required to furnish a taxpayer identification number (generally one 
that pays wages to one or more employees) must use an EIN as its 
taxpayer identifying number. (26 CFR 301.6109-1(a)(1)(ii)(C)). A sole 
proprietor who has no employees or who files no excise or pension tax 
returns is the only business person who does not need to have an EIN as 
the taxpayer identifying number. We know of no situations where an 
employer having employees would not be able to obtain an EIN. The EIN 
is currently the employer identifier in most widespread use in the 
enrollment and disenrollment in a health plan, the eligibility for a 
health plan, and the health plan premium payment transactions. 
Employers are not required by the Act to use the EIN or conduct 
standard transactions. However, we believe that many employers will 
find that it will be to their advantage to do so.

B. Approved Uses

    The IRS, in a letter to us dated January 16, 1998, stated that 
``the use of the EIN as a unique identifying number in all health care 
transactions would not present a problem for the (Internal Revenue) 
Service in any way.'' The IRS further expressed the ``hope that the use 
of the EIN in this capacity will bring about the consistency and 
accuracy that are required for these types of transactions.'' Two years 
after adoption of this standard (3 years for small health plans) 
covered entities must use the EIN as the employer identifier in the 
health-related financial and administrative transactions for which 
standards have been adopted by the Secretary under 45 CFR Subchapter C 
that require an employer identifier. We note that employers that are 
not health plans, health care clearinghouses, or health care providers 
are not bound by the Act, and use of the EIN by employers to identify 
themselves in the employer role is voluntary.
    Examples of approved uses in standard health care transactions are 
the following:
     Employers could use their EINs to identify themselves in 
transactions making health plan premium payments to health plans on 
behalf of their employees.
     Employers could use the EIN to identify themselves or 
other employers as the source or receiver of information about 
eligibility.
     Employers could use their EINs to identify themselves in 
transactions to enroll or disenroll their employees in a health plan.

VI. Summary of Changes to the Proposed Rule

    We changed the title of this regulation from National Standard 
Employer Identifier to Standard Unique Employer Identifier to 
accurately reflect the requirement under the Act for the Secretary to 
adopt a standard unique health identifier for each employer for use in 
the health care system.
    We deleted the formatting description from the definition of EIN. 
We continue to define EIN as the employer identification number as 
assigned by the IRS.
    We clarified that our definition of employer is as it appears in 26 
U.S.C. 3401(d).
    We removed the requirement for each employer to disclose its EIN, 
upon request, to covered entities that need to use that employer's EIN 
in standard transactions.
    We consolidated the requirements for health care providers, health 
plans, and health care clearinghouses in Sec. 162.610.

VII. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
required to provide a 30-day notice in the Federal Register and solicit 
public comment on a collection of information requirement submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the PRA requires that we 
solicit comment on the following issues:
     Whether the information collection is necessary and useful 
to carry out the proper functions of the agency.
     The accuracy of the agency's estimate of the information 
collection burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the

[[Page 38017]]

affected public, including automated collection techniques.
    We are soliciting public comment on each of these issues for the 
following section of this document that contains information collection 
requirements.

Subpart F--Standard Unique Employer Identifier

Sec. 162.610  Requirements for covered entities

Discussion
    While this standard would replace the use of multiple identifiers, 
resulting in a reduction of burden, the requirement to use and disclose 
information using this standard meets the definition of an agency-
sponsored third-party disclosure under the Paperwork Reduction Act of 
1995 (PRA). However, the burden associated with the routine or ongoing 
use of this requirement is excluded under the definition of ``burden'' 
at 5 CFR 1320.3(b)(2). Health care clearinghouses do not normally 
obtain or use the EIN except to reformat it as part of translating one 
transaction format to another. Adoption of the EIN does not require any 
changes to the way health care clearinghouses process employer 
identifiers. Thus, the cost of this regulation for health care 
clearinghouses is negligible.
    As explained earlier in this document in section III. Comments and 
Responses Concerning the Proposed Provisions, health care providers do 
not conduct the only standard transaction in which the employer 
identifier is a required data element. In standard transactions that 
include the employer identifier and which may be conducted by a health 
care provider, the employer identifier use is situational. In such 
transactions, if the employer identifier is not known by the health 
care provider, the health care provider does not have to furnish it. 
The cost of this regulation for health care providers, therefore, is 
negligible.
    The remaining burden associated with this requirement, which is 
subject to the PRA, is the initial one-time burden on health plans and 
covered health care providers to modify their current computer systems.
    In most cases where a health plan would need to use an employer 
identifier, the health plan would have received the identifier on an 
incoming transaction from the employer. We estimate the one-time burden 
over a 3-year period on the estimated 2.55 million health plans to 
modify their current computer systems software would be 2 hours/$60 per 
entity, for a total burden of 5.1 million hours/$153 million. The 
maximum annual burden would be 5.1 million hours divided by 3, or 1.7 
million hours, and $153 million divided by 3, or $51 million. These 
figures are based on the assumption that this and the other burden 
calculations associated with HIPAA, Title II systems modifications, may 
overlap. This average also takes into consideration that: (1) this 
standard may already be in use by several of the estimated entities; 
(2) modifications may be performed in an aggregate manner during the 
course of routine business and/or; (3) modifications may be made by 
contractors such as practice management vendors, in a single effort for 
a multitude of affected entities.
    As required by section 3504(h) of the Paperwork Reduction Act of 
1995, we have submitted a copy of this document to the Office of 
Management and Budget (OMB) for its review of these information 
collection requirements.

Centers for Medicare & Medicaid Services, Office of Information 
Services, DCES, SSG, Attn: John Burke, Room N2-14-26, 7500 Security 
Boulevard, Baltimore, MD 21244-1850; ATTN: CMS 0047-F

      and

Office of Information and Regulatory Affairs, Office of Management and 
Budget, Room 10235, New Executive Office Building, Washington, DC 
20503, Attn: Brenda Aguilar, CMS Desk Officer

VIII. Final Impact Analysis of the Employer Identifier

    We have examined the impacts of this rule as required by Executive 
Order 12866 (September 1993, Regulatory Planning and Review), the 
Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-354), 
section 1102(b) of the Social Security Act, the Unfunded Mandates 
Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132. 
Executive Order 12866 directs agencies to assess all costs and benefits 
of available regulatory alternatives and, if regulation is necessary, 
to select regulatory approaches that maximize net benefits (including 
potential economic, environmental, public health and safety effects, 
distributive impacts, and equity). A regulatory impact analysis (RIA) 
must be prepared for major rules with economically significant effects 
($100 million or more in any 1 year). We estimate the total maximum 
annual costs for all health plans to modify their computer systems 
software to implement the employer identifier standard to be $51 
million per year, for 3 years. Therefore, we do not believe that this 
rule is a major rule under Executive Order 12866 or 5 U.S.C. 804(2).
    Section 1102(b) of the Act requires us to prepare a regulatory 
impact analysis if a rule may have a significant impact on the 
operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of section 604 of the RFA. For 
purposes of section 1102(b) of the Act, we define a small rural 
hospital as a hospital that is located outside of a Metropolitan 
Statistical Area and has fewer than 100 beds. We have determined that 
this final rule will not have a significant impact on the operations of 
a substantial number of small rural hospitals.
    We note that the costs and savings for the administrative 
simplification standards were presented in the final Transactions Rule 
(65 FR 50350). Due to a lack of data that would permit an analysis of 
each individual standard, the Department chose to analyze the impact of 
all of the standards in total, with the exception of the privacy 
standards. As the effect of any one standard is affected by the 
implementation of other standards, it can be misleading to discuss the 
impact of one standard by itself. Therefore, we have done an impact 
analysis on the total effect of all the standards in the final 
Transactions Rule (65 FR 50350). This employer identifier rule is 
expected to represent a minor portion of the costs or savings expected 
from the administrative simplification standards, because of the 
voluntary nature of the use of this identifier by employers and the 
limited use of an employer identifier in standard transactions 
conducted by covered entities.

A. Unfunded Mandates

    This final rule has been reviewed in accordance with the Unfunded 
Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1501 et seq.) and 
Executive Order 12866. Section 202 of UMRA requires that agencies 
assess anticipated costs and benefits before issuing any rule that may 
result in expenditure in any 1 year by State, local, or tribal 
governments, in the aggregate, or by the private sector, of $110 
million. As discussed in the combined impact analysis published at 65 
FR 50350, HHS estimates that implementation of the administrative 
simplification standards overall will require the expenditure of more 
than $110 million by the private sector. However, we do not believe the 
implementation of the employer identifier standard to be a significant 
regulatory action under UMRA.

B. Regulatory Flexibility Analysis

    The Regulatory Flexibility Act (RFA) of 1980, Pub. L. 96-354, 
requires us to prepare a regulatory flexibility analysis

[[Page 38018]]

if the Secretary certifies that a regulation would have a significant 
economic impact on a substantial number of small entities. On November 
17, 2000, the Small Business Administration (SBA) published a final 
rule (65 FR 69432) changing the small business size standards for the 
health care industry. This SBA final rule became effective December 18, 
2000. The size standards that the SBA now uses are those defined by the 
North American Industry Classification System. Prior to that, the SBA 
used size standards as defined by the Standard Industrial Codes. The 
size standard is no longer a uniform $5 million in annual revenues for 
all components in the health care sector. Rather, the size standard now 
ranges from $6 million to $29 million. The regulatory flexibility 
analysis for the employer identifier is linked to the aggregate 
regulatory flexibility analysis for all the administrative 
simplification standards that appeared in the final Transactions Rule 
published on August 17, 2000, which predated the SBA change. It is 
appropriate, for the purposes of this rule, to continue to use the $5 
million small business size standard that was in effect at the time of 
publication of the final Transactions Rule. Nonprofit organizations are 
considered small entities. Small government jurisdictions with a 
population of less than 50,000 people are also considered small 
entities. Individuals and States are not considered small entities.
    We do not believe that this regulation will have a significant 
economic impact on a substantial number of small entities. The EIN is 
already one of the identifiers most frequently used to identify the 
employer in electronic health care transactions. Most clearinghouses, 
including small clearinghouses, already have the ability to accept and 
transmit the EIN when an employer identifier is required. Many health 
plans and health care providers already use the EIN to identify the 
employer in any transactions that require an employer identifier. Their 
current practice is to obtain the EIN from the employer, if they are 
the initiator of the transaction and they do not already know the EIN. 
We believe these entities will incur few conversion costs as a result 
of this regulation. There are few situations when an employer 
identifier is required in standard transactions initiated by health 
plans and no such situations for those initiated by health care 
providers. Converting from other employer identifiers to the EIN 
primarily involves the database administration task of substituting one 
record identifier for another in a limited number of records, which is 
not a costly activity. Therefore, we believe this regulation will not 
impose a significant economic impact on small health plans or small 
health care providers that convert their systems to use the EIN to 
identify the employer in those few situations. As stated in the 
Collection of Information Requirements section in this rule, we 
estimate the total maximum annual costs for all health plans to modify 
their computer systems software to be $51 million per year, for 3 
years. Employers are not bound by the Act to use the standards; 
therefore, any use of the EIN by employers will be voluntary. Most of 
the use of the employer identifier in transactions will be voluntary 
use by employers in transactions they initiate. Therefore, we believe 
this regulation will not impose a significant economic impact on small 
employers.

C. Executive Order 12866

    In accordance with the provisions of Executive Order 12866, this 
final rule was reviewed by the Office of Management and Budget.
    This portion of the impact analysis relates specifically to the 
standard that is the subject of this regulation--the employer 
identifier. This section describes specific impacts that relate to the 
employer identifier. As we indicated in the introduction to this impact 
analysis, however, we do not associate the specific costs and savings 
to the specific standards.
1. Affected Entities
a. Health Care Providers
    In all standard transactions conducted by the health care provider, 
the employer identifier is not used or is situational. The employer 
identifier is used only if the data condition described in the 
implementation guide occurs. In the instances when an EIN could be used 
by a health care provider, the EIN is situationally required only if 
the entity being identified is an employer and the identifier is known 
to the health care provider. We expect health care providers will 
obtain the EIN from the employer in these limited cases. However, if 
the health care provider cannot obtain the EIN, then the data condition 
has not been met and its use is not required. There are no situations 
in which an employer identifier is required in a standard transaction 
initiated by a health care provider. Any negative impact on health care 
providers generally will be related to the initial implementation 
period for health care providers that currently use an identifier other 
than the EIN to identify the employer in electronic health 
transactions. Those health care providers will incur implementation 
costs for converting systems from use of other employer identifiers to 
use of the EIN. Some health care providers will incur those costs 
directly and others will incur them in the form of fee increases from 
billing agents and health care clearinghouses.
b. Health Plans
    Health plans that engage in electronic commerce will have to modify 
their systems to use the EIN if they do not currently use the EIN to 
identify the employer in standard electronic health transactions that 
require an employer identifier. In most cases, health plans currently 
obtain and use the EIN of the employer in those standard transactions 
that require an employer identifier. Health plans currently using an 
employer identifier other than the EIN will have a one-time cost 
impact. We estimate the total maximum cost for all health plans to be 
$51 million per year, over 3 years, to make these systems 
modifications.
c. Health Care Clearinghouses
    Health care clearinghouses will have to modify their systems to use 
the EIN if they do not currently use the EIN to identify the employer 
in standard electronic health transactions that require an employer 
identifier. In most cases, health care clearinghouses currently use the 
EIN of the employer in those standard transactions that require an 
employer identifier. Health care clearinghouses currently using an 
employer identifier other than the EIN will have a one-time cost 
impact.
2. Effects of Various Options
a. Guiding Principles for Standard Selection
    The implementation teams charged with designating standards under 
the statute have defined, with significant input from the health care 
industry, a set of common criteria for evaluating potential standards 
(see 65 FR 50351-50352). These criteria are based on direct 
specifications in HIPAA, the purpose of the law, and principles that 
support the regulatory philosophy set forth in Executive Order 12866 of 
September 30, 1993, and the Paperwork Reduction Act of 1995.
    We assessed the various options for an employer identifier against 
those criteria with the overall goal of achieving the maximum benefit 
for the least cost. We found that the EIN met all the criteria. No 
other alternative employer identifier is in widespread

[[Page 38019]]

use. No other alternative met a majority of the criteria, especially 
those supporting the regulatory goal of cost-effectiveness. We assessed 
the costs and benefits of the EIN, but we did not assess the costs and 
benefits of other identifier options, because they did not meet the 
criteria.
b. Need To Convert
    All covered health care providers, health plans, and health care 
clearinghouses that do not currently use the EIN to identify the 
employer in electronic health transactions that require an employer 
identifier would have to convert. Because the EIN is currently in 
widespread use as an employer identifier throughout the industry, 
adopting the EIN would not require conversion for most health care 
providers, health plans or health care clearinghouses. The selection of 
the EIN imposes a far smaller burden on the industry than any 
nonselected option and presents significant advantages in terms of 
cost-effectiveness, universality, and flexibility.
c. Complexity of Conversion
    The first two digits of the EIN reflect the issuing Internal 
Revenue district. However, the EIN does not rely significantly on 
embedded intelligence (coded information that is part of the 
identifier) to identify the specific employer. For those health care 
providers, health plans, and health care clearinghouses that must 
convert to use the EIN, the complexity of the conversion would be 
significantly affected by the degree to which their processing systems 
currently rely on employer identifiers that contain embedded 
intelligence. Converting from one identifier that contains no embedded 
intelligence to another is less complex than modifying software logic 
to obtain needed information from other data elements. However, the use 
of an identifier that does not contain embedded intelligence meets the 
guiding principle of assuring flexibility.
    In general, the shorter the identifier, the easier it is to 
implement. It is more likely that a shorter identifier, such as the 
EIN, would fit into existing data formats.
    The selection of the EIN does not impose a greater burden on the 
industry in terms of the complexity of conversion than the nonselected 
options.
    Executive Order 13132 of August 4, 1999, Federalism, published in 
the Federal Register on August 10, 1999 (64 FR 43255) requires us to 
ensure meaningful and timely input by State and local officials in the 
development of rules that have Federalism implications. Although the 
proposed rule (63 FR 32784) was published before the enactment of this 
Executive Order, the Department consulted with State and local 
officials as part of an outreach program early in the process of 
developing the proposed regulation. The Department received comments on 
the proposed rule from State agencies and from entities who conduct 
transactions with State agencies. Many of the comments referred to the 
costs incurred by State and local governments that will result from 
implementation of the HIPAA standards. We assume that government 
entities will have these costs offset by future savings, consistent 
with our projections for the private sector (see the combined impact 
analysis (65 FR 50350)). A Congressional Budget Office analysis made 
the following points: States are already in the forefront of 
administering the Medicaid program electronically, Medicaid State 
agencies can compensate (for these costs) by reducing other 
expenditures, and the Federal Government pays a portion of the cost of 
converting State Medicaid Management Information Systems.
    Other comments regarding States expressed the need for 
clarification as to when State agencies were subject to the standards. 
Responses to comments from States and State organizations regarding the 
employer identifier standard are found elsewhere in this preamble.
    In complying with the requirements of part C of title XI, the 
Secretary established interdepartmental implementation teams that 
consulted with appropriate State and Federal agencies and private 
organizations. These external groups consisted of the NCVHS' 
Subcommittee on Standards and Security, the Workgroup for Electronic 
Data Interchange (WEDI), the National Uniform Claim Committee (NUCC), 
the National Uniform Billing Committee (NUBC) and the American Dental 
Association (ADA). The teams also received comments on the proposed 
regulation from a variety of organizations, including State Medicaid 
agencies and other Federal agencies.

List of Subjects

45 CFR Part 160

    Electronic transactions, Health, Health care, Health facilities, 
Health insurance, Health records, Medicaid, Medical research, Medicare, 
Reporting and recordkeeping requirements.

45 CFR Part 162

    Administrative practice and procedure, Electronic transactions, 
Health facilities, Health insurance, Hospitals, Incorporation by 
reference, Medicaid, Medicare, Reporting and recordkeeping 
requirements.

    For the reasons stated in the preamble of this final rule, 45 CFR 
subchapter C is amended to read as follows:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

    A. Part 160 is amended as follows:
    1. The authority citation for part 160 continues to read as 
follows:

    Authority: Secs. 1171 through 1179 of the Social Security Act 
(42 U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191, 
110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 
2033-2034 (42 U.S.C. 1320d-2 (note)).

    2. Section 160.103 is amended by republishing the introductory text 
and adding the definitions of ``EIN'' and ``Employer'' in alphabetical 
order to read as follows:


Sec. 160.103  Definitions.

    Except as otherwise provided, the following definitions apply to 
this subchapter:
* * * * *
    EIN stands for the employer identification number assigned by the 
Internal Revenue Service, U.S. Department of the Treasury. The EIN is 
the taxpayer identifying number of an individual or other entity 
(whether or not an employer) assigned under one of the following:
    (1) 26 U.S.C. 6011(b), which is the portion of the Internal Revenue 
Code dealing with identifying the taxpayer in tax returns and 
statements, or corresponding provisions of prior law.
    (2) 26 U.S.C. 6109, which is the portion of the Internal Revenue 
Code dealing with identifying numbers in tax returns, statements, and 
other required documents.
    Employer is defined as it is in 26 U.S.C. 3401(d).
* * * * *

PART 162--ADMINISTRATIVE REQUIREMENTS

    B. Part 162 is amended as follows:
    1. The authority citation for part 162 continues to read as 
follows:

    Authority: Secs. 1171 through 1179 of the Social Security Act 
(42 U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191, 
110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 
2033-2034 (42 U.S.C. 1320d-2 (note)).

Subparts B Through E--[Reserved]

    2. Subparts B through E are reserved.

[[Page 38020]]


    3. A new subpart F, consisting of Secs. 162.600, 162.605 and 
162.610, is added to read as follows:
Subpart F--Standard Unique Employer Identifier
Sec.
162.600  Compliance dates of the implementation of the standard 
unique employer identifier.
162.605  Standard unique employer identifier.
162.610  Implementation specifications for covered entities.

Subpart F--Standard Unique Employer Identifier


Sec. 162.600  Compliance dates of the implementation of the standard 
unique employer identifier.

    (a) Health care providers. Health care providers must comply with 
the requirements of this subpart no later than July 30, 2004.
    (b) Health plans. A health plan must comply with the requirements 
of this subpart no later than one of the following dates:
    (1) Health plans other than small health plans-- July 30, 2004.
    (2) Small health plans-- August 1, 2005.
    (c) Health care clearinghouses. Health care clearinghouses must 
comply with the requirements of this subpart no later than July 30, 
2004.


Sec. 162.605  Standard unique employer identifier.

    The Secretary adopts the EIN as the standard unique employer 
identifier provided for by 42 U.S.C. 1320d-2(b).


Sec. 162.610  Implementation specifications for covered entities.

    (a) The standard unique employer identifier of an employer of a 
particular employee is the EIN that appears on that employee's IRS Form 
W-2, Wage and Tax Statement, from the employer.
    (b) A covered entity must use the standard unique employer 
identifier (EIN) of the appropriate employer in standard transactions 
that require an employer identifier to identify a person or entity as 
an employer, including where situationally required.

Subparts G Through H--[Reserved]

    4. Subparts G through H are reserved.

    Dated: March 20, 2002.
Tommy G. Thompson
Secretary.
[FR Doc. 02-13616 Filed 5-24-02; 4:50 pm]
BILLING CODE 4120-01-P