Health IT Compliance
To assist members in their healthcare compliance planning, WEDI keeps track of important announcements and updates to healthcare regulations and posts implementation and compliance dates on our Health IT Compliance Timeline.

Health IT Compliance Guide 

There are numerous federal and state organizations involved in the governing framework for Health IT in the United States. This document is meant to provide a high-level overview of the key organizations involved and a general sense of how the system works. Note that this process is not linear and that the code sets, regulations, standards, operating rules, etc. are updated routinely.

Code Sets

Code sets can best be thought of as a common set of terms that are agreed to in the healthcare industry in order to make sure that everyone “speaks the same language”.  In Health IT, there are a number of organizations that manage various code sets as required in Health IT regulations issued by Health and Human Services.  These code sets are maintained by various organizations and are specific in function and/or category.  For example, LOINC is a code set that identifies laboratory and clinical observations, whereas CPT sets acceptable codes used to report medical procedures and services.  Below is a listing of the most common code sets and a link to their respective sites:



According to the Agency for Healthcare Research and Quality, a standard is “…a document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context” (ISO/IEC Guide 2:1996, definition 3.2).

In healthcare, mandated standards and operating rules come about through various bills that are approved by Congress and then given to Health and Human Services to develop and write regulations on. The standards that are required in the regulation become the cornerstone for how data is entered, stored and transmitted between parties in order to make the exchange of data more efficient.

The following organizations are key standards organizations in Health IT deployments:

Standards related to:

  • HL7: Clinical data
  • X12N: Financial data, HIPAA mandated transactions
  • DICOM: Images
  • NCPDP: Standards for pharmacy business functions, HIPAA mandated transactions
  • IEEE: Medical information and instruments
  • NIST: Privacy and security


Administrative vs. Clinical Standards

Standards are created both for the storage and transmission of patient data (electronic health records) and to facilitate billing and administrative processes (e.g. claims).

In the HIPAA legislation and the subsequent regulations that were issued, transaction standards were identified for various transactions (Eligibility Inquiry and Response, Claims Status Inquiry and Response, Authorizations and Referrals, Claims, Remittance Advice). ASC X12 was named as the primary organization for administrative transactions, and NCPDP was named as the organization to provide standards specific to the pharmacy industry.

Additionally, the HIPAA regulation set standards related to privacy, security and breach. 

  • “The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically”
  • “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity”
  • “Interim final breach notification regulations, issued in August 2009, implement section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”

HHS maintains a website that provides an overview of each of the rules:

Subsequent to HIPAA, the Affordable Care Act (ACA) created the Office of National Coordinator (ONC). ONC created Meaningful Use (MU) Stage 1 & 2 and defined standards for various aspects of the electronic health record. For example, the MU regulation adopted the Health Level 7 (HL7) standard HL7 Clinical Document Architecture (CDA) Release 2, the Continuity of Care Document (CCD), and the SNOMED CT, LOINC, and RxNorm code sets in order to standardize vocabularies.

Operating Rules

In the Affordable Care Act (ACA), Congress created operating rules as a way to help the healthcare industry achieve greater efficiency by creating more uniformity in the implementation of standard transactions. The Affordable Care Act defines the role of operating rules and the differences between an operating rule and a standard. In essence, an operating rule can be thought of as a business rule that helps add clarity to the exchange of healthcare information.

CAQH CORE was named in regulation as the organization responsible for operating rules related to: claim status and eligibility, electronic funds transfer and remittance advice, attachments, prior authorization and enrollment. NCPDP was named as the organization to develop operating rules for retail pharmacy-related eligibility transactions.

Legislation & Regulation

The original HIPAA legislation (1996), which also established WEDI as an advisor to the Secretary of Health and Human Services, was the genesis for the administrative transactions that we have today.  The initial bill and subsequent legislation deal not only with creating standards for transactions, but also with developing a framework for privacy, security and national identifiers.  Additional details on HIPAA regulations are available at:  Additionally, WEDI maintains a glossary of HIPAA terms that may be useful, which is available at:

The Affordable Care Act (ACA) of 2010 legislated significant changes to the American healthcare system related to delivery, affordability and quality.  Part of the law's aim is to improve the quality and efficiency of healthcare.  Full details regarding the legislation can be found at:

Regulation stemming from both the HIPAA and ACA legislation was mandated by the Secretary of Health and Human Services.

Part of the American Recovery and Reinvestment Act of 2009 (ARRA), the HITECH Act (Health Information Technology for Economic and Clinical Health Act) instructed ONC to create an incentive program for Meaningful Use and established Health IT.  Further information on the ARRA and HITECH is available at:

Advisory Organizations

Within the myriad of federal laws, a number of organizations have been identified as “advisors” to Health and Human Services to help provide industry guidance to the department in developing health IT regulation. A summary of these organizations is presented below and a more detailed explanation follows:

  • As defined in HIPAA:
    • National Council of Vital Health Statistics (NCVHS)
    • Workgroup for Electronic Data Interchange
    • Designated Standard Maintenance Organizations (DSMO)
    • American Dental Association
    • National Uniform Billing Committee
    • National Uniform Coding Committee


  • As defined in ARRA / HITECH
    • Health IT Policy Committee
    • Health IT Standards Committee

HIPAA Defined Advisory Organizations

Within the HIPAA law and the ARRA law (HITECH), advisory organizations were established as mechanisms to provide feedback to Health and Human Services on recommendations for the development and adoption of Health IT standards.

Within the HIPAA legislation, the National Council of Vital Health Statistics (NCVHS) was identified as an advisory body to the Secretary of Health and Human Services.  In addition to its role as an advisory body related to health data and statistics, its role was expanded in the 1996 HIPAA legislation to encompass health information policy.  NCVHS serves as the advisory body that provides recommendations to the Secretary of Health and Human Services for the establishment of standards related to the exchange of clinical data.

Additionally, the HIPAA legislation identified WEDI as an advisor to the Secretary of Health and Human Services.  In this role, WEDI provides industry input to the Secretary related to critical Health IT issues and standards, and the legislation also required the Secretary to consult WEDI prior to the adoption of a standard.  Other organizations, including the ADA, NUBC and NUCC, were identified as advisory organizations.

Another organization identified in the HIPAA legislation that functions similarly to an advisory organization is the Designated Standard Maintenance Organizations (DSMO).  Simply put, this organization is a collection of the standards organizations identified in the HIPAA legislation (ASC X12, DeCC, HL7, NCPDP, NUBC and NUCC). The purpose of this group is to serve as a single coordinating point for receiving and processing requests for new standards or for changes to existing standards.  More information on the DSMO can be found at:

ARRA / HITECH Defined Advisory Organizations

In the ARRA (HITECH Act), it was deemed that the Secretary, acting through the National Coordinator for Health Information Technology, will develop national standards for the management of data collected, and develop interoperability and security systems for data management.  The HITECH law required the creation of the Health Information Technology Policy Committee (HITPC) to make recommendations on the policies needed to enable the electronic exchange and use of health information, and the Health Information Technology Standards Committee (HITSC) to deliberate on the technical HIT standards required for electronic exchange. The HITSC serves as the advisory body that provides recommendations to the National Coordinator for the establishment of standards related to the exchange of clinical data.  More information regarding the committees can be found at:


Product certification is a critical component of the Health IT compliance framework, as it gives vendors a vehicle to certify that their products meet certain requirements, both to ensure appropriate compliance with regulation and to ensure interoperability.  Below is a brief listing of Health IT compliance organizations and a summary of their product offerings:

  • The Electronic Healthcare Network Accreditation Commission (EHNAC) is a nonprofit organization that accredits organizations that electronically exchange healthcare data (e.g. HIEs, health networks, e-prescribing, etc.)
  • CAQH CORE certifies organizations’ compliance with operating rules (both mandated and voluntary).

Trade Associations & Professional Societies

Trade associations and professional societies play a crucial role in helping to provide industry input into the Health IT compliance lifecycle.  The organizations that meet this definition are too numerous to list, but they represent payers, providers, vendors, coders / billing organizations, clearinghouses, and health IT professionals.