Statement by
Jared Adair,
Office of HIPAA Standards,
Centers For Medicare & Medicaid Services

HIPAA Transaction And Code Set Requirements
before the
Senate Special Committee On Aging

September 23, 2003

Chairman Craig, Senator Breaux, distinguished Committee members, thank you for inviting me to discuss the progress that has been made in moving toward compliance with the electronic transaction and code set provisions of the Heath Insurance Portability and Accountability Act (HIPAA).

The Centers for Medicare & Medicaid Services (CMS) has a dual role in the implementation of HIPAA administrative simplification provisions. In the first role, which is delegated by HHS, CMS acts as a regulator and enforcer of the HIPAA transaction and code set standards. As the Agency responsible for paying Medicare claims, CMS fulfills the second role as a covered entity like thousands of other payers and submitters. Of all the programs that HIPAA covers, Medicare is the largest covered entity. CMS also works with the State Medicaid programs, which collectively are the second largest covered entity. Although there is a firewall between the two distinct roles of the Agency, our regulatory and enforcement activities are improved by our understanding of the operational and implementation issues experienced by a covered entity.

Not long ago, physician offices and hospitals manually produced health care bills and claims and sent them to health care plans for adjudication and payment. As computer technology became prevalent in billing offices, bills and claims were created and submitted electronically for payment. The transition from paper to electronic transactions has produced a number of benefits, including less expensive processing costs and faster transactions. However, the transition merely moved proprietary forms and code sets from paper to electronic media. It did not bring about real administrative simplification. Billing offices still had to accommodate the computer formats and codes for each health plan that was billed, creating a situation in which billing offices had to keep separate instructions and billing manuals for each and every health plan they billed.

While the health care industry has continued to prepare and submit bills and claims to the specific requirements of each health care payer, time has not stood still for other industries. The banking and shipping industries have advanced from simply using computers to a higher level of utilization that optimizes computer use through standardization to meet the business needs of their mobile and informed customers. For example, because the banking industry has agreed upon transaction standards, customers enjoy the safe use of their bankcards at ATMs around the world. Likewise, standards in the shipping industry make it possible to track and deliver parcels worldwide. Such standards and interoperability will benefit the entire health care industry.

The administrative simplification provisions of HIPAA built on earlier efforts to introduce standardization to the administrative transactions of the health care industry. Instead of relying on plan-specific formats, health plans and payers will now use one format for a claim, remittance advice, or eligibility inquiry. Industry representatives expressed to Congress the need for standards. While there is a general agreement that standards are beneficial, it is fair to say that questions arise on the specifics of the standards. In addition, standard code sets will be used within those formats. As a result, the format and codes will be consistent or standardized regardless of which health plan received a claim.


There are several factors involved in standardizing a transaction. Parties must agree on the pieces of information - the data content - that will be exchanged. This includes information such as "patient name," "address," and amount billed. How each piece of data will be represented - or coded - also requires standardization. Codes have been developed in the health care industry to represent procedures, diagnoses, the place of service, and other items. There also must be agreement on how to format the data elements and codes for a transaction so that the sender knows how to assemble a transaction and the receiver knows how to interpret it.

As HIPAA intended, the Department of Health and Human Services worked closely with industry standard setting organizations to assess potential candidate standards for the administrative transactions and code sets specified in the law. The transactions encompass many of the "back office" functions of a health care provider, such as claim submission, eligibility queries, claim status queries, and the remittance advice that allows the provider to post insurance payments to patient accounts.

The code sets are clinical codes-covering both diagnoses and procedures--that are used in those transactions. Under HIPAA, a code set is any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnosis codes, or medical procedure codes. Medical data code sets used in the health care industry include coding systems for diseases, impairments, causes of injury, as well as actions taken to prevent diseases, injuries, and impairments and to diagnose or treat patients. Code sets also are utilized for any substances, equipment, supplies, or other items used by the health care industry. HIPAA requires code sets for medical data in the administrative and financial health care transaction standards for diagnoses, procedures, and drugs. A list of the transactions and code sets is being provided to the committee as a supplement to this testimony.

The transaction and code set standards were adopted by Final Rule issued by HHS in August 2000, with an original compliance deadline of October 16, 2002. The impact analysis contained in that rule estimated a net savings to the health care industry as a whole of $30 billion over ten years. The estimates were difficult. For example, there was no existing baseline showing the degree to which electronic data interchange was in use throughout the healthcare industry, or to assess the extent to which various transactions and code sets were used. Many covered entities, including Medicare, have revised upward their HIPAA cost estimates because they have encountered unexpected complications during the assessment and implementation process.

However, it is clear that HIPAA is going to improve the administrative costs for everyone in the long term. For example, HIPAA is expected to create significant savings for the health care industry - and the taxpayer - over the first ten years of implementation. It also is important to note that HIPAA carries significant cost-reduction capabilities over time, when taking into account the start-up costs currently being incurred. Health care providers will be able to submit bills in the same format to all payers and be assured the bills will be accepted. Providers also will have the capability to query claim status and eligibility by computer rather than over the phone. Plans will not have to keep or store paper claims. This will reduce overhead as well as improve turnaround time for transactions, both of which should have a positive impact on cash flow.


When CMS began the process to propose and adopt standards, attempts were made to minimize costs to health care entities. Rather than develop new standards, CMS worked with private industry and adopted industry consensus-developed standards as directed by HIPAA. This assured the widest possible participation from those in the industry who understood business needs. Also, efforts were made to adopt standards already in widespread voluntarily use, minimizing the number of entities needing to convert to the standards. The Agency also provided support and education to facilitate implementation. For example, HIPAA implementation guides are available without charge via the Internet. In addition, when initial implementation efforts highlighted some potential problems with the standards that would have increased costs, CMS proposed and adopted modifications. These modifications were published in February 2003 and covered entities are required to comply with the modifications by October 16, 2003.

During the implementation process, industry readiness issues were brought to Congress' attention; and, in response, Congress enacted the Administrative Simplification Compliance Act in December 2001. This allowed non-compliant covered entities to request a one-year extension to work toward compliance. As a part of the extension request, the entity was required to share its plan of action for achieving HIPAA compliance. Many entities requested extensions, and tremendous progress has been made toward compliance.


Recognizing the state of industry readiness was low and that part of the problem was a lack of awareness, CMS conducted a national outreach campaign about HIPAA's electronic transaction and code set standards. The Agency has employed a multi-faceted approach to reach its diverse target audiences. For example, CMS manages a Website that provides materials designed to help providers and other entities. This site includes checklists, frequently asked questions, and other materials. Providers, office managers, vendors and others also have the ability to e-mail questions to CMS and receive a personal response. CMS has addressed thousands of HIPAA questions already through this system. In addition, CMS has produced and distributed HIPAA videos on VHS cassettes and CDs to hundreds of individual requestors. These videos have broadcast by satellite, on the Internet, and on cable networks across the country.

Our outreach efforts also include provider education conferences, which have been held in all 50 states. To further ensure that information is readily accessible, CMS has worked with many national associations, such as the American Medical Association, the American Hospital Association, the Health Insurance Association of America, and the Blue Cross and Blue Shield Association of America, to share information and participate in forums. CMS also participated in several HIPAA compliance assistance seminars for employers, health plans, and benefits administrators, which have been sponsored by the Department of Labor. Additionally, CMS published a HIPAA public service advertisement in 13 major health care journals and publications.

In an effort to be as accessible as possible, CMS has conducted 12 free national HIPAA Roundtable Conference Calls that have had record-breaking numbers of participants. In addition, many regional Roundtable calls have successfully reached doctors, hospitals, insurance companies, and others in specific geographic areas. Outreach efforts also include a HIPAA toll-free hotline that provides general information and responses to questions. More than 6,000 calls were handled in August 2003 alone. For those without Internet and e-mail access, a fax-back service to provide HIPAA material is also available. A summary of available resources is attached.


Through the course of working toward HIPAA compliance for the past several years, it has become apparent that the health care industry still agrees standardization is the right goal. However, this goal is more difficult to attain than originally anticipated due to the complexities and volume of health data. As is the case with other endeavors of this size, the "devil is in the details."

With the industry's increased awareness of HIPAA standardization came more issues. These range from the need to collect additional data elements, to the understanding that vendors and software developers could not handle the standardization effort alone. The many relationships that exist between the many providers and the many payers complicate the effort to standardize. In addition, testing before full implementation is an iterative process that takes significant time to ensure success.

Despite the challenges in achieving standardization, the industry has made substantial progress and is moving toward the goal of HIPAA compliance on October 16, 2003. After evaluating the results of testing and the percentage of complaint claims being received and adjudicated in the Medicare and Medicaid environments, reviewing information from provider and payer associations, and surveying information technology research and advisory firms, it has become clear that despite everyone's best efforts, the progress that has been made is not enough to ensure that all health care providers and payers are 100 percent ready to support the uninterrupted continuation of the nation's $1.4 trillion health care payments, a sum that is 14.1% of GDP. Many industry groups share our Agency's concerns.


It should be recognized that HIPAA is a significant systems development effort. As such, it is critical to acknowledge that things can go wrong and to have contingency plans in place. As part of its planning and risk management efforts and in response to industry request, CMS developed the attached "Guidance on Compliance" document. This preserved the compliance date as October 16, 2003, but allowed for those working toward compliance to adopt contingency plans.

As noted in the "Guidance on Compliance" document, CMS will focus on obtaining voluntary compliance and use a complaint-driven approach for the enforcement of HIPAA's electronic transactions and code sets provisions. When CMS receives a complaint about a covered entity, that covered entity will have the opportunity to demonstrate compliance, document its good faith efforts to comply with the standards, or to submit a corrective action plan. CMS recognizes that transactions often require the participation of two covered entities and that noncompliance by one covered entity may put the second covered entity in a difficult position. Therefore, during the period immediately following the compliance date, CMS will examine entities' good faith efforts to come into compliance with the standards and will determine, on a case-by-case basis, whether reasonable cause for the noncompliance exists. Pursuant to HIPAA, if CMS finds reasonable cause, the Agency will determine the extent to which the time for resolving the noncompliance should be extended.

CMS will exercise its enforcement discretion, on a case-by-case basis, to not impose penalties on a covered entity that deploys a contingency plan to ensure the smooth flow of payments if it determines that the covered entity is making reasonable and diligent efforts to become compliant and, in the case of health plans or payers, to facilitate the compliance of their trading partners. Specifically, as long as a health plan demonstrates its active outreach and testing efforts, it can continue processing payments to providers. In determining whether a good faith effort has been made, CMS will place a strong emphasis on sustained actions and demonstrable progress toward compliance with the transaction and code set regulations.

While the industry welcomed our guidance, there are those who would have liked additional action. For example, some health plans and payers are still reticent to announce or deploy contingency plans without a legal "safe harbor." CMS believes its guidance and contingency solution goes as far as permissible under the law. To alleviate industry concerns, CMS is urging health plans and payers to review the guidance, assess their trading partners' readiness, consider their "good faith efforts," and, as appropriate, deploy a contingency plan.

For example, while Medicare is able to accept and process HIPAA compliant transactions, CMS is actively assessing the readiness of its own trading partners to make sure that cash flow to Medicare fee-for-service providers will not be disrupted. Recently, CMS shared Medicare's fee-for-service contingency plan with the provider community so that providers could be prepared to work with the Agency should the plan be deployed. Under Medicare's contingency plan, the program will continue to accept and process transactions that are submitted in legacy formats while continuing to work with its trading partners toward compliance with the HIPAA standards. CMS will continue to assess the readiness of its trading partner community, including the number of Medicare submitters who are currently testing and with our contractors, as well as the percentage of complaint claims we are adjudicating. Based on this assessment, CMS will determine whether it will deploy its contingency plan.

As we move toward implementing HIPAA's important standardization requirements, it is critical to examine areas where the health care industry and CMS--both as the regulator and as a covered entity--need to review the implementation process and look for improvements. The industry will review three areas:

  1. The use of companion guides that describe situational elements but could be misused to exceed the HIPAA standardization requirements,
  2. Required data elements that are not necessarily needed to adjudicate a claim, and
  3. Clarification of implementation guidance that is open to interpretation.

CMS, in its regulator role, will consider how the law applies to these matters.

HIPAA is a large and important effort for the health care industry. It will not be easy, but it will be worth all of our efforts. In the end, it will serve as a critical foundation to future improvements to the administrative and electronic systems that support our great health care industry.


While difficulties exist in achieving compliance, this is not the time to waver in our commitment to offer order and consistency in health care administrative transactions. Rather, it is the time to work with covered entities as they strive to cross the finish line. CMS has provided the potential for a smooth transition through our enforcement guidance for those who are still working to achieve compliance. The Agency expects that health care plans and payers will consider deploying contingency plans to mitigate unintended adverse effects on covered entities' cash flow and business operations during the transition to the standards. CMS expects these contingency plans will mitigate unintended consequences of the transition on the availability and quality of care.

We are often asked what will happen on October 16, 2003. Certainly there may be problems, but health plans' and payers' willingness to appropriately deploy contingency plans will facilitate a smooth transition. The health care industry's continued emphasis on HIPAA compliance will allow us to make the promises of the HIPAA a reality.

Chairman Craig, Senator Breaux, and Committee members, thank you again for the opportunity to testify. I hope I have expressed the commitment CMS has to the transaction and code sets provisions of the HIPAA statute. I would be pleased to answer any questions you might have.

Last Revised: September 26, 2003