On December 21, 2022, the Centers for Medicare & Medicaid Services (CMS) issued a proposed rule that would adopt standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for “health care attachments” transactions, which would: (1) support health care claims adjudication and prior authorization transactions; (2) adopt standards for electronic signatures to be used in conjunction with health care attachments transactions; and (3) adopt a modification to the standard for the referral certification and authorization transaction. This builds on the HIPAA Transactions Rule standards for financial and administrative transactions among health care providers and health plans and aligns with Department of Health and Human Services (HHS) interoperability regulations. Comments on the proposed rule are due March 21, 2023.
Background and Context
To enable health information to be exchanged more efficiently and to achieve greater uniformity in the transmission of health information, the CMS proposed rule would implement requirements of the Administrative Simplification subtitle of HIPAA and the Affordable Care Act to adopt transaction standards for electronic health care attachments and electronic signatures, building on the HIPAA Transactions Rule adopted at 45 C.F.R. Part 162. There are already adopted transactions requirements for health care claims and referral and certification transactions; however, at this time, there are no adopted HIPAA standards, implementation guides, or operating rules for health care attachments or electronic signatures. This proposed rule would establish electronic standards for ‘‘health care attachments’’ transactions, which would support health care claims and prior authorization transactions, and would establish a standard for electronic signatures to be used in conjunction with health care attachments transactions. This rule also proposes modifying the referral certification and authorization transaction standard to move to a new version of the current standard.
In making medical necessity determinations as part of coverage decisions, health plans often require additional information that cannot adequately be conveyed in the adopted prior authorization request or health care claims transaction. This proposed rule would support electronic transmissions of this type of information, with the goal of facilitating prior authorization decisions and claims processing, reduce burden on providers and plans, and result in more timely delivery of patient health care services.
In September 2005, CMS issued a proposed rule to adopt certain standards with respect to health care attachments. Rather than a standard with generalized applicability, CMS proposed to adopt health care claims attachment standards with respect to specific service areas that included ambulance services, clinical reports, emergency department, laboratory results, medications, and rehabilitation services. CMS did not finalize the rule due to comments received related to the standards’ lack of technical maturity and stakeholders’ lack of readiness to implement electronic capture of clinical data. Standards for electronic signatures were also proposed in an August 1998 proposed rule, but were not adopted because stakeholder feedback indicated that electronic signature technology was not yet mature. This proposed rule was issued before the Health Information Technology for Economic and Clinical Health (HITECH) Act incentives to adopt electronic health records, and therefore, before many health care providers had clinical data in electronic form.
1. Adoption of Standards for Health Care Attachments Transactions
Scope of Health Care Transaction Standard
To define the scope of when the health care attachment standard would be used, CMS defines “attachment information” as documentation transmitted by a health care provider or requested by a health plan in order to make a decision about health care that is not included in either the claim or encounter information or the referral certification and authorization transaction. Use of the word ‘‘documentation’’ is intended to be broad to indicate the wide scope of information that may be included.
The proposed rule defines a health care attachment transaction as the transmission of any of the following:
- Attachment information from a health care provider to a health plan in support of a referral certification and authorization transaction;
- Attachment information from a health care provider to a health plan in support of a health care claims or equivalent encounter transaction; or
- A request from a health plan to a health care provider for attachment information.
CMS clarifies that it is not proposing to adopt attachments standards for all health care transaction business needs and believes covered entities should gain experience with a limited number of standard electronic attachment types so that technical and business issues can be identified to inform potential future rulemaking for other electronic attachments standards.
Code Set, Implementation Specifications, and Standards
CMS proposes new requirements for a code set to be used for health care attachments transactions in addition to Accredited Standards Committee X12 (X12) standards for requesting and transmitting attachment information and Health Level Seven (HL7) standards for clinical information content, which are outlined below.
Code Set (LOINC for HIPAA Attachments): Logical Observation Identifiers Names and Codes (LOINC) is the code system, terminology, and vocabulary for identifying individual clinical results and other clinical information. CMS proposes numerous implementation specifications containing specific instructions for how to utilize LOINC for HIPAA Attachments to identify the specific kind of information that a health plan electronically requests of a health care provider and a health care provider electronically transmits to a health plan; to specify certain optional modifier variables for attachment information (e.g., a time period for which the attachment information is requested); and for structured attachment information, to identify specific HL7 Implementation Guide: LOINC Document Ontology document templates. Where an implementation specification requires the use of LOINC, it instructs users to utilize the codes valid at the time a transaction is initiated.
Standards and Implementation Specifications: CMS proposes adopting the following three X12N Technical Report Type 3 (TR3) implementation specifications for requesting and transmitting attachment information, and three HL7 implementation guides for the clinical information embedded in those transactions. CMS explains that the proposed attachments standards would satisfy the requirements to adopt a standard to support health care claims and support prior authorization transactions.
CMS proposes adopting the following HL7 implementation guides and X12 standards for health care attachments transactions:
- HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 1, March 2017
- HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 1 — Introductory Material, June 2019 with Errata
- HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 2 — Templates and Supporting Material, June 2019 with Errata
- X12N 275 – Additional Information to Support a Health Care Claim or Encounter (006020X314): the standard a provider must use to electronically transmit attachment information to a health plan to support a health care claims or equivalent encounter information transaction
- X12N 275 – Additional Information to Support a Health Care Services Review (006020X316): the standard a provider must use to electronically transmit attachment information to a health plan to support a prior authorization request
- X12N 277 – Health Care Claim Request for Additional Information (006020X313): the standard a health plan must use to electronically request attachment information from a health care provider to support a health care claim
2. Adoption of Standards for Electronic Signatures
This rule proposes a standard for electronic signatures to be used in conjunction with health care attachments transactions. Section 1173(e)(1) of the Social Security Act requires the HHS Secretary, in coordination with the Secretary of Commerce, to adopt standards specifying procedures for the electronic transmission and authentication of signatures for HIPAA transactions. The August 1998 proposed rule, which was never finalized, did not propose a standard but rather enumerated the following three implementation features: user authentication, message integrity, and non-repudiation. In the September 2005 proposed rule, CMS recognized that an electronic signature consensus standard still did not exist and sought industry input on how signatures should be handled when an attachment is requested and transmitted electronically.
Definition of Electronic Signature: CMS proposes defining the term “electronic signature” as an electronic sound, symbol, or process, attached to or logically associated with attachment information and executed by a person with the intent to sign the attachment information. CMS states that it intends to define the term as broadly as possible to ensure that it meets health care providers’ and health plans’ needs now and can also encompass future electronic signature technologies. CMS clarifies that the electronic signature standard would pertain only to electronic signatures for attachment information transmitted by a health care provider in an electronic health care attachments transaction.
Electronic Signature Standard: In this proposed rule, CMS has decided not to propose a standard for electronic signature or requirements on when to require electronic signature. Instead, it states that it defers to the industry to continue to establish those expectations and requests feedback from industry on these issues. While CMS is not proposing to specify when an electronic signature must be required, it is proposing that, where a health care provider uses an electronic signature in a health care attachments transaction, the signature must conform to the implementation specifications in the HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 (hereafter Digital Signatures Guide). CMS states that the Digital Signatures Guide promotes the aforementioned three features by utilizing digital signature technology to implement identity management using digital certificates, encryption requirements to support message integrity, and multiple signed elements to support nonrepudiation.
3. Modification to Referral Certification and Authorization Transaction Standard
This proposed rule would modify previously adopted HIPAA standards for referral certification and authorization transactions. The referral certification and authorization transaction includes the following transmissions:
(a) A request from a health care provider to a health plan for the review of health care to obtain an authorization for the health care.
(b) A request from a health care provider to a health plan to obtain authorization for referring an individual to another health care provider.
(c) A response from a health plan to a health care provider to a request described in paragraph (a) or paragraph (b).
In this rule, CMS proposes adopting Version 6020 of the X12N 278 for referral certification and authorization transactions standard to replace Version 5010 of the X12N 278. CMS notes that Version 6020 of the X12N 278 provides significant technical improvements and structural changes over Version 5010, including better supporting referral certification and authorization transactions for dental services and revising and expanding the drug authorization segment.
We note that this modification follows a recently proposed rule in November 2022 that would modify the referral certification and authorization transaction standard. Those proposed modifications addressed retail pharmacy drugs and dental, professional, and institutional request for review and response. As previously discussed, this November proposed rule also adopts other standards, including the NCPDP Batch Standard Subrogation Implementation Guide Version 10 (to replace Version 3.0).
CMS proposes that the compliance date for adopting the new standards would be 24 months after the effective date of the final rule, which is 60 days after the final rule is published in the Federal Register, for all covered entities.
This proposed rule is part of a growing focus by HHS on interoperability, including electronic access to clinical data and rules on prior authorization. As we have previously discussed, CMS has recently proposed rules on interoperability and prior authorization, which are also open for comment. The Office of the National Coordinator for Health Information Technology (ONC) has also previously published a request for information, which covered standards for electronic prior authorization, among other things.
We recommend assessing how your organization would be impacted by the proposed rule, if finalized, and consider commenting on the applicability and standards.