[Federal Register Volume 91, Number 56 (Tuesday, March 24, 2026)]
[Rules and Regulations]
[Pages 14350-14405]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2026-05676]
[[Page 14349]]
Vol. 91
Tuesday,
No. 56
March 24, 2026
Part IV
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 162
Administrative Simplification; Adoption of Standards for Health Care
Claims Attachments Transactions and Electronic Signatures; Final Rules
��Federal Register / Vol. 91 , No. 56 / Tuesday, March 24, 2026 / Rules
and Regulations��
[[Page 14350]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 162
[CMS-0053-F]
RIN 0938-AT38
Administrative Simplification; Adoption of Standards for Health
Care Claims Attachments Transactions and Electronic Signatures
AGENCY: Office of the Secretary, Department of Health and Human
Services (HHS).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule implements requirements of the Administrative
Simplification subtitle of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), and the Patient Protection and
Affordable Care Act, as amended by the Health Care and Education
Reconciliation Act of 2010, enacted on March 30, 2010--collectively,
the Affordable Care Act. Specifically, this final rule adopts standards
for health care claims attachments transactions, which will support
health care claims transactions, and a standard for electronic
signatures to be used in conjunction with health care claims
attachments transactions.
DATES:
Effective Date: This final rule is effective on May 26, 2026. The
incorporation by reference of certain material listed in this rule is
approved by the Director of the Federal Register as of May 26, 2026.
Compliance Date: Compliance with these regulations is required by
May 26, 2028.
FOR FURTHER INFORMATION CONTACT:
Geanelle G. Herring, (410) 786-4466.
Shaheen Halim, (410) 786-0641.
Shelley Harrow, (410) 786-6875--Regulatory Impact Analysis.
Christopher Wilson, (410) 786-3178.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
A. Purpose/Need for the Regulatory Action
Despite the health care industry's widespread use of electronic
health records (EHR) and broad implementation of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) transaction
standards, the exchange of health care claims attachments has remained
largely manual, frequently relying on fax, mail, or portal uploads.
This final rule adopts standards for the electronic exchange of
clinical and administrative documentation to support claims-related
processes. Standardizing health care claims attachment transactions is
intended to reduce administrative burden and improve data exchange
efficiency between health plans and health care providers.
B. Summary of the Provisions
This final rule implements requirements of the Administrative
Simplification subtitle of HIPAA and the Affordable Care Act.
Specifically, this final rule adopts definitions of ``attachment
information'' and ``electronic signature'' in 45 CFR 162.103 and
``health care claims attachments transaction'' in Sec. 162.2001. This
rule also adopts standards for health care claims attachments
transactions in Sec. 162.2002(a) through (d) and standards for
electronic signatures, to be used in conjunction with health care
claims attachments transactions, in Sec. 162.2002(e).
In this final rule, we are adopting the following X12N standards
and Health Level 7 (HL7[supreg]) implementation guides (IG) for use by
covered entities in health care claims attachments transactions:
X12N 277--Health Care Claim Request for Additional
Information [006020X313].
X12N 275--Additional Information to Support a Health Care
Claim or Encounter [006020X314].
HL7 IG for Clinical Document Architecture (CDA) Release 2:
Consolidated CDA (C-CDA) Templates for Clinical Notes (US Realm) Draft
Standard for Trial Use Release 2.1, Volume One--Introductory Material,
June 2019 with Errata (HL7 C-CDA IG Volume One).
HL7 IG for CDA Release 2: C-CDA Templates for Clinical
Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two--
Templates and Supporting Material, June 2019 with Errata (HL7 C-CDA IG
Volume Two).
HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based
Documents, Release 2, March 2022 (HL7 Attachments IG).\1\
---------------------------------------------------------------------------
\1\ The proposed rule that preceded this final rule named an
earlier iteration of this HL7 Attachments IG (Release 1, March
2017). The iteration of the HL7 Attachments IG named in this final
rule (Release 2, March 2022) contains cumulative technical updates
that are defined as ``maintenance.'' Additional discussion regarding
this can be found in section III.E. of this final rule.
---------------------------------------------------------------------------
HL7 IG for CDA Release 2: Digital Signatures and
Delegation of Rights, Release 1 (Digital Signatures Guide).
C. Summary of the Differences Between the Notice of Proposed Rulemaking
and Final Rule
The proposed rule included proposals to support both health care
claims and prior authorization transactions, as well as a standard for
electronic signatures to be used in conjunction with these
transactions. Commenters expressed broad support for the HHS proposal
to adopt health care claims attachment standards. Conversely,
commenters overwhelmingly expressed two concerns about the proposals
for prior authorization attachments standards: (1) potential
misalignment when paired with the currently mandated X12N 278
transaction standard for prior authorization; and (2) potential
misalignment between HHS's proposed attachment standard for prior
authorization transactions with the requirements in CMS's then-
proposed, but now finalized, rule titled: ``CMS Medicare and Medicaid
Programs; Patient Protection and Affordable Care Act; Advancing
Interoperability and Improving Prior Authorization Processes for
Medicare Advantage Organizations, Medicaid Managed Care Plans, State
Medicaid Agencies, Children's Health Insurance Program (CHIP) Agencies
and CHIP Managed Care Entities, Issuers of Qualified Health Plans on
the Federally-Facilitated Exchanges, Merit-Based Incentive Payment
System (MIPS) Eligible Clinicians, and Eligible Hospitals and Critical
Access Hospitals in the Medicare Promoting Interoperability Program
final rule'' (hereinafter referred to as the CMS Interoperability and
Prior Authorization final rule) (89 FR 8758). Upon considering these
comments, along with further analysis and consultations with standard
setting organizations (SSO), we have elected not to finalize health
care attachments standards supporting prior authorization transactions
at this time.
In the proposed rule, we proposed the adoption of the 2017
iteration of one of the IGs (the HL7 CDA Release 2 Attachment IG:
Exchange of C-CDA Based Documents, Release 1, March 2017) (HL7
Attachments IG) (87 FR 78438). Based on the comments received, we
examined the history of changes to the HL7 Attachments IG and
determined that the cumulative changes in the March 2022 iteration
constitute ``maintenance updates'' because they refine the IG's
existing content rather than adding new content. Further consultation
with the designated standards maintenance organization (DSMO) indicates
that the maintenance updates reflected in the March 2022
[[Page 14351]]
iteration of the HL7 Attachments IG better facilitate the
implementation of Version 6020 of the X12N 275 and X12N 277 standards
for claims attachment, which the Secretary of Health and Human Services
(the Secretary) is adopting in this final rule. Therefore, this final
rule adopts the March 2022 iteration of the HL7 Attachments IG rather
than the proposed March 2017 iteration.
D. Summary of Costs and Savings
Based on the estimates included in the Regulatory Impact Analysis
(RIA), the primary net annualized cost, discounted at 7 percent, to the
industries is approximately $303.75 million. This estimate includes the
difference between the primary net annualized costs of $478.23 million,
which includes the regulatory review costs of $14.13 million, and
primary net annualized savings of $781.98 million.
II. Background
This background discussion presents a history of statutory
provisions and regulations relevant to this final rule.
A. Legislative Authority for Administrative Simplification
1. Standards Adoption and Modification Under the HIPAA Administrative
Simplification Provisions
Congress addressed the need for a consistent framework for
electronic transactions and other administrative simplification issues
in HIPAA (Pub. L. 104-191, enacted on August 21, 1996). Through
subtitle F of title II of HIPAA, Congress added to title XI of the
Social Security Act (the Act) a new Part C, titled: ``Administrative
Simplification,'' which required the Secretary to adopt standards for
certain transactions to enable health information to be exchanged more
efficiently and to achieve greater uniformity in the transmission of
health information. For purposes of this and later discussion in this
final rule, we sometimes refer to this statute as the ``original''
HIPAA provisions.
Section 1172(a) of the Act provides that any standard adopted by
the Secretary under the HIPAA Administrative Simplification provision
shall apply, in whole or in part, to the following persons, referred to
as ``covered entities'': (1) a health plan; (2) a health care
clearinghouse; and (3) a health care provider who transmits any health
information in electronic form in connection with a HIPAA transaction.
In general, section 1172 of the Act provides that any standard adopted
under HIPAA is to be developed, adopted, or modified by an SSO. The
statute requires consultation with four organizations named at section
1172(c)(3)(B) of the Act. In adopting a standard, section 1172(f) of
the Act requires the Secretary to rely upon recommendations of the
National Committee on Vital and Health Statistics (NCVHS) and consult
with appropriate federal and state agencies and private organizations.
Section 1172(b) of the Act provides that a standard adopted under
HIPAA must be consistent with the objective of reducing the
administrative costs of providing and paying for health care. The
transaction standards adopted under HIPAA enable financial and
administrative electronic data interchange (EDI) using a common
structure, as opposed to the many varied, often proprietary,
transaction formats on which the industry had previously relied. This
lack of uniformity across transaction formats engendered an
administrative burden.
Section 1173(g)(1) of the Act, which was added by section 1104(b)
of the Affordable Care Act, further addresses the goal of uniformity by
requiring the Secretary to adopt a single set of operating rules for
each transaction. These operating rules are required to be consensus-
based and reflective of the necessary business rules and operations
affecting both health plans and health care providers.
Section 1173(a) of the Act provides that the Secretary must adopt
standards for financial and administrative transactions, and data
elements for those transactions, to enable health information to be
exchanged electronically. The original HIPAA provisions require the
Secretary to adopt standards for the following transactions: (1) health
claims or equivalent encounter information; (2) health claims
attachments; (3) enrollment and disenrollment in a health plan; (4)
eligibility for a health plan; (5) health care payment and remittance
advice; (6) health plan premium payments; (7) first report of injury;
(8) health claim status; and (9) referral certification and
authorization (prior authorization). Section 1104(b)(2)(A) of the
Affordable Care Act added the requirement for the Secretary to adopt a
standard for electronic funds transfers. Additionally, section
1173(a)(1)(B) of the Act requires the Secretary to adopt standards for
any other financial and administrative transactions the Secretary
determines appropriate.
Sections 1173(c) through (f) of the Act provide that the Secretary
must adopt standards that: (1) select or establish code sets for
appropriate data elements for each listed health care transaction; (2)
address and ensure security for health care information; (3) specify
procedures for electronic signatures in coordination with the Secretary
of Commerce, compliance with which will be deemed to satisfy both state
and federal statutory requirements for written signatures for the
listed transactions; and (4) address the transmission of appropriate
standard data elements needed for the coordination of benefits,
sequential processing of claims, and other data elements for
individuals who have more than one health plan. Section 1174 of the Act
requires the Secretary to review the adopted standards and adopt
modifications to them, including additions to the standards as
appropriate, but not more frequently than once every 12 months.
Section 1175 of the Act prohibits health plans from refusing to
conduct a transaction as a standard transaction.\2\ It also prohibits
health plans from delaying a transaction or adversely affecting, or
attempting to adversely affect, a person or the transaction itself on
the grounds that the transaction is in a standard format. Additionally,
it establishes a timetable for covered entities to comply with any
standard, implementation specification, or modification as follows: (1)
for an initial standard or implementation specification, no later than
24 months following its adoption; and (2) for modifications, as the
Secretary determines appropriate, but no earlier than 180 days after
the modification is adopted.
---------------------------------------------------------------------------
\2\ See 45 CFR 162.103 for the definition of standard
transaction.
---------------------------------------------------------------------------
Sections 1176 and 1177 of the Act establish civil money penalties
(CMP) and criminal penalties to which covered entities may be subject,
for violations of HIPAA Administrative Simplification provisions. The
Department of Health and Human Services (HHS) administers the CMPs
under section 1176 of the Act, while the U.S. Department of Justice
administers the criminal penalties under section 1177 of the Act.
Section 1176(b) of the Act sets out limitations on the Secretary's
authority and provides the Secretary certain discretion with respect to
imposing CMPs. For example, section 1176(b)(1) provides that no CMPs
may be imposed with respect to an act if a penalty has been imposed
under section 1177 of the Act with respect to such an act. Section
1176(b)(2)(A) generally precludes the Secretary from imposing a CMP for
a violation corrected during the 30-day
[[Page 14352]]
period beginning when an individual knew or, by exercising reasonable
diligence, would have known that the failure to comply occurred. The
original HIPAA provisions are discussed in greater detail in the August
17, 2000 Health Insurance Reform: Standards for Electronic Transactions
final rule (65 FR 50312) (hereinafter referred to as the Transactions
and Code Sets final rule), and the December 28, 2000 Standards for
Privacy of Individually Identifiable Health Information final rule (65
FR 82462). We refer readers to those documents for further information.
2. Affordable Care Act Amendments to HIPAA Administrative
Simplification
Section 1104(c)(3) of the Affordable Care Act reiterated the
original HIPAA requirement to adopt a health claims attachment
standard, and directed the Secretary to promulgate a final rule to
establish a transaction standard and a single set of associated
operating rules.\3\ Section 1104(c)(3) of the Affordable Care Act
requires that the adopted standard be ``consistent with the X12 Version
5010 transaction standards,'' provides that the Secretary must adopt
the standard and operating rules by January 1, 2014, to be effective no
later than January 1, 2016, and that the Secretary may adopt the
standard and operating rules on an interim final basis. We interpret
the 24 month ``effective date'' under section 1104(c)(3) of the
Affordable Care Act to mean that the compliance date for covered
entities should be 24 months after the effective date of this final
rule. Unlike the original HIPAA provisions, the Affordable Care Act
provision makes no allowance for an extended period for small health
plans to achieve compliance.
---------------------------------------------------------------------------
\3\ As we noted in the Administrative Simplification: Adoption
of Standards for Health Care Attachments Transactions and Electronic
Signatures, and Modification to Referral Certification and
Authorization Transaction Standard proposed, at that time CAQH CORE
had developed operating rules for attachments but the NCVHS had yet
to evaluate them and make a recommendation to the Secretary, thus
they were not proposed for adoption (87 FR 78445).
---------------------------------------------------------------------------
B. Prior Rulemaking
In the Transactions and Code Sets final rule (65 FR 50312), we
implemented some of the HIPAA Administrative Simplification
requirements by adopting standards for electronic transactions
developed by SSOs, and medical code sets to be used in those
transactions. We adopted X12 Version 4010 standards for administrative
transactions, and the National Council for Prescription Drug Programs
(NCPDP) Telecommunication Version 5.1 standard for retail pharmacy
transactions, which were specified at 45 CFR part 162, subparts K
through R.
Since then, we have adopted several modifications to the HIPAA
standards, including in the Health Insurance Reform: Modifications to
the Health Insurance Portability and Accountability Act (HIPAA)
Electronic Transaction Standards final rule (hereinafter referred to as
the Modifications final rule) which appeared in the January 16, 2009
Federal Register (74 FR 3296). That rule, among other things, adopted
updated versions of the standards, X12 Version 5010, and the NCPDP
Telecommunication Standard Version D.0 and equivalent Batch Standard,
Version 1, Release 2. We also adopted the NCPDP Batch Standard Version
3.0 for the Medicaid pharmacy subrogation transaction. Covered entities
were required to comply with Version 5010, Version D.0, and Version 3.0
standards on January 1, 2012, though with respect to the latter, small
health plans were required to comply on January 1, 2013.
In the HIPAA Administrative Simplification: Standards for
Electronic Health Care Claims Attachments proposed rule (hereinafter
referred to as the Standards for Electronic Health Care Claims
Attachments proposed rule), which appeared in the September 23, 2005
Federal Register (70 FR 55990), we proposed to adopt certain health
care claims attachments standards. As opposed to a standard with
generalized applicability, that proposed rulemaking proposed to adopt
health care claims attachment standards with respect to specific
services, including ambulance services, clinical reports, emergency
department, laboratory results, medications, and rehabilitation
services. However, public comments we received on those proposals
persuasively argued that the standards lacked technical maturity and
that interested parties were not ready to implement the electronic
exchange of clinical data, so we did not finalize adopting them.
HHS issued a proposed rule titled: Administrative Simplification:
Adoption of Standards for Health Care Attachments Transactions and
Electronic Signatures, and Modification to Referral Certification and
Authorization Transaction Standard that appeared in the December 21,
2022 Federal Register (87 FR 78438) (hereinafter referred to as the
HIPAA Standards for Health Care Attachments proposed rule). In that
proposed rule, we proposed new requirements for HIPAA covered entities
that we believed would improve the electronic exchange of health
information and a new electronic signature standard. We provided a 90-
day public comment period.
We later issued a correcting document titled: Administrative
Simplification: Adoption of Standards for Health Care Attachments
Transactions and Electronic Signatures, and Modification to Referral
Certification and Authorization Transaction Standard; Correction, which
appeared in the March 17, 2023 Federal Register (88 FR 16392)
(hereinafter referred to as the HIPAA Standards for Health Care
Attachments proposed rule correction notice). That notice corrected
typographical and technical errors in the HIPAA Standards for Health
Care Attachments proposed rule by conforming the proposed regulations
text to the proposed policies discussed in the preamble.
Subsequently, we extended the public comment period for the
proposed rule by another 30 days via a notice that appeared in the
March 24, 2023 Federal Register titled: ``Adoption of Standards for
Health Care Attachments Transactions and Electronic Signatures, and
Modification to Referral Certification and Authorization Transaction
Standard: Extension of Comment Period'' (88 FR 17780). We believed it
was important for the public to have the opportunity to review and
comment on the corrected proposed rule because most of the corrections
to the proposed rule were in the regulation text.
In the HIPAA Standards for Health Care Attachments proposed rule
(87 FR 78445), we proposed to adopt attachments standards that would
apply to health care claims or equivalent encounter transactions and to
referral certification and authorization (prior authorization)
transactions.\4\ In this final rule, HHS adopts standards only for
health care claims attachments transactions or equivalent encounter
transactions, which will support health care claims transactions. HHS
further adopts a standard for electronic signatures to be used in
conjunction with health care claims attachments transactions. We thus
refer to the attachment standards being adopted in this final rule as
``health care claims attachment standards.'' In section III.A.
[[Page 14353]]
of this final rule, we explain why we elected not to move forward with
the proposals to adopt an attachments standard for prior authorization
transactions.
---------------------------------------------------------------------------
\4\ We clarify that, in this final rule, we frequently use the
shorthand ``health care claims'' to speak of health care claims or
equivalent encounter information transactions under 45 CFR 161.1101.
We note that attachments would most likely be requested for health
care claims (Sec. 161.1101(a)) involving payment, rather than for
``equivalent encounter information'' transactions (Sec.
161.1101(b)) involving the ``transmission of encounter information
for the purpose of reporting health care.''
---------------------------------------------------------------------------
C. Standards and Code Sets Organizations
The HIPAA Standards for Health Care Attachments proposed rule
presented information about the organizations responsible for
developing and maintaining the transaction standards and code sets that
we are adopting in this final rule. Information about each
organization's balloting process--the process by which they vet and
approve the products they develop and changes thereto--is available on
their respective websites. We provide links to these websites in this
section.
As we stated previously, the law requires any standard adopted
under HIPAA to be developed, adopted, or modified by an SSO. Section
1171 of the Act provides that an SSO is an organization accredited by
the American National Standards Institute (ANSI) that develops
standards for information transactions, data elements, or any standard
that is necessary to, or will facilitate the implementation of,
administrative simplification. Pursuant to section 1172(c)(3) of the
Act, a HIPAA SSO must develop, adopt, and modify standards in
consultation with certain organizations: the National Uniform Billing
Committee (NUBC), National Uniform Claim Committee (NUCC), Workgroup
for Electronic Data Interchange (WEDI), and American Dental Association
(ADA). The two SSOs associated with this final rule are the Accredited
Standards Committees (ASC) X12 and HL7, both of which maintain websites
where the required IGs may be obtained. One other organization, the
Regenstrief Institute (Regenstrief), a health research institution and
not an SSO, maintains a code set named Logical Observation Identifiers
Names and Codes (LOINC), which is important to this rulemaking.
1. X12 \5\
---------------------------------------------------------------------------
\5\ X12. (n.d.). Retrieved from https://X12.org/.
---------------------------------------------------------------------------
The first SSO associated with this final rule is X12, which
develops and maintains standards for the electronic exchange of
business-to-business transactions. An ANSI-accredited organization, X12
membership is open to all individuals and organizations. An X12
subcommittee known as Subcommittee N: Insurance (X12N) develops and
maintains electronic standards specific to the insurance industry,
including, but not limited to, health insurance. Comprised of
volunteers, X12N develops standards for electronic health care
transactions for common administrative activities including: (1)
claims; (2) remittance advice; (3) claims status; (4) enrollment; (5)
eligibility; (6) authorizations and referrals; and (7) electronic
health care claims attachments. X12N is responsible for obtaining
consensus on the standards from the entire organization and producing
draft documents that it makes available for public review and comment,
which it addresses as necessary before voting on any proposal.
Proposals must then be reviewed and ratified by a majority of the X12N
voting members and X12's executive committee.
2. HL7 \6\
---------------------------------------------------------------------------
\6\ Health Level Seven International. (n.d.). Retrieved from
https://www.HL7.org/.
---------------------------------------------------------------------------
The second SSO associated with this final rule is HL7, an ANSI-
accredited SSO that develops and maintains standards for the exchange,
integration, sharing, and retrieval of electronic health information
that supports clinical practice and the management, delivery, and
evaluation of health services. Its domain is principally clinical data,
and its specific emphasis is the interoperability between health care
information systems. HL7's membership is open to all individuals and
organizations, and it focuses its interface requirements on the entire
health care industry, not just a subset of it.
HL7 conducts a multi-step process called balloting to solicit
feedback and comments on standards and specifications prior to
publication.\7\ A technical committee, such as a workgroup, develops
the standard or specifications, which is then submitted for
consideration under the balloting process. All HL7 members are eligible
to vote and submit feedback on standards, regardless of whether they
are members of the committee that developed the standard. Non-members
may also vote on a given ballot for a standard, though to do so they
must pay an administrative fee. After reviewing feedback received
during voting, HL7 technical committees vote on ``recommendations,''
which require a two-thirds majority for approval. HL7 standards are
available to the public on its website, and the website also describes
in more detail HL7's balloting process.\8\ HL7 standards are free and
open source, and documentation is available to anyone to ensure that
all implementers can equally access information.
---------------------------------------------------------------------------
\7\ Health Level Seven International. (n.d.). HL7 Balloting.
Retrieved from https://confluence.hl7.org/display/HL7/HL7+Balloting.
\8\ Health Level Seven International. (n.d.). Retrieved from
https://www.hl7.org/.
---------------------------------------------------------------------------
3. The Regenstrief Institute (Regenstrief) \9\
---------------------------------------------------------------------------
\9\ Logical Observation Identifiers Names and Codes from
Regenstrief. (n.d.). Retrieved from https://loinc.org/.
---------------------------------------------------------------------------
Regenstrief is a health research institution that develops and
maintains a code set, LOINC, which is the code system, terminology, and
vocabulary for identifying individual clinical results and other
clinical information. Regenstrief supports the development of a code
system for attachments use cases and works closely with the HL7 Payer/
Provider Information Exchange (PIE) Work Group (formerly known as the
Attachments Work Group) to develop a set of LOINC codes to uniquely
indicate the type and content of attachment information in electronic
transmissions. Regenstrief maintains LOINC through its LOINC Committee,
which is composed of volunteer representatives from academia, industry,
and government who serve as subject matter experts in their domains of
expertise. That committee establishes overall naming conventions and
policies for the development process.
D. Industry Standards, Code Sets, and IGs
1. Electronic Data Interchange (EDI) and Transaction Standards
In the HIPAA Standards for Health Care Attachments proposed rule,
we discussed how HIPAA transactions involve the electronic transmission
of information between two parties to carry out health care-related
financial or administrative activities (87 FR 78441). These activities
include health insurance claims submissions and prior authorization
requests, and HIPAA standards for those transactions require uniformity
for EDI of those transmissions.
The benefit of HIPAA standards is that they use a common
interchange structure, eliminating covered entities' need to have
information technology (IT) systems that accommodate multiple
proprietary, and potentially continually changing, data formats. The
interchange structure uniformity enables covered entities to exchange
medical, billing, and other information to process transactions more
expeditiously and cost-effectively, reduces handling and processing
time, and eliminates the risk of lost paper documents, thereby reducing
administrative burdens,
[[Page 14354]]
lowering operating costs, and improving overall data quality.
HIPAA transaction standards specify: (1) data interchange
structures (message transmission formats); and (2) data content (all of
the data elements and code sets inherent to a transaction and not
related to the format of the transaction). Implementation
specifications detail the nature, location, and content format of each
piece of information transmitted in a transaction. Standardization of
transactions also involves: (1) specification of the data elements that
are exchanged; (2) uniform definitions of those specific data elements
in each type of electronic transaction; (3) identification of the
specific codes or values that are valid for each data element; and (4)
specification of the business actions each party must take to ensure
the exchange of administrative transactions occurs smoothly and
reliably, regardless of the technology employed.
a. IGs--X12
As discussed in section II.C.1. of this final rule, X12 develops
and maintains standards for the electronic exchange of business-to-
business transactions. X12N publishes transmission standards that apply
to many lines of insurance business. For example, the X12N 820 message
format for premium payment may be used for automobile and casualty
insurance. X12 implementation specifications, referred to by the
industry as IGs and written collaboratively by X12N workgroups, make
these general standards functional for industry-specific uses. The
specifications are based on X12 standards, but contain detailed
instructions for using the standard to meet a specific business need.
X12's implementation specifications for HIPAA transaction standards
adopted by the Secretary are known as ``Technical Reports Type 3''
(TR3). Each X12N IG has a unique version identification number
represented in a parenthetical, where the highest version number
represents the most recent version. HHS adopted the then-updated
Version 5010 of the X12 standards in the Modifications final rule (74
FR 3296), while this final rule adopts Version 6020 of the X12N 275 and
X12N 277 standards, the rationale for which we discuss in section III.
of this final rule.
b. IGs--HL7
HL7's PIE Workgroup develops standards for electronic health care
attachments. The workgroup, which includes industry experts
representing health care providers, health plans, and health technology
vendors, is also responsible for creating and maintaining the IGs. The
IGs are sets of instructions and associated code tables that describe,
list, or itemize the content, format, and code to be sent, and specify
how such information is to be conveyed in an electronic health care
attachment.
The HL7 CDA is an XML-based (a computer programming language)
markup standard that specifies the encoding, structure, and semantics
of clinical documents for purposes of transmitting attachment
information. XML-coded files have the same characteristics and
information as hard copy documents, so regardless of how data are sent
within a transaction, they can be read and processed by both people and
machines. An important feature of the CDA standard is that it allows
the entire body of an electronic document to be replaced by an image,
for example, a scanned copy of a page or pages from a medical record.
That permits the clinical content to be conveyed by an image or text
document, but a header still supports automated document management.
The CDA header contains standardized, machine-readable data elements,
such as document type, patient and provider identifiers, and service
dates that enable health information technology (health IT) systems to
automatically route, index, associate, and manage attachment documents
even when the document body consists of images or other non-structured
content. This feature of the CDA standard is relevant because it
accommodates health care attachments that may not be conducive to XML
formatting, such as medical imaging, video, or audio files.
HL7 also produces the C-CDA standard that provides specifications
for formatting document templates, depending on whether they are
structured or unstructured, enabling the CDA to create numerous
specific document types, known as templates. The HL7 C-CDA IG document
templates are designed to be electronic versions of the most common
types of paper document attachment information. Attachment information
not included in a template may be created by using instructions
included in the finalized unstructured document IG; supported
unstructured formats include MSWORD, PDF, Plain Text, RTF Text, HTML
Text, GIF Image, TIF Image, JPEG Image, and PNG Image.
2. Code Sets
Transaction data content standardization involves identifying the
specific codes or values for each data element. Health care EDI
requires many types of code sets, including large medical data code
sets and classification systems for medical diagnoses, procedures, and
drugs, and smaller code sets to identify categories, such as facility
type, currency, units, or a state within the United States. Large data
code sets include those developed and maintained by federal agencies,
such as the Centers for Medicare & Medicaid Services' (CMS) Healthcare
Common Procedure Coding System (HCPCS), and by private organizations,
such as the American Medical Association's (AMA) Current Procedural
Terminology (CPT[supreg]) and the ADA's Code on Dental Procedures and
Nomenclature (CDT Code).10 11 These code sets have been
adopted through rulemaking under HIPAA in the Transactions and Code
Sets final rule (65 FR 50312) and are mandated for use in federal and
state health care programs, such as Medicare, Medicaid, and the
Children's Health Insurance Program (CHIP). SSOs require or permit
their use in their standards.
---------------------------------------------------------------------------
\10\ CPT[supreg] is a registered service mark of the American
Medical Association.
\11\ The CDT code set is a proprietary code set.
---------------------------------------------------------------------------
3. IGs as HIPAA Standards
Section 1172(d) of the Act directs the Secretary to establish
specifications for implementing each of the adopted standards. As we
explained previously, SSOs have developed IGs by which to implement the
same standards for different business purposes. In the HIPAA Standards
for Health Care Attachments proposed rule, we proposed an approach we
have taken with previous HIPAA Rules that adopted a specific IG as both
the ``standard'' and the ``implementation specifications'' for each
health care transaction (87 FR 78442).
In pursuing this approach, we were mindful that section 1104(c)(3)
of the Affordable Care Act requires that the Secretary promulgate a
final rule to establish a transaction standard and a single set of
operating rules for health care attachments that is ``consistent with
the X12 Version 5010 transaction standards.'' We interpreted this
requirement to mean that the proposed health care attachment
implementation specifications must be compatible with X12 standards
generally, meaning any standard we adopt for attachment information can
be electronically transmitted by an X12 transmission standard in the
same transaction (87 FR 78442). The Affordable Care Act was enacted in
2010, at which time we had adopted Version 5010 of the X12 standards. A
decade later, we
[[Page 14355]]
interpreted the Affordable Care Act's mandate as referencing the then-
current standards--the X12 Version 5010--but not specifically requiring
adherence in perpetuity to a static standard, which would contravene
the HIPAA standards paradigm that is premised on standards evolution
over time and be contrary to logic as X12 continues to publish newer
versions of its standards. Therefore, in the HIPAA Standards for Health
Care Attachments proposed rule, we proposed to adopt Version 6020 of
certain X12 standards (87 FR 78447).
Additionally, we proposed to adopt transaction standards that can
be used together in a single electronic transmission (87 FR 78447
through 78449). HL7 standards can work in conjunction with other
standards like X12. The HIPAA covered entities who would use the health
care claims attachment standard are currently using X12 transaction
standards, so adoption of a health care claims attachment standard
using X12 standards, which are being finalized in this final rule,
should have minimal impact on covered entities.
Separately, we are also aware that SSOs are developing and piloting
other types of standards. In the HIPAA Standards for Health Care
Attachments proposed rule, we solicited public comment on this and any
alternative implementation specifications that may be considered
compatible with X12 Version 5010 (87 FR 78442). Commenters were
supportive of our proposals pertaining to claims attachments, however,
commenters expressed concerns about the proposals to include prior
authorization within the attachment transaction. Commenters identified
additional standards for consideration, specifically the HL7 Fast
Healthcare Interoperability Resources (FHIR[supreg]) standard.\12\ We
summarize the alternatives that commenters recommended we consider, and
provide our full response to these comments, in section III.D.2. of
this final rule.
---------------------------------------------------------------------------
\12\ Health Level Seven International. (2023). Guide to Using
HL7 Trademarks. Retrieved from http://www.hl7.org/legal/trademarks.cfm?ref=nav. HL7 requires the registered trademark with
the first use of its name in a document, for which policies are
available on its website at www.HL7.org.
---------------------------------------------------------------------------
E. The NCVHS Recommendations to the Secretary
In the proposed rule, we stated that the NCVHS is a statutorily
designated advisory committee that provides the Secretary with
recommendations on health information policy and standards (87 FR
78447).\13\ Among the ways it does so is by convening regular forums
with industry groups on key issues related to population health,
standards, privacy and confidentiality, and data access and use.
Pursuant to HIPAA, the NCVHS advises the Secretary on the adoption of
standards, implementation specifications, code sets, identifiers, and
operating rules for HIPAA transactions. For readers' reference, we
include here the process discussion also found in the HIPAA Standards
for Health Care Attachments proposed rule.
---------------------------------------------------------------------------
\13\ At the time this final rule was being drafted, the NCVHS
website was undergoing maintenance. National Committee on Vital and
Health Statistics. (n.d.). Retrieved from https://ncvhs.hhs.gov/.
Website references herein to NCVHS recommendation and artifacts
reflect access made prior to the initiation of maintenance mode and
also appeared in the proposed rule. Current inquiries seeking NCVHS
recommendation letters and other artifacts referenced herein should
be directed to: [email protected].
---------------------------------------------------------------------------
The NCVHS held a number of hearings and made several sets of
recommendations to the Secretary on claims attachment standards, which
are reflected in the administrative record and described in prior
Federal Register notices. For example, the HIPAA Standards for Health
Care Attachments proposed rule discusses the NCVHS subcommittee
hearings, correspondence to the Secretary, and its March 30, 2022
recommendation urging prompt adoption of a claims attachments standard
(87 FR 78443 and 78444).
The NCVHS Standards Subcommittee held a November 17, 2011 hearing
on health claims attachments to gather information regarding new
business needs, priorities, issues, and challenges. Participant
testimony addressed the development status of standards and
implementation specifications. Some organizations testified regarding
their interest in serving as attachments operating rules authoring
entities. In a letter to HHS dated March 2, 2012, the NCVHS
Subcommittee on Standards advised HHS that it was premature to make
formal recommendations regarding the adoption of any standard,
implementation specification, or operating rule associated with health
care attachments.\14\ On May 5, 2012, the NCVHS recommended that the
Council for Affordable Quality Healthcare (CAQH), a nonprofit entity
whose stated mission is to improve the efficiency, accuracy, and
effectiveness of industry-driven business transactions, be designated
as the operating rules authoring entity.\15\
---------------------------------------------------------------------------
\14\ National Committee on Vital and Health Statistics. (2012,
March 2). Claim Attachments. Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120302lt1.pdf.
\15\ National Committee on Vital and Health Statistics. (2021,
May 5). Recommendations to Designate an Authoring Entity and Ensure
Industry Collaboration for the Development of Operating Rules for
Health Care Administrative Transactions. Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120505lt.pdf.
---------------------------------------------------------------------------
The NCVHS Subcommittee held a second hearing on health claims
attachments on February 27, 2013, where it identified a trend toward
convergence of administrative and clinical information. In a June 21,
2013 letter, the NCVHS recommended that the Secretary adopt a number of
initial attachments-related transaction standards by January 1, 2016
(the date by which the Affordable Care Act required claims attachment
standards to be effective), but advised HHS to take a comprehensive and
incremental approach to considering attachment standards to promote
innovation and flexibility.\16\ The NCVHS noted there was industry
consensus that adoption of standards should not be limited to ``claim
attachments,'' but, rather, should be more inclusive of any kind of
attachment with administrative or clinical information. It recommended
that attachments-related transaction standards should be applied to
claims, eligibility, prior authorization, referrals, care management,
post-payment audits, and any other administrative processes for which
supplemental information is needed. Among other recommendations, the
NCVHS advised HHS that attachment standards should support structured
and unstructured data, and both solicited and unsolicited
transmissions. It further advised that attachments standards should be
defined for two types of transactions: (1) Query (the electronic
solicitation of an attachment); and (2) Response (the electronic
transmission of an attachment). The NCVHS held another hearing on
health care attachments on February 15, 2016, and on July 5, 2016 sent
the Secretary a letter titled: ``Recommendations for the Electronic
Health Care Attachment Standard.'' \17\ This letter consolidated its
previous recommendations on attachments and advised that updated
versions of the available standards were ready for industry use, and
there was unanimous testimony that the health care industry was eager
to see them adopted. The NCVHS recommended that HHS complete additional
rulemaking to adopt the recommended standards
[[Page 14356]]
considering the length of time that had elapsed since the 2005
publication of the previous, and, ultimately, premature Standards for
Electronic Health Care Claims Attachments proposed rule (70 FR 55990),
and subsequent technology advancement and stakeholder readiness.
---------------------------------------------------------------------------
\16\ National Committee on Vital and Health Statistics. (2013,
June 21). Attachments Standards for Health Care. Retrieved from
https://ncvhs.hhs.gov/wp-content/uploads/2014/05/130621lt2.pdf.
\17\ National Committee on Vital and Health Statistics. (2016,
July 5). Recommendations for the Electronic Health Care Attachment
Standard. Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf.
---------------------------------------------------------------------------
On March 30, 2022, the NCVHS sent the Secretary a letter titled:
``Recommendations to Modernize Aspects of HIPAA and Other HIT [(Health
Information Technology)] Standards to Improve Patient Care and Achieve
Burden Reduction.'' \18\ This letter continued to stress previous
recommendations urging the Secretary to adopt a standard for electronic
attachments as soon as possible, and also stated--
---------------------------------------------------------------------------
\18\ National Committee on Vital and Health Statistics. (2022,
March 30). Recommendations to Modernize Aspects of HIPAA and Other
HIT Standards to Improve Patient Care and Achieve Burden Reduction.
Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf.
We recognize that there is ongoing debate and no definitive
industry consensus about the role of attachments (i.e., documents)
as opposed to data (i.e., a string of data elements not structured
within a document). While the vision with APIs [(Application
Programming Interfaces)] based on FHIR seem to be driving toward
more of a data-driven transaction, we see more than sufficient
industry demand for a document-based attachment standard, and we do
not foresee any imminent demise of the utility of digital documents.
We suggest short-term publication of an attachment rule, with
consideration for emerging standards based on recent input from
industry and other advisory group discussions. This could add
immediate value for industry and could support future actions as
HIPAA's procedural requirements may be updated to allow for non-
document type digital attachment data.\19\
---------------------------------------------------------------------------
\19\ National Committee on Vital and Health Statistics. (2022,
March 30). Recommendations to Modernize Aspects of HIPAA and Other
HIT Standards to Improve Patient Care and Achieve Burden Reduction.
Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf.
Based on the NCVHS's previous recommendations to the Secretary, and
particularly in consideration of its most recent March 30, 2022
recommendation, we are finalizing adoption of a document-based
attachments standard for healthcare claims or equivalent encounter
transactions in this final rule.
F. Other Industry Recommendations
1. Consensus-Based Organization Support
Industry consensus-based organizations, which vet proposals before
they are presented to the NCVHS, agree that the standards we proposed
are sufficiently mature to support health care business needs. Both
WEDI and the CAQH Committee on Operating Rules for Information Exchange
(CORE) have described the benefits that adopting health care
attachments standards would bring in automating and streamlining
workflows that, today, are primarily manual processes and sources of
significant administrative burden. We discussed their perspectives in
the HIPAA Standards for Health Care Attachments proposed rule (87 FR
78443).
In May 2019, CAQH CORE issued a document titled: ``Report on
Attachments: A Bridge to a Fully Automated Future to Share Medical
Documentation,'' where it reported evidence from its 2018 environmental
scan indicating a high degree of industry readiness and interest in the
attachments standard.\20\ The report noted that ``the health care
industry continues to wait for an electronic attachments standard that
can simplify the exchange of necessary medical information and
supplemental documentation.'' Specifically, the report stated that
``health plans, providers and vendors lack the direction needed to
support broad use of automation in the attachment workflow, or for
industry to coalesce around the use of even a small number of
electronic solutions,'' leading to largely manual, and often paper-
based, processes, and ultimately underscoring the need to standardize
electronic attachment exchange methods.
---------------------------------------------------------------------------
\20\ The Council for Affordable Quality Healthcare Committee on
Operating Rules for Information Exchange. (2019). CAQH CORE Report
on Attachments: A Bridge to a Fully Automated Future to Share
Medical Documentation. Retrieved from https://www.caqh.org/hubfs/43908627/drupal/core/core-attachments-environmental-scan-report.pdf.
---------------------------------------------------------------------------
2. Other Recent Public Comment Support
CMS published the Reducing Administrative Burden to Put Patients
Over Paperwork request for information (RFI), which appeared in the
Federal Register on June 11, 2019 (84 FR 27070). That RFI solicited
public comment on ideas for regulatory, subregulatory, policy,
practice, and procedural changes to reduce unnecessary administrative
burdens for clinicians, providers, patients, and their families, with
an aim to improve quality of care, lower costs, improve program
integrity, and make the health care system more effective, simple, and
accessible. To be clear, the RFI did not relate to, and was not for the
purpose of, soliciting comments on HHS's efforts pertaining to HIPAA
Administrative Simplification. Nevertheless, many commenters, including
organizations representing physician provider groups, insurance payers,
health technology vendors, health care financial managers, and health
IT standard advisory bodies, called for the publication of a HIPAA
electronic attachments proposed rule to be accelerated, as well as
guidance on other standards, such as electronic signature protocols to
achieve these goals. These commenters indicated that adoption of a
HIPAA attachments standard could help reduce administrative burden in
many clinical and administrative situations where documents need to be
shared, and relieve providers of current burdensome, largely paper-
based, processes.
In preparation for its August 25, 2020 Standards Committee Meeting,
the NCVHS invited the public to provide feedback on the CAQH CORE
operating rules for prior authorization transactions. In response,
commenters expressed their support for the adoption of an attachment
standard. Commenters also provided input on current standards
development efforts underway to address prior authorization challenges,
including recommendations for the Secretary to explore or allow the use
of other standards or alternative approaches.\21\ In that regard, we
acknowledge there is a growing base of evidence that may support our
adopting attachment standards that rely on emerging technologies, such
as APIs. We refer readers to section III.D.2. of this final rule for a
summary of public comments received on the proposed rule regarding
emerging technologies, such as APIs, and our response to them.
---------------------------------------------------------------------------
\21\ National Committee on Vital and Health Statistics. (2020,
August 25). NCVHS Standards Subcommittee on Standards Hearing on
Request for NCVHS Review of CAQH CORE Operating Rules for Federal
Adoption. Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2020/09/Standards-Transcript-8-25-20Final-508.pdf.
---------------------------------------------------------------------------
III. Provisions of the Proposed Rule, Analysis of and Responses to the
Public Comments Received, and Final Provisions
In response to the HIPAA Standards for Health Care Attachments
proposed rule, which appeared in the December 21, 2022 Federal Register
(87 FR 78438), we received more than 120 timely pieces of
correspondence commenting on health care claims and prior authorization
attachments.
In general, commenters were supportive of HHS's efforts to adopt
health care claims attachments standards that could potentially
mitigate
[[Page 14357]]
longstanding issues pertaining to the manual transmission of health
care claims attachments. Importantly, however, commenters recommended
that HHS, at this time, adopt only standards for health care claims
attachments transactions and not for prior authorization attachments
transactions, as we had also proposed. We explain in this final rule
that we are confining the scope of this rule's finalized policies to
claims attachments transactions, and we explain our rationale for not
finalizing our proposals to adopt the X12N 278 standard for prior
authorization attachments transactions.
A. Decision Regarding the Adoption of X12N 278--Health Care Services
Request for Review and Response (006020X315)
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to adopt Version 6020 of the X12N 278--Health Care Services
Request for Review and Response (006020X315) as the standard a health
plan must use to electronically request attachment information from a
health care provider to support a prior authorization transaction (87
FR 78447). That standard, we noted, is unique in that it is also used
for a health care provider's request for prior authorization, as
reflected in Sec. 162.1302(b)(2)(ii) (87 FR 78447). We also proposed
to incorporate the same by reference in Sec. 162.920. Version 6020 of
the X12N 278 standard would have been a modification to the existing
HIPAA transaction standard, as we previously adopted Version 5010 of
the X12N 278 standard in the January 16, 2009 Modifications final rule
(74 FR 3296).
The X12N 278 standard supports prior authorization transactions for
health care that has yet to be rendered by the requesting provider, as
well as responses from health plans for authorizations or for referrals
to another provider, such as when a provider refers a patient to a
specialist or for inpatient care.\22\ Using the X12N 278 standard for
prior authorization transactions, the health plan transmits a response
to the health care provider. This response contains coded information
that can then be utilized in a health care claim to indicate that the
billed items or services were approved by the health plan before being
rendered, or that a referral to another provider has been approved.
---------------------------------------------------------------------------
\22\ See 45 CFR 162.1301.
---------------------------------------------------------------------------
After reviewing public comments, we are not adopting an attachments
standard for prior authorization at this time. Commenters cited limited
industry experience implementing the X12N 278 standard for prior
authorization attachments, variability in current prior authorization
workflows, and potential conflict with other federal interoperability
initiatives requiring FHIR-based prior authorization API capabilities.
Instead, we are adopting standards only for health care claims
attachments. This approach reflects current industry readiness and
supports administrative simplification while allowing continued
evaluation of evolving standards for prior authorization.
Comment: Although several commenters expressed support for HHS's
efforts to reduce the burden of prior authorizations by adopting
electronic standards to create a streamlined prior authorization
process that meets the needs of health plans and providers, more
commenters opposed HHS's finalizing the proposed adoption of X12N 278
standard with respect to prior authorization attachments transactions.
Commenters asserted that: (1) there is a lack of agreement on data
element standardization within the industry; (2) entities have a wide
range of prior authorization workflows and common definitions; (3)
previous attempts to leverage the X12N 278 standard to support prior
authorizations have failed; (4) the X12N 278 standard for prior
authorization transactions was never fully implemented in the industry;
(5) the X12N 278 standard for prior authorization transactions will not
support the requests or responses of a FHIR-based questionnaire; and
(6) HHS's goal of efficient, cost-effective, simplified
interoperability may be impeded by health IT vendors constantly having
to deal with exceptions due to conflicting requirements across various
rulemaking efforts.
Commenters also expressed concern that HHS's proposed X12N 278
standard for prior authorization attachments transactions that appeared
in the HIPAA Standards for Health Care Attachments proposed rule may
conflict with provisions of a CMS proposed (and now finalized) rule
that appeared nearly simultaneously in the Federal Register, on
December 13, 2022 titled: ``Medicare and Medicaid Programs; Patient
Protection and Affordable Care Act; Advancing Interoperability and
Improving Prior Authorization Processes for Medicare Advantage
Organizations, Medicaid Managed Care Plans, State Medicaid Agencies,
Children's Health Insurance Program (CHIP) Agencies and CHIP Managed
Care Entities, Issuers of Qualified Health Plans on the Federally-
Facilitated Exchanges, Merit-Based Incentive Payment System (MIPS)
Eligible Clinicians, and Eligible Hospitals and Critical Access
Hospitals in the Medicare Promoting Interoperability Program''
(hereinafter referred to as the CMS Interoperability and Prior
Authorization proposed rule) (87 FR 76238).
Commenters also requested clarification or provided HHS with
certain recommendations for consideration in the event HHS finalized
the adoption of the X12N 278 standard for prior authorization
attachments transactions. A commenter recommended that if HHS were to
adopt the X12N 278 standard, HHS should continue the use of Version
5010 and not adopt Version 6020 of the X12N 278 standard, asserting
that it offers no additional functionality, is untested, and may
contain errors.
Response: We appreciate the comments submitted in response to our
proposal to adopt a standard for health care attachments transactions
that would include the prior authorization transaction standard. Upon
further consideration, and as we explain herein, we have elected not to
finalize the prior authorization transaction standard proposal. Rather,
we are adopting only the standards for health care claims attachments
transactions. Our decision reflects substantive consideration of
several interrelated concerns raised by commenters, many of which point
to foundational issues that could have impeded effective
implementation.
First, numerous commenters cited the lack of industry consensus
regarding data element standardization. Prior authorization processes
vary widely across health plans, and there is currently no agreed-upon,
consistent set of data elements that supports a level of automation and
interoperability consistent with HIPAA Administrative Simplification
goals. While a standard like the X12N 278 is intended to create a
unified structure, in practice the diversity of clinical and
operational use cases would have made its application difficult to
scale.
Second, commenters emphasized that prior authorization workflows
differ significantly across organizations and are often not
standardized even within the same type of entity. These workflows
include clinical decision-making, review protocols, timing of
documentation, and routing processes, all of which influence where and
how attachment information is requested and supplied. While a technical
standard could, in theory, be inserted into any
[[Page 14358]]
point in the workflow, the absence of shared operational expectations
and integration strategies greatly increases the risk of fragmentation,
workarounds, and vendor-specific implementations, which would undermine
the goal of interoperability and could increase, rather than reduce,
provider burden.
Third, many commenters pointed out that previous attempts to use
the X12N 278 standard to support prior authorization have not been
successful. There is limited industry adoption and very few operational
use cases that demonstrate consistent, real-world functionality of the
standard in the context of attachments. The lack of implementation and
testing means that critical issues related to content sufficiency,
response timing, and payload alignment remain unresolved. Interested
parties also raised specific concerns that Version 6020 offers no
additional functional value over Version 5010, and, in fact, could
introduce unvetted changes that have not been adequately tested or
validated.
In addition, we acknowledge commenters' concern that adopting a
prior authorization attachment standard under HIPAA could conflict with
requirements of the aforementioned, and now finalized, CMS
Interoperability and Prior Authorization final rule that appeared in
the January 17, 2024 Federal Register in which CMS mandated the use of
a FHIR Prior Authorization Support API by CMS-regulated health plans
and payers (89 FR 8758).
We also acknowledge certain commenters' suggestions that the
current low adoption rate for Version 5010 of the X12N 278 standard may
itself be attributable to the absence of a mandated prior authorization
attachments standard. Though that is a plausible contributing factor,
it would not mitigate the practical concerns about industry readiness,
data variability, and implementation barriers that commenters
identified. Simply requiring the use of a standard in this context--
without sufficient groundwork to ensure feasibility and alignment--
would risk ineffective uptake and could impose new burdens rather than
resolve existing ones.
In light of these reasonable concerns, we concluded it would be
imprudent to now proceed to finalize adoption of a prior authorization
attachments standard, so the finalized policies in this final rule are
limited to attachments for the health care claims or equivalent
encounter transactions and associated electronic signature standards.
This permits us to focus our regulatory resources, and the industry to
focus its resources, on a narrower set of transactions for which there
is stronger implementation maturity, standards infrastructure, and
stakeholder alignment.
We remain committed to improving the prior authorization process
and recognize the importance of establishing electronic standards that
reduce burden and promote interoperability. We will continue to monitor
testing of alternative transaction standards, including FHIR-based
solutions, and will continue to engage with industry-led SSOs to
evaluate readiness for potential adoption of a prior authorization
attachments standard.
B. Overview of Final Requirements
Nearly every health plan has various requirements for health care
providers to submit additional information beyond that contained in a
HIPAA transaction. A health care provider may transmit this additional
information in a ``solicited'' or an ``unsolicited'' fashion. In
solicited transmissions, a health care provider transmits additional
information pursuant to a health plan's specific electronic request (87
FR 78444). Conversely, in unsolicited transmissions there are no
specific electronic requests. Rather, they typically occur pursuant to
pre-established health plan requirements for health care providers to
transmit additional information--to support, for example, certain
diagnoses, items, services, or medications--that are set forth in
trading partner agreements or other guidance (87 FR 78444).
Although health care providers may transmit this additional
information electronically via an attachment to a health care claims
transaction, today and historically health care providers have
frequently transmitted the information via burdensome manual processes
that often involve paper mail, fax, and phone because there have been
no previously adopted HIPAA standards for health care claims
attachments.
We are adopting standards for health care claims attachment
transactions in this final rule. In doing so, we first define the term
``attachment information.''
C. Definitions of Attachment Information and Health Care Claims
Attachments Transaction
In adopting an attachment transaction standard, we determined we
needed to define ``attachment information'' and ``health care claims
attachments transaction.'' We proposed to separately define the two
terms to prevent the definition of health care claims attachments
transaction from becoming too unwieldy and further clarify this in our
responses to comments later in this section.
1. Definition of Attachment Information
We proposed to define attachment information in Sec. 162.103 as
documentation that enables the health plan to make a decision about
health care that is not included in either of the following:
A health care claims or equivalent encounter information
transaction, as described in Sec. 162.1101.
A referral certification and authorization transaction, as
described in Sec. 162.1301(a) and the portion of Sec. 162.1301(c)
that pertains to authorization.
We used the term ``attachment information'' in our proposed
definition of the health care claims attachments transaction in Sec.
162.2001 to specify the information transmitted by a health care
provider or requested by a health plan. The proposed rule discussed how
the NCVHS recommended defining attachments as ``any supplemental
documentation needed about a patient(s) to support a specific health
care-related event (such as a claim, prior authorization, or referral)
using a standardized format'' (87 FR 78444 and 78445, emphasis in
original).\23\ We incorporated key aspects of their recommendation into
our proposed definition of ``attachment information,'' while attempting
to ensure that the definition was broad and general enough to include
all possible patient-related information that could be generated with
respect to health care services. The full discussion of the proposed
definition of ``attachment information,'' to which we refer readers,
further details the NCVHS's recommendations for the definition to
include reference to ``documentation,'' ``supplemental,'' and
``needed'' (87 FR 78445).
---------------------------------------------------------------------------
\23\ National Committee on Vital and Health Statistics. (2016,
July 5). Recommendations for the Electronic Health Care Attachment
Standard. Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf.
---------------------------------------------------------------------------
We solicited public comments on the proposed definition of
``attachment information'' and received feedback from interested
parties, which we considered in developing this final rule.
Comment: Multiple commenters expressed support for the proposed
definition of attachment information. Some commenters indicated that
the definition proposed for attachment information sufficiently
captures what is necessary for solicited and
[[Page 14359]]
unsolicited exchange of supplementary medical information.
Response: We appreciate commenters' support of our proposed
definition of ``attachment information.''
Comment: A commenter agreed that the proposed definition of
``attachment information'' needs to be broad and general enough to
include all possible patient-related information that could be
generated with respect to health care services. The commenter
acknowledged that HHS explicitly defined the documentation as
supplemental, meaning it is documentation ``that is not included'' in a
health care claims or prior authorization transaction, which the
commenter believed means that the health care attachment standards are
dependent upon and linked to the accuracy and completeness of these
other HIPAA transaction standards. The commenter also noted that
effective adoption of the health care attachments standards is
impossible without effective adoption of the other standards, and
requested that HHS actively support and verify the effective use of
those HIPAA transaction standards, and these health care attachment
standards once finalized, as HHS did during the health care industry's
transition from International Classification of Diseases (ICD), Ninth
Revision (ICD-9) to ICD, Tenth Revision (ICD-10).
Response: We appreciate the commenter's observations supporting a
broad and general definition of ``attachment information,'' and agree
that the definition must be sufficiently inclusive to encompass the
full range of patient-related documentation a health plan may require
in support of a health care claim or equivalent encounter transaction.
We likewise agree with commenters that the finalized definition
should appropriately exclude documentation already required or
contained within other adopted HIPAA transaction standards and clarify
that this exclusion is deliberate and consistent with the principles of
administrative simplification and the goal of reducing duplicative
documentation burdens.
As noted in the HIPAA Standards for Health Care Attachments
proposed rule, we initially proposed a definition of ``attachment
information'' that would have applied with respect to both claims and
prior authorization transactions. For the reasons articulated in
section III.A. of this final rule, we are not finalizing adoption of a
prior authorization attachment transaction standard, so the finalized
definition of ``attachment information'' applies only in the context of
health care claims or equivalent encounter information transactions.
This narrowed scope is reflected in the revised definition we are
finalizing in Sec. 162.103, which specifies that ``attachment
information'' is documentation that enables a health plan to make a
decision about health care that is not included in a health care claims
or equivalent encounter information transaction, as described in Sec.
162.1101.
Comment: Several commenters suggested changes to the proposed
definition of ``attachment information'' or associated requirements on
health plans. A commenter recommended that the definition be revised to
state that attachment information should ``enable providers to make
decisions about what healthcare content the payer requires in the
healthcare attachment.'' Another commenter suggested that HHS dictate
that payers, after receipt of an initial attachment, not be able to
serially add documentation requirements.
A different commenter was concerned that too broad a definition
could allow payers to require supplemental documentation for routine
care such as vaccines, well child visits, or routine prescriptions,
which could potentially increase financial burden on small and
independent pediatricians who provide safety net care to rural or low-
income or both populations. That commenter recommended that HHS
consider adopting the NCVHS's definition of ``attachment information''
as it only included supplemental information without which a claim
could not be properly adjudicated.
Response: We appreciate the commenters' concerns but do not believe
it is appropriate or necessary to modify the definition of ``attachment
information'' to account for such concerns as our proposal was intended
to identify the type of documentation exchanged. Ultimately, payers'
business and payment-decision rules fall outside the scope of HIPAA. In
other words, though we appreciate that health care providers may
experience added burden should health plans request additional
documentation following an initial submission, HIPAA transaction
standards govern the format and content of the electronic exchange, not
payers' business practices or the quantum of documentation they may
require. Therefore, we are finalizing a slightly modified definition of
``attachment information,'' revised only to account for the fact that
we are not adopting prior authorization attachments standards.
We also continue to believe that it is crucial that the definition
of ``attachment information'' in HHS's administrative simplification
implementing regulations be broad and general enough to apply to all
situations where a health plan requires attachment information to
support a health care claims or equivalent encounter information
transaction. In this final rule, we are adopting a definition of
``attachment information'' that incorporates key aspects of the NCVHS's
definition. Though our definition of ``attachment information'' does
not include the NCVHS-recommended term ``supplemental,'' it
incorporates that concept as it specifies documentation ``that is not
included'' in a health care claims or equivalent encounter information
transaction, as described in Sec. 162.1101, to express that the
documentation would be supplemental.
In our finalized definition, we chose not to limit the definition
strictly to documentation without which a claim ``could not be
adjudicated,'' as suggested by the commenter, because such a narrow
framing may not accommodate the diversity of documentation that
different health plans may reasonably require based on their benefit
structures, medical necessity criteria, or regulatory obligations. For
example, certain documentation may not by itself determine a claim's
payability but may still be necessary under specific plan policies or
for administrative or compliance purposes.
The commenter was concerned that a broad definition of ``attachment
information,'' such as the definition being finalized in this rule,
could prompt health plans to require documentation for routine
services, which could administratively or financially burden small
health care providers, especially those serving rural or underserved
populations. However, we note that nothing prohibits a health plan from
requiring such documentation today under the manual processes currently
in widespread use (which are more labor and resource intensive than an
electronic transaction). Therefore, we do not agree that finalizing
this definition of ``attachment information'' or the adoption of a
standard for health care claims attachments in and of themselves would
cause health plans to make broad requests for documentation. We also
believe the definition we are finalizing appropriately balances
flexibility with restraint by tying the use of attachment information
directly to a standard claims or equivalent encounter transaction and
explicitly excluding any information already required by the
transaction standard itself, which would ensure that attachment
information is supplemental in nature and transaction-
[[Page 14360]]
specific while also providing sufficient adaptability across diverse
payer-provider contexts.
Comment: Multiple commenters stated that there was a critical need
to improve the clarity of the proposed definition of ``attachment
information'' as they believed the scope of the proposed definition
could be expansively interpreted as applying to all use cases,
permitting a ``kitchen sink'' approach to the eligible activities to
which the mandated standards would apply, rather than the definition of
``attachment information'' being tied to ``a specific transaction''
such as the claims transactions. The commenters further stated that the
proposed definition potentially would include any information exchange
between a health care provider and other information source (for
example, a clinical laboratory or immunization registry) and a health
plan.
Response: We reiterate that we believe the definition of the term
``attachment information'' is adequately narrow. In the proposed, and
finalized, definition of the health care claims attachments transaction
in Sec. 162.2001, ``attachment information'' refers to information
transmitted by a health care provider or requested by a health plan
that is necessary to make a decision about a health care claim and that
is not included in the standard health care claims or equivalent
encounter transaction, as described in Sec. 162.1101. Though the
definition must be sufficiently broad to encompass the various
documentation that a health plan may require ``to make a decision about
health care,'' it also must be clearly tied to the health care claim or
equivalent encounter transaction. The finalized definition does not
apply to all information exchanges between health care providers and
other entities nor does it permit a ``kitchen sink'' approach to its
application. It also would not authorize any action beyond those
already permitted under health plan policies.
Therefore, we continue to believe the finalized definition of
``attachment information'' in Sec. 162.103 appropriately balances
clarity and flexibility, ensuring that it is broad enough to be
functional in practice while remaining anchored to a defined
transaction use case.
Comment: A commenter stated that they interpreted the language in
the proposed definition of ``attachment information'' as not being
inclusive of information needed for fraud, waste, and abuse purposes.
The commenter recommended that HHS include a reference to fraud, waste,
and abuse in the definition of ``needed'' in the proposed definition of
``attachment information.'' The commenter also pointed to HHS's
language in the Executive Summary, part A, that the purpose of [the
proposed] rule is to ``determine the necessity of a health care service
as part of making a coverage decision'' and stated that fraud, waste,
and abuse must be considered when a service is deemed medically
unnecessary in order to maintain CMS program integrity.
Response: The definition of ``attachment information'' adopted in
this final rule is intended to ensure that health plans have the
documentation necessary to support proper claims processing and payment
determinations. While this information may inform a payment
determination, the determination itself may also depend on additional
factors such as plan policies or clinical review requirements.
Accordingly, certain documentation may be necessary for evaluating
coverage without being solely determinative of claim adjudication. This
approach would also allow health plans to use attachment information
for administrative purposes, including fraud, waste, and abuse
detection and prevention, without requiring a separate explicit
reference to these activities in the definition.
2. Definition of the Health Care Claims Attachments Transaction
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to add a new Subpart T to 45 CFR part 162--Health Care
Attachments (87 FR 78446). In Subpart T, in Sec. 162.2001, we proposed
to define the ``health care attachments transaction'' for health care
claims transactions and prior authorization transactions. Specifically,
we proposed that any of the following different types of transmissions
would constitute a ``health care attachments transaction'': (1) the
transmission of attachment information from a health care provider to a
health plan in support of a referral certification and authorization
transaction or in support of a health care claims or equivalent
encounter transaction; and (2) a request from a health plan to a health
care provider for attachment information. For each type of
transmission, we specified the entity type from which the transaction
is being transmitted and to which it is being sent, the information
being transmitted, and the purpose of the transmission. We noted that
the overarching purpose for each type of transmission--to enable a
health plan to make a decision about health care--is incorporated into
the definition of ``attachment information.'' We further specified the
purpose for the two transmission types in Sec. 162.2001(a), as
discussed later in this section.
Because we are adopting only an attachment standard for health care
claims, as that term is used in this rule to include health care claims
or equivalent encounter information transactions, and not a standard
that includes the prior authorization transaction, in Sec. 162.2001 we
rename what we had called the ``health care attachments transaction''
to the ``health care claims attachments transaction.'' \24\ The
finalized definition has been revised from what we had proposed to
remove language specific to prior authorization (that had read in part,
``in support of a referral certification and authorization
transaction'') and reformat the outline structure to account for that,
so that it applies exclusively to claims attachments. Aside from that,
the definition remains the same as we had proposed.
---------------------------------------------------------------------------
\24\ As we observe at n.4, while this also includes ``equivalent
encounter information'' transactions (Sec. 161.1101(b)),
attachments more likely would be requested for health care claims
(Sec. 161.1101(a)) involving payment as opposed to the
``transmission of encounter information for the purpose of reporting
health care.''
---------------------------------------------------------------------------
In the HIPAA Standards for Health Care Attachments proposed rule,
to align with the proposed rule's scope which addressed health care
attachments for health care claims or equivalent encounter information
and prior authorization transactions, we also proposed to make a
conforming change to the definition of ``transaction'' in Sec.
160.103. We proposed to replace ``(10) Health claims attachments'' with
``(10) Health care attachments'' (87 FR 78446). Because we are not
adopting the prior authorization attachments standards, we are not
finalizing this proposed change. But, to align with the focus on health
care attachments for health care claims or other equivalent encounter
information transactions, we retain the word ``care'' from our proposal
and are finalizing the definition of ``transaction'' with modification,
so it reads ``Health care claims attachments.''
Comment: The majority of commenters who provided feedback on our
proposed definition of the health care attachments transactions opposed
the proposal. A commenter stated that because the proposed definition
refers to attachments for both claims and prior authorization
transactions and not just claims, it arbitrarily collapsed the two use
cases into one definition, to which the commenter objected. The
commenter indicated that using attachments for prior authorization
transactions diverges from the statutory
[[Page 14361]]
construct, which could result in confusion and difficulty unraveling
them down the road.
Another commenter recommended that the proposed health care
attachments transaction definition include only attachment information
created and maintained by a health care provider and explained that the
proposed definition was too broad and could lead to the capture of all
possible patient-related health services information. The commenter
stated that such a broad definition might inadvertently cause
disruption to claim adjudication processes and place a greater burden
on health care providers, believing that it would not limit attachment
information to only what was needed for a plan to make decisions about
care. Instead, a health plan might demand all possible patient-related
information that could be generated with respect to health care
services before deciding whether or not to cover an item or service or
when conducting a post-payment audit. The commenter also stated that
health care entities, such as laboratories, do not create or routinely
maintain all possible patient-related information that could be
generated with respect to health care services; do not routinely
receive electronic attachment information from clinicians; and cannot
transmit this information to health plans when requested to support
claims processing. The proposed definition, the commenter claimed,
could cause laboratories to receive innumerable requests from health
plans for electronic attachment information that they did not create
and do not maintain.
Response: As discussed in section III.A. of this final rule,
numerous commenters opposed our proposal to adopt a health care
attachment standard to include prior authorization as a use case and
opposed the adoption of a standard for prior authorization attachments
transactions, and, after further consideration, we are not finalizing
adoption of a standard for prior authorization attachments
transactions. We further note that the health care claims attachment
definitions and standards we are adopting in this rule do not include
references, or otherwise extend, to prior authorization attachment
transactions.
Our proposed definition of the ``health care attachments
transactions'' was intended to encompass the different types of
transmissions such a transaction would encompass. For each type of
transmission, we specified the entity type from which the transaction
would be transmitted and to which it would be sent, the type of
information being transmitted, and the purpose for the transaction. We
also noted in the HIPAA Standards for Health Care Attachments proposed
rule that the overarching purpose for the two types of transmissions
was to enable a health plan to make a decision about health care in
support of the health care transaction and that specification of the
information transmitted by a health care provider or requested by a
health plan in support of the transaction was incorporated into the
definition of attachment information (87 FR 78446).
We emphasize that HIPAA transaction standards govern the format and
conduct of electronic transactions; determinations about the amount or
type of documentation that a health plan may request in support of
adjudication remain subject to health plan business rules and other
governing law. The term ``attachment information,'' as defined in our
finalized definition at Sec. 162.103, is limited to documentation not
included in a standard claims transaction that enables a health plan to
make a decision about health care. These limitations ensure that the
standard does not encompass all conceivable patient-related
information.
We also clarify that this rule does not create new requirements for
entities that do not originate or maintain the documentation at issue.
The standard applies only to the exchange of documentation that a
health care provider or other covered entity already maintains and
transmits as part of a claims adjudication process.
Final Action: After considering the public comments, and for the
reasons discussed previously, in Sec. 162.103, we are finalizing, with
modification, the definition of ``attachment information'' as:
documentation that enables the health plan to make a decision about
health care that is not included in a health care claims or equivalent
encounter information transaction, as described in Sec. 162.1101.
We are also finalizing the addition of a new Subpart T to 45 CFR
part 162--Health Care Claims Attachments. In Subpart T, in Sec.
162.2001, we are finalizing the definition of the ``health care claims
attachments transaction'' as the transmission of either of the
following:
Attachment information from a health care provider to a
health plan in support of a health care claim or equivalent encounter
information transaction, as described in Sec. 162.1101.
A request from a health plan to a health care provider for
attachment information.
Last, because we are not adopting an attachments standard for prior
authorization transactions in this final rule, as discussed in section
III.A. of this final rule, we are finalizing, with modification, the
proposed definition of ``transaction'' in Sec. 160.103 by amending
paragraph (10) to add the word ``care,'' (Health care claims
attachments).''
D. Attachments Transaction Standards
In the HIPAA Standards for Health Care Attachments proposed rule
(87 FR 78445 through 78451), we proposed to adopt certain industry
consensus standards that, when used together, provide the functionality
necessary for the transmission of electronic health care attachment
information.\25\ The standards being adopted in this final rule are for
requesting and transmitting attachment information. In this section, we
describe the new requirements for covered entities to use: (1) certain
X12N standards for requesting and transmitting attachment information
and HL7 standards for clinical information content; and (2) electronic
signatures standards. We also describe how the HL7 Attachments IG
utilizes the LOINC code set to identify attachment information in a
consistent manner.
---------------------------------------------------------------------------
\25\ For additional information about the business and
operational processes involved in the exchange of these standards,
we refer readers to the aforementioned November 2017 WEDI whitepaper
and the HL7 CDA[supreg] R2 Attachment Implementation Guide: Exchange
of C-CDA Based Documents, Release 1 (Universal Realm) for more
technical information. Both are available at: https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/.
---------------------------------------------------------------------------
1. Electronic Health Care Claims (or Equivalent Encounter Information)
Attachments Transactions
Health plans often require health care providers to submit
additional information in association with the claims payment process.
Additional information is frequently in a format, such as medical
imaging or free text, not supported by the discretely defined health
care claims transaction standard data fields. Claims payment is a
multi-step process that may include pre-payment review, payment
adjudication, and post-payment activities such as audits or recoupment
reviews. The claims attachment transaction standards adopted in this
final rule apply to the transmission of solicited and unsolicited
attachments used in support of these stages of the claims payment
process, including post-payment review activities related to claim
adjudication. These standards do not apply to attachments exchanged as
part of a separate claims appeal or dispute resolution process. Appeals
and related
[[Page 14362]]
transactions are outside the scope of this rule and would require
separate standards to be adopted through future rulemaking.
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to adopt standards for requesting and transmitting
attachment information, and to define attachment information in Sec.
162.103, as documentation that enables the health plan to make a
decision about health care that is not included in a health care claim
or equivalent encounter information transaction, as described in Sec.
162.1101. We also proposed to adopt X12N standards with respect to the
transmission of attachment information and HL7 standards with respect
to the clinical content of attachments. Specifically, as detailed in
the sections that follow, we proposed to adopt three X12N TR3
implementation specifications for health care claims attachments (87 FR
78445) and three HL7 IGs for the clinical information embedded in those
transactions (87 FR 78445).
a. Scope of Health Care Claims Attachments Transactions
Section 1173(a) of the Act requires the Secretary to adopt
standards for ``health claims attachments,'' and section 1104(c)(3) of
the Affordable Care Act reiterated that requirement, directing the
Secretary to promulgate a final rule to adopt a transaction standard
and a single set of associated operating rules. In the proposed rule,
we stated that the proposed attachments standards would satisfy the
requirement to adopt a standard to support health care claims but would
also support prior authorization transactions (87 FR 78445). Because,
as we have already explained, in this final rule we are finalizing only
a definition for ``health care claims attachments,'' we use that term
to refer to attachments for health care claims or equivalent encounter
information transactions rather than the proposed rule's broader
``health care attachments'' phrase that was intended to include both
the claims and prior authorization transaction standards.
We did not propose to adopt attachments standards for all health
care transaction business needs. Rather, we stated that not only would
it be challenging to identify standard specifications and appropriate
codes for the full array of different health care attachment types used
today, but also that it was important that covered entities gain
experience with a limited number of standard electronic attachment
types so that technical and business issues could be identified to
inform potential future rulemaking for other electronic attachments
standards (87 FR 78446).
We requested comments on alternative standards and approaches that
could address the challenges described in section I.A. We summarize and
respond to public comments submitted in response to this request in the
next section.
2. Adoption of Electronic Health Care Claims Attachments Transaction
Standards
In the proposed rule, we highlighted the NCVHS's July 5, 2016
recommendations to the Secretary on attachments standards, which are
the same standards we proposed to adopt (87 FR 78446 and 78447). We
title this section to only refer to the health care claims attachments
standards that we are adopting in this final rule and emphasize that
prior authorization attachments standards are not adopted in this final
rule. But, because our proposal had been broader by including prior
authorization attachments standards and thus generated comment on the
broader proposal, our comment summaries and responses do include some
discussion of the full scope of what had been proposed.
As mentioned in the proposed rule, and discussed again in section
II.D.3. of this final rule, section 1104(c)(3) of the Affordable Care
Act requires that the adopted attachments standard be ``consistent with
the X12N Version 5010 transaction standards'' (87 FR 78440), which we
interpret as requiring that the health care claims attachment
implementation specifications we adopt should generally be compatible
with X12N standards. Thus, any standard we adopt for health care claims
attachments should be electronically transmitted by an X12N transaction
standard in the same transaction.
While the NCVHS did not recommend specific versions of the X12N
attachments standards, we proposed to adopt X12N Version 6020 for both
the X12N 277--Health Care Claim Request for Additional Information
(006020X313) and the X12N 278--Health Care Services Request for Review
and Response Version (006020X315) as the standards a health plan must
use to electronically request attachment information from a health care
provider to support a prior authorization transaction. We proposed to
adopt Version 6020 of the standards because they better harmonize with
the X12N 275--Additional Information to Support a Health Care Claim or
Encounter (006020X314) and the X12N 275--Additional Information to
Support a Health Care Services Review (006020X316) (87 FR 78447), and
we refer readers to the proposed rule for the full discussion of the
use of these standards and their compatibility (87 FR 78446).
Comment: Multiple commenters supported the proposed attachment
standards, noting the approach would enable continuous advancements in
standards-based attachment content. Commenters underscored the
importance that uniform standard requirements would have on furthering
industry adoption of automated claims processes, which would help
reduce the current manually intensive administrative burden, and,
therefore, reduce costs. Similarly, one commenter stated that adopting
unified standards would eliminate the need for proprietary data
programs, reduce handling and processing time, eliminate the risk of
lost paper documents, and, thereby, reduce administrative burden and
lower costs.
Another commenter supported HHS's proposals to apply attachment
standards for health care claims and prior authorization transactions.
The commenter noted that while some in the industry are concerned with
the lack of alignment in prior authorization standards (X12 versus
FHIR), they agreed with HHS's proposed approach since the absence of an
electronic attachments standard had contributed to low industry
adoption rates for electronic prior authorization (ePA) transactions.
A commenter noted that, currently, health plans have requirements
for submitting supporting documentation that health care providers must
follow and that health plans may request further information from a
health care provider to make an authorization decision. The commenter
noted that health care providers must submit this information via
burdensome manual processes through mail, fax, or a portal, with each
health plan having different requirements. The commenter further noted
that every player has a different portal to submit attachments, and
managing the many access usernames and passwords is also burdensome.
Therefore, the commenter stated that a standard attachment process, via
a standardized electronic format, would greatly improve the process.
Another commenter noted that payers and providers would benefit
from having a unified submission method for documents needed for prior
authorization, claims, quality, audit, and other use cases. Another
commenter stated that adopting the X12 standards
[[Page 14363]]
and C-CDA standards would improve patient outcomes.
Response: We thank commenters for the feedback on and support of
our proposals. After careful consideration, we are adopting standards
for health care claims attachments transactions to help combat the
burdensome manual processes health care providers face today when
transmitting supporting documentation required by health plans in
association with the claims payment process. We agree with commenters
that adopting standards for health care claims attachments will yield
numerous benefits, including reducing administrative burden and costs,
removing the need for proprietary data programs, cutting lengthy
processing times, and eliminating the risk of lost paper documents.
However, for the reasons extensively discussed in section III.A. of
this final rule and as noted repeatedly elsewhere, we are limiting the
scope of this rulemaking solely to the adoption of standards for health
care claims attachments transactions.
Comment: Multiple commenters noted that the technology and
regulatory spaces have significantly evolved over the years, with some
expressing concern that HHS's proposals demonstrated ``2016-based
thinking'' by proposing the use of X12N standards, which they stated
would make the evolution of requesting and responding to supplemental
data needs harder and more burdensome. One of these commenters noted
that, while they support a national attachments standard for claims and
prior authorizations, more flexible technologies are available that
would reduce complexity. A commenter requested that HHS consider
updating the required attachment standards as new methods are
introduced and real-world tested. Another commenter stated that HHS
proposed outdated standards, and that HHS should not require adherence
to standards that would move the industry backward. Further, a
commenter expressed concern about how the proposed standard
requirements would fit into the business process for most health care
provider organizations and expressed that even though discussion
included in the proposed rule was about physically capturing data
elements and the transport mechanisms, a more holistic approach would
be required to bring the technical capabilities into a product suite to
work for the end user. Another commenter expressed that by focusing on
a document-based, as opposed to a data-driven, approach, HHS was
proceeding down a standards pathway that would make the attachment
standards incongruent with the standards mandated in other proposed and
final rules, such as the CMS Interoperability and Prior Authorization
proposed rule (87 FR 76238). Multiple commenters expressed concern
regarding the proposal to adopt standards for prior authorization
attachments transactions and recommended that HHS bifurcate the claims
attachments and prior authorization attachments standards proposals to
finalize only the proposed claims attachments standard. A commenter
noted that section 1173(a)(1)(A) of the Act specifically calls for the
establishment of a claims attachment standard, but contains no
provision requiring prior authorization attachments.
Response: We thank commenters for their feedback on the proposed
attachment standards and their observations about broader health IT and
standards development trends. We acknowledge that industry technologies
and regulatory requirements have evolved significantly since 2016 and
agree that any adopted standard must balance progress with stability.
Newer technologies may offer long-term potential to reduce complexity
and improve flexibility in transmitting supplemental clinical
information, and we will continue to consider their technical viability
and operational maturity across a broad segment of the industry. The
X12N standards for health care claims attachments that we finalize here
have been used for many years in related HIPAA transactions, are
supported by widely adopted infrastructure, and offer a known path for
implementation and compliance. Standardizing attachments through X12N
Version 6020 allows for the exchange of clinical content in a format
that aligns with other existing administrative transactions, increases
health care provider and health plan efficiency and reduces the need
for burdensome manual submission processes.
While the 2016 NCVHS recommendation mentioned earlier noted the
value of a broader attachments strategy that could extend beyond claims
to include prior authorization, referrals, and other use cases, and
although we had originally proposed a broader strategy to include other
use cases, this final rule focuses specifically on claims attachments.
This narrower scope is consistent with section 1173(a)(1)(A) of the
Act, which requires the Secretary to adopt a health claims attachments
transactions standard.
With respect to interoperability, we have taken the CMS
Interoperability and Prior Authorization final rule (89 FR 8758) into
consideration, and note that adopting a consistent, national claims
attachment standard supports broader goals of administrative
simplification and compatibility across systems.
Comment: A commenter stated that the proposed rule's reference to
the limited uptake of the current referral certification and
authorization transaction standard being due to not having established
standards for attachments (87 FR 78446) may be a result of an onerous
process for certification and authorization. The commenter stated that
if limited uptake of the referral certification and authorization
transactions is a standards issue, it is imperative that the new
attachments standard be simple and practical in order to improve
compliance rates.
Response: We thank the commenter for this input. We acknowledge
that the limited uptake of the current referral certification and
authorization transaction standard (X12N 278 Version 5010), which
supports prior authorization, has been documented in multiple reports,
but that is separate from the adoption of standards for health care
claims attachments, which we are finalizing in this rule. We agree that
any future attachment standards, particularly for prior authorization,
must be practical and simple to implement in order to improve adoption
rates. Past experiences with low utilization of the referral
certification and authorization transaction, as mentioned in the 2016
NCVHS Hearing on attachments, demonstrate that overly complex standards
or processes can pose barriers to adoption, even when standards are
available. For this reason, simplicity in aligning with existing
industry workflows, and coordination with SSOs and interested parties,
are central considerations in our policy development as we continue to
evaluate prior authorization attachments options.
Comment: Multiple commenters, citing numerous rationales,
encouraged HHS to consider implementing the FHIR standard, including
the HL7[supreg] FHIR[supreg] Da Vinci Clinical Data Exchange (CDex) IG,
for prior authorization attachments transactions. At the larger policy
level, commenters described FHIR as an alternative standard aligned
with federal and industry interoperability objectives, consistent with
administrative simplification principles, and synergistic with
certified EHR capabilities. At the practical level, commenters cited
FHIR's flexibility and the efficiency of FHIR questionnaires, its
ability to support end-to-end prior authorization and provide automated
and real time solutions, and its being a
[[Page 14364]]
more modern technology. Multiple commenters expressed concern regarding
HL7 C-CDA unstructured document media types not supporting FHIR bundles
(for example, application/json+fhir). Commenters also noted that use of
the FHIR standard would allow systems to adopt FHIR specifications to
enable greater advancements within the health care industry.
Multiple commenters expressed concern over HHS proposing two rules
that included proposals on prior authorization: (1) the HHS HIPAA
Standards for Health Care Attachments proposed rule (87 FR 78438); and
(2) the CMS Interoperability and Prior Authorization proposed rule (87
FR 76238). Commenters noted that across these two rules, HHS and CMS
proposed the use of two different standards, X12N and FHIR, for prior
authorization transactions, which would require implementation of both
standards and be confusing and cumbersome. A commenter expressed that
doing so would be counterproductive to the goals of administrative
simplification. Another commenter noted that adopting both X12N and
FHIR standards would create confusion for providers, insurers, and
vendors that could lead to delays in prior authorization processing and
approvals, increased costs, and would likely result in providers using
solely the X12N standard despite incentives to use the FHIR standard.
Multiple commenters expressed support for the use of FHIR, citing a
desire for alignment with the CMS Interoperability and Prior
Authorization proposed rule. A commenter requested that HHS review the
standards proposed in the CMS Interoperability and Prior Authorization
proposed rule and allow providers to utilize both FHIR and X12
standards to meet the requirements in both rules, while another
suggested we be thoughtful in considering how HHS's proposal aligns
with CMS's proposal so as to avoid providers' duplication of efforts.
A commenter also recommended that HHS allow data-element driven
data sharing via FHIR APIs, which would enable flexibility for targeted
requests. Despite a stated preference for health care providers to
adopt the FHIR standard and connect to APIs once finalized, a commenter
recognized there would be providers that lack the means to finance
their vendors' FHIR updates. They therefore proposed the adoption of a
safe harbor for providers that would allow for the use of Version 5010
of the X12N 278 standard for prior authorization transactions and the
X12N 275 standard for claims transactions.
Response: We appreciate these comments and thank commenters for
sharing these important considerations. In its most recent letter to
the Secretary (March 30, 2022), the NCVHS recommended that HHS move
forward with publishing a claims attachments rule to address
longstanding industry needs, while also continuing to monitor and
consider emerging standards.\26\ As discussed extensively in section
III.A. of this final rule and as reiterated elsewhere, we are not in
this final rule adopting attachment standards for prior authorization
transactions. We note that the NCVHS's March 30, 2022, letter also
recommended that CMS publish the CMS Interoperability and Prior
Authorization proposed rule, which included proposals for FHIR-based
APIs to support prior authorization workflows. This underscores both
the ongoing demand for a claims attachments standard today and the
importance of continuing to evaluate newer technologies for prior
authorization and other use cases. We therefore finalize a claims
attachments standard in this rule while leaving open the opportunity to
adopt alternative standards applicable to prior authorization in other
rulemaking.
---------------------------------------------------------------------------
\26\ National Committee on Vital and Health Statistics. (2022
March 30). Recommendations to Modernize Aspects of HIPAA and Other
HIT Standards to Improve Patient Care and Achieve Burden Reduction.
Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf.
---------------------------------------------------------------------------
Comment: A commenter noted that while they expect claims
transactions to remain X12-based, the industry and technology have
evolved significantly and are moving toward FHIR standards. Another
commenter underscored the need for claims attachments standardization
but noted industry concern with the specific technology proposed for
the prior authorization attachments standard. The commenter stated that
HIPAA regulations view the claims and prior authorization attachment
standards separately, and that the claims process occurs after care has
been delivered, as opposed to the prior authorization process which
occurs in advance of care. Given the different workflows and points at
which these two processes occur, the commenter stated the need for the
processes to mirror one another or be adopted in tandem is diminished.
A commenter stated that the proposed standards are an interim step to
move health care providers and payers to electronic data submission.
However, the commenter noted that to further advance ePA processes and
reduce administrative burden, it is critical to align prior
authorization attachments standards across all components of the ePA
process, which includes the transmission of clinical information via
health care attachments.
Response: We thank commenters for their perspectives on the need
for attachment standards in both the health care claims and prior
authorization contexts and agree that claims and prior authorization
serve distinct business functions and operate under different
workflows, with prior authorization typically occurring before items or
services have been rendered and claims typically occurring afterwards.
In this final rule, as repeatedly noted, we have elected to adopt
standards only for health care claims attachments. That focused
approach accommodates the requirement at section 1173(a)(2)(B) of the
Act that the Secretary adopt standards for the health claims attachment
transaction and public feedback recommending that we not simultaneously
finalize claims and prior authorization attachments standards in the
same final rule. Finalizing only claims attachments standards now
allows the industry to begin realizing the benefits of increased
automation that reduces administrative burden, while providing
additional time to align on prior authorization attachment standards in
future rulemaking. We acknowledge the growing interest in APIs, such as
FHIR based approaches, particularly for prior authorization
transactions, and that FHIR for API-driven data exchange has already
been adopted in other regulatory contexts, such as the CMS
Interoperability and Prior Authorization final rule (89 FR 8758).
Finally, we emphasize that the decision not to adopt a standard for
prior authorization attachments in this final rule should not be
interpreted as abandoning the goal of reducing burden in that area. To
the contrary, we recognize that prior authorization remains a major
challenge across the health care system, and our action here is
intended to allow targeted progress on claims attachments while
maintaining flexibility to support emerging standards for prior
authorization attachments through separate HHS-led policymaking efforts
coordinated with interested parties, including health plans, health
care providers, and industry. We encourage the participants in the
standards development community to continue to explore how emerging
paradigms for information exchange can be extended to address HIPAA
transactions, and we welcome
[[Page 14365]]
further dialogue with interested parties about promising approaches.
Comment: A commenter highlighted the significant burden on health
plans to ensure their systems can support the standards for health care
claims and prior authorization attachments transactions for structured
and unstructured documents. The commenter stated that by adopting an
approach in the final rule whereby a health plan would be compliant by
implementing the use of either, but not necessarily both, structured or
unstructured claims and prior authorization documents by the compliance
date, HHS could ease health plans' burden as they work to ensure their
systems can accommodate structured and unstructured documents for
claims and prior authorization attachments transactions. The commenter
also noted that HHS could, under such an approach, require that health
plans implement the other document type (whether structured or
unstructured) within 1 year of the compliance date.
Response: Consistent with section 1104(c)(3) of the Affordable Care
Act, we are finalizing a compliance date of 24 months after the
effective date of this final rule by which all covered entities must
comply. We believe that the fact that we are not finalizing adoption of
a prior authorization attachments transaction standard ought to
diminish the commenter's burden concerns. HIPAA covered entities will
have to support structured and unstructured document types, but we
understand the health care industry is moving in that direction and
should be able to fully accommodate the requirement within this final
rule's compliance timeframe. We encourage all HIPAA covered entities to
begin testing their systems early to ensure smooth implementation.
Comment: A commenter noted that current HIPAA regulations do not
require health plans to send X12N 277 (Health Care Claim Acknowledgment
or Claim Status Response) transactions as a response to an X12N 837
(health care claim) or X12N 278 (standard for prior authorization)
transaction. The commenter requested that HHS confirm whether any
requirements finalized by this rulemaking would result in a health plan
being required to respond to a X12N 837 or X12N 278 transaction with
the X12N 275 (Additional Information to Support a Health Care Claim or
Encounter) standard to inform the provider of whether the attachment
information is needed. The commenter also requested clarification as to
whether a health plan that may require an attachment for a claim or
prior authorization may then deny the corresponding claim or item or
service authorization should a provider fail to provide the attachment,
which would have the effect of requiring the provider to resubmit the
claim or prior authorization request with the appropriate attachment
information.
Response: We appreciate the commenter's feedback and the
opportunity to clarify the requirements for how health plans may
request attachment information, while also reiterating that HIPAA
specifies transaction standards requirements but does not directly
address health plans' business rules. HIPAA regulations do not now (and
this final rule does not alter this) require health plans to use the
X12N 275 transaction to respond to an X12N 837 health care claim or an
X12N 278 prior authorization transaction when requesting additional
documentation. In other words, the X12N 275 standard may be used to
support claim attachments, but HIPAA does not require its use as a
mandatory response transaction.
Similarly, currently, the X12N 277 transaction may be used to
notify a provider that claim attachment information is needed. HIPAA
does not require its use, but health plans may elect to use it to
communicate with health care providers about missing documentation.
Health plans' business rules typically would specify when they may or
may not deny a claim for failure to comply with health plan policies.
While we do not currently require the use of the X12N 275 and X12N 277
transactions in these scenarios, we encourage health plans to adopt
clear and consistent communication practices, including using these
transactions where appropriate, to minimize administrative burden and
avoid unnecessary claim denials.
Comment: Multiple commenters supported the proposed adoption of
Version 6020 for the X12N 275, X12N 278, and X12N 277 standards. A
commenter stated that adopting Version 6020 for these standards would
be critical to attachment transactions functionality because Version
6020 includes two key fields: (1) the health plan assigned claim
control number to aid with claim reassociation; and (2) the field to
capture LOINC for required data elements to identify the specific
attachment information. A commenter expressed their appreciation for
Version 6020 being tested and implemented in real-world settings.
Response: We thank commenters for their feedback and support of
Version 6020 of the standards as a business case in adopting a health
care claims attachments transaction standard.
Comment: Multiple commenters expressed concern about HHS's proposal
to adopt Version 6020 and, instead, recommended that we adopt a newer
version of the X12N attachments standards, such as Version 8020, which
a commenter noted has been published. A commenter supported the
adoption of Version 6020 of the X12N 275 and X12N 277 standards but
recommended that the attachments standards be updated to Version 8020
when possible, while another commenter expressed concern that we would
adopt Version 6020 when X12 may recommend Version 8020 be implemented
prior to, or shortly after, HHS's action. That commenter encouraged us
to ensure that the proposed technical standards are supported,
compliant, and not mandated for replacement for no less than 5 years
after the implementation date.
Multiple commenters recommended that HHS consult with standards
development organizations (SDO) to ensure that the appropriate versions
of the standards are finalized and that versioning is aligned. A
commenter noted that using the versions proposed in the proposed rule
could lead to operational and implementation costs and requested that
HHS collaborate with early adopters of the proposed attachments
standards. A commenter stated that the proposed Version 6020 of the
X12N attachments standards will be problematic for attachment standard
transactions because health care providers currently use Version 5010
of the X12N standard, and Version 8020 is being utilized by X12. The
commenter expressed the belief that HHS's proposal would create a
scenario where the transaction standard floor is lower than the one X12
will potentially recommend, and that is currently used for claims
transaction processing. A commenter noted concern over the alignment
between the proposed standards in the proposed rule and future HIPAA
standards. The commenter encouraged HHS to ensure that future adoption
of X12N standards is compatible with the proposed health care
attachments standards outlined in the proposed rule. Multiple
commenters recommended that HHS wait to adopt attachments transaction
standards until the NCVHS makes a determination about recommending the
next version of X12N standards. A commenter also stated that the NCVHS
is currently evaluating requests from X12 on the adoption of Version
8020 for the X12N 837 and X12N 835 payment/remittance advice standards.
[[Page 14366]]
Response: We appreciate the commenters' recommendations and
concerns regarding the adoption of specific versions of the X12N 275
and X12N 277 standards for health care claims attachments.
Specifically, we understand commenters' concerns regarding the
potential for Version 6020 to become outdated, especially since X12 has
published Version 8020 and the NCVHS may be considering it. However,
the NCVHS has not recommended that any newer version of these standards
be adopted under HIPAA, and under the HIPAA regulatory framework, HHS
is limited to adopting standards that have completed the formal SDO
process and have undergone appropriate evaluation and recommendation,
including through the NCVHS. Therefore, we are finalizing the adoption
of Version 6020 of the X12N 275 and X12N 277 standards, as they are
currently the most recent versions that provide the necessary
functionality to support the exchange of attachments in conjunction
with claims and are currently the viable and legally supportable
standards for the claims attachment transactions.
We agree with commenters that it is important that the attachment
standards and the broader suite of adopted HIPAA standards, such as the
X12N 837 and 835, be aligned. We are committed to ongoing coordination
with SDOs, such as X12, and with the NCVHS to ensure that any future
updates to HIPAA standards, including consideration of Version 8020 or
later, are harmonized across transaction types to reduce implementation
burden and maintain interoperability. We also recognize the importance
of maintaining stability in the adoption of new standards. The HIPAA
statute allows for the periodic update of standards--indeed, as we
discuss in section II.D.3., the HIPAA standards paradigm is premised on
standards evolution over time--but we will strive to maintain
reasonable implementation timelines and take commenters' feedback into
account as we consider future rulemaking and versioning policies.
Finally, as we extensively discuss in section III.A. of this final
rule and reiterate elsewhere, we are not finalizing the proposed
adoption of standards for prior authorization attachments at this time
and, therefore, in this rule, are not adopting an updated version of
the X12N 278 transaction standard.
a. Adoption of X12N Standards for Health Care Claims Attachments
Transactions
(1) Adoption of Standards for Request From a Health Plan to a Health
Care Provider for Attachment Information
(a) X12N 277--Health Care Claim Request for Additional Information
(006020X313)
In the proposed rule, we proposed to adopt the X12N 277--Health
Care Claim Request for Additional Information (006020X313) as the
standard a health plan must use to electronically request attachment
information from a health care provider to support a health care claim
in Sec. 162.2002(e)(1), and also proposed to incorporate the same by
reference in Sec. 162.920 (87 FR 78447). We explained that the X12N
277 standard for claims transactions contains two noteworthy fields:
(1) the health plan assigned claim control number that is assigned by
the health plan to link the attachment request with the original claim,
enabling reassociation when the provider responds via the X12N 275
transaction; and (2) the LOINC code set for HIPAA that is used to
identify the specific type of attachment requested (87 FR 78447).
Comment: Multiple commenters strongly supported HHS's proposed
adoption of the X12N 277 standard for claims attachments, and a
commenter recommended that we finalize this standard as proposed.
Commenters noted that the current claims attachment process is complex
and cumbersome and that adopting consistent electronic claims
attachment standards would reduce administrative burden and associated
costs. A commenter urged HHS to strongly enforce this new standard, if
finalized. Multiple commenters discussed how health plans have
implemented an electronic claims attachment standard outside the HIPAA
context and achieved significant efficiencies in denials, appeals, and
time to payment using clinical documents rather than granular data
elements for claims processing. A commenter noted that this example of
successful real-world implementation and return on investment
strengthens the argument for immediate claims attachments standards
adoption.
Response: We thank these commenters for their support for our
proposals to adopt a health care claims attachment standard.
HHS administers HIPAA Administrative Simplification requirements
related to the format and content of electronic administrative health
care transactions for which we have adopted standards. Consistent with
our approach of responding to complaints of non-compliance and
conducting proactive compliance reviews, should we identify a HIPAA
covered entity that fails to conduct, or fails to properly conduct, an
adopted transaction standard, it may be subject to enforcement action.
As discussed in the final action section, we are finalizing
adoption of the X12N 277 transaction standard in Sec. 162.2002(d). The
regulatory text has been reordered to group related transaction
standards together for clarity and ease of reference; this reordering
does not change the requirements for the use of the standard.
(2) Adoption of Standards for Transmission of Attachment Information
From a Health Care Provider to a Health Plan: X12N 275--Additional
Information To Support a Health Care Claim or Encounter (006020X314)
and X12N 275--Additional Information To Support a Health Care Services
Review (006020X316)
We proposed to adopt, in Sec. 162.2002(d), the X12N 275--
Additional Information to Support a Health Care Claim or Encounter
(006020X314) as the standard a health care provider must use to
electronically transmit attachment information to a health plan to
support a health care claims or equivalent encounter information
transaction. We also proposed to incorporate the same by reference in
Sec. 162.920.
As discussed in the HIPAA Standards for Health Care Attachments
proposed rule, the X12N 275 standard for claims transactions may be
used with respect to both solicited and unsolicited attachment
information (87 FR 78448). We noted in the proposed rule that the X12N
275 standard for claims transactions does not itself contain claims
attachment information (87 FR 78448). Rather, the standard serves as
the electronic envelope for health care claims attachment information
such that the attachment information (which is embedded in an HL7
standard) is transported by the X12N 275. We describe in detail the
specific HL7 standards for embedding attachment information in this
section of the final rule.
Additionally, we proposed to adopt, in Sec. 162.2002(c), the X12N
275--Additional Information to Support a Health Care Services Review
(006020X316) as the standard a health care provider must use to
electronically transmit attachment information for electronic prior
authorization
[[Page 14367]]
transactions. We also proposed to incorporate the same by reference in
Sec. 162.920. We are not adopting that standard in this final rule as
it only pertains to electronic prior authorization transactions. We
clarify that in this final rule, we are only adopting the X12N 275--
Additional Information to Support a Health Care Claim or Encounter
(006020X314) standard for health care claims attachments.
The X12N 277 transaction set is used for claim status inquiries and
responses. When a health care provider submits a claim and the payer
needs additional information to continue the review or processing of
that claim, it may send the provider a request through a X12N 277--
Health Care Claim Request for Additional Information transaction, and
the health care provider may use the X12N 275--Additional Information
to Support a Health Care Claim or Encounter to transmit the requested
information back to the payer. For example, with a surgery for which
there is no HCPCS code, for solicited attachment information, the
health plan would request attachment information using the X12N 277
standard for claims transactions, and the health care provider would
use the X12N 275 standard for claims transactions to respond with the
operative note. In a scenario with unsolicited attachment information,
the health care provider would transmit the X12N 275 standard for
claims transactions to enable the health plan to make a decision about
the claim without additional requests for information.
Comment: Multiple commenters supported the adoption of the X12N 275
standard for health care claims transactions. Commenters stated that
the present lack of attachments standards under HIPAA burdens the
health care industry and noted that evidence from voluntary X12N 275
standard implementations has demonstrated the technical success of the
transactions and cost savings. A commenter stated that, due to the X12N
standards being foundational and widely implemented across health care
providers, health plans, and health IT vendors, they believe it is
appropriate to adopt the X12N 275 standard as the basis for exchange to
support adoption at scale. A commenter recommended that HHS mandate a
version of the X12N 275 standard that is consistent with HIPAA
requirements at publication of the final rule. Another commenter
expressed support for solicited and unsolicited claims attachment
standards and noted that using the X12N 275 standard concurrently with
a claims transaction will promote efficiency and decrease costs for
providers and health plans. A commenter pointed out that Version 6020
of the X12N 275 standard includes the Binary Data Segment (BDS), which
was not part of Version 5010, and is necessary for transmitting
properly encoded clinical data.
Response: We thank the commenters for their feedback and support.
We agree that the absence of adopted HIPAA attachment standards has
contributed to variability and inefficiencies in documentation exchange
processes across the health care industry. We appreciate commenters
highlighting the value of using the X12N 275 standard for health care
claims and encounters, including its technical success in voluntary
implementations, alignment with widely adopted foundational X12N
standards, and capacity to support health care provider, health plan,
and vendor interoperability. We also agree that adopting a consistent
standard for solicited and unsolicited claims attachments can reduce
administrative burden and promote operational efficiency.
We acknowledge the specific support for Version 6020 of the X12N
275 standard and its enhancements over prior versions, including the
BDS that supports the secure and structured transmission of clinical
data in attachment transactions. Accordingly, in this final rule, we
are adopting Version 6020 of the X12N 275 standard for use in the
health care claims attachments transaction, as well as Version 6020 of
the X12N 277 standard. We believe this establishes a clear, standards-
based foundation for exchanging attachments that will enable greater
automation, improve data integrity, and reduce costs across the health
care system.
We appreciate commenters' recognition of the need for consistency
and predictability in the standards adopted under HIPAA and will
continue to engage with parties in the health care industry and SDOs to
ensure that future standards development and updates are responsive to
industry needs and remain aligned with the HIPAA regulatory framework.
Comment: A commenter stated the X12N 275 standard for health care
claims and encounters will not work with unstructured documentation.
Another commenter recommended that HHS permit trading partners to agree
upon other documentation, not covered by the HL7 C-CDA, that would be
allowed to be transported via the X12N 275 standard.
Response: We further evaluated the commenter's assertion that the
X12N 275 standard for claims transactions would not work with
unstructured documentation and determined the assertion is incorrect,
having confirmed that the X12N 275 standard for claims transactions
does support the submission of unstructured documentation. The versions
that we are adopting in this final rule include the BDS, which, in the
HL7 standard, is used to carry attachments, such as documents or
images. Moreover, the C-CDA Release 2.1 supports structured and
unstructured templates. Therefore, we believe that the standards we are
adopting in this final rule are sufficient for broad industry-wide use.
Regarding the comment recommending that we permit trading partners
to agree that documentation not covered by the HL7 C-CDA be allowed to
be transported via the X12N 275 standard for claims transactions, the
types of documentation supported by the HL7 C-CDA broadly cover those
that may be requested for the claims payment process. However, we
encourage covered entities to negotiate the types of documentation
required for implementing the transaction standard during the
development of their trading partner agreements.
Comment: A commenter noted that health IT vendors will have to
engage in new development work should the proposed X12N 275 standard
for claims attachment transactions be finalized as proposed, since such
entities have not previously developed those transaction standards.
Response: As discussed previously, we acknowledge that covered
entities, or their vendors, will incur a number of one-time costs to
implement the new HIPAA transactions. However, over time, we believe
the resultant automation will ultimately benefit the industry by
reducing burden and costs. We account for this implementation burden in
our impact analysis in section VI. of this final rule.
Comment: Multiple commenters expressed that a definition for
baseline structured data is needed to achieve administrative burden
relief. They also emphasized that it is important that the X12N 837
claim and encounter standard be supported by the X12N 275 standard for
claims transactions for additional information at the time of a prior
authorization request, initial claim submission, and for claims in paid
or denied status.
Response: We do not believe that a definition for baseline
structured data is needed because the HL7 C-CDA Release 2.1 broadly
covers structured and unstructured document types that may be
transmitted under the X12N 275 standard for claims attachment
[[Page 14368]]
transactions. We encourage interested parties to engage with SDOs and
industry collaboratives to identify and refine the consensus around
structured data elements. We also encourage covered entities to
negotiate the types of documentation required for implementing the
transaction standard during the development of their trading partner
agreements.
Final Action: After consideration of the public comments we
received, and after consultation with the SSOs, we are finalizing, with
modification, our proposal regarding the adoption of certain X12N
standards for requesting and transmitting attachment information.
In Sec. 162.2002(c), we are adopting the X12N 275--Additional
Information to Support a Health Care Claim or Encounter (006020X314) as
the standard a health care provider must use to electronically transmit
attachment information to a health plan to support a health care claim
or equivalent encounter information transaction. We are also
incorporating this standard by reference in Sec. 162.920.
In Sec. 162.2002(d), we are adopting the X12N 277--Health Care
Claim Request for Additional Information (006020X313) as the standard a
health plan must use to electronically request attachment information
from a health care provider to support a health care claim. We are also
incorporating this standard by reference in Sec. 162.920.
E. Adoption of HL7 IGs for Health Care Claims Attachment Information
The HL7 CDA standard is the only currently available SSO-created,
NCVHS-recommended implementation specification in the United States
designed to support the HIPAA transactions. Other standards for the
exchange of clinical information are being developed and piloted.
However, due in part to its readiness, we stated in the proposed rule
that we believe the HL7 CDA IG set is the most appropriate standard for
adoption at this time (87 FR 78448).
We proposed to adopt the following three HL7 IGs as HIPAA standards
for the attachment information included in health care attachments
transactions:
HL7 IG for CDA Release 2: C-CDA Templates for Clinical
Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume One--
Introductory Material, June 2019 with Errata (HL7 C-CDA IG Volume One).
HL7 IG for CDA Release 2: C-CDA Templates for Clinical
Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two--
Templates and Supporting Material, June 2019 with Errata (HL7 C-CDA IG
Volume Two).
HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based
Documents, Release 1, March 2017 (HL7 Attachments IG).
We refer readers to the detailed discussion in the proposed rule on
the purpose and functionality of each IG and how they interact with
each other (87 FR 78448).
These IGs provide specifications for creating and transmitting both
structured and unstructured health care attachment documents.
Structured documents are machine-readable with standardized sections
and codes, while unstructured documents (for example, scanned images,
video, patient logs, etc.) have metadata (that is, information that
describes, explains, or gives context to other data) but no internal
tagging. The HL7 Attachments IG also defines criteria for creating new
templates when none exist.
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to adopt the March 2017 iteration of the HL7 Attachments
IG. The SDO engaged in its regular maintenance process with respect to
that IG, and, in March 2022, published the Release 2 iteration of it.
Commenters on the proposed rule encouraged us to adopt the March 2022
iteration, as opposed to the March 2017 iteration that we had proposed
to adopt.
We carefully examined the history of changes to the HL7 Attachments
IG between March 2017 and March 2022 and determined that the cumulative
changes reflected in the March 2022 iteration of the IG constitute
``maintenance updates'' because, rather than adding new content, the
updates address errata in the existing IG content. Maintenance refers
to ``activities necessary to support the use of a standard adopted by
the Secretary, including technical corrections to an implementation
specification, and enhancements or expansion of a code set.'' \27\
Maintenance updates to standards are non-substantive in nature, unlike
modifications to standards which require rulemaking to be adopted by
the Secretary.
---------------------------------------------------------------------------
\27\ See 42 CFR 162.103.
---------------------------------------------------------------------------
We also consulted the DSMOs, which apprised us that the maintenance
updates reflected in the March 2022 iteration of the HL7 Attachments IG
better facilitate implementation of Version 6020 of the X12N 275 and
X12N 277 standards for claims attachments adopted by the Secretary in
this final rule. Our own in-depth evaluation along with our
consultations with the DSMOs persuade us that we can confidently
conclude that adopting the newer March 2022 iteration of the HL7
Attachments IG would be functionally equivalent to adopting the March
2017 iteration of the HL7 Attachments IG with errata.
Having established that the March 2022 iteration is functionally
equivalent to the proposed March 2017 HL7 Attachments IG with
maintenance updates, and to avoid industry confusion with respect to
which IG iteration should be used, in this final rule we are adopting
the March 2022 iteration of the HL7 Attachments IG which is Release 2.
Comment: Multiple commenters expressed support for the adoption of
the proposed HL7 IGs for the exchange of claims attachments
information. A commenter stated that the HL7 C-CDA is widely
implemented and has demonstrated its value through the flexibility it
provides in delivering solicited and unsolicited information in various
formats. Another commenter stated that if HHS proceeds with the
implementation of the claims attachments standards for payment
purposes, they support proceeding with the HL7 C-CDA standard for now.
Response: We thank commenters for their feedback and support of our
proposal.
Comment: Multiple commenters expressed concern regarding HL7's
indication that it will no longer make updates to the HL7 CDA and C-CDA
standard, in favor of moving towards FHIR solutions, and recommended
that HHS work with HL7 to continue maintaining the HL7 C-CDA standard
or develop a plan for a FHIR-based solution. A commenter urged HHS to
ensure that HL7 will continue to support and develop guides based on
the HL7 CDA standard as needed.
Response: HL7 is required, as an SSO, to continue to maintain any
IGs that are adopted by the Secretary as HIPAA standards. Like all
SSOs, HL7 holds weekly workgroup meetings and quarterly membership
meetings to ensure that adopted standards meet the needs of HIPAA
covered entities and, should a modification be needed to a standard,
the workgroup would undertake its process to update it. SSOs, SDOs, or
DSMOs maintain their standards in accordance with ANSI requirements and
their own ANSI-approved policies; maintenance is an ANSI requirement
and is embedded in each SSO's processes, so it is not governed by
expectations or assumptions.
We did include a request for comment in the HIPAA Standards for
Health Care Attachments proposed rule (87 FR
[[Page 14369]]
78444) on other standards to consider for prior authorization
transactions, to which we received numerous comments advocating for the
FHIR standard. We will consider these comments in our future planning
with respect to the health care transaction standards adopted under
HIPAA Administrative Simplification.
Comment: A commenter expressed support for an approach that enables
advancing standards-based attachment content. Additionally, since it
was not referenced in the proposed rule, multiple commenters sought
clarification as to whether the HL7 CDA[supreg] R2 IG: C-CDA Templates
for Clinical Notes STU Companion Guide Release 3 (US Realm) Standard
for Trial Use, May 2022 (HL7 C-CDA Companion Guide) may be used under
the proposed health care attachments template recognition approach.
Multiple commenters recommended that HHS consider adopting the HL7
C-CDA Companion Guide. The commenters noted the HL7 C-CDA Companion
Guide provides additional templates and best practices useful for
attachments transactions and guidance to document creators to ensure
higher levels of consistency and quality.
A commenter noted that the HL7 C-CDA Companion Guide is the primary
guide to specify templates for use in the Office of the National
Coordinator for Health Information Technology's (ONC) \28\
Certification Program (ONC Health IT Certification Program) and sought
confirmation of its belief that it represents templates applicable to
attachments without a separate template needing to be defined. The
commenter stated additional rulemaking would be needed following the
publication of the next version of the HL7 C-CDA Companion Guide if HHS
decided to reference this IG in the final rule. The commenter expressed
concern that this would hinder industry's ability to use the HL7 C-CDA
Companion Guide. Commenters also encouraged HHS to make the HL7 C-CDA
Companion Guide eligible for use without specifically being referenced
under the proposed health care attachments template recognition
approach so that future updates to templates used within the IG could
be used immediately upon publication through the accepted process.
---------------------------------------------------------------------------
\28\ On July 25, 2024, HHS announced a reorganization to
streamline and bolster technology, cybersecurity, data, and AI
strategy and policy functions which had historically been
distributed across HHS. As part of the reorganization, ONC has been
renamed the Assistant Secretary for Technology Policy and Office of
the National Coordinator for Health Information Technology (ASTP/
ONC) and has assumed oversight over technology. For more information
on this reorganization refer to the press release available at:
https://www.hhs.gov/about/news/2024/07/25/hhs-reorganizes-technology-cybersecurity-data-artificial-intelligence-strategy-policy-functions.html.
---------------------------------------------------------------------------
Response: We are adopting the C-CDA implementation specifications
because they are already implemented and widely used in EHR systems.
The HL7 C-CDA Companion Guide, which is a collection of IGs that
provides standardized templates for structuring C-CDA documents, is a
set of IGs defined by HL7 as a ``library of C-CDA templates,'' and
their functionality allows that any templates created with them are
compliant with the HL7 C-CDA standard. These templates essentially
serve as blueprints for how specific medical information should be
organized and presented when exchanging patient data between systems
using the C-CDA standard.\29\ If compatible with the HL7 C-CDA release
adopted, these templates are acceptable for use once an associated
LOINC code is available.
---------------------------------------------------------------------------
\29\ Health Level Seven International. (HL7). Understanding C-
CDA and the C-CDA Companion Guide. Retrieved from https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/understanding_c-cda_and_the_c-cda_companion_guide.html.
---------------------------------------------------------------------------
Comment: A commenter expressed support for a consistent format that
would eliminate manual processes to send and receive data and allow for
information to be automatically recorded into a patient's record,
stating that this change would eliminate manual processes. The
commenter also noted that health IT vendors are currently only required
to support three HL7 C-CDA templates and stated that requiring health
IT vendors to support all template types would require significant
development effort while, concurrently, numerous other regulatory
requirements go into effect. The commenter noted that integrating EHRs
and revenue cycle products to support CDA generation would require
significant development.
Response: We understand that covered entities, or their vendors,
will incur a number of one-time costs to implement the new and modified
HIPAA transactions, for which we account in the RIA (section VI. of
this final rule). Health IT vendors are not covered entities and
therefore are not directly required to comply with the requirements.
While HIPAA covered entities must comply with the requirements of this
final rule, they are not required to possess technology that implements
every template in the C-CDA; rather the attachments they transmit must
be in accordance with the standard. We are adopting both the HL7 CDA
and X12N standards for health care claims attachments transactions. Our
goal is to automate health care transactions as much as possible, which
will ultimately decrease costs.
Comment: A commenter questioned the use of HL7 C-CDA templates to
support prior authorization requests and stated that no health plans
have mapped their clinical criteria to HL7 C-CDA templates to ensure
all the data needed to make the prior authorization decisions are in
those templates. The commenter stated that this lack of successful
results from real-world testing is a critical issue and that payers use
a data-element approach for prior authorizations rather than clinical
documents. A commenter stated that the C-CDA unstructured document does
not fully support the ability to carry a FHIR bundle, and that use of
the C-CDA unstructured document would interfere with the IGs referenced
in the CMS Interoperability and Prior Authorization proposed rule that
was proposed at the time these comments were submitted. Specifically,
the commenter referenced the HL7[supreg] FHIR[supreg] Da Vinci Coverage
Requirements Discovery (CRD) and Document Templates and Rules (DTR)
IGs, which support the use of questionnaire and responses, as part of
data collection in the prior authorization process. The commenter noted
it is important that real-time responses should be considered as part
of the prior authorization workflow and recommended that HHS ensure
that any requirements for the adoption of ePA APIs by CMS-denominated
``impacted payers'' be harmonized with current HIPAA prior
authorization transaction standards and CMS's Interoperability and
Prior Authorization rule, which has since been finalized.
Response: We appreciate the comments submitted in response to our
proposal to adopt a prior authorization health care attachments
transaction standard. As articulated in section III.A. of this final
rule, and noted repeatedly elsewhere, we are not finalizing our
proposal to adopt prior authorization with the health care claims
attachments transaction standard.
Comment: A commenter recommended that C-CDA structured information
be allowed and encouraged where appropriate, but not required. The
commenter also stated that unstructured documents can, but should not
be required to, utilize the Unstructured Document CDA template.
Response: Covered entities may use any adopted documentation format
that is supported by, and compatible with, the standards adopted in
this rule. The IGs we are adopting also support
[[Page 14370]]
unstructured data documents where the HL7 C-CDA structured documents
are unable to support the document or do not exist. We note that health
plans must specify the types of attachment information that will be
necessary to support a claim and encourage health plans conducting
electronic transactions with health care providers to accept
electronically both structured and unstructured C-CDA documents.
Comment: Multiple commenters expressed that the proposed version of
the HL7 Attachments IG is no longer current, noting that an updated
version of the HL7 Attachments IG was published in March 2022.\30\ A
commenter recommended that HHS adopt the ``most recent version'' of all
the proposed HL7 IGs in the final rule.
---------------------------------------------------------------------------
\30\ Health Level Seven International (HL7). (2022, March 8).
HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based
Documents, Release 2--U.S. Realm. Retrieved from https://www.hl7.org/implement/standards/product_brief.cfm?product_id=464.
---------------------------------------------------------------------------
Response: We appreciate these comments and thank commenters for
sharing these important considerations, which we interpret to mean that
HHS should adopt the most recent iteration of the HL7 Attachments IG
that was proposed, including its maintenance updates. As we explain
earlier, based on the commenters' suggestions, we reviewed the March
2022 iteration of the proposed HL7 Attachments IG and consulted with
standards maintenance organizations and found the March 2022 iteration
of the HL7 Attachments IG is functionally equivalent to adopting the
March 2017 iteration of the HL7 Attachments IG with errata. Therefore,
in this final rule, we are adopting Release 2 of the HL7 Attachments
IG, published in March 2022.
Comment: A commenter recommended that HHS work with the NCVHS to
develop alternative approaches to meeting the HIPAA EDI requirements
that represent a more contemporary basis of interoperability. Multiple
commenters stated that the proposal would leave limited ability to
improve on the current state of automated support to produce the
relevant data to populate the requested document type with the minimum
necessary information without substantive user involvement. A commenter
further explained that the proposed rule would require the use of C-
CDA-based attachments in accordance with the HL7 CDA[supreg] R2
Attachment IG: Exchange of C-CDA Based Documents, Release 1--US Realm
(STU) and would cover approximately 106 recognized document types.
Multiple commenters pointed out that thirteen document types in C-CDA
R2.1, of which three are recognized in the ONC Health IT Certification
Program and one is recognized in CMS's programs, have defined C-CDA
templates, but no clear implementation guidance is provided for all the
other 90+ document types that are referenced. Commenters pointed out
that this means some would not have a clear C-CDA document to consider,
for example, a physician letter or a patient consent for treatment in
an unstructured C-CDA document, while others could be structured in C-
CDA format, but no agreed upon document templates exist.
Response: We appreciate these comments and thank commenters for
sharing these implementation considerations. The C-CDA standard is
being adopted because it provides a widely recognized, structured
format that supports interoperability and can accommodate a variety of
clinical documents. The LOINC code system allows discrete
identification of attachment types, including both structured and
unstructured documents, and provides modifiers for templates and time
windows where applicable. We believe that the C-CDA standard we are
adopting broadly covers the types of documents that would be requested
for health care claims. Though the standard we are adopting might not
address all document types, it balances the need for standardization
and efficiency with practical flexibility for health care providers
while allowing the system to evolve as new document templates and
business needs arise.
The document types in the HL7 Attachments IG have discrete data
elements that allow HIPAA covered entities to exchange clinical
information as both an unstructured and structured document. Should
covered entities have future business needs that give rise to
additional document types, these could be exchanged as unstructured
documents by obtaining a LOINC code to identify the attachment type.
Comment: Multiple commenters recommended that HHS reconsider
adopting the standard for claims attachments transactions, given the
substantial guidance still needed to enable supporting a substantially
less burdensome documents-based approach. One commenter stated that in
order to support a consistent exchange through FHIR-based or X12-based
transactions, attachment approaches between the CDex guide and the HL7
Attachments IG need to be aligned.
Response: We appreciate this information and encourage the industry
to submit specific requests for changes and enhancements to the
transaction standards to the SDO responsible for maintaining the
standard.
Comment: Multiple commenters expressed support for the use of the
HL7 CDA standard, HL7 C-CDA standard, and HL7 IGs for health care
attachment transactions.
Response: We thank the commenters for their feedback and support of
our proposal.
Comment: A commenter recommended that HHS name a specific version
of the HL7 IGs as a ``floor'' and create a sub-regulatory advancement
process. The commenter stated that without a requirement to use
specific IGs, the industry will not achieve the level of
interoperability necessary to support data exchange. The commenter
recommended that HHS establish a process, such as the ONC Standards
Version Advancement Process (SVAP), to allow technology to evolve
through industry testing while also allowing the industry to provide
public comment.
Response: We thank the commenters for their feedback. We note that
section 1174(b)(2)(B)(i) of the Act provides authority permitting the
routine maintenance, testing, enhancement, and expansion of code sets
outside of the rulemaking process. We will further explore regulatory
flexibilities with respect to modifications to adopted IGs. With
respect to requiring that organizations adopt new and updated code
sets, we note that such changes are generally considered maintenance
updates, and the Secretary previously adopted LOINC as a code set for
use with HIPAA health care transaction standards. Organizations can
incorporate maintenance updates to a given IG, including its LOINC
codes, without the need for the Secretary to engage in additional
rulemaking.
Comment: A commenter recommended that HHS modify the rule to state
that the HL7 C-CDA standard be used for all documents covered by the
HL7 C-CDA, but not limit health insurance providers, hospitals, and
clinicians to solely use HL7 C-CDA permitted documents.
Response: We reiterate that covered entities may use any adopted
documentation format that is supported by, and compatible with, the
standards adopted in this rule. Additionally, we note that the IGs we
are adopting also support unstructured data documents where the HL7 C-
CDA structured documents are unable to support the document or do not
exist.
Comment: A commenter offered that mandating the HL7 IG standards
for HIPAA transactions is an important step forward, but expressed
concern that these standards have not yet been tested
[[Page 14371]]
for suitability to the dental industry. The commenter provided specific
examples relating to dental claims, noting that only one dental health
IT module is certified under the ONC Health IT Certification Program,
meaning that the majority of dental EHR systems cannot produce HL7 C-
CDA. The commenter noted that dental claims require images as
supporting documentation in a variety of formats (for example, BMP,
JPG/JPEG, TIFF/TIF, PNG, PDF, TXT, DOC/DOCX, DICOM, GIF), and
recommended that HHS allow the use of these file formats instead of
mandating the sole use of HL7 C-CDA to account for specialties that may
rely on unstructured data exchanges, specifically noting concerns in
cases where unstructured data such as MRIs and X-rays are needed. A
commenter noted that the dental industry has worked with HL7 to develop
two CDA R2 attachment standards and IGs tailored to the needs of the
dental industry. These two IGs, which the commenter suggested should be
considered for adoption, are: (1) the HL7 CDA[supreg] R2 IG:
Orthodontic Attachment, Release 1--US Realm which aims to provide a
CDA-based set of templates that can be used by a dental provider to a
payer for claims; and (2) the HL7 CDA[supreg] R2 IG: Exchange of C-CDA
Based Documents; Periodontal Attachment, Release 1--US Realm which is
used to exchange dental clinical data.
Response: We agree that it is important that HIPAA-adopted
standards support the needs of all health care types, including the
needs of the dental industry. HL7 has developed two dental C-CDA
standards, but, because the NCVHS has not yet recommended them for
adoption and because we did not propose them in the HIPAA Standards for
Health Care Attachments proposed rule, we cannot adopt them in this
final rule. Should the NCVHS make such a recommendation to the
Secretary, we may consider adopting these dental standards in future
rulemaking. Upon publication of this final rule, we will consider
outreach strategies and industry-wide policies and implementation
issues, along with sector-specific approaches that may, for example,
involve collaborating with multiple interested parties to conduct
dental-specific outreach and education.
Final Action: After consideration of the public comments we
received, we are finalizing our proposals to adopt the following HL7
IGs as HIPAA standards for the attachment information included in
health care claims attachments transactions in Sec. 162.2002(a) and
(b):
HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based
Documents, Release 2, March 2022 (HL7 Attachments IG).
HL7 Implementation Guide for CDA Release 2: Consolidated
CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial
Use Release 2.1, Volume One--Introductory Material, June 2019 with
Errata (HL7 C-CDA IG Volume One).
HL7 Implementation Guide for CDA Release 2: Consolidated
CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial
Use Release 2.1, Volume Two--Templates and Supporting Material, June
2019 with Errata (HL7 C-CDA IG Volume Two).
F. LOINC for HIPAA Attachments
We stated in the HIPAA Standards for Health Care Attachments
proposed rule (87 FR 78445) that health plans and health care providers
must have a clear and unambiguous way to specify attachment information
(for example, a discharge summary, surgical operation note, or
cardiovascular disease consult note) to be transmitted or requested in
a health care attachments transaction.
As we stated, the LOINC code set was developed for the following
three principal purposes:
To identify the specific kind of information that a health
plan electronically requests of a health care provider and a health
care provider electronically transmits to a health plan (for example, a
discharge summary or a diagnostic imaging report).
To specify certain optional modifier variables for
attachment information (for example, a time period for which the
attachment information is requested).
For structured attachment information, to identify
specific HL7 IG: LOINC Document Ontology document templates.
With respect to these three purposes, we discussed that the HL7
Attachments IG contains specific instructions for how to utilize the
LOINC code set for HIPAA Attachments (87 FR 78445).
In the proposed rule, we included an overview on tools available
from Regenstrief to support utilization of the LOINC for HIPAA
Attachments (87 FR 78445).
Comment: Multiple commenters supported the use of the LOINC for
HIPAA Attachments, with some stating that LOINC enables health plans to
request documents, which will reduce processing delays caused by
current inefficient document request processes. A commenter stated that
the use of LOINC for HIPAA Attachments is logical, as Regenstrief has
online tools for easier searches, including a LOINC database that
effectively creates an attachments knowledge base with a twice-yearly
release cycle. Commenters noted that they support use of LOINC for
HIPAA Attachments to identify the specific kind of information
communicated in an attachment request and response. Another commenter
stated that the use of LOINC for HIPAA Attachments will help payer and
provider relationships by establishing more rules regarding the use of
standardized codes and defining specific documentation and terms.
Response: We thank the commenters for their support.
Comment: Multiple commenters expressed support for adopting
flexible templates to enable continuous advances in standards-based
attachment content. A commenter expressed support for the process
discussed in the proposal (87 FR 78449) that accounts for the
development of new templates not currently specified in the HL7 C-CDA
IG Volume One, HL7 C-CDA IG Volume Two, or HL7 Attachments IG. The
commenter noted that the C-CDA Companion Guide maintains templates and
that the process discussed would afford flexibility for newly defined
or updated templates to expand standards-based coverage of the
currently permissible LOINC codes and any newly established LOINC
codes. Multiple commenters recommended that HHS establish clear
guidelines for when new codes can be requested and how long systems
will have to incorporate new LOINC documents into their systems. A
commenter recommended that HHS name a specific version of the LOINC for
HIPAA Attachments and specify that organizations must adopt updated
codes as they are issued.
Response: We thank commenters for their feedback, and we agree that
our approach to adopting flexible standards will enable continuous
advances in standards-based attachment content. We also acknowledge the
commenters' concerns about establishing clear guidelines for when new
codes can be requested and the timeframe by which LOINC documents are
incorporated into systems. As mentioned earlier, the claims attachment
transaction standards we are adopting incorporate numerous
implementation specifications containing specific instructions for how
to utilize LOINC for HIPAA Attachments to identify the specific
information that a health plan electronically requests of a health care
provider, including when a health plan can request such information and
the time period a request covers. Regenstrief maintains a regular
update process and
[[Page 14372]]
covered entities would be expected to utilize the LOINC for HIPAA
Attachments codes that are valid at the time the transaction is
initiated, as specified by the relevant implementation specification as
discussed previously in section II.C.3. of this final rule. Commenters
strongly support the adoption of the current version of the HL7 C-CDA
standard in this final rule, and we are adopting the March 2022
iteration of the HL7 Attachments IG, as discussed previously.
Comment: Multiple commenters stated that providers and payers will
require education on correct mapping of fields to use the LOINC code
set. Multiple commenters encouraged HHS to ensure that multiple LOINC
code sets are supported, and a commenter suggested that HHS require
payers to offer providers a list to inform them which documents need to
be attached.
Response: We agree with the commenters' points about the utility of
education around implementing and using LOINC codes. As discussed in
section VI. of this final rule, we anticipate that training will be
needed once this rule is finalized. Health plans may choose to develop
and create educational materials that contain lists of attachment
documents and their associated LOINC codes as an educational tool for
health care providers and systems designers.
Comment: A commenter stated that multiple LOINC codes may be needed
for a single prior authorization transaction and recommended that HHS
ensure that multiple LOINC codes will be supported and that an
additional LOINC code validates that the list of required documents
from the payer is complete. The commenter stated that delays in prior
authorization decisions occur when payers change the nature and type of
documentation for a prior authorization request.
Response: We thank commenters for sharing these considerations,
but, as we discuss in section III.A. of this final rule, we are not
finalizing our prior authorization proposal. Therefore, we need not
address LOINC code issues specific to that use case.
G. Electronic Signatures
Section 1173(e)(1) of the Act provides that the Secretary, in
coordination with the Secretary of Commerce, must adopt standards
specifying procedures for the electronic transmission and
authentication of signatures for HIPAA transactions. In the HIPAA
Standards for Health Care Attachments proposed rule, we included a
discussion of prior rulemaking related to electronic signatures (87 FR
78449), to which we refer readers for details. In the proposed rule, we
recognized that electronic signatures would require certain
implementation features, including message integrity, nonrepudiation,
and user authentication, and proposed that the standard for electronic
signatures would be digital signatures--electronic stamps that contain
information about both the user creating the signature and the document
being signed--as the only technically mature means available that could
provide for nonrepudiation in an open network environment. We also
provided an overview of our understanding of the use of signatures in
health care and reasoning for our proposal regarding electronic
signatures (87 FR 78449).
As such, in the HIPAA Standards for Health Care Attachments
proposed rule, we proposed to define the term ``electronic signature''
and to adopt the HL7 Implementation Guide for CDA Release 2: Digital
Signatures and Delegation of Rights, Release 1 (Digital Signatures
Guide) (87 FR 78450). The HIPAA Standards for Health Care Attachments
proposed rule (87 FR 78438) that appeared in the December 21, 2022,
Federal Register contained the full definition of ``electronic
signature'' and detailed information about the Digital Signatures Guide
so that the public could provide informed comments. However, we
acknowledge that a correction notice was published on March 17, 2023
(88 FR 16392) to provide the regulation text that inadvertently was not
included in the proposed rule, while subsequently, on March 24, 2023,
we published a notice (88 FR 17780) extending by 30 days the public
comment period to allow an additional opportunity for the public to
provide comment despite the fact there were no changes to the proposed
definition of electronic signature or the proposed Digital Signatures
Guide, and the proposed regulation text contained in the correction
notice reflected the same proposed definition and standard. In this
final rule, the definition of electronic signature, the Digital
Signatures Guide, and the regulation text have not changed from these
previous publications. We discuss this proposal and summarize and
discuss the comments we received on it, in this section.
1. Definition of Electronic Signature
In the HIPAA Standards for Health Care Attachments proposed rule
(87 FR 78449), we stated that an electronic signature can be any of
several types of marks or data that indicate a signatory's intent to
sign and included examples of electronic signatures.
We proposed to define the term ``electronic signature'' for
purposes of the HIPAA Standards for Health Care Attachments proposed
rule as broadly as possible to ensure that it would meet covered
entities' current needs and could also encompass future electronic
signature technologies. The proposed text in Sec. 162.103 read:
``Electronic signature means an electronic sound, symbol, or process,
attached to, or logically associated with attachment information and
executed by a person with the intent to sign the attachment
information.'' In this final rule we finalize the proposed definition
of ``electronic signature'' in Sec. 162.103 and the adoption of the
Digital Signatures Guide in Sec. 162.2002(e), with requirements for
the use of electronic signatures limited to attachment information
transmitted electronically in health care claims attachments
transactions, in accord with the attachments transactions we are
finalizing.
Comment: Multiple commenters expressed support for the proposed
electronic signature definition and the proposed implementation
requirements for the use of electronic signatures for health care
attachments, offering that electronic signatures are a modern
technology that will reduce burden and allow clinicians to focus on
patient care rather than paperwork. A commenter expressed support for
HHS's approach to electronic signatures that would allow health
insurers and clinicians to maintain their existing practices regarding
the use of electronic signatures, as there is a wide variety of
electronic signature requirements and business practices across
organizations. However, this commenter indicated that because the
regulation text for the proposed definition and Digital Signatures
Guide had not been provided in the December 21, 2022 proposed rule, the
Secretary should publish an interim final rule (IFR) with this
information and provide an additional opportunity to comment.
Additionally, multiple commenters expressed support for HHS limiting
the electronic signature requirements to just the adopted electronic
standard transactions with no requirements on how a provider will
implement a signing process for a health care attachment. Another
commenter expressed support for HHS not establishing requirements for
when, or by whom, a document should be signed. A commenter expressed
support for flexibility, allowing future technologies, like electronic
signatures, which could be incorporated as EHRs adopt them.
[[Page 14373]]
Response: We thank commenters for their feedback and support for
our proposals. As stated previously, a correction notice was published
on March 17, 2023 (88 FR 16392) to provide the regulation text that
inadvertently was not included in the proposed rule. We also published
a notice on March 24, 2023 (88 FR 17780) extending the public comment
period by 30 days despite the fact that the correction notice contained
no changes to the proposed definition of electronic signature or the
proposed adoption of the Digital Signatures Guide, and the proposed
regulation text contained in the correction notice reflected the same
language for the proposed definition and standard that was included in
the proposed rule. In this final rule, these provisions remain
unchanged. Therefore, we believe further rulemaking to obtain
additional public comment on the definition of electronic signature,
the Digital Signatures Guide, and the regulation text is unnecessary.
Comment: A commenter disagreed with the proposed use of non-
computable electronic signatures, such as an image of a signature,
stating this would not provide identity or support authentication and
assertions. Another commenter requested that HHS clarify that health
plans cannot require original digital signatures for unstructured
documents used in health care attachments. A commenter recommended that
HHS should clearly specify ``signature'' versus a ``sound, symbol or
process.'' The commenter stated that the current wording could create
confusion and complicate the intent of implementing a standardized
process. Additionally, the commenter recommended defining an electronic
signature as a digital copy of an original signature, attached to or
logically associated with attachment information, and executed by a
person with the intent to sign the attachment information.
Response: We thank the commenters for raising concerns about the
limitations of non-computable electronic signatures, such as scanned
images of handwritten signatures. We agree that these forms generally
do not provide robust support for identity verification,
authentication, or assertion of signer intent. To address these
limitations, and as we proposed, this final rule adopts the Digital
Signatures Guide, which supports key features necessary for secure
electronic signatures, including user authentication, message
integrity, and nonrepudiation.
We clarify that this rule does not prohibit health care providers
or health plans from using other forms of electronic signatures in
contexts outside of the adopted HIPAA standard transaction for health
care claims attachments. However, when an electronic signature is used
to sign attachment information at the time it is transmitted as part of
a HIPAA-standard electronic health care claims attachments transaction,
that signature must conform to the Digital Signatures Guide, as
finalized in Sec. 162.2002(e). This requirement does not apply to
documents created prior to transmission that may later be included in a
claims attachment; only signatures affixed in the course of a HIPAA-
standard attachment transaction must meet the standard.
With respect to unstructured documents, such as scanned images or
PDFs used in attachments, health plans may not impose these electronic
signature requirements except when they are transmitted as part of a
HIPAA standard claims attachments transaction. In that case, a
signature must meet the requirements of the adopted standard, though a
health plan may not impose additional electronic signature requirements
beyond the adopted standard.
As previously discussed, the definition of electronic signature is
deliberately broad to allow for industry flexibility and to avoid
restricting current practices. We acknowledge the commenter's concern
that the phrase ``electronic sound, symbol, or process'' could create
confusion when implementing standardized processes, but this language
is intended to encompass a wide range of electronic signature methods
already in use across the health care industry, including digital
images of handwritten signatures and other forms associated with the
signed content. We are not altering the proposed definition that we
finalize here, but should we find during the course of implementation
of the adopted standard that covered entities require greater
specificity, we may provide additional guidance or educational
resources, as applicable, or consider further rulemaking.
Comment: Multiple commenters stated that if HHS chooses to finalize
the proposed rule, industry should be included in discussions on
defining when an electronic signature should be required.
Response: In the proposed rule, we stated that we are not proposing
to specify when an electronic signature must be required. Instead, we
defer to the industry to continue to establish those expectations (87
FR 78450) consistent with the considerations we mentioned previously,
including federal and state laws and regulations, accreditation
standards, best practices, and payer requirements. We clarify in this
final rule that the finalized HIPAA electronic signature standard
applies only to attachment information transmitted by a health care
provider in a HIPAA-standard electronic health care claims attachments
transaction. Thus, while the health care industry may continue to set
expectations for electronic signatures in other contexts, compliance
with the adopted HIPAA standard is required in the specific context of
claims attachments transactions covered by this rule.
Comment: Multiple commenters provided feedback on the proposed
definition of electronic signatures in the context of laboratories,
explaining that laboratories face particular issues with respect to
electronic signatures, highlighting confusion around what constitutes
an electronic signature for electronically placed laboratory orders.
Multiple commenters expressed concern regarding the scope of the
electronic signatures definition and stated that the proposed
definition could impact what is considered an appropriate electronic
signature for individual data and medical records included in health
care claims attachments, like laboratory orders. The commenters stated
that the HL7 Version 2 (V2) messages used to communicate the laboratory
order include data that identifies the ordering provider. A commenter
noted that some laboratories have experienced declined payment claims
for laboratory tests that were placed electronically in an EHR and
subsequently transmitted over a secure connection using standard HL7 V2
messages. Multiple commenters also noted that HL7 V2 messages have been
used for over a decade without concerns raised regarding the validity
of the orders placed. To resolve the electronic signature issues that
laboratories face and establish a plan to resolve variations in what
constitutes an electronic signature, commenters recommended that HHS
convene a stakeholder meeting with, among others, CMS's Clinical
Laboratory Improvement Amendments office, ONC, HL7, the Electronic
Health Record Association (EHRA), and the American Clinical Laboratory
Association.
The commenters referenced language from previous CMS rulemaking,
the Medicare Program; Payment Policies Under the Physician Fee Schedule
and Other Revisions to Part B for Calendar Year (CY) 2011 final rule
(75 FR 73170), which stated that the need for a signature only applies
to requisitions, which are paper forms, but does not
[[Page 14374]]
impact interested parties who utilize an electronic process for
ordering clinical diagnostic laboratory tests.
A commenter noted subsequent conflicting guidance from a CMS-
authored Medicare Learning Network Matters fact sheet that suggested
laboratory tests must be signed, and the 2012 Physician Fee Schedule
final rule, which retracted the policy finalized in the 2011 Physician
Fee Schedule final rule. Commenters sought clarification regarding
whether the use of EHRs that electronically transmit the necessary data
to the laboratory constitutes a valid, signed laboratory order that
provides relevant evidence that an authorized health care provider
ordered it. Additionally, commenters urged HHS to make it clear that
the widely deployed current electronic laboratory ordering process
would not be impacted by the HHS digital signature proposal and,
therefore, would not require the provision of necessary evidence that
the order was placed by an authorized health care provider, as this
information is electronically traceable and readily available to both
laboratories and providers.
Multiple commenters requested that HHS confirm that it is not
proposing that original forms of medical record entries be subject to
these requirements and that the proposed definition for digital
signatures for health care claims attachments does not change the
current policy regarding upstream clinical workflows or place
additional requirements on the current electronic laboratory ordering
process.
A commenter urged HHS to remove the example in the proposed rule at
87 FR 78449 that reads ``[f]or example, for a laboratory to submit a
claim for reimbursement of a laboratory test, a health plan may first
require a physician visit and a signed physician order. When the
laboratory later bills a health plan for the test, the plan may ask for
evidence that it was ordered by an authorized health care provider; if
the laboratory is unable to produce a signed order, it may not be
reimbursed.'' The commenter stated this could be interpreted to apply
to laboratory orders, which is not the intended focus of the health
care attachments rule.
Response: We appreciate commenters' concerns regarding the timing
of signatures in clinical workflows and the implications for
implementing digital signature requirements associated with this
rulemaking, particularly with respect to laboratories. We recognize
that, in practice, health care providers typically sign clinical notes
or other documentation at the point of service or document creation,
not at the point when a CDA is later generated and submitted as part of
a claims attachment. As such, the process of adding a digital signature
at the time of CDA generation may not align with established clinical
and documentation workflows. To allay some concern, we clarify that
this rulemaking applies solely to claims attachments transmitted as
part of an electronic claim transaction and generated for that purpose
and does not apply to, or alter, upstream clinical documentation
processes or related provider practices. To be very clear, this final
rule imposes no new requirements on clinical workflows, including, but
not limited to, how laboratory orders are created, signed, and
transmitted from EHRs to laboratory systems.
By contrast, administrative workflows may be affected. Covered
entities may need to establish organizational policies or technical
workflows that designate how, when, and by whom an electronic signature
is applied to a CDA package at the time it is generated for submission
as a claims attachment, notwithstanding that an original document was
previously signed by a provider. As such, adding a digital signature at
the time of attachment generation may differ from established
administrative processes and system interfaces, particularly for
laboratory documentation and HL7 V2 messages.
We also recognize the historical context cited by commenters,
including CMS's 2011 and 2012 Physician Fee Schedule rules (75 FR 7310
and 76 FR 73026) and related CMS guidance, and the resulting concerns
about inconsistencies across programs. The scope of this final rule is
limited to electronic signatures affixed to, and part of the
requirements associated with, HIPAA health care claims attachments
transactions, contemporaneous with when such transactions occur. It
does not alter existing CMS, or any other, policies regarding
electronic laboratory orders or impose documentation standards beyond
those required in the HIPAA transaction.
The signature required on a health care claims attachment--at the
time of a health care claims attachment transaction--is distinct and
different from a signature that may have been affixed for documentation
required at the time that health care services were provided, such as
an ordering provider's signature on a lab order or provider note.
Should a document (created and signed earlier by a provider) later be
requested as part of a claims attachment and should a health plan
require a signature on the attachment, that signature must be a digital
signature that complies with the standard adopted in this final rule.
That signature may be applied by the individual or entity submitting
the claim, or by an authorized delegate of that submitter; it is not
necessary to obtain a new signature from the original author of the
clinical document.
Regarding the commenters' concern with the example cited at 87 FR
78449, we acknowledge, in retrospect, it was susceptible to being
interpreted as imposing new or conflicting requirements on laboratory
ordering processes but emphasize that is not how it should be
interpreted. Rather, our intent was to illustrate a scenario in which a
health plan, in the context of adjudicating a claim, may request
supporting documentation from a provider. Should a health plan require
submission of such a document as part of health care claims processes
pursuant to a HIPAA health care claims attachment transaction, and
should it require on such documentation a signature, the digital
signature requirements finalized here would apply to that attachment
submission; they would not apply, however, to the original clinical
order or its format.
We also recognize that questions may arise regarding who may apply
the electronic signature on a claims attachment. The finalized standard
does not prescribe that a signature must be applied by a specific
individual, but, rather, requires that the electronic signature be
executed by a person with the intent to sign the attachment
information. This allows for organizational delegation consistent with
provider policies, state laws, and payer requirements, provided that
the signer has appropriate authority and that the technical
specifications for authentication, message integrity, and
nonrepudiation are met.
We acknowledge the concerns raised by interested parties associated
with laboratories and appreciate the possibility that there may be
aspects of laboratory-specific workflows, regulatory requirements, and
data exchange practices, particularly in relation to ordering,
documentation, and claims submission processes, that may require
particular attention. We intend to work closely with covered entities
generally--but will particularly focus on laboratory-related entities--
to support and enforce consistent and practical implementation of this
rule's electronic signature requirements. That will involve monitoring
implementation challenges and prioritizing collaborative education and
coordination to support successful adoption, while avoiding unintended
disruption to established processes and operations.
[[Page 14375]]
Stakeholder input will also inform our consideration of whether
additional guidance or future rulemaking may be necessary to clarify
the application of these requirements. Among other things, we will work
with affected entities to identify any operational or technical
barriers.
Comment: A commenter stated that an organizational delegation
policy will have to be in place to add an electronic signature when the
CDA is generated, which will need to be done before a technical
solution could be implemented. The commenter stated that providers sign
clinical notes at the time they are written, not when they create a CDA
to send clinical notes electronically.
Response: We appreciate the commenter's concern regarding the
timing of signatures in clinical workflows and any implications for
implementing digital signature requirements under this rule. The
electronic signature requirement finalized in this rule applies only to
the claims attachment as transmitted in a HIPAA-standard electronic
transaction, regardless of when the underlying clinical document was
created. This means that this rulemaking does not require signatures on
documents produced prior to the attachment request, though, as we have
noted, health plan policies or other law may require that. Rather,
pursuant to the requirements of this final rule, an electronic
signature is required only on the attachment package being transmitted
and only when a health plan requires an electronic signature.
As we clarified in a prior response, covered entities may need to
establish organizational policies or technical workflows to designate
how, when, and by whom the electronic signature is applied to the
attachment package. In some cases, the signature may be applied at the
point of CDA assembly, potentially by a delegate authorized to do so,
based on pre-existing documentation and previously affixed clinical
signatures. This approach is consistent with the flexibility offered in
the Digital Signatures Guide, which supports organizational delegation
models and does not prescribe specific timing or roles for signing.
This clarification aligns with earlier discussion regarding laboratory
documentation and HL7 V2 messages, emphasizing that the electronic
signature applies to the administrative claims attachment artifact and
does not alter upstream clinical workflows or document creation
practices.
Comment: Multiple commenters expressed concern regarding the
ambiguity of the proposed electronic signature definition and stated
that it may create confusion and unintentionally force changes in
clinical workflows. A commenter stated that the proposed rule does not
address the absence of a practical way to obtain an electronic
signature on an electronic test order and explained the ways that the
X12N 275 standard, EHRs and Laboratory Information Systems (LIS), and
CDA do not fulfill this need. The commenter also explained that the HL7
V2 standard, the HL7 Version 2.5.1 IG: Laboratory Orders Implementation
Guide (LOI IG) from EHR, Release 1 and each LIS-EHR interface will have
to be updated to include an electronic signature as part of an
electronic order. The commenter also noted that guidance documents
indicate a signature can be handwritten or electronic, but that there
is little guidance on what constitutes an electronic signature.
Response: We appreciate commenters' concerns regarding the
feasibility of applying electronic signatures to laboratory test orders
and the potential impacts on clinical workflows. As we explain in this
final rule, including in the previous responses, our finalized
requirements pertain only to electronic health care claims attachments
transactions, while the definition of ``electronic signature''
finalized in Sec. 162.103 is deliberately broad to accommodate current
industry practices and future innovations.
This final rule does not require that electronic test orders, such
as those communicated in HL7 V2 messages or the HL7 2.5.1 LOI IG,
include an electronic signature (whether such a signature might be
required by virtue of some other law or practice would be beyond the
scope of this rule). The electronic signature requirements finalized
here only apply when a health care provider transmits attachment
information electronically as part of a claims attachments transaction,
and only if a health plan requires a signature on that attachment.
We acknowledge that laboratory test orders may later be requested
by a health plan as a health care claim attachment. This final rule
does not address clinical system configurations, but we will monitor
implementation issues and, as necessary, engage with parties in the
health care industry should additional guidance be necessary to clarify
whether or how the requirements of this final rule interact with
existing health IT infrastructure.
2. Electronic Signature Standard
In the HIPAA Standards for Health Care Attachments proposed rule,
we provided an overview of electronic signatures and their ability to
effectively authenticate a signer's identity (87 FR 78450). We included
a discussion of the need to be able to electronically validate
attachment information signed by a health care provider and
nonrepudiation.
We proposed that, where a health care provider uses an electronic
signature in a health care attachments transaction, the signature must
conform to the implementation specifications in the Digital Signatures
Guide. Specifically, we proposed to adopt in Sec. 162.2002(f)
(renumbered to Sec. 162.2002(e) in this final rule) the HL7 IG for CDA
Release 2: Digital Signatures and Delegation of Rights, Release 1
(Digital Signatures Guide) for electronic signatures for attachment
information transmitted by a health care provider in an electronic
health care claims attachments transactions specified in Sec.
162.2001(a) (87 FR 78451). We also proposed to incorporate the same by
reference in Sec. 162.920. We refer readers to the proposed rule for
the full discussion of the support provided by, and specifications of,
the Digital Signatures Guide (87 FR 78450).
We solicited comments on the proposed definition of electronic
signature and the proposed Digital Signatures Guide as the attachment
information electronic signatures standard. We recognize that several
commenters, particularly from the laboratory industry, raised important
questions about how the finalized electronic signature requirement may
intersect with longstanding laboratory workflows, electronic ordering
processes, and regulatory obligations. While the digital signature
requirement adopted in this rule applies only to the transmission of
health care claims attachments and not to the underlying clinical
documentation, as noted, we will closely monitor implementation to
gauge whether it might be necessary for us to provide additional
clarity to ensure consistent and practical implementation across
provider types.
Comment: Multiple commenters expressed support for the adoption of
the Digital Signatures Guide. A commenter stated that this will help to
ensure authentication, message integrity, and nonrepudiation of
electronic signatures for claim attachments.
Response: We thank commenters for their feedback and support for
our proposal.
[[Page 14376]]
Comment: A commenter disagreed with the adoption of the Digital
Signatures Guide, stating that the level of authentication will be
unnecessary, especially for exchange between entities that have signed
business agreements or standard operating procedures (SOPs).
Response: We appreciate the commenter's perspective regarding the
use of business agreements or SOPs to establish trust between entities.
However, we do not believe that the existence of such agreements alone
provides sufficient assurance of the authenticity and integrity of
attachment information submitted as part of a claims transaction. As we
noted in the proposed rule (87 FR 78450), the lack of an electronic
signature means the attachment information cannot be relied upon to be
accurate. Electronic signatures offer critical technical safeguards,
namely authentication, message integrity, and nonrepudiation, that
otherwise cannot be assured by SOPs alone.
Comment: Multiple commenters stated that accommodating the
requirements of an electronic signature as described in the Digital
Signatures Guide would require updates to workflow, operational
interfaces between EHRs and laboratories, and HL7 V2 message
formatting, thus increasing documentation burden with no clear benefit.
Multiple commenters stated that the Digital Signatures Guide is
applicable only to a CDA-based document but cannot be used in an HL7 V2
lab order message that solely contributes data that may be included in
a health care attachment. The commenters stated that should HHS
finalize the electronic signature proposal, there would be a need to
update the CDA and FHIR specifications and corresponding electronic
signatures.
Additionally, multiple commenters recommended that an electronic
signature should only be required if requested or indicated as required
by the health plan. A commenter recommended that the electronic
signature proposal only apply to health care attachments as a distinct
artifact submitted by a provider to support a claim or referral/prior
authorization request to avoid impacting upstream clinical processes.
Response: We appreciate the commenters' concerns about potential
impacts to workflows and system interfaces, particularly in relation to
laboratory documentation and HL7 V2 messages. We clarify that the
electronic signature standard adopted in this final rule applies only
to health care attachments submitted as part of a claims transaction.
As we previously noted, it does not alter or impose requirements on
upstream clinical workflows, such as the creation or signing of
clinical notes, lab orders, or other documentation. In some cases, a
provider may have already signed the underlying clinical document, so
it could be argued that applying a signature to a claims attachment at
the time of claims submission is duplicative. To the contrary, a
signature applied to a claims attachment would serve a distinct
administrative purpose: ensuring authentication, message integrity, and
nonrepudiation for the claims attachment itself, independent of the
original clinical signature. This rule does not override or conflict
with existing messaging or laboratory processes; it applies
specifically to the signature applied to the attachment artifact
submitted in a health care attachments transaction for claims purposes.
Our intent is to ensure that the electronic signature standard
applies only where required for claims attachments when submitted in a
health care attachments transaction, without affecting how clinical
documentation is authored, signed, or transmitted in routine care.
Comment: Multiple commenters recommended that HHS not adopt the
electronic signature provisions. Because the proposed rule regulation
text in Sec. 162.2002(f) (renumbered to Sec. 162.2002(e) in this
final rule) was missing, commenters expressed concern about HHS
finalizing such a requirement.
Response: On March 17, 2023, we published a correction notice that
fixed technical and typographical errors that appeared in the December
21, 2022 HIPAA Standards for Health Care Attachments proposed rule.
Shortly after that, on March 24, 2023, to ensure that industry would be
able to adequately comment on the corrected proposed rule, we extended
the proposed rule comment period by 30 days via a Federal Register
notice titled: Adoption of Standards for Health Care Attachments
Transactions and Electronic Signatures, and Modification to Referral
Certification and Authorization Transaction Standard: Extension of
Comment Period (88 FR 17780). That notice was published prior to the
expiration of the proposed rule's initial 90-day public comment period.
While the proposed rule inadvertently omitted certain proposed
regulation text--Sec. 162.2002(f) (renumbered to Sec. 162.2002(e) in
this final rule), that identified the electronic signature standard we
proposed to adopt--the proposed rule did include fulsome preamble
discussion of this policy and stated twice (87 FR 78449 and 78450) that
the policy would be located in Sec. 162.2002(f). While there is no
doubt the correction notice (that did not introduce any new policies)
and the comment period extension remedied any perceived shortcomings,
even the initial notice of proposed rulemaking, through its fulsome
preamble discussion, afforded adequate notice to afford public comment.
We have adequate grounds to finalize this proposal.
Comment: A commenter stated that HHS should reiterate that trading
partners should determine when an electronic signature is required in
an electronic health care attachments transaction and that the HL7
standard is only needed when a health care provider uses an electronic
signature in a health care attachments transaction.
Response: We agree. It is important to note that this final rule
adopts a generalized definition for electronic signatures applicable to
health care claims (or equivalent encounter information) attachments
transactions only and adopts the requirement that electronic signatures
conform to the standards in the Digital Signatures Guide. It is the
health plan's prerogative to determine when and where signatures must
be affixed to documents.
Comment: A commenter proposed the use of DocuSign, which the
commenter asserted that the Internal Revenue Service uses as its
document verification service.
Response: We thank the commenter for the suggestion. We did not
propose use of DocuSign in the HIPAA Standards for Health Care
Attachments proposed rule since it does not conform to the HIPAA
Administrative Simplification transaction standards.
Comment: A commenter expressed that they do not believe a standard
for electronic signatures is necessary. The commenter stated that the
industry already has trust frameworks and verification for digital
transactions between providers and payer organizations and questioned
the need for further authentication via an electronic signature
standard. Another commenter referenced the use of Trust Credentials and
stated that electronic signatures must be bound to the real, ID-proofed
identity of a person or organization. The commenter recommended that
standards be consistent across federal agencies and digital signatures
be verifiable by an out-of-band query to the issuer of the Trust
Credential confirming identity and validity. The commenter provided
[[Page 14377]]
an overview of existing standards for identity proofing,
authentication, and assertions that they stated have been adopted by
ASTP/ONC and used by the Direct Standard and the Trusted Exchange
Framework and Common Agreement (TEFCA). The commenter also explained
how patients, providers, health plans, and devices are ID proofed under
DirectTrust and that the real identity is bound to a Trust Credential.
Additionally, the commenter described how a Trust Credential is
assigned under TEFCA Individual Access Services. The commenter noted
that x.509 Certificates are bound to a single entity to allow the
ability to identify and remove one bad actor without revoking all
credentials.
A commenter recommended that for the industry to reliably utilize
digital signatures nationwide, HHS should consider implementing minimum
identity assurance requirements using Identity Assurance Levels 2
(IAL2) and the NIST Special Publication (SP) 00-63A and stated that HHS
should consider that digital signatures only work if both the signer
and the verifier agree to use the same digital signature standard. The
commenter recommended implementing Private Signing Key Protection to
lower the likelihood of a stolen private key being used to forge a
digital signature.
Response: We appreciate commenters' recommendations and
perspectives regarding the need for an electronic signature standard,
and we recognize that many organizations already operate under trust
frameworks such as those supported by DirectTrust and TEFCA. We also
understand the importance of identity assurance and credentialing in
enabling secure, verifiable transactions.
In this final rule, we adopt the Digital Signatures Guide as the
standard for electronic signatures on attachment information
transmitted in electronic health care claims attachments transactions.
We selected this guide because it supports the core features--
authentication, message integrity, and nonrepudiation--essential to
ensuring trust in electronic signatures.
While identity management, including credential issuance, proofing,
and validation, is critical to the effectiveness of digital signature
technologies, it is outside the scope of this regulation. The final
rule does not establish minimum identity assurance levels or define a
trust framework for all covered entities. We expect such entities to
rely on credentialing authorities and certificate management protocols
that align with industry's best practices, including those referenced
by the commenters (for example, NIST SP 800-63A, IAL2, and x.509
certificate frameworks).
Comment: Multiple commenters recommended that HHS review existing
processes that are relevant to these proposals. A commenter referenced
the Drug Enforcement Administration's (DEA) definition at 21 CFR part
1311 of Electronic Prescription of Controlled Substances and the DEA's
IFR, stating that HHS could use that as a guide. Multiple commenters
recommended that HHS evaluate the ANSI X12.58 Security Structures
control standard as an X12 native authentication, verification,
integrity, and electronic signature method.
Response: We appreciate commenters' recommendations to evaluate
existing standards and frameworks that support identity verification,
message integrity, and electronic signature functionality, including
the DEA's requirements for electronic prescriptions of controlled
substances at 21 CFR part 1311 and the ANSI X12.58 Security Structures
control standard.
The DEA's framework provides a model for authentication and
nonrepudiation in clinical transactions, and the ANSI X12.58 standard
was specifically developed to address security controls, including
electronic signatures, in the context of X12-based EDI. These standards
reflect valuable experience and technical insights into the secure
exchange of health care data. With respect to the commenter's
suggestion to evaluate the ANSI X12.58 Security Structures standard for
authentication and digital signatures in X12 transactions, we
appreciate this input. X12.58 is relevant because it provides a
structured framework for securing X12-based transactions, including
mechanisms for verifying sender identity, ensuring message integrity,
and supporting nonrepudiation. While we are not adopting X12.58 as an
electronic signature standard at this time, partly to maintain
alignment with broader HIPAA standardization efforts and because
industry adoption varies, we acknowledge its relevance for securing
X12-based transactions.
In this rule, we are finalizing the adoption of the Digital
Signatures Guide as the standard for digital signatures on health care
claims attachments. We selected this IG because, as mentioned earlier,
it directly aligns with the content structure of the adopted attachment
standard and includes supplemental specifications to support
authentication, message integrity, and nonrepudiation. The CDA-based
digital signature model is compatible with the data formats and
exchange protocols finalized for use in electronic claims attachments
and was developed through consensus processes within the standards
development industry.
We agree that there may be opportunities for broader alignment of
electronic signature standards across federal programs. We will
consider this input in any future rulemaking or technical guidance
related to electronic transaction security and authentication. We also
encourage ongoing industry collaboration and coordination across SDOs
to promote convergence and reusability of authentication methods where
appropriate.
Comment: Multiple commenters sought clarification on the
relationship between the HIPAA Standards for Health Care Attachments
proposed rule (87 FR 78438) that contained electronic signature
proposals, and CMS's Interoperability and Prior Authorization proposed
rule (87 FR 76238) which contained no such proposals. A commenter noted
that there is an overlap of payers seeking attachment information to
support prior authorization but that the CMS Interoperability and Prior
Authorization proposed rule does not include any proposed requirements
for digitally signing medical documentation. A commenter stated that
the two proposed rules seem to have contradictory provisions and
requested that HHS address these contradictions and confirm if the
proposed digital signature requirements apply only to health care
attachments and not to other areas of clinical workflow.
Response: We appreciate commenters' requests for clarification on
any overlap between the electronic signature requirements finalized in
this rule and the proposals in CMS's Interoperability and Prior
Authorization proposed rule. We reiterate that in this final
rulemaking, we are not finalizing the prior authorization attachments
transaction that we had proposed, and the digital signature
requirements adopted here do not apply to, or alter, the prior
authorization processes or API requirements established under the CMS
Interoperability and Prior Authorization final rule. Therefore, the
digital signature standard being adopted in this rulemaking will apply
only to health care claims attachments transactions. Accordingly, the
requirements finalized in this rule operate independently and do not
overlap with those applicable to prior authorization under other CMS
regulations.
Final Action: After consideration of the public comments we
received, we are finalizing our proposals, without
[[Page 14378]]
modification, to adopt the definition of electronic signatures in Sec.
162.103 and the Digital Signatures Guide for use with health care
claims attachments in Sec. 162.2002(e).
H. Modification to a HIPAA Standard
1. Modifications to Standards
Section 1174 of the Act requires the Secretary to review the
adopted standards and consider modifications to them, which include
additions to the standards, as appropriate, but not more frequently
than once every 12 months. Section 1174(b)(2)(B)(ii) of the Act
requires that modifications must be completed in a manner that
minimizes disruption and the cost of compliance.
Section 1175 of the Act prohibits health plans from refusing to
conduct a transaction as a standard transaction. It also prohibits
health plans from delaying the transaction or adversely affecting, or
attempting to adversely affect, a person or the transaction itself on
the grounds that the transaction is in standard format. It establishes
a timetable for covered entities to comply with any standard,
implementation specification, or modification as follows: for an
initial standard or implementation specification, no later than 24
months (or 36 months for small health plans) following its adoption;
for modifications, as the Secretary determines appropriate, but no
earlier than 180 days after the modification is adopted. As authorized
under the Act, HHS implemented 45 CFR 162.910, which sets out the
standards maintenance process and defines the role of DSMOs. The two
SSOs associated with this final rule are the ASC X12 and HL7.
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to modify the adopted Version 5010 of the X12N 278 standard
for prior authorization transactions to Version 6020. We refer readers
to the proposed rule for the full discussion of the maintenance process
for health care transaction standards adopted by the Secretary, as well
as an overview of the history of the NCVHS recommendations related to
our proposals (87 FR 78451). We summarize public comments submitted
regarding this proposal and provide our responses that follow.
Comment: A commenter expressed support for keeping up-to-date with
newer versions of X12 standards, but recommended allowing historic
versions for an extended period and/or allowing for a reasonable amount
of time for systems to be upgraded to the newer X12 standard. The
commenter indicated that 2 years would be a good starting point, but
recommended a longer window where both standards would be allowed given
the large number of requirements occurring over the next few years and
specifically referenced several HHS initiatives and regulations.
Another commenter recommended that HHS build language into the final
rule allowing for regular version updates to standards so that
providers and health systems could be more agile in communicating
electronic health information. The commenter pointed out that there may
be too much specificity in the standard version noted in the proposed
rule and stated that some practitioners have had to navigate
implementing Version 5010 without the ability to make changes in simple
things such as dental documentation.
Response: We appreciate the commenter's feedback. HHS has
considered similar recommendations regarding regular upgrades to
standards to provide, by rulemaking, HIPAA covered entities with a more
routine cadence in the adoption of updated standards and operating
rules. We continue to assess potential alternatives within the scope of
our authority and consistent with the law and will continue to work
with industry to identify means by which updated standards can be more
timely adopted and implemented. It is important to note that section
1174 of the Act requires the Secretary to review the adopted standards
and adopt modifications to them as appropriate, but not more than once
every 12 months. Moreover, modifications must be completed in a manner
that minimizes disruption and the cost of compliance.
As discussed in the proposed rule, and again here in this final
rule, section 1175(b)(1)(A) of the Act prescribes a 24-month period for
which initial compliance is required, and in the case of a small health
plan, 1175(b)(1)(B) of the Act allows 36 months for compliance.
However, section 1104(c)(3) of the Affordable Care Act, under which we
are adopting the health care claims attachment standards, reiterated
the original HIPAA requirement to adopt a health care claims attachment
standard and a single set of associated operating rules, and spoke
specifically to timing, providing that the Secretary must adopt the
standard and operating rules by January 1, 2014, to be effective no
later than January 1, 2016, and that the Secretary may adopt the
standard and operating rules on an interim final basis. We acknowledge
that this final rule comes more than 10 years after the Affordable Care
Act-specified adoption date, but interpret that provision to mean that
for the attachment standards adopted under section 1104(c)(3) of the
Affordable Care Act there should be a 2-year compliance date for all
covered entities.
That same Affordable Care Act provision requires that the adopted
standard be ``consistent with the X12 Version 5010 transaction
standards,'' and we explain in the HIPAA Standards for Health Care
Attachments proposed rule and in section II.D.3. and elsewhere in this
final rule, our rationale for adopting Version 6020 with respect to the
standards we are adopting as final. We also observe that HIPAA was
enacted nearly 30 years ago, and, in that time, we believe that covered
entities have gained experience moving from one version of a standard
to the next.
2. Modification to Referral Certification and Authorization Transaction
Standard
In the HIPAA Standards for Health Care Attachments proposed rule,
we included a robust discussion of our proposal to adopt Version 6020
of the X12N 278 standard for a referral certification and authorization
transaction for non-claims-related attachment requests and responses
(87 FR 78451). We stated that although the NCVHS did not recommend a
specific version of the standard, we proposed to adopt Version 6020 of
the X12N 278 standard because Version 6020 better harmonizes with the
X12N 275--Additional Information to Support a Health Care Services
Review (006020X316) standard that we proposed to adopt for health care
providers transmitting attachment information. For the full discussion,
we refer readers to the proposed rule (87 FR 78451).
The referral certification and authorization transaction under
Sec. 162.1301 includes two transmission types from health care
providers to health plans: prior authorization requests and referral
certification requests. The X12N 278 standard is currently required for
both types of transmission. Although it would have been technically
feasible for us to have proposed to adopt Version 6020 only for prior
authorization transmissions specified in Sec. 162.1301(a) and retain
Version 5010 for referral certification transmissions specified in
Sec. 162.1301(b), we instead proposed Version 6020 for both
transmission types because it includes improvements over Version 5010
that better support both transmission types, and we believed it would
have been more burdensome for covered entities to have to maintain both
X12N 278 versions.
Comment: Multiple commenters expressed support for the proposed
[[Page 14379]]
adoption of Version 6020 of the X12N 278 transaction standard. A
commenter noted that Version 6020 accommodates dental procedures, which
reduces administrative burden. Conversely, multiple commenters
disagreed with the proposed adoption of Version 6020 of the X12N 278
standard, noting that there have been significant advancements and
version updates, and some commenters recommended that HHS consider
alternative versions of the X12N 278 standard, like Version 8020.
Multiple commenters expressed concern that implementing Version 6020
may increase cost and burden, and a commenter stated that there are
issues with managing multiple standards and versions and gave the
example that the X12N 837 claims standard could be in Version 8020,
while the changes proposed could be at Version 6020 or Version 5010.
Response: As we explain in section III.A. of this final rule, we
are not finalizing our proposal to adopt the prior authorization
transaction standard, so we are not adopting the X12N 278--Health Care
Services Request for Review and Response (006020X315), September 2014.
We thank the commenters who supported our proposal and appreciate the
commenters' suggestions to consider alternative versions of the X12N
278 standard, like Version 8020, and will continue to monitor and
assess whether alternative versions of the current standard may better
address the needs of the industry for enhanced administrative
simplification.
Final Action: After consideration of the public comments we
received, and for reasons previously discussed herein, we are not
adopting a modification to the X12N 278 standard for prior
authorization transactions.
I. Compliance Dates
We proposed to adopt new standards and a modification to a standard
in the HIPAA Standards for Health Care Attachments proposed rule.
Section 1175(b) of the Act provides for a compliance date not later
than 24 months after the date on which an initial standard or
implementation specification is adopted for all covered entities except
small health plans. However, section 1104(c)(3) of the Affordable Care
Act requires the adoption of standards for health care attachments and
operating rules with a 2-year compliance timeframe for all covered
entities and offers no extended timeframe for small health plans. In
the HIPAA Standards for Health Care Attachments proposed rule, we
proposed that the same health care attachments standards would apply to
both claims and prior authorization attachments transmissions. As the
transmission standard for each type of attachments transaction would be
the same, we stated that we believed the compliance date for both types
should also be the same. In addition, because we proposed to treat the
two attachments processes together as one transaction in new Subpart T,
we stated that adopting the same compliance timeframe for all covered
entities would avoid the complications that a bifurcated compliance
timeframe (that is, one for claims processes and another for prior
authorization processes) may raise.
The effective date is the date the rule amends the Code of Federal
Regulations (CFR), which is typically 60 days after the date of
publication in the Federal Register.
We proposed to adopt the following eight standards for health care
claims attachments transactions and electronic signatures:
HL7 IG for CDA Release 2: C-CDA Templates for Clinical
Notes--Introductory Material, Release 2.1 (HL7 C-CDA IG Volume One).
HL7 IG for CDA Release 2: C-CDA Templates for Clinical
Notes--Templates and Supporting Material, Release 2.1 (HL7 C-CDA IG
Volume Two).
HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based
Documents, Release 1 (HL7 Attachments IG).
X12N 275--Additional Information to Support a Health Care
Services Review (06020X316).
X12N 275--Additional Information to Support a Health Care
Claim or Encounter (06020X314).
X12N 277--Health Care Claim Request for Additional
Information (006020X313).
X12N 278--Health Care Services Request for Review and
Response (006020X315), September 2014.
HL7 IG for CDA Release 2: Digital Signatures and
Delegation of Rights, Release 1 (Digital Signatures Guide).
In accordance with section 1104(c)(3) of the Affordable Care Act,
which requires the Secretary to adopt a transaction standard for health
claims attachments and prescribes a uniform 2-year compliance date for
all covered entities (with no special provision for small health plans,
unlike the original HIPAA statute), we proposed that the compliance
dates for the policies adopted in this final rule would be 24 months
from the effective date of this rule. We stated that we would specify
these compliance dates in Sec. 162.2002.
Section 1175(b)(2) of the Act requires the Secretary to determine
an appropriate compliance date for the implementation of modified
standards, such as the modification of the X12N 275 standard from
Version 5010 to Version 6020, by taking into account the time needed to
comply due to the nature and extent of the modification. The Act also
requires that the compliance date be no earlier than the last day of
the 180-day period, beginning on the date the modification is adopted
(that is, the effective date of the final rule in which the
modification is adopted). As discussed in the HIPAA Standards for
Health Care Attachments proposed rule, we proposed to adopt Version
6020 of these standards because they better harmonize with the X12N
275--Additional Information to Support a Health Care Claim or Encounter
(006020X314) and the X12N 275--Additional Information to Support a
Health Care Services Review (006020X316) standards we proposed to adopt
for the routing/envelope of attachment information by the provider. We
stated that X12 recommended to the NCVHS that all parties to those
transactions use Version 6020 of the standards as they are most
compatible with each other. In the proposed rule, we discussed that
Version 6020 of the X12N 278, as the standard for referral
certification and authorization transactions, would be used by a health
plan in conjunction with Version 6020 of the X12N 275 standard, which a
health care provider would use to electronically transmit attachment
information to a health plan in support of a prior authorization
request. As the X12N 278 standard would feature in the new health care
attachments transaction, we stated that it would be important to align
the compliance dates for the proposed modification to the X12N 278
standard and the health care attachments standards. Accordingly, we
proposed that covered entities would need to comply with Version 6020
of the standard 24 months after the effective date of the final rule.
We reflected this compliance date in Sec. 162.1302 by: (1) revising
paragraph (c) to specify only the standard identified in paragraph
(b)(2)(i); and (2) adding new paragraph (d) to require covered entities
to use, in paragraph (d)(1), Version 5010 X12N 278 for 24 months after
the effective date of the final rule, and in paragraph (d)(2), Version
6020 X12N 278 on and after 24 months after the effective date of the
final rule. We solicited comments on this proposed approach.
Comment: Multiple commenters expressed support for the proposed
compliance date of 24 months for health
[[Page 14380]]
care attachments standards and electronic signatures standard, and the
updated standard for referral certification and authorization
transactions. A commenter stated that the proposed compliance date
would provide sufficient time for providers, health plans, and
clearinghouses to adopt new standards and IGs. A commenter noted the
current voluntary use of standards and stated that limiting the scope
to just claims attachments should allow for easy implementation within
the 24-month timeframe for the industry.
Response: We appreciate the commenters' feedback and support. We
are finalizing the 24-month compliance date for the health care claims
attachment standards and the electronic signature standard that we
adopt in this final rule. As we have noted, we will closely monitor the
rule's implementation and, should we learn of concerns, will work with
the industry to address them. Some commenters supported a 24-month
compliance date for the modified standard for referral certification
and authorization transactions (X12N 278 Version 6020), but we are not
adopting that modification, as discussed in section III.A. and
elsewhere in this final rule.
Comment: Multiple commenters recommended that HHS finalize a
shorter compliance date, ranging from as soon as practical to 18
months, instead of the proposed compliance date of 24 months after the
effective date of the final rule. Another commenter requested urgent
adoption of the attachment standards, with a requirement for full
implementation within 12 months of adoption, not 24 months as HHS
proposed. That commenter stated that health plans have adequate notice
from HHS to start planning and building the platform and stated that if
a health plan expects that health care providers adapt to a health
plan's demand to provide attachments with 2-3 months' notice, it is
more than reasonable to expect health plans to implement electronic
health care attachments standards within 12 months or less. The
commenter believed that such requirement would comply with the
statutory compliance timeframe of no later than 24 months following
adoption, and stated that if any health plan has difficulty
implementing the requirements, it could suspend its attachments for
claims and prior authorization requirements until it was able to comply
with electronic health care attachments standards, which the commenter
believed would be the only fair solution for health plans, patients,
and providers. Conversely, a commenter expressed appreciation for HHS's
efforts to establish a timeline for the adoption of the final rule but
encouraged HHS to be flexible as needed with the 24-month compliance
date to give providers and health systems more time to be compliant
with new requirements.
Response: We acknowledge the commenters' view that a shorter
compliance period could allow the industry to benefit from the
standards sooner and recognize the view that a shorter timeline could
be permissible under the statute's ``no later than 24 months''
language. However, with respect to the health care claims attachment
standards and the electronic signature standard that we are adopting in
this rule, we are adopting a 24-month timeframe to ensure uniform
industry implementation and prevent the fragmentation that variable
compliance periods might engender. We appreciate the commenter's
concern that health plans often require health care providers to meet
aggressive timelines and that a shorter compliance date could encourage
quicker benefits realization. Nevertheless, preparing for the adoption
of new standards will require HIPAA covered entities, potentially along
with their health IT vendors or service partners, to engage in a series
of coordinated steps requiring careful planning that may include
updating systems, training staff, and testing with trading partners. As
such, we believe the 24-month timeframe is necessary to support
successful implementation.
Regarding the suggestion that health plans suspend their attachment
requirements should they be unable to comply on time, we clarify that
once the compliance date is reached, all covered entities are legally
required to use the adopted standards when conducting health care
claims attachment transactions electronically. However, we encourage
early preparation, coordination, and testing among trading partners to
ensure readiness and minimize implementation burdens. We note that
nothing in this rulemaking would prohibit a health plan from electing
to limit or suspend its health care claims attachment requirements.
Comment: Multiple commenters expressed concern with the compliance
date, citing the need for real-world testing of the proposed standards.
A commenter stated that attachments transaction standards must be
tested with all end-users, including physicians, in a variety of
settings, including small, independent, and rural physician practices
to ensure the standards are effective and efficient and suitable for
adoption. Another commenter recommended HHS exercise enforcement
discretion following the 24-month implementation period to allow
industry-wide testing as it will likely require the full 24 months for
implementation and testing.
Response: In accordance with section 1104(c)(3) of the Affordable
Care Act, which requires the Secretary to adopt a transaction standard
for health claims attachments and prescribes a uniform 2-year
compliance date for all covered entities (with no special provision for
small health plans, unlike the original HIPAA statute), the compliance
dates for the policies adopted in this final rule are 24 months from
the effective date of this rule.
We acknowledge the commenters' concerns about the need for real-
world testing, especially among small, independent, and rural physician
practices, and note that falls within the coordinated steps that we
speak about in a previous response. We agree that end-user validation
in a variety of clinical and operational settings is essential to the
successful adoption of the standards and encourage interested parties
to begin implementation and testing efforts as early as possible to
ensure that all participants have sufficient time to validate workflows
and system performance.
We also acknowledge the concern that some payers and vendors may
need to undertake new development work for the adopted standards. A
commenter, for example, noted that while certain EHR and revenue cycle
systems previously implemented the X12N 276/277 claims status
transactions, some payers did not do so at the time of the Version 4010
standards (we clarify that these statements reflect a commenter's
perspective, not an HHS finding that payers failed to comply with
adopted standards). We encourage such payers to work closely with
vendors, clearinghouses, and providers to identify and address gaps
early, and to comply with all adopted HIPAA standards.
Regarding a commenter's recommendation that we utilize enforcement
discretion following the 24-month period, we emphasize that we will
monitor implementation progress and, to the extent necessary, consider
appropriate action, consistent with our general approach to HIPAA
Administrative Simplification efforts.
Finally, we emphasize that early testing, collaboration with
trading partners, and use of implementation resources will be essential
for all covered entities to meet the compliance deadline.
[[Page 14381]]
Comment: Multiple commenters recommended that HHS provide support
similar to what was provided in the transition from ICD-9 to ICD-10. A
commenter agreed with the 2-year timeframe only if HHS requires
milestones, testing, and implementation support to ensure performance
to the standards by the compliance date.
Response: We agree that consistent communication and implementation
support are important to successful adoption of the standards. We
strongly encourage covered entities to develop internal implementation
timelines and testing schedules in collaboration with their trading
partners to ensure readiness by the compliance date. As resources
permit, we intend to support industry readiness through targeted
outreach and the dissemination of educational materials, consistent
with our role in past administrative simplification efforts. For
example, during the ICD-10 transition, HHS collaborated closely with
industry groups to develop technical resources, frequently asked
questions (FAQs), and webinars. For this effort, we expect that
industry organizations, such as WEDI and SSOs, including X12 and HL7,
may again play a central role in developing and sharing technical
guidance as they have with previous efforts, though we are not able to
commit them to, or require, that. HHS's support activities, including
education and technical assistance, are subject to resource
availability and agency discretion, though we certainly hope to offer
such support. Covered entities are responsible for ensuring timely
compliance and should not rely solely on HHS-led efforts.
Comment: Multiple commenters suggested a 36-month timeframe from
the date the final rule is published to implement Version 6020 of the
X12N 278 standard, while a commenter emphasized it is likely that an
updated version of that standard will be available prior to the
compliance date proposed in the rule and recommended that HHS adopt the
most updated version of the standard in the final rule.
Another commenter stated that organizations have likely begun some
level of electronic implementation to streamline their own operations,
and early pilots could be leveraged to accelerate conformance with the
proposed standards. A commenter recommended that HHS consider extending
the implementation period beyond 2 years to prevent overburden. Another
commenter stated that while they support standardization, they would
like additional time to develop workflows and properly implement
standards. Other commenters recommended a subsequent 2-year voluntary
transition period following the compliance period during which both
current and new X12N standards would be allowed to support health IT
developers and users. A commenter recommended that HHS engage health IT
end users to conduct real-world testing on the proposed standards,
including end-to-end transaction testing prior to requiring
implementation. The commenter also recommended that health IT end users
be involved in the implementation roadmap.
Multiple commenters requested that HHS consider the impact of
competing regulatory requirements when establishing the compliance
dates. Multiple commenters expressed concern with the demands that the
implementation of simultaneous regulatory actions places on adopters,
health IT developers, and industry. The commenters referenced several
regulatory requirements, including the CMS Interoperability and Prior
Authorization proposed rule, the Advanced Explanation of Benefits
(AEOB) requirements called for in the No Surprises Act,\31\ and the HHS
Administrative Simplification: Modification to the NCPDP Retail
Pharmacy Standards and Adoption of a New Pharmacy Subrogation Standard
proposed rule (87 FR 67634). A commenter recommended implementing a 24-
month transition date for adopting Version 6020 of the X12N 278
standard and accompanying health care attachment standard transactions
should a compliance date be set in late 2025 or early 2026 as this
approach would ease the weight of simultaneous implementation
requirements of other rulemaking.
---------------------------------------------------------------------------
\31\ H.R. 133--116th Congress (2019-2020): Consolidated
Appropriations Act, 2021. (2020, December 27).
---------------------------------------------------------------------------
These commenters asserted that those other regulatory requirements,
along with those of this rule, would demand significant planning and
resources which may compete with other priorities and operations at
their institution. A commenter recommended that HHS partner with the
private sector to develop a cohesive roadmap across initiatives based
on consumer needs, maturity of standards, and required resources to
stagger implementation and enforcement. Other commenters suggested
staggering the requirements for this rule and those of the CMS
Interoperability and Prior Authorization proposed rule.
Response: We thank the commenters for their feedback and agree with
the commenter's point that many organizations have begun some level of
electronic implementation to streamline their own operations and likely
can leverage those efforts to accelerate conformance with the proposed
standards. Regarding the X12N 278 standard, as we discuss in section
III.A. of this final rule and reiterate elsewhere, we are not
finalizing the adoption of Version 6020 of the X12N 278 standard,
mooting suggestions that we alter its compliance date or establish a
transition period. Should we proceed with future X12N 278-related
rulemaking, we would take into account the commenter's recommendations
regarding a move to the newer version of the standard.
With respect to those standards we are adopting, and consistent
with section 1104(c)(3) of the Affordable Care Act, we are finalizing a
compliance date by which covered entities must comply with the standard
not later than 24 months after the date on which an initial standard or
implementation specification is adopted. Some commenters suggested a
longer compliance period, with some also recommending we include a
voluntary transition period, but the statute provides for a 24-month
time period.
We recognize that meeting the required timeframe will require
significant planning and the coordinated steps to which we refer in a
previous response. We also acknowledge commenters' concerns regarding
cumulative regulatory burdens, including requirements from the now-
finalized CMS Interoperability and Prior Authorization final rule.
While this rule does not provide for staggered compliance with other
regulations, HHS will continue to engage with parties in the health
care industry and federal partners to support coordinated policy
development wherever feasible.
In response to recommendations for real-world testing and roadmap
development, we agree that broad participation from implementers and
end users--including small health care providers, health IT developers,
and clearinghouses--is critical to successful adoption. We encourage
private-sector leadership and public-private collaboration (for
example, through WEDI, HL7, and X12) to develop implementation
playbooks, testing frameworks, and milestone tracking tools. We also
anticipate offering stakeholder education and support.
We also note that many covered entities have successfully
implemented new or modified HIPAA transaction standards within a 24-
month timeframe. We will monitor implementation
[[Page 14382]]
challenges and remain prepared to engage with interested parties as
needed, but statutory requirements limit the compliance timeframe.
Prompt planning and engagement by covered entities is essential to
meeting the final compliance deadlines.
Comment: A few commenters recommended alternative compliance start
dates from what was proposed in the HIPAA Standards for Health Care
Attachments proposed rule. One of these commenters recommended that
implementation be scheduled on a date other than the end of a calendar
year and emphasized that financial planning be performed and approved
in advance of actual expenditure. The commenter stated that it is
unrealistic to expect that resources can be obtained and committed to
compliance with the proposed regulation within the current budget year,
given that the regulation requirements would not be finalized until a
final rule is issued. Another commenter requested a compliance
timeframe of at least 18 months for any new regulation on this matter
and requested that consideration be given to timeframes for state
entities to come into compliance due to significant changes to program
and processes. A commenter stated the compliance date should not be
aligned with the January 1 medical enrollment period of any year to
allow payer and provider systems sufficient time for modifications
without impacting medical enrollments during the initial weeks of the
new year.
Response: We appreciate the concerns that commenters raised
regarding the proposed compliance date. As we have repeatedly noted,
section 1104(c)(3) of the Affordable Care Act requires a 2-year
compliance timeframe. We recognize that implementing a new standard may
involve significant planning and coordinated steps to which we refer to
in a previous response, and, upon publication of this final rule,
encourage covered entities to expeditiously begin planning to ensure
their readiness to attain compliance in a timely manner.
Regarding timing in relation to the calendar year and enrollment
periods, the 24-month compliance date does not fall on January 1 of any
year, which should help mitigate disruptions to systems and operations
during the annual medical enrollment cycle and allow payers and
providers to focus on system changes during less operationally
sensitive periods.
We are finalizing a compliance date that is 24 months after the
effective date of this final rule, in accordance with section
1104(c)(3) of the Affordable Care Act.
Comment: A commenter stated that vendors will need at least 2 years
to implement the process of updating the proposed standards and
provided the explanation that, because XML is the standard format, time
would be needed for training related to implementing the HL7
transactions.
Response: We understand this commenter to be concerned that
additional time may be needed to comply because it will require the use
of an HL7 implementation specification within an X12 transaction
standard. However, we are aware that some in the industry, including at
least one Medicare Administrative Contractor, have already successfully
used the HL7 implementation specification within the X12 transaction
standard, and have done so for over 15 years. This implementation
includes publicly available companion guides and procedures,
demonstrating that HL7 content can be effectively integrated and
exchanged within the X12 transaction envelope, and providing a proven
model for how HL7 documents can be used within X12 transactions. It
also offers an early example of how vendors and clearinghouses can
structure systems, interfaces, and workflows to support this type of
transaction. Therefore, we believe the 24-month compliance period
provides sufficient time for vendors and covered entities to prepare,
test, and implement the standards adopted in this final rule.
Final Action: After considering the public comments we received, we
are finalizing a 24-month compliance date after the effective date of
this final rule for the adoption of the X12N 275--Additional
Information to Support a Health Care Claim or Encounter (06020X314) and
X12N 277--Health Care Claim Request for Additional Information
(006020X313), and the HL7 IG for CDA Release 2: Digital Signatures and
Delegation of Rights, Release 1 and other HL7 IGs adopted in this final
rule.
J. Incorporation by Reference
This final rule incorporates by reference in Sec. 162.920 the
following standards: (1) X12N 275--Additional Information to Support a
Health Care Claim or Encounter (006020X314); and (2) X12N 277--Health
Care Claim Request for Additional Information (006020X313).
The X12N 275--Additional Information to Support a Health Care Claim
or Encounter standard provides instructions to assist those who send
additional supporting information or who receive additional supporting
information to a health care claim or encounter.
The X12N 277--Health Care Claim Request for Additional Information
standard contains the format and establishes the data contents of the
Health Care Information Status Notification Transaction Set for use
within the context of an EDI environment. This transaction set can be
used by a health care payer or authorized agent to notify a health care
provider, recipient, or authorized agent regarding the status of a
health care claim or encounter or to request additional information
from the health care provider regarding a health care claim or
encounter, health care services review, or transactions related to the
provisions of health care.
This rule incorporates by reference in Sec. 162.920 the following
IGs:
HL7 CDA R2--US Realm, Version: 2.1.0.1, September 2023
\32\--The standard specifies the structure and data content for the
electronic exchange of clinical documents used as attachments in
support of healthcare administrative transactions. The implementation
guide defines how clinical documentation structured using the HL7
Clinical Document Architecture Release 2 and the HL7 C-CDA Release 2.1
may be packaged and transmitted to support requests for additional
information associated with health care claims, prior authorization
determinations, and other administrative processes. This standard also
supports the electronic exchange of structured clinical documentation
between health care providers, health plans, and their authorized
agents.
---------------------------------------------------------------------------
\32\ This September 2023 document was issued as technical errata
to the March 2022 document that has been referenced in an earlier
section of this final rule, and does not contain substantive changes
to the March 2022 specifications.
---------------------------------------------------------------------------
HL7 IG for CDA Release 2: Consolidated CDA Templates for
Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1,
Volume One--Introductory Material, August 2015 with 2019 June
Errata..--The standard provides introductory guidance and
implementation context for the Consolidated Clinical Document
Architecture (C-CDA) templates used to exchange structured clinical
documents. This volume describes the overall architecture, scope,
design principles, and conformance framework for implementing clinical
document templates based on the HL7 Clinical Document Architecture
Release 2. This standard also supports the interoperable exchange of
clinical documents across health information technology systems used by
health care providers, health information exchanges, and other
authorized entities.
[[Page 14383]]
HL7 IG for CDA Release 2: Consolidated CDA Templates for
Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1,
Volume Two--Templates and Supporting Material, June 2019--The standard
specifies the detailed template definitions and supporting technical
specifications for implementing Consolidated Clinical Document
Architecture (C-CDA) clinical documents. This volume defines the
structure, constraints, and required data elements for specific
clinical document templates, sections, and entries used to represent
patient clinical information using the HL7 Clinical Document
Architecture Release 2 framework. The standard also enables health care
providers, health information exchanges, and other authorized entities
to create and exchange standardized clinical documents that support the
interoperable communication of patient care information.
HL7 IG for CDA Release 2: Digital Signatures and
Delegation of Rights, Release 1, Draft Standard for Trial Use, October
2014--The standard establishes specifications for representing digital
signatures and delegation of signing authority within clinical
documents structured using the HL7 Clinical Document Architecture
Release 2 framework. The implementation guide defines mechanisms for
applying digital signatures to ensure the integrity, authenticity, and
non-repudiation of electronic clinical documents and for documenting
circumstances in which an individual signs a document on behalf of
another authorized party. These capabilities support the secure
exchange and verification of electronically signed clinical
documentation across health information technology systems.
The materials we incorporate by reference are available to
interested parties and can be inspected at the CMS Information Resource
Center, 7500 Security Boulevard, Baltimore, MD 21244-1850. The X12 IGs
are available at www.X12.org. The HL7 IGs are also available through
the internet at www.HL7.org. A fee is charged for the X12 standards.
Charging for such publications is consistent with the policies of other
publishers of standards.
Comment: A commenter requested that HHS clarify in the final rule
that, contrary to what was stated in the proposed rule (87 FR 78453),
HL7 does not charge a fee for the HL7 IGs.
Response: We appreciate the commenter's request for clarification.
In the HIPAA Standards for Health Care Attachments proposed rule, we
incorrectly stated that a fee is charged for all IGs. HL7 primary
standards and other selected products are licensed at no cost. It is
important to note that the no-cost license for HL7 standards includes
some restrictions on how the standards may be used and distributed. A
license that allows broader use is available to people and
organizations with an HL7 membership. For additional information,
access their Copyright policy. The HL7 IGs are available at no fee via
the internet at https://www.hl7.org/legal/ippolicy.cfm. By contrast,
there is a fee for the X12 standards, which are available via the
internet of X12 at www.X12.org.
Final Action: After consideration of the public comments we
received, and after consultation with the SSOs, we are finalizing the
incorporation by reference of the standards we are adopting in this
final rule in Sec. 162.2002 (c) through (e) and 162.920(a). We are
also finalizing the incorporation by reference of the IGs we are
adopting in this final rule in Sec. 162.2002(a), (b)(1), and
162.920(e).
K. Severability
This final rule implements requirements of HIPAA and the Affordable
Care Act for the adoption of standards for health care claims
attachments transactions, which will support health care claims
transactions, and a standard for electronic signatures to be used in
conjunction with health care claims attachments transactions.
To the extent a court may enjoin one provision of this final rule,
HHS intends that the other provisions should remain in effect, ensuring
the continuity of the regulations. We intend that any provision of the
requirements of this rule that is held to be invalid or unenforceable
by its terms or as applied to any person or circumstance would be
construed so as to continue to give maximum effect to the provision
permitted by law unless such holding is one of utter invalidity or
unenforceability, in which event we intend that the provision would be
severable from the other finalized provisions described in this section
and in other sections and would not affect the remainder thereof or the
application of the provision to persons not similarly situated or to
dissimilar circumstances.
If any section, subsection, sentence, clause, phrase, word,
provision or application of this final rule shall be found to be
invalid, illegal, unconstitutional, or unenforceable, that finding
shall not affect or undermine the validity of any other section,
subsection, sentence, clause, phrase, word, provision, or application
which can be enforced without the use of the offending portion of this
final rule.
IV. Out of Scope Comments
We received several comments on subjects that were outside the
scope of the proposed rule. We do not directly respond to those types
of comments because they are outside the scope of this rulemaking.
V. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), 44 U.S.C. 3501
through 3520, we are required to provide notice in the Federal Register
and solicit public comment before a collection of information
requirement is submitted to the Office of Management and Budget (OMB)
for review and approval. To fairly evaluate whether an information
collection should be approved by OMB, 44 U.S.C. 3506(c)(2)(A) requires
that we solicit comment on the following issues:
The need for information collection and its usefulness in
carrying out the proper functions of our agency.
The accuracy of our estimate of the information collection
burden.
The quality, utility, and clarity of the information to be
collected.
Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
The burden associated with the information collection requirements
contained in Sec. 162.2002 of this document are subject to the PRA.
The PRA package previously approved for the HIPAA health care
transaction standards under OMB control number 098-0866 and titled:
``CMS-R-218: HIPAA Standards for Coding Electronic Transactions'' will
be updated to include the requirements finalized in this rule. We
solicited but did not receive any comments on this collection of
information.
VI. Regulatory Impact Analysis (RIA)
A. Statement of Need
This rule finalizes the adoption of standards, in accordance with
the HIPAA Administrative Simplification statutory provisions, for the
electronic transmission of health care claims attachments. The health
care industry has made it clear via testimony to the NCVHS, WEDI
presentations, CAQH reports, public comment, National Standards Group
(NSG) listening sessions, and direct inquiry that there is a clear need
for the Secretary to adopt electronic transaction standards for claims
attachments to bring consistent and reliable communication among the
HIPAA covered entities. Because no claims attachment standard has been
adopted, health plans, health care
[[Page 14384]]
providers, clearinghouses, and health IT vendors lack the direction
needed to support broad use of automation in the attachment workflow or
for the industry to coalesce around the use of even a small number of
electronic solutions. In addition, the lack of attachment standards has
deterred parties in the health care industry from investing in system
implementations to automate the attachments workflow, requiring a large
manual administrative burden for the exchange of medical documentation.
Industry SSOs and stakeholder alliances report that automating this
process will yield substantial labor cost savings.
Comment: A commenter expressed concern regarding the assumptions in
the 2019 CAQH study cited in the proposed rule, stating that the data
in this study is questionable and based on unreasonable assumptions
given industry experience with previous standards, and that HHS cannot
justify that the net benefits of adopting health care attachment
standards will outweigh the costs to health care providers. The
commenter also stated that the cost savings to the industry cited in
the proposed rule do not account for the added cost of implementing
both FHIR (pursuant to CMS rulemaking) and X12 updates during the same
24-month period, the ability to convert each to the other,
clearinghouse costs, and ongoing maintenance of each. A commenter
stated that health care claims cannot be separated from corresponding
appeal transactions, and that the savings cited are unlikely to be
realized unless appeal attachment standards are adopted.
Response: The commenters did not provide alternative data sources
or analyses for our further consideration, and we note that our RIA in
the HIPAA Standards for Health Care Attachments proposed rule involved
a thorough analysis utilizing multiple sources. As reiterated at the
beginning of this section, this analysis was informed by our assessment
that considered the current environment, industry testimony to the
NCVHS, WEDI whitepapers, CAQH studies, survey results produced by
industry consensus-based organizations, and updated web-based research
on specific topics.
For purposes of this final rule, we have updated data and
calculations based on the 2024 CAQH Index report, focusing on health
care claims attachments.\33\ The RIAs included in the HIPAA Standards
for Health Care Attachments proposed rule and the Modifications final
rule, in addition to the CAQH Index Reports cited throughout this RIA,
only provide an estimate of the direct costs of implementation and
automation; appeals were not estimated, presumably because appeals data
are difficult to obtain. We note that this final rule applies only to
what is being adopted, which are health care claims attachments
transaction standards. We may address other transactions, including the
use of a prior authorization transaction standard in health care
attachments, in other rulemaking.
---------------------------------------------------------------------------
\33\ The Council for Affordable Quality Healthcare, Inc. (n.d.).
2024 CAQH Index Report. Retrieved from https://www.caqh.org/hubfs/Index/2024%20Index%20Report/CAQH_IndexReport_2024_FINAL.pdf.
---------------------------------------------------------------------------
The claims attachment transaction standards adopted in this final
rule cover the transmission of solicited and unsolicited attachments
related to various stages of the claims payment process, including
post-payment review activities, but do not extend to attachments used
in claims appeal processes. Costs to implement a FHIR standard fall
outside of the scope of this final rule.
B. Overall Impact
We have examined the impacts of this rule as required by Executive
Order (E.O.) 12866, ``Regulatory Planning and Review''; E.O. 13132,
``Federalism''; E.O. 13563, ``Improving Regulation and Regulatory
Review''; E.O. 14192, ``Unleashing Prosperity Through Deregulation'';
the Regulatory Flexibility Act (RFA) (Pub. L. 96-354); section 1102(b)
of the Social Security Act; section 202 of the Unfunded Mandates Reform
Act of 1995 (UMRA) (Pub. L. 104-4); and Subtitle E of the Small
Business Regulatory Enforcement Fairness Act of 1996 (the Congressional
Review Act) (5 U.S.C. 804(2)).
E.O.s 12866 and 13563 direct agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select those regulatory approaches that maximize net
benefits, including: (1) potential economic, environmental, public
health and safety, and other advantages; (2) distributive impacts; and
(3) equity. Section 3(f) of E.O. 12866 defines a ``significant
regulatory action'' as any regulatory action that is likely to result
in a rule that may: (1) have an annual effect on the economy of $100
million or more or adversely affect in a material way the economy, a
sector of the economy, productivity, competition, jobs, the
environment, public health or safety, or State, local, or tribal
governments or communities; (2) create a serious inconsistency or
otherwise interfere with an action taken or planned by another agency;
(3) materially alter the budgetary impact of entitlements, grants, user
fees, or loan programs or the rights and obligations of recipients
thereof; or (4) raise novel legal or policy issues arising out of legal
mandates, or the President's priorities.
An RIA must be prepared for a regulatory action that is significant
under section 3(f)(1) of E.O. 12866. Based on our estimates, the Office
of Information and Regulatory Affairs (OIRA) has determined this
rulemaking is significant under section 3(f)(1). In accordance with
Subtitle E of the Congressional Review Act, OIRA has also determined
that is a ``major rule'' as defined by 5 U.S.C. 804(2).
We believe that covered entities have already largely invested in
the hardware, software, and connectivity standards being adopted in
this final rule. We anticipate that the adoption of these changes will
result in costs, but that those costs will be outweighed by the
benefits that these changes will yield. Accordingly, we have prepared
an RIA that, to the best of our ability, presents the costs and
benefits of this final rule.
C. Detailed Economic Analysis
1. Anticipated Effects
The objective of this RIA is to summarize the costs and benefits of
adopting new and modified standards for the exchange of health care
claims attachment information consisting of the following provisions:
A code set to be used for health care claims attachments
transactions.
X12 standards for requesting and transmitting attachment
information and HL7 standards for clinical information content.
Electronic signatures standards.
This portion of the analysis is informed by an earlier
environmental scan produced for us in 2016 by the MITRE Corporation, a
Federally funded research and development center. Data from that
environmental scan was used since it was conducted to help develop the
HIPAA Standards for Health Care Attachments proposed rule. However, we
did not solely rely on the MITRE report. Additional data was obtained
through industry testimony to the NCVHS, whitepapers, WEDI survey
results, and updated web-based research on specific topics.\34\ Since
we did not receive any comments on the assumptions we made based on the
2016 MITRE Corporation environmental
[[Page 14385]]
scan, we continue to reference it in this final rule.
---------------------------------------------------------------------------
\34\ Guidance on Implementation of Standard Electronic
Attachments for Healthcare Transactions November 2017 Workgroup for
Electronic Data Interchange. Retrieved from https://www.wedi.org/2017/11/17/guidance-on-implementation-of-standard-electronic-attachments-for-healthcare-transactions/.
---------------------------------------------------------------------------
Consistent with statutory and regulatory requirements, any
recommendations for the adoption of HIPAA standard updates are the
outcome of an extensive, consensus-driven process that is open to all
interested parties. The standards development process involves direct,
participatory input from representatives of parties in the health care
industry that are required to utilize the transactions. Both the
standards adoption process and standards development processes are
described in detail in section II. of this final rule.
For purposes of this analysis, we use the segmentation of parties
in the health care industry laid out in the Modifications final rule,
with some additional details on vendors supporting the integration of
the administrative and clinical data. As discussed in the HIPAA
Standards for Health Care Attachments proposed rule, and again in this
final rule, health care providers and payers continue to use manual
processing for health care attachments, therefore, these interested
parties are relevant for purposes of this RIA because there is no
adopted health care claims attachments standard. As noted in the most
recent WEDI white paper, most payers send hard copy letters to request
additional information to support a claim or prior authorization
submitted by the health care provider.\35\ These segments consist of
the following:
---------------------------------------------------------------------------
\35\ Guidance on Implementation of Standard Electronic
Attachments for Healthcare Transactions November 2017 Workgroup for
Electronic Data Interchange. Retrieved from https://www.wedi.org/2017/11/17/guidance-on-implementation-of-standard-electronic-attachments-for-healthcare-transactions/.
Health Care Providers
++ Hospitals
++ Physicians
++ Dentists
++ Pharmacies
Health Plans
++ Private Health Plans and Issuers
++ Government Health Plans: Medicare, Medicaid, and Veterans
Administration
Clearinghouses
Vendors
++ Practice Management System (PMS) Vendors
++ EHR Vendors
In analyzing the effects of the proposed rule, we referenced the
2019 and 2020 CAQH Index Reports issued on January 21, 2020 and
February 3, 2021, respectively.36 37 However, for this final
rule, we are making reference to the 2024 CAQH Index Report.\38\ The
2024 CAQH Index tracks adoption of HIPAA-mandated- and other electronic
administrative transactions and measures progress related to reducing
the costs and burden associated with administrative transactions
exchanged across the medical and dental industries. The CAQH Index
includes estimates of the number of annual transactions by submission
mode (that is, phone, fax, mail, or email), electronic (that is, HIPAA
standard) or partially electronic (that is, web portals or interactive
voice response), as well as estimates of the associated labor cost and
staff time. The reported costs and savings account for the labor time
required to conduct transactions, not the time and cost associated with
gathering information or the costs associated with the use of
clearinghouses or third-party vendors.
---------------------------------------------------------------------------
\36\ The Council for Affordable Quality Healthcare, Inc. (n.d.).
2019 CAQH Index Report. Retrieved from https://www.caqh.org/sites/default/files/explorations/index/report/2019-caqh-index.pdf.
\37\ The Council for Affordable Quality Healthcare, Inc. (n.d.).
2020 CAQH Index Report. Retrieved from https://www.caqh.org/hubfs/43908627/drupal/explorations/index/2020-caqh-index.pdf.
\38\ The Council for Affordable Quality Healthcare, Inc. (n.d.).
2024 CAQH Index Report. Retrieved from https://www.caqh.org/hubfs/Index/2024%20Index%20Report/CAQH_IndexReport_2024_FINAL.pdf.
---------------------------------------------------------------------------
With respect to the category of health care providers, the report
does not provide a breakdown of the types of providers that contributed
to the survey results, but it does distinguish between medical and
dental providers and acknowledges partnering with both physician and
hospital member organizations. Thus, we believe the medical providers'
savings reported include hospital-related responses.
In contrast to the data on labor cost savings, we continue to be
unaware of any reports or other industry estimates on the level of
additional investments needed to fully implement these electronic
processes for requesting and submitting attachment information, or the
proportion of such costs that might be passed on to health care
providers or health plan firms. By reviewing testimony submitted to the
NCVHS and conducting web searches, such as for plan, clearinghouse, and
vendor EDI instructions and services, we understand some interested
parties' segments have already largely built or acquired the capacity
to implement these proposals (albeit possibly in inconsistent and
proprietary ways in the absence of federal standards). Similarly, based
on the NCVHS testimony, others (particularly health care providers and
their vendors) have partially implemented the standards.\39\ Thus, we
conclude that implementation and readiness to fully implement the
standards being adopted in this final rule will vary among and within
covered entity industry segments.
---------------------------------------------------------------------------
\39\ NCVHS Letter to the Secretary of HHS on Recommendations for
the Electronic Health Care Attachment Standard, July 5, 2016.
Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf.
---------------------------------------------------------------------------
We also believe it is likely that firms directly involved in
deploying additional capacity, particularly in upgrading PMS or EHR
functionality, will not voluntarily share proprietary and competitive
market-sensitive data on the level of additional investment needed, or
on the effects on customer fees. Therefore, as further explained in the
discussion of cost calculations, we estimate the incremental costs
involved not through projected cost build-up, but rather as a function
of the level of impact of implementing the previous HIPAA-standard
modifications. We solicited comments on this approach and on the
appropriateness of the aggregate level estimates, preferably seeking
data reflecting estimated changes to firm-specific costs and customer-
specific fees in a manner that facilitated aggregation, but we received
no response or comments.
We expect that the regulatory requirements, combined with the
administrative cost savings opportunities identified by CAQH, will
result in broad adoption of these attachment standards. The remainder
of this section provides details supporting the cost-benefit analysis
for the provisions being finalized.
2. Affected Entities
As with previous HIPAA standards updates, all HIPAA covered
entities will be affected by this final rule. Covered entities include
all health plans, all health care clearinghouses, and health care
providers that transmit health information in electronic form in
connection with a transaction for which the Secretary has adopted a
standard. Therefore, these covered entities will be required to use
these standards for transactions that they conduct electronically. See
the Transactions and Code Sets final rule for a discussion of affected
entities (65 FR 50361).
In general, covered entities (or their vendors) will incur a number
of one-time costs to implement the new transactions in this final rule.
These costs likely will include analysis of business flow changes,
software procurement or customized software development, integration of
new software into existing provider/vendor systems, staff training, and
collection of
[[Page 14386]]
new data, testing, and transition processes. For some entities, new
vendors may be needed to create and validate the clinical documentation
to be embedded in the attachment transactions. System implementation
costs will account for most of the costs, with system testing alone
likely accounting for a majority of costs for all covered entities.
Ongoing operational costs will be expected to initially grow, as the
implementation of electronic processes run in parallel with ongoing
manual and partially automated processes, but will then be expected to
decline as higher proportions of transactions are automated. These
health IT-related costs will be offset by significant reductions in
labor costs for what are, today, largely manual processes to locate,
collect, package, and mail clinical records needed to support requests
for additional documentation to support claims. Other offsetting cost
savings are expected from lower postage and other mailing costs,
reductions in reprocessing volume due to higher clean claim acceptance
rates, and delay in receiving payment.40 41
---------------------------------------------------------------------------
\40\ NCVHS Letter to the Secretary of HHS on Recommendations for
the Electronic Health Care Attachment Standard, July 5, 2016.
Retrieved from https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf.
\41\ In an RIA that, in accordance with OMB Circular A-4, takes
a society-wide perspective, changes in timing of payments represent
a transfer, rather than a net societal cost savings.
---------------------------------------------------------------------------
It is likely that there are significant differences in readiness
among payer and provider claims health IT systems, and we do not know
the extent of incremental costs associated with health IT development,
enablement (that is, upgrade or licensing fees paid by users), or
workflow adjustment and training to facilitate compliance with the
standards adopted in this final rule. So, though we are aware that the
net benefits will likely vary among interested parties, we continue to
lack the data to estimate these differential effects. An important
consideration reflected in various industry testimonies submitted to
the NCVHS is that some interested parties, particularly smaller health
care providers, will continue to have the option to leverage existing
clearinghouses to provide these information exchange services based on
negotiated rates. This is a standard practice today, where
clearinghouses already manage 85 percent of the conversion of paper-to-
electronic formats, as well as reformatting of non-compliant to
compliant electronic claim transactions for the industry. Given the
high costs of manual and partially electronic means for exchanging
required information, we believe this rule's implementation will yield
significant net industry savings. However, the level and timing of
uptake (as opposed to the retention of manual processes and
clearinghouse intermediation) by provider entities is uncertain. We
reflect this uncertainty with both the phasing in and estimation of
minimums and maximums for costs and benefits. We solicited comments in
the proposed rule on our RIA approach and assumptions.
Comment: Multiple commenters provided descriptions of additional
burdens that covered entities would experience by implementing the
policies as proposed. A commenter noted that California's Medicaid
Management Information Systems Operations will have to include new
training for call center agents and providers, new call scripts, and
possible changes to the provider manuals. Another commenter stated that
additional storage will present states with increased and expanding
costs, as Medicaid programs are not allowed to charge fees for
administering programs. Another commenter noted that there are other
impacts that must be considered when assessing the proposals outlined
in the proposed rule. The commenter provided several examples of
operational processes, workflow changes, education and training, and
additional work their institution would need to complete in order to
comply with the proposed rule.
Response: We thank commenters for their feedback. Our estimates
took into consideration business flow changes, software procurement or
customized software development, integration of new software into
existing provider/vendor systems, staff training, and collection of new
data, testing, and transition processes, and we noted previously that
some covered entities may require new vendors to create and validate
the clinical documentation to be embedded in the attachments
transactions. Our systems implementation costs account for most of the
costs, with system testing alone likely to account for many costs
estimated for all covered entities. Finally, regarding the concern
raised about the potential for states to incur additional costs, such
as administrative costs to operate the program, we encourage states to
work, as appropriate, with CMS's Center for Medicaid and CHIP Services
(CMCS) to determine if Federal Financial Participation (FFP) is
available for state administrative costs.
Comment: A commenter stated that HHS underestimated the economic
impact of this rule on all entities and expressed concern regarding the
cost of using HIPAA transaction standards without widespread adoption.
The commenter called out HHS's acknowledgement of those health plans
that do not use automation in working with medical record documentation
as part of their prior authorization request and claim adjudication
processes, with the major concern being that these plans will not
invest in the attachment standards systems and will continue to use
manual processes. The commenter therefore recommended that HHS require
that health plans invest in automation to mitigate manual processes.
Based on their prior experience with the transaction modifications
required by Version 5010 standard implementation and ICD-10
implementation, another commenter similarly stated that HHS
significantly underestimated the costs to conform to the proposed
requirements. The commenter also expressed that HHS's assumptions were
erroneous and that the X12N 275 claims standard and Version 6020 of
other transaction standards would create new implementation, revision,
and support costs for states. Another commenter stated that savings
would not be realized if payers do not also invest in systems to
eliminate manual processes to interpret documentation submitted via the
transactions.
Response: The commenters who stated that we underestimated the
rules' costs offered no substantive data or additional information to
counter our analysis. We further explain here our analysis, including
some insignificant changes--such as updating the current year labor
statistics and the use of the most recent CAQH index--that we made with
respect to costs and benefits detailed in this final rule. Also, as
discussed in section III.A. of this final rule and elsewhere, since we
are not finalizing the proposal to adopt a modification to the prior
authorization transaction standard, we do not reflect those
calculations in this RIA. In sum, we made significant efforts to ensure
the accuracy of the costs and benefits presented in this final rule.
The analysis included in the HIPAA Standards for Health Care
Attachments proposed rule was based on the analysis performed in the
Modifications final rule (74 FR 3296). The analysis was also updated
for inflation through the use of various CAQH reports. Based on the
estimates in the HIPAA Standards for Health Care Attachments proposed
rule, the inflation data were adjusted using the 2000 to 2025 Consumer
Price Index
[[Page 14387]]
(CPI).\42\ When preparing the proposed rule, although later CAQH Index
reports were available, we chose to use the 2019 report because we
believed, at that time, the estimates based on the period during the
COVID-19 public health emergency (PHE) years would have resulted in
overestimates and not be relevant to future years. We now have the CAQH
2024 report, which indeed confirms several downward trends, confirming
that the impact from the COVID-19 PHE has stabilized. Therefore, for
the purposes of this final rule, we further updated the estimates by a
factor of 23 percent, which represents a percentage increase consistent
with both inflation and the CAQH report. More specifically, using the
most recent CPI data and updating to the CAQH 2024 report (the latest
full year), we find that an additional 23 percent must be added to
account for inflation.
---------------------------------------------------------------------------
\42\ U.S. Inflation Calculator. (n.d.). Current U.S. Inflation
Rates: 2000-2026. Retrieved from https://
www.usinflationcalculator.com/inflation/current-inflation-rates/
#:~:text=To%20find%20annual%20inflation%20rates,rate%20in%202023%20wa
s%203.4%25.
---------------------------------------------------------------------------
In the proposed rule, we stated that we utilized the CAQH national
annual savings estimates as the basis for our cost estimates. The CAQH
national annual savings estimates were calculated based on the
potential savings achieved by the industry when transitioning from a
reported state of 22 percent electronic processing for attachments to
fully electronic processing. The potential cost savings by the industry
are based on the premise of cost decreases as industry adoption
increases. Although there have been previous apparent increases in
electronic processing of health care attachments, we do not trend the
benefits estimates forward because previously reported estimates of
electronic processing adoption have tended to remain stable over a
longer period. Because we believe that some portion of providers and
their vendors may take longer to move from manual to fully automated
transactions, we also assume a phased-in realization of the level of
annual benefits projected by CAQH. For the purposes of this analysis,
we generally estimate that most interested parties will realize the
benefits in labor savings over a 3-year period at the rate of 50
percent in the first operational year, 75 percent in the second
operational year, and 100 percent in and after the third year after the
compliance date. We did not elect to require that health plans invest
in automation because, with respect to the level and timing of the
uptake of these standards, we assume that some portion of providers and
their vendors may take longer to move from manual to fully automated
transactions and that could potentially cause additional financial
burden for some. Our analysis is summarized in Tables 6 and 7, which
included multiple sources for estimation of minimum and maximums for
costs and benefits and thereby accounted for the uncertainty around
certain providers choosing to retain manual processes.
We are finalizing the RIA with the revisions described in the
previous response. As this final rule will apply only to health care
claims attachments transactions, the RIA does not include the prior
authorization transaction as initially proposed.
3. Explanation of Cost Calculations
Based on consultation with industry workgroups, such as WEDI, we
determined that the health care claims attachments standards adopted in
this final rule are already in common use by entities engaged in other
lines of business that exchange medical records (for example, the
workers' compensation and liability insurance fields). Thus, there is
clear evidence that the standards are fit for their intended purpose
and have been successfully implemented in closely related business
processes.
Although the claims attachments standards we are finalizing
adoption of are initial standards, as described in section 1175 of the
Act, health plans surveyed by CAQH in 2024 reported electronic
transaction submission levels of 32 percent for attachments. Therefore,
although we had not adopted the specification for attachments requests
by the health plan (X12N 277 standard for claims transactions) and the
response from the provider (X12N 275 standard for claims transactions)
as HIPAA standards, some payer and provider systems already exchange
electronic attachments using the standards we are finalizing adoption
of in this rule. Moreover, HL7 C-CDA standards have been widely adopted
by health IT developers participating in the ONC Health IT
Certification Program; these standards are incorporated into
certification criteria that are part of the definition of a Base EHR in
45 CFR 170.102. According to the latest available posted data, as of
2021, nearly 4 in 5 (80 percent) office-based physicians had adopted a
certified EHR.\43\
---------------------------------------------------------------------------
\43\ ASTP/ONC HealthIT.gov. (n.d.). Office-based Physician
Electronic Health Record Adoption. Retrieved from https://www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records.
---------------------------------------------------------------------------
Similarly, while the standards we are adopting for electronic
signatures are also initial standards, they incorporate practices
already implemented in health-care related reporting and monitoring
systems. We anticipate that leveraging existing industry experience
will limit incremental implementation costs for providers. At the same
time, HHS continues to evaluate other electronic signature models for
potential applicability to other HIPAA transactions or broader
alignment across federal programs.
Given that some parts of the health care industry have experience
implementing requirements similar to the standards that we are adopting
in this final rule, we believe implementing these standards will be
more similar to implementing standard modifications than to
implementing transaction standards for the first time. Therefore, we
anchor our cost estimates on the final cost estimates included in the
Modifications final rule (74 FR 3322), updated for inflation, and then
make certain adjustments to address unique aspects of certain industry
segments.\44\ While the systems required for implementing the
specifications being adopted in this final rule have been continuously
updated since the publication of the Modifications final rule, the
technologies within the implementation specifications in this final
rule are of the same type as those considered there and will be
integrated into systems that continue to utilize similar business
models.
---------------------------------------------------------------------------
\44\ Cost estimate ranges from the January 2009 Modifications
final rule were adjusted for inflation using the Bureau of Labor
Statistics Consumer Price Index Inflation Calculator, to reflect
amounts for January 2020 and round up to the nearest whole number to
match benefits estimates from the CAQH 2020 Index. Retrieved from
https://www.bls.gov/data/inflation_calculator.htm.
---------------------------------------------------------------------------
The cost estimates in the Modifications final rule were based on an
estimate of the total costs to implement the initial HIPAA transaction
standards (Version 4010/4010A) and informed by industry interviews.\45\
To determine the costs for each provider sub-segment (that is,
hospitals, clinicians, and dentists), we established an estimate for
what the total approximate Version 4010/4010A costs were for an
individual entity within that sub-segment (based on the interviews and
other data available through research) and then applied an estimated
range of 20 to 40 percent of those costs to come up with estimated
minimum and maximum costs for
[[Page 14388]]
Version 5010. As discussed in the Modifications final rule, the
baseline range of 20 to 40 percent was accepted as a realistic proxy by
the providers and plans that participated in the earlier interviews
conducted to develop the regulatory cost benefit analysis (74 FR 3315).
The purpose of those interviews was to identify more granular cost
categories. It is important to note that through subsequent regulatory
actions, we have solicited comments on our baseline ranges to aid in
analyzing and validating overall cost estimates ranges by entity. Since
we did not receive any comments on our estimated ranges, we continue to
use the estimated range of 20 to 40 percent. For the purposes of this
final rule, the estimated cost for each individual entity within a
segment was then multiplied by the number of entities to establish the
estimated costs for the entire segment.
---------------------------------------------------------------------------
\45\ Version 5010 Regulatory Impact Analysis-Supplement.
September 2008. Retrieved from https://www.cms.gov/files/document/5010regulatoryimpactanalysissupplementpdf.
---------------------------------------------------------------------------
With respect to the level and timing of the uptake of these
standards, we assume that some portion of providers and their vendors
may take longer to move from manual to fully automated transactions.
For purposes of this analysis, we generally estimate that most
interested parties will incur costs over a 4-year period at the rate of
50 percent in the first implementation year, 30 percent in the second
implementation year, and 10 percent each in the third and fourth years.
We developed this 4-year model based on feedback from industry
interviews and historical data from prior standard transitions (for
example, Version 4010 to 5010). Providers and vendors consistently
shared that the largest investments are made in the first 2 years, with
a gradual tapering off in the final 2 years. It also provides a
structured approach to ensure that providers and vendors can manage
costs and resources effectively, while gradually scaling up their
automation efforts. We maintain these estimates for full implementation
in this final rule.
We note that although many commenters on the Modifications final
rule suggested that we underestimated the costs, commenters then
provided no substantive data or additional information to counter our
analysis. We are not aware of more recent public research relating to
the costs of implementing modifications to HIPAA transaction standards.
We invited public comments on our understanding and requested any
available additional data to help us determine the costs of
implementing modifications to HIPAA transaction standards more
accurately.
Comment: A commenter stated that significant resources will be
necessary to implement the rule's requirements and believed that those
costs are missing from the RIA estimates. The commenter listed the
following: (1) familiarization with the final rule; (2) requirements
definition; (3) specification documentation; (4) system and procedures
modification; (5) unit-string-system-UAT-Partner-E2E and B2B testing;
(6) software deployment; (7) companion guide, instruction manual, and
testing instruction updates; (8) website deployment; (9) outreach; (10)
trading partner coordination; and (11) preparation of educational and
notification materials.
Response: We thank the commenter for their feedback, but note the
commenter offered no substantive data for our consideration, so we
retain our analysis as is. We also reiterate, as we stated previously,
that: (1) we included in our estimates consideration of business flow
changes, software procurement or customized software development,
integration of new software into existing provider/vendor systems,
staff training, and collection of new data, testing, and transition
processes; (2) for some covered entities, new vendors may be needed for
the creation and validation of the clinical documentation to be
embedded in the attachment transactions; and (3) our systems
implementation costs considerations account for most of the costs, with
system testing alone likely accounting for a majority of costs
estimated for all covered entities.
Comment: A commenter noted HHS's assertion that entities have
already largely invested in resources to conduct the proposed new and
modified standards is untrue with respect to long-term and post-acute
care (LT-PAC) providers that were excluded from the Health Information
Technology for Economic and Clinical Health (HITECH) Act. The commenter
also noted that the full benefits of these proposed regulations will
likely not be realized by a significant number of resource-constrained
LT-PAC providers.
Response: Although LT-PAC providers were not included in the HITECH
Act, the X12 EDI transactions for health care claims attachments
adopted in this final rule are not part of CMS's Meaningful Use or
Promoting Interoperability programs, nor are those incentive programs
relevant to the transactions addressed in this analysis. However, we
believe that LT-PAC providers, like HIPAA covered entities, are likely
to have the technical infrastructure or vendors in place to support
development for the exchange of HIPAA mandated transactions and should
be able to update those systems to accommodate attachments for claims.
Should we learn that LT-PAC providers are lagging with full compliance
with the requirements of this final rule, as resources permit, HHS will
work with that industry segment.
4. Explanation of Benefits Calculations
To determine the benefits for each segment of the industry, we
primarily relied upon the 2024 CAQH Index report. Based on survey
responses, CAQH estimates that spending on labor time conducting
attachment transactions accounts for about $590 million of spending on
administrative transactions across the medical industry, with health
care providers incurring about 88 percent of this, spending at an
average cost of $6.30 for each manually processed attachment. CAQH
estimates that moving from manual to electronic attachments
transactions could save the health care industry $1.65 on average per
transaction. These estimated savings would be split between health care
providers and health plans and would be generated by the avoidance of 8
minutes in administrative labor time per attachment on average, as
medical providers reported taking an average of 11 minutes to submit an
attachment manually versus 3 minutes electronically. Comparable data on
spending and savings opportunities on attachment transactions for
dental providers were not available, although the survey reports that
only 37 percent of dental attachment transactions in 2024 were fully
electronic.
We utilized the 2024 CAQH national annual savings estimates as the
basis for our benefits estimates. The CAQH national annual savings
estimates are calculated based on potential savings moving from the
reported state of 32 percent electronic processing for attachments to
fully electronic processing. The total potential industry cost savings
opportunity is an amount that decreases as industry adoption increases.
Although there was an apparent increase in electronic processing of
health care attachments transactions from 2020 to 2024, we do not trend
the benefits estimates forward because previously reported estimates of
electronic processing adoption have tended to remain stable over a
longer period of time. The CAQH estimation methodology only includes
labor time savings, which it assesses to be, by far, the most
significant component of savings. We do not include estimates of other
sources of savings, such as through the elimination of mailing costs,
so our benefit estimates may have a tendency toward understating actual
[[Page 14389]]
industry savings.\46\ Because we believe that some portion of health
care providers and their vendors may take longer to move from manual to
fully automated transactions, we also assume a phased-in realization of
the level of annual benefits projected by CAQH. For purposes of this
analysis, we generally estimate that most interested parties will
realize the benefits in labor savings over a 3-year period at the rate
of 50 percent in the first operational year, 75 percent in the second
operational year, and 100 percent in and after the third year after the
compliance date. The 3-year implementation timeline was chosen based on
a combination of industry experience, realistic adoption timelines, and
the desire to maintain consistency between implementation costs and
savings. Past health care regulations often assumed multi-year
implementation timelines to allow for adequate industry readiness. This
3-year timeline likely reflects lessons learned from prior transitions,
where full compliance was phased in over a similar period. This
approach also ensures that both costs and benefits are realized in a
way that reflects typical patterns of adoption, while allowing for a
gradual transition and adjustment period for interested parties in the
health care industry.
---------------------------------------------------------------------------
\46\ On the other hand, CAQH developed estimates from the
experience of entities that voluntarily automated, and extrapolation
from such voluntary experience to the regulatory context may
generate a tendency toward overestimation of savings, on a per-unit
basis and/or in the aggregate. We welcomed comments that would have
facilitated refinement of estimates.
---------------------------------------------------------------------------
Comment: A commenter underscored the benefits in using electronic
authorizations such as time savings, financial savings, and a decrease
in denials due to fewer administrative denials. Another commenter
agreed with the time estimations regarding the submission of paper
records versus electronic records. The commenter noted that some
analyses of savings, such as those conducted by WEDI, do not explore
the impact on private practice physical therapists. The commenter
further noted that savings realized through implementation of the
proposals would be split between health care providers and health plans
but stated it is imperative that savings are split among those who
actually provide care and not the insurance companies which can often
stand in the way of paying for the provision of care.
Response: We thank the commenters for their feedback. The analysis
included in this final rule addresses three types of providers: (1)
clinicians; (2) hospitals; and (3) dentists. While further
differentiation among each group is possible, the assumption is that
the overall averages for each group capture the relevant utilization
patterns for each of its subgroups, and we believe that further
granularity, if the data existed, would not provide significantly
different numbers. Private practice physical therapists are included in
the group of clinicians. The commenters requesting a separate analysis
for this group did not indicate its uniqueness, nor why the overall
average for doctors does not suffice.
5. Costs and Benefits Determination for Each Industry
a. Hospitals
As previously discussed in the HIPAA Standards for Health Care
Attachments proposed rule, to determine the costs for each health care
provider sub-segment, we started with the minimum and maximum cost
estimates included in the Modifications final rule for each type of
entity. For hospitals, those estimates were within a range of $1,423
million to $2,848 million, adjusted for inflation (74 FR 3316). We
further assume that hospital health IT developers will incur these
costs, absorbing some portion of the costs as a cost of doing business
incorporated in the current level of health IT service and maintenance
agreements and passing some portion of the costs on to the hospital in
the form of higher fees for enabling new functionality. This seems
reasonable given our understanding that health IT vendors generally
plan on, and finance, a certain level of ongoing system development
through ongoing maintenance agreements, typically with annual
increases, but also must keep these at a level that remains competitive
in their niche market.\47\ In other words, not all possible systems
upgrades will be factored into current fees. We continue to have no
information on how this allocation will be made and expect there will
be many variations in practice, but, for purposes of this analysis, we
again assume a 60/40 estimated cost split, with the vendor bearing 60
percent of the implementation costs and passing the remaining 40
percent on to the customer. In the HIPAA Standards for Health Care
Attachments proposed rule, the cost estimates for hospitals were based
on a range of costs from the Modifications final rule, adjusted for
inflation, and costs were split between vendors and hospitals using
that 60/40 estimated cost split, which is in line with industry
practices. The 2024 CAQH report offers no information to alter this
hospital/vendor cost distribution, and we continue to believe that a
60/40 split ensures that implementation costs and savings realizations
are accounted for in a way that reflects the cost structure of health
care.
---------------------------------------------------------------------------
\47\ Pratt, M. (2018, May 30). The true cost of switching EHRs.
Medical Economics Journal, 96(10). Retrieved from https://www.medicaleconomics.com/view/true-cost-switching-ehrs.
---------------------------------------------------------------------------
As summarized in Table 1, this assumption results in the hospital
share of costs to be in the range of $569 million to $1,139 million,
with the remainder, in the range of $854 million to $1,709 million, to
be borne by hospital health IT vendors.
[GRAPHIC] [TIFF OMITTED] TR24MR26.000
[[Page 14390]]
To determine the benefits for hospitals, as discussed in the HIPAA
Standards for Health Care Attachments proposed rule, we refer to the
estimates of savings for medical providers reported by CAQH and assume
that hospitals will achieve 20 percent of these savings (87 FR 78462).
We continue to assume a rough 80/20 split between clinicians and
hospitals because we believe the majority of health care claims
attachments transactions will come from clinician practices, since
plans and hospitals generally have other payment requirements for more
expensive inpatient admissions and outpatient procedures, such that
claims attachments would be required less frequently. So, we estimate
the hospital share to be 20 percent of $650 million, or $130 million.
To reflect the uncertainty around the ultimate level of uptake of these
standards, we estimate a range of 25 percent below this point estimate
between $98 million to $130 million in annual savings, as summarized in
Table 2.
[GRAPHIC] [TIFF OMITTED] TR24MR26.001
With respect to timing of costs and benefits, we assume hospitals
will have both the capital and business interest to move promptly to
achieve the return on investment and will incur all costs during the 2-
year implementation period, which is the timing for HIPAA covered
entities to use the adopted standard. Hospitals will realize the full
level of annual savings in and after the first operational year
following the proposed compliance date, as summarized in Tables 5 and
6.
b. Clinicians
As discussed in the HIPAA Standards for Health Care Attachments
proposed rule (87 FR 784622), we continue to follow the same
methodology for estimating clinician costs and benefits as used in the
Modifications final rule (74 FR 3316). For clinicians, in both rules,
these cost estimates were within a range of $665 million to $1,329
million, adjusted for inflation (74 FR 3317). We assume a comparable
level of effort to implement the health care claims attachments
standards being adopted in this final rule. We further assume that
clinician practice PMS and EHR vendors will incur these costs,
absorbing some portion of the costs as a cost of doing business
incorporated in the current level of health IT service and maintenance
agreements and passing some portion of the costs on to the practices in
the form of higher fees for enabling new functionality. We again assume
a 60/40 estimated cost split, with the vendor bearing 60 percent of the
implementation costs and passing the remaining 40 percent on to the
customer. As summarized in Table 1, this results in a clinician share
of costs in the range of $266 million to $532 million, with the
remainder in the range of $399 million to $797 million to be borne by
physician PMS and EHR vendors. We further assume that some clinician
practices and their vendors may take more time to implement the
standards while continuing to use manual processes in the meantime.
Therefore, we estimate clinicians will incur these costs over a 4-year
period at a rate of 50 percent in the first implementation year, 30
percent in the second implementation year, and 10 percent each in the
third and fourth years, as summarized in Table 5.
To determine the benefits for clinicians, we again referred to the
estimates of savings for medical providers reported in the CAQH Index
reports and calculated the remaining 80 percent of these savings. CAQH
estimated the total annual savings opportunity for medical providers
for fully automating attachments transactions to be $328 million. So,
we estimate the clinician share to be 80 percent of $650 million, or
$520 million. To reflect the uncertainty around the ultimate level of
uptake of these standards, we estimate a range of 25 percent below this
point estimate, or between $390 million to $520 million in annual
savings, as summarized in Table 2. We further estimate that these
benefits in labor savings will phase in over a 3-year period at the
rate of 50 percent in the first operational year, 75 percent in the
second operational year, and 100 percent in and after the third year
after the compliance date, as summarized in Table 6.
c. Dentists
As discussed in the HIPAA Standards for Health Care Attachments
proposed rule, for dentists, we follow the same methodology for costs
as we do for clinicians (87 FR 78462). The Modifications final rule
cost estimates for dentists were within a range of $456 million to $913
million, adjusted for inflation (74 FR 3317). We assume a comparable
level of effort to implement the adopted health care claims attachments
standards. We further assume that dental practice PMS and EHR vendors
will incur these costs, absorbing some portion of the costs as a cost
of doing business incorporated in the current level of health IT
service and maintenance agreements and passing some portion of the
costs on to the dental practices in the form of higher
[[Page 14391]]
fees for enabling new functionality. We again assume a 60/40 estimated
cost split, in which the vendor will bear 60 percent of the
implementation costs and the remaining 40 percent will be passed on to
the customer. As summarized in Table 1, this results in a share of
costs for dentists in the range of $182 million to $365 million, with
the remainder in the range of $274 million to $548 million borne by
dental practice PMS and EHR vendors. As with clinicians, we further
assume that some dental practices and their vendors may take more time
to implement the standards, while continuing to use manual processes in
the meantime. Therefore, we estimate dentists will incur these costs
over a 4-year period at the rate of 50 percent in the first
implementation year, 30 percent in the second implementation year, and
10 percent each in the third and fourth years, as summarized in Table
5.
Given that the 2024 CAQH Index did not report on the potential
savings opportunity for dental providers for full automation of
attachments transactions, we take a different approach to benefits
estimation. Comments included in testimony submitted to the NCVHS
regarding the attachment standard during the 2016 NCVHS Hearing
indicated that dentists supported the proposal to make the X12N 275
transaction the standard vehicle for transporting attachment content to
dental claims.\48\ These comments also indicated that many dental PMS
vendor technologies may lack the capability to generate HL7 documents,
requiring dentists to either upgrade existing systems or find
alternative methods, such as using a clearinghouse or payer portals.
Thus, we conclude that some dentists and their PMS vendors will incur
costs associated with submitting attachment information to support
claims, and others may maintain current manual or clearinghouse-
mediated processes. Therefore, we assume that the savings opportunity
for full automation of claims attachments for dentists will be a
portion of the savings opportunity for medical providers. Since the
total number of dental entities (118,045) is about 70 percent of the
number of other provider entities (7,465 hospital establishments and
149,572 clinician firms), we estimate their savings opportunity will be
no greater than 70 percent of the annual $328 million medical provider
savings opportunity for attachments estimated by the CAQH 2024 Index.
In addition, we assume that, given the relatively smaller size of
dental practices, a greater proportion of dentists than clinicians may
choose to retain manual processes. So, as summarized in Table 2, we
estimate that the annual dentist savings opportunity is 50 percent of
70 percent of the medical provider opportunity, or $115 million (328 x
0.70 x 0.50). To reflect the uncertainty around the ultimate level of
uptake of these standards, we estimate a range of 25 percent below this
point estimate, or between $86 million to $115 million in annual
savings. As with the clinician estimates, we further estimate that
these benefits in labor savings will phase in over a 3-year period at
the rate of 50 percent in the first operational year, 75 percent in the
second operational year, and 100 percent in and after the third year
after the compliance date, as summarized in Table 6.
---------------------------------------------------------------------------
\48\ At the time this final rule was being drafted, the NCVHS
website was undergoing maintenance. NCVHS Subcommittee on Standards.
Agenda of the February 16, 2016 NCVHS Subcommittee on Standards
Hearing. Retrieved from https://ncvhs.hhs.gov/meetings/agenda-of-the-february-16-2016-ncvhs-subcommittee-on-standards-hearing/.
---------------------------------------------------------------------------
d. PMS and EHR Vendors
In testimony given in the 2016 NCVHS Hearing, WEDI noted that a new
functionality for providers implementing the attachment standards will
be automating EHR systems to exchange data with the PMS and digital
signatures.\49\ Consistent with this assessment, the 2016 MITRE
environmental scan, as discussed at the beginning of this section,
found that many EHR vendors had the capability to send X12N 275 EDI
transactions, but that substantial work remained to routinely and
reliably extract structured clinical data for C-CDA attachments. Since
that time, there has been both growth and consolidation in these
industry segments. A health care provider entity's PMS and EHR systems
may be bundled in one product offering, semi-integrated affiliated
systems, or entirely independent systems offered by separate
vendors.\50\ So, readiness will vary widely for provider entities based
on their health IT contractors.
---------------------------------------------------------------------------
\49\ At the time this final rule was being drafted, the NCVHS
website was undergoing maintenance. Transcript of the February 16,
2016 NCVHS Subcommittee on Standards. Retrieved from https://ncvhs.hhs.gov/transcripts-minutes/transcript-of-the-february-16-2016-ncvhs-subcommittee-on-standards/.
\50\ Pratt, M. (2018, May 30). The true cost of switching EHRs.
Medical Economics Journal, 96(10). Retrieved from https://www.medicaleconomics.com/view/true-cost-switching-ehrs.
---------------------------------------------------------------------------
Because developers of certified health IT are already familiar with
CDA for meeting requirements under the ONC Health IT Certification
Program, we believe all EHR vendors have some ability to extract data
for C-CDA templates, although all may not have fully implemented or
provided this functionality as part of core product offerings. A review
of some of the largest EHR vendor websites in May 2021 provided
informal evidence regarding C-CDA functionality. The results of this
analysis suggested that about 80 percent of vendors had this
functionality in place, 17 percent had at least partial functionality,
and only 3 percent seemed to have none. The many other, smaller EHR
vendors are likely in varying stages of readiness as well. Thus, we
assume that additional implementation costs may be needed to reliably
extract C-CDA documentation and to either integrate this content into
internal EDI processes or exchange the documentation with another PMS.
Similarly, we assume PMS vendors contracted with clients that have
a certified EHR have already largely developed the X12N 275 and X12N
277 standards for claims transactions, even if this functionality has
not been enabled for all customers, and that the majority of the
additional cost will be associated with receiving and managing the C-
CDA payload. Because of this pre-existing functionality, we are again
persuaded that implementing these final requirements is more akin to a
standards upgrade than implementing a new standard for the first time.
Based on the 2024 CAQH Index results that 32 percent of medical and 37
percent of dental attachment exchanges are occurring electronically, we
are aware that some provider vendors have already successfully
implemented the transmission of electronic attachments. Without data on
the extent of the gaps, or on the difference in readiness between EHR
and PMS vendors, we continue to assume similar costs across both types
of vendors and treat them together. We also assume that other
significant components of implementation costs will consist of trading
partner testing and user training.
[[Page 14392]]
The results of the estimates are described for hospitals,
clinicians, and dentists, as well as the split with their health IT
vendors, in Table 1. We estimate that PMS and EHR vendor costs will add
up across all customer segments to a range of $1,527 to 3,054 million.
We assume some vendors or their customers or both may take more time to
implement the standards. Therefore, we estimate vendors' costs will be
incurred over a 4-year period at the rate of 50 percent in the first
implementation year, 30 percent in the second implementation year, and
10 percent each in the third and fourth years, as summarized in Table
5.
We have not identified any evidence that suggests there will be
savings for this segment as a result of the changes in this final rule
and we do not include any estimates of benefits for this segment.
e. Clearinghouses
From remarks recorded at the 2016 NCVHS Hearing, we understand
that, by 2016, many entities in the clearinghouse industry had already
fully implemented the standards being adopted in this final rule and
were exchanging the transactions and clinical payloads with government
and commercial health care entities, as well as with entities in other
lines of business.\51\ Fundamental to the clearinghouse business role
is the ability to normalize disparate data formats, including both
structured and unstructured clinical data, and unwrap and convert the
data into standard or proprietary formats based on the varying
capabilities and needs of payer and provider clients. We assume that
this ability has generally become the business norm throughout the
clearinghouse industry. As a result, we assume that clearinghouses will
not have significant new technology development costs as a result of
these provisions but will have significant new trading partner testing
costs.
---------------------------------------------------------------------------
\51\ At the time this final rule was being drafted, the NCVHS
website was undergoing maintenance. Transcript of the February 16,
2016 NCVHS Subcommittee on Standards. Retrieved from https://ncvhs.hhs.gov/transcripts-minutes/transcript-of-the-february-16-2016-ncvhs-subcommittee-on-standards/.
---------------------------------------------------------------------------
To estimate clearinghouse implementation costs, we considered
information provided by a commenter, described in the Modifications
final rule, that identified as a large clearinghouse (74 FR 3318). This
commenter reported that projected costs would be at least $3.5 million
($4.3 adjusted for inflation) and would be affected by the amount of
testing that would be required with trading partners--both providers
and health plans. Based on this data point, as summarized in Table 3,
we estimate that 23 large clearinghouse entities will each incur $4.3
million in implementation costs, and that the remaining 139 smaller
clearinghouses will each incur $1.8 million in implementation costs,
for a segment total of $349 million. To reflect the uncertainty around
these projections, we estimate a range of 25 percent below and above
this point estimate of between $262 million to $436 million in total
costs. And since we assume some customers may take more time to
implement the standards, we estimate clearinghouse will incur costs
over a 4-year period at the rate of 50 percent in the first
implementation year, 30 percent in the second implementation year, and
10 percent each in the third and fourth years, as summarized in Table
5.
We have not identified any evidence that suggests there will be
savings for clearinghouses as a result of the changes in this final
rule and have not estimated any benefits for this segment.
[GRAPHIC] [TIFF OMITTED] TR24MR26.002
f. Private Health Plans and Issuers
Based on our informal web searches conducted in May 2021 for plan
websites that include EDI instructions for providers on submitting X12N
275 transactions, and the general absence of comments describing
significant implementation burden in testimony submitted to the 2016
NCVHS Hearing, we believe health plans (or their clearinghouses) have
generally already implemented the necessary technology to meet these
final requirements. That includes: (1) currently implemented X12N
transactions; and (2) at a minimum, having processes for collecting
unstructured medical record data. Such data are currently used for
auditing, risk coding validation, and other quality and utilization
management processes. The 2024 CAQH Index reports that 32 percent of
medical and 37 percent of dental attachment exchanges were occurring
electronically in 2024. In addition, we understand that all health
plans routinely collect medical record documentation from providers in
a variety of ways, including through web portals and direct access to
EHRs.\52\ These facts suggest to us that health plans have either
already automated these processes or have workarounds to manage the
receipt of this information. Thus, we believe the additional effort
associated with implementing our proposals may be limited to mapping
existing backend processes to the new transaction processing front-end
systems. Alternatively, the smaller the health plan, the more likely
that entity may rely upon a clearinghouse for administrative and
clinical data exchange and the more likely the status quo will
continue.
---------------------------------------------------------------------------
\52\ For example, see: Payer Access to EHRs: What Providers Need
to Know. Journal of AHIMA. October 9, 2019. Retrieved from https://journal.ahima.org/page/payer-access-to-ehrs-what-providers-need-to-know.
---------------------------------------------------------------------------
In testimony during the 2016 NCVHS Hearing, WEDI noted that the
functionality that will be new to payers in implementing the
attachments standards will be the use of HL7 CDA LOINC codes, and other
transport models that require different skill sets than EDI. Although
payers routinely collect medical record documentation today, this does
not necessarily mean that the ingestion, interpretation, and
integration of clinical data is fully automated. However, we do not see
evidence in testimony or public
[[Page 14393]]
comments that health plans anticipate a significant implementation
effort related to additional technology development to handle the HL7
CDA and LOINC codes required by federal adoption of attachments
standards. It is possible, given payer involvement with the rapid
evolution of clinical data exchange standards, that health plans may
not be incentivized to significantly enhance their current state of C-
CDA handling, and may instead continue to rely on current processes,
including the use of clearinghouses for intermediation where
necessary.\53\ For these reasons, we do not believe health plans will
bear as significant a level of investment for system development for
these final requirements as they did for the requirements of the
Modifications final rule. However, they will likely incur
implementation costs for trading partner testing if they exchange these
transactions directly with providers rather than via clearinghouses.
---------------------------------------------------------------------------
\53\ Final Report Of The Health Information Technology Advisory
Committee's Intersection of Clinical And Administrative Data Task
Force To The National Coordinator For Health Information Technology.
(2020, November 17) A Path Toward Further Clinical and
Administrative Data Integration. Retrieved from https://www.healthit.gov/sites/default/files/page/2020-11/2020-11-17_ICAD_TF_FINAL_Report_HITAC.pdf.
---------------------------------------------------------------------------
In light of these considerations, we assume that the costs of
implementation for health plans may be somewhat analogous to those for
clearinghouses, but generally with fewer connections to test, since
many transactions will be expected to continue to be exchanged through
existing clearinghouse connections. Therefore, as summarized in Table
4, we estimate that private health plans will incur 50 percent of
clearinghouse costs, and we increase that estimated range of $262
million to $436 million to reflect 4.8 times as many health plan
entities (772/162 = 4.8). Thus, we estimate private health plans will
incur implementation costs, driven mostly by trading partner testing,
of $838 million (349 x 0.50 x 4.8). To reflect the uncertainty around
these projections, we estimate a range of 25 percent below and above
this point estimate of between $629 million to $1,048 million.
[GRAPHIC] [TIFF OMITTED] TR24MR26.003
Given that we assume some portion of providers and their vendors
may take longer to move from manual to fully automated transactions, we
assume health plan testing costs will extend beyond the 2-year
implementation period. So, for purposes of this analysis, we estimate
that private health plans will incur costs over a 4-year period at the
rate of 50 percent in the first implementation year, 30 percent in the
second implementation year, and 10 percent each in the third and fourth
years.
In estimating the benefits of the final rule for private health
plans, we again referred to the estimates of savings reported by the
2024 CAQH Index report, but this time to those reported for plans. CAQH
estimated the 2024 national annual plan savings opportunities for
attachments. To reflect the uncertainty around the ultimate level of
uptake of these standards, we estimate a range of 25 percent below this
point estimate between $108 million to $144 million in annual savings.
We further assume that plans will realize the benefits in labor savings
over a 3-year period at the rate of 50 percent in the first operational
year, 75 percent in the second operational year, and 100 percent in and
after the third year after the compliance date, as summarized in Table
6.
g. Government Health Plans
Similar to private health plans, we believe Medicare, Medicaid (and
state CHIP agencies in states where CHIP is administered separately),
and the Veteran's Administration systems have largely implemented the
ability to receive and manage health care claims attachment
transactions through their health IT processing vendors and contracted
managed care plans and will incur costs similar to the impacts
estimated in the Modifications final rule for testing and training. We
assume these costs will again largely be borne by the contracted
vendors under existing contractual terms and agreements. Accordingly,
to calculate government health plan costs, we used the same range of
costs estimated in the Modifications final rule of $384 million to $734
million, adjusted for inflation. As discussed in the Modifications
final rule, government systems costs are expected to occur across a
number of federal and state agencies and include transition costs (73
FR 49770). For Medicare, since its cost structure is different from
private plans, total Medicare costs include those that would be
expended by the Medicare Administrative Contractors (MACs), durable
medical equipment (DME) MACs, and other contractors. The costs are
high, but the net benefit to Medicare relative to the private plans is
slightly more positive. As we do with health care providers and private
health plans, we further assume that costs will be incurred over a 4-
year period. As summarized in Table 5, we estimate costs will be
incurred at the rate of 50 percent in the first implementation year, 30
percent in the second implementation year, and 10 percent each in the
third and fourth years.
To calculate government health plan benefits, we started with the
point estimate of $238 million savings due to the standards adopted in
the Modifications final rule (74 FR 3318). To reflect the uncertainty
around the ultimate level of uptake of these standards, we estimate a
range of 25 percent below this point estimate or between $179 million
to $238 million in annual savings. As with other industry segments, and
as summarized in Table 6, we further assume government health plans
will realize the benefits in these savings over a 3-year period at the
rate of 50 percent in the first operational year, 75 percent in the
second
[[Page 14394]]
operational year, and 100 percent in and after the third year after the
compliance date.
h. Pharmacies
We believe pharmacies will generally not be impacted by the changes
in this final rule. Comments from NCPDP submitted to the 2016 NCVHS
Hearing indicated that: (1) pharmacies use the X12N 837 to bill
medications and supplies covered under the Medicare Part B program and
for professional pharmacy services covered under a medical plan; and
(2) the type of claims submitted by pharmacy providers using the X12N
837 rarely require an attachment. As a result, we assume pharmacies
will be affected by these provisions only in rare cases to support the
billing of retail pharmacy supplies and professional services claims.
Based on an NCPDP whitepaper, we further understand that a pharmacy
needing to send attachment information to support an X12N 837 claim
will generally be expected to employ existing batch processes to send
attachment information to the same clearinghouse that converts their
NCPDP billing transactions to X12N 837 Professional Claims for
formatting and transmittal in the X12N 275.\54\ Therefore, we assume
that final changes to information exchanges between clearinghouses and
health plans will continue to be managed by clearinghouses that serve
this particular market. As a result, we conclude that pharmacies will
generally not be affected by this final rule, and we estimate no costs
and benefits for this segment.
---------------------------------------------------------------------------
\54\ NCPDP White Paper on Pharmacy Professional Service Billing.
Retrieved from https://www.ncpdp.org/NCPDP/media/pdf/WhitePaper/Billing-Guidance-for-Pharmacists-Professional-and-Patient-Care-Services-White-Paper.pdf?ext=.pdf.
---------------------------------------------------------------------------
6. Summary of Costs and Benefits for This Final Rule
Tables 5 and 6 are the compilation of the estimated costs and
benefits for all the standards adopted in this final rule. Bear in
mind, except for pharmacies, all of the other industries mentioned will
incur costs over a four-year period, starting with the implementation
of the requirements finalized in this rule. On the other hand, except
for pharmacies, clearinghouses, and venders, all the other industries
will incur benefits over a 3-year period at the rate of 50 percent in
the first operational year, 75 percent in the second operational year,
and 100 percent in and after the third year after the compliance date.
These benefits, henceforth, will continue into perpetuity.
BILLING CODE 4120-01-P
[[Page 14395]]
[GRAPHIC] [TIFF OMITTED] TR24MR26.004
[[Page 14396]]
[GRAPHIC] [TIFF OMITTED] TR24MR26.005
[[Page 14397]]
BILLING CODE 4120-01-C
7. Regulatory Review Costs Estimate
One of the costs of compliance with a final rule is the necessity
for affected entities to review the rule in order to understand what it
requires and what changes the entity will have to make to come into
compliance. We assume that 451,908 affected entities (listed in Table
2) will incur some of these costs, as they are the entities that will
have to implement the final changes. The particular staff involved in
such a review will vary from entity to entity but will generally
consist of lawyers responsible for compliance activities (at all
451,908 entities) and individuals familiar with the technical X12N and
HL7 standards at the level of a computer and information systems
manager at private and government health plans, clearinghouses, and PMS
and EHR vendors (a total of 1,937 entities). Using the Occupational
Employment and Wages for May 2024 from the Bureau of Labor Statistics
for lawyers (Code 23-1011) and computer and information system managers
(Code 11-3021), we estimate that the national mean labor costs of
reviewing this rule are $175.72 and $180.76 per hour, respectively,
including overhead and fringe benefits.\55\ We estimate that it will
take approximately 2 hours for each staff person involved to review
this final rule and its relevant sections and that, on average, one
lawyer and two computer and information manager-level staff persons
will engage in this review. For each entity that reviews the rule, the
estimated costs are therefore $351.44 for lawyers, or $158.82 million
(2 hours each x 1 staff x $175.72 x 451,908) for all affected entities.
For each plan, clearinghouse, and PMS or EHR vendor, the estimated
costs are therefore $180.76 for information system managers, or $1.40
million (2 hours each x 2 staff x $180.76 x 1,937) for all affected
entities. Therefore, we estimate that the total cost of reviewing this
rule is $160.22 million ($158.82 + $1.40).
---------------------------------------------------------------------------
\55\ U.S. Bureau of Labor Statistics. (2024, May 3). May 2024
National Occupational Employment and Wage Estimates. Retrieved from
https://data.bls.gov/oesprofile/.
---------------------------------------------------------------------------
D. Alternatives Considered
This rule finalizes the adoption of standards for health care
claims attachments transactions, which support health care claims, as
required by section 1173(a) of the Act. Our understanding is that the
standards we are adopting in this rule are ready for full
implementation across industry. We considered the following regulatory
alternatives: (1) not adopt standards for health care claims
attachments, allowing for the industry's continued use of multiple
processes; (2) wait to adopt standards for health care claims
attachments until alternate standards, such as FHIR standards, are
ready for full implementation and recommended to the Secretary by the
NCVHS and industry through all the HIPAA-required processes; and (3)
adopt a different version of the X12 implementation specifications than
Version 6020, the version proposed for adoption in the HIPAA Standards
for Health Care Attachments proposed rule. We chose to proceed with the
provisions in this rule after identifying significant shortcomings with
each of these alternatives.
We chose to finalize adopting health care claims attachments
standards rather than allowing for continued use of multiple processes
because of the well-documented costs and administrative burdens
associated with the many manual or partially electronic processes
currently in use. These burdens were recently detailed in the 2024 CAQH
Index. In response to multiple CAQH surveys, parties in the health care
industry reported that the lack of federal standards and mandates has
been a principal barrier to adoption of fully electronic standardized
health care transactions.\56\ Based on these survey responses, should
we not adopt standards for health care claims attachments, most
attachments transactions would use different (non-standard) software or
electronic means, and some entities might continue to use fully manual
processes. Not adopting standards for health care claims attachments
transactions would also mean forgoing the opportunity to reduce the
unnecessary back-and-forth between health care providers and health
plans, accelerate claims adjudication and patient service approval
timeframes, and reduce provider resources spent on manual follow-up
activities.
---------------------------------------------------------------------------
\56\ The Council for Affordable Quality Healthcare, Inc. (n.d.).
2024 CAQH Index Report. Retrieved from https://www.caqh.org/hubfs/Index/2024%20Index%20Report/CAQH_IndexReport_2024_FINAL.pdf.
---------------------------------------------------------------------------
Similarly, we chose not to hold off on finalizing the adoption of
health care claims attachments standards until alternate standards,
such as FHIR standards, are available and recommended by the industry,
because we believe that adoption and implementation of the
specifications in this final rule can immediately reduce the costs and
burdens associated with the lack of national standards. While we are
aware of HL7's efforts to create alternative implementation
specifications to support health care claims attachments transactions,
we note that, at the time of writing this final rule, these FHIR
implementation specifications have not been finalized or tested. We
also note that the HL7 CDA standard we are adopting in this final rule
is the only currently available SSO-created, NCVHS-recommended standard
with published implementation specifications designed to support claims
attachments transactions. We believe that the industry's readiness for
improvements to the manual or partially electronic process currently in
place, as outlined in the multiple CAQH stakeholder surveys and
supported by the NCVHS's recommendation to adopt the specifications in
this rule, support finalizing the adoption of attachments standards at
this time. We invited comments on our understanding of the readiness of
possible implementation specifications for health care attachments that
support both claim and prior authorization transactions and whether the
industry supports postponement of an adopted standard as it had
previously. Commenters overwhelmingly agreed that it was time for
industry to adopt a health care claims attachment standard, however
they raised concerns on requiring it with the prior authorization
transaction standard.
Finally, we chose to finalize the adoption of Version 6020 of the
X12N implementation specifications, rather than an alternate version
such as Version 5010, because Version 5010 does not fully support
health care claims attachments transactions. Version 6020 resolves
technical issues and limitations in Version 5010 to enable attachments
transactions that support health care claims. We also invited comments
on any alternative implementation specifications that were not
considered but met the criteria outlined in the HIPAA Standards for
Health Care Attachments proposed rule. As stated previously, commenters
agreed that moving to Version 6020 of the X12N implementation
specifications was most appropriate for the actions being finalized in
this rule.
E. Accounting Statement
As required by OMB Circular A-4, we have prepared an accounting
statement in Table 7 showing the classification of the impact
associated with the provisions of this rule.\57\ Monetary annualized
benefits and non-budgetary
[[Page 14398]]
costs are presented using 3 percent and 7 percent discount rates, over
a 20-year time period.
---------------------------------------------------------------------------
\57\ Management and Budget Office. (2003, October 9). Circular
A-4, Regulatory Analysis. Retrieved from https://www.whitehouse.gov/wp-content/uploads/2025/08/CircularA-4.pdf.
[GRAPHIC] [TIFF OMITTED] TR24MR26.006
F. Regulatory Flexibility Analysis
E.O. 13272 requires that HHS thoroughly review rules to assess and
take appropriate account of their potential impact on small businesses,
small governmental jurisdictions, and small organizations (as mandated
by the RFA). The RFA requires agencies to analyze options for
regulatory relief of small entities, if a rule has a significant impact
on a substantial number of small entities. If a final rule has a
significant economic impact on a substantial number of small entities,
then the final rule must discuss steps taken, including alternatives
considered, to minimize the burden on small entities. The Small
Business Administration (SBA) advises that this absence of statutory
specificity allows what is significant or substantial to vary,
depending on the problem that is to be addressed in rulemaking, the
rule's requirements, and the preliminary assessment of the rule's
impact. Nevertheless, HHS typically considers a significant impact to
be 3 to 5 percent or more of the affected entities' revenues.
The RFA requires agencies to analyze options for regulatory relief
of small entities, if a rule has a significant impact on a substantial
number of small entities. For purposes of the RFA, we estimate that
``almost all,'' of the affected entities are small entities as that
term is used in the RFA (that is, small businesses, nonprofit
organizations, and small governmental jurisdictions). The great
majority of hospitals and most other health care providers and
suppliers are small entities, either by being nonprofit organizations
or by meeting the SBA's definition of a small business by having
revenues of less than $9.0 million to $47.0 million in any 1 year.
Accordingly, it is our normal practice to treat all health care
providers as small entities. For health care providers, the changes
made final by this rule may involve software upgrades for practice
management and EHR systems. Thus, we expect that the vast majority of
clinicians and other health care provider practices will need to make
relatively small changes in their systems and processes but may incur
additional service fees from their system vendors for additional
functionality. Some of the smallest provider entities may elect to
continue their current manual processes. We include pharmacies in this
analysis and consider most of them to be small businesses. While we
believe that few health plans meet the small business size standard,
many health plans are non-profit organizations and will be considered
small businesses; but we are unable to identify data to help us
distinguish the number of these entities and thus solicited industry
feedback for this final rule. We address clearinghouses, but we do not
believe that there are a significant number of clearinghouses that will
be considered small entities because of the level of consolidation in
the marketplace. Because this final rule adopts initial standards for
the exchange of both administrative and clinical documentation, we also
address provider PMS and EHR vendors in our discussion but continue to
be unable to identify data that will help identify the proportion of
firms in these markets that meet the small business size standards.
State Medicaid agencies (and state CHIP agencies in states where CHIP
is administered separately) are excluded from this analysis because
states are not considered small entities in any RFA.
Table 5 presents the estimated implementation costs that will
affect all
[[Page 14399]]
of the entities mentioned. The data in that table are used in this
analysis to provide cost information.
We have determined that the covered entities and their vendors
affected by this final rule will likely fall primarily in the
categories listed in Table 8.
[GRAPHIC] [TIFF OMITTED] TR24MR26.007
Table 9 shows the distribution of small firms and revenues.
According to this table, we can see and understand the disproportionate
impacts among small firms and between small and large firms. According
to the U.S. Census 2022 Statistics of U.S. Businesses (SUSB), the
average revenue amounts to approximately $1,007,051 for all 552,979
small businesses that earn between $9 and $47 million (see Table 8 for
the distribution). That is, the total revenue amounts to approximately
$597 billion.
[[Page 14400]]
[GRAPHIC] [TIFF OMITTED] TR24MR26.008
Table 10 combines the small firm's size and revenue data with the
cost estimates determined in this final rule to understand the economic
impact on small entities.
[[Page 14401]]
[GRAPHIC] [TIFF OMITTED] TR24MR26.009
1. Number of Small Entities
We used the most recent revenue data available from the U.S. Census
2022 SUSB to determine the number of small entities and their revenue.
[[Page 14402]]
[GRAPHIC] [TIFF OMITTED] TR24MR26.010
Based on the latest available U.S. Census 2022 SUSB data records,
we estimate that 552,979 health care provider entities may be
considered small entities either because of their nonprofit status or
because of their revenues, as detailed in Table 11. Approximately 0.27
percent (1,494) of these are hospitals, 25.58 percent (141,446) are
clinician practices, and 21.61 percent (119,497) are dental practices.
We believe that health IT systems are still more likely to differ at
the firm level rather than at the establishment level. We continue to
believe that this way of counting may overstate the number of affected
entities in these segments, given the recent trends toward
consolidation among and between provider types and toward increasing
integration of health IT systems across collaborating organizations.
However, this overestimation may compensate for other types of affected
health care providers potentially not reflected in these particular
industries. We note that ``hospitals'' include general medical and
surgical, psychiatric and substance abuse, and specialty hospitals
(NAICS 622). We further note that the number of 7,020 hospital
establishments reflected in the U.S. Census 2022 SUSB business data
roughly compares with more recent 2024 data from the American Hospital
Association (AHA) indicating a total of 6,120 US hospitals, of which
approximately 25 percent are for-profit. However, we do not have more
detail, including data on the size of the hospitals included in this 25
percent, in order to determine whether any should be excluded from the
count of small entities.
For consistency purposes, we used SUSB 2017 business data records
to obtain the number of small pharmacy firms since the code for that
provider was no longer available in the 2022 data, where such entities
were reported under multiple different codes. The 2017 data reported a
total of 18,912 small pharmacy firms.\58\ For 2022, the SUSB designates
code 803 entities as Direct Health and Medical Insurance Carriers.
Comparable data on the eight smaller Health Maintenance Organization
Medical Centers are not available due to small cell size suppression.
Although health plan firms may not qualify as small entities under the
SBA receipts size standard, they may under a non-profit status.
However, we are not aware of data that will help us understand the
relationship between health plan firms and ownership tax status to
quantify the number of such firms. Therefore, we are not including an
analysis of the impact on small health plans.
---------------------------------------------------------------------------
\58\ Note, the NAICS code for this industry changed in 2022, and
now include NAICS 454110, Electronic Shopping and Mail Order Retail
and 454390, Other Direct Selling Establishments; however, 2022
revenue data are not available. For this reason, 2017 revenue data
will be used in this analysis.
---------------------------------------------------------------------------
Clearinghouses provide transaction processing and data translation
services to both health care providers and health plans that will be
critical to implementing this final rule. The applicable NAICS category
includes many types of financial transaction processing firms other
than those affected by this rule, so the Census business data cannot be
used to identify small entities of interest. In previous rulemaking, we
have identified a largely consolidated market (74 FR 3312). More
recently, in 2024, the National Clearinghouse Association, Cooperative
Exchange, indicated its 18 member companies represent over 85 percent
of the clearinghouse industry and provide services to over 750,000
provider organizations, through more than 8,000 payer connections and
1,000 health IT vendors.\59\
---------------------------------------------------------------------------
\59\ From testimony submitted for the 7/23/2024 US Senate
Finance Committee. Retrieved from https://s3.amazonaws.com/amo_hub_content/Association618/files/Cooperative%20Exchange%20-%20Senate%20Finance%20Committee%20-%20final.pdf.
---------------------------------------------------------------------------
Other vendors affected by this rule include provider PMS and EHR
technology system vendors. Counting the affected entities in these two
segments is complicated, in part because they are increasingly
integrated. A health care provider entity's PMS and EHR systems may be
bundled in one product offering, semi-integrated affiliated systems, or
entirely independent systems offered by separate vendors.\60\ We have
not identified publicly available data on the number, size, or market
share of these specific parties in the health care industry. NAICS
industry categories 541611, PMS Vendors, or 561990, All Other Support
Services (EHR Vendors) seem to be the
[[Page 14403]]
closest categories. According to the 2022 SUSB, these categories
included over 102,686 small firms. However, this total seems out of
proportion to other potential indicators of market size, leading us to
believe it significantly overstates the affected entities of interest
to this final rule. For instance: (1) the aforementioned Cooperative
Exchange description of member firms scope cited connections with 1,000
health IT vendors; (2) in 2019, market research estimates indicated
there were over 500 vendors offering some type of EHR product; (3) the
21st Century Cures Act: Interoperability, Information Blocking, and the
ONC Health IT Certification Program final rule (85 FR 25642) estimated
the number of certified health IT developers with health IT products
capable of recording electronic health information certified in the
2015 Edition of Health IT certification criteria to be 458; and (4) the
EHR Association, a trade association of EHR companies addressing
national efforts to create interoperable EHRs in hospital and
ambulatory care settings, lists 29 companies as
members.61 62 A web search for NAICS codes associated with a
sampling of these EHR Association member companies yielded many
different NAICS codes (including some with 561990), possibly reflecting
widely varying scopes of other products and services offered by firms
in this market segment. Without more definitive data on the firms
specific to the health care provider PMS and EHR business markets, we
continue to estimate that the number of affected firms is around 1,000,
with the bulk of market share served by a relatively small number of
large entities and the remainder of market share served by many smaller
entities. However, we are still unable to determine how many of these
smaller entities may meet small business standards and are not
subsidiaries of larger firms, so we do not include them in this small
entity analysis.
---------------------------------------------------------------------------
\60\ Pratt, M. (2018, May 30). The true cost of switching EHRs.
Medical Economics Journal, 96(10). Retrieved from https://www.medicaleconomics.com/view/true-cost-switching-ehrs.
\61\ Green, J. (2019, October 18). Who are the largest EHR
vendors. EHR in Practice. Retrieved from https://www.ehrinpractice.com/largest-ehr-vendors.html.
\62\ HIMSS Electronic Health Record Association. (n.d.). EHR
Association Members. Retrieved from https://www.ehra.org/membership/ehra-members.
---------------------------------------------------------------------------
2. Costs to Small Entities
To determine the economic impact on the health care providers
considered to be small entities for this analysis (identified in the
previous section), we used the U.S. Census 2022 SUSB business data to
collect revenue estimates and compared these to the net annualized
primary cost estimates including the regulatory review costs ($14.13
million) as summarized in Table 10. When the net annualized primary
cost estimates were determined, there were $34.46 million for the
industries overall. We calculated the percentage of revenue represented
by the primary estimates, and small businesses earning less than
$100,000 exceeded the 3 to 5 percent of the revenue threshold, as
summarized in Table 10 (11.7 percent). However, overall, all of the
small businesses that earn between $100,000 or less and $499 million,
did not exceed the 3 to 5 percent of the revenue threshold. That
threshold is only 0.6 percent. If the net annualized costs are $34.46
million, then each of the 552,979 small businesses incurs a net
annualized cost of $62.32, regardless of their size by receipts. That
is, each firm would incur a cost of only $62.32. Thus, for the purposes
of this RFA, there were no disproportionate impacts among small firms,
and between small and large firms.
Therefore, for the purposes of the RFA analysis, we can conclude
there is no impact on all the small entities. As a measure of
significant economic impact on a substantial number of small entities,
HHS uses a change in revenue of more than 3 to 5 percent. None of the
small entities came close to meeting the 3 to 5 percent threshold. Even
if the regulatory review costs were included in the cost estimates, the
3 to 5 percent change in revenue would still not be reached.
As such, we do not believe that this threshold will be reached by
the requirements in this final rule. Therefore, the Secretary has
certified that this rule will not have a significant economic impact on
all the small entities identified.
Comment: A commenter expressed concern regarding HHS's assertion
that the adoption of these changes will result in benefits that will
outweigh the costs. The commenter recommended HHS consider mitigation
strategies for Special Needs Plans (SNP), such as locally committed and
smaller plans undertaking efforts to overcome challenges to comply with
the final requirements in this rule, as these entities were not
included in the analyses presented in the RIA section of the proposed
rule.
Response: While we appreciate the commenter's concern, HHS was not
provided with any alternative data to consider deriving with the
estimated costs for SNPs. Therefore, for the purposes of this response
and this final rule, we believe that SNPs fall into the category of
health plans. We included an analysis of the impact specifically on
small health plans in the proposed rule, and continue to do so in this
final rule, and we received no comments on our small health plan cost
assumptions. Moreover, as stated in section VI.C.1. of this final rule,
an important consideration reflected in various industry testimonies
submitted to the NCVHS is that some interested parties, particularly
smaller health care providers, will continue to have the option to
leverage existing clearinghouses to provide these information exchange
services based on negotiated rates. This is a standard practice today,
where clearinghouses already manage 90 percent of the conversion of
paper-to-electronic formats, as well as reformatting of non-compliant
to compliant electronic claim transactions for the industry.
However, because of the relative uncertainty in the data, the lack
of consistent industry data, and our general assumptions, we invited
public comments on the analysis, requesting any additional data that
would help us determine more accurately the economic impact on all the
industries affected by this final rule, and did not receive any. We
note that we did, where appropriate, update our calculations using
current data.
In addition, section 1102(b) of the Act requires us to prepare an
RIA if a rule will have a significant impact on the operations of a
substantial number of small rural hospitals. This analysis must conform
to the provisions of section 604 of the RFA. For the purposes of
section 1102(b) of the Act, we define a small rural hospital as a
hospital that is located outside of a metropolitan statistical area and
has fewer than 100 beds. This final rule will not have a significant
effect on the operations of a substantial number of small rural
hospitals because these entities will rely on contracted health IT
vendors for the majority of implementation investment and efforts such
hospitals elect to implement. We note that health care providers may
choose not to conduct transactions electronically. Therefore, they will
be required to use these standards only for transactions that they
conduct electronically and will be expected to do so only when the
benefits clearly outweigh the costs involved. As such, the Secretary
has certified that this final rule will not have a significant impact
on the operations of a substantial number of small rural hospitals.
G. Unfunded Mandates Reform Act (UMRA)
Section 202 of UMRA also requires that agencies assess anticipated
costs and benefits before issuing any rule
[[Page 14404]]
whose mandates will require spending more in any one year than
threshold amounts in 1995 dollars, updated annually for inflation. In
2025, this threshold is approximately $187 million. This final rule may
impose mandates that will result in the expenditure by state, local,
and tribal governments, in the aggregate, or by the private sector, of
more than $187 million in any one year. In general, each state Medicaid
agency, and each state CHIP agency in states where CHIP is administered
separately, and any other government entity that is considered a
covered entity, will be required to ensure that its contracted claim
processors update software and conduct testing and training to
implement the adoption of the new standards and modified versions of a
previously adopted standard. However, we have no reason to believe that
ongoing contractual payment arrangements for these services will
necessarily increase as a result of the proposed changes. UMRA does not
address the total cost of a rule. Rather, it focuses on certain
categories of cost, mainly federal mandate costs resulting from
imposing enforceable duties on state, local, or tribal governments, or
on the private sector; or increasing the stringency of conditions in,
or decreasing the funding of, state, local, or tribal governments under
entitlement programs.
H. Federalism
E.O. 13132 establishes certain requirements that an agency must
meet when it promulgates a final rule that imposes substantial direct
requirement costs on state and local governments, preempts state law,
or otherwise has federalism implications. This final rule will have a
substantial direct effect on state or local governments, could preempt
state law, or otherwise have a federalism implication because state
Medicaid agencies, and state CHIP agencies when administered separately
from Medicaid, or their contractors will be implementing new standards
and a modified version of an existing standard for which there will be
expenses for implementation and wide-scale testing.
I. Executive Order (E.O.) 14192, ``Unleashing Prosperity Through
Deregulation''
E.O. 14192, titled: ``Unleashing Prosperity Through Deregulation''
was issued on January 31, 2025, and requires that ``any new incremental
costs associated with new regulations shall, to the extent permitted by
law, be offset by the elimination of existing costs associated with at
least 10 prior regulations.'' This final rule is considered an E.O.
14192 regulatory action. We estimate that this final rule will generate
$333 million in annualized costs at a 7 percent discount rate, over a
perpetual time horizon.
This final rule is subject to the Congressional Review Act (5
U.S.C. 801 et seq.) and has been transmitted to the Congress and the
Comptroller General for review.
List of Subjects
45 CFR Part 160
Administrative practice and procedure, computer technology, health
care, health facilities, health insurance, health records, hospitals,
Medicaid, Medicare, and CHIP Penalties, and Reporting and recordkeeping
requirements.
45 CFR Part 162
Administrative practice and procedures, electronic transactions,
health facilities, health insurance, hospitals, incorporation by
reference, Medicaid, Medicare, and CHIP reporting and recordkeeping
requirements.
For the reasons set forth in this preamble, the Department of
Health and Human Services amends 45 CFR parts 160 and 162 to read as
follows:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
0
1. The authority citation for part 160 continues to read as follows:
Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-8, sec. 264
of Pub. L. 104 191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)),
5 U.S.C. 552; secs. 13400 and 13424, Pub. L. 111-5, 123 Stat. 258-
279, and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.
0
2. In Sec. 160.103, revise paragraph (10) of the definition of
``Transaction'' to read as follows:
Sec. 160.103 Definitions.
* * * * *
Transaction * * *
(10) Health care claims attachments.
* * * * *
PART 162--ADMINISTRATIVE REQUIREMENTS
0
3. The authority citation for part 162 continues to read as follows:
Authority: 42 U.S.C. 1320d--1320d-9 and secs. 1104 and 10109 of
Pub. L. 111-148, 124 Stat. 146-154 and 915-917.
0
4. Section 162.103 is amended by adding the definitions of ``Attachment
information'' and ``Electronic signature'' to read as follows:
Sec. 162.103 Definitions.
* * * * *
Attachment information means documentation that enables the health
plan to make a decision about health care that is not included in a
health care claims or equivalent encounter information transaction, as
described in Sec. 162.1101.
* * * * *
Electronic signature means an electronic sound, symbol, or process,
attached to, or logically associated with attachment information and
executed by a person with the intent to sign the attachment
information.
* * * * *
0
5. Section 162.920 is amended by:
0
a. Revising the introductory text and paragraph (a) introductory text;
and
0
b. Adding paragraphs (a)(19) and (20) and (e).
The revisions and additions read as follows:
Sec. 162.920 Availability of implementation specifications and
operating rules.
Certain material is incorporated by reference into this part with
the approval of the Director of the Federal Register under 5 U.S.C.
552(a) and 1 CFR part 51. To enforce any edition other than that
specified in this section, the Department of Health and Human Services
must publish a document in the Federal Register and the material must
be available to the public. All approved incorporation by reference
(IBR) material is available for inspection at the Centers for Medicaid
& Medicare Services (CMS) and the National Archives and Records
Administration (NARA). Contact CMS at: 7500 Security Boulevard,
Baltimore, Maryland 21244; [email protected];
(410) 786-6597. For information on the availability of this material at
NARA, www.archives.gov/federal-register/cfr/ibr-locations or email
[email protected]. The material may be obtained from the following
source(s):
(a) ASC X12, 7600 Leesburg Pike, Suite 430, Falls Church, VA 22043;
Telephone (703) 970-4480; www.X12.org. ASC X12N specifications and the
ASC X12 Standard for Electronic Data Interchange Technical Report Type
3:
* * * * *
(19) The ASC X12N/006020X314, Additional Information to Support a
Health Care Claim or Encounter (275), September 2014; as referenced in
Sec. 162.2002(c).
(20) The ASC X12N/006020X313, Health Care Claim Request for
Additional Information (277),
[[Page 14405]]
September 2014; IBR approved for Sec. 162.2002(d).
* * * * *
(e) Health Level Seven International (HL7), 3300 Washtenaw Avenue,
Suite 227, Ann Arbor, MI 48104; Telephone (734) 677-7777; F
www.hl7.org.
(1) HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA
Based Documents, Release 2--US Realm, Version 2.1.0.1; September 2023;
IBR approved for Sec. 162.2002(a).
(2) HL7 Implementation Guide for CDA Release 2: Consolidated CDA
Templates for Clinical Notes (US Realm) Draft Standard for Trial Use
Release 2.1, Volume One--Introductory Material, August 2015 with 2019
June Errata; IBR approved for Sec. 162.2002(b).
(3) HL7 Implementation Guide for CDA Release 2: Consolidated CDA
Templates for Clinical Notes (US Realm) Draft Standard for Trial Use
Release 2.1, Volume Two--Templates and Supporting Material, June 2019;
IBR approved for Sec. 162.2002(b).
(4) HL7 Implementation Guide for CDA Release 2: Digital Signatures
and Delegation of Rights, Release 1, Draft Standard for Trial Use,
October 2014; IBR approved for Sec. 162.2002(e).
0
6. Add subpart T, consisting of Sec. Sec. 162.2001 and 162.2002 to
read as follows:
Subpart T--Health Care Claims Attachments
Sec.
162.2001 Health care claims attachments transaction.
162.2002 Standards for health care claims attachments transaction.
Sec. 162.2001 Health care claims attachments transaction.
A health care claims attachments transaction is the transmission of
either of the following:
(a) Attachment information from a health care provider to a health
plan in support of a health care claims or equivalent encounter
transaction, as described in Sec. 162.1101.
(b) A request from a health plan to a health care provider for
attachment information.
Sec. 162.2002 Standards for health care claims attachments
transaction.
The Secretary adopts the following standards for the period on and
after May 26, 2028:
(a) For transmissions described in Sec. 162.2001, HL7 CDA Release
2: Attachment Implementation Guide: Exchange of C-CDA Based Documents,
Release 2--US Realm, Version 2.1.0.1 September 2023 (incorporated by
reference, see Sec. 162.920).
(b) For transmissions described in Sec. 162.2001(a)--
(1) HL7 Implementation Guide for CDA Release 2: Consolidated CDA
Templates for Clinical Notes (US Realm) Draft Standard for Trial Use
Release 2.1, Volume One--Introductory Material, August 2015 with 2019
June Errata (incorporated by reference, see Sec. 162.920)
(2) HL7 Implementation Guide for CDA Release 2: Consolidated CDA
Templates for Clinical Notes (US Realm) Draft Standard for Trial Use
Release 2.1, Volume Two--Templates and Supporting Material, June 2019
(incorporated by reference, see Sec. 162.920).
(c) For transmissions described in Sec. 162.2001(a), the ASC X12N/
06020X314--Additional Information to Support a Health Care Claim or
Encounter (275) (incorporated by reference, see Sec. 162.920).
(d) For transmissions described in section 162.2001(b) that pertain
to Sec. 162.2001(a) transmissions, the ASC X12N/006020X313--Health
Care Claim Request for Additional Information (277) (incorporated by
reference, see Sec. 162.920).
(e) For transmissions described in Sec. 162.2001(a), where a
health care provider uses an electronic signature, the HL7
Implementation Guide for CDA Release 2: Digital Signatures and
Delegation of Rights, Release 1, Draft Standard for Trial Use, October
2014 (incorporated by reference, see Sec. 162.920).
Robert F. Kennedy, Jr.,
Secretary, Department of Health and Human Services.
[FR Doc. 2026-05676 Filed 3-20-26; 4:15 pm]
BILLING CODE 4120-01-P