United States Department of Health and
For immediate release
Thursday, Feb. 13, 2003
Contact: CMS Press Office
HHS ADOPTS FINAL SECURITY STANDARDS, TRANSACTION MODIFICATIONS FOR ELECTRONIC
HEALTH INFORMATION UNDER HIPAA
HHS Secretary Tommy G. Thompson today announced the adoption of final security
standards for protecting individually identifiable health information when
it is maintained or transmitted electronically. At the same time, he also announced
the adoption of modifications to a number of the electronic transactions and
code sets adopted as national standards.
Both final regulations are required as part of the administrative simplification
provisions included in the Health Insurance Portability and Accountability
Act of 1996 (HIPAA).
"Overall, these national standards required under HIPAA will make it
easier and less costly for the health care industry to process health claims
and handle other transactions while assuring patients that their information
will remain secure and confidential," Secretary Thompson said. "The
security standards in particular will help safeguard confidential health
information as the industry increasingly relies on computers for processing
Under the security standards announced today, health insurers, certain health
care providers and health care clearinghouses must establish procedures and
mechanisms to protect the confidentiality, integrity and availability of electronic
protected health information. The rule requires covered entities to implement
administrative, physical and technical safeguards to protect electronic protected
health information in their care.
The security standards work in concert with the final privacy standards adopted
by HHS last year and scheduled to take effect for most covered entities on
April 14. The two sets of standards use many of the same terms and definitions
in order to make it easier for covered entities to comply.
"We took great care to address every detail and produce a rule that health
care providers will find easy to understand and implement," said Tom Scully,
administrator of HHS' Centers for Medicare & Medicaid Services (CMS).
The security standards will be published as a final rule in the Feb. 20 Federal
Register with an effective date of April 21, 2003. Most covered entities will
have two full years -- until April 21, 2005 -- to comply with the standards;
small health plans will have an additional year to comply, as HIPAA requires.
In a separate final regulation, HHS adopted modifications to the transaction
standards, which health plans, certain health care providers and health care
clearinghouses by law must use for electronic health care transactions. Covered
entities must comply with these modified transaction standards by Oct. 16,
The final transaction modifications rule, which will also be published in
the Federal Register on Feb. 20, combines two proposed rules published May
31, 2002. HHS worked extensively with the Designated Standards Maintenance
Organizations (DSMOs) to revise the proposed changes to the standards, as required
by Congress as part of HIPAA.
Major provisions of the final rule include:
- Repealing the National Drug Code (NDC) as the standard medical data code set
  for reporting drugs and biologics in all non-retail pharmacy transactions.
- Adopting the proposed Addenda to the implementation guides with some technical
  revisions based upon comments received and consultation with the DSMOs.
- For retail pharmacy transactions:
  - Adopting the National Council for Prescription Drug Programs (NCPDP)
    Batch Version 1.1 to support the Telecommunications Version 5.1.
  - Adopting the Accredited Standards Committee (ASC) X12N 835 as
    the standard for payment and remittance advice and the NCPDP
    5.1 and NCPDP Batch Version 1.1 Implementation Guides as the
    standard for the referral certification and authorization transaction.
  - Continuing the use of the NDC code set for the reporting of drugs
The rule also adopts modified standards for two transactions
that were not included in the proposed rules -- premium payments,
The modifications were approved by the DSMOs and merely provide
CMS is responsible for implementing and enforcing the security standards,
the transactions standards and other HIPAA administrative simplification provisions,
except for the privacy standards. HHS' Office for Civil Rights is responsible
for implementing and enforcing the privacy rule.
The complete text of both final
rules will be available at the CMS web site at http://www.cms.hhs.gov/hipaa/hipaa2.
The full text of the Addenda to the transaction modifications
rule will be available at http://hipaa.wpc-edi.com/HIPAAAddenda_40.asp.
More information about HIPAA standards is available at http://www.cms.hhs.gov/hipaa and http://www.aspe.hhs.gov/admnsimp/. A fact sheet summarizing the administrative
simplification standards required by HIPAA is available at http://www.hhs.gov/news/press/2002pres/hipaa.html.