AGENCY:

Office of the Secretary, Department of Health and Human Services (HHS).

ACTION:

Proposed rule.

SUMMARY:

This rule would implement requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act of 2010, enacted on March 30, 2010—collectively, the Affordable Care Act. Specifically, this proposed rule would adopt standards for “health care attachments” transactions, which would support both health care claims and prior authorization transactions, and a standard for electronic signatures to be used in conjunction with health care attachments transactions. To better support the use of the proposed standards for attachments transactions with prior authorization transactions, this rule also proposes to adopt a modification to the standard for the referral certification and authorization transaction (X12 278) to move from Version 5010 to Version 6020.

DATES:

To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on March 21, 2023.

ADDRESSES:

In commenting, please refer to file code CMS-0053-P. Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission.

You may submit comments in one of three ways (please choose only one of the ways listed):

1. Electronically. You may submit electronic comments on this regulation to http://www.regulations.gov. Follow the “Submit a comment” instructions.

2. By regular mail. You may mail written comments to the following address ONLY: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-0053-P, P.O. Box 8013, Baltimore, MD 21244-1850.

Please allow sufficient time for mailed comments to be received before the close of the comment period.

3. By express or overnight mail. You may send written comments to the following address ONLY: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-0053-P, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.

For information on viewing public comments, see the beginning of the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT:

Daniel Kalwa, (410) 786-1352. Geanelle G. Herring, (410) 786-4466. Christopher Wilson, (410) 786-3178.

SUPPLEMENTARY INFORMATION:

Inspection of Public Comments: All comments received before the close of the comment period are available for viewing by the public, including any personally identifiable or confidential business information that is included in a comment. We post all comments received before the close of the comment period on the following website as soon as possible after they have been received: http://www.regulations.gov. Follow the search instructions on that website to view public comments. CMS will not post on Regulations.gov public comments that make threats to individuals or institutions or suggest that the individual will take actions to harm the individual. CMS continues to encourage individuals not to submit duplicative comments. We will post acceptable comments from multiple unique commenters even if the content is identical or nearly identical to other comments.

I. Executive Summary

A. Purpose

This rule proposes to adopt a set of standards for the electronic exchange of clinical and administrative data to support prior authorizations and health care claims adjudication. In determining the necessity of a health care service as part of making a coverage decision, health plans often require additional information that cannot adequately be conveyed in the specified fields or data elements of the adopted prior authorization request or health care claims transaction. If adopted as proposed, this proposed rule would support electronic transmissions of this type of information, which should have the effect of decreasing the use of time and resource-consuming manual processes such as mail or fax often used today to transmit this information. This would facilitate prior authorization decisions and claims processing, reduce burden on providers and plans, and result in more timely delivery of patient health care services.

a. Need for the Regulatory Action

This rule would adopt a set of standards for the electronic exchange of clinical and administrative data to support prior authorizations and claims adjudication. Despite widespread deployment of electronic health records (EHRs), and industry experience with Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards that continues to advance since HIPAA's advent, transmitting health care attachments is still primarily a manual process and, at this time, there are no adopted HIPAA standards, implementation guides, or operating rules for health care attachments or electronic signatures. If adopted, this proposed rule would support electronic transmissions of this type of information rather than the use of manual processes such as mail and fax that still predominate in the health care industry.

We believe that the health care industry has long anticipated the adoption of a set of HIPAA standards for the electronic exchange of clinical and administrative data to support electronic health care transactions, such as prior authorization of services and claims adjudication, and the standards we are proposing to adopt are an important step in reducing provider burden.

B. Summary of the Major Provisions

This rule would implement requirements of the Administrative Simplification subtitle of HIPAA and the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act of 2010, enacted on March 30, 2010—collectively, the Affordable Care Act. Specifically, this proposed rule would adopt standards for “health care attachments” transactions, which would support health care claims and prior authorization transactions, and a standard for electronic signatures to be used in conjunction with health care attachments transactions. This rule also proposes modifying the referral certification and authorization transaction standard to move from the X12 278, Version 5010, to the X12 278, Version 6020.

C. Summary of Costs and Benefits

Based on industry research by the Council for Affordable Quality Start Printed Page 78439 Healthcare (CAQH), the 2019 CAQH report indicates that a fully electronic system for prior authorization with health care attachments could result in as much as $454 million in annual savings to the health care industry. Similar savings can be expected for the industry by switching to health care attachments for claims. The 2019 CAQH report further estimates that the industry could expect as much as $374 million in savings per year with the full adoption of health care attachments for claims. This results in total anticipated industry savings of $828 million per year for prior authorization and claims.

II. Background

A. Legislative Authority for Administrative Simplification

This background discussion presents a history of statutory provisions and regulations that are relevant for the purposes of this proposed rule.

1. Standards Adoption and Modification Under the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Congress addressed the need for a consistent framework for electronic transactions and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191, enacted on August 21, 1996). Through subtitle F of title II of HIPAA, Congress added to title XI of the Social Security Act (the Act) a new Part C, titled “Administrative Simplification,” which required the Secretary of the Department of Health and Human Services (the Secretary) to adopt standards for certain transactions to enable health information to be exchanged more efficiently and to achieve greater uniformity in the transmission of health information. For purposes of this and later discussion in this proposed rule, we sometimes refer to this statute as the “original” HIPAA provisions.

Section 1172(a) of the Act indicates that any standard adopted under HIPAA shall apply, in whole or in part, to the following persons, referred to as “covered entities”: (1) a health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a [HIPAA transaction]. Generally, section 1172 of the Act indicates that any standard adopted under HIPAA is to be developed, adopted, or modified by a standard setting organization (SSO). In adopting a standard, the Secretary must rely upon recommendations of the National Committee on Vital and Health Statistics (NCVHS), in consultation with the organizations referred to in section 1172(c)(3)(B) of the Act, and appropriate federal and state agencies and private organizations.

Section 1172(b) of the Act indicates that a standard adopted under HIPAA must be consistent with the objective of reducing the administrative costs of providing and paying for health care. The transaction standards adopted under HIPAA enable financial and administrative electronic data interchange (EDI) using a common structure, as opposed to the many varied, often proprietary, transaction formats on which industry had previously relied and that, due to lack of uniformity, engendered administrative burden. Section 1173(g)(1) of the Act, which was added by section 1104(b) of the Affordable Care Act, further addresses the goal of uniformity by requiring the Secretary to adopt a single set of operating rules for each transaction during the implementation of the electronic standards. These operating rules are required to be consensus-based and reflect the business rules that affect health plans and health care providers and the manner in which they operate.

Section 1173(a) of the Act indicates that the Secretary must adopt standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. The original HIPAA provisions require the Secretary to adopt standards for the following transactions: health claims or equivalent encounter information; health claims attachments; enrollment and disenrollment in a health plan; eligibility for a health plan; health care payment and remittance advice; health plan premium payments; first report of injury; health claim status; and referral certification and authorization. The Affordable Care Act added the requirement that the Secretary adopt a standard for electronic funds transfers. Additionally, section 1173(a)(1)(B) of the Act requires the Secretary to adopt standards for any other financial and administrative transactions the Secretary determines appropriate.

Section 1173(c) through (f) of the Act indicates the Secretary must adopt standards for code sets for appropriate data elements for each listed health care transaction; security standards for health care information; standards for electronic signatures in coordination with the Secretary of Commerce, compliance with which will be deemed to satisfy both state and federal statutory requirements for written signatures for the listed transactions; and standards for the transmission of appropriate standard data elements needed for the coordination of benefits, sequential processing of claims, and other data elements for individuals who have more than one health plan.

Section 1174 of the Act requires the Secretary to review the adopted standards and adopt modifications to them, which include additions to the standards, as appropriate, but not more frequently than once every 12 months. Section 1174(b)(2)(B)(ii) of the Act requires that modifications must be completed in a manner that minimizes disruption and cost of compliance.

Section 1175 of the Act prohibits health plans from refusing to conduct a transaction as a standard transaction.^[1] It also prohibits health plans from delaying the transaction, or adversely affecting or attempting to adversely affect, a person or the transaction itself on the ground that the transaction is in standard format. It establishes a timetable for covered entities to comply with any standard, implementation specification, or modification as follows: for an initial standard or implementation specification, no later than 24 months (or 36 months for small health plans) following its adoption; for modifications, as the Secretary determines appropriate, but no earlier than 180 days after the modification is adopted.

Sections 1176 and 1177 of the Act establish civil money penalties (CMPs) and criminal penalties to which covered entities may be subject for violations of HIPAA Administrative Simplification rules. HHS administers the CMPs under section 1176 of the Act and the U.S. Department of Justice administers the criminal penalties under section 1177 of the Act. Section 1176(b) of the Act sets out limitations on the Secretary's authority and provides the Secretary certain discretion with respect to imposing CMPs. For example, this section provides that no CMPs may be imposed with respect to an act if a penalty has been imposed under section 1177 of the Act with respect to such act. This section also generally precludes the Secretary from imposing a CMP for a violation corrected during the 30-day period beginning when an individual knew or, by exercising reasonable diligence, would have known that the failure to comply occurred.

The original HIPAA provisions are discussed in greater detail in the August 17, 2000 final rule titled “Health Start Printed Page 78440 Insurance Reform: Standards for Electronic Transactions” final rule (65 FR 50312, hereinafter referred to as the Transactions and Code Sets final rule), and the December 28, 2000, final rule titled “Standards for Privacy of Individually Identifiable Health Information” (65 FR 82462). We refer the reader to those documents for further information.

2. Amendments to HIPAA Administrative Simplification by the Affordable Care Act

Section 1104(c)(3) of the Affordable Care Act reiterated the original HIPAA requirement to adopt a health claims attachment standard, and directed the Secretary to promulgate a final rule to establish a transaction standard and a single set of associated operating rules. Section 1104(c)(3) of the Affordable Care Act requires that the adopted standard be “consistent with the X12 Version 5010 transaction standards” and indicates that the Secretary must adopt the standard and operating rules by January 1, 2014, to be effective no later than January 1, 2016, and that the Secretary may adopt the standard and operating rules on an interim final basis. This provision makes no allowance for an extended time for small health plans to achieve compliance.

B. Prior Rulemaking

In the Transactions and Code Sets final rule, we implemented some of the HIPAA Administrative Simplification requirements by adopting standards for electronic health care transactions developed by SSOs, and medical code sets to be used in those transactions. We adopted X12 Version 4010 standards for administrative transactions, and the National Council for Prescription Drug Programs (NCPDP) Telecommunication Version 5.1 standard for retail pharmacy transactions, which were specified at 45 CFR part 162, subparts K through R.

Since then, we have adopted a number of modifications to the HIPAA standards, most recently in a January 16, 2009 final rule (74 FR 3296) titled “Health Insurance Reform; Modifications to the Health Insurance Portability and Accountability Act (HIPAA) Electronic Transaction Standards” (hereinafter referred to as the Modifications final rule). That rule, among other things, adopted updated versions of the standards, X12 Version 5010, and the NCPDP Telecommunication Standard Implementation Guide Version D.0 and equivalent Batch Standard Implementation Guide, Version 1, Release 2. We also adopted the NCPDP Implementation Guide for Batch Standard Version 3.0 standard for the Medicaid pharmacy subrogation transaction. Covered entities were required to comply with the Version 5010, Version D.0, and Version 3.0 standards on January 1, 2012, though with respect to the latter, small health plans were required to comply on January 1, 2013.

In the September 23, 2005 Federal Register (70 FR 55990), in a rule titled “HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule,” we proposed to adopt certain standards with respect to health care attachments. In that rule, rather than a standard with generalized applicability, we proposed to adopt health care claims attachment standards with respect to specific service areas that included ambulance services, clinical reports, emergency department, laboratory results, medications, and rehabilitation services. Due, however, to comments we received on our proposals, including comments related to the standards' lack of technical maturity and stakeholders' lack of readiness to implement electronic capture of clinical data, we did not finalize that rule. As a result, and despite the subsequent widespread deployment of electronic health records (EHRs) and greater industry experience with the HIPAA standards, transmitting health care attachments is still primarily a manual process and, at this time there are no adopted HIPAA standards, implementation guides, or operating rules for health care attachments or electronic signatures. Other specific details of prior rulemaking are discussed as appropriate in the context of the proposals in section II. of this proposed rule.

C. Standards and Code Sets Organizations

In this section, we discuss information about the organizations responsible for developing and maintaining the transaction standards and code sets that we are either proposing or discussing in this proposed rule. Information about each organization's balloting process—the process by which they vet and approve the products they develop and changes thereto—is available on their respective websites, links to which are provided in this section of this rule.

As we have discussed, the law requires any standard adopted under HIPAA to be developed, adopted, or modified by an SSO. Section 1171 of the Act provides that an SSO is an organization accredited by the American National Standards Institute (ANSI) that develops standards for information transactions, data elements, or any standard that is necessary to, or will facilitate the implementation of, Administrative Simplification. Per section 1172(c)(3) of the Act, a HIPAA SSO must develop, adopt, and modify standards in consultation with certain organizations—the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA). The two SSOs applicable to this proposed rule are the Accredited Standards Committee X12 (X12) and Health Level Seven International (HL7). Both SSOs maintain websites where the proposed implementation specifications may be obtained. One other organization, which is a health research institution and not an SSO, maintains a code set that is important to this rulemaking—the Regenstrief Institute, maintains a code set named Logical Observation Identifiers Names and Codes (LOINC).

1. X12 ( http://www.x12.org/​)

X12 develops and maintains standards for the electronic exchange of business-to-business transactions. An ANSI-accredited organization, X12 membership is open to all individuals and organizations. An X12 subcommittee known as Subcommittee N: Insurance (X12N) develops and maintains electronic standards specific to the insurance industry, including health care insurance. The subcommittee, which is comprised of volunteers, develops standards for electronic health care transactions for common administrative activities including: claims, remittance advice, claims status, enrollment, eligibility, authorizations and referrals, and electronic health care claims attachments. The X12N subcommittee is responsible for obtaining consensus on the standards from the entire organization, and produces draft documents that are made available for public review and comment, which the subcommittee addresses as necessary before voting on any proposal. Proposals must then be reviewed and ratified by a majority of the voting members of the X12N subcommittee and the executive committee of X12 itself.

2. Health Level Seven (HL7) ( www.HL7.org)

HL7 is an ANSI-accredited SSO that develops and maintains standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery and evaluation of health services. Its Start Printed Page 78441 domain is principally clinical data and its specific emphasis is on the interoperability between health care information systems. HL7, whose membership is open to all individuals and organizations, focuses its interface requirements on the entire health care organization rather than on a particular subset of the health care industry.

HL7 conducts a three-step process to establish standards. First, a technical committee develops standards through a voting process. All HL7 members are eligible to vote on standards, regardless of whether they are members of the committee that developed the standard. Non-members may also vote on a given ballot for a standard, though they must pay an administrative fee (that does not exceed the cost associated with an individual HL7 membership) associated with handling and processing. Second, HL7 technical committees vote on “recommendations,” which require a two-thirds majority for approval. Third, any recommended standards are submitted to the entire HL7 body for approval and, if approved, are submitted to ANSI for certification.

3. Regenstrief Institute ( LOINC.org)

Regenstrief Institute (Regenstrief) is a health research institution that develops and maintains a proprietary code set, Logical Observation Identifiers Names and Codes (LOINC). LOINC is the code system, terminology, and vocabulary for identifying individual clinical results and other clinical information. Regenstrief worked closely with the HL7 Payer/Provider Information Exchange Workgroup, formerly known as the Attachments Work Group, to develop a set of LOINC codes to uniquely indicate the type and content of attachment information in electronic transmissions. Regenstrief maintains LOINC through its LOINC Committee, which is comprised of volunteer representatives from academia, industry, and government who serve as subject matter experts in their domains of expertise. That committee establishes overall naming conventions and policies for the development process.

D. Industry Standards, Code Sets, and Implementation Guides

1. Electronic Data Interchange (EDI) and Transaction Standards

HIPAA transactions involve the electronic transmission of information between two parties to carry out health care-related financial or administrative activities, such as health insurance claims submissions and prior authorization requests, and HHS-adopted standards for those transactions represent uniform requirements for EDI of those transmissions.

The benefit of HIPAA standards is that they use a common interchange structure, eliminating covered entities' need to have information technology (IT) systems that accommodate multiple proprietary, and potentially continually changing, data formats. By enabling covered entities to exchange medical, billing, and other information to process transactions in a more expedient and cost-effective manner by reducing handling and processing time and eliminating the risk of lost paper documents, HIPAA standards can reduce administrative burdens, lower operating costs, and improve overall data quality.

HIPAA transaction standards specify: (1) data interchange structures (message transmission formats); and (2) data content (all the data elements and code sets inherent to a transaction, and not related to the format of the transaction). Implementation specifications detail the nature, location, and content format of each piece of information transmitted in a transaction. Standardization of transactions also involves: specification of the data elements that are exchanged; uniform definitions of those specific data elements in each type of electronic transaction; identification of the specific codes or values that are valid for each data element; and specification of the business actions each party must take to ensure the exchange of administrative transactions occurs smoothly and reliably, regardless of the technology employed.

a. Implementation Guides—X12

As discussed previously, X12 develops and maintains standards for the electronic exchange of business-to-business transactions. The X12N subcommittee (X12N) publishes transmission standards that apply to many lines of business, not just health care. For example, the X12N 820 message format for premium payment may be used for automobile and casualty insurance, not just health insurance. X12 implementation specifications, referred to by the industry as “implementation guides” and written collaboratively by X12N workgroups, make these general standards functional for industry-specific uses. The specifications are based on X12 standards but contain detailed instructions for using the standard to meet a specific business need. X12's implementation specifications for HIPAA transaction standards adopted by the Secretary are known as “Technical Reports Type 3” (TR3); an example is the X12 standard adopted as the HIPAA standard for the health plan premium payments transaction, the ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Payroll Deducted and Other Group Premium Payment for Insurance Products (820), February 2007, ASC X12N/005010X218).

Each X12N implementation guide has a unique version identification number (for example, 004010, 004050, or 005010), where the highest version number represents the most recent version. HHS adopted updated versions of the X12 standards in the Modifications final rule (74 FR 3296). We are proposing to adopt a Version 6020 standard for one of the HIPAA transactions, the rationale for which we discuss in section II. of this proposed rule.

b. Implementation Guides—HL7

HL7's Payer/Provider Information Exchange Workgroup develops standards for electronic health care attachments. The workgroup, which includes industry experts representing health care providers, health plans, and health technology vendors, is also responsible for creating and maintaining the implementation guides, which are sets of instructions and associated code tables that describe, list, or itemize the content, format, and code to be sent, and specify how such information is to be conveyed in an electronic health care attachment.

An HL7 standard that we are proposing to adopt in this proposed rule is the Clinical Document Architecture (CDA), which is an XML-based (a computer programming language) markup standard that specifies the encoding, structure, and semantics of clinical documents for purposes of transmitting attachment information. XML-coded files have the same characteristics and information as hard copy documents, so regardless of how data are sent within a transaction, they can be read and processed by both people and machines. Some health care attachments may not be conducive to XML formatting, such as medical imaging, video, or audio files. An important CDA feature is that it allows the entire body of an electronic document to be replaced by an image, for example, a scanned copy of a page or pages from a medical record. Although a header still supports automated document management, the clinical content can be conveyed by image or text document.

HL7 also produces the Consolidated CDA (C-CDA), an implementation guide that provides specifications for formatting document templates, Start Printed Page 78442 depending on whether they are structured or unstructured, enabling the CDA to create numerous specific document types (templates). The HL7 C-CDA implementation guide document templates are designed to be electronic versions of the most common types of paper document attachment information. Attachment information not included in a template may be created by using instructions included in the proposed unstructured document implementation guide; supported unstructured formats include MSWORD, PDF, Plain Text, RTF Text, HTML Text, GIF Image, TIF Image, JPEG Image, and PNG Image.

2. Code Sets

Transaction data content standardization involves identifying the specific codes or values for each data element. Health care EDI requires many types of code sets, including large medical data code sets and classification systems for medical diagnoses, procedures, and drugs, and smaller code sets to identify categories, such as type of facility, currency, or units, or a specific state within the United States. The American Medical Association's (AMA) Current Procedural Terminology (CPT-4), which identifies physician procedures, is an example of a health care code set. Federal agencies (the National Center for Health Statistics, the Centers for Medicare & Medicaid Services (CMS), and the U.S. Food and Drug Administration) and some private organizations (the AMA and the American Dental Association) have developed and maintain standards for large medical data code sets. These code sets are mandated for use in some federal and state programs, such as Medicare and Medicaid, and SSOs require or permit them for use in their standards. As we explain in section II. of this proposed rule, the X12 and HL7 standards we are proposing to adopt specify the use of the LOINC for HIPAA Attachments code set.

3. Implementation Guides as HIPAA Standards

Section 1172(d) of the Act directs the Secretary to establish specifications for implementing each of the adopted standards. As we explained previously, SSOs have developed various “Implementation Guides” by which to implement the same standards for different business purposes. We are proposing an approach we have taken with previous HIPAA rules that adopted a specific “Implementation Guide” as both the “standard” and the “implementation specifications” for each health care transaction.

In pursuing this approach, we were mindful that section 1104(c)(3) of the Affordable Care Act requires that the Secretary promulgate a final rule to establish a transaction standard and a single set of operating rules for health care attachments that is “consistent with the X12 Version 5010 transaction standards.” We interpret this requirement to mean that the proposed health care attachment implementation specifications must be compatible with X12 standards generally, meaning any standard we adopt for attachment information can be electronically transmitted by an X12 transmission standard in the same transaction. In this rule, we are proposing to adopt Version 6020 of the X12 standards. The Affordable Care Act was enacted in 2010, at which time we had recently adopted Version 5010 of the X12 standards. A decade later, and with X12 continuing to publish newer versions of its standards, we interpret the Affordable Care Act's mandate as referencing the then-current standards (the X12 Version 5010), but the Affordable Care Act did not specifically require a static standard in perpetuity, as that would be incongruent with the HIPAA standards paradigm.

In section II. of this proposed rule, we are proposing to adopt transaction standards that can be used together in a single electronic transmission. HL7 has noted that an extensive architecture already exists for information exchange based on the HIPAA transactions and code sets, which architecture is currently being used by the same stakeholders who would use the health care attachments transactions, so adoption of this architecture using X12 standards could have the least impact on covered entities.^[2]

Independent of that concept, we are also aware that there are other types of standards being developed and piloted by SSOs. We solicit comment on this discussion and any alternative implementation specifications that may be considered consistent with X12 Version 5010.

E. NCVHS Recommendations to the Secretary

The NCVHS ( https://ncvhs.hhs.gov/​) is a statutory advisory committee responsible for providing HHS with recommendations on health information policy and standards. It does so by, among other things, convening regular forums for interaction with industry groups on key issues related to population health, standards, privacy and confidentiality, and data access and use. Pursuant to HIPAA, the NCVHS advises HHS on the adoption of standards, implementation specifications, code sets, identifiers, and operating rules for HIPAA transactions.

The NCVHS has held a number of hearings, and made several sets of recommendations to the Secretary (see https://ncvhs.hhs.gov/​reports/​recommendation-letters/​) on claims attachments standards; we briefly summarize them here. The NCVHS Standards Subcommittee held a November 17, 2011 hearing on health claims attachments to gather information regarding updated industry practices, priorities, issues, and challenges. Participant testimony addressed the development status of standards and implementation specifications. Some organizations testified regarding their interest in serving as attachments operating rules authoring entities. By letter to HHS dated March 2, 2012, the Subcommittee told HHS it was premature to make formal recommendations regarding the adoption of any standard, implementation specification, or operating rule associated with health care attachments. On May 5, 2012, the NCVHS recommended that the Council for Affordable Quality Healthcare Committee (CAQH), a non-profit entity whose mission is to improve the efficiency, accuracy and effectiveness of industry-driven business transactions, be designated as the operating rules authoring entity.

CAQH established the Committee on Operating Rules for Information Exchange (CAQH CORE), an industry-wide collaboration committed to the development and adoption of health care operating rules for administrative transactions. CAQH CORE facilitates the adoption of health care operating rules that support standards, improve interoperability, and align administrative and clinical activities with market needs.

The Subcommittee held a second hearing on attachments on February 27, 2013, where it identified a trend toward convergence of administrative and clinical information. In a June 21, 2013 letter, the NCVHS recommended that, by January 1, 2016 (the date by which the Affordable Care Act required claims attachment standards to be effective), HHS adopt a number of initial attachments-related transaction standards, but advised HHS to take a comprehensive and incremental approach to considering attachment Start Printed Page 78443 standards in order to promote innovation and flexibility. The NCVHS noted an industry consensus that adoption of standards should not be limited to “claim attachments,” but, rather, should be more inclusive of any kind of attachment with administrative or clinical information, and it recommended that attachments-related transaction standards should be applied to claims, eligibility, prior authorization, referrals, care management, post-payment audits, and any other administrative processes for which supplemental information is needed. Among other recommendations, the NCVHS advised HHS that attachment standards should support structured and unstructured data, and both solicited and unsolicited transmissions. It further advised that attachments standards should be defined for two types of transactions: (1) Query (the electronic solicitation of an attachment); and (2) Response (the electronic transmission of an attachment).

The NCVHS held another hearing on health care attachments on February 15, 2016, and on July 5, 2016 sent the Secretary a letter titled “Recommendations for the Electronic Health Care Attachment Standard.” This letter consolidated its previous recommendations on attachments and advised that updated versions of the available standards were ready for industry use and there was unanimous testimony that the health care industry was eager to see them adopted. Considering both the length of time that had elapsed since the previous proposed rule was published and the subsequent technology advances, the NCVHS recommended that HHS publish an expedited proposed rule adopting the recommended standards.

Finally, and most recently, on March 30, 2022, the NCVHS sent to the Secretary a letter titled “Recommendations to Modernize Aspects of HIPAA and Other HIT Standards to Improve Patient Care and Achieve Burden Reduction.” This letter continued to stress previous recommendations that urged the Secretary to adopt a standard for electronic attachments as soon as possible. The recommendation letter also states the following:

We recognize that there is ongoing debate and no definitive industry consensus about the role of attachments ( i.e., documents) as opposed to data ( i.e., a string of data elements not structured within a document). While the vision with APIs [(Application Programming Interfaces)] based on FHIR® [(Fast Healthcare Interoperability Resources)] seems to be driving toward more of a data-driven transaction, we see more than sufficient industry demand for a document-based attachment standard, and we do not foresee any imminent demise of the utility of digital documents. We suggest short-term publication of an attachment rule, with consideration for emerging standards based on recent input from industry and other advisory group discussions. This could add immediate value for industry and could support future actions as HIPAA's procedural requirements may be updated to allow for non-document type digital attachment data.^[3]

Based on the NCVHS's previous recommendations to the Secretary, and particularly in consideration of its most recent March 30, 2022 recommendation, we propose here a document-based attachments standard. We acknowledge that there is a growing base of evidence that may, in the future, support our proposing attachment standards relying on other technologies such as FHIR®, and we will continue to monitor and evaluate emerging technologies for their readiness to potentially propose in future rulemaking.

F. Other Industry Recommendations

1. Consensus-Based Organization Support

Industry consensus-based organizations have demonstrated the maturity of the NCVHS-recommended standards to support health care business needs and described the opportunities inherent in the adoption of health care attachments standards to integrate administrative and clinical data, such as in automating and streamlining workflows that, today, are primarily manual processes and sources of significant administrative burden.

WEDI ( https://www.wedi.org/​ ) is a public-private coalition formed by HHS in 1991 to serve as an advisory body on the use of health IT aimed at health care information exchange. WEDI, which section 1172(c)(3) of the Act identifies as an entity required to be consulted with respect to standards adoption, published a November 2017 white paper, in concert with X12 and HL7.^[4] That white paper, described by WEDI as “a single resource document for implementers to use to help them get started in their implementation planning for the request and receipt of electronic attachments,” details the business and operational processes of exchanging additional information (attachments) using the HL7 standards for clinical information and the X12 transaction sets for requesting and transmitting the additional information. Its contents, which we have taken into account in this proposed rule, include all of the following:

• An overview of attachments.
• A discussion of resources needed to have a successful implementation of attachments standards.
• A review of current processes for requesting and responding to the need for attachment information.
• Examples of implementation approaches in the industry.
• A review of Electronic Attachment Business flows for Claims, Prior Authorizations and Notification.
• Business use cases and examples.
• Guidance on how to embed additional information within the applicable X12N transaction.

In May 2019, CAQH CORE issued a document titled “Report on Attachments: A Bridge to a Fully Automated Future to Share Medical Documentation,” ^[5] where it reported evidence from its 2018 environmental scan indicating a high degree of industry readiness and interest in the attachments standard. The report noted that “the healthcare industry continues to wait for an electronic attachments standard that can simplify the exchange of necessary medical information and supplemental documentation” and that “health plans, providers and vendors lack the direction needed to support broad use of automation in the attachment workflow, or for industry to coalesce around the use of even a small number of electronic solutions,” leading to largely manual, and often paper-based, processes, and ultimately underscoring the need to standardize electronic attachment exchange methods.

Shortly after, in July 2019, CAQH CORE released another report titled “Moving Forward: Building Momentum for End-to-End Automation of the Prior Authorization Process.” ^[6] There, CAQH CORE reported how, for even the HHS-adopted prior authorization transaction standards, health care industry uptake Start Printed Page 78444 lagged that of other transaction standards, and remained largely paper-based, due in large measure to a lack of infrastructure supporting electronic transmission of attachments that frequently serve as necessary supporting documentation in the prior authorization transaction.

2. Other Recent Public Comment Support

On June 11, 2019, CMS published a request for information (RFI) in the Federal Register titled “Reducing Administrative Burden To Put Patients Over Paperwork” (84 FR 27070). Particularly with respect to prior authorization, that RFI solicited public comment on ideas for regulatory, subregulatory, policy, practice, and procedural changes to reduce unnecessary administrative burdens for clinicians, providers, patients, and their families, with an aim to improve quality of care, lower costs, improve program integrity, and make the health care system more effective, simple, and accessible. To be clear, the RFI did not relate to, and was not for the purpose of, soliciting comments on HHS's efforts pertaining to HIPAA Administrative Simplification, but, nevertheless, many commenters, including organizations representing physician provider groups, insurance payers, health technology vendors, health care financial managers, and HIT standard advisory bodies, called for the release of an electronic attachments proposed rule to be accelerated, as well as guidance on other standards such as electronic signature protocols to achieve these goals. These commenters indicated that a HIPAA attachments transaction standard regulation could help reduce administrative burden in many clinical and administrative situations where documents need to be shared, and relieve providers of current burdensome, largely paper-based, processes.

In preparation for its August 25, 2020 Standards Committee Meeting, the NCVHS invited the public to provide feedback on the CAQH CORE operating rules for prior authorization transactions.^[7] Commenters expressed their support for an attachments transaction standard regulation. In addition, commenters provided input on current standards development efforts underway to address prior authorization challenges, including recommendations for the Secretary to explore or allow the use of other standards or alternative approaches.

We solicit comments on other standards or alternative approaches in development, for example the use of FHIR Clinical Data Exchange (CDex) as discussed in an NCVHS recommendation letter,^[8] including how they may be considered “consistent with the X12 Version 5010 transaction standards.”

III. Provisions of the Proposed Rule

A. Overview

This rule proposes to adopt new standards and modify a currently adopted standard which we believe would meet a health care business need to integrate administrative and clinical data. These proposed actions would facilitate streamlined prior authorization processes that would help minimize clinical response times, reduce potential barriers to the transition to value-based payments, and significantly reduce administrative burden on provider and health plan organizations.^[9] Consistent with NCVHS recommendations and collaborative industry organizations and stakeholders' input, we believe these industry consensus-based standards are sufficiently mature for adoption and that covered entities are ready to implement them.

Nearly every health plan has various requirements for health care providers to sometimes submit additional information beyond that contained in a HIPAA transaction. These requirements may be communicated to providers via contracts, manuals, or online databases of payment rules. This additional information may enable a health plan to make an administrative decision regarding whether a particular service is ”covered,” or about the medical necessity of a service a provider has rendered or intends to render, or for other purposes. The information a health plan requires may, for example, include medical documentation to support health care claims payment, referral authorizations, enrollee eligibility inquiries, coordination of benefits, workers' compensation claims, post-payment claims auditing, and provider dispute resolution.^[10]

A health care provider may transmit attachment information either in response to a health plan's specific request for the information (solicited), or, in certain situations, in the absence of a specific request (unsolicited). A “solicited” attachment transmission occurs where a health care provider transmits an attachment pursuant to a health plan's specific electronic request for attachment information. Conversely, a health care provider's transmitting to a health plan electronic attachment in the absence of a health plan's specific electronic request is known as an “unsolicited” transmission, and usually occurs pursuant to pre-established requirements for attachment information set forth in trading partner agreements or other guidance that specifies when additional information must be submitted to support certain diagnoses, items, services, or medications.

Although providers may transmit this additional information electronically via an attachment to a transaction, currently providers frequently transmit via manual processes that often involve paper mail, fax, and phone because there are no adopted HIPAA standards for health care attachments.

We are proposing standards herein to address these issues; in doing so, we need to define the term “attachment information.”

B. Proposed Definition of Attachment Information

We propose to define “attachment information” at § 162.103 as documentation that enables the health plan to make a decision about health care that is not included in either of the following:

• A health care claims or equivalent encounter information transaction, as described in § 162.1101.
• A referral certification and authorization transaction, as described in § 162.1301(a) and the portion of § 162.1301(c) that pertains to authorization.

We use the term “attachment information” in our proposed definition of the health care attachments transaction at § 162.2001 to specify the information transmitted by a health care provider or requested by a health plan. We are proposing to separately define “attachment information” to prevent the transaction definition at § 162.2001 from becoming too unwieldy. Start Printed Page 78445

The NCVHS recommended defining attachments as “any supplemental documentation needed about a patient(s) to support a specific health care-related event (such as a claim, prior authorization, or referral) using a standardized format,” and we have incorporated key aspects of their recommendation into our proposed definition of attachment information.^[11] We have attempted to ensure that our proposed definition is broad and general enough to include all possible patient-related information that could be generated with respect to health care services, and have done this in several ways.

Documentation: First, we believe the word “documentation,” which the NCVHS recommended and that we include in our proposed definition, is adequately broad to indicate the wide scope of information the definition should cover.

Supplemental: Second, the NCVHS recommended the definition specify that the documentation be “supplemental.” In and of themselves, the health care claims and prior authorizations transactions, which the proposed health care attachments transactions would support, do not provide the documentation that would be furnished by a health care attachments transaction. To express that the documentation would be supplemental, our proposed definition indicates that we are referring to documentation “that is not included” in a health care claims transaction or prior authorization transaction, and we include specific references to the regulatory provisions defining the health care claims and prior authorization transactions. Should we propose to adopt health care attachments transaction standards to support additional transactions, we would likely propose to broaden our definition of attachment information to include regulatory references to them.

Needed: Third, the NCVHS recommended that the definition specify the supplemental documentation should be “needed” by a health plan to enable it to decide whether to pay a claim or authorize the provision of health care; our proposed definition accounts for this with the language “enables the health plan to make a decision about health care.”

C. Proposed Code Set, Transaction Definitions, and Standards

We are proposing to adopt certain industry consensus standards that, when used together, provide the functionality necessary for the transmission of electronic health care attachment information.^[12] In this section, we describe proposed new requirements for: (1) a code set to be used for health care attachments transactions; (2) X12 standards for requesting and transmitting attachment information and HL7 standards for clinical information content; and (3) electronic signatures standards.

1. Code Set (LOINC for HIPAA Attachments)

Health plans and health care providers must have a clear and unambiguous way to specify attachment information—for example, a discharge summary, surgical operation note, or cardiovascular disease consult note—to be transmitted or requested in a health care attachments transaction.

The LOINC code set was developed for the following three principal purposes:

• To identify the specific kind of information that a health plan electronically requests of a health care provider and a health care provider electronically transmits to a health plan; for example, a discharge summary or a diagnostic imaging report.
• To specify certain optional modifier variables for attachment information, such as, for example, a time period for which the attachment information is requested.
• For structured attachment information, to identify specific HL7 Implementation Guide: LOINC Document Ontology document templates.

This rule proposes numerous implementation specifications containing specific instructions for how to utilize the LOINC for HIPAA Attachments with respect to those three purposes. Where an implementation specification requires the use of LOINC, it instructs users to utilize the codes valid at the time a transaction is initiated, similar to how other nonmedical data codes sets in HIPAA implementation specifications are treated. Regenstrief's website maintains online tools to help users search the LOINC database for specific LOINC codes or map local terms to LOINC codes ( https://loinc.org/​attachments). To improve ease of use, Regenstrief released and enhanced the search functionality to the SearchLoinc tool ( https://loinc.org/​search-app/​). In addition, Regenstrief offers the LOINC Attachments Knowledge Base ( https://loinc.org/​attachments) to help users better find and utilize LOINC codes and resources such as mapping. Regenstrief maintains a twice-yearly release cycle, and covered entities would be expected to utilize the LOINC for Attachments codes, as specified by the relevant implementation specification. In our discussion of each implementation specification, we describe in more detail how each uses LOINC.

2. Electronic Health Care Attachments Transactions

In this section, we propose to adopt standards for requesting and transmitting attachment information (as we have proposed to define that term in § 162.103). We are proposing to adopt X12 standards with respect to the transmission of attachment information and HL7 standards with respect to the clinical content of attachments. Specifically, as detailed in the sections that follow, we are proposing to adopt three X12N Technical Report Type 3 (TR3) implementation specifications for requesting and transmitting attachment information, and three HL7 implementation guides for the clinical information embedded in those transactions. While CAQH CORE has developed operating rules for attachments, the NCVHS has yet to evaluate them and make a recommendation to the Secretary. Should the NCVHS recommend that the Secretary adopt those operating rules, we will consider adopting them.

a. Scope of Health Care Attachments Transactions

Section 1173(a) of the Act requires the Secretary to adopt standards for “Health claims attachments,” and section 1104(c)(3) of the Affordable Care Act reiterated that requirement, directing the Secretary to promulgate a final rule to adopt a transaction standard and a single set of associated operating rules. The attachments standards we are proposing satisfy the requirement to adopt a standard to support health care claims, but they also support prior authorization transactions. Hereafter we refer to “health care attachments” to refer to attachments for claims as well as prior authorization transactions Start Printed Page 78446 instead of “health claims attachments,” which only includes the former.

Historically, the referral certification and authorization transaction has had among the lowest implementation rates of all the HIPAA transactions, likely attributable to the fact that we have not yet adopted standards for attachments. In a 2016 report, the CAQH CORE Index ^[13] noted that the uptake rate for such transactions being conducted fully electronically was only 18 percent, even 5 years after the adoption of Version 5010 of the X12 278 standard. The report also indicated that more than 50 percent of prior authorization transactions were conducted through proprietary web portals and automated phone calls as a means to conform to business processes due to the lack of an adopted health care attachments standard. Four years later, the 2020 CAQH Index reported only limited progress, with the uptake rate having increased to only 21 percent. As we have discussed, health plans frequently require attachment information before approving requests for prior authorization for health care services. Although section 1173(a)(1)(A) of the Act does not specifically require the Secretary to adopt attachments standards with respect to prior authorization transactions, section 1173(a)(1)(B) of the Act requires the Secretary to adopt standards for other appropriate financial and administrative transactions, consistent with the goals of improving the operation of the health care system and reducing administrative costs.

However, we are not proposing to adopt attachments standards for all health care transaction business needs. Not only would it be challenging to identify standard specifications and appropriate codes for the full array of different health care attachment types used today, but we also believe it is important that covered entities should consider gaining experience with a limited number of standard electronic attachment types so that technical and business issues can be identified to inform potential future rulemaking for other electronic attachments standards.

We request comment on alternative standards and approaches that can address the challenges described previously.

b. Proposed Definition of the Health Care Attachments Transaction

We are proposing to add a new Subpart T to 45 CFR part 162—Health Care Attachments. In Subpart T, in new § 162.2001, we are proposing to specify the electronic health care attachments transaction; specifically, we are proposing that any of three different types of transmissions would constitute a health care attachments transaction. For each type of transmission, we specify the entity type from which the transaction is being transmitted and to which it is being sent, the type of information being transmitted, and the purpose for the transaction. We note that the overarching purpose for all three types of transactions—to enable a health plan to make a decision about health care—is incorporated into the definition of attachment information, while for the two transmission types in § 162.2001(a), and as discussed later in this section, we further specify the purpose.

We are proposing the following three types of transmissions:

• In § 162.2001(a)(1) and (a)(2), a health care attachments transaction is either of two different types of transmissions, both of which are sent from a health care provider to a health plan and where the type of information being transmitted in both is attachment information.
• In § 162.2001(b), a health care attachments transaction is one type of transmission that is sent from a health plan to a health care provider, and where the type of information being transmitted is a request for attachment information.

The purpose for the transmission described in § 162.2001(a)(1) is to support a referral certification and authorization transaction, as described in § 162.1301(a), while the purpose for the transmission described in § 162.2001(a)(2) is to support a health care claims or equivalent encounter information transaction, as described in 162.1101. We are also proposing to make a conforming change to the definition of “transaction” in § 160.103, by replacing “(10) Health claims attachments” with “(10) Health care attachments.”

3. Proposed Adoption of Electronic Health Care Attachments Transaction Standards

As noted earlier, the NCVHS has held a number of hearings and made several sets of recommendations to the Secretary on attachments standards.^[14] By letter dated July 5, 2016, the NCVHS consolidated its earlier recommendations on attachments and advised that updated versions of the available standards were ready for industry use, noting that one of the most significant findings from its February 16, 2016 hearing was the general consensus across testifiers about the need for HHS to adopt the NCVHS-recommended standards.^[15] The NCVHS noted that it considered a number of criteria and factors in evaluating standards, particularly whether candidates would meet the goals of administrative simplification. Among other recommendations, the NCVHS advised that attachments standards for queries, and both solicited and unsolicited responses, should support structured and unstructured data. The NCVHS concluded that its recommended standards meet the industry's business needs, improve administrative efficiency and reduce administrative burden, are flexible and agile to meet future technology developments and health system changes, and are mature, adoptable, and enforceable.

The NCVHS noted that its recommended standards represented a collaboration between X12 and HL7, with X12 providing for existing provider/payer EDI, and HL7 providing for the CDA. Specifically, the NCVHS recommended that HHS adopt the following standards for attachment-related transactions:

• For requesting attachments, the following standards:

++ For claim-related attachment requests, the ASC X12N 277 Health Care Claim Request for Additional Information.

++ For non-claim-related attachment requests, the ASC X12N 278 Health Care Service Review—Request for Review and Response—Response.

• For attachment message content and format in the transmission of attachment information, the following standards:

++ The HL7 CDA R2—Consolidated CDA Templates for Clinical Notes R2.1.

++ The HL7 Attachment Supplement Specification Request and Response Implementation Guide R1.

++ The Attachment Type Value Set: Logical Observation Identifier Names and Codes (LOINC) developed and maintained by the Regenstrief Institute, Inc. Start Printed Page 78447

++ The HL7 Implementation Guide for CDA Release 2: Additional CDA R2 Templates—Clinical Documents for Payers—Set 1.

• For the routing/envelope of attachment information, the following standards:

++ The ASC X12N 275 Additional Information to Support a Health Care Claim or Encounter.

++ The ASC X12N 275 Additional Information to Support a Health Care Services Review.

The health care attachments standards we are proposing are those recommended by the NCVHS, and discussed in its July 5, 2016 letter to the Secretary. Also, as previously discussed, section 1104(c)(3) of the Affordable Care Act requires that the adopted attachments standard be “consistent with the X12 Version 5010 transaction standards,” which we interpret as requiring that the proposed health care attachment implementation specifications be compatible with X12 standards generally, meaning any standard we adopt for attachment information can be electronically transmitted by an X12 transmission standard in the same transaction.

While the NCVHS did not recommend specific versions of the X12N attachments standards, we are proposing to adopt the X12N Versions 6020 for both the X12N 277 standard, that is, the X12N 277—Health Care Claim Request for Additional Information (006020X313), as well as for the X12N 278—Health Care Services Request for Review and Response Version (006020X315) standard for the referral certification and authorization transaction. We are proposing to adopt Version 6020 of these standards because they better harmonize with the X12N 275—Additional Information to Support a Health Care Claim or Encounter Version (006020X314) and the X12N 275—Additional Information to Support a Health Care Services Review Version (006020X316) standards we are proposing to adopt for a provider to transmit attachment information.

Although it may be possible to use different versions of the standards for health plan requests for, and provider transmissions of, attachment information, X12 recommended to the NCVHS that all parties to those transactions use Version 6020 of the standards as they are most compatible with each other.^[16]

a. Proposed Adoption of X12N Standards for Health Care Attachments Transactions

(1) Proposed Adoption of Standards for Request From a Health Plan to a Health Care Provider for Attachment Information

(a) X12N 277—Health Care Claim Request for Additional Information (006020X313)

At § 162.2002(e)(1), we propose to adopt the X12N 277—Health Care Claim Request for Additional Information (006020X313) as the standard a health plan must use to electronically request attachment information from a health care provider to support a health care claim. We also propose to incorporate the same by reference in § 162.920.

The X12N 277 contains two noteworthy fields, which we discuss sequentially. The first is the health plan assigned claim control number, which allows for document reassociation. A health plan assigns a claim control number to associate its request with a provider's electronic health care claim. The health care provider then uses the health plan assigned claim control number in the X12 275 standard in the health care attachments transaction, discussed later in this proposed rule, that it transmits to the health plan, enabling the health plan to associate the attachment information with the previously submitted health care claim.

The other noteworthy X12N 277 field is for LOINC for HIPAA Attachments. The X12N 277 standard requires the use of the appropriate LOINC for HIPAA Attachments data element to identify the specific attachment information the health plan is requesting. The previously referenced 2017 WEDI whitepaper illustrates how the LOINC code is used in an X12 277 standard in the following hypothetical scenario: A provider performs a particular surgery for which there is no HCPCS code and sends the health plan a health care claim using a Not Otherwise Classified (NOC) procedure code. The health plan requires additional information about the procedure to adjudicate the claim, and sends the health care provider an X12N 277 Health Care Claim Request for Additional Information request using the appropriate LOINC for HIPAA Attachments code to specify the surgical operative note it needs.^[17]

(b) X12N 278—Health Care Services Request for Review and Response (006020X315)

At § 162.2002(e)(2), we propose to adopt the X12N 278—Health Care Services Request for Review and Response (006020X315) as the standard a health plan must use to electronically request attachment information from a health care provider to support a prior authorization transaction. We also propose to incorporate the same by reference in § 162.920. The X12 278 standard is unique in that it is also used for a health care provider's request for prior authorization, as reflected at § 162.1302(b)(2)(ii). We are proposing to adopt Version 6020 of that standard, which would represent a modification to the currently adopted Version 5010 of the X12N 278. As we discussed previously, the NCVHS indicated that the updated version, that is, Version 6020, of the X12 278 is more compatible with the Version 6020 X12N 275 standard we are proposing for a health care provider's transmission of an attachment information transaction to a health plan in support of a prior authorization request. Version 6020 of the X12 278 also contains the same two noteworthy fields as the X12N 277, that is, the health plan assigned claim control number and the field for LOINC for HIPAA Attachments. In section II.D. of this proposed rule we discuss our proposed modification to update the current HIPAA standard, Version 5010 of the X12 278, to Version 6020.

(2) Proposed Adoption of Standards for Response From a Health Care Provider to a Health Plan for Attachment Information

(a) X12 275—Additional Information to Support a Health Care Claim or Encounter (006020X314)

We propose to adopt, at § 162.2002(d), the X12N 275—Additional Information to Support a Health Care Claim or Encounter (006020X314) as the standard a provider must use to electronically transmit attachment information to a health plan to support a health care claims or equivalent encounter information transaction. We also propose to incorporate the same by reference in § 162.920.

The X12N 275—Additional Information to Support a Health Care Claim or Encounter standard may be used with respect to both solicited and unsolicited attachment information. Using the previous example of a surgery for which there is not a HCPCS code, in the case where a health plan has solicited attachment information, the provider would reply to the X12N 277 Start Printed Page 78448 request from the plan using the X12N 275 to convey the operative note as the attachment information. In the unsolicited scenario, the provider could concurrently transmit the X12N 275—Additional Information to Support a Health Care Claim or Encounter and a claim using the X12N 837 to enable the health plan to make a decision about the claim at the time of initial claim processing.

We note that the X12N 275—Additional Information to Support a Health Care Claim or Encounter claims attachment standard, as well as the X12N 275—Additional Information to Support a Health Care Services Review prior authorization standard (discussed in this section of this proposed rule), do not themselves contain claim or prior authorization attachment information. Rather, the standards serve as the electronic envelope for attachment information that is embedded in an HL7 standard. We describe in detail the specific HL7 standards for embedding attachment information in this section of the proposed rule, but the critical concept is that the health care attachment information is transported by the X12N 275 standard.

(b) X12N 275—Additional Information To Support a Health Care Services Review (006020X316)

We propose, at § 162.2002(c), to adopt the X12N 275—Additional Information to Support a Health Care Services Review (006020X316) as the standard a provider must use to electronically transmit attachment information to a health plan to support a health care provider's request for the review of health care to obtain an authorization for the health care; in other words, a prior authorization request. We also propose to incorporate the same by reference in § 162.920.

As we described in greater detail in our proposal to adopt the X12 275—Additional Information to Support a Health Care Claim or Encounter, this standard also can be sent in a solicited or unsolicited manner. Using our example of a surgery for which there is no HCPCS code, for solicited attachment information the provider would reply to the X12N 278 request from the health plan using the X12N 275 standard that conveys the operative note. In the unsolicited scenario, the provider could concurrently transmit the X12N 275 Additional Information to Support a Health Care Services Review and a prior authorization request using the X12N 278 to enable the health plan to make a decision about the prior authorization without additional requests for information.

B. Proposed Adoption of HL7 Implementation Guides for Health Care Attachment Information

The HL7 CDA standard is the only currently available SSO-created, NCVHS-recommended standard in the United States with published implementation specifications designed to support the HIPAA transactions. Other standards for the exchange of clinical information are being developed and piloted but, due in part to its readiness, we believe the HL7 CDA is the most appropriate standard for adoption at this time.

We are proposing to adopt the following three HL7 implementation guides as HIPAA standards for the attachment information included in health care attachments transactions:

• HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 1—Introductory Material, June 2019 with Errata (hereafter Volume One or C-CDA Volume One or C-CDA 2.1)
• HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 2—Templates and Supporting Material, June 2019 with Errata (hereafter Volume Two or C-CDA Volume Two or C-CDA 2.1)
• HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 1, March 2017 (hereafter the Attachment Implementation Guide)

Generally, the Attachment Implementation Guide specifies how to combine HL7 and X12 standards to transmit health care attachments transactions. For example, it contains instructions with respect to how to construct electronic health care attachments transactions, including how to attach and send the attachment information using the proposed X12N health care attachments standards. It also contains instructions for health plans to utilize the necessary LOINC codes for health plans to request health care attachments from a health care provider, and for providers to identify health care attachments document templates when transmitting them to a health plan. For the transmissions described in proposed § 162.2001, that is, transmissions of attachment information from a health care provider to a health plan for the specified purposes, and requests for attachment information from a health plan to a health care provider, we would require the use of the Attachment Implementation Guide at § 162.2002(a). We propose to incorporate this HL7 standard by reference in § 162.920 in a new paragraph (e) where we provide information about the availability of the HL7 standards we are proposing.

We are also proposing that for the transmissions of attachment information from a health care provider to a health plan for the specified purposes, as described in proposed § 162.2001(a), we would require the use of Volume One and Volume Two, and would include these requirements at § 162.2002(b)(1) and (b)(2), respectively. Collectively, these standards are instructions for the use of specific sections of the CDA, a larger set of clinical information standards developed by HL7, that provide specifications for users to create the HL7 document templates for the clinical information that would be used in the proposed health care attachments transactions.

Attachment information comes in two variants, “structured” and “unstructured,” and the proposed HL7 standards support both. A structured document is one that has a high degree of organization that is able to be interpreted by a computer, includes a header that contains metadata about the clinical information found in the body of the document, and a structured body. The clinical information contained in the document is subdivided into systematic sections and entries that can be identified and sorted by a computer using descriptive codes. HL7 Volume One and Volume Two instruct readers how to assemble the segments into a standardized set of document sections known as a document “template,” which is essentially a set of C-CDA components identified by a LOINC code, and include templates for the most common paper documents that serve as attachment information. An HL7 structured template is in a format that can be easily displayed in a human-readable format, while also enabling a computer to make an automated decision about a claim or a prior authorization request. Volume One and Volume Two also contain instructions for creating an unstructured document template for attachment information for which HL7 has not created a structured template. Unstructured documents still utilize an HL7 standard header that includes meta-data about the clinical information found in the document body, but the body does not contain tags that systematically identify the attachment information within. Examples of unstructured documents include medical imaging files, audio, video, and legacy attachment information such as scanned paper Start Printed Page 78449 documents. Unstructured content may also include attachment information that is not collected in a health care environment, but that a health plan may require for payment decisions, such as delivery receipts, home inspection reports, or patient-created diabetic logs.

The Attachment Implementation Guide also specifies how to construct a health care attachments transaction when Volume One or Volume Two do not provide a document template for particular attachment information. The Attachment Implementation Guide contains three criteria that any document template to be used as a health care attachment must meet if it is not already specified in one of the proposed implementation guides: (1) the template must be developed and published through the HL7 standards process; (2) the new template must be designated by HL7 as being compatible with a C-CDA 2.1 implementation specification and for use in the United States; and (3) a LOINC code for the template must be created by Regenstrief via its code creation process as previously described. This means that once a C-CDA 2.1 implementation guide-compatible document template has been created by HL7 and is assigned a LOINC code, which happens upon request of the HL7 Payer/Provider Information Exchange Workgroup once HL7 creates a new template, it may be used as attachment information in a health care attachments transaction. We invite comment on the proposed adoption of the HL7 standards—Volume One, Volume Two, and the Attachment Implementation Guide.

C. Electronic Signatures

Section 1173(e)(1) of the Act provides that the Secretary, in coordination with the Secretary of Commerce, must adopt standards specifying procedures for the electronic transmission and authentication of signatures for HIPAA transactions. Pursuant to that requirement, we proposed to adopt standards for electronic signatures in the August 12, 1998 proposed rule (63 FR 43242) titled “Security and Electronic Signature Standards.” That proposal, never finalized with respect to electronic signatures, would not have required the use of electronic signatures with any specific transaction. Rather, the proposed rule recognized that electronic signatures would require certain implementation features, including message integrity, nonrepudiation, and user authentication, and proposed that the standard for electronic signatures would be digital signatures—electronic stamps that contain information about both the user creating the signature and the document being signed—as the only technically mature means available that could provide for nonrepudiation in an open network environment. In comments on the proposed rule, industry overwhelmingly indicated that then-available technology was insufficient to enable the proposed provisions to be implemented. As such, in the February 20, 2003 final rule (68 FR 8334) titled, “Health Insurance Reform: Security Standards” (hereafter, February 2003 Security rule), we elected not to finalize the proposal, instead indicating that a final rule on electronic signature standards would be published at a later date. In the September 23, 2005 proposed rule titled HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments (70 FR 55990), we recognized that an electronic signature consensus standard still did not exist and that no federal standard governed the use of electronic signatures for private sector health care services. We sought industry input on how signatures should be handled when an attachment is requested and transmitted electronically.

Signatures play a vital role with respect to the documentation of health care, as a signature is often the only indicator available to health plans and health care providers that attachment information has been reviewed and approved by the service provider or other clinician with appropriate authority to supervise care. Health care entities recognize numerous legal and compliance best practices for clinician attestation of medical record documentation consistent with applicable federal and state laws and regulations, accreditation standards, payer requirements, documentation requirements for clinical services offered, and technology functionalities.^[18]

Health care best practices, such as those of the National Committee for Quality Assurance (NCQA), generally direct that all entries in the medical record contain the author's identification.^[19] A health care providers' signature (whether wet—in ink on paper documents—or electronic) on medical record documentation generally serves as the attestation that the appropriate provider representative has reviewed and approved the documentation. Health plans commonly require written and signed documentation as evidence of medical necessity for certain types of services. For example, in order for a laboratory to submit a claim for reimbursement of a laboratory test, a health plan may first require a physician visit and a signed physician order. When the laboratory later bills a health plan for the test, the plan may ask for evidence that it was ordered by an authorized health care provider; if the laboratory is unable to produce a signed order, it may not be reimbursed.

1. Proposed Definition of Electronic Signature

An electronic signature can be any of a number of types of marks or data that indicate a signatory's intent to sign. Examples of electronic signatures include an online check box indicating acceptance, a name entered by the signer in an online form, a signing device at a commercial checkout line on which a customer writes his or her signature, and an image of a signature that was written by hand and then scanned into an electronic image format.

We are proposing to define the term “electronic signature” as broadly as possible to ensure that it meets health care providers' and health plans' needs now and can also encompass future electronic signature technologies. However, we propose to narrowly specify the scope of the required use of electronic signatures, such that their required use would be limited to just attachment information transmitted electronically in electronic health care attachments transactions. Accordingly, the electronic signature standard we are proposing at § 162.2002(f) would pertain only to electronic signatures for attachment information transmitted by a health care provider in an electronic health care attachments transaction.

At § 162.103, we propose to define electronic signature as follows: Electronic signature means an electronic sound, symbol, or process, attached to or logically associated with attachment information and executed by a person with the intent to sign the attachment information.

2. Proposed Electronic Signature Standard

Electronic signatures vary in reliability and value based on the type of technology used, and any HIPAA electronic signature standard has to meet the needs of both health plans and health care providers that produce and use attachment information. Any standard that we adopt needs to support all of the current business functions and uses for signatures in the health plan payment decision process while providing assurance that attachment information is accurate and unaltered. The 1998 proposed rule that we mentioned previously, “Security and Electronic Signature Standards,” enumerated three implementation features necessary to achieve these goals: user authentication, message integrity, and non-repudiation (63 FR 43257). These core features, developed in conjunction with the Department of Commerce's National Institute of Standards and Technology and the health care industry, remain relevant to electronic signatures today. We discuss each in the following sections.

Authentication is the ability of a health plan to identify and verify the identity of the provider who signed a document, and is a vital signature characteristic because such verification serves to validate the attachment information. Just as a health plan might compare a physical signature to a signature card to authenticate a health care provider's identity, an electronic signature must provide a method of authentication. Some forms of electronic signatures do not allow for authentication; for example, a typed signature line in a word processing document that indicates it was signed by a physician does not have any unique traits that would permit authentication by a health plan.

Because some electronic signatures can be readily manipulated, there must also be a mechanism to ensure that signed attachment information remains unaltered since the time it was affixed; this feature is called message integrity. To maintain message integrity, there must be a way to electronically validate that the attachment information signed by the health care provider and sent to the health plan are identical. Without such a mechanism it would be possible, for example, to alter the amount or type of the medical item (such as, medication, durable medical equipment, a medical service, etc.) ordered by a physician after he or she had completed and signed the order.

Finally, an electronic signature standard must embody a feature known as nonrepudiation, which provides strong assurance of identity such that it is difficult for a signatory to later claim that the electronic representation is not valid or that he or she did not sign the document.^[20] Nonrepudiation is a necessary feature of an electronic signature for health care attachments transactions because health plans will use attachment information to make administrative decisions about payment for health care services and may deny payment to a health care provider based on the information in electronically signed attachments.

An electronic signature standard must manifest each of these three features to suffice for attachment information in electronic health care attachments transactions. For example, were a signing system to incorporate authentication and nonrepudiation but lack a mechanism to ensure message integrity, a health plan could not be confident that the attachment information had not been altered since being signed. Or, were a signing system to incorporate nonrepudiation and message integrity but lack a mechanism for authentication, the health plan receiving the attachment information would be assured that the content had not been altered and that someone had signed, but it could never be certain of the actual signatory. In the previously discussed 1998 and 2005 proposed rules, HHS identified digital signature technology as the only electronic signature approach offering the features of authentication, message integrity, and nonrepudiation. We continue to believe that digital signature technology is the only electronic signature technology that supports all three features.

We considered proposing, as an electronic signature standard, the specifications for electronic signatures that are included in the HL7 implementation guides we are proposing here for electronic health care attachments transactions. But we decided not to pursue that route because the specifications included in those guides do not support authentication, message integrity, and nonrepudiation.

However, HL7 has also developed an implementation guide called the HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 (hereafter Digital Signatures Guide), with supplemental specifications that add support for authentication, message integrity, and nonrepudiation to their other published implementation guides. The Digital Signatures Guide promotes these three features by utilizing digital signature technology to implement identity management using digital certificates, encryption requirements to support message integrity, and multiple signed elements to support nonrepudiation. As we previously noted, a digital signature is an electronic stamp that contains information about both the user creating the signature and the document that is being signed. Digital signatures are created using digital certificates to create a secure computer code that can be used later to authenticate the signer. At the same time, the certificate is used to create another computer code, usually referred to as a hash, which can be used by a computer to verify that the document has not been changed since it was originally signed; this is a mechanism to ensure the integrity of the signed document. In both cases, the codes are encrypted so the receiver knows that the codes themselves have also not been altered, enabling the receiver to be confident that the signature was applied by the authenticated individual.

We note that the Digital Signatures Guide does not include requirements for when a document must be signed and by whom. As previously discussed, requirements with respect to who may deliver health care and how it must be documented via signature vary greatly and are developed by health plans and outlined in their provider compliance manuals, trading partner agreements, and other contractual requirements between health plans and health care providers. We do not seek to regulate clinical best practices for documentation or interfere with health plans' business needs. Therefore, we are not proposing to specify when an electronic signature must be required, but, instead, we defer to the industry to continue to establish those expectations. We would also limit the scope of the required use of electronic signatures to just health care attachments transactions. Accordingly, we are proposing to require that, where a health care provider uses an electronic signature in a health care attachments transaction, the signature must conform to the implementation specifications in the Digital Signatures Guide. Specifically, we propose to adopt, at § 162.2002(f), the HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 for electronic signatures for attachment information transmitted by a health care provider in an electronic health care attachments transactions Start Printed Page 78451 specified in § 162.2001(a). We also propose to incorporate the same by reference in § 162.920.

We solicit comments on the proposed definition of electronic signature and the proposed HL7 Implementation Guide as the attachment information electronic signatures standard.

D. Proposed Modification to a HIPAA Standard

1. Modifications to Standards

Section 1174 of the Act requires the Secretary to review the adopted standards and adopt modifications to them as appropriate, but not more than once every 12 months. Modifications must be completed in a manner that minimizes disruption and cost of compliance. Per section 1175 of the Act, if the Secretary adopts a modification to a HIPAA standard or implementation specification, the compliance date for the modification may not be earlier than the 180th day following the date of the adoption of the modification. The Secretary must consider the time needed to comply due to the nature and extent of the modification when determining compliance dates, and may extend the time for compliance for small health plans if the Secretary deems it appropriate.

Section 162.910 sets out the standards maintenance process and defines the role of SSOs and Designated Standard Maintenance Organizations (DSMOs). An SSO is an organization accredited by the ANSI that develops and maintains standards for information transactions or data elements. The two SSOs applicable to this proposed rule are the Accredited Standards Committee X12 (X12) and Health Level Seven (HL7). On August 17, 2000, the Secretary designated six organizations ( see Health Insurance Reform: Announcement of Designated Standard Maintenance Organizations Notice (65 FR 50373)) to maintain the health care transaction standards adopted by the Secretary, and to process requests for modifying an adopted standard or for adopting a new standard. The six organizations include X12, HL7, and NCPDP, along with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), and the Dental Content Committee (DCC) of the American Dental Association.

Section 162.910 also sets forth the procedures for the maintenance of existing standards and the adoption of modifications to existing standards and new standards. Under § 162.910(c), the Secretary considers recommendations for proposed modifications to existing standards or proposed new standards, only if the recommendations are developed through a process that provides for all of the following:

• Open public access.
• Coordination with other DSMOs.
• An appeal process for the requestor of the proposal or the DSMO that participated in the review and analysis if either were dissatisfied with the decision on the request.
• An expedited process to address HIPAA content needs identified within the industry.
• Submission of the recommendation to the NCVHS.

Any entity may submit change requests with a documented business case to support the recommendation to the DSMO, which receives and processes those change requests. The DSMO reviews the request and notifies the SSO of the recommendation for approval or rejection. Should the changes be recommended for approval, the DSMO also notifies the NCVHS and suggests that a recommendation for adoption be made to the Secretary of HHS. Information pertaining to the designation of a DSMO and its responsibilities can be found in the Transactions Rule and the Notice, which were both published on August 17, 2000 (65 FR 50365 and 50373).

The modification we are proposing in this rule was developed through a process that conforms with § 162.910. In February 2016, the NCVHS held hearings to review the Version 6020 X12N 278 implementation specifications as a standard for health care attachments transactions, which X12 recommended be adopted by HHS. Testimony from that hearing indicated the need for HHS to adopt the 6020 version of the X12N 278, which X12 testified resolves technical issues with Version 5010 of the X12N 278.^[21] In its 2016 letter to the Secretary, the NCVHS recommended the adoption of the X12N 278 for health care attachments transactions, but did not recommend a specific version. Rather, the NCVHS recommended that the Secretary consider adopting the version expected to be in effect at the time the transactions standards are mandated.^[22] Version 6020 of the X12N 278 is the most current version of the referral certification and authorization transaction standard.

2. Modification to Referral Certification and Authorization Transaction Standard

As just discussed, the NCVHS recommended that HHS adopt the referral certification and authorization transaction standard (ASC X12N 278) for non-claims-related attachment requests and responses. Although the NCVHS did not recommend a specific version of the standard, we are proposing to adopt Version 6020 of the X12N 278 because Version 6020 better harmonizes with the Additional Information to Support a Health Care Services Review Version—X12N 275- (006020X316) standard we are proposing to adopt for providers transmitting attachment information. As we also discussed, while it may be possible to use different versions of the standards for health plan requests for, and provider transmissions of, attachment information, X12 advised against it, recommending to the NCVHS ^[23] that all parties to those transactions use Version 6020 of the standards as they are most compatible with each other.

Adopting Version 6020 of the X12N 278 for referral certification and authorization transactions standard to replace Version 5010 of the X12N 278 would be a modification to a standard under HIPAA, similar to the previous modifications we adopted when we moved from Version 4010 to Version 5010 for the X12 standards. Version 6020 of the X12N 278 includes several changes, some of which are maintenance changes, and some of which represent more significant improvements over Version 5010. The two most significant changes each represent technical improvements and structural changes to the standard:

• One important change will better support referral certification and authorization transactions for dental services. Currently, health care providers are able to accurately report tooth status utilizing Version 5010 of the X12N 837 for health care claims, but Version 5010 of the X12N 278 cannot support reporting tooth status in health care referral certification and authorization transactions. Version 6020 of the X12N 278 expands support for reporting the status of individual teeth, which enables a health care provider to specifically indicate a missing tooth, extracted tooth, tooth to be extracted, or impacted tooth in a health care referral Start Printed Page 78452 certification and authorization transaction. We expect this improvement in the X12N 278 to minimize or eliminate administrative delays attributable to providers having to convey relevant individual tooth information outside of the standard transactions process.

• Version 6020 revises and expands the drug authorization segment, which includes fields necessary to, for example, identify a drug, specify quantity of drug requested, specify drug dosage requested, and accommodate related procedure codes. Because Version 5010 does not enable entities to supply this additional information, health plans and providers must utilize cumbersome alternative methods to communicate drug information. Therefore, we also expect this improvement to minimize or eliminate administrative delays attributable to providers having to convey relevant drug information outside of the standard transactions process.

The referral certification and authorization transaction under § 162.1301 includes two transmission types from health care providers to health plans: prior authorization requests and referral certification requests. The X12N 278 standard is required for both types of transmission. As discussed, we are proposing that health care attachments transactions would apply to prior authorization transactions; we are not proposing that they apply to referral certification transactions. Although it would be technically feasible for us to propose to adopt Version 6020 only for prior authorization transmissions specified in § 162.1301(a) and retain Version 5010 for referral certification transmissions specified in § 162.1301(b), we are instead proposing Version 6020 for both transmission types because it includes improvements over Version 5010 that better support both transmission types, and we believe it would be more burdensome for covered entities to have to maintain both X12N 278 versions.

E. Proposed Compliance Dates

We are proposing to adopt new standards and a modification to a standard in this proposed rule. Section 1104(c)(3) of the Affordable Care Act, which requires the Secretary to adopt a transaction standard for health claims attachments, prescribes a 2-year compliance date for all covered entities and makes no special provision for small health plans, unlike the original HIPAA. In this rule, we are proposing that the same health care attachments standards would apply to both claims and prior authorization attachments transmissions. As the transmission standard for each type of attachment transaction transmission would be the same, we believe the compliance date for both types should also be the same. In addition, because we are proposing to treat the two attachments process together as one transaction in new Subpart T, adopting the same compliance timeframe for all covered entities would avoid the complications a bifurcated compliance timeframe—one for claims processes and another for prior authorization processes—would raise.

When the Secretary adopts a modification to a HIPAA standard, section 1175(b)(2) of the Act requires that the compliance date may not be earlier than the 180th day following the date of adoption. The Secretary must consider the time needed to comply due to the nature and extent of the modification when determining a compliance date, and may extend the time for small health plans to achieve compliance if the Secretary deems it appropriate. The adoption date of a standard or a modification is the effective date of the final rule in which the adoption or modification is established. The effective date is the date the rule amends the Code of Federal Regulations (CFR), which is typically 60 days after the date of publication in the Federal Register .

1. Proposed Compliance Date for Health Care Attachments and Electronic Signatures Standards

We are proposing to adopt the following seven standards for health care attachments transactions and electronic signatures:

• HL7 CDAR2: Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 1—March 2017.
• HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 1—Introductory Material, June 2019 with Errata.
• HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 2—Templates and Supporting Material, June 2019 with Errata.
• X12N 275 Additional Information to Support a Health Care Services Review (06020X316).
• X12N 275 Additional Information to Support a Health Care Claim or Encounter (06020X314).
• X12N 277—Health Care Claim Request for Additional Information (006020X313).
• HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1.

In accordance with section 1104(c)(3) of the Affordable Care Act, which sets a 2-year compliance date, and which makes no provision for an extended time for small health plans to achieve compliance, we are proposing that the compliance date for these standards would be 24 months after the effective date of the final rule for all covered entities. We would specify these compliance dates in § 162.2002.

2. Proposed Compliance Date for Modification

Section 1175(b)(2) of the Act requires the Secretary to determine an appropriate compliance date for the implementation of modified standards, such as the modification of the X12N 278 standard from Version 5010 to Version 6020, by taking into account the time needed to comply due to the nature and extent of the modification. The Act also requires that the compliance date be no earlier than the last day of the 180-day period beginning on the date the modification is adopted (the effective date of the final rule in which the modification is adopted). As discussed previously, we are proposing Version 6020 of the X12N 278 as the standard for referral certification and authorization transactions to be used by a health plan in conjunction with Version 6020 of the X12N 275, which a health care provider would use to electronically transmit attachment information to a health plan in support of a prior authorization request. As the X12N 278 will feature in the new health care attachments transaction, we believe it is important to align the compliance dates for the proposed modification to the X12N 278 standard and the health care attachments standards. Accordingly, we are proposing that covered entities would need to comply with Version 6020 of the standard 24 months after the effective date of the final rule. We would reflect this compliance date in § 162.1302 by: (1) revising paragraph (c) to specify only the standard identified in paragraph (b)(2)(i); and (2) adding new paragraph (d) to require covered entities to use, in paragraph (d)(1), Version 5010 X12N 278 for 24 months after the effective date of the final rule, and in paragraph (d)(2), Version 6020 X12N 278 on and after 24 months after the effective date of the final rule. We solicit comments on this proposed approach.

F. Proposed Incorporation by Reference

This proposed rule proposes to incorporate by reference: (1) X12 275— Start Printed Page 78453 Additional Information to Support a Health Care Claim or Encounter (006020X314); (2) X12N 275—Additional Information to Support a Health Care Services Review (006020X316); (3) X12N 277—Health Care Claim Request for Additional Information (006020X313); and (4) X12N 278—Health Care Services Request for Review and Response Version (006020X315) standard for the referral certification and authorization transaction implementation guides.

The X12 275—Additional Information to Support a Health Care Claim or Encounter implementation guide provides instructions to assist those who send additional supporting information or who receive additional supporting information to a health care claim or encounter. The implementation guide for X12N 275—Additional Information to Support a Health Care Services Review implementation guide contains the data elements used to communicate individual patient information requests and patient information (either solicited or unsolicited) between separate health care entities in a variety of settings to be consistent with confidentiality and use requirements. Instructions to collect patient information consisting of demographic, clinical and other supporting data are provided.

The X12N 277—Health Care Claim Request for Additional Information implementation guide contains the format and establishes the data contents of the Health Care Information Status Notification Transaction Set for use within the context of an Electronic Data Interchange (EDI) environment. This transaction set can be used by a health care payer or authorized agent to notify a provider, recipient, or authorized agent regarding the status of a health care claim or encounter or to request additional information from the provider regarding a health care claim or encounter, health care services review, or transactions related to the provisions of health care.

X12N 278—Health Care Services Request for Review and Response Version implementation guide contains the format. It establishes the data contents of the Health Care Services Review Information transaction set used within the context of an Electronic Data Interchange (EDI) environment. This transaction set can be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of request for review, certification, notification, or reporting the outcome of a health care services review. Expected users of this transaction set are payors, plan sponsors, providers, utilization management, and other entities involved in health care services review.

This proposed rule proposes to incorporate by reference: (1) HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 1, March 2017; (2) HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 1—Introductory Material, June 2019 with Errata; and (3) HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 2—Templates and Supporting Material, June 2019 with Errata.

The HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 1, March 2017, defines the requirements for sending and receiving standards-based electronic attachments. It does so by applying additional constraints onto standards in common use for clinical documentation and by specifying requirements for sending and receiving systems for attachment requests and response messages. It defines the set of attachment documents as those that contain the minimum standard metadata to support basic document management functions, including identification of patients and providers, the type of document, date of creation, encounter information, and a globally unique document identifier.

HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 1—Introductory Material, June 2019 with Errata and HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 2—Templates and Supporting Material, June 2019 with Errata implementation guides contain a library of CDA templates, incorporating and harmonizing previous efforts from HL7. It represents the harmonization of the HL7 Health Story guides, HITSP C32, related components of IHE Patient Care Coordination (IHE PCC), and Continuity of Care (CCD). This R2.1 guide was developed and produced by the HL7 Structured Documents Workgroup. It updates the C-CDA R2 (2014) guide to support “on-the-wire” compatibility with R1.1 systems C-CDA Release 2.1 implementation guide, in conjunction with the HL7 CDA Release 2 (CDA R2) standard, is to be used for implementing the following CDA documents and header constraints for clinical notes.

The materials we propose to incorporate by reference are available to interested parties and can be inspected at the CMS Information Resource Center, 7500 Security Boulevard, Baltimore, MD 21244-1850. The X12 implementation guides are available at GLASS, sso.x12.org. The HL7 implementation guides are also available through the internet at www.HL7.org. A fee is charged for all implementation guides. Charging for such publications is consistent with the policies of other publishers of standards. If we wish to adopt any changes in this edition of the Code, we would submit the revised document to notice and comment rulemaking.

IV. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995, we are required to provide 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995 requires that we solicit comment on the following issues:

• The need for the information collection and its usefulness in carrying out the proper functions of our agency.
• The accuracy of our estimate of the information collection burden.
• The quality, utility, and clarity of the information to be collected.
• Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

The burden associated with the information collection requirements contained in § 162.1302 of this document are subject to the PRA; however, this one-time burden was previously approved and accounted for in the information collection request under OMB control number 0938-0866 and titled “CMS-R-218: HIPAA Standards for Coding Electronic Transactions.” This information collection request will be revised and reinstated to incorporate any proposed additional transaction standards and proposed modifications to transaction standards not currently captured in the PRA package associated with OMB approval number 0938-0866.

In addition, the collection requirements associated with this demonstration do not impose information collection and record Start Printed Page 78454 keeping requirements, because they meet the “information” definition exception under 5 CFR 1320.3(h)(4) which states: “Information” does not generally include items in the following categories: (4) Facts or opinions submitted in response to general solicitations of comments from the public, published in the Federal Register or other publications, regardless of the form or format thereof, provided that no person is required to supply specific information pertaining to the commenter, other than that necessary for self-identification, as a condition of the agency's full consideration of the comment.

If you comment on this information collection, that is, reporting, recordkeeping or third-party disclosure requirements, please submit your comments electronically as specified in the ADDRESSES section of this proposed rule. Comments must be received on/by February 21, 2023.

V. Regulatory Impact Analysis

A. Statement of Need

This rule proposes to adopt and modify standards, pursuant to HIPAA Administrative Simplification statutory provisions, for the electronic transmission of health care attachments, inclusive of attachments standards for both health care claims and prior authorizations. The health care industry has made it clear via NCVHS testimony, WEDI presentations, CAQH reports and direct inquiry that there is a clear need for government action with regard to attachments standards in order to bring consistency and reliable communications among the partners involved in health care transactions that require attachments. As a result of the absence of a federal attachments standard, health plans, providers and vendors lack the direction needed to support broad use of automation in the attachment workflow or for industry to coalesce around the use of even a small number of electronic solutions. In addition, lack of an attachments standards has deterred industry stakeholders from investing in system implementations to automate the attachments workflow, requiring a large manual administrative burden for the exchange of medical documentation. Industry SSOs and stakeholder alliances report this automation would yield substantial labor cost savings and administrative burden reduction. We believe standardizing electronic attachments transmissions would facilitate prior authorization decisions and claims processing, which would result in a decreased burden on providers and health plans, and quicker delivery of services to patients.

B. Overall Impact

We have examined the impacts of this rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)).

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, and safety effects, distributive impacts, and equity). Section 3(f) of Executive Order 12866 defines a significant regulatory action as an action that is likely to result in a rule: (1) having an annual effect on the economy of $100 million or more in any 1 year, or adversely and materially affecting a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local or tribal governments or communities (also referred to as economically significant); (2) creating a serious inconsistency or otherwise interfering with an action taken or planned by another agency; (3) materially altering the budgetary impacts of entitlement grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raising novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). Based on our estimates, OMB's Office of Information and Regulatory Affairs has determined this rulemaking is “economically significant” as measured by the $100 million threshold. We believe that covered entities have already largely invested in the hardware, software, and connectivity necessary to conduct the new and modified standards proposed. We anticipate that the adoption of these changes would result in costs that would be outweighed by the benefits. Accordingly, we have prepared a Regulatory Impact Analysis that to the best of our ability presents the costs and benefits of the proposed rulemaking.

C. Regulatory Flexibility Analysis

Executive Order 13272 requires that HHS thoroughly review rules to assess and take appropriate account of their potential impact on small businesses, small governmental jurisdictions, and small organizations (as mandated by the Regulatory Flexibility Act (RFA)). The RFA requires agencies to analyze options for regulatory relief of small entities, if a rule has a significant impact on a substantial number of small entities. If a proposed rule may have a significant economic impact on a substantial number of small entities, then the proposed rule must discuss steps taken, including alternatives considered, to minimize the burden on small entities. The RFA does not define the terms significant economic impact or substantial number. The Small Business Administration (SBA) advises that this absence of statutory specificity allows what is significant or substantial to vary, depending on the problem that is to be addressed in rulemaking, the rule's requirements, and the preliminary assessment of the rule's impact. Nevertheless, HHS typically considers a significant impact to be three to five percent or more of the affected entities' costs or revenues.

The RFA generally defines a small entity as (1) a proprietary firm meeting the SBA size standards, (2) a not-for-profit organization that is not dominant in its field, or (3) a small government jurisdiction with a population of less than 50,000. The North American Industry Classification System (NAICS) is used in the U.S., Canada, and Mexico to classify businesses by industry.^[24] While there is no distinction between small and large businesses among the NAICS categories, the SBA develops size standards for each NAICS category. The most recently available update to the NAICS went into effect for the 2017 reference year, and the most recent SBA small business size regulations and Small Business Size Standards by NAICS Industry tables appear at 13 CFR 121.201. We have determined that the covered entities and their vendors affected by this proposed rule likely fall primarily in the categories listed in Table 1.

Most hospitals and most other providers and suppliers are small entities, either by nonprofit status or by having revenues of less than $8.0 million to $41.5 million in any 1 year. Accordingly, it is our normal practice to treat all health care providers as small entities. For providers, the changes proposed by this rule may involve software upgrades for practice management and EHR systems. Thus, we expect that the vast majority of physicians and other health care provider practices will need to make relatively small changes in their systems and in their processes, but may incur additional service fees from their system vendors for additional functionality. Some of the smallest provider entities may elect to continue their current manual processes. We include pharmacies in this analysis, and consider most of them to be small businesses. While we believe few health plans meet the small business size standard, many health plans are non-profit organizations and would be considered small businesses; but we are unable to identify data to help us distinguish the number of these entities and therefore solicit industry feedback to complete this analysis for the final rule. We address clearinghouses, but we do not believe that there are a significant number of clearinghouses that would be considered small entities because of the level of consolidation in the marketplace. Because these proposals include initial standards for the exchange of both administrative and clinical documentation, we also address provider practice management system (PMS) and EHR vendors in our discussion, but are unable to identify data that would help identify the proportion of firms in these markets that meet the small business size standards. State Medicaid agencies are excluded from this analysis because states are not considered small entities in any RFA.

Table 8 in the impact analysis presents the estimated implementation costs of these proposals on all entities we anticipate would be affected by the rule. The data in that table are used in this analysis to provide cost information.

1. Number of Small Entities

We used the latest available (2017) Census business data records and other information to determine the number of affected entities, as summarized in Table 2.

Based on the latest available (2017) Census business data records, we estimate that 321,639 health care provider entities may be considered small entities either because of their nonprofit status or because of their revenues, as detailed in Table 3. Approximately two percent (5,544) of these are hospitals, 57 percent (171,722) are physician practices, and 41 percent (125,329) are dental practices. To count hospitals, we are using data at the level of establishments, and to count physicians and dentists we are using data at the level of firms, as we did in the August 22, 2008 proposed rule titled “Health Insurance Reform; Modifications to the Health Insurance Portability and Accountability Act (HIPAA) Electronic Transaction Standards” (73 FR 497742, 49758). We believe health information technology (HIT) systems are still more likely to differ at the level of the enterprise rather than at the level of the firm in hospitals. We believe that this way of counting may overstate the number of affected entities in these segments, given the recent trends toward consolidation among and between provider types and toward increasing integration of HIT systems across collaborating organizations. However, this overestimation may compensate for other types of affected health care providers potentially not reflected in these particular NAICS categories. We note that the number of 5,544 hospital establishments reflected in the 2017 Census business data roughly compares with more recent 2021 data from the American Hospital Association ^[25] indicating a total of 6,090 U.S. hospitals, of which approximately 25 percent are for-profit. However, we do not have more detail, including data on the size of the hospitals in this 25 percent, in order to determine whether any should be excluded from the count of small entities.

The Census business data records indicate that in 2017 there were a total of 19,234 pharmacy firms, and we estimate that most of these qualify as small entities. Available data do not permit us to clearly distinguish small pharmacy firms from firms that are parts of larger parent organizations, but we use employee size as a proxy for the firm size subject to the SBA size standard. For purposes of this analysis, we assume the firms with more than 500 employees (190) represent chain pharmacies and those with fewer than 500 employees (19,044) represent independently-owned open- or closed-door pharmacies. The 19,044 firms with fewer than 500 employees represented 20,901 establishments and accounted for total annual receipts of $70.9 billion and average annual receipts of $3.7 million—revenue that is well below the SBA standard of $30 million. By contrast, the 190 firms with 500 or more employees represented 27,123 establishments and accounted for over $211 billion in annual receipts, and thus, average annual receipts of $1.1 Start Printed Page 78456 billion. Therefore, we assume 19,044 pharmacy firms qualify as small entities for this analysis.

For 2017, the Census Bureau counts 745 entities designated as Direct Health and Medical Insurance Carriers and 27 as Health Maintenance Organization (HMO) Medical Centers. We assume that these 772 firms represent health plans that would be subject to these proposals. Of the 745 Carriers, those with fewer than 500 employees (564) accounted for $35 billion in total and over $62 million in average annual receipts, exceeding the SBA size standard of $41.5 million. Comparable data on the eight smaller HMO Medical Centers is not available due to small cell size suppression. Although health plan firms may not qualify as small entities under the SBA receipts size standard, they may under non-profit status. However, we are not aware of data that would help us understand the relationship between health plan firm and ownership tax status to quantify the number of such firms. Therefore, we are not including an analysis of the impact on small health plans.

Clearinghouses provide transaction processing and data translation services to both providers and health plans that would be critical to implementing this proposed rule. The applicable NAICS category includes many types of financial transaction processing firms other than those affected by this rule, so the Census business data cannot be used to identify small entities of interest. In previous rulemaking, we have identified a largely consolidated market (74 FR 3312). More recently, in 2020, the national clearinghouse association, Cooperative Exchange, indicated its 23 member companies represent over 90 percent of the clearinghouse industry and provide services to over 750,000 provider organizations, through more than 7,000 payer connections and 1,000 HIT vendors.^[26] While we do not have data on the size of these firms, or on the other firms constituting the remaining less than 10 percent of the market, we continue to believe the firms in this segment are either quite large or are affiliated with other very large firms, and do not include them in this small entity analysis. In the January 2009 Modification final rule, we identified the number of 162 clearinghouse entities (74 FR 3318). We are not aware of whether there has been further consolidation in this industry since 2009, so we continue to estimate that 162 clearinghouses serve the health care market in subsequent analyses.

Other vendors affected by this rule include provider PMS and EHR technology system vendors. Counting the affected entities in these two segments is complicated, in part because they are increasingly integrated. A health care provider entity's PMS and EHR systems may be bundled in one product offering, semi-integrated affiliated systems, or entirely independent systems offered by separate vendors.^[27] We have not identified publicly available data on the number, size, or market share of these specific industry stakeholders. NAICS industry category 541511, Custom Computer Programming Services, seems to be the closest category. In 2017, the category included over 62,000 firms with 99 percent of these having less than 500 employees and 1 percent having 500 or more employees. However, this total seems out of proportion to other potential indicators of market size, leading us to believe it significantly overstates the affected entities of interest to the proposed rule. For instance, the aforementioned Cooperative Exchange description of member firm scope cited connections with 1,000 HIT vendors; 2019 market research estimates indicate there are over 500 vendors offering some type of EHR product; ^[28] the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule (85 FR 25642) estimated the number of certified HIT developers with health IT products capable of recording electronic health information certified in the 2015 Edition of health IT certification criteria to be 458; and the Electronic Health Record Association, a trade association of EHR companies addressing national efforts to create interoperable EHRs in hospital and ambulatory care settings, lists 29 companies as members.^[29] A web search for NAICS codes associated with a sampling of these EHR Association member companies yielded many different NAICS codes (including some with 541511), possibly reflecting widely varying scopes of other products and services offered by firms in this market segment. Without more definitive data on the firms specific to the health care provider PMS and EHR business markets, we estimate that the number of affected firms is around 1,000, with the bulk of market share served by a relatively small number of large entities and the remainder of market share served by many smaller entities. However, we are unable to determine how many of these smaller entities may meet small business size standards and are not subsidiaries of larger firms, so we do not include them in this small entity analysis.

2. Costs to Small Entities

To determine the impact on the health care providers considered small entities for this analysis (identified in the previous section), we used the 2017 Census business data to collect revenue estimates and compared these to the high and low estimates for the range of costs calculated for each industry segment later in this analysis, as summarized in Table 8. We calculated the percentage of revenues represented by the high and low estimates, and none exceeded the 3 to 5 percent of revenue threshold, as summarized in Table 3. Thus, for purposes of the RFA analysis, we can conclude there is not a significant impact on small entities.

3. Alternatives Considered

This rule proposes to adopt standards for “health care attachments,” which support both health care claims, as required by section 1173(a) of the Act, and prior authorization transactions, as recommended to the Secretary by NCVHS. It is our understanding that the standards recommended to the Secretary by NCVHS, and that we are proposing to adopt in this rule, are the only standards applicable to health care attachments that are ready for full implementation across the industry. Therefore, we considered the following regulatory alternatives: (1) not adopt standards for health care attachments, allowing for the industry's continued use of multiple processes, (2) wait to adopt standards for health care attachments until alternate standards, such as FHIR standards, are ready for full implementation and recommended to the Secretary by the industry, and (3) adopt a different version of the X12 implementation specifications than Version 6020, the version proposed to adopt in this rule. We chose to proceed with the proposals in this rule after identifying significant shortcomings with each of these alternatives.

We chose to propose to adopt attachments standards rather than allow for continued use of multiple standards because of the well-documented costs and administrative burdens associated with the many manual or partially electronic processes currently in use. These burdens were recently detailed in the 2020 CAQH Index. In response to CAQH surveys, industry stakeholders reported that the lack of federal standards and mandates has been a principal barrier to adoption of fully electronic standardized health care transactions.^[30] Based on these survey responses, should we not adopt standards for health care attachments, most attachment transactions and many prior authorization transactions would continue to be conducted through fully manual processes. Not adopting standards for attachment transactions would also mean forgoing the opportunity to reduce the unnecessary back-and-forth between providers and health plans, accelerate claims adjudication and patient service approval timeframes, and reduce provider resources spent on manual follow-up activities. To the extent that future payer policies continue to trend toward increased levels of prior authorization or health care attachments requirements, these burdens could also increase.

Similarly, we chose not to hold off on proposing the adoption of attachment standards until alternate standards, such as FHIR standards, are available and recommended by the industry because we believe that adoption and implementation of the specifications in this proposed rule can immediately reduce the costs and burdens associated with the lack of national standards. While we are aware of HL7's efforts to create alternative implementation specifications to support health care attachments transactions, we note that at the time of writing this proposed rule, these FHIR implementation specifications have not been finalized nor have they been tested. We also note that the HL7 CDA standard we are proposing to adopt in this proposed rule is the only currently available SSO-created, NCVHS-recommended standard with published implementation specifications designed to support both claims and prior authorization attachment transactions. We believe that the industry's readiness for improvements to the manual or partially electronic process currently in place, as outlined the CAQH stakeholder surveys and supported by NCVHS's recommendation to adopt the specifications proposed in this rule, support proposing the adoption of attachments standards at this time. However, we invite comment on our understanding of the readiness of possible implementation specifications for health care attachments that support both claim and prior authorization transactions and whether the industry supports postponement of an adopted standard as it did for the previously mentioned proposed rule in the 2005 Federal Register (70 FR 55990), titled “HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule.”

Finally, we chose to propose adoption of Version 6020 of the X12 implementation specifications, rather than an alternate version, such as Version 5010, because Version 5010 does not fully support attachments transactions. Version 6020 resolves technical issues and limitations in Version 5010 to enable attachments transactions that support both health care claims and prior authorization transactions. We also invite comment on any alternative implementation specifications that were not considered but meet the criteria outlined in this proposed rule.

4. Conclusion

As referenced earlier in this section, we use a baseline threshold of 3 to 5 percent of revenues to determine if a rule would have a significant economic impact on affected small entities. The small health care entities do not come close to this threshold. Therefore, the Secretary has certified that this proposed rule would not have a significant economic impact on a substantial number of small entities. However, because of the relative uncertainty in the data, the lack of consistent industry data, and our general assumptions, we invite public comments on the analysis and request any additional data that would help us determine more accurately the impact on all categories of entities affected by the proposed rule.

In addition, section 1102(b) of the Act requires us to prepare a Regulatory Impact Analysis if a rule would have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 603 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a metropolitan statistical area and has Start Printed Page 78458 fewer than 100 beds. This proposed rule would not have a significant effect on the operations of a substantial number of small rural hospitals because these entities would rely on contracted health information technology (HIT) vendors for the majority of implementation investment and efforts such hospitals elect to implement. We note that health care providers may choose not to conduct transactions electronically. Therefore, they would be required to use these standards only for transactions that they conduct electronically and would be expected to do so only when the benefits clearly outweigh the costs involved. Therefore, the Secretary has certified that this proposed rule would not have a significant impact on the operations of a substantial number of small rural hospitals.

Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates would require spending more in any one year than threshold amounts in 1995 dollars, updated annually for inflation. In 2022, this threshold is approximately $165 million. This proposed rule would impose mandates that would result in the expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of more than $165 million in any one year. The impact analysis in this proposed rule addresses those impacts both qualitatively and quantitatively. In general, each state Medicaid Agency and other government entity that is considered a covered entity would be required to ensure that its contracted claim processors update software and conduct testing and training to implement the adoption of the new standards and modified versions of a previously adopted standard. However, we have no reason to believe that ongoing contractual payment arrangements for these services would necessarily increase as a result of the proposed changes. UMRA does not address the total cost of a rule. Rather, it focuses on certain categories of cost, mainly federal mandate costs resulting from imposing enforceable duties on state, local, or tribal governments, or on the private sector; or increasing the stringency of conditions in, or decreasing the funding of, state, local, or tribal governments under entitlement programs.

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. This proposed rule would have a substantial direct effect on state or local governments, could preempt state law, or otherwise have a federalism implication because state Medicaid agencies or their contractors would be implementing new standards and a modified version of an existing standard for which there would be expenses for implementation and wide-scale testing.

D. Anticipated Effects

The objective of this regulatory impact analysis is to summarize the costs and benefits of the following proposals:

• Adopting new standards for the exchange of health care attachment information consisting of—

++ A code set to be used for health care attachments transactions;

++ Proposed X12 standards for requesting and transmitting attachment information and HL7 standards for clinical information content; and

++ Proposed electronic signatures standards.

• Modifying the existing standard for referral certification and authorization by updating from Version 5010 to Version 6020.

This portion of the analysis is informed by a review of an earlier environmental scan produced for us in 2016 by the MITRE Corporation, industry testimony to the NCVHS, whitepapers from the Workgroup for Electronic Data Interchange (WEDI), and survey results produced by industry consensus-based organizations, and updated web-based research on specific topics.

Consistent with statutory and regulatory requirements, any recommendations for the adoption of HIPAA standard updates are the outcome of an extensive consensus-driven process that is open to all interested stakeholders. The standards development process involves direct participatory input from representatives of the industry stakeholders required to utilize the transactions.

For purposes of this analysis, we use the segmentation of health care industry stakeholders laid out in the 2009 Modifications final rule with some additional detail on vendors supporting the integration of the administrative and clinical data. As discussed in this proposed rule, providers and payers continue to use manual processing for health care attachments, therefore, these stakeholders are relevant for purposes of this RIA because there is no adopted health care attachments standard. As noted in the 2017 WEDI white paper, most payers send hard copy letters to request additional information to support a claim or prior authorization submitted by the provider.^[31] These segments consist of the following:

• Providers

++ Hospitals

++ Physicians

++ Dentists

++ Pharmacies

• Health Plans

++ Private Health Plans and Issuers

++ Government Health Plans: Medicare, Medicaid, and Veterans Administration

• Clearinghouses
• Vendors

++ PMS Vendors

++ EHR Vendors

In analyzing the effects of this proposed rule, we referenced the 2019 and 2020 CAQH Index Reports issued on January 21, 2020 and February 3, 2021, respectively.^[32] The 2020 CAQH Index ^[33] tracks adoption of HIPAA-mandated and other electronic administrative transactions and measures progress reducing the costs and burden associated with administrative transactions exchanged across the medical and dental industries. The CAQH Index includes estimates of the number of annual transactions by submission mode (phone, fax, mail, or email), electronic (HIPAA standard) or partially electronic (web portals or interactive voice response), as well as estimates of the associated labor cost and staff time. The reported costs and savings account only for the labor time required to conduct transactions, not the time and cost associated with gathering information or costs associated with the use of clearinghouses or third-party vendors.

For two types of transactions directly addressed by this proposed rule, attachments, and prior authorization, the 2020 CAQH Index estimates the annual industry national savings opportunity of full automation adoption of these transactions at $377 million and $417 million, respectively. These savings would accrue to both health plan payers and providers, with the vast majority of estimated savings accruing to providers. With respect to the category of providers, the report does not provide a breakdown of the type of providers that contributed to the survey Start Printed Page 78459 results, but does distinguish between medical and dental providers, and does acknowledge partnering with both physician and hospital member organizations. Thus, we believe the medical provider savings reported include hospital-related responses.

In contrast to the data on labor cost savings, we are not aware of any reports or other industry estimates on the level of additional investments needed to fully implement these electronic processes for requesting and submitting attachment information, or the proportion of such costs that might be passed on to provider or health plan firms. By reviewing testimony submitted to the NCVHS and conducting web searches, such as for plan, clearinghouse, and vendor electronic data interchange (EDI) instructions and services, we understand some stakeholder segments have already largely built or acquired the capacity to implement these proposals (albeit possibly in inconsistent and proprietary ways in the absence of federal standards and operating rules). Similarly, based on NCVHS testimony, others (particularly health care providers and their vendors) have partially implemented the standards.^[34] Thus, we conclude that implementation and readiness to fully implement the proposed standards vary among and within covered entity industry segments.

We also believe it is likely that firms directly involved in deploying additional capacity, in particular in upgrading PMS or EHR functionality, would not voluntarily share proprietary and competitive, market-sensitive data on the level of additional investment needed or on the effects on customer fees. Therefore, as further explained in the discussion of cost calculations, we estimate the incremental costs involved not through projected cost build-up, but rather as a function of the level of impact of implementing the previous HIPAA-standard modifications. We seek comment on this approach and on the appropriateness of the aggregate level estimates; data reflecting estimated changes to firm-specific costs and customer-specific fees would preferably be presented in a manner that facilitates aggregation.

We do not have good information on the extent of adoption of the proposed electronic standards for attachment information among industry stakeholders because HHS has not adopted an electronic transaction standard for health care attachments. However, we believe there is good reason to expect the proposed regulatory requirements, combined with the administrative cost savings opportunities identified by CAQH, would incentivize broad adoption of these attachment standards and lead to a significant uptake of the prior authorization standard. The remainder of this section provides details supporting the cost-benefit analysis for our proposals.

1. Affected Entities

As with previous standard updates, all HIPAA covered entities would be affected by this proposed rule. Covered entities include all health plans, all health care clearinghouses, and health care providers that transmit health information in electronic form in connection with a transaction for which the Secretary has adopted a standard. Therefore, they would be required to use these standards only for transactions that they conduct electronically. See the Transactions and Code Sets rule for a discussion of affected entities (65 FR 50361).

In general, covered entities (or their vendors) would incur a number of one-time costs to implement the new and modified transactions in this proposed rule unless they have already implemented an adopted HIPAA standard, such as for prior authorization transactions. These costs would include analysis of business flow changes, software procurement or customized software development, integration of new software into existing provider/vendor systems, staff training, and collection of new data, testing, and transition processes. For some entities, new vendors may be needed for the creation and validation of the clinical documentation to be embedded in the attachment transactions. Systems implementation costs would account for most of the costs, with system testing alone likely accounting for a majority of costs for all covered entities. Ongoing operational costs would be expected to initially grow, as the implementation of electronic processes run in parallel with ongoing manual and partially automated processes, but to decline as higher proportions of transactions are automated. These HIT-related costs would be offset by significant reductions in labor costs for what are today largely manual processes to locate, collect, package, and mail clinical records needed to support requests for additional documentation to support claims and prior authorization requests. Other offsetting cost savings are expected from lower postage and other mailing costs, reductions in reprocessing volume due to higher clean claim acceptance rates, and delay in receiving payment.^[35 36]

It is likely that there are significant differences in readiness among payer and provider claims and prior authorization HIT systems, and we do not know the extent of incremental costs associated with HIT development, enablement (upgrade or licensing fees paid by users), or workflow adjustment and training to facilitate compliance with the standards proposed in this rule. So, though we are aware that the net benefits would likely vary among stakeholders, we lack the data to estimate these differential effects. An important consideration reflected in various industry testimonies submitted to the NCVHS is that some stakeholders, particularly smaller providers, would continue to have the option to leverage existing clearinghouses to provide these information exchange services based on negotiated rates. This is a standard practice today, where clearinghouses already manage 90 percent of the conversion of paper-to-electronic formats, as well as reformatting of non-compliant to compliant electronic claim transactions for the industry. Given the high costs of manual and partially electronic means for exchanging required information, we believe the impact of this rule would be significant net savings to the industry. However, the level and timing of uptake (as opposed to the retention of manual processes and clearinghouse intermediation) by provider entities are uncertain. We reflect this uncertainty with both the phasing in of and the estimation of minimum and maximums for costs and benefits. We solicit comments on this approach and our assumptions throughout this analysis.

2. Explanation of Cost Calculations

Based on consultation with industry workgroups, such as WEDI, we determined that the health care attachment standards in this proposed rule are already in common use by entities engaged in other lines of business, such as the workers' compensation and liability insurance Start Printed Page 78460 fields, that exchange medical records. Thus, there is clear evidence that the standards are fit for their intended purpose and have been successfully implemented in closely related business processes.

Although the attachments standards we are proposing to adopt are initial standards, as described in section 1175 of the Act, health plans surveyed by CAQH in 2020 reported electronic transaction submission levels of 22 percent for attachments and 21 percent for prior authorizations. Therefore, while the specification for attachments requests by the health plan (X12 277) and the subsequent response from the provider (X12 276) have not previously been adopted under HIPAA Administrative Simplification, some payer and provider systems are already exchanging HIPAA electronic prior authorization transactions using the adopted standards. Moreover, the HL-7 C-CDA has been widely adopted pursuant to the ONC 2014 and 2015 Editions of Health Information Technology Certification Criteria specifying content exchange standards and implementation specifications for exchanging electronic health information. According to the latest available posted data, as of 2017, nearly 4 in 5 (80 percent) office-based physicians had adopted a certified EHR.^[37]

Similarly, while the standards we are proposing to adopt for electronic signatures are also initial standards, we believe they have already been widely implemented by the industry. For example, in 2010 the Drug Enforcement Agency (DEA) finalized a rule requiring similar standards for electronic prescribing of controlled substances.^[38] The proposed electronic signature standard utilizes the same technology to expand electronic signature capabilities to all clinical documentation, rather than just electronic prescriptions. Therefore, we believe the implementation of the proposed electronic signature standard would not represent a significant incremental cost to providers.

Given much of the industry has already implemented some or all of the implementation specifications we are proposing to adopt in this proposed rule, or versions of the implementation specifications we are proposing to adopt in this proposed rule, we believe the level of effort involved in implementing the entire set of proposed implementation specifications herein is more akin to implementing standards modifications than to implementing transactions standards for the first time. Therefore, we anchor our cost estimates on the final cost estimates, updated for inflation,^[39] in the Modifications final rule, and then make certain adjustments to address unique aspects of certain industry segments. While the systems required for implementing the specifications proposed for adoption in this proposed rule have been continuously updated since the publication of the Modifications final rule, the technologies within the proposed implementation specifications in this proposed rule are of the same type as those considered in the Modification rule and will be integrated into systems that continue to utilize the similar business models.

The cost estimates in the Modifications final rule were based on an estimate of the total costs to implement the initial HIPAA transaction standards (Version 4010/4010A) and informed by industry interviews.^[40] To determine the costs for each provider sub-segment (that is, hospitals, physicians, and dentists), we established an estimate for what the total approximate Version 4010/4010A costs were for an individual entity within that sub-segment (based on the interviews and other data available through research) and then applied an estimated range of 20 to 40 percent of those costs to come up with estimated minimum and maximum costs for Version 5010. The range was accepted as a realistic proxy by all providers and plans who participated in the interviews. Through the course of the interviews, we identified more granular cost categories and reviewed these with the participants to help analyze and validate overall cost estimates by entity. The estimated cost for each individual entity within a segment was then multiplied by the number of entities to establish the estimated costs for entire segment.

With respect to the level and timing of the uptake of these standards, we assume that some portion of providers and their vendors may take longer to move from manual to fully automated transactions. For purposes of this analysis, we generally estimate that most stakeholders would incur costs over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years.

We note that, although many comments to the Modifications rule suggested we underestimated the costs, no substantive data or additional information was provided to counter our analysis at that time. We're not aware of more recent public research relating to costs of implementing modifications to HIPAA transaction standards. We invite public comments on our understanding and request any additional data that would help us determine more accurately the costs of implementing modifications to HIPAA transaction standards.

3. Explanation of Benefits Calculations

To determine the benefits for each segment of the industry, we primarily relied upon the 2020 CAQH Index. Based on survey responses, CAQH estimates that spending on labor time conducting attachment transactions accounts for about $590 million of spending on administrative transactions across the medical industry, with health care providers incurring about 88 percent of this spending at an average cost of $5.10 for each manually processed attachment. In moving from manual to electronic attachments transactions, CAQH estimates the health care industry could save $4.09 on average per transaction and an additional $377 million annually. These estimated savings would be split between health care providers ($328 million) and health plans ($49 million) and would be generated by the avoidance of 8 minutes in administrative labor time per attachment on average, as medical providers reported taking an average of 11 minutes to submit an attachment manually versus 3 minutes electronically. Comparable data on spending and savings opportunities on attachment transactions for dental providers were not available, although the survey reports that only 16 percent of dental attachment transactions in 2020 were fully electronic.

The 2019 CAQH Index reported that the use of the electronic standard for prior authorizations has remained very low due to barriers such as provider Start Printed Page 78461 awareness, vendor support, and inconsistent use of data content allowed in the standard, and the lack of an attachment standard to support the exchange of medical documentation. The 2020 CAQH Index reports that fully electronic prior authorization continues to have the lowest adoption rate of the medical transactions surveyed, although utilization between 2019 and 2020 increased by 8 percentage points to 21 percent. Since this rule proposes to adopt federal attachment standards, including those to address data content, we believe the proposed changes in this rule would substantially address these barriers and promote widespread adoption of electronic prior authorization processes. As described in section I.F. of this proposed rule, numerous organizations representing physician provider groups, insurance payers, health technology vendors, health care financial managers, and HIT standard advisory bodies have submitted recommendations to the Secretary strongly supporting this view.

CAQH reports that prior authorization is the most costly and time-consuming administrative transaction for providers, and administrative spending increased to $767 million as the cost to conduct prior authorizations rose for both plans and providers from the previous year. Based on survey responses, the 2020 CAQH Index estimates that, on average, providers spent about 20 minutes and $10.26 per transaction to conduct a prior authorization manually, and about 13 minutes and $7.07 via a partially electronic web portal in 2020. These costs compare with an average cost of $3.64 per fully electronic transaction. CAQH estimates that, based on 2020 survey data, switching to fully electronic transactions could yield an additional $417 million in annual administrative cost savings. Those savings would be split between health care providers ($322 million or 77 percent) and health plans ($95 million or 23 percent). Comparable data were not reported on prior authorization transactions for dental providers, suggesting this transaction is not generally utilized by this segment.

We utilize the CAQH national annual savings estimates as the basis for our benefits estimates. The CAQH national annual savings estimates are calculated based on potential savings moving from the reported state of 21 percent electronic processing for prior authorization transactions and 22 percent electronic processing for attachments to fully electronic processing. The total potential industry cost savings opportunity is an amount that declines as industry adoption increases. Although there was an apparent increase in electronic processing of prior authorization and health care attachments transactions from 2019 to 2020, we do not trend the benefits estimates forward because previously reported estimates of electronic processing adoption have tended to remain stable over a longer period of time. The CAQH estimation methodology only includes labor time savings, which it assesses to be the most significant component of savings, by far. We do not include estimates of other sources of savings, such as through elimination of mailing costs, so our benefit estimates may have a tendency toward understating actual industry savings.^[41] Because we believe that some portion of providers and their vendors may take longer to move from manual to fully automated transactions, we also assume a phased-in realization of the level of annual benefits projected by CAQH. For purposes of this analysis, we generally estimate that most stakeholders would realize the benefits in labor savings over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date.

4. Hospitals

As previously discussed, to determine the costs for each health care provider sub-segment, we started with the minimum and maximum cost estimates in the Modifications final rule for each type of entity. For hospitals, those estimates were within a range of $1,423 million to $2,848 million, adjusted for inflation (74 FR 3316). We further assume that these costs would be incurred by hospital HIT developers, which would both absorb some portion of the costs as a cost of doing business incorporated in the current level of HIT service and maintenance agreements and also pass some portion of the costs on to the hospital in the form of higher fees for enabling new functionality. This seems reasonable given our understanding that HIT vendors generally plan on, and finance, a certain level of ongoing system development through ongoing maintenance agreements, typically with annual increases, but also must keep these at a level that remains competitive in their niche market.^[42] In other words, not all possible systems upgrades would be factored into current fees. We do not have any information on how this allocation would be made and expect there would be many variations in practice, but for purposes of this analysis, we assume a 60/40 split between costs borne by the vendor and costs passed on to the hospital. As summarized in Table 4, this results in the hospital share of costs in the range of $569 million to $1,139 million, with the remainder in the range of $854 million to $1,709 million borne by hospital HIT vendors.

To determine the benefits for hospitals, we refer to the estimates of savings for medical providers reported by CAQH, and assume that hospitals would achieve 20 percent of these savings. We assume a rough 80/20 split between physicians and hospitals because we believe the vast majority of transactions needed to support claims and prior authorizations would come from clinician practices since plans and hospitals generally have other processes for utilization management of more expensive inpatient admissions and outpatient procedures. CAQH estimated the total annual savings opportunity for medical providers for fully automating attachments and prior authorization transactions to be $328 million and $322 million, respectively. So, we estimate the hospital share to be 20 percent of $650 million or $130 million. To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate between $98 million to $130 million in annual savings, as summarized in Table 5.

With respect to timing of costs and benefits, we assume hospitals would have both the capital and business interest to move promptly to achieve the return on investment; would incur all costs during the 2-year implementation period; and would realize the full level of annual savings in and after the first operational year following the proposed compliance date, as summarized in Tables 8 and 9.

5. Physicians

We followed a similar methodology for estimating physician costs and benefits. For physicians, the Modifications final rule cost estimates were within a range of $665 million to $1,329 million, adjusted for inflation (74 FR 3317). We assume a comparable level of effort to implement the proposed attachments standards. We further assume that these costs would be incurred by physician practice PMS and EHR vendors, who would both absorb some portion of the costs as a cost of doing business incorporated in the current level of HIT service and maintenance agreements and also pass some portion of the costs on to the practices in the form of higher fees for enabling new functionality. We again assume a 60/40 split between costs borne by the vendor and costs passed on to the customer. As summarized in Table 4, this results in a physician share of costs in the range of $266 million to $532 million, with the remainder in the range of $399 million to $797 million to be borne by physician PMS and EHR vendors. We further assume that some physician entities and their vendors may take more time to implement the standards while continuing to use manual processes in the meantime. Therefore, we estimate physician costs would be incurred over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years, as summarized in Table 8.

To determine the benefits for physicians, we again referred to the estimates of savings for medical providers reported by CAQH and calculated the remaining 80 percent of these savings. CAQH estimated the total annual savings opportunity for medical providers for fully automating attachments and prior authorization transactions to be $328 million and $322 million, respectively, or $650 million in total. So, we estimate the physician share to be 80 percent of $650 million, or $520 million. To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate, or between $390 million to $520 million in annual savings, as summarized in Table 5. We further estimate that these benefits in labor savings would phase in over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date, as summarized in Table 9.

6. Dentists

For dentists, we follow the same methodology for costs as we do for physicians. The Modifications final rule cost estimates for dentists were within a range of $456 million to $913 million, adjusted for inflation (74 FR 3317). We assume a comparable level of effort to implement the proposed attachments standards. We further assume that these costs would be incurred by dental practice PMS and EHR vendors, who would both absorb some portion of the costs as a cost of doing business incorporated in the current level of HIT service and maintenance agreements and also pass some portion of the costs on to the dental practices in the form of higher fees for enabling new functionality. We again assume a 60/40 split between costs borne by the vendor and costs passed on the customer. As summarized in Table 4, this results in the dentist share of costs in the range of $182 million to $365 million, with the remainder in the range of $274 million to $548 million borne by dental practice PMS and EHR vendors. As with physicians, we further assume that some dental practices and their vendors may take more time to implement the standards, while continuing to use manual processes in the meantime. Therefore, we estimate dentists' costs would be incurred over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years, as summarized in Table 8.

Given that the 2020 CAQH Index did not report on the potential savings opportunity for dental providers for full automation of attachments transactions, we take a different approach to benefits estimation. Comments included in testimony submitted to the NCVHS in 2016 on the Attachment Standard ^[43] (2016 NCVHS Hearing) indicated that dentists supported the proposal to make the X12N 275 transaction the standard vehicle for transporting attachment content to dental claims, but made no mention of the prior authorization transaction. These comments also indicated that many dental PMS vendor technologies may lack the capability to generate HL7 documents, requiring dentists to either upgrade existing systems or find alternative methods, such as using a clearinghouse or payer portals. Thus, we conclude that some dentists and their PMS vendors would incur costs associated with submitting attachment information to support claims, and others may maintain current manual or clearinghouse-mediated processes. Therefore, we assume that the savings opportunity for full automation of claims attachments for Start Printed Page 78463 dentists would be a portion of the savings opportunity for medical providers. Since the total number of dental entities (125,329) is about 70 percent of the number of other provider entities (177,266, or 5,544 hospital establishments and 171,722 physician firms), we estimate their savings opportunity would be no greater than 70 percent of the annual $328 million medical provider savings opportunity for attachments estimated by CAQH. In addition, we assume that, given the relatively smaller size of dental practices, a greater proportion of dentists than physicians may choose to retain manual processes. So, as summarized in Table 5, we estimate that the annual dentist savings opportunity is 50 percent of 70 percent of the medical provider opportunity, or $115 million (328 × 0.70 × 0.50). To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate, or between $86 million to $115 million in annual savings. As with the physician estimates, we further estimate that these benefits in labor savings would phase in over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date, as summarized in Table 9.

7. PMS and EHR Vendors

In testimony to the 2016 NCVHS Hearing, WEDI noted that the functionality that would be new to providers in implementing the attachment standards would consist of automating EHR systems to exchange data with the PMS and digital signatures. Consistent with this assessment, the 2016 MITRE environmental scan found that many EHR vendors had the capability of sending X12N 275 and X12N 278 EDI transactions, but that substantial work remained to routinely and reliably extract structured clinical data for C-CDA attachments. Since that time there has been both growth and consolidation in these industry segments. A health care provider entity's PMS and EHR systems may be bundled in one product offering, semi-integrated affiliated systems, or entirely independent systems offered by separate vendors.^[44] So, readiness would vary widely for provider entities based on their HIT contractors.

Because vendors of certified electronic health record technology are already familiar with CDA for meeting requirements under the ONC Health IT Certification Program, we believe all EHR vendors have some ability to extract data for C-CDA templates, although all may not have fully implemented or provided this functionality as part of core product offerings. A review of some of the largest EHR vendor websites in May 2021, provided informal evidence suggesting that about 80 percent of vendors had this functionality in place, that another 17 percent had at least partial functionality, and that only 3 percent might still have no C-CDA functionality. The many other smaller EHR vendors are also likely in varying stages of readiness. Thus, we assume that additional implementation costs may be needed to reliably extract C-CDA documentation and to either integrate this content into internal EDI processes or exchange the documentation with another PMS.

Similarly, we assume PMS vendors contracted with clients that have a certified EHR have already largely developed the ability to create the X12N 275 and X12N 278, even if this functionality has not been enabled for all customers, and that the majority of the additional cost would be associated with receiving and managing the C-CDA payload. Because of this pre-existing functionality, we are again persuaded that implementing these proposals is more akin to a standards upgrade than implementing a new standard for the first time. Based on 2020 CAQH Index results that report 22 percent of medical and 16 percent of dental attachment exchanges occurring electronically, we are aware that some provider vendors have already successfully implemented the transmission of electronic attachments. Without data on the extent of the gaps, or on the difference in readiness between EHR and PMS vendors, we assume similar costs across both types of vendors and treat them together. We also assume that other significant components of implementation costs would consist of trading partner testing and user training.

As the result of the estimates already described for hospitals, physicians, and dentists and the split with their HIT vendors in Table 4, we estimate that PMS and EHR vendor costs would add up across all customer segments to a range of $1,527 to 3,054 million. And since we assume some vendors and/or their customers may take more time to implement the standards, we estimate vendors' costs would be incurred over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years, as summarized in Table 8.

We have not identified any evidence that suggests there would be savings for this segment as the result of the changes in this proposed rule and do not include any estimates of benefits for this segment.

8. Clearinghouses

From remarks recorded at the 2016 NCVHS Hearing,^[45] we understand that by 2016 many entities in the clearinghouse industry had already fully implemented the standards proposed in this rule and were exchanging the transactions and clinical payloads with government and commercial health care entities, as well as with entities in other lines of business. Fundamental to the clearinghouse business role is the ability to normalize disparate data formats, including both structured and unstructured clinical data, and unwrap and convert the data into standard or proprietary formats based on the varying capabilities and needs of payer and provider clients. We assume that, by 2022, this ability has generally become the business norm throughout the clearinghouse industry. As a result, we assume that clearinghouses would not have significant new technology development costs as the result of our proposals, but would have significant new trading partner testing costs.

To estimate clearinghouse implementation costs, we considered a commenter, described in the Modifications final rule (74 FR 3318), that identified as a large clearinghouse and reported that projected costs would be at least $3.5 million, $4.3 adjusted for inflation, and would be affected specifically by the amount of testing that would be required with trading partners—both providers and health plans. On the basis of this data point, as summarized in Table 6, we estimate that 23 large clearinghouse entities would incur $4.3 million in implementation costs, and that the remainder of 139 smaller clearinghouses would incur $1.8 million, for a segment total of $349 million. To reflect the uncertainty around these projections, we estimate a range of 25 percent below and above this point estimate of between $262 Start Printed Page 78464 million to $436 million in total costs. And since we assume some customers may take more time to implement the standards, we estimate clearinghouse costs would be incurred over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years, as summarized in Table 8.

We have not identified any evidence that suggests there would be savings for clearinghouses as the result of the changes in this proposed rule and have not estimated any benefits for this segment.

9. Private Health Plans and Issuers

Based on our informal web searches in May 2021, for plan websites that include EDI instructions for providers on submitting X12N 275 and X12N 278 transactions, and the general absence of comments describing significant implementation burden in testimony submitted to the 2016 NCVHS Hearing, we believe health plans (or their clearinghouses) have generally already implemented the technology for these proposed changes. We believe health plans (or their clearinghouses) have already implemented both the X12N transactions and have processes for collecting at least unstructured medical record data currently used for auditing, risk coding validation, and other quality and utilization management processes. CAQH reports that 22 percent of medical and 16 percent of dental attachment exchanges were occurring electronically in 2020. In addition, we are aware that all health plans routinely collect medical record documentation from providers in a variety of ways, including through web portals and direct access to EHRs.^[46] These facts suggest to us that health plans have either already automated these processes or have workarounds to manage the receipt of this information. Thus, we believe the additional effort associated with implementing our proposals may be limited to mapping existing backend processes to the new transaction processing front-end systems. Alternatively, the smaller the health plan, the more likely that entity may rely upon a clearinghouse for administrative and clinical data exchange and the more likely the status quo would continue.

In testimony to the 2016 NCVHS Hearing, WEDI noted that the functionality that would be new to payers in implementing the attachment standards would be the HL7 CDA, LOINC codes, and other transport models requiring different skill sets than EDI. Although payers routinely collect medical record documentation today, this does not necessarily mean that the ingestion, interpretation, and integration of clinical data is fully automated. However, we do not see evidence in testimony or public comments that plans anticipate a significant implementation effort related to additional technology development to handle the HL7 CDA and LOINC codes required by federal adoption of attachment standards. It is possible, given payer involvement with the rapid evolution of clinical data exchange standards, that health plans may not be incentivized to significantly enhance their current state of C-CDA handling, and may instead continue to rely on current state processes, including the use of clearinghouses for intermediation where necessary.^[47] For these reasons, we do not believe health plans would bear as significant a level of investment for system development for these proposals as they did for the requirements of the Modifications final rule. However, they would likely incur implementation costs for trading partner testing if they exchange these transactions directly with providers in lieu of via clearinghouses.

In light of these considerations, we assume that the costs of implementation for health plans may be somewhat analogous to those for clearinghouses, but generally with fewer connections to test, since many transactions would be expected to continue to be exchanged through existing clearinghouse connections. Therefore, as summarized in Table 7, we estimate that private health plans would incur 50 percent of clearinghouse costs, and we increase that estimated range of $262 million to $436 million to reflect 4.8 times as many health plan entities (772/162 = 4.8). Thus, we estimate private health plans would incur implementation costs, driven mostly by trading partner testing, of $838 million (349 × 0.50 × 4.8). To reflect the uncertainty around these projections, we estimate a range of 25 percent below and above this point estimate of between $629 million to $1,048 million.

Given that we assume some portion of providers and their vendors may take longer to move from manual to fully automated transactions, we assume health plan testing costs would extend beyond the 2-year implementation period. So, for purposes of this analysis, we estimate that private health plans would incur costs over a 4-year period at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years.

In estimating the benefits of the proposed rule for private health plans, we again referred to the estimates of savings reported by CAQH, but this time to those reported for plans. CAQH estimated the 2020 national annual plan savings opportunities for attachments and prior authorizations at $49 million and $95 million, respectively, for a total of $144 million annually. To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate between $108 million to $144 million in annual savings. We further assume plans would realize the benefits in labor savings over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date, as summarized in Table 9.

10. Government Health Plans

Similar to private health plans, we believe Medicare, Medicaid, and the Veteran's Administration systems have largely implemented the ability to receive and manage these transactions through their HIT processing vendors and contracted managed care plans, especially with respect to claims attachments, and would incur costs in rough magnitude to the impacts estimated in the Modifications final rule for testing and training. We assume these costs would again largely be borne by the contracted vendors under existing contractual terms and agreements. Accordingly, to calculate government health plan costs, we used the same range of costs estimated in the Modifications final rule of $384 million to $734 million (74 FR 3318), adjusted for inflation. As we do with providers and private health plans, we further assume that costs would be incurred over a 4-year period. As summarized in Table 8, we estimate costs would be incurred at the rate of 50 percent in the first implementation year, 30 percent in the second implementation year, and 10 percent each in the third and fourth years.

To calculate government health plan benefits, we started with the point estimate of $238 million savings due to the use of better standards in the Modifications final rule (74 FR 3318). To reflect the uncertainty around the ultimate level of uptake of these standards, we estimate a range of 25 percent below this point estimate or between $179 million to $238 million in annual savings. As with other industry segments, and as summarized in Table 9, we further assume government health plans would realize the benefits in these savings over a 3-year period at the rate of 50 percent in the first operational year, 75 percent in the second operational year, and 100 percent in and after the third year after the compliance date.

11. Pharmacies

We believe pharmacies would generally not be impacted by the changes in this proposed rule. Comments from NCPDP submitted to the 2016 NCVHS Hearing indicated: that pharmacies use the X12N 837 to bill medications and supplies covered under the Medicare Part B program and for professional pharmacy services covered under a medical plan; the type of claims submitted by pharmacy providers using the X12N 837 rarely requires an attachment; the electronic prior authorization (ePA) transactions approved as part of the NCPDP SCRIPT standard in 2013 address the documentation needs around prior authorization attachments; and that while the ePA transactions do accommodate attachments, NCPDP was not aware of any organization using a HL7 C-CDA attachment for pharmacy prior authorizations. In addition, contextual comments submitted by NCPDP to the NCVHS in 2020 in response to a Request for Comments on CAQH CORE Operating Rules ^[48] indicated there is very little use in the pharmacy industry of the X12N 278 transaction. As a result, we assume pharmacies would be affected by these proposals only rarely to support the billing of retail pharmacy supplies and professional services claims. Based on an NCPDP whitepaper, we further understand that a pharmacy needing to send attachment information to support an X12N 837 claim would generally be expected to employ existing batch processes to send attachment information to the same clearinghouse that converts their NCPDP billing transactions to X12 837 Professional Claims for formatting and transmittal in the X12N 275.^[49] Therefore, we assume the proposed changes to information exchanges between clearinghouses and health plans would continue to be managed by clearinghouses that serve this particular market. As a result, we conclude that pharmacies would generally not be affected by this proposed rule, and we estimate no costs and benefits for this segment.

12. Summary of Costs and Benefits for This Proposed Rule

Tables 8 and 9 are the compilation of the estimated costs and benefits for all of the standards proposed in this proposed rule.

E. Regulatory Review Costs Estimate

One of the costs of compliance with a proposed rule is the necessity for affected entities to review the rule in order to understand what it requires and what changes the entity would have to make to come into compliance. We assume that 323,766 affected entities (listed in Table 2) would incur some of these costs, as they are the entities that would have to implement the proposed changes. The particular staff involved in such a review would vary from entity to entity, but would generally consist of lawyers responsible for compliance activities (at all 323,766 entities) and individuals familiar with the technical X12N and HL7 standards at the level of a computer and information systems manager at private and government health plans, clearinghouses, and PMS and EHR vendors (a total of 1,937 entities). Using the Occupational Employment and Wages for May 2020 from the Bureau of Labor Statistics for lawyers (Code 23-1011) and computer and information system managers (Code 11-3021), we estimate that the national average labor costs of reviewing this rule are $100 and $109 per hour, respectively, including overhead and fringe benefits. We estimate that it would take approximately 2 hours for each staff person involved to review this proposed rule and its relevant sections and that, on average, one lawyer and two computer and information manager-level staff persons would engage in this review. For each entity that reviews the rule, the estimated costs are therefore $200 for lawyers, or $64.8 million (2 hours each × 1 staff × $100 × 323,766) for all affected entities. For each plan, clearinghouse, and PMS or EHR vendor, the estimated costs are therefore $436 for information system managers, or $0.8 million (2 hours each × 2 staff × $109 × 1,937) in total. Therefore, we estimate that the total cost of reviewing this rule is $65.6 million ($64.8 + 0.8 million).

F. Accounting Statement

Whenever a rule is considered a significant rule under Executive Order 12866, we are required to develop an Accounting Statement. This statement must state that we have prepared an accounting statement showing the classification of the expenditures associated with the provisions of this proposed rule. Monetary annualized benefits and non-budgetary costs are presented using 3 percent and 7 percent discount rates. Start Printed Page 78467

VI. Response to Comments

Because of the large number of public comments, we normally receive on Federal Register documents, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the DATES section of this preamble, and, when we proceed with a subsequent document, we will respond to the comments in the preamble to that document.

List of Subjects

45 CFR Part 160

• Administrative practice and procedure
• Computer technology
• Health care
• Health facilities
• Health insurance
• Health records
• Hospitals
• Medicaid
• Medicare
• Penalties
• Reporting and recordkeeping requirements

45 CFR Part 162

• Administrative practice and procedures, electronic transactions, health facilities, health insurance, hospitals, incorporation by reference
• Medicaid
• Medicare
• Reporting and recordkeeping requirements

For the reasons set forth in this preamble, the Department of Health and Human Services proposed to amend 45 CFR subchapter C to read as follows:

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

1. The authority citation for part 160 continues to read as follows:

Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-8, sec. 264 of Pub. L. 104 191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)), 5 U.S.C. 552; secs. 13400 and 13424, Pub. L. 111-5, 123 Stat. 258-279, and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.

2. In § 160.103, paragraph (10) of the definition of “Transaction” is amended by removing the word “claims” and adding in its place the word “care”.

PART 162—ADMINISTRATIVE REQUIREMENTS

3. The authority citation for part 162 continues to read as follows:

Authority: 42 U.S.C. 1320d—1320d-9 and secs. 1104 and 10109 of Pub. L. 111-148, 124 Stat. 146-154 and 915-917.

4. Section 162.103 is amended by adding the definitions of “Attachment information” and “Electronic signature” to read as follows:

5. Section 162.920 is amended by:

a. Revising the introductory text and paragraph (a) introductory text; and

b. Adding paragraphs (a)(19) through (22) and (e).

The revisions and additions read as follows:

6. Section 162.1302 is amended—

a. In paragraph (c), by removing the phrase “standards identified in paragraph (b)(2)” and adding in its place the phrase “standard identified in paragraph (b)(2)(i)”; and

b. By adding paragraph (e).

The addition reads as follows:

7. Add subpart T, consisting of §§ 162.2001 and 162.2002 to read as follows:

Subpart T—Health Care Attachments

Footnotes