Part C - Administrative Simplification

42 USC 1320d - Definitions

For purposes of this part:
(1) Code set 
The term code set means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.
(2) Health care clearinghouse 
The term health care clearinghouse means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
(3) Health care provider 
The term health care provider includes a provider of services (as defined in section 1395x (u) of this title), a provider of medical or other health services (as defined in section 1395x (s) of this title), and any other person furnishing health care services or supplies.
(4) Health information 
The term health information means any information, whether oral or recorded in any form or medium, that
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
(5) Health plan 
The term health plan means an individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 300gg–91 of this title). Such term includes the following, and any combination thereof:
(A) A group health plan (as defined in section 300gg–91 (a) of this title), but only if the plan
(i) has 50 or more participants (as defined in section 1002 (7) of title 29); or
(ii) is administered by an entity other than the employer who established and maintains the plan.
(B) A health insurance issuer (as defined in section 300gg–91 (b) of this title).
(C) A health maintenance organization (as defined in section 300gg–91 (b) of this title).
(D) Parts[1] A, B, or C of the Medicare program under subchapter XVIII of this chapter.
(E) The medicaid program under subchapter XIX of this chapter.
(F) A Medicare supplemental policy (as defined in section 1395ss (g)(1) of this title).
(G) A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).
(H) An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.
(I) The health care program for active military personnel under title 10.
(J) The veterans health care program under chapter 17 of title 38.
(K) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072 (4) of title 10.
(L) The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).
(M) The Federal Employees Health Benefit Plan under chapter 89 of title 5.
(6) Individually identifiable health information 
The term individually identifiable health information means any information, including demographic information collected from an individual, that
(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
(7) Standard 
The term standard, when used with reference to a data element of health information or a transaction referred to in section 1320d–2 (a)(1) of this title, means any such data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary with respect to the data element or transaction under sections 1320d–1 through 1320d–3 of this title.
(8) Standard setting organization 
The term standard setting organization means a standard setting organization accredited by the American National Standards Institute, including the National Council for Prescription Drug Programs, that develops standards for information transactions, data elements, or any other standard that is necessary to, or will facilitate, the implementation of this part.
[1] So in original. Probably should be “Part”.

42 USC 1320d1 - General requirements for adoption of standards

(a) Applicability 
Any standard adopted under this part shall apply, in whole or in part, to the following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1320d–2 (a)(1) of this title.
(b) Reduction of costs 
Any standard adopted under this part shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.
(c) Role of standard setting organizations 

(1) In general 
Except as provided in paragraph (2), any standard adopted under this part shall be a standard that has been developed, adopted, or modified by a standard setting organization.
(2) Special rules 

(A) Different standards 
The Secretary may adopt a standard that is different from any standard developed, adopted, or modified by a standard setting organization, if
(i) the different standard will substantially reduce administrative costs to health care providers and health plans compared to the alternatives; and
(ii) the standard is promulgated in accordance with the rulemaking procedures of subchapter III of chapter 5 of title 5.
(B) No standard by standard setting organization 
If no standard setting organization has developed, adopted, or modified any standard relating to a standard that the Secretary is authorized or required to adopt under this part
(i) paragraph (1) shall not apply; and
(ii) subsection (f) of this section shall apply.
(3) Consultation requirement 

(A) In general 
A standard may not be adopted under this part unless
(i) in the case of a standard that has been developed, adopted, or modified by a standard setting organization, the organization consulted with each of the organizations described in subparagraph (B) in the course of such development, adoption, or modification; and
(ii) in the case of any other standard, the Secretary, in complying with the requirements of subsection (f) of this section, consulted with each of the organizations described in subparagraph (B) before adopting the standard.
(B) Organizations described 
The organizations referred to in subparagraph (A) are the following:
(i) The National Uniform Billing Committee.
(ii) The National Uniform Claim Committee.
(iii) The Workgroup for Electronic Data Interchange.
(iv) The American Dental Association.
(d) Implementation specifications 
The Secretary shall establish specifications for implementing each of the standards adopted under this part.
(e) Protection of trade secrets 
Except as otherwise required by law, a standard adopted under this part shall not require disclosure of trade secrets or confidential commercial information by a person required to comply with this part.
(f) Assistance to Secretary 
In complying with the requirements of this part, the Secretary shall rely on the recommendations of the National Committee on Vital and Health Statistics established under section 242k (k) of this title, and shall consult with appropriate Federal and State agencies and private organizations. The Secretary shall publish in the Federal Register any recommendation of the National Committee on Vital and Health Statistics regarding the adoption of a standard under this part.
(g) Application to modifications of standards 
This section shall apply to a modification to a standard (including an addition to a standard) adopted under section 1320d–3 (b) of this title in the same manner as it applies to an initial standard adopted under section 1320d–3 (a) of this title.

42 USC 1320d2 - Standards for information transactions and data elements

(a) Standards to enable electronic exchange 

(1) In general 
The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for
(A) the financial and administrative transactions described in paragraph (2); and
(B) other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs.
(2) Transactions 
The transactions referred to in paragraph (1)(A) are transactions with respect to the following:
(A) Health claims or equivalent encounter information.
(B) Health claims attachments.
(C) Enrollment and disenrollment in a health plan.
(D) Eligibility for a health plan.
(E) Health care payment and remittance advice.
(F) Health plan premium payments.
(G) First report of injury.
(H) Health claim status.
(I) Referral certification and authorization.
(3) Accommodation of specific providers 
The standards adopted by the Secretary under paragraph (1) shall accommodate the needs of different types of health care providers.
(b) Unique health identifiers 

(1) In general 
The Secretary shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers.
(2) Use of identifiers 
The standards adopted under paragraph (1) shall specify the purposes for which a unique health identifier may be used.
(c) Code sets 

(1) In general 
The Secretary shall adopt standards that
(A) select code sets for appropriate data elements for the transactions referred to in subsection (a)(1) of this section from among the code sets that have been developed by private and public entities; or
(B) establish code sets for such data elements if no code sets for the data elements have been developed.
(2) Distribution 
The Secretary shall establish efficient and low-cost procedures for distribution (including electronic distribution) of code sets and modifications made to such code sets under section 1320d–3 (b) of this title.
(d) Security standards for health information 

(1) Security standards 
The Secretary shall adopt security standards that
(A) take into account
(i) the technical capabilities of record systems used to maintain health information;
(ii) the costs of security measures;
(iii) the need for training persons who have access to health information;
(iv) the value of audit trails in computerized record systems; and
(v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and
(B) ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.
(2) Safeguards 
Each person described in section 1320d–1 (a) of this title who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards
(A) to ensure the integrity and confidentiality of the information;
(B) to protect against any reasonably anticipated
(i) threats or hazards to the security or integrity of the information; and
(ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and employees of such person.
(e) Electronic signature 

(1) Standards 
The Secretary, in coordination with the Secretary of Commerce, shall adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to the transactions referred to in subsection (a)(1) of this section.
(2) Effect of compliance 
Compliance with the standards adopted under paragraph (1) shall be deemed to satisfy Federal and State statutory requirements for written signatures with respect to the transactions referred to in subsection (a)(1) of this section.
(f) Transfer of information among health plans 
The Secretary shall adopt standards for transferring among health plans appropriate standard data elements needed for the coordination of benefits, the sequential processing of claims, and other data elements for individuals who have more than one health plan.

42 USC 1320d3 - Timetables for adoption of standards

(a) Initial standards 
The Secretary shall carry out section 1320d–2 of this title not later than 18 months after August 21, 1996, except that standards relating to claims attachments shall be adopted not later than 30 months after August 21, 1996.
(b) Additions and modifications to standards 

(1) In general 
Except as provided in paragraph (2), the Secretary shall review the standards adopted under section 1320d–2 of this title, and shall adopt modifications to the standards (including additions to the standards), as determined appropriate, but not more frequently than once every 12 months. Any addition or modification to a standard shall be completed in a manner which minimizes the disruption and cost of compliance.
(2) Special rules 

(A) First 12-month period 
Except with respect to additions and modifications to code sets under subparagraph (B), the Secretary may not adopt any modification to a standard adopted under this part during the 12-month period beginning on the date the standard is initially adopted, unless the Secretary determines that the modification is necessary in order to permit compliance with the standard.
(B) Additions and modifications to code sets 

(i) In general The Secretary shall ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets.
(ii) Additional rules If a code set is modified under this subsection, the modified code set shall include instructions on how data elements of health information that were encoded prior to the modification may be converted or translated so as to preserve the informational value of the data elements that existed before the modification. Any modification to a code set under this subsection shall be implemented in a manner that minimizes the disruption and cost of complying with such modification.

42 USC 1320d4 - Requirements

(a) Conduct of transactions by plans 

(1) In general 
If a person desires to conduct a transaction referred to in section 1320d–2 (a)(1) of this title with a health plan as a standard transaction
(A) the health plan may not refuse to conduct such transaction as a standard transaction;
(B) the insurance plan may not delay such transaction, or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction; and
(C) the information transmitted and received in connection with the transaction shall be in the form of standard data elements of health information.
(2) Satisfaction of requirements 
A health plan may satisfy the requirements under paragraph (1) by
(A) directly transmitting and receiving standard data elements of health information; or
(B) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse, and receiving standard data elements through the health care clearinghouse.
(3) Timetable for compliance 
Paragraph (1) shall not be construed to require a health plan to comply with any standard, implementation specification, or modification to a standard or specification adopted or established by the Secretary under sections 1320d–1 through 1320d–3 of this title at any time prior to the date on which the plan is required to comply with the standard or specification under subsection (b) of this section.
(b) Compliance with standards 

(1) Initial compliance 

(A) In general 
Not later than 24 months after the date on which an initial standard or implementation specification is adopted or established under sections 1320d–1 and 1320d–2 of this title, each person to whom the standard or implementation specification applies shall comply with the standard or specification.
(B) Special rule for small health plans 
In the case of a small health plan, paragraph (1) shall be applied by substituting 36 months for 24 months. For purposes of this subsection, the Secretary shall determine the plans that qualify as small health plans.
(2) Compliance with modified standards 
If the Secretary adopts a modification to a standard or implementation specification under this part, each person to whom the standard or implementation specification applies shall comply with the modified standard or implementation specification at such time as the Secretary determines appropriate, taking into account the time needed to comply due to the nature and extent of the modification. The time determined appropriate under the preceding sentence may not be earlier than the last day of the 180-day period beginning on the date such modification is adopted. The Secretary may extend the time for compliance for small health plans, if the Secretary determines that such extension is appropriate.
(3) Construction 
Nothing in this subsection shall be construed to prohibit any person from complying with a standard or specification by
(A) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse; or
(B) receiving standard data elements through a health care clearinghouse.

42 USC 1320d5 - General penalty for failure to comply with requirements and standards

(a) General penalty 

(1) In general 
Except as provided in subsection (b) of this section, the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
(2) Procedures 
The provisions of section 1320a–7a of this title (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1320a–7a of this title.
(b) Limitations 

(1) Offenses otherwise punishable 
A penalty may not be imposed under subsection (a) of this section with respect to an act if the act constitutes an offense punishable under section 1320d–6 of this title.
(2) Noncompliance not discovered 
A penalty may not be imposed under subsection (a) of this section with respect to a provision of this part if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.
(3) Failures due to reasonable cause 

(A) In general 
Except as provided in subparagraph (B), a penalty may not be imposed under subsection (a) of this section if
(i) the failure to comply was due to reasonable cause and not to willful neglect; and
(ii) the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.
(B) Extension of period 

(i) No penalty The period referred to in subparagraph (A)(ii) may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.
(ii) Assistance If the Secretary determines that a person failed to comply because the person was unable to comply, the Secretary may provide technical assistance to the person during the period described in subparagraph (A)(ii). Such assistance shall be provided in any manner determined appropriate by the Secretary.
(4) Reduction 
In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) of this section that is not entirely waived under paragraph (3) may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.

42 USC 1320d6 - Wrongful disclosure of individually identifiable health information

(a) Offense 
A person who knowingly and in violation of this part
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection (b) of this section.

(b) Penalties 
A person described in subsection (a) of this section shall
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

42 USC 1320d7 - Effect on State law

(a) General effect 

(1) General rule 
Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.
(2) Exceptions 
A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall not supersede a contrary provision of State law, if the provision of State law
(A) is a provision the Secretary determines
(i) is necessary
(I) to prevent fraud and abuse;
(II) to ensure appropriate State regulation of insurance and health plans;
(III) for State reporting on health care delivery or costs; or
(IV) for other purposes; or
(ii) addresses controlled substances; or
(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.
(b) Public health 
Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.
(c) State regulatory reporting 
Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.

42 USC 1320d8 - Processing payment transactions by financial institutions

To the extent that an entity is engaged in activities of a financial institution (as defined in section 3401 of title 12), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following:
(1) The use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care, where such payment is made by any means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer.
(2) The request for, or the use or disclosure of, information by the entity with respect to a payment described in paragraph (1)
(A) for transferring receivables;
(B) for auditing;
(C) in connection with
(i) a customer dispute; or
(ii) an inquiry from, or to, a customer;
(D) in a communication to a customer of the entity regarding the customers transactions, payment card, account, check, or electronic funds transfer;
(E) for reporting to consumer reporting agencies; or
(F) for complying with
(i) a civil or criminal subpoena; or
(ii) a Federal or State law regulating the entity.