AGENCY:

Centers for Medicare and Medicaid Services (CMS), HHS.

ACTION:

Final rule.

SUMMARY:

This final rule establishes a standard for a unique employer identifier and requirements concerning its use by health plans, health care clearinghouses, and health care providers. The health plans, health care clearinghouses, and health care providers must use the identifier, among other uses, in connection with certain electronic transactions.

The use of this identifier will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general, by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information. It will implement some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.

EFFECTIVE DATE:

This regulation is effective July 30, 2002.

FOR FURTHER INFORMATION CONTACT:

Patricia Peyton, (410) 786-1812.

SUPPLEMENTARY INFORMATION:

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by faxing to (202) 512-2250. The cost for each copy is $9. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register. You may also obtain a copy from the following web sites: Start Printed Page 38010

http://www.access.gpo.gov/​nara/​index.html;​; http://aspe.hhs.gov/​admnsimp/​.

I. Background

Employers may need to be identified when they transmit information to health plans to enroll or disenroll an employee as a participant in a health plan. Employers, health care providers, and health plans may need to identify the source or receiver of eligibility or benefit information. Although the source is usually a health plan, it could be an employer. Employers and health plans may need to identify the employer when making or keeping track of health plan premium payments or contributions relating to an employee. In all cases, in health care transactions, where information about the employer is transmitted electronically, it will be beneficial to identify the employer using a standard identifier.

A. Legislation

The Congress included provisions to address the need for a standard unique employer identifier and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which became effective on August 21, 1996. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act a new part C, titled Administrative Simplification (Public Law 104-191) affects several titles in the United States Code. Hereafter, we refer to the Social Security Act as the Act; we refer to the other laws cited in this document by their names.) The purpose of this part is to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the electronic transmission of certain health information.

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on the Secretary, health plans, health care clearinghouses, and certain health care providers concerning electronic transmission of health information, and security and privacy.

We discussed the legislation in greater detail in a final rule for Standards for Electronic Transactions (the Transactions Rule) published on August 17, 2000 (65 FR 50312), and in a final rule for Privacy of Individually Identifiable Health Information (the Privacy Rule), published on December 28, 2000 (65 FR 82462). Rather than repeating the discussion here, we refer the reader to those documents for further information.

Section 1172 of the Act makes any standard adopted under part C applicable to (1) all health plans, (2) all health care clearinghouses, and (3) any health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173 (a)(1).

In complying with the requirements of part C of title XI, the Secretary must rely on the recommendations of the National Committee on Vital Health Statistics (NCVHS), consult with appropriate State, Federal, and private agencies or organizations, and publish the recommendations of the NCVHS in the Federal Register.

Paragraph (b) of section 1173 of the Act requires the Secretary to adopt standards for unique health identifiers for all employers (in addition to identifiers for individuals, health plans, and health care providers) for use in the health care system, and requires further that the adopted standards specify for what purposes unique health identifiers may be used.

II. Provisions of the Proposed Regulations

On June 16, 1998 (63 FR 32784), we proposed a national standard employer identifier and requirements concerning its implementation. That rule would have established requirements that health plans, health care clearinghouses, and health care providers would have to meet to comply with the requirements for use of a unique employer identifier in electronic transactions.

We proposed to add a new part to title 45 of the Code of Federal Regulations (63 FR 32784) for health plans, health care providers, and health care clearinghouses in general. The new part would have been part 142 of title 45 and would have been titled Administrative Requirements. Subpart F would have contained provisions specific to the employer identifier. In this final rule, we have codified these provisions in Part 162.

The proposed rule for the employer identifier (63 FR 32784) discussed applicability of HIPAA to all health plans, all health care clearinghouses, and those health care providers that transmit any health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act.

The Transactions Rule (65 FR 50312) contains general requirements for administrative simplification, including applicability of the regulations, general effective dates, and definitions. We refer the reader to that rule for the discussion of comments and responses and for the actual regulations that were codified in the Code of Federal Regulations for the general requirements (45 CFR part 160 Subpart A, and 45 CFR part 162 Subparts A and I). In addition, some provisions in part 160 were further revised by the Privacy Rule published on December 28, 2000 (65 FR 82462).

A. Definitions

We proposed to define “employer” as 26 U.S.C. 3401(d) does: a person (or an entity) for whom an individual performs or performed any service, of any nature, as the employee of that person (or that entity) except for the following:

(1) If the entity for whom the individual performs or performed the services does not have control of the payment of the wages for the services, the term “employer” means the entity having control of the payment of the wages.

(2) If the entity pays wages on behalf of a nonresident alien individual, foreign partnership, or foreign corporation, not engaged in trade or business within the United States, the term “employer” means that entity.

We did not receive any comments on our definition of “employer.” We note here that our proposed definition incorrectly omitted a reference to 26 U.S.C. 3401(a) of the Internal Revenue Code that is part of the definition at 26 U.S.C. 3401(d) of the Internal Revenue Code. We clarify in this rule that our definition of “employer” is as it appears in 26 U.S.C. 3401(d). We also note that the use of the term “individual” in the definition at 26 U.S.C. 3401(d) is not the same as in the final Privacy Rule. In the Privacy Rule, the word “individual” means a person who is the subject of protected health information. In the definition of employer, the word “individual” means a person who is an employee.

The EIN is defined in 26 CFR 301.7701-12. We proposed to define “Employer identification number” (EIN) as 26 CFR 301.7701-12 does: “the taxpayer identifying number of an individual or other person (whether or not an employer) which is assigned pursuant to 26 U.S.C. 6011(b) or corresponding provisions of prior law, or pursuant to 26 U.S.C. 6109, and in which nine digits are separated by a hyphen, as follows: 00-0000000.”

In this final rule, we deleted the formatting description from our definition of EIN. We continue to define EIN as the employer identification number, as assigned by the IRS. Start Printed Page 38011Deletion of the formatting description from our regulatory definition gives us flexibility, in case the IRS should decide in the future to change the format of the EIN.

B. Employer Identifier Standard

We proposed that § 142.602, National employer identifier standard, would describe the employer identifier standard. There currently exists no standard for employer identification that has been developed, adopted, or modified by a standard setting organization after consultation with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA). Therefore, we would designate a new standard.

We proposed as the standard the employer identification number (EIN), which is assigned by the Internal Revenue Service (IRS), Department of the Treasury. As stated in II. Provisions of the Proposed Regulations, A. Definitions, we define EIN as the employer identification number assigned by the IRS, and we delete the formatting description in our definition.

Proposed § 142.602 has become § 162.605.

C. Requirements

In the proposed rule (63 FR 32787), we noted that the Act does not bind employers to use the standard. However, covered health care providers, health plans, and health care clearinghouses are bound to use the standard, where required, in electronic health transactions.

1. Health plans.

In § 142.604, Requirements: Health plans, we proposed to require health plans to accept the EIN on all standard transactions and transmit the EIN on all standard transactions that require an employer identifier to identify a person or entity as an employer.

2. Health care clearinghouses.

We proposed to require in § 142.606, Requirements: Health care clearinghouses, that each health care clearinghouse use the EIN on all standard transactions that require an employer identifier to identify a person or entity as an employer.

3. Health care providers.

In § 142.608, Requirements: Health care providers, we proposed to require each health care provider to use the EIN, wherever required, on all standard transactions that require an employer identifier to identify a person or entity as an employer.

4. Employers.

In § 142.610, Requirements: Employers, we proposed to require each employer to disclose its EIN, when requested, to any entity that conducts standard electronic transactions that require that employer's identifier to identify a person or entity as an employer.

Proposed §§ 142.604, 142.606, and 142.608 have been consolidated into § 162.610, and proposed § 142.610 has been removed in this final rule.

D. Effective Dates and Compliance Dates of the Employer Identifier

We proposed that health plans would be required to comply with our requirements as follows:

• Each health plan that is not a small health plan would have to comply with the requirements of § 142.604, now consolidated into § 162.610, no later than 24 months after the effective date of the final rule. (Note, proposed § 142.104, General requirements for health plans, is addressed in the final Transactions Rule (65 FR 50369).)
• Each small health plan would have to comply with the requirements of § 142.604, now consolidated into § 162.610, no later than 36 months after the effective date of the final rule. (Note, proposed § 142.104, General requirements for health plans, is addressed in the final Transactions Rule (65 FR 50369).)
• If the Secretary adopts a modification to a standard or implementation specification, the implementation date of the modification would be no earlier than the 180th day following the adoption of the modification. The Secretary would determine the actual date, taking into account the time needed to comply due to the nature and extent of the modification. The Secretary would be able to extend the time for compliance for small health plans.
• We proposed that health care clearinghouses and health care providers must begin using the standard specified in § 142.602, now § 162.605, no later than 24 months after the effective date of the final rule.

III. Comments and Responses Concerning the Proposed Provisions

All general comments on applicability of the HIPAA standards were addressed in the Transactions Rule. These comments will not be repeated here.

There were 61 commenters on the proposed rule. These commenters included Federal and State government agencies, private organizations (including health plans and health care provider professional organizations), and individuals.

A. Employer Identifier Standard

Comment: Two commenters said there should be no regulation as to the use or non-use of the hyphen as part of the format for the EIN. Eight commenters stated the hyphen should be omitted when transmitting standard transactions. One commenter said it should be omitted on standard transactions but used in human-readable formats. One commenter stated that the use of a modifier would be beneficial for identifying specific State agencies under a single EIN; another commenter recommended that the EIN not be used with a modifier. A few commenters recommended a check digit be used with the EIN; a larger number of commenters recommended a check digit not be used.

Response: The hyphen is part of the EIN, as it is defined at 26 CFR 301.7701-12 and assigned by the IRS. The standard transaction formats use alphanumeric fields for the EIN. These fields can accommodate the EIN with or without the hyphen. The implementation guides for the standard transactions are silent on whether the hyphen must be transmitted. Most translator software can easily add the hyphen to or remove it from the EIN field within standard transactions. In spite of the flexibility of the standard transaction formats and the capability of translators to handle EINs with and without the hyphen, we believe that we should require standardization of the identifier format within the standard transactions, in order to promote simplification and savings. We further believe that it would be confusing to adopt the EIN as the standard unique employer identifier, but then to direct that the adopted standard be modified, by removing the hyphen, before use in standard transactions. It would be equally confusing to adopt “the EIN minus the hyphen” as the standard, because this identifier would still be referred to informally as the EIN, and it would not be clear when the hyphen is needed and when it is not. We believe it is advantageous to adopt the EIN exactly as assigned by the IRS. This strategy is clearer and more flexible, should the IRS, at some time in the future, modify its defined format of the EIN for any reason. We therefore require that the EIN as assigned by the IRS be used in the standard transactions, which means at present that the hyphen must be transmitted as part of the EIN.

The EIN was selected as a cost-effective choice for the standard employer identifier because the IRS is already issuing it and employers already have this identifier. The IRS has no Start Printed Page 38012project initiated at this time to modify the format of the EIN or to add a check digit to the EIN.

The presence of a check digit can help in detection of keying errors made in data entry of a number. We could have specified a check digit to be used with the IRS-issued EIN. However, we believe that in many cases where the EIN is used in standard transactions, it will be on file electronically and will not need to be inserted through data entry. Therefore, the benefits of a check digit would be modest.

Modification of the IRS-issued identifier by addition of modifiers or a check digit for use in health care transactions would require costly additional processes and would negate the benefits of using the existing IRS infrastructure; therefore, we do not add modifiers or a check digit to the IRS format.

Comment: Several commenters thought that the EIN was proposed to identify health care providers. Some stated that the EIN was not specific enough to uniquely identify health care providers. Others expressed privacy concerns if the EIN were used to identify health care providers.

Response: The same entity may have multiple roles in health care transactions. On May 7, 1998, we proposed that the National Provider Identifier, not the EIN, be adopted to uniquely identify health care providers (63 FR 25320). The EIN will be used to identify an entity in the employer role. For example, a hospital may be both an employer and a health care provider. The hospital would use its EIN to identify itself when conducting transactions in an employer role, for example, making premium payments on behalf of its employees. When making claims for health care services furnished, it would use its National Provider Identifier.

Comment: Several commenters thought that the EIN was proposed to identify the patient's health plan or insurance coverage. One commenter stated one identifier should be used for both payer and employer. One commenter stated it would be confusing to use a different identifier for employee welfare benefit plans and employers, since such plans are sponsored by employers.

Response: The EIN will be used to identify an entity acting in the employer role in standard transactions. It will not identify the patient's health plan or insurance coverage. It will not replace the group number, account number, policy number, or subscriber number. Although it is true that the employee welfare benefit plans are often sponsored by employers, the EIN will be used to identify only the employer, not the health plan. In a future proposed rule, HHS intends to propose a health plan identifier to identify health plans. Employee welfare benefit plans would be identified by a health plan identifier.

Comment: Several commenters supported the choice of the EIN. Two commenters stated the EIN did not meet the 10 criteria established for selection of a standard under the Act.

Response: Of the two commenters stating that the EIN did not meet the criteria (see 65 FR 50351-50352 for the list of criteria), one commenter was not specific about how the EIN did not meet the criteria. The second commenter incorrectly believed that the EIN was being proposed to identify the insurance coverage of a patient rather than to identify an employer in standard transactions.

B. Requirements

Comment: One commenter stated that we should clarify the meaning of the terms “required” and “situational.” Many commenters stated that the usage of the EIN of the employer in health care transactions was unclear and requested clarification, i.e., whether the EIN was required, situational, etc. One commenter said the EIN of the employer should be a situational data element on all electronic data interchange (EDI) transactions. Several commenters stated that the EIN should be required only on transactions exchanged between an employer and a health plan. Several commenters said they needed clarification on which transactions would use the EIN.

Response: As used with respect to a data element in a standard transaction, the word “required” means that the data element is required according to the standard implementation guide for that transaction. The word “situational” means that the data element or choice of a specific code value is required if the data condition described in the standard implementation guide occurs. For purposes of this rule, if use of the employer identifier is situational and the data condition occurs, the EIN is considered to be required.

The X12N Version 4010 transaction implementation guides are the authority for specific information on the use of the EIN to identify the employer in X12N transactions. The following summarizes use of the EIN to identify the employer in X12N transactions:

• X12N 270/271 Eligibility for a Health Plan—Situational (Used to identify the employer as the source of eligibility information when the employer maintains that information.) (Note: Although the implementation guide does support the use by employers, and the information receiver can be identified specifically as an employer, employer participation in this transaction is not a HIPAA business purpose.)
• X12N 276/277 Health Care Claims Status—Situational (Used to identify the employer in worker's compensation claims. This usage covers situations where the employer is considered the subscriber for a patient when the claim is a result of a work-related injury or illness. In this circumstance, the health care provider and health plan are using the standard named in the final Transactions Rule although this is not required by the Final Rule because one or both are not covered entities or this is a business purpose not covered under the final Transactions Rule. In most cases, the health care provider will already know the EIN because it will have a relationship with the employer for worker's compensation cases or because provision of the EIN is required by local, State, or other regulation.)
• X12N 820 Health Plan Premium Payments—Situational (Used to identify an entity who is an employer as the remitter of the premium or as the entity to which the premium payment applies.)
• X12N 834 Enrollment and Disenrollment in a Health Plan—Required (when used to identify the sponsor of the health plan when the sponsor is an employer.) Situational (when used to identify the employer of a person covered under a health plan when that employer is not the sponsor. The non-sponsor employer is identified only when the contract between the sponsor and the health plan requires that the sponsor report this information.)

An employer identifier is not used to identify an entity as an employer in the following X12N standard transactions:

• X12N 278 Referral Certification and Authorization
• X12N 835 Health Care Payment and Remittance Advice
• X12N 837 Health Care Claims or Equivalent Encounter Information— Dental
• X12N 837 Health Care Claims or Equivalent Encounter Information—Professional
• X12N 837 Health Care Claims or Equivalent Encounter Information—Institutional

The EIN of the employer is optional in the NCPDP retail pharmacy transactions. The implementation guides for the NCPDP transaction standards are the authorities for specific information on the use of the EIN of the Start Printed Page 38013employer in the NCPDP standard transactions.

Comment: Many commenters expressed concern that health care providers would be required to report the EIN of the patient's or subscriber's employer on standard transactions. They requested more specific data related to the costs to health care providers of reporting these EINs. They noted that health care providers do not routinely obtain and patients do not generally know these EINs. Some commenters noted that, with the exception of the X12N 834 enrollment transaction, the X12N implementation guides specify the employer identifier is situational in all occurrences. Health care providers are not a party to the X12N 834 and thus would not be required to report a patient's employer's EIN. Many commenters therefore recommended that all references to the use of employer identifiers by health care providers be deleted from the regulation. One commenter noted that third party administrators sometimes require health care providers to report the employer on eligibility transactions, and that subcontracting health care providers in Provider Sponsored Organizations sometimes direct eligibility transactions to the employer. Some commenters stated that if health care providers were required to report or use the EIN of the patient's employer, health insurance cards should carry this EIN; otherwise, health cards should not carry the EIN.

Response: Health care providers do not conduct the X12N 834 enrollment transaction, the only standard transaction where the employer identifier is required. In all standard transactions that a health care provider might conduct, the employer identifier is either not a permitted value or is one of a choice of alternate values. In the situations where the employer identifier may be used in a standard transaction used by covered entities under HIPAA, the employer identifier is used only if the party being identified is an employer and its identifier has been given to the health care provider as the electronic transaction identifier for the employer as an information source in an eligibility transaction. The standard transaction for eligibility inquiry and response does not contain data elements for identifying the subscriber's employer. We expect that health care providers will be able to obtain the EIN from the employer, as is the current practice, for the limited cases when an EIN is needed in covered standard transactions initiated by the health care provider.

Comment: Some commenters stated that employers may not want to disclose their EINs and requested that the final rule explicitly state the penalties for an employer that does not disclose its EIN. Some were concerned that the EIN may not be accessible to parties needing the EIN for health care transactions. One commenter said that because of administrative costs, employers will not want to provide their EINs. Another commenter stated that employers would be so overwhelmed by requests for their EINs that they would place them on everything to limit staff time required for answering these requests.

Response: These concerns were generated because commenters incorrectly thought that EINs would be required in transactions initiated by health care providers or others who would not know the EIN. Although identification of the subscriber's employer was part of the data content of the institutional health care claim transaction in the proposed Transactions Rule, that data element was removed from the institutional health care claim transaction that was adopted by the final Transactions Rule. In fact, the EIN will be used, for the most part, in transactions initiated by the employer itself. The EIN is required for the enrollment in a health plan standard transaction, which is usually initiated by employers (which are not covered entities). In other transactions, such as the eligibility for a health plan transaction, the employer identifier only occurs in conjunction with the use of the standard transaction between one or more organizations who are noncovered entities under HIPAA, or as one of the possible choices of identifiers for the employer. In the eligibility for a health plan transaction, the employer identifier can be used as one of the permitted identifiers for the employer as the source or receiver of eligibility information. Thus, when a health care provider is initiating the eligibility for a health plan transaction to an employer, in the process of determining the proper electronic routing identifiers and other electronic identifiers, the health care provider has the opportunity to obtain an EIN if required by the employer as its electronic routing or other electronic identifier. We believe that use of the EIN will not generally create compliance problems for covered entities.

We had proposed to require each employer to disclose its EIN, upon request, to any covered entity that needed to use that employer's EIN in a standard transaction. This requirement is not adopted in this final rule because employers are not covered entities under the Administrative Simplification provisions of HIPAA. However, we believe that employers will have a strong incentive to continue the common business practice of providing their EINs voluntarily in those rare cases where it is not already known in order to maintain or improve the efficiency of administrative processes.

Comment: Many commenters thought that the EIN of the patient's employer or of the patient would be required in health care claim and encounter transactions. These commenters stated that use of the EIN in these transactions is an invasion of privacy, both personal and medical. Several commenters stated that implementation of a national standard employer identifier will permit unwarranted Federal monitoring of patient care and linking of medical records through employers. They stated that the possibility of Federal monitoring and linking of medical records will create barriers of distrust between doctors and patients and between employers and employees. They stated use of the EIN will eventually lead to a numbering system on citizens that will make it easier to track citizens from one employer to another, build citizen profiles, or discriminate against citizens based upon health status. One commenter thought that the use of the EIN would result in the collection of centralized medical records and had potential for abuse. Several commenters stated this regulation was an improper role of government. Several commenters said they would like to shelve the proposed rule, while others said there should be a nationally publicized hearing or that the use of the EIN should go to a public vote and not be decided by the government. Several commenters were concerned about the security of medical records stored in central computer locations. One commenter supported a “Patients' Bill of Rights” with enforcement through the court systems. One commenter requested clarification of penalties for patients who refuse to give the names or EINs of their employers. One commenter said that States should not be required to give employers access to benefit information. This commenter stated this would be unacceptable, based on confidentiality and administrative burden.

Response: Many commenters misunderstood the proposed application of the employer identifier. The inclusion of the employer identifier is optional in the NCPDP retail pharmacy claim. The employer identifier is not used at all to identify an entity as an employer in the X12N standard health care claim or equivalent encounter information transactions. It is used Start Printed Page 38014primarily to identify employers that are sending or receiving transactions for enrollment in a health plan or payment of premiums. Those transactions do not carry information about the treatment of individuals. We do not believe the employer identifier will facilitate federal monitoring of patient care, collection of central medical records, or tracking of citizens. We do not believe it will lead to barriers of distrust between doctors and patients, or between employers and employees. HHS proposed standards for security of health information, including medical records, in a proposed rule (63 FR 43242) published on August 12, 1998. HHS also adopted standards for privacy of individually identifiable health information in the Privacy Rule (65 FR 82462) published December 28, 2000. We do not require patients to give the EIN of their employers to anyone or require States to give employers access to benefit information.

Comment: One commenter recommended the revision of §§ 142.604 and 142.608 as follows: “Each health plan/health care provider must accept and transmit the national employer identifier of any employer that must be identified in any standard transaction.” One commenter stated that § 142.606 should be deleted since clearinghouses do not collect, validate, or supply data elements to the transaction.

Response: We agree that §§ 142.604 and 142.608 should be revised for clarity. We do not agree that § 142.606 should be deleted because health care clearinghouses are covered entities and are required to use the standards, but we made a similar revision as that made to §§ 142.604 and 142.608. These revisions are reflected in § 162.610.

C. Implementation Concerns

Comment: One commenter recommended HHS notify employers of this proposal for national use of EINs.

Response: Employers are not covered entities, and this rule places no requirements upon them. In many cases, employers already use the EIN to identify themselves in standard transactions. Use of the EIN by employers in standard transactions will continue to be voluntary. While employers are not covered entities under this rule, health plans are free, as part of their business arrangements with employers, to require employers to use the standard transactions and to provide their EINs for this purpose. We have provided public notice of this proposal by publication of the proposed rule in the Federal Register on June 16, 1998 (63 FR 32784) and by publication of this final rule in the Federal Register.

Comment: Several commenters requested clarification of the employer enumeration process and how information in the employer identifier system would be maintained. They also stated that timely and accurate updates to this system are critical to accurate public health data collection efforts. One commenter wanted confirmation that the plans for authenticating prior to the IRS's issuance of an EIN would remain the same as today. It was suggested that one or more centers be established to answer questions about the employer identifier and redirect questions to the IRS or other Departments.

Response: The IRS maintains the EIN enumeration system and database, and makes information on the EIN available through its web site at http://www.irs.ustreas.gov/​. The IRS authentication, enumeration and update processes and the IRS enumeration system will not be changed as a result of this regulation. The IRS answers questions about the EIN through its web site. HHS answers questions about the Administrative Simplification regulations through its web site at http://aspe.hhs.gov/​admnsimp.

Comment: One commenter asked whether the EIN is always the same as the taxpayer identifying number.

Response: The taxpayer identifying number may be an EIN, a Social Security Number, or an IRS individual taxpayer identification number. The IRS, at 26 CFR 301.7701-12, defines the Employer Identification Number as “the taxpayer identifying number of an individual or other person (whether or not an employer) which is assigned pursuant to section 6011(b) or corresponding provisions of prior law, or pursuant to section 6109, and in which nine digits are separated by a hyphen, as follows: 00-0000000.”

Comment: A commenter wanted to know the IRS policy on reusing an EIN.

Response: Currently, the IRS does not reuse EINs; that is, it does not assign a previously used EIN to a new applicant for an EIN. IRS Publication Number 1635, “Understanding Your EIN, Employer Identification Numbers,” includes information on business and corporate changes that would allow continued use of an organization's EIN or would require issuance of a new EIN. This publication can be ordered by calling (800) 829-3676 or can be downloaded from the IRS web site at http://www.irs.ustreas.gov/​plain/​bus_​info/​pub1635.html.

Comment: Several commenters recommended the use of an online EIN database and suggested an IRS directory be established. Several commenters recommended use of a standards-based directory schema. Another stated it would be necessary to have a directory only if transactions other than the X12N 834 Health Care Benefit Enrollment were to require use of the EIN. This commenter stated the X12N 834 transaction would not require a directory since it is initiated by employers.

Response: For the most part, the EIN will be used in HIPAA transactions initiated by the employer. The employer will know its own EIN; therefore, an on-line public directory will not be necessary. In the few cases where a standard transaction that requires an employer's identifier is initiated by an entity other than the employer, we expect that the entity will obtain the EIN from the employer, as is the current practice.

Comment: A concern was raised by one commenter about the length of time it would take to receive an EIN and how both Medicare and Medicaid claims would be paid if the employer did not have an EIN. One commenter said that the proposed rule makes electronic transmissions impossible for any employer that lacks an EIN or refuses to disclose its EIN. Two commenters suggested that the IRS determine those employers that do not already have EINs and that HHS require those named by the IRS to obtain EINs. Another commenter suggested that instructions be made available on what to do if an employer does not have an EIN. One commenter stated that employers utilizing Social Security Numbers for tax reporting purposes should be required to apply for EINs.

Response: Many of these concerns were based on an incorrect belief that the patient's employer's EIN would be required in standard claim transactions. Actually, the patient's employer's EIN is not included in the X12N standard claim transactions and is optional in the NCPDP retail pharmacy claim. We know of no situation where an employer identifier would be required in a standard transaction and the employer would not have an EIN. The employer identifier is used in standard transactions to identify the employer of employees who are subjects in the transaction. Any business that pays wages to one or more employees is required to have an EIN as its taxpayer identifying number. A sole proprietor who has no employees or who files no excise or pension tax return is the only business person who is not required to obtain an EIN; a sole proprietor with no employees would not need to be identified as an employer in standard transactions. The IRS publication, Start Printed Page 38015“Understanding Your EIN, Employer Identification Numbers,” Publication 1635, states that the IRS generally assigns an EIN within 4-5 weeks of receiving an application by mail or assigns an EIN immediately via the tele-TIN telephone process. For the telephone number in each state, see the “Where to Apply” section in Publication 1635. Publication 1635 can be downloaded from the IRS web site at http://www.irs.ustreas.gov/​plain/​bus_​info/​pub1635.html or can be ordered by calling (800) 829-3676.

Comment: One Medicaid State agency requested clarification on whether Medicaid State agencies would use the EIN when making health plan premium payments or when making capitation payments to managed care plans. Other commenters had concerns of how health plan sponsors that are not employers would be identified in standard transactions. One commenter requested that the description on how to obtain an EIN (63 FR 32793) be expanded to include those non-employer entities that will need an identifier for HIPAA transactions.

Response: HIPAA requires that the Secretary adopt a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. If the Medicaid State agency is making premium payments or capitation payments as an employer on behalf of its own employees, it would use its EIN. The law does not provide for adoption of a standard identifier for health plan sponsors that are not employers but that may enroll or make premium payments on behalf of other persons. We recognize that in some situations, the EIN is used to identify health plan sponsors that are not employers. This practice will not be affected by this final rule.

Comment: One commenter asked how foreign employers would be identified in standard transactions.

Response: Foreign employers are treated the same as all other employers under this rule. In this rule, we have intentionally adopted a definition of “employer” that is identical to the definition used by the Internal Revenue Service in 26 U.S.C. 3401(d). This definition covers foreign employers who pay wages to employees for whom tax withholding is required by the IRS. For purposes of this rule, it is important that any employer that enrolls or disenrolls employees in a health plan or that makes premium payments on behalf of employees to a health plan be able to be identified by the standard employer identifier. Since any business that pays wages to one or more employees is required to obtain an EIN as its taxpayer identifying number, we know of no employer that would not be able to be identified by an EIN when enrolling or disenrolling employees in a health plan or making premium payments on behalf of employees to a health plan.

Comment: In the proposed rule (63 FR 32793) we noted that some employer organizations have more than one EIN. We asked for comment on whether one EIN should be used consistently in health care transactions. One commenter noted that in some cases employer organizations with multiple EINs may be doing business with multiple health plans and using a different EIN with each plan, resulting in coordination of benefits problems. Several commenters recommended that specific guidelines be defined for using a single EIN across the board in health-related transactions. Several commenters stated that the use of multiple EINs would not be a problem. Several commenters made suggestions on which EIN should be designated for use in health care transactions, for example, the one that appears on the IRS Form W-2, Wage and Tax Statement, of the employee that is a subject of the transaction, the one that identifies the employee's employment address, or the one with the lowest numeric value. Some commenters noted that the intended purpose of the employer identifier is to identify the employer and that the employer should decide which EIN to use. Several commenters suggested that an IRS publication include information on IRS protocols for multiple EINs. Two commenters requested information about the IRS maintenance of EINs when corporate changes such as mergers occur.

Response: When a business entity is a consolidated group consisting of several corporations, each corporation may be separately identified for certain Federal tax reporting purposes, and may have its own EIN. The consolidated group may also have an EIN, under which it files a consolidated income tax return. For any relationship of an employer to an employee of that employer, only one unique EIN designates the employer. The standard unique employer identifier of an employer of a particular employee is the EIN that appears on that employee's IRS Form W-2, Wage and Tax Statement, from the employer.

The IRS regulations at 26 CFR 301.7701 contain definitions of entities that may be identified for Federal tax purposes. The instructions accompanying IRS Form SS-4, “Application for Employer Identification Number,” detail the kinds of entities that must have EINs and the situations that require an entity to obtain a new EIN. IRS publication 1635, “Understanding Your EIN, Employer Identification Numbers,” gives further information on business or corporate changes that do and do not require an entity to obtain a new EIN. IRS publications can be downloaded from the IRS web site at http://www.irs.ustreas.gov/​plain/​forms_​pubs/​index.html or ordered by calling (800) 829-3676.

Comment: One commenter was concerned about possibly conflicting Federal and State regulations for use of the EIN.

Response: This commenter did not note any particular conflicts in use of the EIN and we are not aware of any conflicts. Section 1178 of the Act discusses the effect of the Administrative Simplification provisions on State law. The general rule is that the standards adopted under the Act supersede any contrary provision of State law. For a more detailed discussion of the statutory preemption provisions and the regulatory implementation of those provisions, see 65 FR 82480 through 82481 and 65 FR 82579 through 82588.

D. Approved Uses

Comment: One commenter stated that the regulations should not require the EIN on “past” health information. Another commenter expressed concern over the lack of guidelines and controls in dissemination and use of EINs for health care purposes. These commenters said that the regulation should clearly define the approved uses and cross-refer to penalties for misuse.

Response: This regulation does not require use of the EIN in transactions conducted before the compliance date. HHS intends to publish a proposed rule concerning enforcement of the HIPAA standards. Civil penalties for failure to comply with requirements and standards are covered in Section 1176 of the Act. Criminal penalties for misuse of an employer identifier are covered in Section 1177 of the Act.

Comment: One commenter questioned if the EIN would replace the United Business Identifier used in non-health transactions. Another asked if the EIN would replace other employer identifiers, or be used in addition to them.

Response: This rule does not address non-health care transactions. We cannot speak to the issue of what will happen in such transactions. The EIN is the only employer identifier in standard transactions. Start Printed Page 38016

Comment: Some commenters were concerned that employers would not want to use their EINs because of privacy issues. One commenter stated that effective security and confidentiality measures should protect the EIN. Three commenters stated that health data organizations and public policy researchers should have access to the EIN for public health surveillance. They wanted this access to be clarified.

Response: The confidentiality of the EIN is protected under the Internal Revenue Code. Section 26 U.S.C. § 6103 provides that, generally, taxpayer return information, including taxpayer identity (which includes a taxpayer identifying number), must be kept confidential and may not be disclosed by, among others, federal officers or employees, except as permitted by Title 26.

In this rule we make no changes to the existing access that health data organizations and public policy researchers have to the EIN. Health data organizations and researchers desiring access to data from a Federal system of records that contains the EIN should address their requests to the Freedom of Information Act official in the agency responsible for the system.

E. The Specific Impact of the Employer Identifier

Comment: One commenter stated that the cost to implement the EIN would add to premiums paid by individuals and their families. Several commenters said the expense and resources to implement this identifier are greater than estimated. One commenter stated that more specific data related to the exact costs to health care providers should be made available for public comment prior to publication of the final rule.

Response: Those concerned with the cost of the identifier consisted primarily of commenters that incorrectly thought that health care providers would be required to use the EIN on health care claims. As noted in our previous responses, the EIN will be used primarily by employers on transactions they initiate; therefore, we do not expect the costs to be higher than those estimated in the proposed rule. When the employer identifier is used in standard transactions initiated by entities other than the employer, we expect that these entities will obtain the EIN from the employer, as is the current practice.

IV. Provisions of Final Rule

We are implementing the employer identifier standard, which we now refer to as the standard unique employer identifier, as we proposed in the proposed rule, incorporating minor revisions. Any revisions are noted in Section VI (Summary of Changes to the Proposed Rule).

V. Implementation of the Standard Unique Employer Identifier

A. Obtaining an EIN

The Internal Revenue Service (IRS) maintains the process for assigning EINs. A business can obtain an EIN by submitting, to the Internal Revenue Service, Internal Revenue Service Form SS-4, Application for Employer Identification Number. Any business that is required to furnish a taxpayer identification number (generally one that pays wages to one or more employees) must use an EIN as its taxpayer identifying number. (26 CFR 301.6109-1(a)(1)(ii)(C)). A sole proprietor who has no employees or who files no excise or pension tax returns is the only business person who does not need to have an EIN as the taxpayer identifying number. We know of no situations where an employer having employees would not be able to obtain an EIN. The EIN is currently the employer identifier in most widespread use in the enrollment and disenrollment in a health plan, the eligibility for a health plan, and the health plan premium payment transactions. Employers are not required by the Act to use the EIN or conduct standard transactions. However, we believe that many employers will find that it will be to their advantage to do so.

B. Approved Uses

The IRS, in a letter to us dated January 16, 1998, stated that “the use of the EIN as a unique identifying number in all health care transactions would not present a problem for the (Internal Revenue) Service in any way.” The IRS further expressed the “hope that the use of the EIN in this capacity will bring about the consistency and accuracy that are required for these types of transactions.” Two years after adoption of this standard (3 years for small health plans) covered entities must use the EIN as the employer identifier in the health-related financial and administrative transactions for which standards have been adopted by the Secretary under 45 CFR Subchapter C that require an employer identifier. We note that employers that are not health plans, health care clearinghouses, or health care providers are not bound by the Act, and use of the EIN by employers to identify themselves in the employer role is voluntary.

Examples of approved uses in standard health care transactions are the following:

• Employers could use their EINs to identify themselves in transactions making health plan premium payments to health plans on behalf of their employees.
• Employers could use the EIN to identify themselves or other employers as the source or receiver of information about eligibility.
• Employers could use their EINs to identify themselves in transactions to enroll or disenroll their employees in a health plan.

VI. Summary of Changes to the Proposed Rule

We changed the title of this regulation from National Standard Employer Identifier to Standard Unique Employer Identifier to accurately reflect the requirement under the Act for the Secretary to adopt a standard unique health identifier for each employer for use in the health care system.

We deleted the formatting description from the definition of EIN. We continue to define EIN as the employer identification number as assigned by the IRS.

We clarified that our definition of employer is as it appears in 26 U.S.C. 3401(d).

We removed the requirement for each employer to disclose its EIN, upon request, to covered entities that need to use that employer's EIN in standard transactions.

We consolidated the requirements for health care providers, health plans, and health care clearinghouses in § 162.610.

VII. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 30-day notice in the Federal Register and solicit public comment on a collection of information requirement submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:

• Whether the information collection is necessary and useful to carry out the proper functions of the agency.
• The accuracy of the agency's estimate of the information collection burden.
• The quality, utility, and clarity of the information to be collected.
• Recommendations to minimize the information collection burden on the Start Printed Page 38017affected public, including automated collection techniques.

We are soliciting public comment on each of these issues for the following section of this document that contains information collection requirements.

Subpart F—Standard Unique Employer Identifier

§ 162.610 Requirements for covered entities

Discussion

While this standard would replace the use of multiple identifiers, resulting in a reduction of burden, the requirement to use and disclose information using this standard meets the definition of an agency-sponsored third-party disclosure under the Paperwork Reduction Act of 1995 (PRA). However, the burden associated with the routine or ongoing use of this requirement is excluded under the definition of “burden” at 5 CFR 1320.3(b)(2). Health care clearinghouses do not normally obtain or use the EIN except to reformat it as part of translating one transaction format to another. Adoption of the EIN does not require any changes to the way health care clearinghouses process employer identifiers. Thus, the cost of this regulation for health care clearinghouses is negligible.

As explained earlier in this document in section III. Comments and Responses Concerning the Proposed Provisions, health care providers do not conduct the only standard transaction in which the employer identifier is a required data element. In standard transactions that include the employer identifier and which may be conducted by a health care provider, the employer identifier use is situational. In such transactions, if the employer identifier is not known by the health care provider, the health care provider does not have to furnish it. The cost of this regulation for health care providers, therefore, is negligible.

The remaining burden associated with this requirement, which is subject to the PRA, is the initial one-time burden on health plans and covered health care providers to modify their current computer systems.

In most cases where a health plan would need to use an employer identifier, the health plan would have received the identifier on an incoming transaction from the employer. We estimate the one-time burden over a 3-year period on the estimated 2.55 million health plans to modify their current computer systems software would be 2 hours/$60 per entity, for a total burden of 5.1 million hours/$153 million. The maximum annual burden would be 5.1 million hours divided by 3, or 1.7 million hours, and $153 million divided by 3, or $51 million. These figures are based on the assumption that this and the other burden calculations associated with HIPAA, Title II systems modifications, may overlap. This average also takes into consideration that: (1) this standard may already be in use by several of the estimated entities; (2) modifications may be performed in an aggregate manner during the course of routine business and/or; (3) modifications may be made by contractors such as practice management vendors, in a single effort for a multitude of affected entities.

As required by section 3504(h) of the Paperwork Reduction Act of 1995, we have submitted a copy of this document to the Office of Management and Budget (OMB) for its review of these information collection requirements.

Centers for Medicare & Medicaid Services, Office of Information Services, DCES, SSG, Attn: John Burke, Room N2-14-26, 7500 Security Boulevard, Baltimore, MD 21244-1850; ATTN: CMS 0047-F

   and

Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503, Attn: Brenda Aguilar, CMS Desk Officer

VIII. Final Impact Analysis of the Employer Identifier

We have examined the impacts of this rule as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132. Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). We estimate the total maximum annual costs for all health plans to modify their computer systems software to implement the employer identifier standard to be $51 million per year, for 3 years. Therefore, we do not believe that this rule is a major rule under Executive Order 12866 or 5 U.S.C. 804(2).

Section 1102(b) of the Act requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 604 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a Metropolitan Statistical Area and has fewer than 100 beds. We have determined that this final rule will not have a significant impact on the operations of a substantial number of small rural hospitals.

We note that the costs and savings for the administrative simplification standards were presented in the final Transactions Rule (65 FR 50350). Due to a lack of data that would permit an analysis of each individual standard, the Department chose to analyze the impact of all of the standards in total, with the exception of the privacy standards. As the effect of any one standard is affected by the implementation of other standards, it can be misleading to discuss the impact of one standard by itself. Therefore, we have done an impact analysis on the total effect of all the standards in the final Transactions Rule (65 FR 50350). This employer identifier rule is expected to represent a minor portion of the costs or savings expected from the administrative simplification standards, because of the voluntary nature of the use of this identifier by employers and the limited use of an employer identifier in standard transactions conducted by covered entities.

A. Unfunded Mandates

This final rule has been reviewed in accordance with the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1501 et seq.) and Executive Order 12866. Section 202 of UMRA requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditure in any 1 year by State, local, or tribal governments, in the aggregate, or by the private sector, of $110 million. As discussed in the combined impact analysis published at 65 FR 50350, HHS estimates that implementation of the administrative simplification standards overall will require the expenditure of more than $110 million by the private sector. However, we do not believe the implementation of the employer identifier standard to be a significant regulatory action under UMRA.

B. Regulatory Flexibility Analysis

The Regulatory Flexibility Act (RFA) of 1980, Pub. L. 96-354, requires us to prepare a regulatory flexibility analysis Start Printed Page 38018if the Secretary certifies that a regulation would have a significant economic impact on a substantial number of small entities. On November 17, 2000, the Small Business Administration (SBA) published a final rule (65 FR 69432) changing the small business size standards for the health care industry. This SBA final rule became effective December 18, 2000. The size standards that the SBA now uses are those defined by the North American Industry Classification System. Prior to that, the SBA used size standards as defined by the Standard Industrial Codes. The size standard is no longer a uniform $5 million in annual revenues for all components in the health care sector. Rather, the size standard now ranges from $6 million to $29 million. The regulatory flexibility analysis for the employer identifier is linked to the aggregate regulatory flexibility analysis for all the administrative simplification standards that appeared in the final Transactions Rule published on August 17, 2000, which predated the SBA change. It is appropriate, for the purposes of this rule, to continue to use the $5 million small business size standard that was in effect at the time of publication of the final Transactions Rule. Nonprofit organizations are considered small entities. Small government jurisdictions with a population of less than 50,000 people are also considered small entities. Individuals and States are not considered small entities.

We do not believe that this regulation will have a significant economic impact on a substantial number of small entities. The EIN is already one of the identifiers most frequently used to identify the employer in electronic health care transactions. Most clearinghouses, including small clearinghouses, already have the ability to accept and transmit the EIN when an employer identifier is required. Many health plans and health care providers already use the EIN to identify the employer in any transactions that require an employer identifier. Their current practice is to obtain the EIN from the employer, if they are the initiator of the transaction and they do not already know the EIN. We believe these entities will incur few conversion costs as a result of this regulation. There are few situations when an employer identifier is required in standard transactions initiated by health plans and no such situations for those initiated by health care providers. Converting from other employer identifiers to the EIN primarily involves the database administration task of substituting one record identifier for another in a limited number of records, which is not a costly activity. Therefore, we believe this regulation will not impose a significant economic impact on small health plans or small health care providers that convert their systems to use the EIN to identify the employer in those few situations. As stated in the Collection of Information Requirements section in this rule, we estimate the total maximum annual costs for all health plans to modify their computer systems software to be $51 million per year, for 3 years. Employers are not bound by the Act to use the standards; therefore, any use of the EIN by employers will be voluntary. Most of the use of the employer identifier in transactions will be voluntary use by employers in transactions they initiate. Therefore, we believe this regulation will not impose a significant economic impact on small employers.

C. Executive Order 12866

In accordance with the provisions of Executive Order 12866, this final rule was reviewed by the Office of Management and Budget.

This portion of the impact analysis relates specifically to the standard that is the subject of this regulation—the employer identifier. This section describes specific impacts that relate to the employer identifier. As we indicated in the introduction to this impact analysis, however, we do not associate the specific costs and savings to the specific standards.

1. Affected Entities

a. Health Care Providers

In all standard transactions conducted by the health care provider, the employer identifier is not used or is situational. The employer identifier is used only if the data condition described in the implementation guide occurs. In the instances when an EIN could be used by a health care provider, the EIN is situationally required only if the entity being identified is an employer and the identifier is known to the health care provider. We expect health care providers will obtain the EIN from the employer in these limited cases. However, if the health care provider cannot obtain the EIN, then the data condition has not been met and its use is not required. There are no situations in which an employer identifier is required in a standard transaction initiated by a health care provider. Any negative impact on health care providers generally will be related to the initial implementation period for health care providers that currently use an identifier other than the EIN to identify the employer in electronic health transactions. Those health care providers will incur implementation costs for converting systems from use of other employer identifiers to use of the EIN. Some health care providers will incur those costs directly and others will incur them in the form of fee increases from billing agents and health care clearinghouses.

b. Health Plans

Health plans that engage in electronic commerce will have to modify their systems to use the EIN if they do not currently use the EIN to identify the employer in standard electronic health transactions that require an employer identifier. In most cases, health plans currently obtain and use the EIN of the employer in those standard transactions that require an employer identifier. Health plans currently using an employer identifier other than the EIN will have a one-time cost impact. We estimate the total maximum cost for all health plans to be $51 million per year, over 3 years, to make these systems modifications.

c. Health Care Clearinghouses

Health care clearinghouses will have to modify their systems to use the EIN if they do not currently use the EIN to identify the employer in standard electronic health transactions that require an employer identifier. In most cases, health care clearinghouses currently use the EIN of the employer in those standard transactions that require an employer identifier. Health care clearinghouses currently using an employer identifier other than the EIN will have a one-time cost impact.

2. Effects of Various Options

a. Guiding Principles for Standard Selection

The implementation teams charged with designating standards under the statute have defined, with significant input from the health care industry, a set of common criteria for evaluating potential standards (see 65 FR 50351-50352). These criteria are based on direct specifications in HIPAA, the purpose of the law, and principles that support the regulatory philosophy set forth in Executive Order 12866 of September 30, 1993, and the Paperwork Reduction Act of 1995.

We assessed the various options for an employer identifier against those criteria with the overall goal of achieving the maximum benefit for the least cost. We found that the EIN met all the criteria. No other alternative employer identifier is in widespread Start Printed Page 38019use. No other alternative met a majority of the criteria, especially those supporting the regulatory goal of cost-effectiveness. We assessed the costs and benefits of the EIN, but we did not assess the costs and benefits of other identifier options, because they did not meet the criteria.

b. Need To Convert

All covered health care providers, health plans, and health care clearinghouses that do not currently use the EIN to identify the employer in electronic health transactions that require an employer identifier would have to convert. Because the EIN is currently in widespread use as an employer identifier throughout the industry, adopting the EIN would not require conversion for most health care providers, health plans or health care clearinghouses. The selection of the EIN imposes a far smaller burden on the industry than any nonselected option and presents significant advantages in terms of cost-effectiveness, universality, and flexibility.

c. Complexity of Conversion

The first two digits of the EIN reflect the issuing Internal Revenue district. However, the EIN does not rely significantly on embedded intelligence (coded information that is part of the identifier) to identify the specific employer. For those health care providers, health plans, and health care clearinghouses that must convert to use the EIN, the complexity of the conversion would be significantly affected by the degree to which their processing systems currently rely on employer identifiers that contain embedded intelligence. Converting from one identifier that contains no embedded intelligence to another is less complex than modifying software logic to obtain needed information from other data elements. However, the use of an identifier that does not contain embedded intelligence meets the guiding principle of assuring flexibility.

In general, the shorter the identifier, the easier it is to implement. It is more likely that a shorter identifier, such as the EIN, would fit into existing data formats.

The selection of the EIN does not impose a greater burden on the industry in terms of the complexity of conversion than the nonselected options.

Executive Order 13132 of August 4, 1999, Federalism, published in the Federal Register on August 10, 1999 (64 FR 43255) requires us to ensure meaningful and timely input by State and local officials in the development of rules that have Federalism implications. Although the proposed rule (63 FR 32784) was published before the enactment of this Executive Order, the Department consulted with State and local officials as part of an outreach program early in the process of developing the proposed regulation. The Department received comments on the proposed rule from State agencies and from entities who conduct transactions with State agencies. Many of the comments referred to the costs incurred by State and local governments that will result from implementation of the HIPAA standards. We assume that government entities will have these costs offset by future savings, consistent with our projections for the private sector (see the combined impact analysis (65 FR 50350)). A Congressional Budget Office analysis made the following points: States are already in the forefront of administering the Medicaid program electronically, Medicaid State agencies can compensate (for these costs) by reducing other expenditures, and the Federal Government pays a portion of the cost of converting State Medicaid Management Information Systems.

Other comments regarding States expressed the need for clarification as to when State agencies were subject to the standards. Responses to comments from States and State organizations regarding the employer identifier standard are found elsewhere in this preamble.

In complying with the requirements of part C of title XI, the Secretary established interdepartmental implementation teams that consulted with appropriate State and Federal agencies and private organizations. These external groups consisted of the NCVHS' Subcommittee on Standards and Security, the Workgroup for Electronic Data Interchange (WEDI), the National Uniform Claim Committee (NUCC), the National Uniform Billing Committee (NUBC) and the American Dental Association (ADA). The teams also received comments on the proposed regulation from a variety of organizations, including State Medicaid agencies and other Federal agencies.

List of Subjects

45 CFR Part 160

• Electronic transactions
• Health
• Health care
• Health facilities
• Health insurance
• Health records
• Medicaid
• Medical research
• Medicare
• Reporting and recordkeeping requirements

45 CFR Part 162

• Administrative practice and procedure
• Electronic transactions
• Health facilities
• Health insurance
• Hospitals
• Incorporation by reference
• Medicaid
• Medicare
• Reporting and recordkeeping requirements

For the reasons stated in the preamble of this final rule, 45 CFR subchapter C is amended to read as follows:

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

A. Part 160 is amended as follows:

1. The authority citation for part 160 continues to read as follows:

Authority: Secs. 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

2. Section 160.103 is amended by republishing the introductory text and adding the definitions of “EIN” and “Employer” in alphabetical order to read as follows:

PART 162—ADMINISTRATIVE REQUIREMENTS

B. Part 162 is amended as follows:

1. The authority citation for part 162 continues to read as follows:

Authority: Secs. 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

Subparts B Through E—[Reserved]

2. Subparts B through E are reserved.

3. A new subpart F, consisting of §§ 162.600, 162.605 and 162.610, is added to read as follows:

Subpart F—Standard Unique Employer Identifier

Subparts G Through H—[Reserved]

4. Subparts G through H are reserved.