(10/13/98) - Letter of Comment to HCFA regarding Security NPRM
October 13, 1998
Health Care Financing Administration
U.S. Department of Health and Human Services
Attention: HCFA-0049-P
P.O. Box 26585
Baltimore, MD 21207-0519
RE: HCFA-0049-P
Dear Sirs:
The following represent the comments of the Workgroup on Electronic Data
Interchange (WEDI) on the proposed rule regarding the adoption of Standards for Security and Electronic Signature which are mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This proposed rule is referred to in the Federal Register as HCFA-0049-P.
Following its publication in the Federal Register, the proposed rule was posted to the WEDI web site, along with a document generated by WEDI's Transaction Policy Advisory Group (PAG) which specifically highlighted the issues which the PAG felt it should carefully examine and comment upon. Then, WEDI hosted a two day session in Washington, D.C. on September 21 and 22, 1998, during which the Transaction PAG and other industry representatives reviewed both the rule in general and the specific areas within the rule on which comments were directly solicited. The session was open to both WEDI members and non-members and was well attended by representatives of the payer, provider and vendor communities.
The results of that session were a series of recommended comments to the proposed rule that were presented to WEDI's Board of Directors. On October 2, 1998 the Board met to review each such recommendation. The following comments, which represent the board's majority view but not necessarily its unanimous agreement, represent the organization's official positions on these issues. We believe that our comments represent the views of the broadest coalition in the health care industry, and we hope that they can contribute significantly to the timely preparation of the final rule on Standards for Security and Electronic Signature.
First, WEDI wishes to record its support for the establishment of security standards that will assist our industry and endorses the application of these security standards in health care electronic commerce. Notwithstanding our overall support for such standards, WEDI has a number of comments about specific issues addressed in the proposed rule. For ease of reference, each comment is identified as to the page number in the Federal Register and the issue to which it pertains.
Page 43242 (Summary)
The Summary indicates: "The electronic signature standard is applicable only with respect to use with the specific transactions defined in the HIPAA, and when it has been determined that an electronic signature must be used."
WEDI notes that an electronic signature standard should be applied every time there is a need for an electronic signature in healthcare. Whenever a written signature is required, an electronic signature should be acceptable.
Page 43242 (Background)
The proposed rule states that "security of health information is especially important when health information can be directly linked to an individual." Once the identifiers are removed, some health information could be re-identified based on date of birth, sex and zip code.
WEDI believes that re-identification of de-identified health care data should be explicitly disallowed.
Page 43243 (Background)
The proposed rule states that "the security standard to be adopted under Part C is not restricted to the transactions referred to in section 1173(a)(1) of the Act, but is applicable to any health information pertaining to an individual that is electronically maintained or transmitted." In the rules part of the NPRM, in §142.102 and §142.302, it contradicts this, and says that it is only applicable to providers that choose to use EDI with the standard transactions.
WEDI believes that DHHS should clarify the wording in the Rules to reflect the fact that individually identifiable health care information which is electronically maintained by a party subject to the security standards under Section 1172(a) of the statute is protected even when not sent as part of one of the standard transactions referred to in Section 1173(a).
Page 43243 (Background)
The proposed rule states that "compliance with electronic signature standards will be deemed to satisfy both State and Federal requirements for written signatures with respect to the transactions listed in paragraph (a) of section 1173 of the Act." The problem is that if this electronic signature standard only applies to the standard transactions and not to other situations in healthcare (e.g., prescriptions, electronic medical record) we could end up with multiple electronic signature standards instead of just one. For example, Utah's Digital Signature Act, as well as Washington State and Minnesota laws, apply to all commerce, not only healthcare.
WEDI recommends that the Electronic Signature Standard should satisfy both State and Federal requirements for written signatures with respect to the HIPAA transactions when electronic signatures are required.
Page 43245 (Introduction/Applicability)
The proposed rule states that "the proposed security standard does not require the use of an electronic signature, but specifies the standard for an electronic signature that must be followed if such a signature is used. If an entity elects to use an electronic signature, it must comply with the electronic signature standard." Currently, claims have a provider signature indicator as a low security signature. Prescriptions use different mechanisms to indicate the provider's signature. The NPRM implies that these low security systems must be replaced.
As noted earlier, WEDI believes that an electronic signature standard should be applied whenever there is a need for an electronic signature. However, WEDI believes signature indicators that do not use the standard should be allowed when there is no legal requirement for a written signature.
Page 43245 (Introduction/Applicability)
The proposed rule states that "as a further requirement, we would provide that a health plan that conducts transactions through an agent assure that the agent meets all of the requirements of part 142 that apply to the health plan."
WEDI believes the introduction of the word "agent" needs further clarification in the final rule.
Page 43245 (Introduction/Applicability)
In multiple places the NPRM refers to the fact of storing, maintaining, or transmitting electronic health information pertaining to an individual, as being subject to the security requirement, regardless of the standard HIPAA transactions.
WEDI agrees with the principle of applying the security standard to all individually identifiable electronic health information.
Page 43246 (Introduction/Applicability)
The proposed rule notes that "the regulation proposes that whenever an electronic signature is required for an electronic transaction by law, regulation, or contract, the signature must meet the standard established in the regulation at §142.310. Use of this standard would satisfy any Federal or State requirement for signature, either electronic or on paper." It is important that we have only one standard for electronic signature without deviations from state to state. As previously mentioned, states that have passed a Digital Signature Act (e.g. Utah, Washington, etc.) may object to this.
WEDI recommends that the final rule be more specific with respect to the establishment of a standard and, to the extent possible, that a more specific standard:
1) incorporate health care industry input;
2) conform to existing/emerging state and federal standards; and
3) permit the desired level of interoperability.
WEDI notes that the NPRM's description of an electronic signature standard is not sufficiently detailed to permit a health care organization to implement an electronic signature that can and will be consistently accepted by all of its trading partners.
WEDI further notes that a number of states have adopted specific electronic signature standards, thus making transaction exchange ("interoperability") potentially even more difficult.
Page 43246 (Introduction/Applicability)
The proposed rule states that security protection must be HIPAA compliant. Encryption is only one of the tools that may or may not be applicable to a specific case. Only when the data move over an external open network must encryption be used.
WEDI recommends that the proposed rule make explicit that open Internet usage requires encryption. WEDI further recommends as a goal that encryption be used for all networks with non-organizational controlled connections, and especially for network communications between separate corporate boundaries.
Page 43246 (Introduction/Applicability)
Currently none of the HIPAA standard transactions that have been published require the use of an electronic signature. Certain claims attachments could require an electronic signature.
WEDI believes that if the attachment per se requires a written signature, then an electronic signature should be acceptable.
Page 43246 (Introduction/Applicability)
A later phase of HIPAA requires the adoption of uniform data standards for patient medical record information and the electronic exchange of such information.
WEDI believes that the same electronic signature standard should be applicable to the administrative transactions and to the medical record.
Page 43249 (Effective dates)
WEDI supports the implementation dates for health plans (large - 24 months, small - 36 months), providers/clearinghouses (24 months), and trading partner agreements (large plans - 24 months, small plans - 36 months).
Page 43249 (Security Standard - General)
The proposed rule solicits comments as to whether small or rural health care providers need to be defined.
WEDI does not believe these terms need to be defined. However, WEDI believes that security standards should be risk-appropriate and scalable so as not to impose any unnecessary burden on small and rural providers.
Page 43250 (Security Standard - General)
The proposed rule states that "we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements." WEDI agrees that the entities affected should be free to assess their own security needs and to take appropriate steps to implement necessary safeguards. This should be a driving principle, and at no point should the Department require an external audit of the affected entity, unless the Department is willing to pay for the cost of such external audit.
Page 43251 (Security Standard - General)
DHHS solicits comments as to whether the matrix should be included in the final rule.
WEDI believes that Addendum 1 (Matrix) should be part of the final rule. Horizontal lines should be added to the matrix to make it easier to read. Addendum 2 (Glossary) also should be part of the final rule.
WEDI believes that Addendum 3 (Mapping), however, should not be included in the final rule.
WEDI suggests that an indication should be added in the final rule that an Addendum 3 exists in the NPRM with some standards that have been reviewed.
Page 43251 (Security Standard - General)
DHHS solicits comments as to whether the level of detail in the matrix goes beyond what is necessary or appropriate.
WEDI believes that the level of detail in the matrix does not go beyond what is necessary or appropriate.
Page 43251 (Administrative Procedures)
The proposed rule suggests that internal or external evaluation would be required to certify security compliance. To the extent that evaluation is from external sources, comments are solicited regarding appropriate mechanisms.
WEDI believes there are not yet nationally available accreditation mechanisms. WEDI expects and encourages the industry to provide mechanisms, like the standards themselves, that are appropriate to the specific entity. External assessment of compliance should not be mandated.
Page 43251 (Delegation of responsibility)
Regarding delegation of responsibility, should the responsibility be assigned to one individual or more than one or both? It does not matter, as long as it is documented. It depends on your risk assessment. The NPRM language should clarify that there could be multiple individuals so long as their responsibility is clearly defined.
WEDI notes that the security organization may be a committee of individuals.
Page 43251 (Administrative Procedures)
The proposed rule asks if the Department should encourage and/or mandate independent verification of compliance with the standard or if this should be left to the affected entity.
WEDI agrees that the Department should not mandate independent verification. WEDI also asks the Department to clarify the difference between "verification" and "certification."
Page 43251 (Administrative Procedures)
The proposed rule solicits comments as to whether certification of off the shelf products should be required.
WEDI believes that compliance certification for off the shelf products should not be required.
Page 43252 (Administrative Procedures)
The NPRM solicits comments regarding the extent to which obtaining external certification would create an undue burden on small and rural providers.
WEDI believes that small and rural providers may find external certification that is appropriate to their size.
Page 43252 (Administrative Procedures)
The proposed rule states: "If data are processed through a third party, the parties would be required to enter into a chain of trust partner agreement." This is a very specific requirement of language in contracts, but the NPRM does not give examples. Do current contracts have to be modified before expiration? Is it enough to require the other party to comply with the HIPAA requirements, rather than to comply with specific requirements and to maintain the same security level?
WEDI requests that DHHS clarify this requirement. WEDI further recommends that in Section 142.106, page 43265-1, the word "assure" be changed to "impose a contractual obligation," the content of which should be determined by the parties entering into the contract.
Page 43252 (Administrative Procedures)
The proposed rule states that these agreements are important "so that the same level of security will be maintained at all links in the chain when information moves from one organization to another."
WEDI believes that entities only need to ensure that their partners comply with the security standard. Imposing the same level of security to all partners would not be appropriate. A small provider should not have to step up the security to clearinghouse level when entering into a clearinghouse agreement.
WEDI recommends that the words "same level of" be removed from the above sentence.
Page 43252 (Administrative Procedures)
The proposed rule refers to security clearances. The NPRM does not state how these clearances are processed or who gives these clearances.
WEDI believes the proper word should be "authorization" as opposed to "clearance" in the fourth bullet. Also, the phrase "after receiving appropriate clearance" should be removed from the sentence.
Page 43252 (Administrative Procedures)
The proposed rule discusses the technical feasibility of supervising maintenance procedures performed at a distance via modem. It is routine practice for most practice management vendors to perform routine maintenance and small repairs over the phone without dispatching a technician on site. It is impractical, and may not be possible, to supervise these procedures from the provider's system. On the other hand, having to dispatch a technician on site for every service call will cause costs to increase dramatically.
WEDI recommends that the last bullet requirement be changed to: "Assure that technical systems maintenance personnel are persons authorized and generally knowledgeable in the requirements of this standard."
Page 43252 (Administrative Procedures)
The proposed rule states: "Termination procedures would include the following mandatory implementation features:
- Changing combination locks.
- Removal from access lists.
- Removal of use account(s).
- Turn in of keys, tokens, or cards that allow access."
WEDI believes that many of these should not be mandatory features. What if there are no combination locks? What if user accounts are not removed (e.g., to maintain historical integrity) but are inactivated instead?
WEDI recommends the sentence read: "Termination procedures would include the following implementation features as appropriate."
Page 43253 (Secure Workstations)
The proposed rule states: "Each organization would be required to put into place physical safeguards to eliminate or minimize the possibility of unauthorized access to information." Later in the rule (Section 142.308(b)(5)) it specifies locating a terminal in a locked room with restricted access.
WEDI believes this may not be very practical. WEDI believes that physical safeguards should be determined based on the risk analysis. While WEDI endorses the concept of security, there are different ways of precluding casual access. For example, non-physical safeguards such as screen savers, keyboard lock programs, and time-outs may be more appropriate in certain circumstances in lieu of locking a computer in a separate room.
Page 43254 (Technical Security Services)
The proposed rule states that there would be a requirement to put in place a mechanism for obtaining consent for the use and disclosure of health information.
This section only discusses the security mechanism to reflect the consent, not the process to obtain consent or the contents of the consent itself. WEDI requests a clarification of this paragraph to indicate that in this provision the word "consent" refers to the authorization given by the entity's security officer, not by the patient.
Page 43254 (Technical Security Services)
The proposed rule states that data authentication must be accomplished not only when the data are being transmitted, but also when the data are resident inside a computer system.
While WEDI agrees that data authentication is an important element of security, we believe that the requirement that each organization provide corroboration that data in its possession has not been altered or destroyed in an unauthorized manner may not be appropriate for certain legacy systems.
Page 43254 (Technical Security Services)
The proposed rule states that older technologies such as telephony, voice mail, and faxback are not considered electronic transmissions under HIPAA.
WEDI believes there is an adverse impact on the security of individually identifiable health information when transmissions via AVR/IVR and faxback are not included in the standard. Therefore we recommend striking the sentence from the NPRM which excludes them.
Page 43255 (Technical Security Services)
The proposed rule states that "these controls would be important because of the potential for compromise of information over open systems such as the Internet or dial in lines." The proposed rule seems to indicate that dial-in lines are as insecure as the Internet. If dial-in lines were classified in the same open-network category as the Internet, then the use of EDI in healthcare would collapse until encryption technology is widely deployed.
WEDI recommends that the above sentence be re-written to read: "These controls would be important because of the potential for compromise of information over open systems such as the Internet."
Page 43255 (Technical Security Services)
The proposed rule states that records are kept of everyone who is permitted to use the PC and what files they may access. Given the thousands of files that exist in today's computers, of which the user has no knowledge (e.g., DLL, configuration files, registry, etc.), it is probably unrealistic to expect the keeping of these records.
WEDI believes that keeping records of the files accessible to each user is too burdensome and ineffective. These records could be kept at a more functional level by specifying the kind of information that may be accessed.
Page 43256 (Technical Security Services)
The proposed rule states: "Physical Access controls would be straightforward for this small rural office, using locked rooms and/or closets to secure equipment and media from unauthorized access." It is probably not practical for the small provider to only access the computer inside a locked room. It seems more reasonable that the computer be locked up when not in use.
WEDI recommends small offices with limited staff and constant supervision should not be required to operate the computer in a locked facility. Again, while WEDI endorses the concept of security, there are different ways of precluding casual access. For example, non-physical safeguards such as screen savers, keyboard lock programs, and time-outs may be more appropriate in certain circumstances in lieu of locking a computer in a separate room.
Page 43257 (Electronic Signature Standard)
The proposed rule states that if electronic signatures are to be employed, digital signatures must be used.
WEDI agrees that the standard for electronic signature should be a digital signature.
Page 43257 (Electronic Signature Standard)
The proposed rule asks if the matrix should be part of the final rule.
WEDI believes that this matrix should be included in the final rule.
Page 43258 (Rules for Standards)
The proposed rule states: "Federal agencies and states may place additional requirements on their health plans." Allowing states to put additional security and electronic signature requirements on the health plans would make implementation very difficult. Strong state preemption is required; otherwise we will end up with 50 different versions of the security and signature standards.
In order to minimize confusion on the part of those implementing the electronic signature standard, WEDI recommends that the Department publish any additional requirements from the states (such as Certification Authority requirements) known to the Department as of the date of publication of the Final Rules.
Page 43258 (Rules for Standards)
In (H)(2)(b) and (H)(3)(b) it refers to a health plan making the election to use the electronic signature. It should reflect clearinghouses and providers making this election, instead of a health plan. Health plans are discussed in (H)(1)(b).
WEDI recommends that the text in (H)(2)(b) and (H)(3)(b) be corrected in the final rule.
Page 43258 (Effective Dates)
The proposed rule solicits comments as to whether health plans should be required to implement electronic security standards when converting from paper to standard EDI transactions prior to the effective date of the security standard regulation.
WEDI agrees with the NPRM to recommend but not require health plans to implement security standards when converting from paper to standard EDI transactions prior to the effective date of the security standard regulation.
Page 43258 (Effective Dates)
The NPRM recommends that if Security standards are adopted before transaction standards, the industry should implement them independently.
WEDI agrees that implementation of the security, electronic signature, and each of the transaction standards should be independent from each other.
Page 43259 (Effective Dates)
The proposed rule solicits comments regarding monitoring and enforcement procedures between DHHS and the private sector.
WEDI is concerned about the Department's ability to fairly and consistently apply the rules for enforcement due to the Department's budget constraints. DHHS should work with industry in establishing enforcement procedures that can be uniformly and equitably applied.
Page 43259 (New and Revised Standards)
The proposed rule solicits comments regarding new and revised standards.
The proposed rule describes processes by which waivers to standards might be granted. WEDI believes that the term "exemption" is preferable to "waiver" since it makes clear that standards should generally not be waived.
In addition, WEDI proposes the following changes in language to the criteria list found on page 43259:
1. In the first item marked with a "+", replace "would be a clear improvement" with "is believed to be a clear improvement."
2. Add a bullet stating "Approval by the committee to pilot test."
3. Under the second bullet ("The committee's evaluation ... based on the following:"), the following item (+) should be added: "+ Successful pilot."
WEDI further recommends that the process not be unduly restrictive, and the cost benefit analysis should apply to the report developed after the pilot study and not the application phase of the temporary waiver/exemption.
Page 43262 (Impact Analysis)
The first sentence of the second column seems to indicate that complexity would be affected by the choice to use or not use a clearinghouse.
WEDI agrees with the content of this paragraph as it generally applies to HIPAA implementation. However, the implementation of security standards, except for electronic signatures, would not be significantly affected by the choice to use a clearinghouse.
Page 43263 (Paperwork Reduction Act)
HHS solicits comments as to whether an electronic signature standard should be subject to the Paperwork Reduction Act.
WEDI believes that the regulations regarding electronic signatures should not be affected by the Paperwork Reduction Act, as there is no mandate to use electronic signatures.
Pages 43266-43268 (Security Standard)
The proposed rule identifies a series of requirements and implementation features that would constitute appropriate security measures. Our concern is that the implementation features listed may not always be appropriate to a specific system's corporate and/or physical environment. Additionally, their inclusion in final regulations may tend to cast them in concrete and make them difficult to change even as technology evolves over the next several years.
Therefore, WEDI recommends that the final rule detail ONLY the proposed "requirements" and NOT the proposed "implementation features."
In concluding our comments regarding HCFA-0049-P, WEDI wants to take this opportunity to express our gratitude to the various federal government employees and others outside of the government (including WEDI's own Policy Advisory Group members) who have worked hard to prepare comments on the proposed rule.
With their publication, our industry has taken a significant step toward the realization of the benefits of administrative simplification that then Secretary of Health and Human Services Dr. Louis Sullivan and the first members of WEDI articulated in 1991. We are now eager to take the next steps in this process. Certainly, that includes clarifying or expanding upon any of these comments during the upcoming review period and offering any other assistance that is requested and appropriate to ensure the timely preparation and publication of the final rule.
Sincerely,
Richard P. Caliri
Chairman, WEDI
cc: WEDI Board of Directors
WEDI Policy Advisory Group Co-chairs
James A. Schuping, WEDI Executive Vice President