[Federal Register Volume 62, Number 195 (Wednesday, October 8, 1997)]
[Notices]
[Pages 52563-52565]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-26659]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
National Committee on Vital and Health Statistics: Publication of
Recommendations Relating to HIPAA Health Data Standards
AGENCY: Office of the Secretary, HHS.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: Section 1172 (f), Subtitle F of Pub. L. 104-191, the Health
Insurance Portability and Accountability Act of 1996, requires the
Secretary of Health and Human Services to publish in the Federal
Register any recommendation of the National Committee on Vital and
Health Statistics (NCVHS) regarding the adoption of a data standard
under that law. On September 9, the NCVHS submitted recommendations to
the Secretary relating to the unique identifier for payers, the unique
identifier for individuals, and security standards. Accordingly, the
full text of the NCVHS recommendations relating to HIPAA data standards
is reproduced below. The text of the recommendations is also available
on the NCVHS website: http://aspe.os.dhhs.gov/ncvhs/.
SUPPLEMENTARY INFORMATION: Under the Administrative Simplification
provisions of the Health Insurance Portability and Accountability Act
of 1996 (HIPAA), the Secretary of Health and Human Services is required
to adopt standards for specified administrative health care
transactions to enable information to be exchanged electronically. The
law requires that, within 24 months of adoption, all health plans,
health care clearinghouses and health care providers who choose to
conduct these transactions electronically must comply with these
standards. Further, the law requires the Secretary to submit to Congress
detailed recommendations on standards with respect to the privacy of
individually identifiable health information. In preparing these
reports and recommendations, the Secretary is required to consult with
the NCVHS, the statutory public advisory body to HHS on health data,
privacy and health information policy. On September 9, the Committee
submitted recommendations to the Secretary relating to the unique
identifier for payers, the unique identifier for individuals, and
security standards.
Accordingly, the full text of the NCVHS recommendations relating to
HIPAA data standards is reproduced below.
Recommendations Relating to the National PAYERID
September 9, 1997.
The Honorable Donna E. Shalala,
Secretary, Department of Health and Human Services, 200 Independence
Avenue, S.W., Washington, D.C. 20201
Dear Secretary Shalala: On behalf of the National Committee on
Vital and Health Statistics (NCVHS), I am pleased to forward to you
our recommendations relating to another of the health data standards
being proposed for adoption in accordance with the administrative
simplification provisions of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). The NCVHS is very pleased to
provide support, advice and consultation to you in this effort.
The NCVHS has been briefed on the proposal for the national
standard for identifiers for health plans or PAYERID, and we offer
our strong support. The proposal includes a nine digit numeric
identifier that would be assigned to all health plans. The
identifier includes a check digit and contains no embedded
intelligence. We recommend that HHS proceed to publish the proposal
for public comment without delay. In the interests of operational
efficiency and simplification, we suggest that the Department also
leave open the option of moving to an alphanumeric identifier in the
future. While public comments are likely to focus on the technical details
of the number and the optimal approach to enumeration, we have found
broad support for the proposal in general and urge you to proceed.
The Committee did identify one concern that we bring to your
attention. The PAYERID, as proposed, replaces the plan ID and sub ID
used in current transactions. The sub ID is currently used for
electronic routing, and concern has been expressed that this
function will be lost. We recommend that this functionality be
addressed before the final rule is issued.
We appreciate your national leadership in health data standards,
electronic data interchange and privacy, and we are privileged to
work with you on these issues.
Sincerely,
Don E. Detmer, M.D.,
Chair.
Recommendations Relating to the Unique Health Identifier for
Individuals
September 9, 1997.
The Honorable Donna E. Shalala,
Secretary of Health and Human Services, Washington, D.C. 20201
Dear Secretary Shalala: The National Committee on Vital and
Health Statistics (NCVHS) is responding to the requirement of
Congress to set a standard for a unique health identifier for each
individual for use in the health care system. While the NCVHS
continues to support the concept of a unique health identifier for
individuals, we believe it would be unwise and premature to proceed
to select and implement such an identifier in the absence of
legislation to assure the confidentiality of individually
identifiable health information and to preserve an individual's
right to privacy.
The selection of a unique health identifier for individuals will
become the focus of tremendous public attention and interest, far
beyond that afforded to other health privacy decisions. No choice
should be made without considerably more public notice, hearings,
and comment.
Until a new federal law adequately protects the privacy of
identifiable health information, it is not possible to make a
sufficiently informed choice about an identification number or
procedure. The degree of formal legal protection for personal health
information will have a major influence on both the decision and
public acceptance of that decision. Passage of a comprehensive
health privacy law may make the choice of an identifier easier and
less threatening to privacy.
A unique health identifier for individuals cannot be properly
protected from misuse under current law. The Committee reaches this
conclusion notwithstanding the enactment of criminal penalties for
wrongful disclosure as part of the Health Insurance Portability and
Accountability Act of 1996. Additional legislation may be required
to authorize the use of some alternatives or to provide adequate
restrictions for other alternatives.
We recommend alternative methods of identifying individuals and
linking health information of individuals for health purposes be
evaluated on the basis of the American Society for Testing and
Materials (ASTM) criteria coupled with a cost-benefit evaluation and
public comment. The committee intends to continue to receive public
comment on this issue and will revisit this issue at our November
meeting.
We appreciate your national leadership in health data standards,
electronic data interchange and privacy, and we are privileged to
work with you on these issues.
Sincerely,
Don E. Detmer, M.D.,
Chair.
Recommendations for Security Standards
September 9, 1997.
The Honorable Donna Shalala,
Secretary, Department of Health and Human Services, 200 Independence
Avenue, SW, Washington, DC 20201.
Dear Madam Secretary: The National Committee on Vital and
Health Statistics is pleased to provide recommendations on the
adoption of security standards as mandated by the Health Insurance
Portability and Accountability Act of 1996 (Public Law 104-191).
The Subcommittee on Health Data Needs, Standards and Security
held a hearing on August 5 and 6 to receive testimony from a wide
range of industry representatives on issues regarding security.
Twenty-five individuals representing professional associations,
providers, managed care organizations, vendors, consultants and
standards development organizations provided input. A list of the
witnesses is attached to this letter.
While there was consensus among the witnesses regarding the need
for security standards, testimony highlighted the evolutionary
development of information security in the health care industry.
Currently, there are poor practices in the handling of paper-based
health information and the move towards electronic storage and
transmission heightens concerns. Health care organizations have been
slow to adopt strong security practices due largely to lack of
strong management and organizational incentives. Additionally, the
lack of national privacy legislation or regulation to ensure
confidentiality of health information creates additional tensions.
Based on the testimony received and discussion at the Committee
meeting on September 8 and 9, the NCVHS has developed a series of
principles and recommendations for your consideration. Since the
standards in this area are not fully mature and have not been
extensively implemented by the health care industry, we are not
recommending adoption of specific standards.
The Committee believes that any standard that is adopted must be
technology neutral and should promote interoperability among
information systems. There are a number of factors that must be
considered in this area: the cost of implementing specific solutions
and the need for scalability according to the size of the health care entity.
In order for health information systems to be secure, there must
be:
Individual authentication of users
Every individual in an organization should have a unique
identifier for use in logging onto the organization's information
systems and each organization should have policies and procedures in
place to enforce the appropriate use and maintenance of access
methods.
Access controls
Procedures should be in place that restrict users' access to
only that information for which they have a legitimate need.
Individual organizations will have to determine the appropriate
approach that will work within their organization and balance the
interests between access and privacy.
Monitoring of access
Organizations should develop audit trails and mechanisms to
review access to information systems to identify authorized users
who misuse their privileges and perform unauthorized actions and
detect attempts by intruders to access systems.
Physical security and disaster recovery
Organizations should immediately take steps to limit
unauthorized physical access to computer systems, displays, networks
and medical records. Disaster recovery plans should include
procedures for providing basic system functions and ensuring access
to health information in the event of a natural disaster or computer
failure.
Protection of remote access points
Organizations must protect their information systems from
intruders who try to access their systems through external
communication points such as the Internet or dial-in telephone
lines.
Protection of external electronic communications
Organizations need to protect sensitive communication that is
transmitted electronically over open networks so that it cannot be
easily intercepted and interpreted by parties other than the
intended recipient.
Software discipline
Organizational procedures and educational programs should be
implemented to protect against viruses, Trojan horses and other
forms of malicious software and to raise users' awareness of the
problem.
System assessment
Organizations should formally assess the security and
vulnerabilities of their information systems on an ongoing basis.
Monitoring of integrity of data
The integrity of health information is critical to providing
quality care to patients. Organizations must implement a process to
ensure that information systems do not compromise data integrity.
There are a series of organizational practices that the Committee
believes are imperative:
scalable confidentiality and security policies and
procedures
security/confidentiality committees
designation of an information security officer in health
care organizations
education and training programs for all employees, medical
staff, agents and contractors
organizational sanctions for violation of policies and
procedures
improved patient authorization forms for disclosure of
health information
patient access to audit logs
Many of these recommendations and practices are based on the
National Research Council's report For the Record: Protecting
Electronic Health Information. In the short-term, it is recommended
that health care organizations institute a risk assessment of their
current state of compliance with these organizational and technical
practices. As industry experience evolves, the Committee suggests
that criteria be developed to evaluate and monitor compliance with
these recommendations. Organizations that license or accredit health
care organizations should consider incorporating these requirements
into their standards.
The Committee plans to continue to monitor industry compliance
and the development and maturation of technology and standards. As
standards that are fully mature and tested become available, we will
review them and recommend them for adoption.
Thank you for the opportunity to provide assistance.
Sincerely,
Don E. Detmer, M.D.,
Chair.
CONTACT PERSON FOR MORE INFORMATION: Information about the Committee as
well as the text of all HIPAA recommendations is available on the NCVHS
website or from James Scanlon, NCVHS Executive Staff Director, Office
of the Assistant Secretary for Planning and Evaluation, DHHS, Room 440-
D, Hubert H. Humphrey Building, 200 Independence Avenue S.W.,
Washington, D.C. 20201, telephone (202) 690-7100, or Marjorie S.
Greenberg, Executive Secretary, NCVHS, NCHS, Room 1100, Presidential
Building, 6525 Belcrest Road, Hyattsville, Maryland 20782, telephone
(301) 436-7050.
Dated: October 1, 1997.
James Scanlon,
Director, Division of Data Policy, Office of the Assistant Secretary
for Planning and Evaluation.
[FR Doc. 97-26659 Filed 10-7-97; 8:45 am]
BILLING CODE 4151-04-M