Rule2026-05676
Administrative Simplification; Adoption of Standards for Health Care Claims Attachments Transactions and Electronic Signatures
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
March 24, 2026
Effective
May 26, 2026
Issuing agencies
Health and Human Services Department
Abstract
This final rule implements requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act of 2010, enacted on March 30, 2010--collectively, the Affordable Care Act. Specifically, this final rule adopts standards for health care claims attachments transactions, which will support health care claims transactions, and a standard for electronic signatures to be used in conjunction with health care claims attachments transactions.
Full Text
<html>
<head>
<title>Federal Register, Volume 91 Issue 56 (Tuesday, March 24, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 56 (Tuesday, March 24, 2026)]
[Rules and Regulations]
[Pages 14350-14405]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-05676]
[[Page 14349]]
Vol. 91
Tuesday,
No. 56
March 24, 2026
Part IV
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 162
Administrative Simplification; Adoption of Standards for Health Care
Claims Attachments Transactions and Electronic Signatures; Final Rules
��Federal Register / Vol. 91 , No. 56 / Tuesday, March 24, 2026 / Rules
and Regulations��
[[Page 14350]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 162
[CMS-0053-F]
RIN 0938-AT38
Administrative Simplification; Adoption of Standards for Health
Care Claims Attachments Transactions and Electronic Signatures
AGENCY: Office of the Secretary, Department of Health and Human
Services (HHS).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule implements requirements of the Administrative
Simplification subtitle of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), and the Patient Protection and
Affordable Care Act, as amended by the Health Care and Education
Reconciliation Act of 2010, enacted on March 30, 2010--collectively,
the Affordable Care Act. Specifically, this final rule adopts standards
for health care claims attachments transactions, which will support
health care claims transactions, and a standard for electronic
signatures to be used in conjunction with health care claims
attachments transactions.
DATES:
Effective Date: This final rule is effective on May 26, 2026. The
incorporation by reference of certain material listed in this rule is
approved by the Director of the Federal Register as of May 26, 2026.
Compliance Date: Compliance with these regulations is required by
May 26, 2028.
FOR FURTHER INFORMATION CONTACT:
Geanelle G. Herring, (410) 786-4466.
Shaheen Halim, (410) 786-0641.
Shelley Harrow, (410) 786-6875--Regulatory Impact Analysis.
Christopher Wilson, (410) 786-3178.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
A. Purpose/Need for the Regulatory Action
Despite the health care industry's widespread use of electronic
health records (EHR) and broad implementation of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) transaction
standards, the exchange of health care claims attachments has remained
largely manual, frequently relying on fax, mail, or portal uploads.
This final rule adopts standards for the electronic exchange of
clinical and administrative documentation to support claims-related
processes. Standardizing health care claims attachment transactions is
intended to reduce administrative burden and improve data exchange
efficiency between health plans and health care providers.
B. Summary of the Provisions
This final rule implements requirements of the Administrative
Simplification subtitle of HIPAA and the Affordable Care Act.
Specifically, this final rule adopts definitions of ``attachment
information'' and ``electronic signature'' in 45 CFR 162.103 and
``health care claims attachments transaction'' in Sec. 162.2001. This
rule also adopts standards for health care claims attachments
transactions in Sec. 162.2002(a) through (d) and standards for
electronic signatures, to be used in conjunction with health care
claims attachments transactions, in Sec. 162.2002(e).
In this final rule, we are adopting the following X12N standards
and Health Level 7 (HL7[supreg]) implementation guides (IG) for use by
covered entities in health care claims attachments transactions:
<bullet> X12N 277--Health Care Claim Request for Additional
Information [006020X313].
<bullet> X12N 275--Additional Information to Support a Health Care
Claim or Encounter [006020X314].
<bullet> HL7 IG for Clinical Document Architecture (CDA) Release 2:
Consolidated CDA (C-CDA) Templates for Clinical Notes (US Realm) Draft
Standard for Trial Use Release 2.1, Volume One--Introductory Material,
June 2019 with Errata (HL7 C-CDA IG Volume One).
<bullet> HL7 IG for CDA Release 2: C-CDA Templates for Clinical
Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two--
Templates and Supporting Material, June 2019 with Errata (HL7 C-CDA IG
Volume Two).
<bullet> HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based
Documents, Release 2, March 2022 (HL7 Attachments IG).\1\
---------------------------------------------------------------------------
\1\ The proposed rule that preceded this final rule named an
earlier iteration of this HL7 Attachments IG (Release 1, March
2017). The iteration of the HL7 Attachments IG named in this final
rule (Release 2, March 2022) contains cumulative technical updates
that are defined as ``maintenance.'' Additional discussion regarding
this can be found in section III.E. of this final rule.
---------------------------------------------------------------------------
<bullet> HL7 IG for CDA Release 2: Digital Signatures and
Delegation of Rights, Release 1 (Digital Signatures Guide).
C. Summary of the Differences Between the Notice of Proposed Rulemaking
and Final Rule
The proposed rule included proposals to support both health care
claims and prior authorization transactions, as well as a standard for
electronic signatures to be used in conjunction with these
transactions. Commenters expressed broad support for the HHS proposal
to adopt health care claims attachment standards. Conversely,
commenters overwhelmingly expressed two concerns about the proposals
for prior authorization attachments standards: (1) potential
misalignment when paired with the currently mandated X12N 278
transaction standard for prior authorization; and (2) potential
misalignment between HHS's proposed attachment standard for prior
authorization transactions with the requirements in CMS's then-
proposed, but now finalized, rule titled: ``CMS Medicare and Medicaid
Programs; Patient Protection and Affordable Care Act; Advancing
Interoperability and Improving Prior Authorization Processes for
Medicare Advantage Organizations, Medicaid Managed Care Plans, State
Medicaid Agencies, Children's Health Insurance Program (CHIP) Agencies
and CHIP Managed Care Entities, Issuers of Qualified Health Plans on
the Federally-Facilitated Exchanges, Merit-Based Incentive Payment
System (MIPS) Eligible Clinicians, and Eligible Hospitals and Critical
Access Hospitals in the Medicare Promoting Interoperability Program
final rule'' (hereinafter referred to as the CMS Interoperability and
Prior Authorization final rule) (89 FR 8758). Upon considering these
comments, along with further analysis and consultations with standard
setting organizations (SSO), we have elected not to finalize health
care attachments standards supporting prior authorization transactions
at this time.
In the proposed rule, we proposed the adoption of the 2017
iteration of one of the IGs (the HL7 CDA Release 2 Attachment IG:
Exchange of C-CDA Based Documents, Release 1, March 2017) (HL7
Attachments IG) (87 FR 78438). Based on the comments received, we
examined the history of changes to the HL7 Attachments IG and
determined that the cumulative changes in the March 2022 iteration
constitute ``maintenance updates'' because they refine the IG's
existing content rather than adding new content. Further consultation
with the designated standards maintenance organization (DSMO) indicates
that the maintenance updates reflected in the March 2022
[[Page 14351]]
iteration of the HL7 Attachments IG better facilitate the
implementation of Version 6020 of the X12N 275 and X12N 277 standards
for claims attachment, which the Secretary of Health and Human Services
(the Secretary) is adopting in this final rule. Therefore, this final
rule adopts the March 2022 iteration of the HL7 Attachments IG rather
than the proposed March 2017 iteration.
D. Summary of Costs and Savings
Based on the estimates included in the Regulatory Impact Analysis
(RIA), the primary net annualized cost, discounted at 7 percent, to the
industries is approximately $303.75 million. This estimate includes the
difference between the primary net annualized costs of $478.23 million,
which includes the regulatory review costs of $14.13 million, and
primary net annualized savings of $781.98 million.
II. Background
This background discussion presents a history of statutory
provisions and regulations relevant to this final rule.
A. Legislative Authority for Administrative Simplification
1. Standards Adoption and Modification Under the HIPAA Administrative
Simplification Provisions
Congress addressed the need for a consistent framework for
electronic transactions and other administrative simplification issues
in HIPAA (Pub. L. 104-191, enacted on August 21, 1996). Through
subtitle F of title II of HIPAA, Congress added to title XI of the
Social Security Act (the Act) a new Part C, titled: ``Administrative
Simplification,'' which required the Secretary to adopt standards for
certain transactions to enable health information to be exchanged more
efficiently and to achieve greater uniformity in the transmission of
health information. For purposes of this and later discussion in this
final rule, we sometimes refer to this statute as the ``original''
HIPAA provisions.
Section 1172(a) of the Act provides that any standard adopted by
the Secretary under the HIPAA Administrative Simplification provision
shall apply, in whole or in part, to the following persons, referred to
as ``covered entities'': (1) a health plan; (2) a health care
clearinghouse; and (3) a health care provider who transmits any health
information in electronic form in connection with a HIPAA transaction.
In general, section 1172 of the Act provides that any standard adopted
under HIPAA is to be developed, adopted, or modified by an SSO. The
statute requires consultation with four organizations named at section
1172(c)(3)(B) of the Act. In adopting a standard, section 1172(f) of
the Act requires the Secretary to rely upon recommendations of the
National Committee on Vital and Health Statistics (NCVHS) and consult
with appropriate federal and state agencies and private organizations.
Section 1172(b) of the Act provides that a standard adopted under
HIPAA must be consistent with the objective of reducing the
administrative costs of providing and paying for health care. The
transaction standards adopted under HIPAA enable financial and
administrative electronic data interchange (EDI) using a common
structure, as opposed to the many varied, often proprietary,
transaction formats on which the industry had previously relied. This
lack of uniformity across transaction formats engendered an
administrative burden.
Section 1173(g)(1) of the Act, which was added by section 1104(b)
of the Affordable Care Act, further addresses the goal of uniformity by
requiring the Secretary to adopt a single set of operating rules for
each transaction. These operating rules are required to be consensus-
based and reflective of the necessary business rules and operations
affecting both health plans and health care providers.
Section 1173(a) of the Act provides that the Secretary must adopt
standards for financial and administrative transactions, and data
elements for those transactions, to enable health information to be
exchanged electronically. The original HIPAA provisions require the
Secretary to adopt standards for the following transactions: (1) health
claims or equivalent encounter information; (2) health claims
attachments; (3) enrollment and disenrollment in a health plan; (4)
eligibility for a health plan; (5) health care payment and remittance
advice; (6) health plan premium payments; (7) first report of injury;
(8) health claim status; and (9) referral certification and
authorization (prior authorization). Section 1104(b)(2)(A) of the
Affordable Care Act added the requirement for the Secretary to adopt a
standard for electronic funds transfers. Additionally, section
1173(a)(1)(B) of the Act requires the Secretary to adopt standards for
any other financial and administrative transactions the Secretary
determines appropriate.
Sections 1173(c) through (f) of the Act provide that the Secretary
must adopt standards that: (1) select or establish code sets for
appropriate data elements for each listed health care transaction; (2)
address and ensure security for health care information; (3) specify
procedures for electronic signatures in coordination with the Secretary
of Commerce, compliance with which will be deemed to satisfy both state
and federal statutory requirements for written signatures for the
listed transactions; and (4) address the transmission of appropriate
standard data elements needed for the coordination of benefits,
sequential processing of claims, and other data elements for
individuals who have more than one health plan. Section 1174 of the Act
requires the Secretary to review the adopted standards and adopt
modifications to them, including additions to the standards as
appropriate, but not more frequently than once every 12 months.
Section 1175 of the Act prohibits health plans from refusing to
conduct a transaction as a standard transaction.\2\ It also prohibits
health plans from delaying a transaction or adversely affecting, or
attempting to adversely affect, a person or the transaction itself on
the grounds that the transaction is in a standard format. Additionally,
it establishes a timetable for covered entities to comply with any
standard, implementation specification, or modification as follows: (1)
for an initial standard or implementation specification, no later than
24 months following its adoption; and (2) for modifications, as the
Secretary determines appropriate, but no earlier than 180 days after
the modification is adopted.
---------------------------------------------------------------------------
\2\ See 45 CFR 162.103 for the definition of standard
transaction.
---------------------------------------------------------------------------
Sections 1176 and 1177 of the Act establish civil money penalties
(CMP) and criminal penalties to which covered entities may be subject,
for violations of HIPAA Administrative Simplification provisions. The
Department of Health and Human Services (HHS) administers the CMPs
under section 1176 of the Act, while the U.S. Department of Justice
administers the criminal penalties under section 1177 of the Act.
Section 1176(b) of the Act sets out limitations on the Secretary's
authority and provides the Secretary certain discretion with respect to
imposing CMPs. For example, section 1176(b)(1) provides that no CMPs
may be imposed with respect to an act if a penalty has been imposed
under section 1177 of the Act with respect to such an act. Section
1176(b)(2)(A) generally precludes the Secretary from imposing a CMP for
a violation corrected during the 30-day
[[Page 14352]]
period beginning when an individual knew or, by exercising reasonable
diligence, would have known that the failure to comply occurred. The
original HIPAA provisions are discussed in greater detail in the August
17, 2000 Health Insurance Reform: Standards for Electronic Transactions
final rule (65 FR 50312) (hereinafter referred to as the Transactions
and Code Sets final rule), and the December 28, 2000 Standards for
Privacy of Individually Identifiable Health Information final rule (65
FR 82462). We refer readers to those documents for further information.
2. Affordable Care Act Amendments to HIPAA Administrative
Simplification
Section 1104(c)(3) of the Affordable Care Act reiterated the
original HIPAA requirement to adopt a health claims attachment
standard, and directed the Secretary to promulgate a final rule to
establish a transaction standard and a single set of associated
operating rules.\3\ Section 1104(c)(3) of the Affordable Care Act
requires that the adopted standard be ``consistent with the X12 Version
5010 transaction standards,'' provides that the Secretary must adopt
the standard and operating rules by January 1, 2014, to be effective no
later than January 1, 2016, and that the Secretary may adopt the
standard and operating rules on an interim final basis. We interpret
the 24 month ``effective date'' under section 1104(c)(3) of the
Affordable Care Act to mean that the compliance date for covered
entities should be 24 months after the effective date of this final
rule. Unlike the original HIPAA provisions, the Affordable Care Act
provision makes no allowance for an extended period for small health
plans to achieve compliance.
---------------------------------------------------------------------------
\3\ As we noted in the Administrative Simplification: Adoption
of Standards for Health Care Attachments Transactions and Electronic
Signatures, and Modification to Referral Certification and
Authorization Transaction Standard proposed, at that time CAQH CORE
had developed operating rules for attachments but the NCVHS had yet
to evaluate them and make a recommendation to the Secretary, thus
they were not proposed for adoption (87 FR 78445).
---------------------------------------------------------------------------
B. Prior Rulemaking
In the Transactions and Code Sets final rule (65 FR 50312), we
implemented some of the HIPAA Administrative Simplification
requirements by adopting standards for electronic transactions
developed by SSOs, and medical code sets to be used in those
transactions. We adopted X12 Version 4010 standards for administrative
transactions, and the National Council for Prescription Drug Programs
(NCPDP) Telecommunication Version 5.1 standard for retail pharmacy
transactions, which were specified at 45 CFR part 162, subparts K
through R.
Since then, we have adopted several modifications to the HIPAA
standards, including in the Health Insurance Reform: Modifications to
the Health Insurance Portability and Accountability Act (HIPAA)
Electronic Transaction Standards final rule (hereinafter referred to as
the Modifications final rule) which appeared in the January 16, 2009
Federal Register (74 FR 3296). That rule, among other things, adopted
updated versions of the standards, X12 Version 5010, and the NCPDP
Telecommunication Standard Version D.0 and equivalent Batch Standard,
Version 1, Release 2. We also adopted the NCPDP Batch Standard Version
3.0 for the Medicaid pharmacy subrogation transaction. Covered entities
were required to comply with Version 5010, Version D.0, and Version 3.0
standards on January 1, 2012, though with respect to the latter, small
health plans were required to comply on January 1, 2013.
In the HIPAA Administrative Simplification: Standards for
Electronic Health Care Claims Attachments proposed rule (hereinafter
referred to as the Standards for Electronic Health Care Claims
Attachments proposed rule), which appeared in the September 23, 2005
Federal Register (70 FR 55990), we proposed to adopt certain health
care claims attachments standards. As opposed to a standard with
generalized applicability, that proposed rulemaking proposed to adopt
health care claims attachment standards with respect to specific
services, including ambulance services, clinical reports, emergency
department, laboratory results, medications, and rehabilitation
services. However, public comments we received on those proposals
persuasively argued that the standards lacked technical maturity and
that interested parties were not ready to implement the electronic
exchange of clinical data, so we did not finalize adopting them.
HHS issued a proposed rule titled: Administrative Simplification:
Adoption of Standards for Health Care Attachments Transactions and
Electronic Signatures, and Modification to Referral Certification and
Authorization Transaction Standard that appeared in the December 21,
2022 Federal Register (87 FR 78438) (hereinafter referred to as the
HIPAA Standards for Health Care Attachments proposed rule). In that
proposed rule, we proposed new requirements for HIPAA covered entities
that we believed would improve the electronic exchange of health
information and a new electronic signature standard. We provided a 90-
day public comment period.
We later issued a correcting document titled: Administrative
Simplification: Adoption of Standards for Health Care Attachments
Transactions and Electronic Signatures, and Modification to Referral
Certification and Authorization Transaction Standard; Correction, which
appeared in the March 17, 2023 Federal Register (88 FR 16392)
(hereinafter referred to as the HIPAA Standards for Health Care
Attachments proposed rule correction notice). That notice corrected
typographical and technical errors in the HIPAA Standards for Health
Care Attachments proposed rule by conforming the proposed regulations
text to the proposed policies discussed in the preamble.
Subsequently, we extended the public comment period for the
proposed rule by another 30 days via a notice that appeared in the
March 24, 2023 Federal Register titled: ``Adoption of Standards for
Health Care Attachments Transactions and Electronic Signatures, and
Modification to Referral Certification and Authorization Transaction
Standard: Extension of Comment Period'' (88 FR 17780). We believed it
was important for the public to have the opportunity to review and
comment on the corrected proposed rule because most of the corrections
to the proposed rule were in the regulation text.
In the HIPAA Standards for Health Care Attachments proposed rule
(87 FR 78445), we proposed to adopt attachments standards that would
apply to health care claims or equivalent encounter transactions and to
referral certification and authorization (prior authorization)
transactions.\4\ In this final rule, HHS adopts standards only for
health care claims attachments transactions or equivalent encounter
transactions, which will support health care claims transactions. HHS
further adopts a standard for electronic signatures to be used in
conjunction with health care claims attachments transactions. We thus
refer to the attachment standards being adopted in this final rule as
``health care claims attachment standards.'' In section III.A.
[[Page 14353]]
of this final rule, we explain why we elected not to move forward with
the proposals to adopt an attachments standard for prior authorization
transactions.
---------------------------------------------------------------------------
\4\ We clarify that, in this final rule, we frequently use the
shorthand ``health care claims'' to speak of health care claims or
equivalent encounter information transactions under 45 CFR 161.1101.
We note that attachments would most likely be requested for health
care claims (Sec. 161.1101(a)) involving payment, rather than for
``equivalent encounter information'' transactions (Sec.
161.1101(b)) involving the ``transmission of encounter information
for the purpose of reporting health care.''
---------------------------------------------------------------------------
C. Standards and Code Sets Organizations
The HIPAA Standards for Health Care Attachments proposed rule
presented information about the organizations responsible for
developing and maintaining the transaction standards and code sets that
we are adopting in this final rule. Information about each
organization's balloting process--the process by which they vet and
approve the products they develop and changes thereto--is available on
their respective websites. We provide links to these websites in this
section.
As we stated previously, the law requires any standard adopted
under HIPAA to be developed, adopted, or modified by an SSO. Section
1171 of the Act provides that an SSO is an organization accredited by
the American National Standards Institute (ANSI) that develops
standards for information transactions, data elements, or any standard
that is necessary to, or will facilitate the implementation of,
administrative simplification. Pursuant to section 1172(c)(3) of the
Act, a HIPAA SSO must develop, adopt, and modify standards in
consultation with certain organizations: the National Uniform Billing
Committee (NUBC), National Uniform Claim Committee (NUCC), Workgroup
for Electronic Data Interchange (WEDI), and American Dental Association
(ADA). The two SSOs associated with this final rule are the Accredited
Standards Committees (ASC) X12 and HL7, both of which maintain websites
where the required IGs may be obtained. One other organization, the
Regenstrief Institute (Regenstrief), a health research institution and
not an SSO, maintains a code set named Logical Observation Identifiers
Names and Codes (LOINC), which is important to this rulemaking.
1. X12 \5\
---------------------------------------------------------------------------
\5\ X12. (n.d.). Retrieved from <a href="https://X12.org/">https://X12.org/</a>.
---------------------------------------------------------------------------
The first SSO associated with this final rule is X12, which
develops and maintains standards for the electronic exchange of
business-to-business transactions. An ANSI-accredited organization, X12
membership is open to all individuals and organizations. An X12
subcommittee known as Subcommittee N: Insurance (X12N) develops and
maintains electronic standards specific to the insurance industry,
including, but not limited to, health insurance. Comprised of
volunteers, X12N develops standards for electronic health care
transactions for common administrative activities including: (1)
claims; (2) remittance advice; (3) claims status; (4) enrollment; (5)
eligibility; (6) authorizations and referrals; and (7) electronic
health care claims attachments. X12N is responsible for obtaining
consensus on the standards from the entire organization and producing
draft documents that it makes available for public review and comment,
which it addresses as necessary before voting on any proposal.
Proposals must then be reviewed and ratified by a majority of the X12N
voting members and X12's executive committee.
2. HL7 \6\
---------------------------------------------------------------------------
\6\ Health Level Seven International. (n.d.). Retrieved from
<a href="https://www.HL7.org/">https://www.HL7.org/</a>.
---------------------------------------------------------------------------
The second SSO associated with this final rule is HL7, an ANSI-
accredited SSO that develops and maintains standards for the exchange,
integration, sharing, and retrieval of electronic health information
that supports clinical practice and the management, delivery, and
evaluation of health services. Its domain is principally clinical data,
and its specific emphasis is the interoperability between health care
information systems. HL7's membership is open to all individuals and
organizations, and it focuses its interface requirements on the entire
health care industry, not just a subset of it.
HL7 conducts a multi-step process called balloting to solicit
feedback and comments on standards and specifications prior to
publication.\7\ A technical committee, such as a workgroup, develops
the standard or specifications, which is then submitted for
consideration under the balloting process. All HL7 members are eligible
to vote and submit feedback on standards, regardless of whether they
are members of the committee that developed the standard. Non-members
may also vote on a given ballot for a standard, though to do so they
must pay an administrative fee. After reviewing feedback received
during voting, HL7 technical committees vote on ``recommendations,''
which require a two-thirds majority for approval. HL7 standards are
available to the public on its website, and the website also describes
in more detail HL7's balloting process.\8\ HL7 standards are free and
open source, and documentation is available to anyone to ensure that
all implementers can equally access information.
---------------------------------------------------------------------------
\7\ Health Level Seven International. (n.d.). HL7 Balloting.
Retrieved from <a href="https://confluence.hl7.org/display/HL7/HL7+Balloting">https://confluence.hl7.org/display/HL7/HL7+Balloting</a>.
\8\ Health Level Seven International. (n.d.). Retrieved from
https://www.hl7.org/.
---------------------------------------------------------------------------
3. The Regenstrief Institute (Regenstrief) \9\
---------------------------------------------------------------------------
\9\ Logical Observation Identifiers Names and Codes from
Regenstrief. (n.d.). Retrieved from <a href="https://loinc.org/">https://loinc.org/</a>.
---------------------------------------------------------------------------
Regenstrief is a health research institution that develops and
maintains a code set, LOINC, which is the code system, terminology, and
vocabulary for identifying individual clinical results and other
clinical information. Regenstrief supports the development of a code
system for attachments use cases and works closely with the HL7 Payer/
Provider Information Exchange (PIE) Work Group (formerly known as the
Attachments Work Group) to develop a set of LOINC codes to uniquely
indicate the type and content of attachment information in electronic
transmissions. Regenstrief maintains LOINC through its LOINC Committee,
which is composed of volunteer representatives from academia, industry,
and government who serve as subject matter experts in their domains of
expertise. That committee establishes overall naming conventions and
policies for the development process.
D. Industry Standards, Code Sets, and IGs
1. Electronic Data Interchange (EDI) and Transaction Standards
In the HIPAA Standards for Health Care Attachments proposed rule,
we discussed how HIPAA transactions involve the electronic transmission
of information between two parties to carry out health care-related
financial or administrative activities (87 FR 78441). These activities
include health insurance claims submissions and prior authorization
requests, and HIPAA standards for those transactions require uniformity
for EDI of those transmissions.
The benefit of HIPAA standards is that they use a common
interchange structure, eliminating covered entities' need to have
information technology (IT) systems that accommodate multiple
proprietary, and potentially continually changing, data formats. The
interchange structure uniformity enables covered entities to exchange
medical, billing, and other information to process transactions more
expeditiously and cost-effectively, reduces handling and processing
time, and eliminates the risk of lost paper documents, thereby reducing
administrative burdens,
[[Page 14354]]
lowering operating costs, and improving overall data quality.
HIPAA transaction standards specify: (1) data interchange
structures (message transmission formats); and (2) data content (all of
the data elements and code sets inherent to a transaction and not
related to the format of the transaction). Implementation
specifications detail the nature, location, and content format of each
piece of information transmitted in a transaction. Standardization of
transactions also involves: (1) specification of the data elements that
are exchanged; (2) uniform definitions of those specific data elements
in each type of electronic transaction; (3) identification of the
specific codes or values that are valid for each data element; and (4)
specification of the business actions each party must take to ensure
the exchange of administrative transactions occurs smoothly and
reliably, regardless of the technology employed.
a. IGs--X12
As discussed in section II.C.1. of this final rule, X12 develops
and maintains standards for the electronic exchange of business-to-
business transactions. X12N publishes transmission standards that apply
to many lines of insurance business. For example, the X12N 820 message
format for premium payment may be used for automobile and casualty
insurance. X12 implementation specifications, referred to by the
industry as IGs and written collaboratively by X12N workgroups, make
these general standards functional for industry-specific uses. The
specifications are based on X12 standards, but contain detailed
instructions for using the standard to meet a specific business need.
X12's implementation specifications for HIPAA transaction standards
adopted by the Secretary are known as ``Technical Reports Type 3''
(TR3). Each X12N IG has a unique version identification number
represented in a parenthetical, where the highest version number
represents the most recent version. HHS adopted the then-updated
Version 5010 of the X12 standards in the Modifications final rule (74
FR 3296), while this final rule adopts Version 6020 of the X12N 275 and
X12N 277 standards, the rationale for which we discuss in section III.
of this final rule.
b. IGs--HL7
HL7's PIE Workgroup develops standards for electronic health care
attachments. The workgroup, which includes industry experts
representing health care providers, health plans, and health technology
vendors, is also responsible for creating and maintaining the IGs. The
IGs are sets of instructions and associated code tables that describe,
list, or itemize the content, format, and code to be sent, and specify
how such information is to be conveyed in an electronic health care
attachment.
The HL7 CDA is an XML-based (a computer programming language)
markup standard that specifies the encoding, structure, and semantics
of clinical documents for purposes of transmitting attachment
information. XML-coded files have the same characteristics and
information as hard copy documents, so regardless of how data are sent
within a transaction, they can be read and processed by both people and
machines. An important feature of the CDA standard is that it allows
the entire body of an electronic document to be replaced by an image,
for example, a scanned copy of a page or pages from a medical record.
That permits the clinical content to be conveyed by an image or text
document, but a header still supports automated document management.
The CDA header contains standardized, machine-readable data elements,
such as document type, patient and provider identifiers, and service
dates that enable health information technology (health IT) systems to
automatically route, index, associate, and manage attachment documents
even when the document body consists of images or other non-structured
content. This feature of the CDA standard is relevant because it
accommodates health care attachments that may not be conducive to XML
formatting, such as medical imaging, video, or audio files.
HL7 also produces the C-CDA standard that provides specifications
for formatting document templates, depending on whether they are
structured or unstructured, enabling the CDA to create numerous
specific document types, known as templates. The HL7 C-CDA IG document
templates are designed to be electronic versions of the most common
types of paper document attachment information. Attachment information
not included in a template may be created by using instructions
included in the finalized unstructured document IG; supported
unstructured formats include MSWORD, PDF, Plain Text, RTF Text, HTML
Text, GIF Image, TIF Image, JPEG Image, and PNG Image.
2. Code Sets
Transaction data content standardization involves identifying the
specific codes or values for each data element. Health care EDI
requires many types of code sets, including large medical data code
sets and classification systems for medical diagnoses, procedures, and
drugs, and smaller code sets to identify categories, such as facility
type, currency, units, or a state within the United States. Large data
code sets include those developed and maintained by federal agencies,
such as the Centers for Medicare & Medicaid Services' (CMS) Healthcare
Common Procedure Coding System (HCPCS), and by private organizations,
such as the American Medical Association's (AMA) Current Procedural
Terminology (CPT[supreg]) and the ADA's Code on Dental Procedures and
Nomenclature (CDT Code).<SUP>10 11</SUP> These code sets have been
adopted through rulemaking under HIPAA in the Transactions and Code
Sets final rule (65 FR 50312) and are mandated for use in federal and
state health care programs, such as Medicare, Medicaid, and the
Children's Health Insurance Program (CHIP). SSOs require or permit
their use in their standards.
---------------------------------------------------------------------------
\10\ CPT[supreg] is a registered service mark of the American
Medical Association.
\11\ The CDT code set is a proprietary code set.
---------------------------------------------------------------------------
3. IGs as HIPAA Standards
Section 1172(d) of the Act directs the Secretary to establish
specifications for implementing each of the adopted standards. As we
explained previously, SSOs have developed IGs by which to implement the
same standards for different business purposes. In the HIPAA Standards
for Health Care Attachments proposed rule, we proposed an approach we
have taken with previous HIPAA Rules that adopted a specific IG as both
the ``standard'' and the ``implementation specifications'' for each
health care transaction (87 FR 78442).
In pursuing this approach, we were mindful that section 1104(c)(3)
of the Affordable Care Act requires that the Secretary promulgate a
final rule to establish a transaction standard and a single set of
operating rules for health care attachments that is ``consistent with
the X12 Version 5010 transaction standards.'' We interpreted this
requirement to mean that the proposed health care attachment
implementation specifications must be compatible with X12 standards
generally, meaning any standard we adopt for attachment information can
be electronically transmitted by an X12 transmission standard in the
same transaction (87 FR 78442). The Affordable Care Act was enacted in
2010, at which time we had adopted Version 5010 of the X12 standards. A
decade later, we
[[Page 14355]]
interpreted the Affordable Care Act's mandate as referencing the then-
current standards--the X12 Version 5010--but not specifically requiring
adherence in perpetuity to a static standard, which would contravene
the HIPAA standards paradigm that is premised on standards evolution
over time and be contrary to logic as X12 continues to publish newer
versions of its standards. Therefore, in the HIPAA Standards for Health
Care Attachments proposed rule, we proposed to adopt Version 6020 of
certain X12 standards (87 FR 78447).
Additionally, we proposed to adopt transaction standards that can
be used together in a single electronic transmission (87 FR 78447
through 78449). HL7 standards can work in conjunction with other
standards like X12. The HIPAA covered entities who would use the health
care claims attachment standard are currently using X12 transaction
standards, so adoption of a health care claims attachment standard
using X12 standards, which are being finalized in this final rule,
should have minimal impact on covered entities.
Separately, we are also aware that SSOs are developing and piloting
other types of standards. In the HIPAA Standards for Health Care
Attachments proposed rule, we solicited public comment on this and any
alternative implementation specifications that may be considered
compatible with X12 Version 5010 (87 FR 78442). Commenters were
supportive of our proposals pertaining to claims attachments, however,
commenters expressed concerns about the proposals to include prior
authorization within the attachment transaction. Commenters identified
additional standards for consideration, specifically the HL7 Fast
Healthcare Interoperability Resources (FHIR[supreg]) standard.\12\ We
summarize the alternatives that commenters recommended we consider, and
provide our full response to these comments, in section III.D.2. of
this final rule.
---------------------------------------------------------------------------
\12\ Health Level Seven International. (2023). Guide to Using
HL7 Trademarks. Retrieved from <a href="http://www.hl7.org/legal/trademarks.cfm?ref=nav">http://www.hl7.org/legal/trademarks.cfm?ref=nav</a>. HL7 requires the registered trademark with
the first use of its name in a document, for which policies are
available on its website at <a href="http://www.HL7.org">www.HL7.org</a>.
---------------------------------------------------------------------------
E. The NCVHS Recommendations to the Secretary
In the proposed rule, we stated that the NCVHS is a statutorily
designated advisory committee that provides the Secretary with
recommendations on health information policy and standards (87 FR
78447).\13\ Among the ways it does so is by convening regular forums
with industry groups on key issues related to population health,
standards, privacy and confidentiality, and data access and use.
Pursuant to HIPAA, the NCVHS advises the Secretary on the adoption of
standards, implementation specifications, code sets, identifiers, and
operating rules for HIPAA transactions. For readers' reference, we
include here the process discussion also found in the HIPAA Standards
for Health Care Attachments proposed rule.
---------------------------------------------------------------------------
\13\ At the time this final rule was being drafted, the NCVHS
website was undergoing maintenance. National Committee on Vital and
Health Statistics. (n.d.). Retrieved from <a href="https://ncvhs.hhs.gov/">https://ncvhs.hhs.gov/</a>.
Website references herein to NCVHS recommendation and artifacts
reflect access made prior to the initiation of maintenance mode and
also appeared in the proposed rule. Current inquiries seeking NCVHS
recommendation letters and other artifacts referenced herein should
be directed to: <a href="/cdn-cgi/l/email-protection#c68087858b9286a5a2a5e8a1a9b0"><span class="__cf_email__" data-cfemail="dd9b9c9e90899dbeb9bef3bab2ab">[email protected]</span></a>.
---------------------------------------------------------------------------
The NCVHS held a number of hearings and made several sets of
recommendations to the Secretary on claims attachment standards, which
are reflected in the administrative record and described in prior
Federal Register notices. For example, the HIPAA Standards for Health
Care Attachments proposed rule discusses the NCVHS subcommittee
hearings, correspondence to the Secretary, and its March 30, 2022
recommendation urging prompt adoption of a claims attachments standard
(87 FR 78443 and 78444).
The NCVHS Standards Subcommittee held a November 17, 2011 hearing
on health claims attachments to gather information regarding new
business needs, priorities, issues, and challenges. Participant
testimony addressed the development status of standards and
implementation specifications. Some organizations testified regarding
their interest in serving as attachments operating rules authoring
entities. In a letter to HHS dated March 2, 2012, the NCVHS
Subcommittee on Standards advised HHS that it was premature to make
formal recommendations regarding the adoption of any standard,
implementation specification, or operating rule associated with health
care attachments.\14\ On May 5, 2012, the NCVHS recommended that the
Council for Affordable Quality Healthcare (CAQH), a nonprofit entity
whose stated mission is to improve the efficiency, accuracy, and
effectiveness of industry-driven business transactions, be designated
as the operating rules authoring entity.\15\
---------------------------------------------------------------------------
\14\ National Committee on Vital and Health Statistics. (2012,
March 2). Claim Attachments. Retrieved from <a href="https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120302lt1.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120302lt1.pdf</a>.
\15\ National Committee on Vital and Health Statistics. (2021,
May 5). Recommendations to Designate an Authoring Entity and Ensure
Industry Collaboration for the Development of Operating Rules for
Health Care Administrative Transactions. Retrieved from <a href="https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120505lt.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2014/05/120505lt.pdf</a>.
---------------------------------------------------------------------------
The NCVHS Subcommittee held a second hearing on health claims
attachments on February 27, 2013, where it identified a trend toward
convergence of administrative and clinical information. In a June 21,
2013 letter, the NCVHS recommended that the Secretary adopt a number of
initial attachments-related transaction standards by January 1, 2016
(the date by which the Affordable Care Act required claims attachment
standards to be effective), but advised HHS to take a comprehensive and
incremental approach to considering attachment standards to promote
innovation and flexibility.\16\ The NCVHS noted there was industry
consensus that adoption of standards should not be limited to ``claim
attachments,'' but, rather, should be more inclusive of any kind of
attachment with administrative or clinical information. It recommended
that attachments-related transaction standards should be applied to
claims, eligibility, prior authorization, referrals, care management,
post-payment audits, and any other administrative processes for which
supplemental information is needed. Among other recommendations, the
NCVHS advised HHS that attachment standards should support structured
and unstructured data, and both solicited and unsolicited
transmissions. It further advised that attachments standards should be
defined for two types of transactions: (1) Query (the electronic
solicitation of an attachment); and (2) Response (the electronic
transmission of an attachment). The NCVHS held another hearing on
health care attachments on February 15, 2016, and on July 5, 2016 sent
the Secretary a letter titled: ``Recommendations for the Electronic
Health Care Attachment Standard.'' \17\ This letter consolidated its
previous recommendations on attachments and advised that updated
versions of the available standards were ready for industry use, and
there was unanimous testimony that the health care industry was eager
to see them adopted. The NCVHS recommended that HHS complete additional
rulemaking to adopt the recommended standards
[[Page 14356]]
considering the length of time that had elapsed since the 2005
publication of the previous, and, ultimately, premature Standards for
Electronic Health Care Claims Attachments proposed rule (70 FR 55990),
and subsequent technology advancement and stakeholder readiness.
---------------------------------------------------------------------------
\16\ National Committee on Vital and Health Statistics. (2013,
June 21). Attachments Standards for Health Care. Retrieved from
<a href="https://ncvhs.hhs.gov/wp-content/uploads/2014/05/130621lt2.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2014/05/130621lt2.pdf</a>.
\17\ National Committee on Vital and Health Statistics. (2016,
July 5). Recommendations for the Electronic Health Care Attachment
Standard. Retrieved from <a href="https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf</a>.
---------------------------------------------------------------------------
On March 30, 2022, the NCVHS sent the Secretary a letter titled:
``Recommendations to Modernize Aspects of HIPAA and Other HIT [(Health
Information Technology)] Standards to Improve Patient Care and Achieve
Burden Reduction.'' \18\ This letter continued to stress previous
recommendations urging the Secretary to adopt a standard for electronic
attachments as soon as possible, and also stated--
---------------------------------------------------------------------------
\18\ National Committee on Vital and Health Statistics. (2022,
March 30). Recommendations to Modernize Aspects of HIPAA and Other
HIT Standards to Improve Patient Care and Achieve Burden Reduction.
Retrieved from <a href="https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf</a>.
We recognize that there is ongoing debate and no definitive
industry consensus about the role of attachments (i.e., documents)
as opposed to data (i.e., a string of data elements not structured
within a document). While the vision with APIs [(Application
Programming Interfaces)] based on FHIR seem to be driving toward
more of a data-driven transaction, we see more than sufficient
industry demand for a document-based attachment standard, and we do
not foresee any imminent demise of the utility of digital documents.
We suggest short-term publication of an attachment rule, with
consideration for emerging standards based on recent input from
industry and other advisory group discussions. This could add
immediate value for industry and could support future actions as
HIPAA's procedural requirements may be updated to allow for non-
document type digital attachment data.\19\
---------------------------------------------------------------------------
\19\ National Committee on Vital and Health Statistics. (2022,
March 30). Recommendations to Modernize Aspects of HIPAA and Other
HIT Standards to Improve Patient Care and Achieve Burden Reduction.
Retrieved from <a href="https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf</a>.
Based on the NCVHS's previous recommendations to the Secretary, and
particularly in consideration of its most recent March 30, 2022
recommendation, we are finalizing adoption of a document-based
attachments standard for healthcare claims or equivalent encounter
transactions in this final rule.
F. Other Industry Recommendations
1. Consensus-Based Organization Support
Industry consensus-based organizations, which vet proposals before
they are presented to the NCVHS, agree that the standards we proposed
are sufficiently mature to support health care business needs. Both
WEDI and the CAQH Committee on Operating Rules for Information Exchange
(CORE) have described the benefits that adopting health care
attachments standards would bring in automating and streamlining
workflows that, today, are primarily manual processes and sources of
significant administrative burden. We discussed their perspectives in
the HIPAA Standards for Health Care Attachments proposed rule (87 FR
78443).
In May 2019, CAQH CORE issued a document titled: ``Report on
Attachments: A Bridge to a Fully Automated Future to Share Medical
Documentation,'' where it reported evidence from its 2018 environmental
scan indicating a high degree of industry readiness and interest in the
attachments standard.\20\ The report noted that ``the health care
industry continues to wait for an electronic attachments standard that
can simplify the exchange of necessary medical information and
supplemental documentation.'' Specifically, the report stated that
``health plans, providers and vendors lack the direction needed to
support broad use of automation in the attachment workflow, or for
industry to coalesce around the use of even a small number of
electronic solutions,'' leading to largely manual, and often paper-
based, processes, and ultimately underscoring the need to standardize
electronic attachment exchange methods.
---------------------------------------------------------------------------
\20\ The Council for Affordable Quality Healthcare Committee on
Operating Rules for Information Exchange. (2019). CAQH CORE Report
on Attachments: A Bridge to a Fully Automated Future to Share
Medical Documentation. Retrieved from <a href="https://www.caqh.org/hubfs/43908627/drupal/core/core-attachments-environmental-scan-report.pdf">https://www.caqh.org/hubfs/43908627/drupal/core/core-attachments-environmental-scan-report.pdf</a>.
---------------------------------------------------------------------------
2. Other Recent Public Comment Support
CMS published the Reducing Administrative Burden to Put Patients
Over Paperwork request for information (RFI), which appeared in the
Federal Register on June 11, 2019 (84 FR 27070). That RFI solicited
public comment on ideas for regulatory, subregulatory, policy,
practice, and procedural changes to reduce unnecessary administrative
burdens for clinicians, providers, patients, and their families, with
an aim to improve quality of care, lower costs, improve program
integrity, and make the health care system more effective, simple, and
accessible. To be clear, the RFI did not relate to, and was not for the
purpose of, soliciting comments on HHS's efforts pertaining to HIPAA
Administrative Simplification. Nevertheless, many commenters, including
organizations representing physician provider groups, insurance payers,
health technology vendors, health care financial managers, and health
IT standard advisory bodies, called for the publication of a HIPAA
electronic attachments proposed rule to be accelerated, as well as
guidance on other standards, such as electronic signature protocols to
achieve these goals. These commenters indicated that adoption of a
HIPAA attachments standard could help reduce administrative burden in
many clinical and administrative situations where documents need to be
shared, and relieve providers of current burdensome, largely paper-
based, processes.
In preparation for its August 25, 2020 Standards Committee Meeting,
the NCVHS invited the public to provide feedback on the CAQH CORE
operating rules for prior authorization transactions. In response,
commenters expressed their support for the adoption of an attachment
standard. Commenters also provided input on current standards
development efforts underway to address prior authorization challenges,
including recommendations for the Secretary to explore or allow the use
of other standards or alternative approaches.\21\ In that regard, we
acknowledge there is a growing base of evidence that may support our
adopting attachment standards that rely on emerging technologies, such
as APIs. We refer readers to section III.D.2. of this final rule for a
summary of public comments received on the proposed rule regarding
emerging technologies, such as APIs, and our response to them.
---------------------------------------------------------------------------
\21\ National Committee on Vital and Health Statistics. (2020,
August 25). NCVHS Standards Subcommittee on Standards Hearing on
Request for NCVHS Review of CAQH CORE Operating Rules for Federal
Adoption. Retrieved from <a href="https://ncvhs.hhs.gov/wp-content/uploads/2020/09/Standards-Transcript-8-25-20Final-508.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2020/09/Standards-Transcript-8-25-20Final-508.pdf</a>.
---------------------------------------------------------------------------
III. Provisions of the Proposed Rule, Analysis of and Responses to the
Public Comments Received, and Final Provisions
In response to the HIPAA Standards for Health Care Attachments
proposed rule, which appeared in the December 21, 2022 Federal Register
(87 FR 78438), we received more than 120 timely pieces of
correspondence commenting on health care claims and prior authorization
attachments.
In general, commenters were supportive of HHS's efforts to adopt
health care claims attachments standards that could potentially
mitigate
[[Page 14357]]
longstanding issues pertaining to the manual transmission of health
care claims attachments. Importantly, however, commenters recommended
that HHS, at this time, adopt only standards for health care claims
attachments transactions and not for prior authorization attachments
transactions, as we had also proposed. We explain in this final rule
that we are confining the scope of this rule's finalized policies to
claims attachments transactions, and we explain our rationale for not
finalizing our proposals to adopt the X12N 278 standard for prior
authorization attachments transactions.
A. Decision Regarding the Adoption of X12N 278--Health Care Services
Request for Review and Response (006020X315)
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to adopt Version 6020 of the X12N 278--Health Care Services
Request for Review and Response (006020X315) as the standard a health
plan must use to electronically request attachment information from a
health care provider to support a prior authorization transaction (87
FR 78447). That standard, we noted, is unique in that it is also used
for a health care provider's request for prior authorization, as
reflected in Sec. 162.1302(b)(2)(ii) (87 FR 78447). We also proposed
to incorporate the same by reference in Sec. 162.920. Version 6020 of
the X12N 278 standard would have been a modification to the existing
HIPAA transaction standard, as we previously adopted Version 5010 of
the X12N 278 standard in the January 16, 2009 Modifications final rule
(74 FR 3296).
The X12N 278 standard supports prior authorization transactions for
health care that has yet to be rendered by the requesting provider, as
well as responses from health plans for authorizations or for referrals
to another provider, such as when a provider refers a patient to a
specialist or for inpatient care.\22\ Using the X12N 278 standard for
prior authorization transactions, the health plan transmits a response
to the health care provider. This response contains coded information
that can then be utilized in a health care claim to indicate that the
billed items or services were approved by the health plan before being
rendered, or that a referral to another provider has been approved.
---------------------------------------------------------------------------
\22\ See 45 CFR 162.1301.
---------------------------------------------------------------------------
After reviewing public comments, we are not adopting an attachments
standard for prior authorization at this time. Commenters cited limited
industry experience implementing the X12N 278 standard for prior
authorization attachments, variability in current prior authorization
workflows, and potential conflict with other federal interoperability
initiatives requiring FHIR-based prior authorization API capabilities.
Instead, we are adopting standards only for health care claims
attachments. This approach reflects current industry readiness and
supports administrative simplification while allowing continued
evaluation of evolving standards for prior authorization.
Comment: Although several commenters expressed support for HHS's
efforts to reduce the burden of prior authorizations by adopting
electronic standards to create a streamlined prior authorization
process that meets the needs of health plans and providers, more
commenters opposed HHS's finalizing the proposed adoption of X12N 278
standard with respect to prior authorization attachments transactions.
Commenters asserted that: (1) there is a lack of agreement on data
element standardization within the industry; (2) entities have a wide
range of prior authorization workflows and common definitions; (3)
previous attempts to leverage the X12N 278 standard to support prior
authorizations have failed; (4) the X12N 278 standard for prior
authorization transactions was never fully implemented in the industry;
(5) the X12N 278 standard for prior authorization transactions will not
support the requests or responses of a FHIR-based questionnaire; and
(6) HHS's goal of efficient, cost-effective, simplified
interoperability may be impeded by health IT vendors constantly having
to deal with exceptions due to conflicting requirements across various
rulemaking efforts.
Commenters also expressed concern that HHS's proposed X12N 278
standard for prior authorization attachments transactions that appeared
in the HIPAA Standards for Health Care Attachments proposed rule may
conflict with provisions of a CMS proposed (and now finalized) rule
that appeared nearly simultaneously in the Federal Register, on
December 13, 2022 titled: ``Medicare and Medicaid Programs; Patient
Protection and Affordable Care Act; Advancing Interoperability and
Improving Prior Authorization Processes for Medicare Advantage
Organizations, Medicaid Managed Care Plans, State Medicaid Agencies,
Children's Health Insurance Program (CHIP) Agencies and CHIP Managed
Care Entities, Issuers of Qualified Health Plans on the Federally-
Facilitated Exchanges, Merit-Based Incentive Payment System (MIPS)
Eligible Clinicians, and Eligible Hospitals and Critical Access
Hospitals in the Medicare Promoting Interoperability Program''
(hereinafter referred to as the CMS Interoperability and Prior
Authorization proposed rule) (87 FR 76238).
Commenters also requested clarification or provided HHS with
certain recommendations for consideration in the event HHS finalized
the adoption of the X12N 278 standard for prior authorization
attachments transactions. A commenter recommended that if HHS were to
adopt the X12N 278 standard, HHS should continue the use of Version
5010 and not adopt Version 6020 of the X12N 278 standard, asserting
that it offers no additional functionality, is untested, and may
contain errors.
Response: We appreciate the comments submitted in response to our
proposal to adopt a standard for health care attachments transactions
that would include the prior authorization transaction standard. Upon
further consideration, and as we explain herein, we have elected not to
finalize the prior authorization transaction standard proposal. Rather,
we are adopting only the standards for health care claims attachments
transactions. Our decision reflects substantive consideration of
several interrelated concerns raised by commenters, many of which point
to foundational issues that could have impeded effective
implementation.
First, numerous commenters cited the lack of industry consensus
regarding data element standardization. Prior authorization processes
vary widely across health plans, and there is currently no agreed-upon,
consistent set of data elements that supports a level of automation and
interoperability consistent with HIPAA Administrative Simplification
goals. While a standard like the X12N 278 is intended to create a
unified structure, in practice the diversity of clinical and
operational use cases would have made its application difficult to
scale.
Second, commenters emphasized that prior authorization workflows
differ significantly across organizations and are often not
standardized even within the same type of entity. These workflows
include clinical decision-making, review protocols, timing of
documentation, and routing processes, all of which influence where and
how attachment information is requested and supplied. While a technical
standard could, in theory, be inserted into any
[[Page 14358]]
point in the workflow, the absence of shared operational expectations
and integration strategies greatly increases the risk of fragmentation,
workarounds, and vendor-specific implementations, which would undermine
the goal of interoperability and could increase, rather than reduce,
provider burden.
Third, many commenters pointed out that previous attempts to use
the X12N 278 standard to support prior authorization have not been
successful. There is limited industry adoption and very few operational
use cases that demonstrate consistent, real-world functionality of the
standard in the context of attachments. The lack of implementation and
testing means that critical issues related to content sufficiency,
response timing, and payload alignment remain unresolved. Interested
parties also raised specific concerns that Version 6020 offers no
additional functional value over Version 5010, and, in fact, could
introduce unvetted changes that have not been adequately tested or
validated.
In addition, we acknowledge commenters' concern that adopting a
prior authorization attachment standard under HIPAA could conflict with
requirements of the aforementioned, and now finalized, CMS
Interoperability and Prior Authorization final rule that appeared in
the January 17, 2024 Federal Register in which CMS mandated the use of
a FHIR Prior Authorization Support API by CMS-regulated health plans
and payers (89 FR 8758).
We also acknowledge certain commenters' suggestions that the
current low adoption rate for Version 5010 of the X12N 278 standard may
itself be attributable to the absence of a mandated prior authorization
attachments standard. Though that is a plausible contributing factor,
it would not mitigate the practical concerns about industry readiness,
data variability, and implementation barriers that commenters
identified. Simply requiring the use of a standard in this context--
without sufficient groundwork to ensure feasibility and alignment--
would risk ineffective uptake and could impose new burdens rather than
resolve existing ones.
In light of these reasonable concerns, we concluded it would be
imprudent to now proceed to finalize adoption of a prior authorization
attachments standard, so the finalized policies in this final rule are
limited to attachments for the health care claims or equivalent
encounter transactions and associated electronic signature standards.
This permits us to focus our regulatory resources, and the industry to
focus its resources, on a narrower set of transactions for which there
is stronger implementation maturity, standards infrastructure, and
stakeholder alignment.
We remain committed to improving the prior authorization process
and recognize the importance of establishing electronic standards that
reduce burden and promote interoperability. We will continue to monitor
testing of alternative transaction standards, including FHIR-based
solutions, and will continue to engage with industry-led SSOs to
evaluate readiness for potential adoption of a prior authorization
attachments standard.
B. Overview of Final Requirements
Nearly every health plan has various requirements for health care
providers to submit additional information beyond that contained in a
HIPAA transaction. A health care provider may transmit this additional
information in a ``solicited'' or an ``unsolicited'' fashion. In
solicited transmissions, a health care provider transmits additional
information pursuant to a health plan's specific electronic request (87
FR 78444). Conversely, in unsolicited transmissions there are no
specific electronic requests. Rather, they typically occur pursuant to
pre-established health plan requirements for health care providers to
transmit additional information--to support, for example, certain
diagnoses, items, services, or medications--that are set forth in
trading partner agreements or other guidance (87 FR 78444).
Although health care providers may transmit this additional
information electronically via an attachment to a health care claims
transaction, today and historically health care providers have
frequently transmitted the information via burdensome manual processes
that often involve paper mail, fax, and phone because there have been
no previously adopted HIPAA standards for health care claims
attachments.
We are adopting standards for health care claims attachment
transactions in this final rule. In doing so, we first define the term
``attachment information.''
C. Definitions of Attachment Information and Health Care Claims
Attachments Transaction
In adopting an attachment transaction standard, we determined we
needed to define ``attachment information'' and ``health care claims
attachments transaction.'' We proposed to separately define the two
terms to prevent the definition of health care claims attachments
transaction from becoming too unwieldy and further clarify this in our
responses to comments later in this section.
1. Definition of Attachment Information
We proposed to define attachment information in Sec. 162.103 as
documentation that enables the health plan to make a decision about
health care that is not included in either of the following:
<bullet> A health care claims or equivalent encounter information
transaction, as described in Sec. 162.1101.
<bullet> A referral certification and authorization transaction, as
described in Sec. 162.1301(a) and the portion of Sec. 162.1301(c)
that pertains to authorization.
We used the term ``attachment information'' in our proposed
definition of the health care claims attachments transaction in Sec.
162.2001 to specify the information transmitted by a health care
provider or requested by a health plan. The proposed rule discussed how
the NCVHS recommended defining attachments as ``any supplemental
documentation needed about a patient(s) to support a specific health
care-related event (such as a claim, prior authorization, or referral)
using a standardized format'' (87 FR 78444 and 78445, emphasis in
original).\23\ We incorporated key aspects of their recommendation into
our proposed definition of ``attachment information,'' while attempting
to ensure that the definition was broad and general enough to include
all possible patient-related information that could be generated with
respect to health care services. The full discussion of the proposed
definition of ``attachment information,'' to which we refer readers,
further details the NCVHS's recommendations for the definition to
include reference to ``documentation,'' ``supplemental,'' and
``needed'' (87 FR 78445).
---------------------------------------------------------------------------
\23\ National Committee on Vital and Health Statistics. (2016,
July 5). Recommendations for the Electronic Health Care Attachment
Standard. Retrieved from <a href="https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2018/03/2016-Ltr-Attachments-July-1-Final-Chair-CLEAN-for-Submission-Publication.pdf</a>.
---------------------------------------------------------------------------
We solicited public comments on the proposed definition of
``attachment information'' and received feedback from interested
parties, which we considered in developing this final rule.
Comment: Multiple commenters expressed support for the proposed
definition of attachment information. Some commenters indicated that
the definition proposed for attachment information sufficiently
captures what is necessary for solicited and
[[Page 14359]]
unsolicited exchange of supplementary medical information.
Response: We appreciate commenters' support of our proposed
definition of ``attachment information.''
Comment: A commenter agreed that the proposed definition of
``attachment information'' needs to be broad and general enough to
include all possible patient-related information that could be
generated with respect to health care services. The commenter
acknowledged that HHS explicitly defined the documentation as
supplemental, meaning it is documentation ``that is not included'' in a
health care claims or prior authorization transaction, which the
commenter believed means that the health care attachment standards are
dependent upon and linked to the accuracy and completeness of these
other HIPAA transaction standards. The commenter also noted that
effective adoption of the health care attachments standards is
impossible without effective adoption of the other standards, and
requested that HHS actively support and verify the effective use of
those HIPAA transaction standards, and these health care attachment
standards once finalized, as HHS did during the health care industry's
transition from International Classification of Diseases (ICD), Ninth
Revision (ICD-9) to ICD, Tenth Revision (ICD-10).
Response: We appreciate the commenter's observations supporting a
broad and general definition of ``attachment information,'' and agree
that the definition must be sufficiently inclusive to encompass the
full range of patient-related documentation a health plan may require
in support of a health care claim or equivalent encounter transaction.
We likewise agree with commenters that the finalized definition
should appropriately exclude documentation already required or
contained within other adopted HIPAA transaction standards and clarify
that this exclusion is deliberate and consistent with the principles of
administrative simplification and the goal of reducing duplicative
documentation burdens.
As noted in the HIPAA Standards for Health Care Attachments
proposed rule, we initially proposed a definition of ``attachment
information'' that would have applied with respect to both claims and
prior authorization transactions. For the reasons articulated in
section III.A. of this final rule, we are not finalizing adoption of a
prior authorization attachment transaction standard, so the finalized
definition of ``attachment information'' applies only in the context of
health care claims or equivalent encounter information transactions.
This narrowed scope is reflected in the revised definition we are
finalizing in Sec. 162.103, which specifies that ``attachment
information'' is documentation that enables a health plan to make a
decision about health care that is not included in a health care claims
or equivalent encounter information transaction, as described in Sec.
162.1101.
Comment: Several commenters suggested changes to the proposed
definition of ``attachment information'' or associated requirements on
health plans. A commenter recommended that the definition be revised to
state that attachment information should ``enable providers to make
decisions about what healthcare content the payer requires in the
healthcare attachment.'' Another commenter suggested that HHS dictate
that payers, after receipt of an initial attachment, not be able to
serially add documentation requirements.
A different commenter was concerned that too broad a definition
could allow payers to require supplemental documentation for routine
care such as vaccines, well child visits, or routine prescriptions,
which could potentially increase financial burden on small and
independent pediatricians who provide safety net care to rural or low-
income or both populations. That commenter recommended that HHS
consider adopting the NCVHS's definition of ``attachment information''
as it only included supplemental information without which a claim
could not be properly adjudicated.
Response: We appreciate the commenters' concerns but do not believe
it is appropriate or necessary to modify the definition of ``attachment
information'' to account for such concerns as our proposal was intended
to identify the type of documentation exchanged. Ultimately, payers'
business and payment-decision rules fall outside the scope of HIPAA. In
other words, though we appreciate that health care providers may
experience added burden should health plans request additional
documentation following an initial submission, HIPAA transaction
standards govern the format and content of the electronic exchange, not
payers' business practices or the quantum of documentation they may
require. Therefore, we are finalizing a slightly modified definition of
``attachment information,'' revised only to account for the fact that
we are not adopting prior authorization attachments standards.
We also continue to believe that it is crucial that the definition
of ``attachment information'' in HHS's administrative simplification
implementing regulations be broad and general enough to apply to all
situations where a health plan requires attachment information to
support a health care claims or equivalent encounter information
transaction. In this final rule, we are adopting a definition of
``attachment information'' that incorporates key aspects of the NCVHS's
definition. Though our definition of ``attachment information'' does
not include the NCVHS-recommended term ``supplemental,'' it
incorporates that concept as it specifies documentation ``that is not
included'' in a health care claims or equivalent encounter information
transaction, as described in Sec. 162.1101, to express that the
documentation would be supplemental.
In our finalized definition, we chose not to limit the definition
strictly to documentation without which a claim ``could not be
adjudicated,'' as suggested by the commenter, because such a narrow
framing may not accommodate the diversity of documentation that
different health plans may reasonably require based on their benefit
structures, medical necessity criteria, or regulatory obligations. For
example, certain documentation may not by itself determine a claim's
payability but may still be necessary under specific plan policies or
for administrative or compliance purposes.
The commenter was concerned that a broad definition of ``attachment
information,'' such as the definition being finalized in this rule,
could prompt health plans to require documentation for routine
services, which could administratively or financially burden small
health care providers, especially those serving rural or underserved
populations. However, we note that nothing prohibits a health plan from
requiring such documentation today under the manual processes currently
in widespread use (which are more labor and resource intensive than an
electronic transaction). Therefore, we do not agree that finalizing
this definition of ``attachment information'' or the adoption of a
standard for health care claims attachments in and of themselves would
cause health plans to make broad requests for documentation. We also
believe the definition we are finalizing appropriately balances
flexibility with restraint by tying the use of attachment information
directly to a standard claims or equivalent encounter transaction and
explicitly excluding any information already required by the
transaction standard itself, which would ensure that attachment
information is supplemental in nature and transaction-
[[Page 14360]]
specific while also providing sufficient adaptability across diverse
payer-provider contexts.
Comment: Multiple commenters stated that there was a critical need
to improve the clarity of the proposed definition of ``attachment
information'' as they believed the scope of the proposed definition
could be expansively interpreted as applying to all use cases,
permitting a ``kitchen sink'' approach to the eligible activities to
which the mandated standards would apply, rather than the definition of
``attachment information'' being tied to ``a specific transaction''
such as the claims transactions. The commenters further stated that the
proposed definition potentially would include any information exchange
between a health care provider and other information source (for
example, a clinical laboratory or immunization registry) and a health
plan.
Response: We reiterate that we believe the definition of the term
``attachment information'' is adequately narrow. In the proposed, and
finalized, definition of the health care claims attachments transaction
in Sec. 162.2001, ``attachment information'' refers to information
transmitted by a health care provider or requested by a health plan
that is necessary to make a decision about a health care claim and that
is not included in the standard health care claims or equivalent
encounter transaction, as described in Sec. 162.1101. Though the
definition must be sufficiently broad to encompass the various
documentation that a health plan may require ``to make a decision about
health care,'' it also must be clearly tied to the health care claim or
equivalent encounter transaction. The finalized definition does not
apply to all information exchanges between health care providers and
other entities nor does it permit a ``kitchen sink'' approach to its
application. It also would not authorize any action beyond those
already permitted under health plan policies.
Therefore, we continue to believe the finalized definition of
``attachment information'' in Sec. 162.103 appropriately balances
clarity and flexibility, ensuring that it is broad enough to be
functional in practice while remaining anchored to a defined
transaction use case.
Comment: A commenter stated that they interpreted the language in
the proposed definition of ``attachment information'' as not being
inclusive of information needed for fraud, waste, and abuse purposes.
The commenter recommended that HHS include a reference to fraud, waste,
and abuse in the definition of ``needed'' in the proposed definition of
``attachment information.'' The commenter also pointed to HHS's
language in the Executive Summary, part A, that the purpose of [the
proposed] rule is to ``determine the necessity of a health care service
as part of making a coverage decision'' and stated that fraud, waste,
and abuse must be considered when a service is deemed medically
unnecessary in order to maintain CMS program integrity.
Response: The definition of ``attachment information'' adopted in
this final rule is intended to ensure that health plans have the
documentation necessary to support proper claims processing and payment
determinations. While this information may inform a payment
determination, the determination itself may also depend on additional
factors such as plan policies or clinical review requirements.
Accordingly, certain documentation may be necessary for evaluating
coverage without being solely determinative of claim adjudication. This
approach would also allow health plans to use attachment information
for administrative purposes, including fraud, waste, and abuse
detection and prevention, without requiring a separate explicit
reference to these activities in the definition.
2. Definition of the Health Care Claims Attachments Transaction
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to add a new Subpart T to 45 CFR part 162--Health Care
Attachments (87 FR 78446). In Subpart T, in Sec. 162.2001, we proposed
to define the ``health care attachments transaction'' for health care
claims transactions and prior authorization transactions. Specifically,
we proposed that any of the following different types of transmissions
would constitute a ``health care attachments transaction'': (1) the
transmission of attachment information from a health care provider to a
health plan in support of a referral certification and authorization
transaction or in support of a health care claims or equivalent
encounter transaction; and (2) a request from a health plan to a health
care provider for attachment information. For each type of
transmission, we specified the entity type from which the transaction
is being transmitted and to which it is being sent, the information
being transmitted, and the purpose of the transmission. We noted that
the overarching purpose for each type of transmission--to enable a
health plan to make a decision about health care--is incorporated into
the definition of ``attachment information.'' We further specified the
purpose for the two transmission types in Sec. 162.2001(a), as
discussed later in this section.
Because we are adopting only an attachment standard for health care
claims, as that term is used in this rule to include health care claims
or equivalent encounter information transactions, and not a standard
that includes the prior authorization transaction, in Sec. 162.2001 we
rename what we had called the ``health care attachments transaction''
to the ``health care claims attachments transaction.'' \24\ The
finalized definition has been revised from what we had proposed to
remove language specific to prior authorization (that had read in part,
``in support of a referral certification and authorization
transaction'') and reformat the outline structure to account for that,
so that it applies exclusively to claims attachments. Aside from that,
the definition remains the same as we had proposed.
---------------------------------------------------------------------------
\24\ As we observe at n.4, while this also includes ``equivalent
encounter information'' transactions (Sec. 161.1101(b)),
attachments more likely would be requested for health care claims
(Sec. 161.1101(a)) involving payment as opposed to the
``transmission of encounter information for the purpose of reporting
health care.''
---------------------------------------------------------------------------
In the HIPAA Standards for Health Care Attachments proposed rule,
to align with the proposed rule's scope which addressed health care
attachments for health care claims or equivalent encounter information
and prior authorization transactions, we also proposed to make a
conforming change to the definition of ``transaction'' in Sec.
160.103. We proposed to replace ``(10) Health claims attachments'' with
``(10) Health care attachments'' (87 FR 78446). Because we are not
adopting the prior authorization attachments standards, we are not
finalizing this proposed change. But, to align with the focus on health
care attachments for health care claims or other equivalent encounter
information transactions, we retain the word ``care'' from our proposal
and are finalizing the definition of ``transaction'' with modification,
so it reads ``Health care claims attachments.''
Comment: The majority of commenters who provided feedback on our
proposed definition of the health care attachments transactions opposed
the proposal. A commenter stated that because the proposed definition
refers to attachments for both claims and prior authorization
transactions and not just claims, it arbitrarily collapsed the two use
cases into one definition, to which the commenter objected. The
commenter indicated that using attachments for prior authorization
transactions diverges from the statutory
[[Page 14361]]
construct, which could result in confusion and difficulty unraveling
them down the road.
Another commenter recommended that the proposed health care
attachments transaction definition include only attachment information
created and maintained by a health care provider and explained that the
proposed definition was too broad and could lead to the capture of all
possible patient-related health services information. The commenter
stated that such a broad definition might inadvertently cause
disruption to claim adjudication processes and place a greater burden
on health care providers, believing that it would not limit attachment
information to only what was needed for a plan to make decisions about
care. Instead, a health plan might demand all possible patient-related
information that could be generated with respect to health care
services before deciding whether or not to cover an item or service or
when conducting a post-payment audit. The commenter also stated that
health care entities, such as laboratories, do not create or routinely
maintain all possible patient-related information that could be
generated with respect to health care services; do not routinely
receive electronic attachment information from clinicians; and cannot
transmit this information to health plans when requested to support
claims processing. The proposed definition, the commenter claimed,
could cause laboratories to receive innumerable requests from health
plans for electronic attachment information that they did not create
and do not maintain.
Response: As discussed in section III.A. of this final rule,
numerous commenters opposed our proposal to adopt a health care
attachment standard to include prior authorization as a use case and
opposed the adoption of a standard for prior authorization attachments
transactions, and, after further consideration, we are not finalizing
adoption of a standard for prior authorization attachments
transactions. We further note that the health care claims attachment
definitions and standards we are adopting in this rule do not include
references, or otherwise extend, to prior authorization attachment
transactions.
Our proposed definition of the ``health care attachments
transactions'' was intended to encompass the different types of
transmissions such a transaction would encompass. For each type of
transmission, we specified the entity type from which the transaction
would be transmitted and to which it would be sent, the type of
information being transmitted, and the purpose for the transaction. We
also noted in the HIPAA Standards for Health Care Attachments proposed
rule that the overarching purpose for the two types of transmissions
was to enable a health plan to make a decision about health care in
support of the health care transaction and that specification of the
information transmitted by a health care provider or requested by a
health plan in support of the transaction was incorporated into the
definition of attachment information (87 FR 78446).
We emphasize that HIPAA transaction standards govern the format and
conduct of electronic transactions; determinations about the amount or
type of documentation that a health plan may request in support of
adjudication remain subject to health plan business rules and other
governing law. The term ``attachment information,'' as defined in our
finalized definition at Sec. 162.103, is limited to documentation not
included in a standard claims transaction that enables a health plan to
make a decision about health care. These limitations ensure that the
standard does not encompass all conceivable patient-related
information.
We also clarify that this rule does not create new requirements for
entities that do not originate or maintain the documentation at issue.
The standard applies only to the exchange of documentation that a
health care provider or other covered entity already maintains and
transmits as part of a claims adjudication process.
Final Action: After considering the public comments, and for the
reasons discussed previously, in Sec. 162.103, we are finalizing, with
modification, the definition of ``attachment information'' as:
documentation that enables the health plan to make a decision about
health care that is not included in a health care claims or equivalent
encounter information transaction, as described in Sec. 162.1101.
We are also finalizing the addition of a new Subpart T to 45 CFR
part 162--Health Care Claims Attachments. In Subpart T, in Sec.
162.2001, we are finalizing the definition of the ``health care claims
attachments transaction'' as the transmission of either of the
following:
<bullet> Attachment information from a health care provider to a
health plan in support of a health care claim or equivalent encounter
information transaction, as described in Sec. 162.1101.
<bullet> A request from a health plan to a health care provider for
attachment information.
Last, because we are not adopting an attachments standard for prior
authorization transactions in this final rule, as discussed in section
III.A. of this final rule, we are finalizing, with modification, the
proposed definition of ``transaction'' in Sec. 160.103 by amending
paragraph (10) to add the word ``care,'' (Health care claims
attachments).''
D. Attachments Transaction Standards
In the HIPAA Standards for Health Care Attachments proposed rule
(87 FR 78445 through 78451), we proposed to adopt certain industry
consensus standards that, when used together, provide the functionality
necessary for the transmission of electronic health care attachment
information.\25\ The standards being adopted in this final rule are for
requesting and transmitting attachment information. In this section, we
describe the new requirements for covered entities to use: (1) certain
X12N standards for requesting and transmitting attachment information
and HL7 standards for clinical information content; and (2) electronic
signatures standards. We also describe how the HL7 Attachments IG
utilizes the LOINC code set to identify attachment information in a
consistent manner.
---------------------------------------------------------------------------
\25\ For additional information about the business and
operational processes involved in the exchange of these standards,
we refer readers to the aforementioned November 2017 WEDI whitepaper
and the HL7 CDA[supreg] R2 Attachment Implementation Guide: Exchange
of C-CDA Based Documents, Release 1 (Universal Realm) for more
technical information. Both are available at: <a href="https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/">https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/</a>.
---------------------------------------------------------------------------
1. Electronic Health Care Claims (or Equivalent Encounter Information)
Attachments Transactions
Health plans often require health care providers to submit
additional information in association with the claims payment process.
Additional information is frequently in a format, such as medical
imaging or free text, not supported by the discretely defined health
care claims transaction standard data fields. Claims payment is a
multi-step process that may include pre-payment review, payment
adjudication, and post-payment activities such as audits or recoupment
reviews. The claims attachment transaction standards adopted in this
final rule apply to the transmission of solicited and unsolicited
attachments used in support of these stages of the claims payment
process, including post-payment review activities related to claim
adjudication. These standards do not apply to attachments exchanged as
part of a separate claims appeal or dispute resolution process. Appeals
and related
[[Page 14362]]
transactions are outside the scope of this rule and would require
separate standards to be adopted through future rulemaking.
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to adopt standards for requesting and transmitting
attachment information, and to define attachment information in Sec.
162.103, as documentation that enables the health plan to make a
decision about health care that is not included in a health care claim
or equivalent encounter information transaction, as described in Sec.
162.1101. We also proposed to adopt X12N standards with respect to the
transmission of attachment information and HL7 standards with respect
to the clinical content of attachments. Specifically, as detailed in
the sections that follow, we proposed to adopt three X12N TR3
implementation specifications for health care claims attachments (87 FR
78445) and three HL7 IGs for the clinical information embedded in those
transactions (87 FR 78445).
a. Scope of Health Care Claims Attachments Transactions
Section 1173(a) of the Act requires the Secretary to adopt
standards for ``health claims attachments,'' and section 1104(c)(3) of
the Affordable Care Act reiterated that requirement, directing the
Secretary to promulgate a final rule to adopt a transaction standard
and a single set of associated operating rules. In the proposed rule,
we stated that the proposed attachments standards would satisfy the
requirement to adopt a standard to support health care claims but would
also support prior authorization transactions (87 FR 78445). Because,
as we have already explained, in this final rule we are finalizing only
a definition for ``health care claims attachments,'' we use that term
to refer to attachments for health care claims or equivalent encounter
information transactions rather than the proposed rule's broader
``health care attachments'' phrase that was intended to include both
the claims and prior authorization transaction standards.
We did not propose to adopt attachments standards for all health
care transaction business needs. Rather, we stated that not only would
it be challenging to identify standard specifications and appropriate
codes for the full array of different health care attachment types used
today, but also that it was important that covered entities gain
experience with a limited number of standard electronic attachment
types so that technical and business issues could be identified to
inform potential future rulemaking for other electronic attachments
standards (87 FR 78446).
We requested comments on alternative standards and approaches that
could address the challenges described in section I.A. We summarize and
respond to public comments submitted in response to this request in the
next section.
2. Adoption of Electronic Health Care Claims Attachments Transaction
Standards
In the proposed rule, we highlighted the NCVHS's July 5, 2016
recommendations to the Secretary on attachments standards, which are
the same standards we proposed to adopt (87 FR 78446 and 78447). We
title this section to only refer to the health care claims attachments
standards that we are adopting in this final rule and emphasize that
prior authorization attachments standards are not adopted in this final
rule. But, because our proposal had been broader by including prior
authorization attachments standards and thus generated comment on the
broader proposal, our comment summaries and responses do include some
discussion of the full scope of what had been proposed.
As mentioned in the proposed rule, and discussed again in section
II.D.3. of this final rule, section 1104(c)(3) of the Affordable Care
Act requires that the adopted attachments standard be ``consistent with
the X12N Version 5010 transaction standards'' (87 FR 78440), which we
interpret as requiring that the health care claims attachment
implementation specifications we adopt should generally be compatible
with X12N standards. Thus, any standard we adopt for health care claims
attachments should be electronically transmitted by an X12N transaction
standard in the same transaction.
While the NCVHS did not recommend specific versions of the X12N
attachments standards, we proposed to adopt X12N Version 6020 for both
the X12N 277--Health Care Claim Request for Additional Information
(006020X313) and the X12N 278--Health Care Services Request for Review
and Response Version (006020X315) as the standards a health plan must
use to electronically request attachment information from a health care
provider to support a prior authorization transaction. We proposed to
adopt Version 6020 of the standards because they better harmonize with
the X12N 275--Additional Information to Support a Health Care Claim or
Encounter (006020X314) and the X12N 275--Additional Information to
Support a Health Care Services Review (006020X316) (87 FR 78447), and
we refer readers to the proposed rule for the full discussion of the
use of these standards and their compatibility (87 FR 78446).
Comment: Multiple commenters supported the proposed attachment
standards, noting the approach would enable continuous advancements in
standards-based attachment content. Commenters underscored the
importance that uniform standard requirements would have on furthering
industry adoption of automated claims processes, which would help
reduce the current manually intensive administrative burden, and,
therefore, reduce costs. Similarly, one commenter stated that adopting
unified standards would eliminate the need for proprietary data
programs, reduce handling and processing time, eliminate the risk of
lost paper documents, and, thereby, reduce administrative burden and
lower costs.
Another commenter supported HHS's proposals to apply attachment
standards for health care claims and prior authorization transactions.
The commenter noted that while some in the industry are concerned with
the lack of alignment in prior authorization standards (X12 versus
FHIR), they agreed with HHS's proposed approach since the absence of an
electronic attachments standard had contributed to low industry
adoption rates for electronic prior authorization (ePA) transactions.
A commenter noted that, currently, health plans have requirements
for submitting supporting documentation that health care providers must
follow and that health plans may request further information from a
health care provider to make an authorization decision. The commenter
noted that health care providers must submit this information via
burdensome manual processes through mail, fax, or a portal, with each
health plan having different requirements. The commenter further noted
that every player has a different portal to submit attachments, and
managing the many access usernames and passwords is also burdensome.
Therefore, the commenter stated that a standard attachment process, via
a standardized electronic format, would greatly improve the process.
Another commenter noted that payers and providers would benefit
from having a unified submission method for documents needed for prior
authorization, claims, quality, audit, and other use cases. Another
commenter stated that adopting the X12 standards
[[Page 14363]]
and C-CDA standards would improve patient outcomes.
Response: We thank commenters for the feedback on and support of
our proposals. After careful consideration, we are adopting standards
for health care claims attachments transactions to help combat the
burdensome manual processes health care providers face today when
transmitting supporting documentation required by health plans in
association with the claims payment process. We agree with commenters
that adopting standards for health care claims attachments will yield
numerous benefits, including reducing administrative burden and costs,
removing the need for proprietary data programs, cutting lengthy
processing times, and eliminating the risk of lost paper documents.
However, for the reasons extensively discussed in section III.A. of
this final rule and as noted repeatedly elsewhere, we are limiting the
scope of this rulemaking solely to the adoption of standards for health
care claims attachments transactions.
Comment: Multiple commenters noted that the technology and
regulatory spaces have significantly evolved over the years, with some
expressing concern that HHS's proposals demonstrated ``2016-based
thinking'' by proposing the use of X12N standards, which they stated
would make the evolution of requesting and responding to supplemental
data needs harder and more burdensome. One of these commenters noted
that, while they support a national attachments standard for claims and
prior authorizations, more flexible technologies are available that
would reduce complexity. A commenter requested that HHS consider
updating the required attachment standards as new methods are
introduced and real-world tested. Another commenter stated that HHS
proposed outdated standards, and that HHS should not require adherence
to standards that would move the industry backward. Further, a
commenter expressed concern about how the proposed standard
requirements would fit into the business process for most health care
provider organizations and expressed that even though discussion
included in the proposed rule was about physically capturing data
elements and the transport mechanisms, a more holistic approach would
be required to bring the technical capabilities into a product suite to
work for the end user. Another commenter expressed that by focusing on
a document-based, as opposed to a data-driven, approach, HHS was
proceeding down a standards pathway that would make the attachment
standards incongruent with the standards mandated in other proposed and
final rules, such as the CMS Interoperability and Prior Authorization
proposed rule (87 FR 76238). Multiple commenters expressed concern
regarding the proposal to adopt standards for prior authorization
attachments transactions and recommended that HHS bifurcate the claims
attachments and prior authorization attachments standards proposals to
finalize only the proposed claims attachments standard. A commenter
noted that section 1173(a)(1)(A) of the Act specifically calls for the
establishment of a claims attachment standard, but contains no
provision requiring prior authorization attachments.
Response: We thank commenters for their feedback on the proposed
attachment standards and their observations about broader health IT and
standards development trends. We acknowledge that industry technologies
and regulatory requirements have evolved significantly since 2016 and
agree that any adopted standard must balance progress with stability.
Newer technologies may offer long-term potential to reduce complexity
and improve flexibility in transmitting supplemental clinical
information, and we will continue to consider their technical viability
and operational maturity across a broad segment of the industry. The
X12N standards for health care claims attachments that we finalize here
have been used for many years in related HIPAA transactions, are
supported by widely adopted infrastructure, and offer a known path for
implementation and compliance. Standardizing attachments through X12N
Version 6020 allows for the exchange of clinical content in a format
that aligns with other existing administrative transactions, increases
health care provider and health plan efficiency and reduces the need
for burdensome manual submission processes.
While the 2016 NCVHS recommendation mentioned earlier noted the
value of a broader attachments strategy that could extend beyond claims
to include prior authorization, referrals, and other use cases, and
although we had originally proposed a broader strategy to include other
use cases, this final rule focuses specifically on claims attachments.
This narrower scope is consistent with section 1173(a)(1)(A) of the
Act, which requires the Secretary to adopt a health claims attachments
transactions standard.
With respect to interoperability, we have taken the CMS
Interoperability and Prior Authorization final rule (89 FR 8758) into
consideration, and note that adopting a consistent, national claims
attachment standard supports broader goals of administrative
simplification and compatibility across systems.
Comment: A commenter stated that the proposed rule's reference to
the limited uptake of the current referral certification and
authorization transaction standard being due to not having established
standards for attachments (87 FR 78446) may be a result of an onerous
process for certification and authorization. The commenter stated that
if limited uptake of the referral certification and authorization
transactions is a standards issue, it is imperative that the new
attachments standard be simple and practical in order to improve
compliance rates.
Response: We thank the commenter for this input. We acknowledge
that the limited uptake of the current referral certification and
authorization transaction standard (X12N 278 Version 5010), which
supports prior authorization, has been documented in multiple reports,
but that is separate from the adoption of standards for health care
claims attachments, which we are finalizing in this rule. We agree that
any future attachment standards, particularly for prior authorization,
must be practical and simple to implement in order to improve adoption
rates. Past experiences with low utilization of the referral
certification and authorization transaction, as mentioned in the 2016
NCVHS Hearing on attachments, demonstrate that overly complex standards
or processes can pose barriers to adoption, even when standards are
available. For this reason, simplicity in aligning with existing
industry workflows, and coordination with SSOs and interested parties,
are central considerations in our policy development as we continue to
evaluate prior authorization attachments options.
Comment: Multiple commenters, citing numerous rationales,
encouraged HHS to consider implementing the FHIR standard, including
the HL7[supreg] FHIR[supreg] Da Vinci Clinical Data Exchange (CDex) IG,
for prior authorization attachments transactions. At the larger policy
level, commenters described FHIR as an alternative standard aligned
with federal and industry interoperability objectives, consistent with
administrative simplification principles, and synergistic with
certified EHR capabilities. At the practical level, commenters cited
FHIR's flexibility and the efficiency of FHIR questionnaires, its
ability to support end-to-end prior authorization and provide automated
and real time solutions, and its being a
[[Page 14364]]
more modern technology. Multiple commenters expressed concern regarding
HL7 C-CDA unstructured document media types not supporting FHIR bundles
(for example, application/json+fhir). Commenters also noted that use of
the FHIR standard would allow systems to adopt FHIR specifications to
enable greater advancements within the health care industry.
Multiple commenters expressed concern over HHS proposing two rules
that included proposals on prior authorization: (1) the HHS HIPAA
Standards for Health Care Attachments proposed rule (87 FR 78438); and
(2) the CMS Interoperability and Prior Authorization proposed rule (87
FR 76238). Commenters noted that across these two rules, HHS and CMS
proposed the use of two different standards, X12N and FHIR, for prior
authorization transactions, which would require implementation of both
standards and be confusing and cumbersome. A commenter expressed that
doing so would be counterproductive to the goals of administrative
simplification. Another commenter noted that adopting both X12N and
FHIR standards would create confusion for providers, insurers, and
vendors that could lead to delays in prior authorization processing and
approvals, increased costs, and would likely result in providers using
solely the X12N standard despite incentives to use the FHIR standard.
Multiple commenters expressed support for the use of FHIR, citing a
desire for alignment with the CMS Interoperability and Prior
Authorization proposed rule. A commenter requested that HHS review the
standards proposed in the CMS Interoperability and Prior Authorization
proposed rule and allow providers to utilize both FHIR and X12
standards to meet the requirements in both rules, while another
suggested we be thoughtful in considering how HHS's proposal aligns
with CMS's proposal so as to avoid providers' duplication of efforts.
A commenter also recommended that HHS allow data-element driven
data sharing via FHIR APIs, which would enable flexibility for targeted
requests. Despite a stated preference for health care providers to
adopt the FHIR standard and connect to APIs once finalized, a commenter
recognized there would be providers that lack the means to finance
their vendors' FHIR updates. They therefore proposed the adoption of a
safe harbor for providers that would allow for the use of Version 5010
of the X12N 278 standard for prior authorization transactions and the
X12N 275 standard for claims transactions.
Response: We appreciate these comments and thank commenters for
sharing these important considerations. In its most recent letter to
the Secretary (March 30, 2022), the NCVHS recommended that HHS move
forward with publishing a claims attachments rule to address
longstanding industry needs, while also continuing to monitor and
consider emerging standards.\26\ As discussed extensively in section
III.A. of this final rule and as reiterated elsewhere, we are not in
this final rule adopting attachment standards for prior authorization
transactions. We note that the NCVHS's March 30, 2022, letter also
recommended that CMS publish the CMS Interoperability and Prior
Authorization proposed rule, which included proposals for FHIR-based
APIs to support prior authorization workflows. This underscores both
the ongoing demand for a claims attachments standard today and the
importance of continuing to evaluate newer technologies for prior
authorization and other use cases. We therefore finalize a claims
attachments standard in this rule while leaving open the opportunity to
adopt alternative standards applicable to prior authorization in other
rulemaking.
---------------------------------------------------------------------------
\26\ National Committee on Vital and Health Statistics. (2022
March 30). Recommendations to Modernize Aspects of HIPAA and Other
HIT Standards to Improve Patient Care and Achieve Burden Reduction.
Retrieved from <a href="https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2022/04/Recommendation-Letter-HIT-Standards-Modernization-to-Improve-Patient-Care-March-30-2022.pdf</a>.
---------------------------------------------------------------------------
Comment: A commenter noted that while they expect claims
transactions to remain X12-based, the industry and technology have
evolved significantly and are moving toward FHIR standards. Another
commenter underscored the need for claims attachments standardization
but noted industry concern with the specific technology proposed for
the prior authorization attachments standard. The commenter stated that
HIPAA regulations view the claims and prior authorization attachment
standards separately, and that the claims process occurs after care has
been delivered, as opposed to the prior authorization process which
occurs in advance of care. Given the different workflows and points at
which these two processes occur, the commenter stated the need for the
processes to mirror one another or be adopted in tandem is diminished.
A commenter stated that the proposed standards are an interim step to
move health care providers and payers to electronic data submission.
However, the commenter noted that to further advance ePA processes and
reduce administrative burden, it is critical to align prior
authorization attachments standards across all components of the ePA
process, which includes the transmission of clinical information via
health care attachments.
Response: We thank commenters for their perspectives on the need
for attachment standards in both the health care claims and prior
authorization contexts and agree that claims and prior authorization
serve distinct business functions and operate under different
workflows, with prior authorization typically occurring before items or
services have been rendered and claims typically occurring afterwards.
In this final rule, as repeatedly noted, we have elected to adopt
standards only for health care claims attachments. That focused
approach accommodates the requirement at section 1173(a)(2)(B) of the
Act that the Secretary adopt standards for the health claims attachment
transaction and public feedback recommending that we not simultaneously
finalize claims and prior authorization attachments standards in the
same final rule. Finalizing only claims attachments standards now
allows the industry to begin realizing the benefits of increased
automation that reduces administrative burden, while providing
additional time to align on prior authorization attachment standards in
future rulemaking. We acknowledge the growing interest in APIs, such as
FHIR based approaches, particularly for prior authorization
transactions, and that FHIR for API-driven data exchange has already
been adopted in other regulatory contexts, such as the CMS
Interoperability and Prior Authorization final rule (89 FR 8758).
Finally, we emphasize that the decision not to adopt a standard for
prior authorization attachments in this final rule should not be
interpreted as abandoning the goal of reducing burden in that area. To
the contrary, we recognize that prior authorization remains a major
challenge across the health care system, and our action here is
intended to allow targeted progress on claims attachments while
maintaining flexibility to support emerging standards for prior
authorization attachments through separate HHS-led policymaking efforts
coordinated with interested parties, including health plans, health
care providers, and industry. We encourage the participants in the
standards development community to continue to explore how emerging
paradigms for information exchange can be extended to address HIPAA
transactions, and we welcome
[[Page 14365]]
further dialogue with interested parties about promising approaches.
Comment: A commenter highlighted the significant burden on health
plans to ensure their systems can support the standards for health care
claims and prior authorization attachments transactions for structured
and unstructured documents. The commenter stated that by adopting an
approach in the final rule whereby a health plan would be compliant by
implementing the use of either, but not necessarily both, structured or
unstructured claims and prior authorization documents by the compliance
date, HHS could ease health plans' burden as they work to ensure their
systems can accommodate structured and unstructured documents for
claims and prior authorization attachments transactions. The commenter
also noted that HHS could, under such an approach, require that health
plans implement the other document type (whether structured or
unstructured) within 1 year of the compliance date.
Response: Consistent with section 1104(c)(3) of the Affordable Care
Act, we are finalizing a compliance date of 24 months after the
effective date of this final rule by which all covered entities must
comply. We believe that the fact that we are not finalizing adoption of
a prior authorization attachments transaction standard ought to
diminish the commenter's burden concerns. HIPAA covered entities will
have to support structured and unstructured document types, but we
understand the health care industry is moving in that direction and
should be able to fully accommodate the requirement within this final
rule's compliance timeframe. We encourage all HIPAA covered entities to
begin testing their systems early to ensure smooth implementation.
Comment: A commenter noted that current HIPAA regulations do not
require health plans to send X12N 277 (Health Care Claim Acknowledgment
or Claim Status Response) transactions as a response to an X12N 837
(health care claim) or X12N 278 (standard for prior authorization)
transaction. The commenter requested that HHS confirm whether any
requirements finalized by this rulemaking would result in a health plan
being required to respond to a X12N 837 or X12N 278 transaction with
the X12N 275 (Additional Information to Support a Health Care Claim or
Encounter) standard to inform the provider of whether the attachment
information is needed. The commenter also requested clarification as to
whether a health plan that may require an attachment for a claim or
prior authorization may then deny the corresponding claim or item or
service authorization should a provider fail to provide the attachment,
which would have the effect of requiring the provider to resubmit the
claim or prior authorization request with the appropriate attachment
information.
Response: We appreciate the commenter's feedback and the
opportunity to clarify the requirements for how health plans may
request attachment information, while also reiterating that HIPAA
specifies transaction standards requirements but does not directly
address health plans' business rules. HIPAA regulations do not now (and
this final rule does not alter this) require health plans to use the
X12N 275 transaction to respond to an X12N 837 health care claim or an
X12N 278 prior authorization transaction when requesting additional
documentation. In other words, the X12N 275 standard may be used to
support claim attachments, but HIPAA does not require its use as a
mandatory response transaction.
Similarly, currently, the X12N 277 transaction may be used to
notify a provider that claim attachment information is needed. HIPAA
does not require its use, but health plans may elect to use it to
communicate with health care providers about missing documentation.
Health plans' business rules typically would specify when they may or
may not deny a claim for failure to comply with health plan policies.
While we do not currently require the use of the X12N 275 and X12N 277
transactions in these scenarios, we encourage health plans to adopt
clear and consistent communication practices, including using these
transactions where appropriate, to minimize administrative burden and
avoid unnecessary claim denials.
Comment: Multiple commenters supported the proposed adoption of
Version 6020 for the X12N 275, X12N 278, and X12N 277 standards. A
commenter stated that adopting Version 6020 for these standards would
be critical to attachment transactions functionality because Version
6020 includes two key fields: (1) the health plan assigned claim
control number to aid with claim reassociation; and (2) the field to
capture LOINC for required data elements to identify the specific
attachment information. A commenter expressed their appreciation for
Version 6020 being tested and implemented in real-world settings.
Response: We thank commenters for their feedback and support of
Version 6020 of the standards as a business case in adopting a health
care claims attachments transaction standard.
Comment: Multiple commenters expressed concern about HHS's proposal
to adopt Version 6020 and, instead, recommended that we adopt a newer
version of the X12N attachments standards, such as Version 8020, which
a commenter noted has been published. A commenter supported the
adoption of Version 6020 of the X12N 275 and X12N 277 standards but
recommended that the attachments standards be updated to Version 8020
when possible, while another commenter expressed concern that we would
adopt Version 6020 when X12 may recommend Version 8020 be implemented
prior to, or shortly after, HHS's action. That commenter encouraged us
to ensure that the proposed technical standards are supported,
compliant, and not mandated for replacement for no less than 5 years
after the implementation date.
Multiple commenters recommended that HHS consult with standards
development organizations (SDO) to ensure that the appropriate versions
of the standards are finalized and that versioning is aligned. A
commenter noted that using the versions proposed in the proposed rule
could lead to operational and implementation costs and requested that
HHS collaborate with early adopters of the proposed attachments
standards. A commenter stated that the proposed Version 6020 of the
X12N attachments standards will be problematic for attachment standard
transactions because health care providers currently use Version 5010
of the X12N standard, and Version 8020 is being utilized by X12. The
commenter expressed the belief that HHS's proposal would create a
scenario where the transaction standard floor is lower than the one X12
will potentially recommend, and that is currently used for claims
transaction processing. A commenter noted concern over the alignment
between the proposed standards in the proposed rule and future HIPAA
standards. The commenter encouraged HHS to ensure that future adoption
of X12N standards is compatible with the proposed health care
attachments standards outlined in the proposed rule. Multiple
commenters recommended that HHS wait to adopt attachments transaction
standards until the NCVHS makes a determination about recommending the
next version of X12N standards. A commenter also stated that the NCVHS
is currently evaluating requests from X12 on the adoption of Version
8020 for the X12N 837 and X12N 835 payment/remittance advice standards.
[[Page 14366]]
Response: We appreciate the commenters' recommendations and
concerns regarding the adoption of specific versions of the X12N 275
and X12N 277 standards for health care claims attachments.
Specifically, we understand commenters' concerns regarding the
potential for Version 6020 to become outdated, especially since X12 has
published Version 8020 and the NCVHS may be considering it. However,
the NCVHS has not recommended that any newer version of these standards
be adopted under HIPAA, and under the HIPAA regulatory framework, HHS
is limited to adopting standards that have completed the formal SDO
process and have undergone appropriate evaluation and recommendation,
including through the NCVHS. Therefore, we are finalizing the adoption
of Version 6020 of the X12N 275 and X12N 277 standards, as they are
currently the most recent versions that provide the necessary
functionality to support the exchange of attachments in conjunction
with claims and are currently the viable and legally supportable
standards for the claims attachment transactions.
We agree with commenters that it is important that the attachment
standards and the broader suite of adopted HIPAA standards, such as the
X12N 837 and 835, be aligned. We are committed to ongoing coordination
with SDOs, such as X12, and with the NCVHS to ensure that any future
updates to HIPAA standards, including consideration of Version 8020 or
later, are harmonized across transaction types to reduce implementation
burden and maintain interoperability. We also recognize the importance
of maintaining stability in the adoption of new standards. The HIPAA
statute allows for the periodic update of standards--indeed, as we
discuss in section II.D.3., the HIPAA standards paradigm is premised on
standards evolution over time--but we will strive to maintain
reasonable implementation timelines and take commenters' feedback into
account as we consider future rulemaking and versioning policies.
Finally, as we extensively discuss in section III.A. of this final
rule and reiterate elsewhere, we are not finalizing the proposed
adoption of standards for prior authorization attachments at this time
and, therefore, in this rule, are not adopting an updated version of
the X12N 278 transaction standard.
a. Adoption of X12N Standards for Health Care Claims Attachments
Transactions
(1) Adoption of Standards for Request From a Health Plan to a Health
Care Provider for Attachment Information
(a) X12N 277--Health Care Claim Request for Additional Information
(006020X313)
In the proposed rule, we proposed to adopt the X12N 277--Health
Care Claim Request for Additional Information (006020X313) as the
standard a health plan must use to electronically request attachment
information from a health care provider to support a health care claim
in Sec. 162.2002(e)(1), and also proposed to incorporate the same by
reference in Sec. 162.920 (87 FR 78447). We explained that the X12N
277 standard for claims transactions contains two noteworthy fields:
(1) the health plan assigned claim control number that is assigned by
the health plan to link the attachment request with the original claim,
enabling reassociation when the provider responds via the X12N 275
transaction; and (2) the LOINC code set for HIPAA that is used to
identify the specific type of attachment requested (87 FR 78447).
Comment: Multiple commenters strongly supported HHS's proposed
adoption of the X12N 277 standard for claims attachments, and a
commenter recommended that we finalize this standard as proposed.
Commenters noted that the current claims attachment process is complex
and cumbersome and that adopting consistent electronic claims
attachment standards would reduce administrative burden and associated
costs. A commenter urged HHS to strongly enforce this new standard, if
finalized. Multiple commenters discussed how health plans have
implemented an electronic claims attachment standard outside the HIPAA
context and achieved significant efficiencies in denials, appeals, and
time to payment using clinical documents rather than granular data
elements for claims processing. A commenter noted that this example of
successful real-world implementation and return on investment
strengthens the argument for immediate claims attachments standards
adoption.
Response: We thank these commenters for their support for our
proposals to adopt a health care claims attachment standard.
HHS administers HIPAA Administrative Simplification requirements
related to the format and content of electronic administrative health
care transactions for which we have adopted standards. Consistent with
our approach of responding to complaints of non-compliance and
conducting proactive compliance reviews, should we identify a HIPAA
covered entity that fails to conduct, or fails to properly conduct, an
adopted transaction standard, it may be subject to enforcement action.
As discussed in the final action section, we are finalizing
adoption of the X12N 277 transaction standard in Sec. 162.2002(d). The
regulatory text has been reordered to group related transaction
standards together for clarity and ease of reference; this reordering
does not change the requirements for the use of the standard.
(2) Adoption of Standards for Transmission of Attachment Information
From a Health Care Provider to a Health Plan: X12N 275--Additional
Information To Support a Health Care Claim or Encounter (006020X314)
and X12N 275--Additional Information To Support a Health Care Services
Review (006020X316)
We proposed to adopt, in Sec. 162.2002(d), the X12N 275--
Additional Information to Support a Health Care Claim or Encounter
(006020X314) as the standard a health care provider must use to
electronically transmit attachment information to a health plan to
support a health care claims or equivalent encounter information
transaction. We also proposed to incorporate the same by reference in
Sec. 162.920.
As discussed in the HIPAA Standards for Health Care Attachments
proposed rule, the X12N 275 standard for claims transactions may be
used with respect to both solicited and unsolicited attachment
information (87 FR 78448). We noted in the proposed rule that the X12N
275 standard for claims transactions does not itself contain claims
attachment information (87 FR 78448). Rather, the standard serves as
the electronic envelope for health care claims attachment information
such that the attachment information (which is embedded in an HL7
standard) is transported by the X12N 275. We describe in detail the
specific HL7 standards for embedding attachment information in this
section of the final rule.
Additionally, we proposed to adopt, in Sec. 162.2002(c), the X12N
275--Additional Information to Support a Health Care Services Review
(006020X316) as the standard a health care provider must use to
electronically transmit attachment information for electronic prior
authorization
[[Page 14367]]
transactions. We also proposed to incorporate the same by reference in
Sec. 162.920. We are not adopting that standard in this final rule as
it only pertains to electronic prior authorization transactions. We
clarify that in this final rule, we are only adopting the X12N 275--
Additional Information to Support a Health Care Claim or Encounter
(006020X314) standard for health care claims attachments.
The X12N 277 transaction set is used for claim status inquiries and
responses. When a health care provider submits a claim and the payer
needs additional information to continue the review or processing of
that claim, it may send the provider a request through a X12N 277--
Health Care Claim Request for Additional Information transaction, and
the health care provider may use the X12N 275--Additional Information
to Support a Health Care Claim or Encounter to transmit the requested
information back to the payer. For example, with a surgery for which
there is no HCPCS code, for solicited attachment information, the
health plan would request attachment information using the X12N 277
standard for claims transactions, and the health care provider would
use the X12N 275 standard for claims transactions to respond with the
operative note. In a scenario with unsolicited attachment information,
the health care provider would transmit the X12N 275 standard for
claims transactions to enable the health plan to make a decision about
the claim without additional requests for information.
Comment: Multiple commenters supported the adoption of the X12N 275
standard for health care claims transactions. Commenters stated that
the present lack of attachments standards under HIPAA burdens the
health care industry and noted that evidence from voluntary X12N 275
standard implementations has demonstrated the technical success of the
transactions and cost savings. A commenter stated that, due to the X12N
standards being foundational and widely implemented across health care
providers, health plans, and health IT vendors, they believe it is
appropriate to adopt the X12N 275 standard as the basis for exchange to
support adoption at scale. A commenter recommended that HHS mandate a
version of the X12N 275 standard that is consistent with HIPAA
requirements at publication of the final rule. Another commenter
expressed support for solicited and unsolicited claims attachment
standards and noted that using the X12N 275 standard concurrently with
a claims transaction will promote efficiency and decrease costs for
providers and health plans. A commenter pointed out that Version 6020
of the X12N 275 standard includes the Binary Data Segment (BDS), which
was not part of Version 5010, and is necessary for transmitting
properly encoded clinical data.
Response: We thank the commenters for their feedback and support.
We agree that the absence of adopted HIPAA attachment standards has
contributed to variability and inefficiencies in documentation exchange
processes across the health care industry. We appreciate commenters
highlighting the value of using the X12N 275 standard for health care
claims and encounters, including its technical success in voluntary
implementations, alignment with widely adopted foundational X12N
standards, and capacity to support health care provider, health plan,
and vendor interoperability. We also agree that adopting a consistent
standard for solicited and unsolicited claims attachments can reduce
administrative burden and promote operational efficiency.
We acknowledge the specific support for Version 6020 of the X12N
275 standard and its enhancements over prior versions, including the
BDS that supports the secure and structured transmission of clinical
data in attachment transactions. Accordingly, in this final rule, we
are adopting Version 6020 of the X12N 275 standard for use in the
health care claims attachments transaction, as well as Version 6020 of
the X12N 277 standard. We believe this establishes a clear, standards-
based foundation for exchanging attachments that will enable greater
automation, improve data integrity, and reduce costs across the health
care system.
We appreciate commenters' recognition of the need for consistency
and predictability in the standards adopted under HIPAA and will
continue to engage with parties in the health care industry and SDOs to
ensure that future standards development and updates are responsive to
industry needs and remain aligned with the HIPAA regulatory framework.
Comment: A commenter stated the X12N 275 standard for health care
claims and encounters will not work with unstructured documentation.
Another commenter recommended that HHS permit trading partners to agree
upon other documentation, not covered by the HL7 C-CDA, that would be
allowed to be transported via the X12N 275 standard.
Response: We further evaluated the commenter's assertion that the
X12N 275 standard for claims transactions would not work with
unstructured documentation and determined the assertion is incorrect,
having confirmed that the X12N 275 standard for claims transactions
does support the submission of unstructured documentation. The versions
that we are adopting in this final rule include the BDS, which, in the
HL7 standard, is used to carry attachments, such as documents or
images. Moreover, the C-CDA Release 2.1 supports structured and
unstructured templates. Therefore, we believe that the standards we are
adopting in this final rule are sufficient for broad industry-wide use.
Regarding the comment recommending that we permit trading partners
to agree that documentation not covered by the HL7 C-CDA be allowed to
be transported via the X12N 275 standard for claims transactions, the
types of documentation supported by the HL7 C-CDA broadly cover those
that may be requested for the claims payment process. However, we
encourage covered entities to negotiate the types of documentation
required for implementing the transaction standard during the
development of their trading partner agreements.
Comment: A commenter noted that health IT vendors will have to
engage in new development work should the proposed X12N 275 standard
for claims attachment transactions be finalized as proposed, since such
entities have not previously developed those transaction standards.
Response: As discussed previously, we acknowledge that covered
entities, or their vendors, will incur a number of one-time costs to
implement the new HIPAA transactions. However, over time, we believe
the resultant automation will ultimately benefit the industry by
reducing burden and costs. We account for this implementation burden in
our impact analysis in section VI. of this final rule.
Comment: Multiple commenters expressed that a definition for
baseline structured data is needed to achieve administrative burden
relief. They also emphasized that it is important that the X12N 837
claim and encounter standard be supported by the X12N 275 standard for
claims transactions for additional information at the time of a prior
authorization request, initial claim submission, and for claims in paid
or denied status.
Response: We do not believe that a definition for baseline
structured data is needed because the HL7 C-CDA Release 2.1 broadly
covers structured and unstructured document types that may be
transmitted under the X12N 275 standard for claims attachment
[[Page 14368]]
transactions. We encourage interested parties to engage with SDOs and
industry collaboratives to identify and refine the consensus around
structured data elements. We also encourage covered entities to
negotiate the types of documentation required for implementing the
transaction standard during the development of their trading partner
agreements.
Final Action: After consideration of the public comments we
received, and after consultation with the SSOs, we are finalizing, with
modification, our proposal regarding the adoption of certain X12N
standards for requesting and transmitting attachment information.
In Sec. 162.2002(c), we are adopting the X12N 275--Additional
Information to Support a Health Care Claim or Encounter (006020X314) as
the standard a health care provider must use to electronically transmit
attachment information to a health plan to support a health care claim
or equivalent encounter information transaction. We are also
incorporating this standard by reference in Sec. 162.920.
In Sec. 162.2002(d), we are adopting the X12N 277--Health Care
Claim Request for Additional Information (006020X313) as the standard a
health plan must use to electronically request attachment information
from a health care provider to support a health care claim. We are also
incorporating this standard by reference in Sec. 162.920.
E. Adoption of HL7 IGs for Health Care Claims Attachment Information
The HL7 CDA standard is the only currently available SSO-created,
NCVHS-recommended implementation specification in the United States
designed to support the HIPAA transactions. Other standards for the
exchange of clinical information are being developed and piloted.
However, due in part to its readiness, we stated in the proposed rule
that we believe the HL7 CDA IG set is the most appropriate standard for
adoption at this time (87 FR 78448).
We proposed to adopt the following three HL7 IGs as HIPAA standards
for the attachment information included in health care attachments
transactions:
<bullet> HL7 IG for CDA Release 2: C-CDA Templates for Clinical
Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume One--
Introductory Material, June 2019 with Errata (HL7 C-CDA IG Volume One).
<bullet> HL7 IG for CDA Release 2: C-CDA Templates for Clinical
Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume Two--
Templates and Supporting Material, June 2019 with Errata (HL7 C-CDA IG
Volume Two).
<bullet> HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based
Documents, Release 1, March 2017 (HL7 Attachments IG).
We refer readers to the detailed discussion in the proposed rule on
the purpose and functionality of each IG and how they interact with
each other (87 FR 78448).
These IGs provide specifications for creating and transmitting both
structured and unstructured health care attachment documents.
Structured documents are machine-readable with standardized sections
and codes, while unstructured documents (for example, scanned images,
video, patient logs, etc.) have metadata (that is, information that
describes, explains, or gives context to other data) but no internal
tagging. The HL7 Attachments IG also defines criteria for creating new
templates when none exist.
In the HIPAA Standards for Health Care Attachments proposed rule,
we proposed to adopt the March 2017 iteration of the HL7 Attachments
IG. The SDO engaged in its regular maintenance process with respect to
that IG, and, in March 2022, published the Release 2 iteration of it.
Commenters on the proposed rule encouraged us to adopt the March 2022
iteration, as opposed to the March 2017 iteration that we had proposed
to adopt.
We carefully examined the history of changes to the HL7 Attachments
IG between March 2017 and March 2022 and determined that the cumulative
changes reflected in the March 2022 iteration of the IG constitute
``maintenance updates'' because, rather than adding new content, the
updates address errata in the existing IG content. Maintenance refers
to ``activities necessary to support the use of a standard adopted by
the Secretary, including technical corrections to an implementation
specification, and enhancements or expansion of a code set.'' \27\
Maintenance updates to standards are non-substantive in nature, unlike
modifications to standards which require rulemaking to be adopted by
the Secretary.
---------------------------------------------------------------------------
\27\ See 42 CFR 162.103.
---------------------------------------------------------------------------
We also consulted the DSMOs, which apprised us that the maintenance
updates reflected in the March 2022 iteration of the HL7 Attachments IG
better facilitate implementation of Version 6020 of the X12N 275 and
X12N 277 standards for claims attachments adopted by the Secretary in
this final rule. Our own in-depth evaluation along with our
consultations with the DSMOs persuade us that we can confidently
conclude that adopting the newer March 2022 iteration of the HL7
Attachments IG would be functionally equivalent to adopting the March
2017 iteration of the HL7 Attachments IG with errata.
Having established that the March 2022 iteration is functionally
equivalent to the proposed March 2017 HL7 Attachments IG with
maintenance updates, and to avoid industry confusion with respect to
which IG iteration should be used, in this final rule we are adopting
the March 2022 iteration of the HL7 Attachments IG which is Release 2.
Comment: Multiple commenters expressed support for the adoption of
the proposed HL7 IGs for the exchange of claims attachments
information. A commenter stated that the HL7 C-CDA is widely
implemented and has demonstrated its value through the flexibility it
provides in delivering solicited and unsolicited information in various
formats. Another commenter stated that if HHS proceeds with the
implementation of the claims attachments standards for payment
purposes, they support proceeding with the HL7 C-CDA standard for now.
Response: We thank commenters for their feedback and support of our
proposal.
Comment: Multiple commenters expressed concern regarding HL7's
indication that it will no longer make updates to the HL7 CDA and C-CDA
standard, in favor of moving towards FHIR solutions, and recommended
that HHS work with HL7 to continue maintaining the HL7 C-CDA standard
or develop a plan for a FHIR-based solution. A commenter urged HHS to
ensure that HL7 will continue to support and develop guides based on
the HL7 CDA standard as needed.
Response: HL7 is required, as an SSO, to continue to maintain any
IGs that are adopted by the Secretary as HIPAA standards. Like all
SSOs, HL7 holds weekly workgroup meetings and quarterly membership
meetings to ensure that adopted standards meet the needs of HIPAA
covered entities and, should a modification be needed to a standard,
the workgroup would undertake its process to update it. SSOs, SDOs, or
DSMOs maintain their standards in accordance with ANSI requirements and
their own ANSI-approved policies; maintenance is an ANSI requirement
and is embedded in each SSO's processes, so it is not governed by
expectations or assumptions.
We did include a request for comment in the HIPAA Standards for
Health Care Attachments proposed rule (87 FR
[[Page 14369]]
78444) on other standards to consider for prior authorization
transactions, to which we received numerous comments advocating for the
FHIR standard. We will consider these comments in our future planning
with respect to the health care transaction standards adopted under
HIPAA Administrative Simplification.
Comment: A commenter expressed support for an approach that enables
advancing standards-based attachment content. Additionally, since it
was not referenced in the proposed rule, multiple commenters sought
clarification as to whether the HL7 CDA[supreg] R2 IG: C-CDA Templates
for Clinical Notes STU Companion Guide Release 3 (US Realm) Standard
for Trial Use, May 2022 (HL7 C-CDA Companion Guide) may be used under
the proposed health care attachments template recognition approach.
Multiple commenters recommended that HHS consider adopting the HL7
C-CDA Companion Guide. The commenters noted the HL7 C-CDA Companion
Guide provides additional templates and best practices useful for
attachments transactions and guidance to document creators to ensure
higher levels of consistency and quality.
A commenter noted that the HL7 C-CDA Companion Guide is the primary
guide to specify templates for use in the Office of the National
Coordinator for Health Information Technology's (ONC) \28\
Certification Program (ONC Health IT Certification Program) and sought
confirmation of its belief that it represents templates applicable to
attachments without a separate template needing to be defined. The
commenter stated additional rulemaking would be needed following the
publication of the next version of the HL7 C-CDA Companion Guide if HHS
decided to reference this IG in the final rule. The commenter expressed
concern that this would hinder industry's ability to use the HL7 C-CDA
Companion Guide. Commenters also encouraged HHS to make the HL7 C-CDA
Companion Guide eligible for use without specifically being referenced
under the proposed health care attachments template recognition
approach so that future updates to templates used within the IG could
be used immediately upon publication through the accepted process.
---------------------------------------------------------------------------
\28\ On July 25, 2024, HHS announced a reorganization to
streamline and bolster technology, cybersecurity, data, and AI
strategy and policy functions which had historically been
distributed across HHS. As part of the reorganization, ONC has been
renamed the Assistant Secretary for Technology Policy and Office of
the National Coordinator for Health Information Technology (ASTP/
ONC) and has assumed oversight over technology. For more information
on this reorganization refer to the press release available at:
<a href="https://www.hhs.gov/about/news/2024/07/25/hhs-reorganizes-technology-cybersecurity-data-artificial-intelligence-strategy-policy-functions.html">https://www.hhs.gov/about/news/2024/07/25/hhs-reorganizes-technology-cybersecurity-data-artificial-intelligence-strategy-policy-functions.html</a>.
---------------------------------------------------------------------------
Response: We are adopting the C-CDA implementation specifications
because they are already implemented and widely used in EHR systems.
The HL7 C-CDA Companion Guide, which is a collection of IGs that
provides standardized templates for structuring C-CDA documents, is a
set of IGs defined by HL7 as a ``library of C-CDA templates,'' and
their functionality allows that any templates created with them are
compliant with the HL7 C-CDA standard. These templates essentially
serve as blueprints for how specific medical information should be
organized and presented when exchanging patient data between systems
using the C-CDA standard.\29\ If compatible with the HL7 C-CDA release
adopted, these templates are acceptable for use once an associated
LOINC code is available.
---------------------------------------------------------------------------
\29\ Health Level Seven International. (HL7). Understanding C-
CDA and the C-CDA Companion Guide. Retrieved from <a href="https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/understanding_c-cda_and_the_c-cda_companion_guide.html">https://build.fhir.org/ig/HL7/CDA-ccda-2.1-sd/understanding_c-cda_and_the_c-cda_companion_guide.html</a>.
---------------------------------------------------------------------------
Comment: A commenter expressed support for a consistent format that
would eliminate manual processes to send and receive data and allow for
information to be automatically recorded into a patient's record,
stating that this change would eliminate manual processes. The
commenter also noted that health IT vendors are currently only required
to support three HL7 C-CDA templates and stated that requiring health
IT vendors to support all template types would require significant
development effort while, concurrently, numerous other regulatory
requirements go into effect. The commenter noted that integrating EHRs
and revenue cycle products to support CDA generation would require
significant development.
Response: We understand that covered entities, or their vendors,
will incur a number of one-time costs to implement the new and modified
HIPAA transactions, for which we account in the RIA (section VI. of
this final rule). Health IT vendors are not covered entities and
therefore are not directly required to comply with the requirements.
While HIPAA covered entities must comply with the requirements of this
final rule, they are not required to possess technology that implements
every template in the C-CDA; rather the attachments they transmit must
be in accordance with the standard. We are adopting both the HL7 CDA
and X12N standards for health care claims attachments transactions. Our
goal is to automate health care transactions as much as possible, which
will ultimately decrease costs.
Comment: A commenter questioned the use of HL7 C-CDA templates to
support prior authorization requests and stated that no health plans
have mapped their clinical criteria to HL7 C-CDA templates to ensure
all the data needed to make the prior authorization decisions are in
those templates. The commenter stated that this lack of successful
results from real-world testing is a critical issue and that payers use
a data-element approach for prior authorizations rather than clinical
documents. A commenter stated that the C-CDA unstructured document does
not fully support the ability to carry a FHIR bundle, and that use of
the C-CDA unstructured document would interfere with the IGs referenced
in the CMS Interoperability and Prior Authorization proposed rule that
was proposed at the time these comments were submitted. Specifically,
the commenter referenced the HL7[supreg] FHIR[supreg] Da Vinci Coverage
Requirements Discovery (CRD) and Document Templates and Rules (DTR)
IGs, which support the use of questionnaire and responses, as part of
data collection in the prior authorization process. The commenter noted
it is important that real-time responses should be considered as part
of the prior authorization workflow and recommended that HHS ensure
that any requirements for the adoption of ePA APIs by CMS-denominated
``impacted payers'' be harmonized with current HIPAA prior
authorization transaction standards and CMS's Interoperability and
Prior Authorization rule, which has since been finalized.
Response: We appreciate the comments submitted in response to our
proposal to adopt a prior authorization health care attachments
transaction standard. As articulated in section III.A. of this final
rule, and noted repeatedly elsewhere, we are not finalizing our
proposal to adopt prior authorization with the health care claims
attachments transaction standard.
Comment: A commenter recommended that C-CDA structured information
be allowed and encouraged where appropriate, but not required. The
commenter also stated that unstructured documents can, but should not
be required to, utilize the Unstructured Document CDA template.
Response: Covered entities may use any adopted documentation format
that is supported by, and compatible with, the standards adopted in
this rule. The IGs we are adopting also support
[[Page 14370]]
unstructured data documents where the HL7 C-CDA structured documents
are unable to support the document or do not exist. We note that health
plans must specify the types of attachment information that will be
necessary to support a claim and encourage health plans conducting
electronic transactions with health care providers to accept
electronically both structured and unstructured C-CDA documents.
Comment: Multiple commenters expressed that the proposed version of
the HL7 Attachments IG is no longer current, noting that an updated
version of the HL7 Attachments IG was published in March 2022.\30\ A
commenter recommended that HHS adopt the ``most recent version'' of all
the proposed HL7 IGs in the final rule.
---------------------------------------------------------------------------
\30\ Health Level Seven International (HL7). (2022, March 8).
HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based
Documents, Release 2--U.S. Realm. Retrieved from <a href="https://www.hl7.org/implement/standards/product_brief.cfm?product_id=464">https://www.hl7.org/implement/standards/product_brief.cfm?product_id=464</a>.
---------------------------------------------------------------------------
Response: We appreciate these comments and thank commenters for
sharing these important considerations, which we interpret to mean that
HHS should adopt the most recent iteration of the HL7 Attachments IG
that was proposed, including its maintenance updates. As we explain
earlier, based on the commenters' suggestions, we reviewed the March
2022 iteration of the proposed HL7 Attachments IG and consulted with
standards maintenance organizations and found the March 2022 iteration
of the HL7 Attachments IG is functionally equivalent to adopting the
March 2017 iteration of the HL7 Attachments IG with errata. Therefore,
in this final rule, we are adopting Release 2 of the HL7 Attachments
IG, published in March 2022.
Comment: A commenter recommended that HHS work with the NCVHS to
develop alternative approaches to meeting the HIPAA EDI requirements
that represent a more contemporary basis of interoperability. Multiple
commenters stated that the proposal would leave limited ability to
improve on the current state of automated support to produce the
relevant data to populate the requested document type with the minimum
necessary information without substantive user involvement. A commenter
further explained that the proposed rule would require the use of C-
CDA-based attachments in accordance with the HL7 CDA[supreg] R2
Attachment IG: Exchange of C-CDA Based Documents, Release 1--US Realm
(STU) and would cover approximately 106 recognized document types.
Multiple commenters pointed out that thirteen document types in C-CDA
R2.1, of which three are recognized in the ONC Health IT Certification
Program and one is recognized in CMS's programs, have defined C-CDA
templates, but no clear implementation guidance is provided for all the
other 90+ document types that are referenced. Commenters pointed out
that this means some would not have a clear C-CDA document to consider,
for example, a physician letter or a patient consent for treatment in
an unstructured C-CDA document, while others could be structured in C-
CDA format, but no agreed upon document templates exist.
Response: We appreciate these comments and thank commenters for
sharing these implementation considerations. The C-CDA standard is
being adopted because it provides a widely recognized, structured
format that supports interoperability and can accommodate a variety of
clinical documents. The LOINC code system allows discrete
identification of attachment types, including both structured and
unstructured documents, and provides modifiers for templates and time
windows where applicable. We believe that the C-CDA standard we are
adopting broadly covers the types of documents that would be requested
for health care claims. Though the standard we are adopting might not
address all document types, it balances the need for standardization
and efficiency with practical flexibility for health care providers
while allowing the system to evolve as new document templates and
business needs arise.
The document types in the HL7 Attachments IG have discrete data
elements that allow HIPAA covered entities to exchange clinical
information as both an unstructured and structured document. Should
covered entities have future business needs that give rise to
additional document types, these could be exchanged as unstructured
documents by obtaining a LOINC code to identify the attachment type.
Comment: Multiple commenters recommended that HHS reconsider
adopting the standard for claims attachments transactions, given the
substantial guidance still needed to enable supporting a substantially
less burdensome documents-based approach. One commenter stated that in
order to support a consistent exchange through FHIR-based or X12-based
transactions, attachment approaches between the CDex guide and the HL7
Attachments IG need to be aligned.
Response: We appreciate this information and encourage the industry
to submit specific requests for changes and enhancements to the
transaction standards to the SDO responsible for maintaining the
standard.
Comment: Multiple commenters expressed support for the use of the
HL7 CDA standard, HL7 C-CDA standard, and HL7 IGs for health care
attachment transactions.
Response: We thank the commenters for their feedback and support of
our proposal.
Comment: A commenter recommended that HHS name a specific version
of the HL7 IGs as a ``floor'' and create a sub-regulatory advancement
process. The commenter stated that without a requirement to use
specific IGs, the industry will not achieve the level of
interoperability necessary to support data exchange. The commenter
recommended that HHS establish a process, such as the ONC Standards
Version Advancement Process (SVAP), to allow technology to evolve
through industry testing while also allowing the industry to provide
public comment.
Response: We thank the commenters for their feedback. We note that
section 1174(b)(2)(B)(i) of the Act provides authority permitting the
routine maintenance, testing, enhancement, and expansion of code sets
outside of the rulemaking process. We will further explore regulatory
flexibilities with respect to modifications to adopted IGs. With
respect to requiring that organizations adopt new and updated code
sets, we note that such changes are generally considered maintenance
updates, and the Secretary previously adopted LOINC as a code set for
use with HIPAA health care transaction standards. Organizations can
incorporate maintenance updates to a given IG, including its LOINC
codes, without the need for the Secretary to engage in additional
rulemaking.
Comment: A commenter recommended that HHS modify the rule to state
that the HL7 C-CDA standard be used for all documents covered by the
HL7 C-CDA, but not limit health insurance providers, hospitals, and
clinicians to solely use HL7 C-CDA permitted documents.
Response: We reiterate that covered entities may use any adopted
documentation format that is supported by, and compatible with, the
standards adopted in this rule. Additionally, we note that the IGs we
are adopting also support unstructured data documents where the HL7 C-
CDA structured documents are unable to support the document or do not
exist.
Comment: A commenter offered that mandating the HL7 IG standards
for HIPAA transactions is an important step forward, but expressed
concern that these standards have not yet been tested
[[Page 14371]]
for suitability to the dental industry. The commenter provided specific
examples relating to dental claims, noting that only one dental health
IT module is certified under the ONC Health IT Certification Program,
meaning that the majority of dental EHR systems cannot produce HL7 C-
CDA. The commenter noted that dental claims require images as
supporting documentation in a variety of formats (for example, BMP,
JPG/JPEG, TIFF/TIF, PNG, PDF, TXT, DOC/DOCX, DICOM, GIF), and
recommended that HHS allow the use of these file formats instead of
mandating the sole use of HL7 C-CDA to account for specialties that may
rely on unstructured data exchanges, specifically noting concerns in
cases where unstructured data such as MRIs and X-rays are needed. A
commenter noted that the dental industry has worked with HL7 to develop
two CDA R2 attachment standards and IGs tailored to the needs of the
dental industry. These two IGs, which the commenter suggested should be
considered for adoption, are: (1) the HL7 CDA[supreg] R2 IG:
Orthodontic Attachment, Release 1--US Realm which aims to provide a
CDA-based set of templates that can be used by a dental provider to a
payer for claims; and (2) the HL7 CDA[supreg] R2 IG: Exchange of C-CDA
Based Documents; Periodontal Attachment, Release 1--US Realm which is
used to exchange dental clinical data.
Response: We agree that it is important that HIPAA-adopted
standards support the needs of all health care types, including the
needs of the dental industry. HL7 has developed two dental C-CDA
standards, but, because the NCVHS has not yet recommended them for
adoption and because we did not propose them in the HIPAA Standards for
Health Care Attachments proposed rule, we cannot adopt them in this
final rule. Should the NCVHS make such a recommendation to the
Secretary, we may consider adopting these dental standards in future
rulemaking. Upon publication of this final rule, we will consider
outreach strategies and industry-wide policies and implementation
issues, along with sector-specific approaches that may, for example,
involve collaborating with multiple interested parties to conduct
dental-specific outreach and education.
Final Action: After consideration of the public comments we
received, we are finalizing our proposals to adopt the following HL7
IGs as HIPAA standards for the attachment information included in
health care claims attachments transactions in Sec. 162.2002(a) and
(b):
<bullet> HL7 CDA Release 2 Attachment IG: Exchange of C-CDA Based
Documents, Release 2, March 2022 (HL7 Attachments IG).
<bullet> HL7 Implementation Guide for CDA Release 2: Consolidated
CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial
Use Release 2.1, Volume One--Introductory Material, June 2019 with
Errata (HL7 C-CDA IG Volume One).
<bullet> HL7 Implementation Guide for CDA Release 2: Consolidated
CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial
Use Release 2.1, Volume Two--Templates and Supporting Material, June
2019 with Errata (HL7 C-CDA IG Volume Two).
F. LOINC for HIPAA Attachments
We stated in the HIPAA Standards for Health Care Attachments
proposed rule (87 FR 78445) that health plans and health care providers
must have a clear and unambiguous way to specify attachment information
(for example, a discharge summary, surgical operation note, or
cardiovascular disease consult note) to be transmitted or requested in
a health care attachments transaction.
As we stated, the LOINC code set was developed for the following
three principal purposes:
<bullet> To identify the specific kind of information that a health
plan electronically requests of a health care provider and a health
care provider electronically transmits to a health plan (for example, a
discharge summary or a diagnostic imaging report).
<bullet> To specify certain optional modifier variables for
attachment information (for example, a time period for which the
attachment information is requested).
<bullet> For structured attachment information, to identify
specific HL7 IG: LOINC Document Ontology document templates.
With respect to these three purposes, we discussed that the HL7
Attachments IG contains specific instructions for how to utilize the
LOINC code set for HIPAA Attachments (87 FR 78445).
In the proposed rule, we included an overview on tools available
from Regenstrief to support utilization of the LOINC for HIPAA
Attachments (87 FR 78445).
Comment: Multiple commenters supported the use of the LOINC for
HIPAA Attachments, with some stating that LOINC enables health plans to
request documents, which will reduce processing delays caused by
current inefficient document request processes. A commenter stated that
the use of LOINC for HIPAA Attachments is logical, as Regenstrief has
online tools for easier searches, including a LOINC database that
effectively creates an attachments knowledge base with a twice-yearly
release cycle. Commenters noted that they support use of LOINC for
HIPAA Attachments to identify the specific kind of information
communicated in an attachment request and response. Another commenter
stated that the use of LOINC for HIPAA Attachments will help payer and
provider relationships by establishing more rules regarding the use of
standardized codes and defining specific documentation and terms.
Response: We thank the commenters for their support.
Comment: Multiple commenters expressed support for adopting
flexible templates to enable continuous advances in standards-based
attachment content. A commenter expressed support for the process
discussed in the proposal (87 FR 78449) that accounts for the
development of new templates not currently specified in the HL7 C-CDA
IG Volume One, HL7 C-CDA IG Volume Two, or HL7 Attachments IG. The
commenter noted that the C-CDA Companion Guide maintains templates and
that the process discussed would afford flexibility for newly defined
or updated templates to expand standards-based coverage of the
currently permissible LOINC codes and any newly established LOINC
codes. Multiple commenters recommended that HHS establish clear
guidelines for when new codes can be requested and how long systems
will have to incorporate new LOINC documents into their systems. A
commenter recommended that HHS name a specific version of the LOINC for
HIPAA Attachments and specify that organizations must adopt updated
codes as they are issued.
Response: We thank commenters for their feedback, and we agree that
our approach to adopting flexible standards will enable continuous
advances in standards-based attachment content. We also acknowledge the
commenters' concerns about establishing clear guidelines for when new
codes can be requested and the timeframe by which LOINC documents are
incorporated into systems. As mentioned earlier, the claims attachment
transaction standards we are adopting incorporate numerous
implementation specifications containing specific instructions for how
to utilize LOINC for HIPAA Attachments to identify the specific
information that a health plan electronically requests of a health care
provider, including when a health plan can request such information and
the time period a request covers. Regenstrief maintains a regular
update process and
[[Page 14372]]
covered entities would be expected to utilize the LOINC for HIPAA
Attachments codes that are valid at the time the transaction is
initiated, as specified by the relevant implementation specification as
discussed previously in section II.C.3. of this final rule. Commenters
strongly support the adoption of the current version of the HL7 C-CDA
standard in this final rule, and we are adopting the March 2022
iteration of the HL7 Attachments IG, as discussed previously.
Comment: Multiple commenters stated that providers and payers will
require education on correct mapping of fields to use the LOINC code
set. Multiple commenters encouraged HHS to ensure that multiple LOINC
code sets are supported, and a commenter suggested that HHS require
payers to offer providers a list to inform them which documents need to
be attached.
Response: We agree with the commenters' points about the utility of
education around implementing and using LOINC codes. As discussed in
section VI. of this final rule, we anticipate that training will be
needed once this rule is finalized. Health plans may choose to develop
and create educational materials that contain lists of attachment
documents and their associated LOINC codes as an educational tool for
health care providers and systems designers.
Comment: A commenter stated that multiple LOINC codes may be needed
for a single prior authorization transaction and recommended that HHS
ensure that multiple LOINC codes will be supported and that an
additional LOINC code validates that the list of required documents
from the payer is complete. The commenter stated that delays in prior
authorization decisions occur when payers change the nature and type of
documentation for a prior authorization request.
Response: We thank commenters for sharing these considerations,
but, as we discuss in section III.A. of this final rule, we are not
finalizing our prior authorization proposal. Therefore, we need not
address LOINC code issues specific to that use case.
G. Electronic Signatures
Section 1173(e)(1) of the Act provides that the Secretary, in
coordination with the Secretary of Commerce, must adopt standards
specifying procedures for the electronic transmission and
authentication of signatures for HIPAA transactions. In the HIPAA
Standards for Health Care Attachments proposed rule, we included a
discussion of prior rulemaking related to electronic signatures (87 FR
78449), to which we refer readers for details. In the proposed rule, we
recognized that electronic signatures would require certain
implementation features, including message integrity, nonrepudiation,
and user authentication, and proposed that the standard for electronic
signatures would be digital signatures--electronic stamps that contain
information about both the user creating the signature and the document
being signed--as the only technically mature means available that could
provide for nonrepudiation in an open network environment. We also
provided an overview of our understanding of the use of signatures in
health care and reasoning for our proposal regarding electronic
signatures (87 FR 78449).
As such, in the HIPAA Standards for Health Care Attachments
proposed rule, we proposed to define the term ``electronic signature''
and to adopt the HL7 Implementation Guide for CDA Release 2: Digital
Signatures and Delegation of Rights, Release 1 (Digital Signatures
Guide) (87 FR 78450). The HIPAA Standards for Health Care Attachments
proposed rule (87 FR 78438) that appeared in the December 21, 2022,
Federal Register contained the full definition of ``electronic
signature'' and detailed information about the Digital Signatures Guide
so that the public could provide informed comments. However, we
acknowledge that a correction notice was published on March 17, 2023
(88 FR 16392) to provide the regulation text that inadvertently was not
included in the proposed rule, while subsequently, on March 24, 2023,
we published a notice (88 FR 17780) extending by 30 days the public
comment period to allow an additional opportunity for the public to
provide comment despite the fact there were no changes to the proposed
definition of electronic signature or the proposed Digital Signatures
Guide, and the proposed regulation text contained in the correction
notice reflected the same proposed definition and standard. In this
final rule, the definition of electronic signature, the Digital
Signatures Guide, and the regulation text have not changed from these
previous publications. We discuss this proposal and summarize and
discuss the comments we received on it, in this section.
1. Definition of Electronic Signature
In the HIPAA Standards for Health Care Attachments proposed rule
(87 FR 78449), we stated that an electronic signature can be any of
several types of marks or data that indicate a signatory's intent to
sign and included examples of electronic signatures.
We proposed to define the term ``electronic signature'' for
purposes of the HIPAA Standards for Health Care Attachments proposed
rule as broadly as possible to ensure that it would meet covered
entities' current needs and could also encompass future electronic
signature technologies. The proposed text in Sec. 162.103 read:
``Electronic signature means an electronic sound, symbol, or process,
attached to, or logically associated with attachment information and
executed by a person with the intent to sign the attachment
information.'' In this final rule we finalize the proposed definition
of ``electronic signature'' in Sec. 162.103 and the adoption of the
Digital Signatures Guide in Sec. 162.2002(e), with requirements for
the use of electronic signatures limited to attachment information
transmitted electronically in health care claims attachments
transactions, in accord with the attachments transactions we are
finalizing.
Comment: Multiple commenters expressed support for the proposed
electronic signature definition and the proposed implementation
requirements for the use of electronic signatures for health care
attachments, offering that electronic signatures are a modern
technology that will reduce burden and allow clinicians to focus on
patient care rather than paperwork. A commenter expressed support for
HHS's approach to electronic signatures that would allow health
insurers and clinicians to maintain their existing practices regarding
the use of electronic signatures, as there is a wide variety of
electronic signature requirements and business practices across
organizations. However, this commenter indicated that because the
regulation text for the proposed definition and Digital Signatures
Guide had not been provided in the December 21, 2022 proposed rule, the
Secretary should publish an interim final rule (IFR) with this
information and provide an additional opportunity to comment.
Additionally, multiple commenters expressed support for HHS limiting
the electronic signature requirements to just the adopted electronic
standard transactions with no requirements on how a provider will
implement a signing process for a health care attachment. Another
commenter expressed support for HHS not establishing requirements for
when, or by whom, a document should be signed. A commenter expressed
support for flexibility, allowing future technologies, like electronic
signatures, which could be incorporated as EHRs adopt them.
[[Page 14373]]
Response: We thank commenters for their feedback and support for
our proposals. As stated previously, a correction notice was published
on March 17, 2023 (88 FR 16392) to provide the regulation text that
inadvertently was not included in the proposed rule. We also published
a notice on March 24, 2023 (88 FR 17780) extending the public comment
period by 30 days despite the fact that the correction notice contained
no changes to the proposed definition of electronic signature or the
proposed adoption of the Digital Signatures Guide, and the proposed
regulation text contained in the correction notice reflected the same
language for the proposed definition and standard that was included in
the proposed rule. In this final rule, these provisions remain
unchanged. Therefore, we believe further rulemaking to obtain
additional public comment on the definition of electronic signature,
the Digital Signatures Guide, and the regulation text is unnecessary.
Comment: A commenter disagreed with the proposed use of non-
computable electronic signatures, such as an image of a signature,
stating this would not provide identity or support authentication and
assertions. Another commenter requested that HHS clarify that health
plans cannot require original digital signatures for unstructured
documents used in health care attachments. A commenter recommended that
HHS should clearly specify ``signature'' versus a ``sound, symbol or
process.'' The commenter stated that the current wording could create
confusion and complicate the intent of implementing a standardized
process. Additionally, the commenter recommended defining an electronic
signature as a digital copy of an original signature, attached to or
logically associated with attachment information, and executed by a
person with the intent to sign the attachment information.
Response: We thank the commenters for raising concerns about the
limitations of non-computable electronic signatures, such as scanned
images of handwritten signatures. We agree that these forms generally
do not provide robust support for identity verification,
authentication, or assertion of signer intent. To address these
limitations, and as we proposed, this final rule adopts the Digital
Signatures Guide, which supports key features necessary for secure
electronic signatures, including user authentication, message
integrity, and nonrepudiation.
We clarify that this rule does not prohibit health care providers
or health plans from using other forms of electronic signatures in
contexts outside of the adopted HIPAA standard transaction for health
care claims attachments. However, when an electronic signature is used
to sign attachment information at the time it is transmitted as part of
a HIPAA-standard electronic health care claims attachments transaction,
that signature must conform to the Digital Signatures Guide, as
finalized in Sec. 162.2002(e). This requirement does not apply to
documents created prior to transmission that may later be included in a
claims attachment; only signatures affixed in the course of a HIPAA-
standard attachment transaction must meet the standard.
With respect to unstructured documents, such as scanned images or
PDFs used in attachments, health plans may not impose these electronic
signature requirements except when they are transmitted as part of a
HIPAA standard claims attachments transaction. In that case, a
signature must meet the requirements of the adopted standard, though a
health plan may not impose additional electronic signature requirements
beyond the adopted standard.
As previously discussed, the definition of electronic signature is
deliberately broad to allow for industry flexibility and to avoid
restricting current practices. We acknowledge the commenter's concern
that the phrase ``electronic sound, symbol, or process'' could create
confusion when implementing standardized processes, but this language
is intended to encompass a wide range of electronic signature methods
already in use across the health care industry, including digital
images of handwritten signatures and other forms associated with the
signed content. We are not altering the proposed definition that we
finalize here, but should we find during the course of implementation
of the adopted standard that covered entities require greater
specificity, we may provide additional guidance or educational
resources, as applicable, or consider further rulemaking.
Comment: Multiple commenters stated that if HHS chooses to finalize
the proposed rule, industry should be included in discussions on
defining when an electronic signature should be required.
Response: In the proposed rule, we stated that we are not proposing
to specify when an electronic signature must be required. Instead, we
defer to the industry to continue to establish those expectations (87
FR 78450) consistent with the considerations we mentioned previously,
including federal and state laws and regulations, accreditation
standards, best practices, and payer requirements. We clarify in this
final rule that the finalized HIPAA electronic signature standard
applies only to attachment information transmitted by a health care
provider in a HIPAA-standard electronic health care claims attachments
transaction. Thus, while the health care industry may continue to set
expectations for electronic signatures in other contexts, compliance
with the adopted HIPAA standard is required in the specific context of
claims attachments transactions covered by this rule.
Comment: Multiple commenters provided feedback on the proposed
definition of electronic signatures in the context of laboratories,
explaining that laboratories face particular issues with respect to
electronic signatures, highlighting confusion around what constitutes
an electronic signature for electronically placed laboratory orders.
Multiple commenters expressed concern regarding the scope of the
electronic signatures definition and stated that the proposed
definition could impact what is considered an appropriate electronic
signature for individual data and medical records included in health
care claims attachments, like laboratory orders. The commenters stated
that the HL7 Version 2 (V2) messages used to communicate the laboratory
order include data that identifies the ordering provider. A commenter
noted that some laboratories have experienced declined payment claims
for laboratory tests that were placed electronically in an EHR and
subsequently transmitted over a secure connection using standard HL7 V2
messages. Multiple commenters also noted that HL7 V2 messages have been
used for over a decade without concerns raised regarding the validity
of the orders placed. To resolve the electronic signature issues that
laboratories face and establish a plan to resolve variations in what
constitutes an electronic signature, commenters recommended that HHS
convene a stakeholder meeting with, among others, CMS's Clinical
Laboratory Improvement Amendments office, ONC, HL7, the Electronic
Health Record Association (EHRA), and the American Clinical Laboratory
Association.
The commenters referenced language from previous CMS rulemaking,
the Medicare Program; Payment Policies Under the Physician Fee Schedule
and Other Revisions to Part B for Calendar Year (CY) 2011 final rule
(75 FR 73170), which stated that the need for a signature only applies
to requisitions, which are paper forms, but does not
[[Page 14374]]
impact interested parties who utilize an electronic process for
ordering clinical diagnostic laboratory tests.
A commenter noted subsequent conflicting guidance from a CMS-
authored Medicare Learning Network Matters fact sheet that suggested
laboratory tests must be signed, and the 2012 Physician Fee Schedule
final rule, which retracted the policy finalized in the 2011 Physician
Fee Schedule final rule. Commenters sought clarification regarding
whether the use of EHRs that electronically transmit the necessary data
to the laboratory constitutes a valid, signed laboratory order that
provides relevant evidence that an authorized health care provider
ordered it. Additionally, commenters urged HHS to make it clear that
the widely deployed current electronic laboratory ordering process
would not be impacted by the HHS digital signature proposal and,
therefore, would not require the provision of necessary evidence that
the order was placed by an authorized health care provider, as this
information is electronically traceable and readily available to both
laboratories and providers.
Multiple commenters requested that HHS confirm that it is not
proposing that original forms of medical record entries be subject to
these requirements and that the proposed definition for digital
signatures for health care claims attachments does not change the
current policy regarding upstream clinical workflows or place
additional requirements on the current electronic laboratory ordering
process.
A commenter urged HHS to remove the example in the proposed rule at
87 FR 78449 that reads ``[f]or example, for a laboratory to submit a
claim for reimbursement of a laboratory test, a health plan may first
require a physician visit and a signed physician order. When the
laboratory later bills a health plan for the test, the plan may ask for
evidence that it was ordered by an authorized health care provider; if
the laboratory is unable to produce a signed order, it may not be
reimbursed.'' The commenter stated this could be interpreted to apply
to laboratory orders, which is not the intended focus of the health
care attachments rule.
Response: We appreciate commenters' concerns regarding the timing
of signatures in clinical workflows and the implications for
implementing digital signature requirements associated with this
rulemaking, particularly with respect to laboratories. We recognize
that, in practice, health care providers typically sign clinical notes
or other documentation at the point of service or document creation,
not at the point when a CDA is later generated and submitted as part of
a claims attachment. As such, the process of adding a digital signature
at the time of CDA generation may not align with established clinical
and documentation workflows. To allay some concern, we clarify that
this rulemaking applies solely to claims attachments transmitted as
part of an electronic claim transaction and generated for that purpose
and does not apply to, or alter, upstream clinical documentation
processes or related provider practices. To be very clear, this final
rule imposes no new requirements on clinical workflows, including, but
not limited to, how laboratory orders are created, signed, and
transmitted from EHRs to laboratory systems.
By contrast, administrative workflows may be affected. Covered
entities may need to establish organizational policies or technical
workflows that designate how, when, and by whom an electronic signature
is applied to a CDA package at the time it is generated for submission
as a claims attachment, notwithstanding that an original document was
previously signed by a provider. As such, adding a digital signature at
the time of attachment generation may differ from established
administrative processes and system interfaces, particularly for
laboratory documentation and HL7 V2 messages.
We also recognize the historical context cited by commenters,
including CMS's 2011 and 2012 Physician Fee Schedule rules (75 FR 7310
and 76 FR 73026) and related CMS guidance, and the resulting concerns
about inconsistencies across programs. The scope of this final rule is
limited to electronic signatures affixed to, and part of the
requirements associated with, HIPAA health care claims attachments
transactions, contemporaneous with when such transactions occur. It
does not alter existing CMS, or any other, policies regarding
electronic laboratory orders or impose documentation standards beyond
those required in the HIPAA transaction.
The signature required on a health care claims attachment--at the
time of a health care claims attachment transaction--is distinct and
different from a signature that may have been affixed for documentation
required at the time that health care services were provided, such as
an ordering provider's signature on a lab order or provider note.
Should a document (created and signed earlier by a provider) later be
requested as part of a claims attachment and should a health plan
require a signature on the attachment, that signature must be a digital
signature that complies with the standard adopted in this final rule.
That signature may be applied by the individual or entity submitting
the claim, or by an authorized delegate of that submitter; it is not
necessary to obtain a new signature from the original author of the
clinical document.
Regarding the commenters' concern with the example cited at 87 FR
78449, we acknowledge, in retrospect, it was susceptible to being
interpreted as imposing new or conflicting requirements on laboratory
ordering processes but emphasize that is not how it should be
interpreted. Rather, our intent was to illustrate a scenario in which a
health plan, in the context of adjudicating a claim, may request
supporting documentation from a provider. Should a health plan require
submission of such a document as part of health care claims processes
pursuant to a HIPAA health care claims attachment transaction, and
should it require on such documentation a signature, the digital
signature requirements finalized here would apply to that attachment
submission; they would not apply, however, to the original clinical
order or its format.
We also recognize that questions may arise regarding who may apply
the electronic signature on a claims attachment. The finalized standard
does not prescribe that a signature must be applied by a specific
individual, but, rather, requires that the electronic signature be
executed by a person with the intent to sign the attachment
information. This allows for organizational delegation consistent with
provider policies, state laws, and payer requirements, provided that
the signer has appropriate authority and that the technical
specifications for authentication, message integrity, and
nonrepudiation are met.
We acknowledge the concerns raised by interested parties associated
with laboratories and appreciate the possibility that there may be
aspects of laboratory-specific workflows, regulatory requirements, and
data exchange practices, particularly in relation to ordering,
documentation, and claims submission processes, that may require
particular attention. We intend to work closely with covered entities
generally--but will particularly focus on laboratory-related entities--
to support and enforce consistent and practical implementation of this
rule's electronic signature requirements. That will involve monitoring
implementation challenges and prioritizing collaborative education and
coordination to support successful adoption, while avoiding unintended
disruption to established processes and operations.
[[Page 14375]]
Stakeholder input will also inform our consideration of whether
additional guidance or future rulemaking may be necessary to clarify
the application of these requirements. Among other things, we will work
with affected entities to identify any operational or technical
barriers.
Comment: A commenter stated that an organizational delegation
policy will have to be in place to add an electronic signature when the
CDA is generated, which will need to be done before a technical
solution could be implemented. The commenter stated that providers sign
clinical notes at the time they are written, not when they create a CDA
to send clinical notes electronically.
Response: We appreciate the commenter's concern regarding the
timing of signatures in clinical workflows and any implications for
implementing digital signature requirements under this rule. The
electronic signature requirement finalized in this rule applies only to
the claims attachment as transmitted in a HIPAA-standard electronic
transaction, regardless of when the underlying clinical document was
created. This means that this rulemaking does not require signatures on
documents produced prior to the attachment request, though, as we have
noted, health plan policies or other law may require that. Rather,
pursuant to the requirements of this final rule, an electronic
signature is required only on the attachment package being transmitted
and only when a health plan requires an electronic signature.
As we clarified in a prior response, covered entities may need to
establish organizational policies or technical workflows to designate
how, when, and by whom the electronic signature is applied to the
attachment package. In some cases, the signature may be applied at the
point of CDA assembly, potentially by a delegate authorized to do so,
based on pre-existing documentation and previously affixed clinical
signatures. This approach is consistent with the flexibility offered in
the Digital Signatures Guide, which supports organizational delegation
models and does not prescribe specific timing or roles for signing.
This clarification aligns with earlier discussion regarding laboratory
documentation and HL7 V2 messages, emphasizing that the electronic
signature applies to the administrative claims attachment artifact and
does not alter upstream clinical workflows or document creation
practices.
Comment: Multiple commenters expressed concern regarding the
ambiguity of the proposed electronic signature definition and stated
that it may create confusion and unintentionally force changes in
clinical workflows. A commenter stated that the proposed rule does not
address the absence of a practical way to obtain an electronic
signature on an electronic test order and explained the ways that the
X12N 275 standard, EHRs and Laboratory Information Systems (LIS), and
CDA do not fulfill this need. The commenter also explained that the HL7
V2 standard, the HL7 Version 2.5.1 IG: Laboratory Orders Implementation
Guide (LOI IG) from EHR, Release 1 and each LIS-EHR interface will have
to be updated to include an electronic signature as part of an
electronic order. The commenter also noted that guidance documents
indicate a signature can be handwritten or electronic, but that there
is little guidance on what constitutes an electronic signature.
Response: We appreciate commenters' concerns regarding the
feasibility of applying electronic signatures to laboratory test orders
and the potential impacts on clinical workflows. As we explain in this
final rule, including in the previous responses, our finalized
requirements pertain only to electronic health care claims attachments
transactions, while the definition of ``electronic signature''
finalized in Sec. 162.103 is deliberately broad to accommodate current
industry practices and future innovations.
This final rule does not require that electronic test orders, such
as those communicated in HL7 V2 messages or the HL7 2.5.1 LOI IG,
include an electronic signature (whether such a signature might be
required by virtue of some other law or practice would be beyond the
scope of this rule). The electronic signature requirements finalized
here only apply when a health care provider transmits attachment
information electronically as part of a claims attachments transaction,
and only if a health plan requires a signature on that attachment.
We acknowledge that laboratory test orders may later be requested
by a health plan as a health care claim attachment. This final rule
does not address clinical system configurations, but we will monitor
implementation issues and, as necessary, engage with parties in the
health care industry should additional guidance be necessary to clarify
whether or how the requirements of this final rule interact with
existing health IT
[…truncated; see source link]Indexed from Federal Register on March 24, 2026.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.