42 USC 1320d-2: Standards for information transactions and data elements
Result 1 of 1
   
 
<< Previous   TITLE 42 / CHAPTER 7 / SUBCHAPTER XI / Part C / § 1320d-2   Next >>
 
42 USC 1320d-2: Standards for information transactions and data elements Text contains those laws in effect on January 2, 2001
From Title 42-THE PUBLIC HEALTH AND WELFARECHAPTER 7-SOCIAL SECURITYSUBCHAPTER XI-GENERAL PROVISIONS, PEER REVIEW, AND ADMINISTRATIVE SIMPLIFICATIONPart C-Administrative Simplification
Jump To: Source CreditPrior ProvisionsMiscellaneousExecutive Documents

§1320d–2. Standards for information transactions and data elements

(a) Standards to enable electronic exchange

(1) In general

The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for-

(A) the financial and administrative transactions described in paragraph (2); and

(B) other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs.

(2) Transactions

The transactions referred to in paragraph (1)(A) are transactions with respect to the following:

(A) Health claims or equivalent encounter information.

(B) Health claims attachments.

(C) Enrollment and disenrollment in a health plan.

(D) Eligibility for a health plan.

(E) Health care payment and remittance advice.

(F) Health plan premium payments.

(G) First report of injury.

(H) Health claim status.

(I) Referral certification and authorization.

(3) Accommodation of specific providers

The standards adopted by the Secretary under paragraph (1) shall accommodate the needs of different types of health care providers.

(b) Unique health identifiers

(1) In general

The Secretary shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers.

(2) Use of identifiers

The standards adopted under paragraph (1) shall specify the purposes for which a unique health identifier may be used.

(c) Code sets

(1) In general

The Secretary shall adopt standards that-

(A) select code sets for appropriate data elements for the transactions referred to in subsection (a)(1) of this section from among the code sets that have been developed by private and public entities; or

(B) establish code sets for such data elements if no code sets for the data elements have been developed.

(2) Distribution

The Secretary shall establish efficient and low-cost procedures for distribution (including electronic distribution) of code sets and modifications made to such code sets under section 1320d–3(b) of this title.

(d) Security standards for health information

(1) Security standards

The Secretary shall adopt security standards that-

(A) take into account-

(i) the technical capabilities of record systems used to maintain health information;

(ii) the costs of security measures;

(iii) the need for training persons who have access to health information;

(iv) the value of audit trails in computerized record systems; and

(v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and


(B) ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.

(2) Safeguards

Each person described in section 1320d–1(a) of this title who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards-

(A) to ensure the integrity and confidentiality of the information;

(B) to protect against any reasonably anticipated-

(i) threats or hazards to the security or integrity of the information; and

(ii) unauthorized uses or disclosures of the information; and


(C) otherwise to ensure compliance with this part by the officers and employees of such person.

(e) Electronic signature

(1) Standards

The Secretary, in coordination with the Secretary of Commerce, shall adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to the transactions referred to in subsection (a)(1) of this section.

(2) Effect of compliance

Compliance with the standards adopted under paragraph (1) shall be deemed to satisfy Federal and State statutory requirements for written signatures with respect to the transactions referred to in subsection (a)(1) of this section.

(f) Transfer of information among health plans

The Secretary shall adopt standards for transferring among health plans appropriate standard data elements needed for the coordination of benefits, the sequential processing of claims, and other data elements for individuals who have more than one health plan.

(Aug. 14, 1935, ch. 531, title XI, §1173, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2024 .)

Prior Provisions

A prior section 1173 of act Aug. 14, 1935, was classified to section 1320c–22 of this title prior to the general amendment of part B of this subchapter by Pub. L. 97–248.

Recommendations With Respect to Privacy of Certain Health Information

Section 264 of Pub. L. 104–191 directed Secretary of Health and Human Services, in consultation with the National Committee on Vital and Health Statistics and the Attorney General, to submit to Congress, not later than the date that is 12 months after Aug. 21, 1996, detailed recommendations on standards with respect to the privacy of individually identifiable health information, which recommendations were to address at least the rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized or required, further provided that if legislation governing such standards was not enacted by the date that is 36 months after Aug. 21, 1996, the Secretary was to promulgate final regulations containing such standards not later than the date that is 42 months after Aug. 21, 1996, and further provided for preemption of regulations.

Ex. Ord. No. 13181. To Protect the Privacy of Protected Health Information in Oversight Investigations

Ex. Ord. No. 13181, Dec. 20, 2000, 65 F.R. 81321, provided:

By the authority vested in me as President of the United States by the Constitution and the laws of the United States of America, it is ordered as follows:

Section 1. Policy.

It shall be the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual that is discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations of a non-health oversight matter, except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services. Protecting the privacy of patients' protected health information promotes trust in the health care system. It improves the quality of health care by fostering an environment in which patients can feel more comfortable in providing health care professionals with accurate and detailed information about their personal health. In order to provide greater protections to patients' privacy, the Department of Health and Human Services is issuing final regulations concerning the confidentiality of individually identifiable health information under the Health Insurance Portability and Accountability Act of 1996 [Pub. L. 104–191, see Tables for classification] (HIPAA). HIPAA applies only to "covered entities," such as health care plans, providers, and clearinghouses. HIPAA regulations therefore do not apply to other organizations and individuals that gain access to protected health information, including Federal officials who gain access to health records during health oversight activities.

Under the new HIPAA regulations, health oversight investigators will appropriately have ready access to medical records for oversight purposes. Health oversight investigators generally do not seek access to the medical records of a particular patient, but instead review large numbers of records to determine whether a health care provider or organization is violating the law, such as through fraud against the Medicare system. Access to many health records is often necessary in order to gain enough evidence to detect and bring enforcement actions against fraud in the health care system. Stricter rules apply under the HIPAA regulations, however, when law enforcement officials seek protected health information in order to investigate criminal activity outside of the health oversight realm.

In the course of their efforts to protect the health care system, health oversight investigators may also uncover evidence of wrongdoing unrelated to the health care system, such as evidence of criminal conduct by an individual who has sought health care. For records containing that evidence, the issue thus arises whether the information should be available for law enforcement purposes under the less restrictive oversight rules or the more restrictive rules that apply to non-oversight criminal investigations.

A similar issue has arisen in other circumstances. Under 18 U.S.C. 3486, an individual's health records obtained for health oversight purposes pursuant to an administrative subpoena may not be used against that individual patient in an unrelated investigation by law enforcement unless a judicial officer finds good cause. Under that statute, a judicial officer determines whether there is good cause by weighing the public interest and the need for disclosure against the potential for injury to the patient, to the physician-patient relationship, and to the treatment services. It is appropriate to extend limitations on the use of health information to all situations in which the government obtains medical records for a health oversight purpose. In recognition of the increasing importance of protecting health information as shown in the medical privacy rule, a higher standard than exists in 18 U.S.C. 3486 is necessary. It is, therefore, the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual, discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations, against that individual except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services.

Sec. 2. Definitions.

(a) "Health oversight activities" shall include the oversight activities enumerated in the regulations concerning the confidentiality of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to the "Health Insurance Portability and Accountability Act of 1996," as amended [Pub. L. 104–191, see Tables for classification].

(b) "Protected health information" shall have the meaning ascribed to it in the regulations concerning the confidentiality of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to the "Health Insurance Portability and Accountability Act of 1996," as amended.

(c) "Injury to the patient" includes injury to the privacy interests of the patient.

Sec. 3. Implementation.

(a) Protected health information concerning an individual patient discovered during the course of health oversight activities shall not be used against that individual patient in an unrelated civil, administrative, or criminal investigation of a non-health oversight matter unless the Deputy Attorney General of the U.S Department of Justice, or insofar as the protected health information involves members of the Armed Forces, the General Counsel of the U.S. Department of Defense, has authorized such use.

(b) In assessing whether protected health information should be used under subparagraph (a) of this section, the Deputy Attorney General shall permit such use upon concluding that the balance of relevant factors weighs clearly in favor of its use. That is, the Deputy Attorney General shall permit disclosure if the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services.

(c) Upon the decision to use protected health information under subparagraph (a) of this section, the Deputy Attorney General, in determining the extent to which this information should be used, shall impose appropriate safeguards against unauthorized use.

(d) On an annual basis, the Department of Justice, in consultation with the Department of Health and Human Services, shall provide to the President of the United States a report that includes the following information:

(i) the number of requests made to the Deputy Attorney General for authorization to use protected health information discovered during health oversight activities in a non-health oversight, unrelated investigation;

(ii) the number of requests that were granted as applied for, granted as modified, or denied;

(iii) the agencies that made the applications, and the number of requests made by each agency; and

(iv) the uses for which the protected health information was authorized.

(e) The General Counsel of the U.S. Department of Defense will comply with the requirements of subparagraphs (b), (c), and (d), above. The General Counsel also will prepare a report, consistent with the requirements of subparagraphs (d)(i) through (d)(iv), above, and will forward it to the Department of Justice where it will be incorporated into the Department's annual report to the President.

Sec. 4. Exceptions.

(a) Nothing in this Executive Order shall place a restriction on the derivative use of protected health information that was obtained by a law enforcement agency in a non-health oversight investigation.

(b) Nothing in this Executive Order shall be interpreted to place a restriction on a duty imposed by statute.

(c) Nothing in this Executive Order shall place any additional limitation on the derivative use of health information obtained by the Attorney General pursuant to the provisions of 18 U.S.C. 3486.

(d) This order does not create any right or benefit, substantive or procedural, enforceable at law by a party against the United States, the officers and employees, or any other person.

William J. Clinton.      

Section Referred to in Other Sections

This section is referred to in sections 1320d, 1320d–1, 1320d–3, 1320d–4, 1320d–7, 1396u–2 of this title.