Rules Finalized on Security and Transactions Standards Modifications

Two HIPAA final regulations, those for Security Standards, and for Modifications to the Transactions Standards, went on display on 2/13/03 at the Office of the Federal Register. They were published in the February 20 edition of the Federal Register.

Copies of the rules can be viewed at

These are the versions that were sent to the Office of the Federal Register. The Federal Register versions will be made available, via links, from this same web site.

Under the security standards announced today, health insurers, certain health care providers and health care clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care.

The security standards work in concert with the final privacy standards adopted by HHS last year and scheduled to take effect for most covered entities on April 14. The two sets of standards use many of the same terms and definitions in order to make it easier for covered entities to comply.

Covered entities (except small health plans) must comply with the security standards by April 21, 2005. Small health plans have an additional year to comply.

The final transaction modifications rule, which will also be published in the Federal Register on Feb. 20, combines two proposed rules published May 31, 2002. HHS worked extensively with the Designated Standards Maintenance Organizations (DSMOs) to revise the proposed changes to the standards, as required by Congress as part of HIPAA.

Major provisions of the final rule include:

  • Repealing the National Drug Code (NDC) as the standard medical data code set for reporting drugs and biologics in all non-retail pharmacy transactions.
  • Adopting the proposed Addenda to the implementation guides with some technical revisions based upon comments received and consultation with the DSMOs.
  • For retail pharmacy transactions:
  • Adopting the National Council for Prescription Drug Programs (NCPDP) Batch Version 1.1 to support the Telecommunications Version 5.1.
  • Adopting the Accredited Standards Committee (ASC) X12N 835 as the standard for payment and remittance advice and the NCPDP Telecommunications Version 5.1 and NCPDP Batch Version 1.1. Implementation Guides as the standard for the referral certification and authorization transaction.
  • Continuing the use of the NDC code set for the reporting of drugs and biologics.

The rule also adopts modified standards for two transactions that were not included in the proposed rules -- premium payments, and coordination of benefits. The modifications were approved by the DMSOs and merely provide explanatory guidance.

Posted to HIPAAcomply 2/13/03