A proposed HIPAA Rule change for 2023 was an early Christmas gift from the Health and Human Services Department (HHS)! On December 21, 2022, HHS released a proposed rule covering the standards for covered entities to transmit attachments electronically. The rule also describes how covered entities can electronically sign documents for authentication purposes.
In this Article …
- A Proposed HIPAA Rule Change Long in the Making
- Some Technical Background About Standards
- Major Provisions of the Proposed HIPAA Rules for 2023
- Supporting Electronic Healthcare Attachments
- The Proposed HIPAA Rule Change and Electronic Signatures
- Timing of the Proposed HIPAA Rule Changes
- Will the New HIPAA Rules Save Anyone Money?
A Proposed HIPAA Rule Change Long in the Making
The original HIPAA act of 1996 mentioned establishing electronic standards for health claims attachments and referral certification and authorization.
But the first standards issued did not address either of these components of health information. Fourteen years later, Section 1104(c)(3) of the Affordable Care Act (ACA) in 2010 reinforced the requirement for rules that cover other financial or administrative transactions. The ACA even specified that a Health Claims Attachment rule be consistent with the X12 Version 5010 transaction standards. Clearly, Congress had become much more sophisticated in drafting HIPAA-related provisions!
Now, twelve years later we have clarification through a proposed new rule in HIPAA.
Some Technical Background About Standards
Many of the clarifications in this HIPAA rule modification are technical, so we need to understand some background information.
X12 is an organization that develops and maintains standards for the electronic exchange of business-to-business transactions. It is accredited by the American National Standards Institute (ANSI), a not-for-profit that controls the development of standards for processes, services, and products in the United States. It also works to ensure that US standards are compatible with international standards.
X12 focuses on electronic standards specific to the insurance industry, including health insurance. X12’s Version 5010 updated the standards for electronic transactions for HIPAA covered entities. It was adopted by HHS in 2009. Most covered entities were required to adopt it by 2012.
Health Level Seven International (HL7) is a standard-setting organization (SSO) that develops and maintains standards for the exchange, integration, sharing, and retrieval of electronic health information. It focuses mainly on clinical data and interoperability between healthcare information systems. Finally, there is the Regenstrief Institute. This SSO maintains a proprietary code set called LOINC®. The Logical Observation Identifiers Names and Codes system is used to identify individual clinical results and other clinical information.
In the Proposed HIPAA Rule change, all of these standards come to bear.
Major Provisions of the Proposed HIPAA Rules for 2023
The first change to note is the definition of “attachment information” for health claims. HHS proposes to define attachment information as “documentation that enables the health plan to make a decision about health care.” It also specifies that this is information that is not included in claims or encounter data, or in referral certification and authorization transactions.
Second, HHS wants to specify the use of LOINC® code set for coding attachment information.
Supporting Electronic Healthcare Attachments
The proposed new HIPAA rules also contain standards for electronic healthcare attachments. Here, HHS is proposing adopting the X12 standards for the transmission of attachment information. It also wants to adopt Version 6020 of the code set, stating this code set is more compatible with the other changes it is proposing. HHS also proposes using HL7 standards to address the clinical content of attachment information.
These standards are important for enabling electronic requests and responses to authorization requests. Authorization requests are among the least electronically automated processes in healthcare, often because of the need to send attachment information with the request. In fact, HHS is proposing to replace the terminology “health claims attachments” from the original HIPAA law. Instead, it will use “health care attachments” to reflect the broader scope of electronic information being transmitted and received.
The proposed rule also specifies that X12N 277 be the format for health plans to request attachment information from providers. This standard contains a field for a claim number assigned by the health plan so documents sent in response can be associated with the claim. There is also a field for a LOINC® code to identify the specific attachment information the plan is requesting. Hopefully, this will cut down on denials for lack of medical records submitted.
And X12 275 is a standard for Additional Information to Support a Health Care Claim or Encounter. This standard will be mandated for use by providers when responding to a request for additional information to support a claim.
There are other proposals related to the adoption of HL7 Implementation Guides for Clinical Document Architecture that are already in use in the Certified Electronic Health Record Technology standards.
The Proposed HIPAA Rule Change and Electronic Signatures
HHS proposes defining an electronic signature as “an electronic sound, symbol or process, attached to or logically associated with attachment information and executed by a person with the intent to sign the attachment information.” HHS is proposing the use of the HL7 Digital Signatures Guide as the standard for electronic signatures. This standard supports authentication, message integrity, and nonrepudiation. These are three principles HHS identified as important in electronic signatures.
HHS is not specifying what documents must be signed and by whom. It expects health plans will decide on their own requirements for the authentication of attachment information.
Timing of the Proposed HIPAA Rule Changes
About the only timing of these proposed HIPAA Rule modifications that is certain is the period of time to submit comments: from now until March 21, 2023. Of course, HHS has extended comment periods in the past and has sometimes spent considerable time between the closure of the comment period and the issuance of a final rule. Proposed final rules have even been withdrawn after publication due to public pressure. For instance, HHS issued a proposed rule that would have required covered entities to provide an accounting of disclosures of all uses of protected health information. This would have included uses for treatment, payment and operations. The rule was withdrawn after a large volume of comments on how unworkable this would be for covered entities.
Will the New HIPAA Rules Save Anyone Money?
HHS cites research by the Council for Affordable Quality Healthcare (CAQH) that savings from fully electronic processing of prior authorizations with healthcare attachments could save as much as $454 million annually. Electronic healthcare claims attachments could save as much as $374 million per year. For many providers, getting requested medical records information reliably and accurately to health plans would be a big plus. And for health plans, receiving healthcare attachments for claims or authorization purposes would also be a boon. All parties can benefit, even if the savings are overstated.
Even after the proposed rule is finalized, it will be some time before EHR vendors incorporate these capabilities into their systems. But it’s nice to see some movement on these implementation issues percolating for years and years!