Overview Organization The SNIP ID & EDI Address project is cooperating with another project called the AFEHCT-WEDI Health Care Communications Security and Interoperability project. The Problem This document would include background on the existing Healthcare EDI environment (where we are), the ideal (where we want to go), Identifiers as they relate to routing of transactions, a high-level description of an Electronic Partner Profile, a high-level description of the Healthcare Registry, along with some examples of how all this would look in practice. So I think what the team is trying to do is define a neutral, efficient technology that can serve both now and in the future, and that will be a significant achievement. Judging from our conversations over the last few months, it seems folks have a "problem" finding out how to exchange EDI transactions with their partners without burdensome and manual processes. If that's not a problem - i.e., either the processes are not that manual or burdensome, or just not worth fixing considering the exigencies of other HIPAA issues - then there's no need to devise requirements for a solution to an imaginary problem. And if there's no problem to solve, then there's certainly no need to deliver a solution "within any acceptable timeframe." Either manual EDI enrollment processes are a problem, or they aren't. If they are, I believe that an open standard based on a Registry of electronic partner profiles is an effective technical solution worth pursuing by the WEDI/SNIP ID & Routing SIG. This effort is/should be substantially above the business data level and be dealing with message addressing and various transport methods that may be supported/required by a trading partner. Furthermore, the scope of this effort should not be limited to the HIPAA transactions, but serve all of health care. Motivation (1) How would a provider know where to even send a standard transaction to whatever entity handles them on behalf of the plan or payer? (2) A payer might have multiple "portals" for different types of transactions (say, "real-time" vs. batch) - how does he convey that to any provider who might want to send standard transactions? (3) How does a payer know whether a provider even supports EDI in the first place? (4) Assuming a provider *does* EDI, how would a payer know that a particular provider supports particular transactions (e.g, an 835 EOB - there's nothing in the 837 which says 835s are expected in return). Where would the payer send the transactions? (5) How would a payer or provider tell trading partners the communication protocols he supports? If he's using some of dial-up system, how does he convey logon IDs and passwords? Where does his X.509 digital ID public key reside? (6) How does a payer say what his requirements are for ISA and GS fields? How can he tell the provider that he can't handle more than 5000 claims in an individual 837? (7) How does someone report errors beyond the standard TA1 and 997? Does he support the 824? Or e-mail? - if so, what e-mail address should be used for sending error messages? You can add "or his agent" (such as a Clearinghouse, repricer or Third Party Administrator) to "provider" or "payer" above. This list certainly isn't exhaustive - I'm not the keenest when it comes to keeping crap organized, and Microsoft Project would only confuse me. Any of these problems can be solved the old fashioned way: through telephone calls, e-mail and paper TPAs. They can sometimes be delegated to one's Clearinghouse. On the other hand, if we agree that paper TPAs, paper "Companion" documents and lots of e-mail and phone tag are undesirable, we might ask if any or all of these problems can be solved in an automated fashion. Or - along the road to complete automation of EDI enrollment - can this information be advertised somehow where partners know where to look? Can it be expressed in a mechanical fashion for consistency and rudimentary automation? Do you agree that these are problems at least some payers and providers would like to see resolved? If any of these struck a chord, then our proposed solution - which entails recommendations based on the open ebXML CPP (electronic Partner Profile) and Registry specifications seems to satisfy many of the requirements posed by the problems. Do you have alternative solutions? Are these problems so critical to solve that a solution has to be in place by April 2003? Standard Transactions HIPAA mandates the NCPDP Retail Pharmacy electronic transactions between pharmacists and payers for eligibility, claims and remittance advices. Some of the hesitance to venture into NCPDP may simply be due to ignorance on our part, considering most of us are X12 types! Maybe there's no problem at all integrating NCPDP's needs on a first-class basis - within our Healthcare CPP Registry. Thanks for clarifying what you mean by "all of health care." We now know you certainly did not mean NCPDP, HL7 or Healthcare supply-chain. If I hear you correctly, I think you're saying we should accommodate the non-HIPAA (or yet to be HIPAA) X12N administrative transactions (like the 277/275 claims attachment and the 269 "COB"), in addition to the "final" HIPAA X12 transactions, in the recommendations we will develop for solving whatever problem we haven't determined yet. I would fully and enthusiastically concur. For example, even though the NCPDP retail pharmacy transaction is a HIPAA standard transaction, we haven't discussed it much. Can somebody enlighten us on how it is currently used? Are Clearinghouses involved? Can a pharmacy be treated like any other provider? How are NCPDP transactions packaged and identified? Information Flow Multiple 837s could result in a single 835, couldn't they? Claims could be sent throughout the day to the payer, with the payer waiting to process them in one run, resulting in a single 835 which the provider has to reconcile with any number of claims (sent in any number of 837s). The 837 ceases to exist by the time it gets to adjudication: it has decomposed into any number of atomic claims. There's nothing to say an 835 reflects only claims from one 837 - and there's really no reason for the payer to retain any notion that a particular claim came from any particular 837. And this is in the direct point-to-point scenario between provider and payer, with no intervening Clearinghouse which may be munging claims together from multiple providers for the payer! Bob Poiesz has emphatically taught us that the 837 is nothing but an ephemeral package encapsulating any particular claim - only until the next moment when it is possibly captured in another 837's orbit. But fortunately, I don't think we have to peer at the atomic level for solving our routing problems. We're only concerned with the physics of moving intact X12 transactions. The interaction P-->A-->P should really be decomposed into two separate (and possibly unrelated) sequences: Provider ->(837) Payer Payer ->(835) Provider We can't afford to ignore the technical acknowledgements in our information flows involving the 997 and the TA1 (and maybe even the 824). In the simplest cases where individual 837s are packaged in a single interchange, diagramming the interaction might be simple: Provider ->(837) Payer ->(997) Provider But what about when multiple transactions (and multiple transaction types - i.e., a mixture of 837s and 270s) are packaged in a single interchange? I don't think that really complicates things, in that all we really wanted to demonstrate is that the 997s (plural) go back to whoever sent the original interchange. You are correct when discussing an "837" as opposed to an atomic claim. My "flows" analysis was meant to show the routes that an atomic claim/payment or eligibility request/response traverse in our health system today, whether electronic or paper or phone. In fact, even when on paper, we tend to print / accumulate paper claims for a specific payer in a sequence that allows stuffing them into a single envelop when mailing (roughly equivalent to an 837). When the envelop reaches the payer, they open it and the "integrity" of that 837 grouping is lost the moment that the individual paper claims flow into their intake process (e.g. they are scanned into their electronic applications). The 997 / TA1 is a concept that has no equivalence in the paper world, but does in the telephone inquiry - it is the acknowledgement that our admission & A/R follow-up people manually record when they call a payer to check on eligibility & claim receipt. What you bring to light is the difference between what I am describing as the atomic "flows", wherein a certain event such as a claim would be expected to elicit a payment (or at least an RA) response, and the communication of that event between trading partners. As you correctly point out, an 837 (which I would look at as a package of 1 or more atomic claims), could elicit any number of responses: a 997, several 835s, 277s, and even 278s to TPAs and 837s to COB payers. These "response" events are temporally disconnected and unrelated to the original 837. What they each do have, however, is a specific relationship back to the atomic events that were gathered in the original 837 package. Getting back to the "business requirement" here, I need to determine (using a definition here for "transaction" as the single atomic event that needs communication): 1) the final destination for each transaction to be sent; then, 2) based on that final destination (through some mechanism that will be engineered from the business requirements) discover the entry point address for each transaction to be sent; then 3) group the transactions by entry point address; then 4) create the electronic packages by entry point address; then 5) send the packages using methods described in my trading partner profile for each entry point address. For the packages sent, I would expect to get (depending on the trading partner profile) a 997 for each package sent (regardless of destination). From that point on, each atomic transaction sent out is monitored individually, without regard to the "package" it was sent in. In fact, we should not care at all how the transactions are repackaged and re-routed by the intervening parties as long as each transaction arrives expeditiously (I'd like to define that term at some point...) at the final destination. When we receive a package of transactions from wherever, a 997 would be sent as an acknowledgement of receipt. Again, other than our sending of a 997 to the sender of the package, we would assume that the contents of the package have no particular relationship to each other. The package would then be parsed into its atomic transactions, each transaction attached to its initiating event, and each would finally be distributed to the originating application for automatic processing. The 270/271 and the 276/277 allow for multiple Information Sources and Information Receivers. There is no concept here of routing an ISA from Provider (or direct agent) to Payer (or direct agent). One interchange (or transaction) can be for multiple final receivers and from multiple original submitters. There is NOT a guaranteed one to one relationship beyond the point to point of any specific leg of the ultimate path. Transport HIPAA is silent when it comes to just how standard transactions are to be sent. So EDI could be sent via dial-up BBS, e-mail, bi-synch 3780, FTP, X.25, EDIINT, or whatever. But, generally, if you want to send direct to the payer (point-to-point), the payer dictates the protocol. Because of the multitude of various protocols, and the difficulty of finding the EDI "addresses" of trading partners, most providers will probably choose to use a Clearinghouse. It's unrealistic to restrict transport methods to the common TCP/IP protocols. We need to support all the "legacy" dial-up connection types - to assuage fears of the open Internet's security "problems" or to simply support the PM systems out there already - with some means of describing scripts, logins, passwords, modem-settings, etc. etc. in our Electronic Trading Partner Agreement. Of course, I want to emphasize again that we are only concerned with the packaging, routing and securing of STANDARD (HIPAA X12 and NCPDP) transactions between any two entities. We are not looking at situations where practice management software is generating or receiving proprietary formats through a CH; proprietary links (those not using standard transactions) to a CH or business associate are out of scope. We are, after all, the Workgroup for "Electronic Data Interchange." I'll ask again what I asked on the 11th: "...does anyone know of any OASIS, W3C, IETF, etc. effort for devising XML files to describe all communication capabilities of a partner? .... I want to see something that says 'this is a dial-up using Kermit with this phone number.' Surely someone has devised a schema for describing communication capabilities. There's no sense in us reinventing the wheel." As an aside, Dick Brooks has in the past brought up the need to assign a username/password to each trading partner before granting access to a B2B server - how is this to be automated, and what effect does this have on the use of electronic Trading Partner Agreements? Maybe userids and passwords could be avoided altogether if B2B servers were somehow to employ digital certificates instead for granting access - e.g., they could grant access to legitimate providers who hold one of those AMA/Verisign issued digital certificates. Otherwise, if someone wants to ensure ahead of time who will be sending transactions before assigning a userid and password, then there seems to be no way around some kind of manual interaction - whether it is a paper TPA or a web registration. At least an Electronic Trading Partner Agreement could give the URL where a provider is to manually register, so the userID and password can be e-mailed. 1.) How many of you are planning to use a VAN? 2.) How many will just set up an ftp server on your network and let trading partners drop off their files and pick up their files from a trading partner specific outbox? For the latter, you can put into the identifiers whatever you want. This is my intent for a payer solution that I am writing. It's cheap, (free, the ftp server comes with Windows/linux/Unix). Privacy is an issue that I could overcome with encryption but I don't want to touch this issue right now, maybe in two weeks. 3.) Are there other routing and EDI transport mechanisms out there that I forgot? Maybe email attachments? Those would be easy to encrypt at least. Work Product Technically, this group is a WEDi/SNIP Business Issues SIG (Special Interest Group) for the purpose of developing a white paper to address the standard transaction routing problem. When I say we're going to develop a "White Paper," I'm just parroting what the BI leadership says we're to do. I would imagine they (BI) want a White Paper which describes the perceived problems, if any, with regard to identification and routing, and some suggestions for solving these problem(s). This project will publish implementation guidelines for (1) an Electronic Trading Partner Agreement (e-TPA) specification to mechanically configure communication and translation software, and (2) automatic "discovery" mechanisms for locating Trading Partners' e-TPAs on the Internet based on their business identifiers. Our near-term plan is to generate four "working" papers. These papers will eventually be combined into a "white" paper or recommendation containing implementable specifications for the Healthcare CPP electronic partner profile and Registry. The four working papers cover: (1) Identifiers (2) Addresses and delivery channels (3) Elements of the Healthcare Collaboration-Protocol Profile (CPP) (4) "Discovery" of Healthcare CPPs (i.e., the Registry) It's my opinion that the urgent problem to be addressed and solved **before April, 2003** is how to complement the current business model **using the X12 Interchange control envelope** for the submission of claims and without forcing the entire industry on its head...there are sufficient challenges with just adopting a new set of formatting rules and standard data. Coming up with a "down and dirty" (if necessary) solution that will enable the industry to become operational today should be the urgent priority of this group. Critical Success Factors dream of frictionless e-commerce "without the need for bilateral Trading Partner agreements" - hopefully, what we do here in WEDI/SNIP will resuscitate his hopes Critical Success Factors: * Provide basic core functions initially -- Give marketplace participants what they need to solve their current problems * Recognize that IT alone won’t produce optimal pricing and efficiency in the market -- User acceptance more critical than implementation of IT * Infrastructure should complement existing trade value chain * Infrastructure should provide for end-to-end integration of business applications & information sharing in value chain -- Must be able to be integrated into back-office applications of participants * Effective ownership and control of infrastructure -- Participants must have a perceived or real vested interest in infrastructure, both business and technical * Accurate, objective identification -- Marketplace accepted standardized product identification is crucial (I believe this factor can equally be applied to HIPAA's challenge of identifiers, whether for product/service or entity. A major issue and challenge for all industries as they move into the electronic information exchange world is unambiguous and accepted identifiers: for all the players, delivery end points, billing and paying entities, and for the products and/or services moving through the value chain. For HIPAA, I believe the medical code sets are the analogy to product/service identifiers. We're still awaiting the national identifiers for payers and providers - but we do know what the key characteristics of these identifiers most likely will be and we can begin planning to accommodate them in our respective systems. There is no mystery as to what the identifier will be for employers.) * Fulfillment of strong, genuine existing need in marketplace -- Don’t use electronic market system/infrastructure to replace existing market practice * Satisfaction of need overarching critical success factor Perhaps these learnings from other efforts can help inform this group's efforts towards coming up with solutions to solve the immediate needs as well as looking to the future. If the solution is only to the future, I don't believe it will be accepted by the industry. Thus, I would suggest that the priority focus should be on coming up with an immediate (and even perhaps interim) solution that will address the need for identifiers that can be used to enable the correct routing of HIPAA transactions to the intended and correct receiving system and which also are complementary to today's business model. It seems to me that a key characteristic of today's business model is that the industry (whether it's a clearinghouse or other intermediary, or the provider, or the payer) does not use an enveloping scheme that in any way parallels the X12 enveloping structures with their ability to logically identify the sender and receiver. As a result, other mechanisms have evolved to get the transaction to the intended final destination. Perhaps it would be worthwhile to more fully understand how it works today and how today's mechanisms can be exploited in the near/short term to enable the players to become operational with the HIPAA transactions in the very short time remaining to achieve compliance. Once the industry is operational, the evolution to more elegant approaches using new and emerging standards and specifications becomes more achievable. If the work product of this group can specify how to become operational by April, 2003, **and** provide a vision and path to the future, we'll have achieved a worthwhile goal. If we look only to the future, the industry will find a way to become operational without our help. Thus, while I'm a very strong supporter of looking to the ebXML framework specifications which include the CPP/CPA, the Message Handling Specifications, distributed registries and repositories, and the ebXML architecture which ties it all together, I am not at all confident that all of this can be brought together in the extremely narrow timeframe required for the industry to become operational....which is not October, 2003, by the way -- but April of 2003 as required by ASCA. Standards Modifications There are no changes we can make to the ISA - it's impractical that any requests (other than qualifier code changes) could move through the glacially slow X12 process in time for it to be useful to us. We're probably safest in assuming we (WEDi/SNIP ID & Routing) are not going to be developing any recommendations requiring X12 DM requests nor other than the most minimal changes to the HIPAA implementation guides. "...would the current ISA ID values be used to do a lookup in the DNS table by the VAN/CH to get the proper routing, or will the entire route be in the ISA?" Only the entity ID (NAIC, DUNS, etc.) would be in the ISA receiver field. We are advocating no changes to the existing ASC X12 standards. All proposals assume a lookup for the routing would be done based on that ID (and its qualifier). I can't imagine changes would be needed (or possible, given the time needed for data maintenance to wend its way through the standards bureaucracy) to the X12N standards in order to support any recommendations that come out of this sub-working group. "Are we attempting to introduce new standards based on a transport layer function (IP)?" New standards, or "recommendations," are a very real possibility: e.g., a recommendation for exchanging interconnect information, or Kepa's proposed DNS structure for obtaining routing information, etc., etc. These would augment the existing X12 standards and the HIPAA IGs - not replace any parts of them: we have to live with what's already in place. EbXML Of the various specifications coming out of ebXML, the Collaboration Protocol Profile (CPP) and Registry are the most relevant to our work in WEDi/SNIP. As reported earlier, Dick Brooks will be working with the OASIS ebXML CPP/A Technical Committee to ensure the next version of the CPP spec supports Healthcare's needs - specifically "EDI Addresses" and links to electronic companion guides. We also have to have a way to electronically "discover" a Trading Partner's CPP, and that implies a registry of some sort. Though we have paid a lot of attention to Kepa's DNS "directory" proposal, prudence dictates that we at least look at what ebXML has to offer. So I took the liberty of apprising the OASIS ebXML Registry TC of our interest in the ebXML Registry for "discovering" Healthcare trading partners' CPPs. See "Discovery of WEDi/SNIP CPPs," in the Registry listserve at http://lists.oasis-open.org/archives/regrep/200203/msg00038.html. It's expected that "hanging" our electronic trading partner profiles onto the CPP would not be too terribly traumatic to existing healthcare players: after all, it would not be replacing anything but clumsy paper documents or web pages. Likewise, a directory (whether Kepa's DNS "directory" or the ebXML Registry) would give us something we never had before - an automated means of finding a partner's profile - and make what had been done manually now automatic, all without upsetting already in-place systems. What exists is the ebXML CPP/CPA (Collaboration Protocol Profile and the Collaboration Protocol Agreement. These specifications were developed over an 18-month period with active participation from the best minds in the world. The continued support and maintenance of these ebXML specifications is now under the auspices of OASIS. The OASIS committee will continue the work of ebXML on Collaboration Protocol Profiles (CPPs) and Collaboration Protocol Agreements (CPAs). Development of the ebXML specifications is an on-going effort sponsored by OASIS and UN/CEFACT. Technical committees for the ebXML Registry, Messaging, Collaborative Partner, and Implementation are hosted by OASIS, and Business Process and Core Component work continues at UN/CEFACT. A CPP defines one business partner's technical capabilities to engage in electronic business collaborations with other partners by exchanging electronic messages. A CPA documents the technical agreement between two (or more) partners to engage in electronic business collaboration. The committee will develop enhancements to the existing version 1 specifications that will result in at least one substantive new version. It will also coordinate its work with appropriate standards bodies within and outside OASIS. In addition, the committee will maintain version 1.0 of the ebXML Collaboration-Protocol Profile and Agreement Specification and will issue minor updates as needed. All of the ebXML specifications are publicly available in electronic form at no cost to interested parties. Thus, one of your proposed "requirements" could be stated as follows: "The EDI Addressing specification for health care must enable the automation of the trading partner setup process." This requirement could then be satisifed by stating: "The automation of the trading partner setup will be accomplished according to the specifications and rules set forth in the ebXML Collaboration Protocol Profile and the Collaboration Protocol Agreement specifications. These specifications are available from OASIS at http://www.oasis-open.org/committees/ebxml-cppa/." Just to give everyone an idea of which companies are involved in the continued support and development of the ebXML CPP/CPA specifications, here's a current list of members of the OASIS Technical Committee. As you can see, many of the world's leading ISV's are actively involved in this work effort. Liaisons NCPDP Lynne Gilbertson lgilbertson@ncpdp.org NIST Lisa Carnahan OASIS ebXML Collaboration Protocol Profile and Agreement TC. The chair, Dale Moberg Identifiers Actually, in the WEDi/SNIP ID & Routing group, we're merely concerned with the manner in which entities are identified in the ISA interchange header (and perhaps the GS) segment for routing. As Rachel said yesterday, "the focus [of our group is] on the 'functional use' of the identifier in the ISA as the key to discovering the detailed EDI addressing information." Sometimes we do talk about the problems with the lack of standard identifiers (especially for providers) in the application transaction sets, but it's not in our charter to solve that big, hairy problem! Background RosettaNet and other initiatives have chosen to identify every partner using the same ID domain, such as D-U-N-S. This does make things slightly simpler, in that no one has to remember what kind of identifier this 9 digit number is - it's always a D-U-N-S! I don't really think it's necessary, though, to force all players to identify themselves using IDs from the same domain. Christopher J. Feahr, OD, may prefer to always identify himself with his Federal Tax ID - it's incumbent then for all his partners (payers and lens manufacturers) to address him with his TIN in the ISA. But, another provider, like Children's Hospital, may choose to use its HIN (Health Industry Number) for procurement transactions, but the D-U-N-S when exchanging administrative HIPAA standard transactions with payers. On the other hand, insurance companies might choose to be identified with their NAIC company codes. Most entities have at least one ID from multiple domains - e.g., Christopher J. Feahr, OD most certainly has both a D-U-N-S and a TIN. Aetna has not only a D-U-N-S and a TIN, but also a NAIC company code. Some outfits even have more than one ID from the same domain - it's easy to have multiple D-U-N-S numbers due to mergers or acquisitions. Even though the Federal Tax ID number doesn't have the same weaknesses as the Socialist Security number used for individuals - it's almost never used for authentication, but only for identification - some entities still may prefer not to use it to identify themselves, leaving them to favor, say, the D-U-N-S. Since an exchange of HIPAA standard transactions is initiated by the provider, it's easy enough for the provider to obtain the payer's EDI ID; for example, the NAIC company code of the payer could appear directly on the patient's insurance card as the "electronic" EDI address for inquiries and claims. From there, it's clear sailing to locate the payer's CPP based on the NAIC. But as I ruminated on Tuesday, in "More Stuff and Questions on Routing Identifiers," how would the payer know how to address the provider it's responding to? There doesn't seem to be any clear way in the 837 or 270 for the provider to tell the payer which ID and domain to use for addressing transactions back to him. Always using the TIN for ISA IDs might solve this problem, but forcing an inflexible naming system on all partners ("You must always use the TIN") might be less desirable than figuring out some way for the 837 or 270 to communicate the preferred EDI ID (and domain) for responses. I'll make one concession, though: mandating use of a single domain (e.g., the TIN or D-U-N-S) to identify all parties (e.g., providers, payers, repricers, TPAs, CHs) on the ISA would be far preferable to the situation we have today with a surfeit of payer-assigned provider IDs. Aside from that, obtaining a DUNS for your own organization is free: I didn't pay anything to get assigned a DUNS from D & B, and as I explained to Chris Feahr this morning, he can get his DUNS for free by following the procedure I outlined. I think you have to pay $.75 or some other nominal charge to get the DUNS numbers of other organizations (though I, too, have gotten those free when I said the numbers were for "research" - I never pay retail). In any event, you would rarely have to ask Dun & Bradstreet for the DUNS of your trading partner; more often is the case your trading partner would give you his DUNS, telling you that's how he is addressed in the ISA. Everyone knows his own DUNS or Federal Tax ID (by the way, the Federal Tax ID is the same thing as the Federal Employer Identification Number - EIN or FEIN) - which is "shorthand" for saying someone at his own organization (say, the CFO) certainly knows these IDs. Once you have a DUNS, enumerating the DUNS+4 is free The National Provider ID (NPI) registrar will certainly not be assigning IDs to providers based on "contract" number, so it's clear that payers will already have to be working on separating the notion of contract from that of provider ID in their HIPAA remediation efforts. So whether payers used the NPI, D-U-N-S, DUNS+4, HIN, or Federal Tax ID to identify providers, assignment of these IDs will necessarily be based on licensed entity, individual, location or role - but never on the contract with the particular payer. Nonetheless, even though we're sometimes forced to discuss the general notion of IDs as used in the application transaction sets, our primary problem to solve is getting some consistent way of identifying providers as EDI participants - and getting everyone (including payers) to use that same ID for looking up providers' EDI addresses (inter alia) in the Healthcare registry. It will be a great step forward if our small group gets all players singing from the same hymnal as far as ISA identification goes; it would be icing on the cake, indeed, if interim application solutions to the lack of an NPI came out of our group, too! It sounds like we're coming to some sort of agreement that not only providers, but payers, too, find it cumbersome to deal with proprietary payer-assigned IDs as EDI Identifiers on the ISA. Are we getting closer to being able to make some definitive statement whereby we recommend that all providers' (or their agents') EDI portals be identified by DUNS, DUNS+4, HIN or Tax ID (the only current relevant choices in the Interchange ID Qualifier)? Working with real examples helps in two ways: (1) it holds one's attention better to use real examples, instead of saying D-U-N-S xxxx for Hospital Y, and (2) if you have real good luck finding, say, a D-U-N-S for every practice and hospital you may have ever been interested in or heard about, perhaps it means D-U-N-S has great coverage and we could constrain the routing ID for providers to always be a D-U-N-S for consistency and simplicity. This is what RosettaNet and GISB have done: all trading partners must be identified with their D-U-N-S. Some examples follow, with nothing changed to protect the innocent. The punctuation typically used to make the printed ID more readable consisting of dashes in the D-U-N-S and the FEIN - would not be present in EDI or our registry. D-U-N-S: 04-643-0013 - CHILDREN'S HOSPITAL, COLUMBUS , OH 07-164-3589 - RIVERSIDE METHODIST HOSPITAL,COLUMBUS , OH Federal Tax IDs (FEINS): 23-2229683 - Aetna Inc. 61-0647538 - HUMANA INC. 95-4505291 - UCLA Orthopaedic Surgery Medical Group NAIC: 68241 - Prudential 60054 - Aetna 54771 - Highmark HCFA Carrier (Medicare) 16360 - Nationwide - Ohio 00880 - SOUTH CAROLINA BC/BS The HIN (Health Industry Number) is kind of tricky to locate. I called HIBCC, the registrar for the HIN, and they wanted $10 for each ID!!! even though I told them they were just for some examples in a paper. You would have thought they would have been grateful I wanted to mention them at all! I would prefer HIN examples for hospitals, clinics and other providers, so I would appreciate if someone on this list would supply me some. In actuality, if the HIN were going to be used as a routing identifier, the party identifying itself with a HIN would probably know what its own ID was. Here are some examples for the HIN: 52F8TXK00 - BAXTER HEALTHCARE I8IVONE00 - CARDINAL HEALTH INC. 43KEC3K00 - HUMANA HEALTHCHICAGO I noticed that the 835 guide does not have the ABA Routing Identifier listed as one of the permissible codes for the Interchange ID Qualifier in the ISA. Wouldn't the ABA Routing Identifier typically be used as the receiver ID for payment orders (835) to banks? Can you even route a payment order through a clearinghouse (or VAN) to a bank, or do you always have to "hook" up with your bank directly? Clearly, the 835 EOB containing PHI - should go between the payer and the provider directly, or through a CE like a clearinghouse. Are there even any Value-Added Banks that can handle PHI? ABA Routing Codes for Banks: 071000013 - BANK ONE, NA, CHICAGO 021000018 - The Bank Of New York We are attempting to develop recommendations to the Healthcare industry for Trading partner identification and transaction routing. In order to fulfill the spirit of the HIPAA law, it must be possible for entities willing to use the standard transactions to have a somewhat predictable (read: standardized) means of getting their standard transactions to the payers. Everyone knows their own name(s). I even know my own D-U-N-S and FEIN. Providers probably know theirs, in addition to their HIN, and eventually their NPI. Payers know theirs, which might include their NAIC. My D-U-N-S should be the same, regardless which intermediaries I choose to use. A payer's NAIC, if he prefers to use it, should be the same regardless of the intermediaries the provider uses. Since these IDs have already been assigned, and are globally unique within their respective domains, why not use them? - at least until the globally unique National Payer and Plan IDs are available. And by all means, the "ZZ" should be banished: there should be no "mutually defined" in standards! IDs can't be used for authentication: there's nothing secret about them. You can easily find my D-U-N-S, even if I didn't give it to you. And I can easily find out what your NAIC is, even if you didn't give it to me. Likewise with HINs and eventually, National Payer and Plan IDs. Since IDs are easy to discover (even lacking a central database), they make ideal EDI addresses - but lousy passwords! Actually you shouldn't even have to "discover" them - the provider should be able to find them on the back of the patient's insurance card. Given the payer's ID, it should be possible for a provider, who's willing to cobble together a standard transaction, to get it on its way to the payer in the least confusing way possible. Anything less might be construed as a roadblock in the way of Administrative Simplification. You admit that you "...have a very non-standard situation in the ISA at this time, with the possibility of providers needing to identify themselves in different ways to each receiver." Standards are needed only for interoperability. Undoubtedly, your clearinghouse service is a well-oiled machine which works well for your customers, who are already seamlessly engaged in Healthcare electronic commerce. It probably matters little what we come up with here - your paying providers and payers are already electronically enabled, and they will happily accommodate themselves to whatever idiosyncrasies you mandate for the ISA. But to require a provider new to electronic transactions to munge the ISA, using IDs other than the sender's and receiver's own, might be construed as adversely affecting the provider as surely as charging fees for the privilege of submitting a claim or eligibility request. Once this door is opened, then payers might very well use other tactics like requiring the submission of standard transactions on diskette, or enforcing weird or obsolete protocols like X.400 or BiSynch, if the (payer's) preferred VAN or Clearinghouse is not contracted with. Proprietary IDs Marcallee Jackson told us "[e]ach healthcare clearinghouse maintains a list of payer ID's. These ID's are sometimes designated by the clearinghouse, sometimes by the clearinghouse's trading partner and sometimes by the payer. I believe its this code that is commonly sent in the ISA field." Isn't our problem made easier if the payer tells everyone what its own name or ID is, constrained by the allowable qualifiers in the ISA Interchange ID Qualifier? In the absence of the National Plan ID, we should allow for a payer being identified whatever ID it prefers Anthem might prefer the D-U-N-S and Highmark the NAIC. Some payers might have two or more D-U-N-S, any of which may be acceptable. Likewise, some providers will identify themselves by the HIN, others by the FEIN. But it does no service to interoperability if a provider, using HIPAA standard transactions, has to make a determination like "Payer 'A' is on CH 'B', who demands that the payer be identified by 'C' in the ISA, except on Thursday, when it must be 'D'." Along the same lines, do we want to banish use of the "ZZ" (Mutually Defined) qualifier, which - as Kepa has pointed out - is often used to specify an ID given to the provider by the receiving payer? At the front of my mind always is the mess we have now with payer-assigned provider IDs. This is probably why I slipped and said "[our] primary problem to solve is getting some consistent way of identifying *providers* as EDI participants.." Indeed, we want consistent ways to identify all participants, including payers, Clearinghouses, Third Party Administrators, Re-pricers *and* Providers. It should be clear from all my monologue over the last two or so months that I understand we have to identify all players in order to access CPPs in a Registry and address parties in the ISA. But as it is, there doesn't seem to be much argument over how payers are identified: the NAIC seems to be relatively well standardized upon, and for our purposes it's a perfect identifier. You don't see providers assigning proprietary provider-assigned payer IDs - instead we have a common sensible and standard means of identifying payers (e.g., the NAIC company code). The big problem to solve, as I have oft-repeated, is to level the playing field and have the payers extend the same courtesy to providers: address them by their own "name," rather than forcing providers to "memorize" a bunch of payer-assigned proprietary IDs (whether for the ISA or within the application transaction). I can't speak for the other payors, but our Plan has been eager to see a national provider ID for some time now. We use multiple proprietary IDs and have wanted to consolidate onto one new number -- we even had a project to modify the provider ID fields in all of our systems. Unfortunately, the proposed National Provider ID has us afraid to re-enumerate providers on our own as we are sure the final Reg will come out the day after we are done, making us do it all over again. ;-) But seriously, multiple IDs is as much of a problem at our end as it is at the provider end. As for whether there is intelligence in the numbers, the answer is no and yes. The no is because there is no intelligence in the number itself. Rather the number is the intelligence. For example, if a provider has multiple locations, he or she will receive multiple ID numbers with each number corresponding to a location on our system. Because we started up new products in the mid-90's and took over an HMO at the same time, some providers received different ID numbers for different products. This is because those products or companies were supported on different systems than our traditional BCBS business, and those systems had different requirements for ID numbers. Regarding the information we will require on a claim, we will follow the same process as described by Doug Renshaw, except that we will not modify the NAIC numbers. NPI and National Plan ID I agree that the lack of standard Provider IDs is a problem. However, if the suggestion is that the industry ought to embrace the DUNS number (or any other number) as an unofficial standard, then I would object to that concept. The problem with that idea is that the release of the final NPI regulation is hanging over us. Enumerating providers is not an easy thing to do. The communication of the new numbers and the process for doing this is time consuming and costly in terms of time, money, and resources. There is significant work involved in creating new provider tables/databases, loading this information, and making sure that all systems process this information correctly. Finally, there will undoubtedly be claim processing problems as an entity migrates from one number to the next. If the industry (or parts) were to move to DUNS and HHS releases an NPI regulation which uses anything other than DUNS (which it is expected they will do), the industry will have to discard all the work to move to DUNS and re-duplicate the effort. There would be no way for the industry to recapture the lost time, effort, and money that it spent moving from today's proprietary IDs to the NPI. The companies I work for have been poised to move to new provider IDs for a number of years now and have been unwilling to pull the trigger for fear that immediately after we do so the HHS reg will come out and the whole thing will be wasted. I would not be surprised if the same is true with other carriers. The best thing for all concerned is for HHS to release the NPI reg and for providers to act quickly in getting their new ID numbers. (Keep in mind that the move to a standard could break down if Providers don't hold up their end by getting these numbers.) The same is true with standard group IDs and payer IDs, for what it is worth. Application This seems like an overly broad mission, especially since we're mostly concerned with interoperable guidelines for "discovering" EDI addresses to use in the routing of standard EDI transactions. Reading the Identifiers subgroup's scope, I'm not surprised people would think we're going to get into the nitty grittty of using identifiers for providers, payers and contracts within application transaction sets! I have no objection to looking at this interesting problem or writing it up in our white paper (which would consist of just copying and pasting from Kepa's Identifier myths), but this is really a topic better served by the overall WEDi/SNIP Business Issues SWG. Identifiers are of interest to us here in the WEDi/SNIP ID & Routing group only insofar as they're used to assist in the routing of standard transactions - i.e., when they're used in the ISA receiver field. The MPD only affects identification of the provider (and the contract) in the claims ensconced within the X12 transaction. do think we will have to at least pay lip service to aspects of identifiers as they're used in the application transaction set - if only because applications will have to divine an ISA receiver ID from something, and that something will be the various combinations of IDs used today (within the application or the 837, say). For example, to do routing, a payer might need some way to find the provider's DUNS, HIN or EIN - one of the ID domains allowed by the HIPAA IGs in the ISA. We can't say you can key on any combination of criteria (including plans, contracts and line of business) to search for a (payer's) EDI address: a VAN or EDIINT software, which don't burrow into the application transaction, wouldn't have anything but the ISA receiver ID (and possibly some stuff at the GS) for making routing decisions. So keys used (as nodes) in Kepa's DNS "directory" would necessarily be restricted to ISA and GS information. my provider's application's programming problem to determine which identifier is used on the claim or eligibility or cert request. For all of them (many numbers for a single provider), and in my case, many providers, I'll still have a single EDI address (well, actually 4 - 2 for batch and 2 for near-real-time). I guess the real question is how the endpoint responder gets my EDI address. What they get in the transaction will be the unique provider identifier they have told me to use. If my common EDI address is not in the message for them to generate a response to me, then they would have to discover it which means I'd have to register all provider identifiers pointing to one of the 4 EDI addresses (now there's a really ugly thought...). I guess that's why I thought the ISA address would be my ultimate response address, but if that's not the case....... Since Loop 1000 shouldn't be used as an "audit" trail - and, indeed, it can't because nobody along the way can *add* instances of the loop (because 1000A and 1000B both have a loop repeat of 1 in the HIPAA IG) they can only change Submitter or Receiver - then it seems like it is an application transaction representation of the two parties identified on the ISA: the sender (submitter) and the receiver. I can see how you would think "...that a 'repricer' would leave loop 1000 information on the repriced claim exactly the same as when he received it," but since the re-pricer opens the envelope and potentially changes stuff, I think we have a whole new "round" of sender and receiver. In Raj's first example, when the provider (or his BA) formats and sends an 837 to Raj (the re-pricer), the provider or billing agent is the submitter or sender (in both Loop ID-1000A and the ISA), and Raj said he is the receiver (in both Loop ID-1000B and the ISA). When Raj "re-prices" the claim, I agree with his intuition that he is no longer the "receiver," and he must change the loop somehow. I'd say he becomes the submitter (loop ID-1000A) and the payer should become the receiver. Because Raj is now the submitter, his name and telephone number can now appear in the 1000A PER segment, so the receiver can have a real person to talk to find out what the heck is going on! don't think the 1000A (Submitter Name) and 1000B (Receiver Name) "audit trail" in the 837 are all that important. Besides, the other transactions (like the 270/271, 276/277 and 835) don't have an analog of this "audit trail." Based on previous observations, though, it's probably the usual case that the 1000A and 1000B Electronic Transmitter Identification Numbers exactly reflect the sender and receiver IDs on the enclosing interchange envelope. The ISA is incapable of carrying application data - unless you can manage to squeeze it into a ZZ-qualified sender or receiver ID! The ISA sender and receiver IDs must be valid identifiers from a limited set of domains, e.g., HIBCC HIN, NAIC Company Code, Dun & Bradstreet D-U-N-S, IRS Tax ID (FEIN), etc. IDs of this sort can serve as both routing identifiers *and* application identifiers. Therefore, it's entirely possible that any of these also appear in the "application" NM1s (e.g., the 837's 2000A loop to identify the billing provider). Generally, you would use one of the NM1 "application" identifiers (say, the Tax ID) for a provider to locate his CPP (Electronic Partner Profile). The CPP would then tell you what identifier to use in the ISA for the receiver. It would be mere serendipity if it turned out to be the same (the Tax ID in this case) - it could just as well be the D-U-N-S or HIN of the provider. As pointed out by various folks, including Jan Root and Bob Poiesz , the 1000A (Submitter Name) and 1000B (Receiver Name) "audit trail" are of limited usefulness - they most likely just reflect what's on the ISA. And the ISA sender ID is used solely for reporting TA1 and 997 acknowledgements. Determining the ISA receiver of an interchange containing application transaction turnarounds depends on identifiers supplied for the billing provider (in the case of the 837) or information receiver (270 or 276). For example, at least one of the IDs supplied in the 837's 2000A loop to identify the billing provider would be used to locate the CPP (Electronic Partner Profile) for that provider. Depending on attributes of the desired exchange (e.g., functional group of the response, say the 277U), the CPP may provide DeliveryChannels ("EDI Addresses") describing the portal to which the interchange is sent, along with the desired receiver ID to be inserted into the ISA. This ISA receiver ID may very well be different from that of the sender ID on the interchange containing the original 837! Knowing what your own "name" is begs the question whether your trading partner can divine the ID you're known by. Imagine the scenario where a physician first encounters a patient. Let's assume Peter Barry's grandiose plans for insurance cards with National Plan IDs comes to fruition: the National Plan ID could be used to search the "National Plan ID database" to come up with, say, the NAIC company code of the payer. From there, the WEDI/SNIP Registry would be searched on the NAIC to come up with the WEDI/SNIP CPP (Electronic Trading Partner Profile) which is used to tell you how to deliver eligibility inquiries and claims to the payer handling the particular plan. Until the advent of the National Plan ID, I suppose the NAIC company code of the payer could appear directly on the insurance card as the "electronic" EDI address for inquiries and claims. But I don't see any way for the provider to use the 270 Loop 2100B (Information Receiver Name) to convey his D-U-N-S to the payer for use in returning the 271 Eligibility Response. If the provider chose to identify himself by D-U-N-S, how would the payer know which ID to use in the response's ISA? This might be what Chris Feahr wanted to know, i.e., how to auto-discover the "return path" back to the provider? Keep in mind that the provider's sender ID in the ISA should probably be directly used only for TA1 and 997 acknowledgements; there must be some other means of figuring out the ID of the provider for application responses since not only is the ISA long gone (discarded by the translator), but prudence would dictate that the ID be derived from the application data (or other data known to the payer) - rather than saving the ISA sender ID. This may not be a problem for the payer in the case of in-network providers (where the payer would have the provider's "preferred" EDI address - the D-U-N-S - on file). But a non-participating provider has to have some means in the 270 transaction to give the payer his preferred EDI ID. The 837 Claim seems to have gone half-way in acknowledging this problem, and provides a way for the provider (or his agent) to send the "Electronic Transmitter Identification Number" (ETIN) to the payer in the 1000A Submitter Name loop. But there's no way to say whether that code is a D-U-N-S, a Tax ID, or a HIN, or whatever - the 837 IG unhelpfully says "Established by trading partner agreement." Like the 270, the 837 does have a way for the provider of telling the payer his FEIN (Tax ID) in the 2010AB Pay-to Provider loop; but even if the provider used the FEIN as his routing ID, there's no definitive way of saying that it *is* the EDI ID (as opposed to just one more ID the provider shares with the payer). The definitions for Interchange Sender and Receiver seem quite adequate and appropriate - they say what I've maintained all along. The ISA Receiver field is only needed to return TA1s and 997s (and possibly 824s reflecting IG violations). Application acknowledgements, such as the 835 answer to the 837, and the 277 answer to the 276, would not necessarily be sent to the ISA sender of the original request - instead, the ISA receiver would be "calculated" based on NM1s in the original request. Interchange Envelope But as it stands, there are only a few ways entities can be identified in the ISA based on the constraints HIPAA imposes on the ISA Interchange ID Qualifier. For providers, it leaves us with only the D-U-N-S (and D-U-N-S with suffix), the Federal Tax ID (or FEIN), or the HIN as acceptable domains for identifiers - if we rule out the 'ZZ' (Mutually Defined) qualifier (the ZZ qualifier is usually used for payer-assigned provider IDs, which are the bane of standardized identification). I assume that once the NPI is in place, there will be no problem getting it added as one of the acceptable ID types in the ISA. X12 is meant to be independent of the transport method. The ISA only needs to hold "logical" identifiers that represent the sending and receiving entities - and 15 characters is more than enough for any conceivable identifier (e.g., DUNS, FEIN, HIN, NAIC, or even the National Plan ID and National Provider ID). It was always understood that some sort of mapping table (whether at the VAN or CH, or in the EDIINT software) would take a logical identifier and "map" it onto an "EDI Address." An EDI Address would be a particular mailbox (in the context of a VAN or CH), or the protocol and addressing specifications in the case of EDIINT or FTP, say. Our project takes EDI Addresses to an extra level of indirection: identifiers would be "mapped" to a CPP, which in turn contains one or more EDI Addresses (selected by preference or functional purpose, e.g., "real-time" vs. batch). Each "EDI Address" would describe where (physical address, e.g., FTP address) and how (packaging, e.g, X12.58 security or EDIINT) to send the interchange. The logical identifiers used in the ISA are fairly static - how often does a DUNS, FEIN (or even an NPI, if it comes to pass) change? But EDI Addresses are ephemeral, subject to the whim of the recipient: one day I might want claims to go directly to me via FTP, and the next day I might change my mind and have them go through a Clearinghouse. A dynamic mapping system keyed on logical identifiers accommodates this nicely. We probably shouldn't call ISA08 an "EDI Address." It's the recipient's EDI Identifier. An "EDI Address," as Peter Barry would remind us, is all the technical mumbo-jumbo that defines the protocols, port addresses and other desiderata for moving EDI data to a particular point (e.g., FTP addresses, dial-up telephone numbers, etc.). The EDI Identifier in ISA08 will be used to retrieve the recipient's CPP (Electronic Trading Partner Profile), which in turn will contain the appropriate EDI addresses. And yes, it's possible that interchanges can be "going out the door with identical ISA08 values (identifying the receiver), but be going to different EDI addresses... because of their specific transaction payloads." This seems to be a requirement raised in previous discussions; e.g., "real-time" 270s might be directed to a different EDI address than "batched" 837 claims. I don't know how this could be done today with current translators and communication software: how does the translator convey to the communication software that the interchange is "real-time" vs. "batch"? If anyone has an idea how they would implement this with their current systems, please don't hesitate to write in! If there is no direct link between the translator and communication software, then the comm software does have to be sensitive to the payload contained in the interchange - at a minimum it will have to "drill" into the GS envelope to distinguish eligibility inquiries from claims, or to examine the GS Application Receiver's Code for hints in selecting the appropriate EDI address. Likewise, if all interchanges are sent to a single intermediary, such as a VAN, then the VAN would have to "drill" into the interchanges (so the correct EDI address can be determined). As an example to show why "drilling" down into the GS may be required, consider the scenarios presented by Doug Renshaw earlier. Highmark might want interchanges delivered to a different EDI "gateway" depending on whether "V" (vision claims), "W" (if an institution is in its Western Region), or "C" (if in its Central Region) is appended to its NAIC in the GS Application Receiver's Code - these suffixes would determine the appropriate EDI address to send the interchange to. If only X12 had adopted ISO 9735 UN/EDIFACT Syntax Version 4 for interchange control, then we could have avoided the problem of drilling into the interchange (to retrieve distinguishing information from the GS). The UNB Interchange Header in EDIFACT not only lets you specify the recipient identifier (in D.E. 0010 - Interchange recipient identification), but also an internal routing code (in D.E. 0014 Interchange recipient internal identification), so you can make all your decisions for routing just by looking at the UNB without going further in the interchange. See http://www.gefeg.com/jswg/ if you're the least bit interested in the layout of the ISO 9735 EDIFACT interchange envelopes. But unfortunately, adopting ISO 9735 interchange envelopes is not in the cards, so we have to rule out this elegant solution! As an aside, I'm left wondering how all those translators out there today are going to handle out-of-network claims from a provider the payer has never seen before - will they have the capability to automatically create Trading Partner table entries, dynamically adapting to new ISA sender IDs as they arrive? Now, as Rachel would say, I think I'm getting "wrapped around an axle" with this ISA and GS stuff. After thinking about it, the GS should only be used for internal routing by the recipient - something we all learned in EDI 101. No intermediary or communications package should ever have to "drill" down within an interchange to look at functional group envelopes. So we probably only have the ISA available for routing. And if only the ISA can be used, that probably implies only the 15 character ISA08 Receiver Code is available for discerning EDI addresses - which might require different recipient IDs for various purposes. So where does that leave us if a "real-time" 270 has to be sent to a different "portal" than a "batch" 837? Do we have to use a suffix on the payer's NAIC company code in the ISA08 receiver field to distinguish between batch and real-time? Martin Scholl's impression that the HIPAA IGs allow you to choose the ISA qualifier "ZZ" so you can put "anything in there" is correct. As far as I know, the guides have not changed since I last saw them. And we can accommodate the ZZ qualifier in our CPP Electronic Partner Profile: the receiver can specify in his DeliveryChannel ("EDI Address") that the ISA Receiver Interchange ID Qualifier and ID are to be whatever he deems fit. Perhaps his DeliveryChannel is assigned to his clearinghouse, and the clearinghouse only knows him by some *contrived* (CH-assigned) receiver ID using the ZZ "mutually-defined" qualifier. Since the receiver is a customer of the clearinghouse, he knows ahead of time what his proprietary CH-assigned receiver ID is, and can place it in the CPP so senders know what to use in the ISA receiver field. Just make sure you understand that the sender would have no way, a priori, of knowing what proprietary ID to use in the ISA receiver field until he accessed the receiver's CPP. Remember that no proprietary IDs could be used to *search* the Healthcare CPP Registry since there would be no way to ensure their uniqueness across all CPPs for all entities i.e., your notion of ZZ-BILLYJOE might be different from another's notion of the same pair. That same ambiguity doesn't exist for RA centrally managed identifier domains, e.g., HIBCC HIN, NAIC Company Code, Dun & Bradstreet D-U-N-S, IRS Tax ID (FEIN), etc. NAIC Company Code 54771 is Highmark, regardless who's doing the talking. Keep in mind that there's no way to compel a sender to identify herself with a proprietary ID. Given the Open-EDI aspect of HIPAA, a payer may not even know ahead of time that he's about to receive a transaction from some provider: how would he ever manage to assign a proprietary payer-assigned ID to her? On the other hand, if she chooses, a sender may identify herself with a ZZ qualified sender ID (in actuality, she may have been forced to by her one and only VAN or clearinghouse). It doesn't matter that the sender ID is mutually defined: the receiver never uses the pair except when turning around the TA1 or 997. This forces me to backtrack a little on what I told Todd Velnosky this morning: if an interchange using a ZZ-qualified sender field were being acknowledged, then the TA1 and 997 would have to be returned to the same clearinghouse the original interchange arrived from, simply because only that clearinghouse is guaranteed to know how to interpret the ZZ-pair. To determine the receiver ID of application responses, the sender would use one of the NM1 "application" identifiers (say, the Tax ID) to locate his partner's CPP, which in turn (using the DeliveryChannel) says how to get the response where it's going and what to stuff in the ISA receiver field. Didn't I say the ZZ-qualified proprietary ID would not be a problem? i.e., once the CPP was found, the EDI Address would inform the sender that the ISA receiver was to be a ZZ-qualified proprietary ID. I just wanted to make sure we all understand that the sender would have no way, a priori, of knowing what proprietary ID to use in the ISA receiver field until he accessed the receiver's CPP. But a "mutually defined" ID is not necessarily unique (except within the domain comprised by a particular payer or CH), you have no idea who assigned it (just by looking at the ISA), and it cannot be used in a National Healthcare directory. It has a meaning only in the context of a particular payer or Clearinghouse. And if it's particular or peculiar, it has no place, really, in our recommendations. I see no way around this conundrum. You may recall that we had submitted definitions for ISA sender and ISA receiver that I thought were considered acceptable. The basic concept is that the sender is the entity responsible for creating the exchange and it's contents and the receiver is responsible to processing the contents of the exchange. So, if the contents of the entire exchange (ISA to IEA) will be processed entirely by the receiver, then yes the ISA receiver will most likely be the provider or payor. if I understand this thread, we MUST choose one of the legal ISA identifiers as a KEY to this (yet-to-be-defined) record that explains all of the 'collaboration" details... including other ISA identifiers that might be acceptable? If so, I would vote for the Fed. Tax ID# for the registry key. As I look down this list, the FTIN seems to be the only one reliably there 100% of the time and one that virtually every business will know (about itself) and have no qualms (and violate no user agreements) disclosing to "the world". -Chris 01 Duns (Dun & Bradstreet) 14 Duns Plus Suffix 20 Health Industry Number (HIN) 27 Carrier Identification Number as assigned by Health Care Financing Administration (HCFA) 28 Fiscal Intermediary Identification Number as assigned by Health Care Financing Administration (HCFA) 29 Medicare Provider and Supplier Identification Number as assigned by Health Care Financing Administration (HCFA) 30 U.S. Federal Tax Identification Number 33 National Association of Insurance Commissioners Company Code (NAIC) ZZ Mutually Defined In the absence of the national identifiers, we are left to select from one of these coding systems or to use the ZZ Mutually Defined. It's my opinion that if the objective is to be able to use the identifier from the ISA to discover more detailed EDI addressing information, then it's irrelevant which coding system the ISA identifiers are based on. The only requirement at the present time is that to be compliant with the HIPAA specifications, one must choose one of the above. Thus, I'm not sure that I understand the detailed discussion of various identifiers and identification systems. Wouldn't it be more on point to be examining how the ISA identifier would/could/should be used to link to the EDI Addressing information? Furthermore, when (notice that I'm the eternal optimist and didn't say if) the national identifiers are finalized, then I would certainly expect that the ZZ Mutually Defined option would go away....and even perhaps the other choices in favor of the national identifiers. Thus, I again reiterate that I think it's quite irrelevant to the goal of this work group to get too wrapped around the axle about various identification systems. Rather, shouldn't the focus be on the "functional use" of the identifier in the ISA as the key to discovering the detailed EDI addressing information? Doug Renshaw was kind enough to respond to my pleas from 15 March for information on how folks currently (or will) handle the ISA and GS for routing standard transactions; he has graciously agreed to let me pass on Highmark's plans as grist for discussion. Other than Doug, only Tim Collins and John Bristor have responded. Tim divulged some information on how Kentucky Medicaid might be handling IDs, and John Bristor shared what appears to be some kind of Medicaid EOB with strange and wondrous proprietary IDs. At this rate, I don't have too much to work from: I hate to nag, but with the hundreds of people on this list, surely some more folks could throw information my way so Ron Bowron and I can do a "proper" requirements analysis. Doug said that Highmark will require that its NAIC code (54771) be submitted as the Receiver ID in the ISA. In the GS, he will require the NAIC of the payer that the transaction applies to, which could be that of Highmark or several other associated payers. NAIC codes are 5 characters, and the GS receiver ID can have a payer-defined 3 character suffix applied to the NAIC. In some cases, they will use a Highmark-assigned alpha suffix to manage internal routing requirements of stuff within the same payer. For the Sender ID in both the ISA and GS, Highmark requires the use of a proprietary trading partner ID. For transactions coming from a Clearinghouse, they'll have a trading partner ID for the clearinghouse which will be tied to individual providers. Also, Highmark requires a logon and password to connect to its network for sending and receiving EDI files. Highmark is considering use of the Internet to replace its dial-in network, but use of a logon and password would still be required. Highmark will only accept standard transactions, and only for a set list of payers who are in the Highmark "family". If a provider attempts to send transactions to payers not on Highmark's list, they will be rejected. Highmark is not attempting to offer providers a "portal" for submission of their claims to any and all payers - only a means of getting claims directly to itself and several of its subsidiaries. Doug does agree with my belief (by reading the NPRM) that payers will have to offer providers a direct "portal," or else will have to contract with a clearinghouse to collect standard transactions for them. As for Highmark's use of NAIC suffixes in the GS, they spell out some specific uses for particular transactions as required for internal routing and processing purposes. Specifically, Highmark will require a "V" on vision claims, and for institutional claims, they will require a "W" if the institution is in its Western Region and a "C" if in its Central Region. Doug recognizes that NAIC codes are not a solution that works for all health plans, and that Highmark may need to change its requirements if and when a national plan ID is established. Likewise, according to Tim Collins, Kentucky Medicaid now has plans to re-assign proprietary provider IDs in anticipation of HIPAA . These IDs are "intelligent," in that the 10-digit number used on the ISA denotes the type of submitter (e.g., Medical Practice, Software Vendor or Billing agent), further qualified by the type of institution on whose behalf the transaction is being submitted (e.g., Hospital, clinic, pharmacy, dental, etc.). Doug Renshaw didn't go into detail on how Highmark's provider IDs are generated, or whether they are "intelligent" or not. I guess that doesn't matter. What I do know now from these few "scenarios" including the Medicaid sample from John Bristor - is that payers sure do like proprietary provider IDs! But do providers feel the same way? If anybody were thinking we would come up with a scheme whereby you could put a plan ID into an ISA (which you can't, because the Interchange ID Qualifier can only address carriers or entities addressable by the DUNS or EIN), and auto-magically the interchange would end up at the appropriate place (the repricer for claims, or the Third Party Administrator for eligibility requests), then (1) that would be neat, and more importantly (2) it would be really, really hard to do. I think if you want to have an 837 go to a particular repricer, you're probably going to have to explicitly put the repricer's identifier (what is that? - a DUNS, an EIN?) in the ISA receiver field. And, likewise, if you want a 270 to end up at a particular Third Party Administrator, I suppose that TPA's identifier will have to appear in the ISA receiver field. How is this done today using X12 through Clearinghouses? what's expected in the ISA (and perhaps the GS)? See "EDI Meets the Internet: Frequently Asked Questions about Electronic Data Interchange (EDI) on the Internet," RFC 1865 at http://www.ietf.org/rfc/rfc1865.txt, especially sections 5.8. Can the ISA 06 or 08 identify any entity other than the 'end' Trading Partners (i.e. a routing entity)?, and 5.10. Are there other options for routing EDI X12 messages? ...although the ISA06 and ISA08 elements are supposed to be used to identify the sender and receiver of the interchange, the receiver of the interchange could be a clearinghouse (as well as a VAN) that processes the interchange and then forwards the data to the ultimate recipient. In this case, you could put the receiver ID of the clearinghouse into the ISA08. The clearinghouse would probably have to determine the ultimate recipient of the message by looking inside the transaction set (or perhaps by using the GS03). Though this IETF RFC is obviously not a HIPAA document, it proves as of 1996 that this was not a weird practice. The TA1 and 997 go back to the sender in the ISA, whether a CH, billing service or the "real" provider. What's the problem with calling the CH who builds the ISA the "sender" or "submitter" in order to differentiate him from the "providers" he's aggregating? If the provider (or his agent) puts the provider's ID in ISA06, then the provider is also the sender (or submitter). Analogously, the "receiver" could be a CH or payer. A payer is always a payer, and even sometimes the "receiver" in the ISA. The Present 1. The present is payer-centric. It could keep going that way, but the future health care electronic traffic will include provider-to-provider transactions involving delivery-of-care and reduction of medical errors (4th largest cause of death and injury). Having every provider set up in advance with every possible other provider is not very practical. In the future, eventually, providers will participate, not as clients, but as equal participants. Especially, a sender will be able to send an asynchronous message and the provider will be able to receive it. This is a hugely significant change from the payer-mailbox model now used for batch transactions and the client/server model now used for DDE transactions The note includes "distributed my EDI documentation". That would appear to include two types of information: (i) connectivity attributes, which are the primary subject of the CPP suggesting there might be a more efficient way to let provider computers know the terms for connectivity, and (ii) transaction requirement profiles, the subject of "companion guides", which might become electronic profiles, the "7-level" edit subjects. If these subjects cannot eventually be reduced to computer-readable information, we will have lost a lot in the goals of standardization. The dominant business model in health care is: 1. For the most part, only health care claims are submitted electronically by providers to the party they've determined is the financially responsible party for reimbursement. 2. The format used for electronic claims is most often the NSF batch file format, or some variant thereof. 3. It's not typical that a provider submits claims directly to the financially responsible party. Rather, intermediaries are more likely than not to be in the picture. Intermediaries can be clearinghouses, TPAs, repricers, billing services, and so on. 4. These intermediaries typically determine the financially responsible party by interrogating data contained with the batch file. 5. While the NSF batch file has batch header and trailer records which start/end the batch, the records in the batch are fixed field/fixed record multiple record types. 6. The industry does not use the typical EDI VAN store and forward model. Thus, it has not built an infrastructure that uses an identifier from a batch header record to "mailbox" files for the receiver. 7. The industry model is one of the provider always have to "push" electronic claims to the financially responsible party through an intermediary and to then "pull" any return messages. 8. Other types of information exchanges, queries, referral requests, etc., are most often performed via phone, IVR, DDE, or fax. Thus, today's application systems do not typically support nor enable batch file transfers for these types of information exchanges. As you know, the model which most other industries use for standards-based EDI exchanges is one where the receiver of the interchange maintains a mailbox at some "post office" - most often called a VAN. Thus, both parties to the information exchange maintain their own mailboxes (or multiple mailboxes) at a post office(s) of their choosing. It's this model that the current X12 control structures enable and support. Providers' Perspective Noticed that I never answered your questions below, so I thought I'd take a minute & do so. When everything was fee-for-service, the world was simple then HCFA decided to contract for certain services from certain providers, and to only pay "schedule" rates for other services. The flood gates are now wide open, and we have nearly as many health plans as we do employers represented in our databases. The carriers offer "specialized" plans and there are no guidelines on how these coverage agreements are structured its truly a boutique business. The carriers sell the plans to employers, who turn around and offer the coverage to their employees - larger employers offer several different coverages, depending on the employee's needs. They (carriers, large self-insured employers, HMOs) then come to our front door (some thru the back door) and negotiate with us to be a contracted provider to perform some or all of the services they are selling at the other end. Along with these plans came another cottage industry - third party administrators (TPAs) - who sell their services to employers and carriers - they contract to perform lots of different services including claims review, claims repricing (taking the provider's charges and "re-pricing" them to reflect contract agreed charges), eligibility & benefits checking, etc. Further, if the plan is capitated, they perform other services related to lifetime benefits and adjudication on behalf of the plans. There are numerous situations where more than one TPA can be in the mix - e.g. a professional repricer before the plan administrator, and even a separate reviewer. They can be in any sequence, though the repricer is usually the first stop for claims if one is present. The only good news is that usually (but not always) the TPAs can figure out amongst themselves where to send the claim next in the sequence because they only deal with a limited set of contracts. The kicker is that these "third parties" usually get inserted into the mix because neither the employer nor carrier want to be burdened with figuring out the nuances of the ridiculous contracts they are negotiating. So they contract with the third party, and then tell us that "for plan INS-xxxx, send the claim to RPCyyy, and request eligibility & benefits from TPAzzz". So, it ends up being our problem to determine where to send claims and address inquiries. I have no doubt that this situation will continue with EDI, so having a separate set of addresses by plan and transaction makes a lot of sense to me. This assignment is somewhat dynamic, however, and needs to be kept up to date by whoever is contracting for the coverage. These contracts are usually not long-term, and when they change, often the claim destination can change along with other contract terms. I'm still not sure I understand how we would ever go about determination that re-discovery is necessary, but i'm learning more every day... Hope this helps to explain some of it. One of your clients visits Iowa (vacation hotspot that it is)...a place you don't have a large presence. He is injured and end up at one of my hospitals. We don't have a trading partner agreement with you, as we have no prior relationship. We can't send you an automated eligibility inquiry, as we don't have your routing #. Do we have to train our registration staff to call and ask for routing #? What do we do to get the electronic process going? Or do we have to program our system to automatically drop to paper when the claim is processed? (totally shoots the standardization process.....) Youbetcha! If/when the NPID becomes real, and when payers all agree to apply for and get one, and then when they all agree to put the identifiers on the cards, we'll all be very happy. Ditto the Nat'l provider IDs for inclusion in the ISAs (are providers even required to apply for them?). Until then, however, we'll unfortunately have to live with a hodge-podge of identifiers, but that shouldn't keep us from making any forward progress. What if we simply said, for example: ok, all you payers that want to post your CPPs to begin development of CPAs with potential provider trading partners, post in the DNS the address where your CPP can be found under whatever identifier you are currently using on your insurance cards preferably your group/plan ID, but if that's not present, and all you have is a phone number, post it under that. Without waiting for a national identifier, and waiting for the hundreds of millions of insurance cards to be re-issued, we can just start moving forward with establishing CPAs, and sending 837s. If I could just convince 25 large carriers to do that, I could achieve 50% of my goal for development of TPAs by 4/16/03, with only a fraction of the work. If the payers want to designate a CH to be their receiver, then they can simply point their identifier to where the CH's CPP resides (all the same to me). If this is true, and we want to eliminate the burden on the intermediate hops (CHs, VANs & whatnot) in not having to delve into the message to try to determine who the recipient should be, the only option left is to place the endpoint receiver into ISA08. Since that is effectively the envelop within which I'm sending the claims, I therefor can't place claims for other destinations into it (I suspect that Aetna wouldn't want to sort thru primaries to determine which were for them, and then forward the rest to their intended destinations...). Realistically, this means that if I were to send claims for 50 different endpoints to a CH, I would send them 50 different ISA/IEA batches, some of which may only contain 1 or 2 claims. If the CH is performing routing for me, then they would probably have the CPAs already established with the endpoint receivers (the CHs would already know how & where to send the EDI packages without opening them). If the CH is a designated receiver for an endpoint, then they will have Trading Partner Agreements which tell them where/how to route the claims. In either event, routing should be easily accomplished without having to look inside the wrapper (which seems to me to be the most effective approach for everyone). I believe the extra cost of a few hundred bytes per day for additional ISA/IEAs is worth the price... Payers' Perspective My current position is with Coventry Health Care, a nationally based Health Insurer. We currently receive our Inbound 837 claims from WebMD. We also receive Authorization requests from WebMD in a proprietary format. We send to them a number of other transactions, including 835 remittance information. This is all accomplished through the use of a T1 line and the FTP Protocol. No file encryption involved. For our inbound enrollment data, some of it does come to us utilizing PGP file encryption, and other data we dial out and retrieve using FTP, ZMODEM, and even old XMODEM. Prior to coming to Coventry, I was with one of the nations largest Practice Management Software companies, now called Misys Health Care. They own one of the largest Clearing Houses as well. All the providers that utilized that Clearing House did so through the use of a modem and dial up connection, utilizing FTP to transfer the files. This was for 837 and 835 transactions, as well as reports. I believe, as it appears to me, most of you do, that the Internet will be the transfer method of the future. My concern is that this group may have missed how things are working today and that the vast majority of Providers, not Hospitals, are not connected to the Internet through their PM Products. These Providers, for the most part, do not have the staff in place to implement anything outside of what their PM Software Company provides. What we will do is return a response to the submitter, depending on if it is an unknown trading partner or an unknown provider within data from a known trading partner. We will reject a transaction from an unknown trading partner. We will front end deny an unknown provider. We have many obligations related to paying providers. Working an unknown is not one of them. And I did not see anything in the rules requiring us to do so. A provider is not our customer, but potentially a trading partner. We have the liability of properly reporting income to the IRS and state income boards for payments to that provider. We will insist that they become known, not necessarily participating, to us before accepting their claims. We currently use login information at the ISA level. This is then cross referenced with the system login/password that transmitted the interchange. Interchange/ISA information is not forwarded to the applicable application. Within the transactions we would use our business level IDs for the submitter. We separate security from identification to the application. (That makes it harder for someone to hack the system and submit business information) Also, we support multiple business entities submitting through a singe login/password. (Lots of reasons, too many to get into in detail.) I was one of the first people to state that I expect to eventually see and want a clean, secure, Internet way for Health Care to conduct Ebusiness. But that is a long way off. that does not necessarily mean 'open' as I have seen it described here. I would submit that, at least with the company with whom I am familiar, we never accept unsolicited claims, electronic or paper, from providers with whom we have no established relationship. The blues are perhaps unique in this, since providers located outside of the service region do not send claims directly to that blue, but rather to the entity licensed to perform the same function in that state or region. We are not going to change the fact that we are fiscally responsible for paying claims to people actually licensed as providers and accredited by the state boards. Nor will we accept their assertion, by receiving a properly formatted claim, that they are who they say they are without some assurance, spelled contract, that we acknowledge their right to receive that payment. Nothing in your CPP will assure any auditor, paid paranoiacs that they are, of the validity of the relationship or the security thereof. Solve that problem, for free, then we've got some good groundwork. I talked to a person from a large health insurance carrier the other day who's been "lurking" on the list. Though we've gotten into a lot of technical depth here, he's certainly enjoyed the discussion thus far but as someone from the business side, he had a little problem in putting together just what we're attempting to do. Once I could give him the 20-second "elevator" pitch on what it all meant, it resonated with him and he became a "true" believer in the ID & Routing project. Basically, I told him, any provider who has his NAIC co-code will be able to *automatically* find out where his EDI "portal" is - and other technical information - from his electronic Trading Partner Agreement. He does millions of claims a month, 80% of them electronic, where 90% of those are direct from the providers using direct dial-up FTP. He wants to move to the open Internet, where encryption will be necessary. All these details of FTP addresses and security will be in the e-TPA. And, additionally, there's no reason the e-TPA couldn't contain a machine readable version of what he would have had in a "companion" document: e.g., testing requirements, EFT details, data clarification for situational elements, etc. etc. He'll be able to eliminate a lot of paper and in-person communication, and facilitate direct point-to-point exchange of standard transactions with providers. Routing Interchanges It sounds like the electronics biz (EIDX) has some of the same problems we have when it comes to identification and routing. Just goes to show you that solutions coming out of our proposed Healthcare CPP Registry might be generally applicable across all business domains. Supply-chain, anyone? Hypothetically, a payer has relationships with two clearinghouses to receive claims and submit remits: CHA and CHB. A provider sends an 837-I through CHB which, in turn submits to CHA to reach the payer. This process takes place due to the connectivity environment between the payer and CHB which only allows 837-P to be transmitted. The payer produces an 835 based on that 837. Could the payer submit the 835 to CHB or should it follow the same route through which came the 837 (via CHA)? Your hypothetical scenario assumes the payer has an arrangement whereby all 835s (remittances) are submitted through CHB. Therefore, I suppose, the payer should return the 835 through CHB. The route whence the 837-I arrived is irrelevant, and all knowledge of the original claim's path is long gone. The 837 ceases to exist by the time it gets to adjudication: it has decayed into any number of atomic claims; see "Requirements Gathering - Information Flows," (16 Feb 2002) at http://www.mail-archive.com/routing@wedi.org/msg00219.html. As far as the provider is concerned, it doesn't matter what intermediaries are used to return application responses. In this case, CHB would likely recognize the ISA receiver ID for the provider (since the 837-I originally came in through CHB from the provider) and know where to deliver the 835. Even if CHB didn't recognize the receiver ID (say, the provider was using CHB as an "open portal" to reach the payer), the clearinghouse could use the Healthcare CPP Registry to look up the ISA receiver ID and figure out the EDI address of the provider. TA1 and 997 acknowledgements would probably be treated similarly (i.e., there's no X12 requirement that these traverse the same path as the interchange they're acknowledging). Parties Who's arguing about the ISA receiver ID being any other than that of the end-point receiver? But as I asked Friday, though, couldn't the "end-point" be a repricer or TPA (as opposed to a payer)? If, as Ronald Bowron pointed out, a CH is the "end-point" for re-packaging or aggregation, then the ISA receiver ID would be that of the CH; is that at all controversial? We shouldn't get all "wrapped around an axle" on this "financially responsible party" business. As I described yesterday, if the payer is using a clearinghouse as his inbound portal, his own ID (perhaps even a proprietary CH-assigned ID) will probably appear on the ISA. I don't know what CHs require on the ISA receiver field for aggregated claims appearing in a single 837, but it's probably not that of the "financially responsible party" since there would be many such parties to whom claims are being made (in the single 837). Actually there's nothing keeping *both* the provider and the payer from using proprietary formats or NSF, even under HIPAA. If there's only one CH between them, as long as the CH converts (or is capable of converting) the data to and from the standard HIPAA formats for at least a millisecond, all is okay. I think anything going *between* separate clearinghouses has to be standard transactions, though. many of the payers are actually going to contract with CHs as their "front door" for EDI (whether the CHs are subsidiaries or otherwise), then that CH's identifier could, in fact, be the identifier that the payer tells us (via the CPP or other manual method) to place on the claim (in the ISA). It would be assumed, in that situation, that the CH is acting on behalf of (is the agent for) the payer, and therefor represents "the financially responsible party" in its dealings with the provider. In that case, the CH would have specific arrangements with the payer (a TPA), that could, in fact, specify conversion to a proprietary format (such as NSF) for transfer of the claim to the payer. As long as the claim is transferred from provider to the CH as an 837, the law is satisfied (as I read it), because the CH would be operating as the payer's agent. This is also true in reverse for the providers. Some billing software will be used by smaller providers to enter claims data, and will then transfer that data to a central location in a proprietary format (say, a "flat print image file"). The central location is the billing software's "hub" - just another CH in our view, but one with a special relation to the provider - it is the provider's "billing agent"). Again, the law is satisfied because the CH is the agent of the provider, and it communicates to payers via the mandated transaction set. One of the largest provider software suppliers in the country is planning on doing just that as their "answer" to making the software HIPAA compliant - and they are licking their chops at the millions of $$ to be made sending all those claims on behalf of the provider in that really difficult electronic format (and for only $.25 per claim - what a deal...). I'm inclined to believe that addressing the receiver should be independent of who the sender is. So I'm uncomfortable with your suggestion to use the ISA SENDER ID and the GS SENDER ID for selecting between alternate "EDI addresses." I think the other items from the ISA, GS and ST are acceptable for consideration in looking up EDI addresses. "ISA ID(s) would probably be guaranteed to be unique only within the domain of the same VAN." This is true only in the case of CH (or payer) assigned proprietary IDs. But this group definitely will be recommending that all parties be identified by global identifiers (of their own choosing, e.g., DUNS, NAIC, HIN, etc.) - DUNS 04-643-0013 is unambiguously Children's Hospital in Columbus regardless of which VAN or CH is being used. Unless an interchange is going through a pass-thru intermediary - a switch or a VAN - which delivers EDI for many entities, it probably really doesn't matter what's in the receiver field of the ISA, does it? If I deliver an interchange to Anthem, directly, doesn't it stand to reason that the interchange is somehow for none other than Anthem? Maybe Anthem will use the GS envelope for further routing, but would it even pay attention to the ISA receiver field? But if the interchange is passed through an intermediary, such as a VAN or CH, clearly the immediate destination (the VAN or CH) will not be identified as the receiver on the ISA. The ISA receiver field probably should be that of the next entity to open the transaction set: this might be the payer (for a claim), but could just as well be a Re-pricer or Third Party Administrator - who I assume are not classified as "payers." Actually, the "real" payer (the insurance company behind a self-funded Employer plan) may never see standard transactions for a plan - is it correct in this case, then, to call the payer a "receiver"? Blues Blues are perhaps unusual - if I've interpreted some folks including Robert Barclay and Bob Poiesz correctly - in that claims are submitted to the provider's local BC/BS, regardless of the Blue the subscriber is insured with. The local BC/BS serves as kind of a re-pricer before forwarding the claim to the "home" Blue. Or something like that. See http://www.mail-archive.com/routing@wedi.org/msg00501.html. We've talked about the payer's CPP DeliveryChannel ("EDI Address") being selected on criteria like the plan ID, payer identifier and transaction function (e.g., batch vs. real-time, claims vs. eligibility request) alone. But accommodating the Blues' desire to have claims sent to the provider's local BC/BS adds a bit of complexity. Note that I said "desire," not "need," because it seems the BC/BS ITS network could just as easily perform out-of-area forwarding instead of burdening the poor provider with the problem. Nevertheless, perhaps the folks designing the Elements of the CPP (electronic Partner Profile) can think of ways that selection of a DeliveryChannel can be based on attributes of the inquirer (in effect, the provider's location). Take the Blues for instance. HIPAA requires that we all accept claims etc. from providers. But it does NOT mandate how. If I am in Maine, I can say to a Utah provider "No, you can not send HIPAA transactions to me". And I will follow that with "My business associate that handles HIPAA transactions in your area for me is the UTAH Blue Plan - contact them". Nothing in HIPAA mandates that I do the HIPAA transactions via the same route or business associate for all providers/trading partners. Now, somebody can 'say' that I am refusing to obey the law and conduct HIPAA transactions with that provider, but that is NOT the reality of the situation. I am just directing the provider to the proper routing for cliams from that provider to my plan. And, that means that I can not support 'open' EDI. That would negate my current right to deligate my HIPAA responsibilities to business associates as I see fit. To my knowledge, the only restriction under HIPAA is that my business associate could not charge that provider more that the cost of a long distance telephone call. It has been a couple of years since I was involved with ITS/Blue Card but I will give you what I remember. If my mind wonders too far someone please correct me. The system is more than a convince to providers. It was also designed to give one Blue plan the benefit of other plan's rates when their subscribers traveled. So if I am from California and see a doctor in Wisconsin. I give the doctor my Blue membership card which has an ITS prefix appended to my subscriber number. This prefix is different from the Plan code. The plan code is numeric and one is issued per plan. The ITS prefix is a three byte alpha ID. There can be more than one ITS ID per plan (i.e. HMO, PPO, etc...) For example, the plan code for Blue Shield of California is 542 and the ITS prefixes are XEA (PPO) and XEE (HMO) and there may be more. The doctor submits the claim to BC/BS United of Wisconsin with my subscriber ID of XEA123456789. Wisconsin takes the claim and sees that I am a Blue Shield of CA member, based on the XEA prefix. Wisconsin then determines the local negotiated payment rate and forwards the claim to Blue Shield of CA. Blue Shield then finishes processing the claim. Then, here is were I am a little fuzzy, I can't remember if Blue Shield then cuts a check/denial or sends its decision to Wisconsin where the check/denial is created. Anyway, you get the idea. This is more than a clearinghouse arrangement. The participating Blue plans are acting as pre-pricers for each other. The Local Plan, where the provider is located, accepts a transaction and contacts the Plan where the member is from to determine if the person is eligible for coverage, whether the coverage includes the service provided, and what copays or coinsurance should be applied. Upon receiving this response, the Local Plan processes the claim and responds to the provider. The choice for the provider is whether they want to connect to one local Plan or 50 some odd Plans all around the country. As for using the Blue Plan identifier, not all Plans want to use that identifier on the standard transactions. The ones I am familiar with are using the NAIC code. Furthermore, with HHS slated to issue a Payer ID regulation, I think you will find it difficult to influence Plans to change their processes prior to the HHS regulation being issued. Functional Group I don't have any strong feelings one way or another. In the health care supply chain sector, the common practice has been to use the same values at both the ISA and GS levels.....unless the sender and receiver agreed to use the GS identifiers to identify, for example, a business unit or operating unit within a larger enterprise. This is how I implemented the use in 1985-87 at Baxter Healthcare. I believe that this is common practice in other industries as well, i.e., the same values at both ISA/GS...... For HIPAA, I could certainly envision a payer, for example, specifying a GS receiver code(s) for one or more adjudication systems and other GS receiver codes for other types of transactions. This is closer to the original intent. When this approach is used your EDI translator can then output the correct file to the correct backend adjudication system. Unfortunately, the original intent is not documented and all that we're left with in the standard is the data element name. It's just the old-timer's like me that remember some of this history!!! Personally, I think it's unfortunate that the HIPAA guides haven't provided for explicit guidance for the novices for not only the use of the ISA/GS identifiers, but also the other standard acknowledgments, such as the TA1 and the 997. As you know, confusion reigns!!! I think that what has happened is that many people have not needed to use the GS for the original purpose. As a result, they have defaulted its function to being a restatement of the ISA values. That is different than morphing. Its fine to retain that default content when no other need exists. But it would be detrimental to assume that you could eliminate the other (original and primary) use and only leave the default. The fact is that these are not the sender and receiver ID. They are something different. I assume that by your "...but..." you are not in favor of retaining that original functionality (I apologize if I have misread that point). I believe that eliminating the "Application" capability from the GS would be a mistake. The GS segment does not have either a Sender ID or a Receiver ID. What it has is an Application Sender's Code and an Application Receiver's Code. These are very different. They are intended to be used for routing and translation map identification. We are using these elements to determine both routing and mapping. In some cases, we need this information to determine which application gets the data. In fact, I would say that the GS elements can not be standardized. The 270/271 implementation guide makes some recommendations on how to distinguish between Batch and Real Time transactions: If trading partners are going to engage in both real time and batch eligibility, it is recommended that they identify the method they are using. One suggested way of identifying this is by using different identifiers for real time and batch in GS02 (Application Sender's Code) for the 270 transaction. A second suggested way is to add an extra letter to the identifier in GS02 (Application Sender's Code) for the 270 transaction, such as "B" for batch and "R" for real time. Regardless of the methodology used, this will avoid the problems associated with batch eligibility transactions getting into a real time processing environment and vice versa. Overloading the GS sender code (using solely for internal routing by the recipient) is certainly preferable to requiring different sender or receiver IDs in the ISA, depending on Batch or real-time. But unless we come up with specific recommendations that apply across the board - for every provider and payer - stuff like what's in the IG will require a TPA (or "companion document"). We want to remove the need for TPAs, right? Anybody have specific ideas for differentiating batch from real-time? How about keying in on BHT03 - the Submitter Transaction Identifier? It's required to be used (in the 270) if the transaction is processed in Real Time - and since it can only be returned in a real-time 271 response, it seems like a most excellent marker. I do realize that makes it tougher for the payer to distinguish between batch and real-time inquiries, in that you have to drill into the bowels of the transaction set before knowing which queue to insert the request - but is that any more difficult than relying on the GS? Testing In a "test" mode, it would seem easier to pack only "test" transactions into an interchange anyway... so the T/P indicator should be useful right where it is. But the CPP record could certainly carry information that supports other ways of distinguishing test from real data. In my experience with the ISA I14 is that people generally ignore it which is not to say it can't work. Most organizations do not have tight enough controls to trust that they use the ISA I14 correctly. Re: Testing. The ISA I14 Usage Indicator (e.g., P for Production Data, T for Test Data) applies to the entire interchange - we can't change the X12 standards here. I'd say just put the production transactions (and functional groups) in one production interchange, and the test transactions in another. This technique requires nothing of the CPP, since theoretically a test interchange is sent to the same portal using the same IDs in the ISA as production data. Unlike the ISA I14 T/P indicator, which is universally understood - if not universally implemented, some (or most) organizations demand that test interchanges be sent using a "testing" ISA receiver ID. I think we can handle this, too. There's nothing to keep us from adding the capability into the CPP for specifying a Test ID and Qualifier - along with the production pair. This would be done on a Delivery Channel ("EDI Address") basis, with some means to differentiate the production and test (and maybe even "real-time") ISA receiver ID and qualifier pairs. For example, in effect, the CPP would say if you end up using Delivery Channel X, then production data is sent with the ISA receiver field saying NAIC co-code 54901, but a test interchange would be sent with the "mutually defined" ID "54901TEST" - the NAIC with "TEST" appended. This is an augmentation of what we discussed before, where the CPP specifies what's stuck in the ISA receiver field depending on the circumstances; see "Why do we flap our lips so much....," at http://www.mail-archive.com/routing%40wedi.org/msg00438.html, from 12 April. It would be nice if everyone had the ability to process transactions based on the testing indicator as recommended by the X12 User Guides. And that all the information in the ISA would be used for both Production and Testing. Then the only data element to change when going live would be the Test/Production indicator. The problem with this indicator is it is not transaction specific - therefore it assumes all transaction within the interchange are valid for production. This is not always the case - for example, an entity may be in production with sending eligibility requests, but not claims. Also, not many institutions have used the T/P indicator properly. Most organizations didn't setup their test environments to represent their production environments when it comes to sender and receiver ID's. Therefore, a sender may have one ID for testing and another for production - assuming the ID is dictated by the receiver (i.e. via ZZ codes). It's possible that some may consider building x-ref tables to address this and the use of standard identifiers like the D&B numbers. Packaging I believe we are attempting to create a blueprint here for massively enabling communication between "EDI veterans" and a [possibly] large # of EDI neophytes (doctors, labs, DME suppliers, etc.). If the Big Boys are currently using "creative" implementations of the ISA information, I don't think that should deter us from recommending that the ISA be used exactly the way the standard envisioned it. If providers do enable themselves to create X12 interchanges, I would not be surprised to see lots of ISA/ISE envelopes containing a single transaction (e.g., a "real time" 270) or an interchange with 4 or 5 claims in it. Large batches of different transactions with multiple addressees is probably an artifact caused by the mere existence of the traditional form of the CH industry. As the CH industry develops new value-added services to support a model in which payors and providers collaborate more directly through EDI, then I suspect interchanges to get smaller and become more homogenous and more numerous. Portals The Web Services "paradigm" is not exactly analogous to what we're grappling with here. But even if it were apt, shouldn't your conclusion be that the *submitter* (or requestor) do the splitting? - i.e., choose among the (possibly many) "addresses" to forward his interchange to? Yes, the payer - through his CPP - is offering "services" to the provider: saying, in effect, "we do all these types of transactions: 837, 270-271, 835, 834, 276-277, etc." But should the provider have to make the decisions to implement the split - i.e., decide to send the 270 to the payer's designated "real-time" portal, and 837s to the payer's "batch" portal? Or should the payer always make it easy on the provider by saying "Send everything to this one portal," and then separate 270s from 837s for subsequent processing behind the scenes? don't believe that it's practical or reliable **today** to assume that the provider can select or determine how to address and where to send a given instance of a HIPAA transaction. I suspect that many payers' architectures have evolved over the years as new transactions and capabilities were added to their business offerings, and as a result, there are several portals into/out of the organization depending on the type of transaction, the timeframe in which that transaction is to be processed, the destination backend system, and so on. I don't believe it's reasonable to expect payers to totally re-architect their systems environment in the short term, solely in response to the HIPAA transactions requirements. A similar architecture most likely exists at many providers, especially the large multi-facility provider organizations, where disparate and disjoint systems initiate a variety of transactions, and where these transactions leave the organization through several exit points. An ideal architecture would/could be one of a single portal that would have the ability to immediately detect the type of transaction being presented and the expected timeframe within which that transaction should be processed and then appropriately address, envelope, route and receive, parse and process accordingly. But, that's an ideal and not in sync with today's situation. I will be surprised if this is a significant problem. That being said, I do not support your suggestion that this problem be laid at the doorstep of payers. I suspect it is true of most payers that they maintain eligibility on a different platform than claims. In fact, the data is probably on multiple platforms -- one for enrollment style information, another for benefit plan related information, yet another for information about deductible and co-insurance accumulators. That fact notwithstanding, given how much trouble it is to get one translator set up I can't see plans setting up a separate entry point for each transaction. What may occur is that Payors may prefer that transactions from a professional provider (e.g. doctors) go in through a different gateway that transactions from facility providers. This is likely to be true when doing business with a Blue Cross Blue Shield Plan and the member has non-HMO coverage. The reason is historical -- the BCBS Plan probably still is set up with a system for facilities and a system for professionals. However, even there, if you are doing business with a combined Blue Plan and they have been combined for some time, they may have unified their enrollment and eligibility systems. This may also happen with any carrier (Blue or non-Blue) that outsources some processing services. This could occur if the carrier outsources processing of transactions from professional providers. More likely, it could happen if the carrier outsources processing from specialty providers. For example, how many carriers interact directly with pharmacists, as opposed to hiring a PBM to do it? The same is true of behavioral health providers. Many carriers outsource that interaction to another company. Remember that self-funded groups are a wild card. In those cases, it may be the group, not the carrier/TPA that chooses which claims go where. The members may be carrying an ID card that has a logo from a particular carrier/TPA, but the provider may be surprised if they try to send a transaction to that carrier/TPA. That situation is outside the control of the carrier/TPA. It is a good point to document. It is a question that providers and clearinghouses basically need to ask and payers need to try to anticipate and answer. The responsibility cuts both ways -- it can't be laid just at the doorstep of payers. In closing, I offer the following comment as a practical caution. Given the number of claims I have seen providers mess up -- sending them to the wrong address, the wrong carrier, empty envelopes, holding them for months before sending them, etc. and then they go crying to the regulators and legislators and say that the only reason their accounts receivables stink is because of big bad carriers -- I can tell you that if someone suggests that providers don't have to take any responsibility for figuring out where to send things that person will find carriers very unsympathetic. Using the transaction set as one component to determine the destination of an interchange was never defined out of scope. But *requiring* anything other than what's available in the ISA to determine routing would place a burden on providers new to the standard transactions - or their agents (VANs). Altruistically, my concern is motivated solely by the needs and capabilities of the "little" people (providers). Generally, anyone producing standard transactions is aware not only of the ISA sender or receiver fields, but also stuff in the GS and the ST theoretically they could make decisions for routing, selecting the appropriate node in Kepa's DNS scheme. But it might be asking too much of their off-the-shelf practice management software to traverse Kepa's DNS tree (or even to use a CPP type of arrangement). Instead, they (the providers) should be able to dump all their interchanges into one conduit and be assured their "stuff" will get there safely, securely and reliably based solely on receiver ID. If that conduit were a VAN, wouldn't it be too much to expect the VAN to burrow within each and every interchange, group and transaction set to determine routing? It's not impossible, certainly. But, again, why should the sender (or her agent) have to concern herself with each of the variables present in the ISA, GS and ST (and possibly more, if you consider real-time requests which are evident only by looking within the transaction set) and figure it out on her own where to send the interchange? Isn't the ISA receiver ID enough? She has already specified the recipient's NAIC, Plan ID, or whatever, in the ISA. Once it gets to the payer, I think it should be incumbent on him to figure out how to internally route the interchange (or functional groups within). I know I sound like a broken record, but I doubt very much that many providers will be dumping transactions into any VAN. The norm will be to dump the transactions into a clearinghouse. Providers will probably have direct connects to a few payers with whom they do a large amount of business, but the rest will be via a clearinghouse. In many cases, that pre-packaged practice management system will send only to one place, the vedor/vendor's-selected clearinghouse. The software will force a submission route that guarantees a revenue stream for the vendor (not that I like it - it is reality - I have been in touch with at least 1 MAJOR vendor with that plan). I believe that there are two probable solutions for the batch/realtime issue. The majority of the solutions will either use separate channels for the batch and realtime (different mailboxes), or different values in GS02 as suggested in the 270/271 guide. I believe that you are correct that the health plan should make sure that they handle the priorities, but I think the solutions will fall into these 2 main categories. I haven't looked at the ISB to determine its viability as a technical solution. The fact that it is not part of the HIPAA guides is not an impediment, in my opinion. The 997 and TA1 are in the guides, but specifically not required as part of HIPAA. The unsolicited 277 is not a HIPAA transaction but at least some are planning to implement it as a claim pre-adjudication edit report. If willing trading partners wanted to implement the ISB as a batch/realtime solution, that is outside of the current scope of HIPAA and not a problem. The only issue would be that a health plan would not be able to require the ISB in order to accept an otherwise compliant interchange. The ISA06 and ISA08 sender and receiver "addresses" should be unique and not overloaded with extra duty. That's the only way they can be interpreted unambiguously by all intermediaries. In addition, all the information needed for correct processing should be contained within the interchange itself - between the ISA and the IEA - as a self-contained package because it's too much to expect PM systems to support alternate "channels" for conveying information to the payer. And besides, the provider can be anticipated to only have a single "conduit" to the outside world - his VAN - the simplest model for supporting inter-company exchange. Clearinghouse Aggregation It's important to remember that for any one X12 interchange, there's only *one* sender (or submitter) and *one* receiver - regardless of the number of payers or providers whose "stuff" is embedded in a single 837. To get some boundary on definitions, is it safe to say that the sender is definitely the guy who creates the ISA? What can we say about the receiver? I would submit that our job is only concerned with the identification of the trading partners (who may be clearinghouses, billing services, repricers, etc. - not just providers or payers) at the ISA level, and the issues of routing - what's needed to be known in order get the interchange from here to there. What any intermediary - such as a clearinghouse - does with the enclosed transactions (and functional groups) is simply none of our business project scope-wise. Such a simplifying assumption should assist us in maintaining focus. If you're referring to the "problem" of end-points being only payers or providers (or TPAs), I've already given out my opinion that I don't think that is much of a problem. Addressing Clearinghouses can easily be accommodated in our recommendations. I'd go a step further, and say that supporting aggregation can be made a first-class feature of our CPP EDI Address function. Take an example: a sophisticated provider, like Dave Minch, wants to send standard claim transactions to 20 payers. He looks these payers up in the Healthcare CPP Registry, and finds that 10 of the payers are supported by the same clearinghouse, and that claims for any of the 10 are to be directed to the same "portal" resident at the clearinghouse. Normally, Dave could choose to build 10 interchanges, one for each of the payers, shunting them off to the designated CH portal seriatim. The CPP for an individual payer might even specify an alternate EDI ID to be used in the ISA receiver field - i.e., the proprietary CH-assigned payer ID. Now imagine this: the CPP for the Clearinghouse (which has been referred to by the payers' CPPs) says somehow in the Delivery Channel for claims that claims can be "aggregated," with a special Receiver ID to be used. This could be of benefit to both Dave and the Clearinghouse: Dave now can "aggregate," or combine, the claims for all 10 payers (as described previously by Bob Poiesz) into one standard 837. Maybe there's some obscure advantage to Dave in doing this - as if he'd run out of incremented transaction set control numbers otherwise; I don't know - but it's Dave's option to do this as no one is forcing the provider to perform aggregation. The CH receives Dave's aggregated 837, and assuming it's HIPAA-compliant, can then proceed to split and merge, combining other providers' claims (for the same payer) into consolidated 837s for each of the payers. Apparently, some payers find this to be a big advantage in having multiple providers' claims all munged together in the same 837. In any event, there's nothing that keeps our recommendations from elegantly supporting such "requirements." But if a provider wants to send a batch of claims to different payers all bundled up in one 837, for subsequent re-sorting and distribution by his own clearinghouse, then by all means he should have that choice. The 837 HIPAA IG doesn't disallow this (it's silent on the issue) therefore his 837 is still considered "HIPAA compliant." More likely than not, our recommendations have *absolutely* no effect on this practice: the provider has determined that he would rather deal with a Clearinghouse and make a single 837, and has arranged with that Clearinghouse to do the "un-bundling" and aggregation. The provider will probably not be using our recommendations because he has no need to address, and route to, individual payers - he has devolved the responsibility on the CH for finding and routing transactions to the payers. I see no reason to act as if this practice is offensive. It isn't. But it's also one that really doesn't have to be documented in our recommendations, for the simple reason if you always package up 837s for your own Clearinghouse, you hardly have to go about "discovering" its EDI address. It's important to remember that our recommendations are to effect the efficient, safe and secure routing of standard transactions between business partners - to describe a method for providers to discover where the heck they should send the stuff once they've gone to the trouble of building standard transactions. A provider who prefers to always use a CH has no need for our recommendations. Switch Intermediaries If we do address the auditing issue, am I safe in saying that our concern should be limited to making recommendations for keeping track of an (intact) interchange as it hops through intermediaries on the way to the receiver? If so, usage of the TA1 (Interchange Acknowledgment), transaction set 997 (Functional Acknowledgment) and transaction set 242 (Data Status Tracking) are all within our purview. The 997 and TA1 are covered in the HIPAA IGs; the X12 242 transaction is used between intermediaries (e.g. VANs) to say what the disposition was of interchanges as they passed through interconnections. Once an interchange has been opened, tracking and auditing probably relies on application segments (perhaps the 837 Loop ID-1000), and thus is out of scope for this project. Open-EDI Payers will have to be prepared for taking in anything coming along from providers - if they would have taken paper before, they can't put roadblocks up discriminating against the equivalent Federally mandated HIPAA standard transactions! Not only will they have to make available an open portal for receiving electronic claims and eligibility inquiries (advertised in our Healthcare CPP Registry), but they will have to make sure their translators can accommodate ISA senders they've never seen before. 1. It is potentially possible for a payer to receive an electronic claim from a non-participating provider 2. The payer cannot refuse to receive the claim 3. The payer is not obligated to process/adjudicate the claim 4. The payer, in my opinion, should anticipate the potential for receiving electronic claims from unknown providers and have a procedure for dealing with them 5. This process would be no different than what happens today if a payer receives a paper claim from a non-par provider....what do you do with it? The real radical notion is this Open-EDI I'm talking about - though it seems few payers are thinking along these lines. Remember: "A health plan may not refuse to process a transaction simply because it is a standard transaction." I can't but think if a payer would have taken a paper claim (from a par *or* non-par provider), they absolutely must take the HIPAA standard transaction, the absence of a trading partner agreement or "certification" notwithstanding. We do hope that no mis-routing of claims will happen - that's where the Healthcare CPP Registry will help: if you have the plan's identifier, you'll get the correct CPP, which points to the plan's open portal. I agree, up to a point. But I still say that a form of pre-qualification must exist, at the trading partner level. The last thing I want to do, as a payer, is disclose eligibility data about one of my customers to someone not eligible to receive said data, also a clear violation of the only part of HIPAA with judicial recourse. And that puts us back to a trusted relationship with whomever is requesting the information. In the electronic analog of this story, the payer will have to accept standard 837s from the "unknown" OSU. The payer took OSU's paper claim; the law is clear that it will also have to take a file formatted according to the HIPAA IG. Which leads to the need for the Healthcare CPP registry: (1) OSU would have to have some (easy) means of finding Anthem's (free) electronic portal for submitting standard transactions, and (2) Anthem would need some way to find OSU's portal for returning responses (technical acknowledgements, like the TA1 and 997, and application acks like the 835 EOB). I'm NOT saying, under HIPAA, that ANY payer has the option of not accepting a valid 837 based on the provider's non-participation status with said payer. We did have a policy like that some years ago. I believe some other payers may still. It was better for the bottom line to take in as many receipts as we could via EDI, so we dropped that restriction. We have NO intention of restricting submission of claims to participating providers. Our TPA's will not include any restrictive clauses not allowed in §162.915. We are writing our processes to the IG's trying to allow for as much flexibility on the submitters part as possible by including a lot of new business intelligence logic. We will only be including requirements that, if not met, will cause the transaction to be unprocessable by us. While these requirements (primarily codes) are specific to the HIPAA IG's, they correlate directly to elements contained in a paper submission. Bad data is bad data. If a covered entity wishes to conduct a standard transaction with us, we will accommodate their request, set them up and take their data or, if the transaction is an outbound transaction like the 835, we will start routing the data to the portal identified during the set-up. Their claims generation and accounts receivables may not be on the same platform or use the same transmission medium. We are not, in any way discriminating against submitters who want to conduct standard transactions. We have no intention of violating any clauses under §162.925. The closest thing we have here the necessary *adversity* of bullet "(2)": (Allowing us to set-up the submitter in our system in order to reliably conduct the transaction(s)). There has to be some reasonable thought applied to all of this. Certain things are just understood under HIPAA. Certain questions are never asked. Like... If we wished to do away with paper Explanations Of Benefits in favor of HIPAA-standard 835's, must all providers we process a claim for be able to receive an 835? I don't want to see this whole thing revert back to business as it has been done in the past and welcome the automation possibilities available to all of us under HIPAA. We should have been able to do all of this long ago without federal mandates, but we didn't. If we assume, now, that it's just a matter of opening all the spigots, I'm afraid we'll all drown. Q. Would you ever be sending claims to insurance companies you normally never dealt with? A: Most of our business is done under some sort of contract - where we have agreed upon certain rate schedules and service lines in advance with the health plan. We do also operate a regional trauma unit through which we get patients from all over the US and abroad, and we do a lot of billing to payers with whom we have no pre-existing relationship. Q. Would you be doing this on behalf of the patient? - if so, would payment usually go to the patient (on the assumption he paid you up front)? A: Technically, all billing done by us is on behalf of the patient. Financial responsibility is the Guarantor's in ALL cases - even with programs such as Medicare, Medicaid, and Champus. This is because the Guarantor can always authorize procedures and other expenditures which go beyond the care covered by any particular plan. We direct bill payers as a service to the patient (and, of course, because the patient could never figure out how to navigate the reimbursement waters by themselves). It also assures us that we will get the bulk of our payment in a somewhat timely manner. If the patient or guarantor cannot provide us with a verifiable plan prior to delivery of service, then we will bill the patient/guarantor for charges. If they pay, then we are generally done with that account we would not bill after-the-fact on behalf of the patient. What does happen is that the patient will pay some of the bill (or pay deductibles which we later find have already been satisfied), and then present us with a verifiable plan, where upon we will bill that plan (payable to us) and refund any over-payment back to the patient. History It's good that Scott has identified this. Many of us EDI people should have recalled the Open-edi Reference Model and SITG since many of us, myself included, helped to develop these documents and actively participated in SITG (Strategic Implementation Task Group) of X12. UN/CEFACT/TMWG (and its predecessor AC.1) produced a document (N010) the Next Generation EDI Reference Model, which included the concept of discovering the capabilities of trading partner using electronic means. The development of this document started in the 1995-1996 timeframe, evolving from IDEF modeling techniques to UML. This effort determined that Open-edi scenarios could be modeled as use case scenarios. The N010 document was the stepping stone to N090 or UMM as we know it. X12 also has the Trading Partner Profile (X12 838), first introduced at version release 3020 in the early 90's as well. It has several segments that provided information about transaction capabilities (TXN) and information about business applications (ENE) at a company. It was intended to configure new trading partners but few people really knew how to do this, or wanted to, because by that time AI techniques had a bad rap. Auto-configuration was never completely possible, since all the implementation guideline were different. X12's SITG also participated with TMWG to work on both N010 and N090. IBM was invited by SITG to speak at X12 to discuss their efforts on Long Running Transactions, and speaker was our friend Marty Sachs. We thought this was an information sharing event at the time. Most know that Marty's R&D ultimately evolved into tpaML. Open Portals Today, an open door can not work. There ARE security issues and connectivity issues and identification issues and contract issues and validation issues and - well, you get the point. We can not ignore those or just make them go away. But, there must also be a vision for the future. I have had that vision for years, and shared it here. But, that IS very much a future vision today. We should be able to use the internet for open healthcare EDI. But that requires security and non-repudiation solutions and databases that provide identification and routing and validation and connectivity information. We do not have those today. This is not a simple situation. The problem that I see with the current discussion is that we are not actively recognizing that we have a today and a future. The talk often sounds like one side saying "The future is here, accept it" and the other side saying "I am not ready for it". As I recall from the beginning, the focus was on trying to establish a direction for the future vision and to facilitate the move to that future, not to impose the future. And, this group's focus is on only part of the total problem. You make it sound as if payers will be obligated to open their gateways, carte blanch, to any who wish to direct a file our way. While there may, in the past, for some payers, have been requirements that a provider must be "participating" in order to submit their claims electronically or otherwise capitalize on their EDI investment(s), that in no way means that we have to take in a file from entities we haven't entered into a Trading Partner Agreement with and set up in our system(s)(participating or not). If a provider were to unilaterally determine how to route data to us and get it wrong, it would increase the chance that we might be receiving another carriers information in error. There is also the issue of our not being able to process their information or inquiry as certain basic identifiers (part of the TPA) were not used or used correctly. I know it flies in the face of admin simp., but, until all the identifiers are finalized, we will have TPA's that look a lot like what we have today. And by no means did I have say that a payer has to adjudiciate every claim received. Only that there is the potential to receive a claim from an unknown (to you) provider and that you cannot reject it out of hand. You at least have to take it in through your electronic mailroom and then decide what to do with it the same as you would have to do with a paper claim that hit your paper mailroom. This is where the TA1 segment could be used since of course, your EDI system won't recognize the ISA sender (or perhaps it could, if the sender was a clearinghouse with which you already do business and the provider isn't known until you peel back the transaction.) In that case, what do you plan to do? We do anticipate receiving data from both par and non-par providers and processing/adjudicating those claims. If we receive claims from providers we can't identify or discern from what was received, they are not/will not be adjudicated whether they are received on paper or via EDI. Additionally, we reserve the right to not load data into our system that is coming from a submitter (which may be a provider) we don't know. I guess you could say my e-mail server is an "open portal." You never know what's going to come across; see below. Now even without examining the headers (which probably aren't forged, otherwise the spaminator would've discarded the message), I can tell I needn't bother with this e-mail. But it did require me to read at least one paragraph of the missive. This is analogous to a payer simply reading the (purported) EDI file coming in on the open portal: if it doesn't have the correct HTTP or MIME headers, for example, somebody's completely wasting your time, and it can be discarded or rejected with an HTTP response code or bounce e-mail. Same thing if you can't decrypt the S/MIME with your private key or make out an ISA in the body or an attachment. Once you do get the start of an interchange, if the remainder doesn't conform to X12 syntax, a negative TA1 or 997 can be returned. If it looks like good EDI, but doesn't comply with the HIPAA IG, an 824 can be returned. Of course, maybe I have the order things are done all wrong here, and it's certainly more complicated than this depending on the protocol and packaging, but you get the drift. Keep in mind that IETF EDIINT AS1 and AS2 implemented by many commercial software packages takes care of a lot of these details in a well-defined sequence. But suffice it to say, for those payers worried about viruses and fraud, it's clear a scofflaw isn't going to get too far if he can't fake a good transaction with the proper transport and packaging. And if he can fake a seemingly valid 837 using the proper segments, situational elements, codes, dates and IDs, hire him, 'cause a lot of smart folks are hung up over these very issues all over the country. Assume a correctly formatted 837 got past this gauntlet, and it's from an "unknown" provider. For those payers still suspicious of the EDI and any "cooties" contained within, I suppose there's always the option of taking the 837 and printing it out on a HCFA 1500 or UB92 claim form, pretending as if it came in the mail or on the fax! At that point, the payer is home free: there's now no danger of "disadvantaging" standard transactions vis-à-vis paper! Somebody could even make a cottage industry doing exactly this: taking in standard transactions and dropping them to paper. Actually, come to think of it, clearinghouses do this all the time! So a payer, in this case, would have his "open portal" maintained at the clearinghouse - a free conduit unburdened by logons, passwords, fees and subscriptions. The payer's CPP Electronic Partner Profile Delivery Channel ("EDI Address") would simply point to the clearinghouse. Standard transactions coming from "known" partners would be passed through to the payer as EDI, and "unknown" providers would have their stuff dumped to paper. If somehow that makes the payer happy (though Lord knows why), that's perfectly compliant with the law which says nothing about "disadvantaging" unknown or non-par providers vis-à-vis participating providers. I think we've beaten this dead horse long enough. Payers must maintain open portals for accepting standard transactions. The HIPAA TCS Rule requires payers to take in standard transactions on a non-discriminatory basis: no "vetting," no "certification," no "enrollment," no nothing, period. Clearinghouses could have taken care of trust issues between payers and "unknown" or non-par providers long ago, but payers would not hear of it. Kepa Zubeldia and Marcallee Jackson have written about an EDI "Power of Attorney" concept which never gained any traction. This PoA would allow CHs to automatically sign up providers (customers of the CH) with payers, saving the provider the heartbreak of onerous and manual EDI enrollment. See Kepa's sad story at Synaptek (a clearinghouse), in Re: Trading Partner Agreements, from 05 Mar 2002, at http://www.mail-archive.com/routing@wedi.org/msg00296.html. Open portals are not a matter of blind trust. A payer merely has to accept a file purported to be a standard transaction from any source (which could be a BA or CH acting on behalf of a provider); he would still presumably go through the same processes he would with a paper claim. If the file is not a correctly formatted standard transaction, a TA1 or 997 will suffice to express the payer's displeasure. These are text files - no one is asking the payer to "execute" viruses or executables within the transactions. The payer simply has to read the data, and discard it if it doesn't even begin to look like EDI (no ISA, for example). It would be very bad system design to load the file into memory and begin executing the byte codes: that's about the only way I imagine a payer could get bitten with viruses! Key exchange is not necessary before a signed and encrypted file is read. The file is encrypted with the payer's *public* key, which he has freely made available to partners via the CPP Electronic Trading Partner Profile. The payer uses his own private key to decrypt the file. He can authenticate the source of the file by checking the signature against the public key supplied in an X.509 certificate pointed to by the purported provider's CPP. There is no "exchange" of keys: payers are expected to use and support standard ITU X.509 certificates. It is unreasonable to expect providers to use PGP whose PKI necessarily depends on out-of-band exchange of certificates for applying trusted signatures; PGP will be unsuitable for all but the most insular trading communities. Rigorous testing, and perhaps even certification, is highly recommended for providers. But when push comes to shove, the spirit of the law mandates the payer must take purported standard transactions - no ifs, ands or buts. If they're not compliant standard transactions for some reason, the payer is perfectly within his rights to return a TA1, 997, 824 or an e-mail, depending on the circumstances, clearly indicating where the first problem was found. Your company doesn't require me to become "certified" for e-mail before I send my first e-mail to you, does it? No, of course not: if I don't follow MIME or S/MIME conventions, you simply reject the e-mail - even though it eats up some of your precious processor cycles. The same logic attends standard HIPAA transactions: if the provider has made even one mistake, tell him so and then forget about it. Nobody's asking payers to agonize over provider's syntax and semantic errors in the standard transactions. The HIPAA TCS Rule requires payers to take in standard transactions on a non-discriminatory basis: no "vetting", no "certification," no "enrollment," no nothing, period. As Rachel has reminded us, no payer has to adjudicate every claim received - he only has to receive it and cannot reject it out of hand simply because it is a standard transaction. But when H-day arrives, an 800 number is no substitute under HIPAA for processing of eligibility inquiries: all payers must support the 270/271 Health Care Eligibility Benefit Inquiry and Response standard transaction sets. If a payer's support of the 270/271 sucks compared to its 800 number or DDE capabilities, that supposedly is a HIPAA violation (because it would discourage a provider from using the standard 270). Listen folks: I didn't make the law. But at least here in the ID & Routing group, we can try to put together a framework whereby payers can easily support the 271 standard transactions when submitted a 270 by any provider. This is as clear-cut a case as I've ever seen of payers having to take in standard transactions on a non-discriminatory basis: no "vetting", no "certification," no "enrollment," no nothing, period just like the 800 number. Overall, I believe we have the same conceptual picture of what the HIPAA world should look like. But, till we truly have a standard, as envisioned, with all the appropriate identifiers locked-down, we won't be able to play effectively in that sandbox. As a payer, I can say, we are committed to building the best transaction processing capabilities we can. However... Whether we receive an unknown provider identifier on paper or via EDI, the result is the same. We can't process the bad info and need to get a response back to the provider telling them so. How we get the response back is really the only variable here. Of course we could attempt to determine who the provider is with the available information (which we do) and cut a check to his neighbor (which we do sometimes with both paper and EDI receipts), but it's a lot more work for all involved. Of course we'll have the same problems with Employer, Payer and Patient identifiers as well. Just at different levels and points along the way. Clearinghouses and VANs The open-portal concept certainly does not exclude VANs from participating. Sure, VANs have setup considerations for their *own* customers - as do Healthcare clearinghouses. But how often does one sign up for a VAN or Clearinghouse? - probably not too often: you only need the services of one of them (assuming yours can interconnect with other intermediaries and switches). There's nothing in our model to keep a provider from sending all of its standard transactions through its own VAN (or CH), who in turn uses the Healthcare CPP Registry to figure out how to send interchanges to "unknown" payers' open-portals. Likewise, a Healthcare entity may very well host its "open-portal" at a VAN (or CH), and its CPP's EDI Address would simply reflect the address of the intermediary. Ed showed an example of a VAN actually "drilling" into the interchange to discover the functional group to determine whether the interchange would be delivered via "fast-batch" - this is directly analogous to an intermediary drilling into the interchange to discover that an eligibility inquiry was being sent (functional group "HS") and could accordingly use a different EDI address for real-time connect. I'm guessing at the scenario, but this all seems perfectly natural: hundreds of little providers send their claims to a CH in whatever form they can (e.g., paper or proprietary electronic). The CH combines claims from all providers destined for Highmark (or its affiliates) and builds one nice 837 for you. When you receive the 837 from the CH, you politely respond with a 997 to that CH, using the CH's ID in the receiver field. Nice and symmetric. So, who has a problem with this? I didn't ask what the CH's ID looked like, but if it isn't already a globally unique ID like the DUNS, I'm hoping that we can get it there. The closest thing we have to that today is the clearinghouse network. Clearinghouses can take care of these trust issues. The problem is that there is an notion out there that HIPAA is a way to eliminate the need for clearinghouses. When we talk of open portals, that is what tends to be the thought. The reality is that a provider in Wisconsin can get a claim to a payer in New York by utilizing a clearinghouse network (I like to think in the majority of cases). There are definitely issues associated with that, such as a lack of total connectivity among clearinghouses. But I think the alternative is a Healthcare Network of Trust, such as the ATM network in banking. I do not know if that is realistic. And the alternative of blind trust is one that I am not willing to accept. I agree with others on this listserv who have said that VANs and Clearinghouses will/could use the same or functionally equivalent "Special Software", which I interpret to be addressing software that uses CPP addressing methodologies for subsequent distribution on the Internet or Intranet. This "Special Software" functionality would be standard and could be developed by individual trading partners, HIS and PMS vendors and any VAN or Clearinghouse. The business decision concerning whether a trading partner uses a VAN or Clearinghouse, or "Special Software" will in large part be made on price, availability, and ease-of-use (and additional considerations, especially other VAN or Clearinghouse value added services ). However if trading partners, including large and small providers, are otherwise HIPAA compliant, they will use the solution that best meets their needs, and many (probably most) will make the decision largely on cost. Accordingly, to the extent that health plans and/or the HIS and PMS vendors develop easy-to-use "Special Software" and integrate it into their systems for less than what a VAN or Clearinghouse would charge, I suspect many trading partners would use it -- especially if the VANs or Clearinghouses don't provide other value added services. see no need to explicitly focus our recommendations on direct point-to-point to the exclusion of clearinghouses. The discussions to date have talked about Delivery Channels within the CPP which are somewhat capable of supporting clearinghouses. Actually, intermediaries - like VANs and CHs - will be able to use our recommendations just fine. I can imagine a provider contracting with a CH intermediary for all communications. Thus, the CH will benefit by being able to discover where the provider's partners (payers, TPAs, etc.) are automatically - and they certainly won't all be customers of the CH itself. The provider in this case has delegated the task of looking up and discovering CPPs to the CH - which itself is a valuable service (that the CH can tout). But having said that, providers themselves who have contracted with clearinghouses have no direct need for our recommendations. The recommendations will be of most value for providers and payers (and CHs, TPAs, billers and repricers) who wish to connect to each other directly. A clearinghouse can receive 10 837s from 10 providers. Each provider can be sending claims to 10 different payers in their 837. When the clearinghouse resorts and organizes the claims they produce 10 837s for each of the 10 payers that contain claims from each of the 10 providers. Each 837 from the CH to a payer contains claims from multiple original senders. Each 837 from a provider contains claims for multiple ultimate receivers. For what it's worth, the design and requirements of our EDI interface use point-to-point sender and receiver ID's in the ISA. That is, if receiving a transaction from a clearinghouse, that clearinghouse's ID must be the shown as the sender. I expect that we are not the only payer to work this way. Nobody likes sharing their customer list, although clearinghouses, in order to get provider customers need to at least share their payer connectivity list. Internet I wouldn't at all be surprised to learn that the actual situation of how CMS really handles communications is much different than its public policy statements ... and along the lines you outline below. Unfortunately, I don't see anything in the HIPAA final or proposed regs that requires the use of the Internet or any other transport method....only that if the Internet is used, encryption is required. So....I guest that the bottom line is that CMS can choose to go a different direction and not use the Internet, even though it has an Internet policy that would seem to allow it??? While the presentation I made includes a bullet as stated to emphasize the point made during the presentation, the dialog went on to explain the difference between the open internet, use of the internet as a private network when the appropriate security is used, and how confusing this all is to the lay person. The dialog continued to say that Medicare does allow their contractors to offer the use of the internet protocols (not 'open internet') but there are some steps (e.g. 128-bit encryption) to follow before transactions containing PHI can be sent over the internet. These steps assure the secured transmission while using internet protocols, and are specified by CMS for Medicare. The point is that telecommunication exchange of HIPAA transactions is not specified by the regulation and industry interpretation of 'over the internet' is inconsistent. We would all benefit from some consistency here, even if only to understand the terms, our options of 'over the internet', when to secure, how to tell, and perhaps specific design issues/solutions. I applaud the efforts regarding telecommunications - past and in progress. I think this could be a 'sleeper' issue when considering the full suite of HIPAA transactions and workload/workflow transitioning from today's telecommunication networks that are based on direct connections between payer-provider to browser-based connections. Sited from: (Dated July 24, 2001) http://www.hcfa.gov/security/fq011399.htm Can provider and intermediaries/carriers begin using the Internet for sending and receiving Medicare claims and remittance advices? No. Although the policy does away with the restriction on use of the Internet it does not give organizations the authority to begin utilizing this media without obtaining full coordination and approval from all parties in the process, including HCFA. Implementation issues remain to be resolved, and allowances must be made for software and/or hardware upgrades or changes. I would agree that the need to be able to specify a variety of transport methods and protocols goes beyond just what CMS requires....but it's incorrect to presume that CMS prohibits the use of the Internet. See my other post with CMS' current Internet policies Encryption is required if you are going over an open network, meaning the Internet. This was reaffirmed by Bill Braithwaite in Chicago last week, who is now in private practice but was there when the final security rules were written even if they haven't been published yet. But if the network is itself secure, such as dial-in, leased line, VPN, then encryption is not required. Trust and Authentication Though I don't see the AMA providing any VAN services, I do definitely see the value of the AMA-Verisign relationship. The AMA already knows all of their members, and those members' initial contact points. By merely giving the membership list to Verisign, the latter is guaranteed a good list of presumably vouched-for physicians. This information can be used by Verisign in a high-quality targeted "recruitment" of physicians for digital ID services. Since the AMA information is derived in an "out-of-band" context, in-person presentation of credentials (which adds to the horrific cost of digital certificates) might be avoided. One of the uses of these digital IDs might be in EDI: If a payer receives a transaction from a provider, who has digitally signed his payload with one of these Verisign signed (on the AMA's behalf) certificates, it can be reasonably assured that it came from the real doctor (as opposed to an impersonator). How one determines whether a particular AMA certificate correlates with a transaction identified by National Provider ID or proprietary payer-assigned ID is another matter - the devil's in the details! We mustn't lose sight of the role security (and PKI) plays in all of the recommendations we come up with. Even if Kepa's DNS "directory" works flawlessly and effortlessly for locating EDI Trading Partner information given an identifier, it's all for naught if any 13-year old in his bedroom can impersonate a provider (or a payer). The last thing we would want to see is Harry Hacker pretending to be Highmark by commandeering Kepa's DNS node 54771.NAIC.HIPAA.NET: every provider relying on the DNS "directory" wanting to send claims to Highmark could have them intercepted by the hacker if a PKI is not in place! The ebXML initiative has looked at quite a few of the security aspects of maintaining a reliable Registry and Repository (for containing CPPs the ebXML version of an Electronic Trading Partner Agreement). See https://www.oasis-open.org/committees/regrep/. Frankly, I think Kepa's DNS "directory" scheme is considerably less bloated than ebXML's effort, and can be implemented today within the HIPAA community. Having said that, maybe it's still worthwhile to look at the ebXML RegRep to see if there's something we can use or learn from. Digital signatures require digital IDs or certificates which have themselves been signed by a trusted third party - a "Certificate Authority," or CA. Ronald Bowron pointed us last Friday to an example of such a CA, Verisign, who was collaborating with the AMA to certify providers' digital certificates. Presumably, the AMA is the expert in identifying doctors, so this certificate authorization model makes sense on the surface. The Thawte notary model that Ronald asked about has the same weaknesses that any certification service has which is based on in-person presentation of credentials: those credentials are easily counterfeited. For example, the Thawte notaries rely on in-person presentation of a driver's license. I guess it kind of gives you some low-level assurance that an e-mail persona is possibly someone named on the driver's license - and that may be good enough in most cases. You have to ascertain the level of risk you're willing to bear relying on certificates backed by state-issued drivers licenses. The Verisign EDI Digital certificates go a little further, in that Verisign vets the submitted information, such as company name, against Dun & Bradstreet reports and kind of makes sure the applicant really is with the organization he purports to be with. This service costs nearly $1000. Is that good enough for a payer to rely on for validating the identity of a provider submitting claims? Maybe yes, when combined with procedures where checks are mailed only to the address on file for participating providers, or to the subscriber for out-of-network claims. In any event, the methodology - however imperfect - already exists for "verifying the identity of a CE as part of the TPA process." Our proposed system might be able to rely on CA-issued certificates which contain the entity identifiers being authenticated; I think it is out of scope for our group to worry about how those entities are authenticated (by the CA) in the first place. CA-issued certificates should be sufficient for automating the TPA process. The process for obtaining a certificate is not entirely onerous on an entity, especially considering it only has to have *one* digital certificate for trading with *all* potential partners - unlike the horrible burden placed on it if separate paper TPAs have to be negotiated with each and every individual trading partner. For some useful background on Heathcare PKIs, please see stuff about the AFEHCT/WEDi Healthcare Internet Security Interoperability Pilot at http://www.afehct.org/security.asp, and PKI in Healthcare at http://www.healthkey.org/library.htm. One key issue mentioned in the note is sender authentication. The concept implied in the note is that the payer and provider set everything up in advance and establish a means of identifying themselves. That is, they exchange bilateral keys, usually only a log-in and password, possibly accompanied by a particular payer's script. Another means is to use the services of a middle party such as a clearinghouse or switch that establishes identities. But entity authentication in the future can be accomplished with more modern means that do not require the overhead of prior bilateral setup or switches. All payers - not just Blues - are concerned that they can be assured they're dealing only with the "Real McCoy." Identification, based on X.509 certificates, buttresses our entire model. If I'm not mistaken, Denial of Service (DoS) attacks are often targeted at the protocol layer: an attacker only needs the IP address of the "mark" - logon IDs and passwords aren't necessary to commence a DoS attack. I guess a payer might therefore want to keep his portal's IP address or URL a "secret," but how long can you hide this kind of stuff from a hacker? There are technical solutions to thwarting DoS attacks, but they are out of scope for our project. It's incumbent upon the payer's network administration staff to solve this problem using existing methods and technologies. The solution is not to place barriers in front of providers, forcing them to go through onerous EDI enrollment processes just so they can submit a HIPAA standard transaction. When designing the automated Healthcare Registry for electronic partner profiles, we can address fraud only insofar as we can guarantee identity through the use of X.509 technology and CA-signed digital certificates. We can only assure folks that only the entity which "owns" a particular ID (e.g., a NAIC company code, Tax ID or National Provider ID) can create the CPP (electronic partner profile) which purportedly belongs to it. I addressed this issue in Re: Updated CPP Spreadsheet and Model Diagram, at http://www.mail-archive.com/routing@wedi.org/msg00575.html. Re: Fraud and Trust. We can't address fraud, except insofar as we can guarantee (through X.509 technology and CA-signed digital certificates) that only the entity which owns a particular ID (e.g., a NAIC co-code) can create the CPP which purportedly belongs to it. Once you are sure that you have a CPP really belonging to Saint Therese Hospital in Waukegan, our job is done. If Saint Therese Hospital's lack of internal controls result in false or over-billings, or the Insurance company lacks the controls to detect fraud, it's not our problem. All a payer could be reasonably sure of is that the 837 claims indeed came from Saint Therese Hospital, and that remittances, statuses and payments actually are returned to Saint Therese Hospital. Likewise, hospitals would be sure that whomever they sent 837s to really was the payer they intended - as long as they used the correct ID to obtain the CPP. Valid digital signatures of incoming claims would indicate that the payer could trust the claim was coming from whom they thought - not that they can necessarily trust the sending entity itself. We can only guarantee identity on the Internet, not honesty or financial robustness. Since we're going to use X.509 digital certificates to buttress our trust model, we're dependent on the Trusted third-party CAs (such as Verisign) to properly vet entities. If out-of-network providers send standard transaction claims to a payer, I would expect that electronic EOBs would be sent to the provider, and that paper EOBs and a check would be sent to the patient. It only makes sense to send payment to the patient, since in this case the payer only has a contract with the patient - not the provider. Actually, you would think that it would be prudent for the payer to always send some type of paper EOB to the patient, in or out of network, to increase the odds that funny business will be caught. Given the paper EOB, a patient treated in-network might have an incentive to report provider over-billing simply because it applies to his lifetime max. I don't know how you could keep a provider from submitting an out-of-network over-billing to the payer (which would only benefit the patient since she receives the check). It's not my problem - I'm not paid to worry about it. But standard electronic transactions don't exacerbate the problem: these are probably also concerns when using the old HCFA paper form for out-of-network claims. So, much like the Public Trust model discussed in another thread, when does one consider a business entity a trusted entity? How do you determine whether or not payment is valid? In the old days, when a patient was "Out of Network", the physician simply billed the patient. It was the patients responsibility to forward the claim to the payer (this is still used today, my dentists bills this way). The payer then knows that the patient actually did visit the physician and received the services. With the CPP, does this become an automated process? What roll will the patient play, if any, to ensure the claim is sent to the proper insurance plan for payment? How does the Insurance Plan verify that the patient actually received the billed services? When using X12.58 security services, authentication and encryption are done only at the Functional Group (GS/GE envelope) and Transaction Set (ST/SE envelope) levels - the ISA is kept in the clear so intermediaries know where to send the interchange. Note that X12.58 has NOT been addressed in HIPAA at all. If accepted by the payer's translator that would be great - but so far we can't assume either mandated use or acceptance of X12.58. EDIINT, on the other hand, *does* encrypt the entire EDI Interchange including the envelope headers (ISA/IEA) - when encryption security services are applied. Since the routing of the EDI Interchange is point-to-point through the Internet, and not via a VAN or Clearinghouse, the sender/receiver ids are not used in routing so no intermediaries (there are none!) need to see the ISA. By the time an EDIINT package encrypts the interchange, it has already gone through all the rigmarole Kepa proposes and has the final destination address available for the SMTP routing or HTTP post. Certification Payers can require providers systems be certified. They can make this a condition of participating in the payer's provider network. HIPAA doesn't prohibit this. Requiring is also good business sense. Your assumption that payers cannot require providers' systems to be certified is just plain invalid. This just serves to remind me that we need to discuss supporting HIPAA transaction certification in the Healthcare CPP. I definitely think certification can be of real value, but I guess I just want to ensure that certification is not used as an excuse by payers to put even more hurdles in the way of providers, causing unnecessary manual intervention or creating onerous enrollment requirements. If certification credentialization can be automated - i.e., the third-party certification service could digitally "sign" the credentials in the party's CPP (electronic trading partner profile), which could be examined automatically - then I might be a lot less concerned. Remember: eliminating all friction points which have to handled manually - with pairwise negotiation - is one of our biggest problems to solve! I would like to ask the folks writing the working paper describing the Elements of a Healthcare Collaboration-Protocol Profile (CPP) - Marcelee Jackson (who may not even know she was "volunteered" to work on this since she was absent from the Friday, 08 March teleconference), Dave Minch, Dick Brooks and Chris Feahr - to add certification credential verification to their list of requirements. I'm of the (perhaps minority) opinion that payers can't mandate certification of providers: if a standard claim comes into a payer, I can't help but think Administrative Simplification requires the payer to take it into adjudication. Testing is obviously important (for anyone with sense) - and I can see where not only does a payer want to ensure all his systems are "go," but would like to be "certified" to cover his "behind" in case a provider claims they tried to send standard transactions which were rejected out-of-hand by him. I don't expect providers have the same fear instilled - the worst that will happen to them is to have non-compliant standard transactions rejected, which they can then fix up and re-submit. It's not, like, y'know, a payer is going to stand up and complain to the government that this wretched little provider is screwing up in every way asking for his money! Nobody says the health plan has to "debug" the provider's non-compliant transactions: all the 997 has to do is report the first X12 syntax error encountered and reject the entire transaction set, or all the 824 (when we get one) has to do is report the first problem inconsistent with HIPAA, and refuse the transaction. There should be no back and forth "debugging" (on the phone), as long as the 997 and 824 are used correctly. Certification. "Certification," as we use it in WEDI/SNIP, is defined in the Testing ("Transaction Compliance and Certification") whitepaper. It only "certifies" that an entity is capable of sending (or receiving?) syntactically and semantically correct standard transactions. The second key issue is credentialing of trading partners. I don't think we are intending the CPP to get into that territory. But just as smaller payers now use services to assist them, there might develop more widespread third party credentialing, for example, a signed certificate on the CPP or other registry by a trusted third party that the entity is in fact a good citizen doctor, licensed and all that. Such certificates are not guarantees but certification that certain documentation was attested to, for which there are fraud laws and other protections. I don't know, but I would not be surprised if the credentialing now being done, except by larger payers, is possibly a little lower quality than folks like to think. There may well be room for improvement. The note includes "nor have I tested to ensure your data". I believe that third party transaction certification beats individual testing all to pieces. That is the substance of my paper "ROI: Economics of Transaction Certification", which I'll send to anyone who would like it. The idea is that a trusted certificate by a professional firm is posted to a directory for access by trading partners. With regards to "Certification". "Certification" will not guarantee that the transactions are not fraudulent, only that they are properly formatted and contain valid content based on the standards. Not that the content is appropriate for payment. I have to agree with Rachel. Nothing in the regulation prohibits requiring a trading partner to prove that he or she is capable of sending a compliant transaction. It was mentioned below that Payers are permitted to test with providers. We view certification as an initial step in testing. If a provider cannot show evidence of certification and we test with them, then past history shows that we will spend a lot of time and effort to help the provider debug their program. Our position is that the provider should offer some evidence that they have a compliant transaction before we commit the resources necessary to perform testing. Also, keep in mind the current level and nature of dialogue between providers and payers. Providers are very shrill in criticizing carriers for claim payment processing -- even to the point that they are launching class action lawsuits, filing complaints with regulators, and seeking new laws and regulations. I suspect payers are going to want to insist that providers are capable of sending truly compliant claims so that the money payers are investing in becoming HIPAA compliant results in the efficiencies we are seeking. Otherwise, if the transactions just result in more bad claims coming in faster, it will exacerbate not reduce the current tensions. Trading Partner Agreements This maybe outside the scope of this group, but I need help understanding TPA's between a payer and provider. I get VERY nervous when I hear folks talking about providers entering into TPA's with payers because this process can be incredibly labor intensive, drive down EDI transaction volume, drive up the cost of EDI implementation and expand the time frame to implement. From a provider perspective, if a provider chooses to contract with a clearinghouse, the clearinghouse is its trading partner and will provide a TPA defining requirements for exchanging transactions. The provider should not have to enter into a proprietary individual TPA with every payer with which it might ever need to exchange a transaction. This is of particular concern because when these proprietary agreements are required, the cost of managing the process is disproportionately assigned to the providers and their clearinghouses. So, off the soap box and to the question - Why would a TPA be entered into between the payer and provider rather than between their third parties? Our legal area is not on the same page with the people that say we can do business without an agreement between the provider and the payer. In fact, this is a topic that has had EXTENSIVE debate here. The reigning opinion is that HIPAA will be forcing all payers toward agreements with the provider, not eliminate them. What I (and others) have been advocating here is that there is a need for only two authorizations from the provider. One as a general trading partner to cover legal and other issues for all transactions except the 835, and a separate contact for authorization for the 835 (this does not necessarily mean a hardcopy document). There are people (legal types mostly) that want separate authorization for each transaction. An initial authorization is necessary to start the relationship. That will include an agreement and reference guide that identifies all items about the payer that are allowed by section 1.1.1 of the HIPAA guides. At that point, all of the HIPAA transactions to date except the 835 are provider initiated. If the provider sends 837s, then the provider wants to do claims. So, once the electronic relationship is setup, the use of the transaction identifies the request to use the transaction. The 835 is payer initiated, but only at the request of the provider. To send it out automatically would not be appropriate. The provider can even want the 835 without sending an 837, so we don't have any 'trigger' except the provider's request for the 835. Since the 835 route to the provider is not a given (it could be a bank that does dollars to data reconciliation for the provider), only the provider can tell the payer where the 835 should be sent. On the other hand, I do wish to point out that when the federal government, most notably the Department of Defense, went full bore into EDI in the early to mid 1990's they initially required that each supplier to the government execute an EDI trading partner agreement. This was a huge failure and in fact, became a major barrier for getting the hundreds of thousands of suppliers willing to engage in EDI with the feds. Within 6 months the feds abandoned the requirement for an EDI trading partner agreement. Other industries also recognized the barrier an EDI trading partner agreement became when trying to establish EDI information exchanges. So, I would just urge health care to not rush into a business model that clearly didn't work for other industries, including our beloved federal government, without fully examining and understanding the impact and issues that will result....this is a prime example of beware of unintended results! I can vouch for Kepa's comment regarding many payers. We are a relatively small Health System, but we have over 2000 payers in the insurance table of our largest provider. Even if I assume that each company has at least 1 alias, that still leaves over 1000 profiles. That means if I want to send directly to each payer, I need to negotiate 1000 TPAs, perform 1000 tests, set up 1000 trading profiles, and implement however many unique transports to deliver the claim payloads to the "first hop" recipients. And I'm just 1 provider (well, actually 15) -- think of how many of us are going to be knocking at the payer's doors. Are you guys ready??? Then I shall simply pray a whole lot that if any one of the links in this frighteningly fragile chain of mail carriers decides to change transports, methods, passwords, encrypting, etc. that they give us good advance notification, and that the information they communicate is accurate, and that they don't decide to change things at the last minute..... Mess?? you got that right! Lets see.... If I can average 3TPAs per day, and get them all set up for testing it should only take me 15 months to get all 1000 ready by 4/16/03. I guess I can just make it if I start tomorrow... Does any of this sound as absurd to anyone else as it does to me????? "[if] HIPAA will end up forcing agreements between each provider and its payers, then the questions about who should be identified on the ISA becomes moot." There would be no point in us spending our time figuring out automated ways to share trading partner information (such as electronic addresses) if paper TPAs were required: this information (the ISA Identifiers and the electronic addresses) could just be placed on the same (expensive) piece of paper. The issue of Trading Partner Agreements arose in the Business Issues Teleconference yesterday. Discussion led me to believe that it's still unclear whether paper Trading Partner Agreements will be needed or desirable under HIPAA. For background, you should definitely look at the WEDi document "Trading Partner Agreements: A White Paper Describing the Business Issues and Recommended Solutions Associated with Trading Partner Agreements," by Doug Renshaw. It's available under "Transactions Workgroup White Papers" at the WEDi/SNIP site at http://snip.wedi.org/public/articles/Trading113000.pdf. The topic came up because one of the callers wanted to know how - other than by using a TPA - a sponsor (employer) would know whether to send to the payer a full compilation of enrollees, vs. just the changes since they last "talked." Other things a TPA might be required to resolve are the situations (as in "situational") where data is expected or desired. Fortunately, there seemed to be nothing in the discussion of a legal nature - i.e., everything was technical, which means a mechanical or electronic Trading Partner Agreement might suffice. Besides these issues the caller brought up, I wanted to see what Doug and his team came up with. His document is an excellent compendium of the situations calling for agreement ahead of time. But, fortunately, I saw nothing which could not be mechanized! Though he had the usual stuff like specifying communication protocols, Clearinghouse designations, and agreements on maximum numbers of claims (e.g., 5000 claims in the 837), he mentioned nothing that would require Lawyer Man to get in the way of real business. I probably can't emphasize enough how paper TPAs will gum up the works in automated partner recruitment - to the point where our work in the WEDi/SNIP ID & Routing Special Interest Group might be rendered moot. What's the point of automated "discovery" of trading partner technical requirements (communications and protocols) if that stuff may as well travel with the paper TPA? Marcallee Jackson has confirmed that signed paper TPAs would involve so much overhead that they "will cause the labor costs associated with EDI enrollment to sky rocket." Rachel Foerster has also related the story of the (bad) experience with TPAs when required by the Federal Government. Even though we have sub-projects for looking seriously at the ebXML CPP (basically a mechanical Trading Partner Agreement or Profile) and the 838 - led by Dick Brooks and Dave Minch, resp. - I'm suggesting that we move the concept of Electronic Trading Partner Agreements to the front-burner. If we can mechanically represent in them everything Doug has enumerated in the white paper, we'll be better prepared to fight the conservative tendency to require paper TPAs. Electronic Trading Partner Agreements fit into our scheme quite elegantly, in that Kepa's DNS "directory" would be used to find a trading partner's profile based on identifier. The profile itself would, in addition to the stuff mentioned in the white paper, have the technical routing information for interchanges. In effect, you'd be "discovering" electronic trading partner agreements, not "inboxes," "portals," or "front doors." EDI enrolment Today providers who use a CH complete 3 - 5 TPA/Enrollment forms - Medicare, Medicaid, BCBS and Champus are payers that almost always require agreements. In my experience it takes an average of 2 - 3 weeks for a CH to receive completed paperwork from the provider and an additional 6 - 8 weeks for approval from the payer (though BCBS often approves in 2 - 3). It takes providers as long to complete their part of the enrollment paper work for these payers as it does for most to complete testing, implementation, training and full production for payers who don't require it. That's if the enrollment process goes well. Many payers are very particular when it comes to their agreements. Some require the signature of every physician in a group (imagine that if you have 50+ physicians), most require a listing of every group number and provider ID, some require social security numbers, some that the agreement be sent in on a particular color of paper, others that only a particular color of ink may be used and most will reject the agreement for any error. Each agreement is proprietary. It often takes 2 or more attempts before the provider gets it right. The whole process is an incredible hassle. In other situations, the payer does not require a written agreement between the provider and payer but does require the CH to obtain authorization. This process, while still time consuming, is far easier than the one described above. I am strongly in support of TPA's combined with COT's and entered into only by the parties directly exchanging data. It also seems that some sort of power of attorney between the provider and CH should be sufficient to allow the CH to auto-enroll its clients with the payer, particularly for the simple exchange of data. More complicated data exchanges, such as EFT or split routing, may require a more manual process but those exchanges are not common today and not likely to be in the near future. I stress that the vast majority of payers today do not require any TPA or enrollment process between themselves and physicians who bill through a CH. These include payers such as Aetna, Cigna, United Healthcare, Coventry Healthcare, Humana and Prudential. I'd suggest we look at their current model and find ways to keep it. AFEHCT is very interested in this issue and I believe is also planning on a work group. 1. Electronic TPAs - machine readable documents that outline information proprietary to the payer; e.g., information on routing and information related to proprietary requirements for HIPAA transactions (stuff that would normally be part of a companion guide). 2. EDI Enrollment - This is a process today that requires the provider to sign an EDI agreement before exchanging transactions. This is a time consuming process and a barrier to fuller utilization of EDI. It's of particular concern to providers and clearinghouses since many health plans seem to be planning on this same requirement which could dramatically impact cost and timelines to implementation. Among other payers, every Medicare intermediary requires this process today. The primary question would be - is this legal post HIPAA? If yes, then the second issue and third topic here would be: 3. An EDI Power of Attorney - This would allow a provider to assign their clearinghouse power to enroll them with other trading partners (clearinghouses, payers, etc) for the purpose of exchanging healthcare transactions. 2. But since then, Marcallee has certainly convinced me that if the TPA "problem" cannot be gotten out of the way, then automated trading partner "discovery" has less value. As far as I know, we are the only WEDI/SNIP group worried about this issue - the impediment of paper TPAs - at the moment. If in their wisdom, the Business Issues SWG management finds it prudent to create a new group concerned with ways to lubricate healthcare e-commerce by eliminating or ameliorating the delays in trading imposed by paper TPAs, we in the WEDi/SNIP ID & Routing SIG will defer to that decision. In the meantime, I'm only too happy to see Dave and Marcallee succeed in developing a Clearinghouse Power of Attorney or the "WEDI Accord on TPAs" - if only to prove my good friend, Kepa Zubeldia, wrong for once in his life! We wanted to let you know that some progress is being made on the trading partner agreement front concerning the legal ramifications of creation of an entirely electronic eTPA. Yesterday William Kammerer, Marcallee Jackson, and I held a conference call with 3 legal types from the law firm of Davis, Wright, Tremaine (DWT), who have volunteered to provide some level of assistance to us pro bono as we wrestle with the non-technical privacy, security, and fraud-potential issues surrounding creation of an automated eTPA. The question posed to the teleconference group was "how can DWT work with our WEDI-SNIP workgroup"? We discussed our plans to move the industry toward an "electronic TPA" rather than (in place of) signed paper agreements. The TPA we have envisioned includes technical communication protocols, security and encryption, and potentially even the "companion guide" type of information all of that being generally classified as the "technical" business arrangement between the trading parties. Our most pressing concern is: even if we can get all of the nuances of the "technical" business arrangement included within our electronic definition, will there still be overriding legal barriers which will still require each trading partner to negotiate and sign a paper document to comply with the HIPAA regulations. DWT explained how business agreements can be implied under the UCC. As a simple example, when a customer sends an unsolicited order to a supplier, and the supplier fills the order, there is an implied business agreement under the UCC. DWT also indicated that there is now an extension to the UCC which is being adopted in most states that specifically addresses electronic business exchanges. After some discussion, their suggestion was that if we could promote a health care industry-wide accord, that it could act as an anchor point for creation of the compliance portion of the paperless interchange agreement and would embody language which safeguards the participants. Our next steps will be to work with DWT in drafting a "talking paper" over the next 3 weeks which lists some of the key elements that such an accord would have, and how the accord would be used in conjunction with the UCC to satisfy the regulatory needs (privacy/disclosure of PHI). Stay tuned... Regarding your question: "what will a provider do to get transactions to Highmark when he is fully HIPAA capable and doesn't want to pay the freight (of a Clearinghouse)?" We welcome providers or their billing agents to submit claims to us direct. We assign them an EDI Trading Partner number (proprietary number) and give them instructions on how to dial in to our EDI interface. This is how we connect today; I am not advocating our process as the best mechanism for the industry moving forward. Requiring prior setup excludes the more occasional trading partner. There are reasonable conditions in which a payer could agree to accept a claim or other transaction from an infrequent provider, provided the technical means for doing so is less hassle. Q. What do you think about onerous EDI enrollment processes and "certification"? Don't you want all these artificial barriers put up by the payers removed?" A: You can bet that I don't like it one bit. Remember, I have 16 different entities who send bills, and two entities who receive them. Multiply 16 times the 500+ payers we correspond with and you can understand the problem (technically, all entities don't deal with all of the payers, but the subsets are large enough!). Now the other side of my equation is that I receive claims (i & p) into two of my entities (including receiving them from my own senders). As a receiver, I have to ask myself, how much time do I want to spend dealing with paper TPAs and cert testing before allowing a provider to send x12s? The tradeoff is posting my CPP and letting claims flow in, and reject any that aren't HIPAA compliant. Since my chosen software can do a complete HIPAA check (similar to what our friends over at Claredi do), I'm banking on the fact that i'll spend a whole lot less time in auto-rejecting malformed batches/claims, and misdirected claims than if I did the manual TPAs & testing. The one caveat is that i'd like to have my TPs certify with an outside agency such as Claredi before they start sending to me (less rejection processing if they get their act cleaned up ahead of time). We should be able to incorporate a cert_id into the CPP/A. His point may be that since a known (or participating) provider will have gone through a vetting process - and signed all sorts of papers - that adding a few more pieces of paper related to electronic claims submissions isn't that burdensome. Compare this to Marcallee Jackson's comments from 23 January on EDI enrollment, where she inveighs against the practice of having providers enter into a "proprietary individual TPA with every payer with which it might ever need to exchange a transaction." Our whole project here is predicated on some assumptions: viz., that 1) onerous setup and EDI enrollment is a real problem, 2) it can be automated, and 3) the solution is secure. Even though it may not be a critical factor - in that who wouldn't prefer an EDI enrollment process that was automated, secure, and needless to say, inexpensive? - the HIPAA law could be read in such a way that onerous (i.e., manual) EDI enrollment is an impediment to Administrative Simplification. My opinion is that if a payer would accept for processing a paper claim (payable to either the provider or subscriber), it must take the equivalent standard transaction set. And just as importantly, it must provide a non-discriminatory "portal" for exchanging standard transactions. What we definitely wish to avoid, I believe, are onerous EDI enrollment procedures, negotiated TPAs, and other sundry hurdles and hoops placed in the way of providers who merely want to use the standard transaction sets. Not only are these processes exceedingly manual, but they may take months to consummate (per Marcallee Jackson) - surely an impediment to frictionless e-commerce if there ever was one! Doug Renshaw, of Highmark, said yesterday "We welcome providers or their billing agents to submit claims to us direct. We assign them an EDI Trading Partner number (proprietary number) and give them instructions on how to dial in to our EDI interface. This is how we connect today." Fortunately, he adds: "I am not advocating our process as the best mechanism for the industry moving forward." A common case will involve claims coming in from one of a payer's participating providers who has never used EDI before. Remember, HIPAA says you have to take their claim if presented in a standard electronic format - and that presumably means without placing any onerous hoops to jump through, such as TPAs, EDI enrollment, or waiting around for payer-assigned IDs, logon IDs and passwords. Less common would be a claim from a non-par provider, who wants to send a claim to be paid to the patient (who does have a contract with the payer) - one with whom the payer has absolutely no leverage and to whom the payer *must* provide a means of submitting standard transactions electronically. EFT Re: Sharing financial information like routing codes and account numbers. Providers who have set up debit blocks, as NACHA's Priscilla Holland talked about, could safely place their account information in the CPP; see "Electronic Funds Transfer and Security" at http://www.mail-archive.com/routing@wedi.org/msg00570.html, Others will probably have no choice but to use some kind of notation to indicate where a payer could obtain that information, e.g., an e-mail address or telephone number - necessarily involving a manual process. Even if we had a fool-proof method of protecting the registry from read access except by "vetted" participants, most people (providers) would still feel uncomfortable sharing that information. I don't know any way around that issue! Except if, as I suggested, the 837 were changed to include it so it could be sent directly from the provider to the payer (encrypted or over a secure channel). A REF segment, in the Pay-to or Billing Provider loop, can handle this. The following says, in effect, bank account number 26000001538215 at Fidelity Federal Bank & Trust of West Palm Beach, Florida (ABA No. 267087358): REF*11*26000001538215**01:267087358~ Some people wouldn't even like that (i.e., the provider giving the EFT information directly to the payer via the claim). Bruce T LeGrand, my "Deep Throat" Blue contact, says: My EDI portal is not secure. Since I support dial-up, NDM, FTP, .. .. ..ad nauseam ad infinitum, my process is fairly open. And I don't care. If a provider identifies himself to me properly in a claim, there is no way anyone can spoof me into sending the payment somewhere it is not supposed to go. I verified that initially with him and that data is secure within my system. If it comes in the claim, it can go anywhere. This is not a secure network like the banks have, and I don't see any reason why we should incur the costs of that on top of everything else. When I move money, it will be the bank portals that service that transaction. Thanks very much for this information about the banking world... as unsettling as it is. It may turn out that other CPP information about payors and providers will have to be semi-restricted as well. I noticed, for example, that some Claredi customers have chosen to restrict public access to some of their directory fields, even though the information looks pretty harmless to me. Of course, the whole point of our CPP record is to make it widely available... but to one's potential partners... not necessarily to one's "competition"... and maybe not very much of it in one query, no matter who you are. I would expect payments in most low-volume or CPP-initiated trading relationships to continue to be paper checks for the next few years... mailed to the address in the CPP record. In the hi-volume relationships, it will probably be necessary to send a voided paper check, sign a few forms, etc. in order to set up a direct-deposit, electronic payment arrangement anyway. So all we may need in the CPP record now is a place to indicate preferences/abilities with respect to electronic payments. I think this settles the matter, though it's disappointing that banking account "security" relies on keeping these identifiers semi-secret. Perhaps we can accommodate protection of the financial account information in the directory some technical way to ensure it is revealed only to legitimate payers (insurance companies) - by restricting it to only those folks who possess a directory entry themselves or somesuch nonsense. Or the 837 claim could be changed to send the provider's routing and account numbers for EFT payments directly to the payer (I was surprised it wasn't there already), bypassing the Healthcare CPP directory altogether. CPP CPP is a Collaboration Protocol Profile CPA is a Collaboration Protocol Agreement Companies define their E-Commerce capabilities and operational parameters in a CPP. When two companies want to setup a trading relationship they exchange CPP's. If there is a match in capabilities then the two parties agree to form a CPA which describes how they've agreed to conduct E-business. A CPP typically has contact information, EDI addresses/identifiers and other information. I like to think of the CPA as the intersection between two CPP's. The CPP/CPA is all about the rules of electronic engagement between two trading partners, with the CPP describing what you are capable of doing and the CPA being an "agreement" between two entities regarding what they **will** do. For any who have attempted to wade through the CPP/A Specification (are you listening, Chris Feahr?), it does seem daunting (at least to me). But more likely than not, Dick and Dale will probably figure out some way to use the CPP as a "template" just like what was done in the Open Travel Alliance, where we "hang" our stuff off of it. Even if we just use one or two parts from the CPP (such as the Delivery Channel stuff which is an XML'ized means of expressing Peter Barry's "EDI addresses"), and design XML schemas for documents we refer to from the CPP, both of our groups will have a "victory" that can fuel many a press release. There is indeed "versioning" in the CPP - that for the CPP schema itself (i.e., the version of the OASIS CPP specification), and for other related OASIS specifications. But I'm not sure whether there's also a capability to "version" the "instance" of the CPP, though. In any event, it's a real requirement for us to have some mechanism to tell whether the CPP electronic partner profile has changed at all. I don't envy you reading all that OASIS stuff! I might warn you, though: when you read up on the ebXML CPP, it looks big, ugly and complex - and most of that stuff is irrelevant to traditional EDI. Actually we might end up using only two or three things from the existing CPP schema (e.g., Delivery Channel, Certificate Management, Party Definition), and be off on our own devising a (general-purpose) legacy EDI extension. I would suggest putting aside the OASIS ebXML CPP specification. I think it will only confuse us for now. We really need to build our own requirements based on *our* needs - including everything we'd want to see in a partner profile if we were starting from scratch. It can be organized any way (UML diagram, spreadsheet, Access Database) that floats your boat. Then we can take that list and give it to the OASIS CPP/A group and let them help us to retrofit the existing CPP to allow for "legacy" EDI extensions. We might have to "educate" the OASIS CPP/A group on "legacy" EDI and Healthcare Transactions so they see just how this old message-centric stuff works! Dick Brooks and I joined the OASIS CPP/A group on a teleconference call last Tuesday to apprise them of our status. I think we're on the same wavelength, in that we agree much of our EDI partner profile stuff will be in an XML document of our own schema design, XLINK'ed from the main CPP. Our stuff will eventually turn into the OASIS ebXML "legacy" EDI CPP extension schema. I may have forgotten to confirm with Dale Moberg, Chair of the OASIS CPP/A Technical Committee, but I believe that WEDI/SNIP is the first group in the world attempting to make ebXML work with "legacy" EDI. Given that HIPAA transactions are X12 only I would suggest that this group elect to use a "file transfer" business process for exchanging HIPAA transactions and avoid the complexities of the "deeper" business processes (Claim/enrollment business processes within the CPP). A lot of this security and certificate stuff is already in the ebXML CPP, though I don't know how inextricably it's tied into the business process or transport mechanisms - neither of which we'll probably be using in our recommendations, unless we come up with a default "legacy" EDI business process. In the matrix Chris developed for the Elements of the Healthcare Collaboration-Protocol Profile, please distinguish between stuff which is native to ebXML (I suspect this includes certificate handling) and that stuff which is completely new and not thought of by the ebXML people. We'll have to have some organized manner, perhaps in the form of a "subsidiary" schema, to give the OASIS ebXML Technical Committee to show our new elements which pertain to Healthcare EDI. Actually, is there any possibility that our "kind" of stuff (e.g., which transactions are supported, with their start dates) is more properly part of a Business Process rather than an ebXML CPP? If so, then we might also have to "liase" with the UN/CEFACT ebTWG eBusiness Transition Working Group, at http://www.ebtwg.org/ - providing yet another opportunity for "volunteers" who are looking for work to do. Funny you should mention that. This is exactly what we did in the Open Travel Alliance B2B specification (http://www.opentravel.org/. I'm currently working on an Energy Industry specification that *automates* trading partner setup through the exchange of "profile documents".. the CPP is simply an instrument to create the CPA which is the electronic equivalent of the trading partner agreement. I would certainly agree with all of the payer comments regarding trade with "unknowns", but the CPP exchange is our electronic (but certainly applies to semi- or even non-electronic) equivalent to "discover" information about the prospective trade partner. In my second paragraph of the "Conceptual Schematic" paper I state: "The data sets to be communicated should be comprehensive enough to allow for a fully mechanized (no human) interaction, but the communication of such information does not necessarily have to be in a single transaction. In other words, exchange of all data necessary for loading trading partner tables and initiating EDI trade can be in multiple exchanges. The first exchange to identify and gather basic information, and a second and third more secure exchange to provide sensitive information which is not meant for display in a public setting." I would further emphasize that if we assume for the moment that all data and signatures needed to create a physical TPA can be "computerized", then the CPP, even if printed out and snail-mailed back & forth can constitute creation of a trade agreement. We definitely need to realize that most of us will need transition time between the ultimate electronic future and where we are today (which is with a file cabinet full of paper agreements). The transition will be gradual as many people have observed, but we still have to paint the target to shoot at. I propose that we take the conceptual model that we are working out, and apply it to a few real TPAs to fill the gaps. Then have all of you out there with TPAs do the same. When we are done, we should have a pretty comprehensive list of elements, and a pretty sound structure from which to build. In the future state, when a transaction arrives from an unknown, the unknown's CPP can be accessed as a first step, and a CPP exchange can ensue (whether automated or manual or somewhere in-between, as internal company policies dictate). Through that process, the prospective trading partners may discover that they really don't want to do EDI. That's OK. But the legitimate providers & plans who do conform to the CPP standard & protocol even if in a manual process - will have a much simpler way of consummating an agreement and beginning EDI. History Thanks. I stand corrected and also heartened to know that the X12 838 did inform the work of the CPP/A effort. I remember the years (yes, years!) of debate and rancor that the development of the 838 went through. It was one of the most emotional and controversial efforts of X12 before Y2K hit us! Dave did compile trading partner data attributes, and provided a synopsis on the listserve. He was unable to really map to the 838, which we needed to know so we could honestly say we considered the 838 we tried to eat our own EDI "dog food" and found it wanting! The matrix Dave shows will probably be useful to you in devising your CPP elements to describe partner capabilities. Design suggest that the CPP elements be designed in a more general fashion. For example, instead of a number of elements like "ExpectedTestDate837I," "ExpectedTestDate837P," "ExpectedTestDate837D" and "ExpectedTestDate270," perhaps an overloaded "ExpectedTestDate" element might do the trick where the functional group (e.g., 004010X098 for the 837P) is specified as an attribute or subordinate element. This would better accommodate mechanical processing of the XML elements in the CPP, and further, make our CPP generally applicable to all "legacy" EDI as opposed to simply Healthcare. Until translators are CPP enabled - i.e, they can update their trading partner tables with information from the CPP which has been automatically "discovered" - the sender can manually lookup the CPP and update his own trading partner files. I don't think that's particularly onerous, and he can do it all by himself. Having it automatically done by the translator is just icing on the cake. Transaction Support Every health plan, if it does electronic transactions at all, will be required by HIPAA to support the 835 - both the Health care payment and the remittance advice. So every payer, after H-Day, which uses the Healthcare CPP and Registry (implying it is EDI capable) will have some kind of notation in its CPP (electronic partner profile) saying it supports not only both forms of the 835, but also all of the other HIPAA standard transactions applicable to their business. The more variable side is that of the provider: generally it's optional for her to support the HIPAA standard transactions. She may support the inbound 271 and outbound 270 and 837, but prefers paper remittances and checks. It's problematical whether she really has to announce in her CPP that she sends 837s: the payer will know that when it receives one from her! But the payer does have to know which standard transactions the provider can accept; silence on the 835 would imply she doesn't support the 835 remittance. Now even though she doesn't take 835 EOBs, the provider may very well want to be paid electronically through her bank: our CPP extensions have to support some way of saying EFT payments are accepted, specifying her bank routing code and account number. it seems to me after re-reading the 837i IG that while we can make the recommendations regarding use of the GS for routing, this, also, is in the domain of the quasi-automated TPA, and can easily be accommodated by the CPP, even if the CPP for some payers ends up being a .txt file emailed to a requesting provider (i'm not advocating that approach, just recognizing that it will most likely be an evolutionary step toward the goal). Once the provider receives the CPP, whether emailed or picked up from the payer's registration, the next step may well be manual update of the trading partner configuration in the provider's software. Business Processes I'll warn you, though, that there probably isn't too much in the CPP/A specification that we can use directly "out of the box" - most of the baggage in there is to support Business Processes and Messaging Services, with nothing at all practically for "legacy" EDI support. That's where we come in: as far as I know, we're the only folks who are working to make the CPP support traditional EDI in a first-class way. Except for the DeliveryChannel stuff in the CPP, you may be on your own for defining partner capabilities as they apply to EDI. I propose that we learn to walk first by defining a simple "file exchange" business process that will allow organizations to exchange HIPAA compliant transaction files (per one of my earlier e-mails). There is nothing to prevent implementers from evolving their systems to become more integral with actual business processes (e.g. real time enrollments) in the future, but this is much more challenging achievement. Any kind of "response timing" would probably apply at the transport layer. Though some kind of service level agreement for application transaction set processing would be nice - guaranteeing that real-time 270s are turned around with a 271 within 2 minutes, or that a claim will be processed and definitively rejected or accepted within 24 hours - I don't see the need for it right now to be specified in the CPP. I do think it would be reasonable to have a specification which says TA1 and 997s will be returned in a certain period of time. But as long as providers can query on the status of claims with the 276, or payers can keep them "posted" with the unsolicited 277, application response timing is overkill. Application level things like "timeToPerform" in the ebXML CPP pertain to Business Processes, but I really don't think we're going to be able to apply more than the most rudimentary "default" business process to primitive "legacy" EDI messaging. Actually, I really have no problem with the way primitive "legacy" EDI works, including the HIPAA standard transactions. But I'm still in the habit of saying "legacy" because you look stupid - or just don't "get it" - if you fail to sneer at EDI in front of Venture Capitalists! Unfortunately, in a message centric system like the HIPAA standard transactions, there's really no "Business Process" evident at the interchange or transaction set level. See the thread entitled "Requirements Gathering - Information Flows", especially my messages from 02-16 and 03-01, at http://www.mail-archive.com/routing%40wedi.org/msg00219.html and http://www.mail-archive.com/routing@wedi.org/msg00283.html, resp. If a Business Process exists - apparent at the level of interchanges it's solely that of sending an interchange and expecting a TA1 or 997 in acknowledgement. You can't really say an 835 is expected in response to an 837. I'm going to predict that our use of the CPP will probably exercise very little of the ebXML Business Process stuff. DeliveryChannels The CPP people may not want to hear requests for supporting non-Internet transport protocols or non-ebXML packaging techniques (e.g., EDIINT) I've kind of lost track of what's happening over there in OASIS, ever since the onset of the "SHALL" - "MAY" battles. If they aren't amenable to expanding the CPP, we just may have to go "off on another tangent and re-create something else" - something more like IBM's tpaML which was the progenitor of ebXML CPP - see http://www.ibm.com/developerworks/library/tpaml.html. I've "volunteered" Tim Collins to look into discovering the tons of permutations "on a multitude of media, protocols, etc...", - including the ugly stuff like modem settings and initialization strings, blah, blah, blah. All that will have to be mechanically represented in some type of XML file (or the 838) - or as an extension of the CPP DeliveryChannel. In that spirit, and in line with my e-mail yesterday, perhaps we should start enumerating the various protocols that providers and payers are likely to use (for describing EDI addresses in the "directory"). I would be inclined to ignore the various legacy dial-up techniques, but others may not be so inclined. And, obviously, someone who uses expensive point-to-point leased lines doesn't need a "directory" because they're already connected to the other party! I would like to start off by suggesting simple old e-mail using S/MIME attachments. It's bi-directional, and everyone can use it today - at least as long as they're using standard e-mail clients like Outlook, Outlook Express or Netscape Communicator - but not the non-standard AOL play toy. The Microsoft-haters who use UNIX may have trouble with standard ITU X.509 certificates, so we'll have to accommodate PGP security. We should also provide for zipping (compressing) the EDI before encryption, too. This minimalist technique accommodates both the "disenfranchised" and the BIG PAYER (who can presumably automate his side of things in a lights-out fashion). I can even see the little "disenfranchised" doctor - the one who does his own electrical work cobbling together scripts to automate his e-mail client to do this, in addition to coding up his own Javascript to build 837s and 270s (or to parse 835s and 271s)! I would add EDIINT into the mix, both the AS1 (SMTP e-mail) and AS2 (HTTP) varieties; the software is somewhat available, though probably not affordable, for the "little" person. And FTP, too, even though the "little" person might not have his own FTP server: he may have to poll drop-boxes if he insists on using FTP on the receive side. I would also leave a placeholder for ebXML Messaging Services, because that's the "Next Big Thing" - and software vendors are falling all over each other to provide practically free messaging service handlers (MSH). The ebXML Messaging Specifications provide for a SOAP based packaging of business payloads for direct point-to-point transfer over the Internet one of many packaging techniques that will have to be supported in the WEDi/SNIP ID & Routing Specifications. Unfortunately, I would be remiss if I didn't say it would take quite a while for ebXML Messaging Services to catch on. Even though it can accommodate X12 EDI payloads, I doubt seriously that there will be many implementations of ebXML MS within Healthcare in the next couple of years, as new software would have to be interjected into the software mix at both ends of the trading relationship. We can expect Healthcare Clearinghouses and the more prosaic forms of point-to-point transmissions (e.g., FTP, Kermit) to predominate in the short term, and our "EDI Addresses" must support these "legacy" transport channels. Providers or their agents need to meet the payers half way. If the payers make it clear in the CPP where a particular transaction is supposed to be sent (and keep it updated), it is only fair that the providers follow the bread crumbs and send transactions where the payers tell them to. Ken has expressed one of the key reasons why different addresses for different transactions are needed in the CPP -- in today's business environment all of the transactions don't even go to the same place. In my email earlier this week I indicated that there appear to be only 2 pieces of information that are consistent throughout all of the insurance card copies I have reviewed so far - and those are different addresses for claims and eligibility inquiries. Often, the agent that responds to eligibility is not even the same corporate entity as the payer. In fact, sending eligibility inquiries to payers for certain plans wouldn't work in any event, because if they are only providing the insurance shell and claims processing for a self-insured employer, the payer may not even know where the appropriate eligibility granting entity is... In fact, in that case, I would expect that the agency that actually produces the insurance card (in this case, the plan administrator) would be the entity that files the DNS & CPP entries. So, bottom line, the CPP can and needs to be specific as to what transactions go where, and the providers or their agents need to be at least sophisticated enough to pick up the addresses and send things to the right place. We've discussed selecting alternate Delivery Channels based on functional group (e.g., "real-time" 270 vs 837 batch), but I didn't think Plan ID was ever considered as a selection criteria. That wouldn't be impossible, I suppose. But consider the implications for a VAN or other intermediary who would have no idea what Plan ID applied to the transaction without drilling into the transaction set and looking at application segments like the SBR in the 837. Besides, an 837 would contain claims for multiple plans to be processed by a single payer or TPA. I would suggest that we stay away from criteria for selecting Delivery Channels which can only be obtained from the guts of the application transaction set - or which could very well be non-unique within an interchange. Should we even waste time defining Delivery Channels (EDI Addresses) to accommodate non-IP protocols? IP is going to take over the world, anyway. See Michael C. Rawlins' exposé on ebXML, concluding with "ebXML - The Road Ahead," at http://www.rawlinsecconsulting.com/ebXML/. In it, Mike says: "...IP was deliberately not specified because the TRP team wanted to promote an open, 'protocol neutral' solution. But, at the very basic level you can't achieve interoperability if you speak different network protocols. This is an almost pathological pursuit of openness over interoperability. That we didn't specify IP over the public Internet should be an embarrassment to all of us who participated. UN/CEFACT and OASIS need to bite the bullet and take a stand on this. "If we care at all about interoperability, I see no excuse for failing to specify some subset of HTTP, SMTP, and FTP as the approved protocols. Only two would be best, but I could live with all three so long as some comprehensive, coherent recommendations were made about appropriate uses of the three. Again, we don't achieve interoperability if my application talks ebXML over CORBA IIOP, and yours talks IBM's MQ Series or RPCs a la RFC 1831. Even more to the point, SMEs and vendors of SME software need some reasonable guidance about whether to support HTTP, SMTP, or FTP, since cost-wise it may not be realistic to ask them to support all three." I haven't heard any articulation on this list thus far giving the minimum set of protocols and packaging techniques we should accommodate in our Healthcare CPP (Electronic Partner Profile). There are all sorts of junk out there like dial-up Kermit, but is it fair to the authors of the "Addresses and delivery channels" working paper (Dave Minch, Tim Collins, and Dick Brooks) to speculate on what's actually used if nobody takes the trouble to inform them of their requirements? Hearing none, I would say we can safely concentrate on IP protocols like FTP, SMTP and HTTP. The other "legacy" techniques could be accommodated by some provision in the CPP Delivery Channel for describing them in a textual format. I made a concession towards proprietary IDs using the ZZ ISA Qualifier: perhaps the CPP could specify an ID and qualifier (including a ZZ mutually defined ID) to be placed in the ISA Receiver field if a particular EDI Address (Delivery Channel) is selected. But no proprietary IDs could be used to search the Healthcare CPP Registry, nor is there a way to compel a sender to identify himself with a proprietary ID. HIPAA may well open the way for providers who haven't heretofore submitted electronic claims to "discover" the CPPs (electronic Trading Partner Profiles) of payers - which include EDI Addresses and perhaps even machine readable "companion" documents. This is as close to open-EDI as we'll probably see in the near term. Because of the standardized implementation guides and code sets, it's conceivable that partners could commence exchanging healthcare administrative standard transaction sets with no (or minimal) bi-lateral agreement. The HIPAA Implementation Guides really don't provide that much latitude for "customization" - the clear intent (of Congress) is that every healthcare player in the U.S. do the same thing consistently in order to avoid that very "customization" which induces friction any time B2B interoperability is attempted. I don't think the ISA and GS sender IDs can be used for selecting Delivery Channels for the simple reason it would be cumbersome to enumerate every possible trading partner in the CPP. And besides, you may not even know ahead of time who your trading partners will be! I want our recommendations to exclude any unnecessary artifacts which give payers an excuse to require providers to endure a cumbersome EDI enrollment process. But, anyway, I digress: the thing that made the biggest impression on me was that NEHEN participants rely on a single means of communicating with one another, viz. direct socket-to-socket TCP/IP network transmission. Eliminating communications options vastly simplifies things. This is obviously easier to do on a semi-proprietary network between a few big players who can afford special software. Peter Barry has suggested before that we need to specify "addresses" in "three arenas": "dial-up (easy), Internet (easy), and private network (not so easy)." He went on to describe the attributes of an address, including "questions of media, packaging, security, and communications capabilities. For example, a given address might have attributes to say dial-in/login-script-X/security-A/ASCII-file-no-label/filename-path-sche me-3, or something like that. Another might say Internet/security-B/ebXML-scheme-1/etc." What scares me if we don't limit the communications protocol possibilities, is that we could end up with a spiraling list of permutations. How do you describe - in a mechanical fashion - something like "use Kermit over a direct dial-up connection to 8005551212"? Do you also have to describe the modem mumbo-jumbo of 7-bit vs 8-bit and even or odd parity? I vaguely recall that was the junk you had to worry about when using pre-Internet BBSs or Compuserve. Now that there's the Internet, I set my modem and dial-up connection once, as specified by my ISP, and have forgotten about it, thankfully. I now have a single digital dial-tone, which works for e-mail (secure or insecure), file uploads and downloads, and surfing the Web. And when I start getting fancy, like doing web services using SOAP, it's still the same dial-tone: never again will I have to fuss with a modem unless I change my entry ramp to the Information super-highway (moving to DSL or cable, or changing ISPs). I hate modems and I hate printers. Even Kepa hinted at all the possibilities his DNS "directory" will have to handle, using examples like 8005551212.phone.hipaa.net and kermit.8005551212.phone.hipaa.net, adding nonchalantly "[the] sky is the limit. As long as we have some standard way to name them. We may need to 'create' such a standard." That's exactly what I'm afraid of! Let's assume for now that we'll be forced into supporting all the "legacy" dial-up connection types - to assuage fears of the open Internet's security "problems," what with some means of describing scripts, logins, passwords, modem-settings, etc. etc. Then does anyone know of any OASIS, W3C, IETF, etc. effort for devising XML files to describe all communication capabilities of a partner? The ebXML Collaboration Protocol Profile (CPP) specification only supports the common internet protocols (and then, only if ebXML Messaging services is used for packaging payloads - which could include HIPAA EDI). I want to see something that says "this is a dial-up using Kermit with this phone number." Surely someone has devised a schema for describing communication capabilities. There's no sense in us reinventing the wheel. Versioning that for most/many trading partners accessing such a registry/repository doesn't necessarily have to be a dynamic task performed each time an interchange is created. Rather, it might be necessary to access such a registry/repository once or intermittently in order to obtain the needed information for addressing/routing. Of course, this assumes that the addressing/routing information is more static than volatile. But, my gut tells me that it will be more static rather than volatile....at least during the early months/years of HIPAA EDI deployment I agree that it would not seem to be necessary to check the repository info. very often. I was thinking, however, of including a "version indicator" field somewhere (maybe just Active/Inactive flag, version date, etc.) in the repository and possibly retaining several "expired" repository versions in case the owner needed to roll back to or look at one of them. But if the receiver wasn't yelling at the sender about something going to the wrong portal and/or transactions were not being rejected, then would there even be a reason for a sender to recheck this? The other thing that occurred to me (I have approx. zero operational experience with EDI.. so please bear with me!) is that commercial translator systems must have some sort of configuration template/database into which the prospective user will have to key all/most of this repository data... sort of his local "EDI Address Book". Should we be talking to translator vendors about how this info is managed locally by the interchange senders? The obvious advantage of aligning our repository structure with a standard local user's "address book" would be auto-updating ability. What you're referring to is the trading partner profile management function that most good commercial EDI management systems provide. Some provide more or less functionality than others. Security Should public encryption keys be available in this template? IMO, yes. Along with other items needed to enable E-Commerce (e.g. self signed certificates for SSL, public keys for encryption, public keys for digital signature verification, Certificate Revocation List information). CPA I described the CPA as being "... in the realm of science fiction. Theoretically, a provider would introduce himself to the payer with his CPP, saying he wanted to send claims electronically. Software at either end would electronically negotiate terms, resulting in a CPA which binds the provider and payer in a bi-lateral trading relationship." The CPP's chief value appears to lie in the ability to use it to automatically negotiate the CPA, after which the two trading partners [previously unknown to each other] could launch right into a supported TRANSACTION. Clearly, this completely automatic model won't work in healthcare "out of the box", as you say. believe there should be certain information that should only be released until both parties can establish some level of trust. I presume a large majority of trading partners will require some form of testing, so all the testing information could be released without many of the concerns regarding live data. Once a valid test is completed, then it's possible that credentials could be passed to the partner that will provide them information regarding submitting live data. And in between the testing and live data submission, processes could be performed to verify the validity of the business entity, thereby giving the receiver and sender some level of trust regarding the transactions. I saw a thread recently that covered some method of establishing a certificate based, trust relationship, that may help address this as well. Using a PKI or PGP model, the ability to obtain information on sending live data could be based on an entities ability to pass the testing phase. A certificate or key would then be given to them that would allow them to obtain the live data submission information. At first I thought this could be out of scope for the group, but then I realized we haven't created a strong enough definition of the overall business processes in use today. I'm sure most receiver's will require some form of testing, or some form of trusted certification that they are compliant before simply allowing data to be sent. So, the CPP must have the ability to define testing criteria and requirements. Then, it should allow define the conditions in which testing be by-passed if the sending party already has been certified by so many other receivers. I have not been too concerned with CPAs heretofore. CPAs, or Collaboration Protocol Agreements, are in the realm of science fiction. Theoretically, a provider would introduce himself to the payer with his CPP, saying he wanted to send claims electronically. Software at either end would electronically negotiate terms, resulting in a CPA which binds the provider and payer in a bi-lateral trading relationship. I suppose this is where Doug Renshaw could vet the provider, and give the provider a user ID, password and proprietary provider ID - all automatically in a matter of seconds. I'm not holding my breath waiting for this to happen, though! Wouldn't it be much simpler for Doug to describe, in his own CPP, an open portal for sending standard transactions to Highmark? Repository The repository is the actual record of connectivity requirements and other information that is needed to set up a trading relationship. Some of our repository elements may be unique to healthcare or refer to a unique requirement of HIPAA, but most will be data elements commonly required by any 2 entities wishing to establish electronic data exchange. The key points about the repository: 1. It is essentially one collection of data about one trading partner's requirements, although it may be compartmentalized and it may be spread over several linked "documents" or URLs 2. The repository remains under the direct control of the trading partner to whom it refers (the "owner") 3. There is only one copy of the repository in existence 4. Each TP can decide what parts of his/her repository are exposed to whom 5. The repository can have any physical or logical location that is acceptable to the owner 3. There is only one copy... -- this probably isn't needed as a statement in the requirements, because it would tend to limit one's flexibility to post a primary & alternate address (which can be provided for in the registry), or for a Plan to contract with a CH to use their repository to post a second copy. From a conceptual point of view, of course, you are correct that the CPP itself isn't distributed across several repositories. 2. The repository remains under the direct control of the trading partner to whom it refers ("the owner"). This statement would also tend to exclude Business Associate relationships -- e.g. where an entity wants to contract with a third party to use their services which may include posting a CPP for them. I would add the term "or their contracted agent" at the end of the sentence just to keep that door open. The Healthcare Registry The attributes and addresses in the CPP will exist someplace. Everyone seems to forget that. If they exist in every participant for every trading partner--that's a whole lot of maintenance. Very expensive, very error prone, and discriminatory of the smaller players. Much better that each participant can maintain its own information, publicly posted, such that one change communicates to every trading partner. But outfits are always merging and acquiring - and our registry and Electronic Partner Profiles (CPP) can easily accommodate these eventualities. There's really no need for cutover dates (at the routing level), since the obsoleted ID can still be searched on to either (1) produce a dummy CPP which in turn points to the surviving entity's CPP, or (2) retrieve the surviving entity's CPP directly (which contains the obsoleted ID as a non-preferred search key). I don't recall that we have ever had a discussion on "the merits and demerits of using UDDI." Every time I've mentioned some kind of "directory," whether Kepa's DNS "directory" (always in quotes 'cause we've never given it a name) or the ebXML Registry, I have always included UDDI in the mix. I remarked to the OASIS ebXML Registry TC that I had some reservations about UDDI's security: "Though UDDI remains a possibility for discovering business partners' technical capabilities, its security (or lack thereof) makes it somewhat problematical." That's the only slightly pejorative statement I've ever made with respect to UDDI. See http://lists.oasis-open.org/archives/regrep/200203/msg00038.html. I have since been reassured by a correspondent that he "...can only assume that you are referring to UDDI V1 and V2. The UDDI V3 specifications due to be completed in the next few months will introduce more robust authentication, allow for authorization, and provide support for digital signatures. I would be happy to provide more details as needed. The discovery requirements that you have listed are exactly what UDDI is designed to do." As I said in my e-mail to the OASIS ebXML Registry TC, pretty much all we want to do is store "pointers" to participants' CPPs (which reside as XML files in their own servers), retrievable by one or more entity IDs. For example, a Big Payer may well choose to be identified by their NAIC company code. Providers, on the other hand, like hospitals, may prefer to name themselves by any of a HIN, a D-U-N-S or a Federal Tax ID. Likewise, a small practice may be identified solely by Tax ID, at least until the National Provider ID is available. Even if a small provider doesn't do standard HIPAA X12 transactions himself (but rather uses a Clearinghouse or Billing service), he would still have an entry in the Registry with a vestigial CPP (probably resident in the ebXML Registry itself) which points to his respective agent (e.g., via the ID of the clearinghouse or billing agent). When the National Plan ID does comes into play, we would have multiple levels of indirection in the retrieval: the plan ID would be used to retrieve a pointer to the payer or Third Party Administrator (TPA), which in turn would be used to access that entity's CPP for technical trading partner information. Implementing search by Plan ID might be more efficacious with the ebXML Registry rather than with Kepa's DNS directory. This should be a very simple use of the ebXML registry, and it allows us to get some experience in the best ways to identify partners. We need to get away from proprietary payer-assigned provider IDs in the context of standard transactions, so as to level the playing field between payers, providers and clearinghouses. The registry will also be a test-bed for experimenting with various means of authenticating partners (using X.509 certificates). It might be too much to expect Dick Brooks to do the liaisoning with both the OASIS ebXML Messaging and the Registry Technical Committees. Does anyone here want to volunteer to develop Registry use cases involving the discovery of WEDI/SNIP CPPs? It would be much more appropriate for a "real" health care person to take on this role: someone from either the payer, provider, or clearinghouse sectors needs to step up to the bar on this effort if it is to provide anything that will be acceptable to the user base and solve real problems. It's only fair that the provider advertise her capabilities, just as the payer would. The provider's "directory" entry would say she's willing and able to take 835 electronic Remittance Advices. It could also have a notation that said she was willing to take electronic funds transfer at her bank, specifying an ABA routing code and her account number. Of course, the payer doesn't have to do EFT (even if he does do the 835 ERA), so this is optional on the part of the payer - but paper checks mailed to the billing provider are still always welcome! The registry is a separate database, built to standard specifications, and able to be accessed with a standard query protocol. It's purpose is to link the all the possible identifiers used by a single trading partner with his/her SINGLE repository ADDRESS (generally, a URL). For example, if Company A is known by 10 nationally unique alphanumeric codes or names, then he would probably want to have 10 different registry records, in which each ID code points to the same repository, containing all of his "TPA" information. Key points about the registry: 1. The registry should conform strictly to an established standard (like ebXML) so that it can be queried automatically using standard protocols. 2. An industry like healthcare can support any number of registries. There might be a slight advantage in having only one registry for healthcare, but it would be almost the same effort to have a system query 3 or 4 or even 20 registries in rapid succession. All we would be looking for in the registry is the URL for the company's SINGLE repository record or record-collection. 3. There is no limit to the number of different identifiers that can be linked in a registry to a single CPP repository. This means that in addition to the identifiers permitted in the ISA, we could list a company's common names and abbreviations (e.g., "Vision Service Plan" or "VSP"), any of the company's National PlanIDs, etc. Some standardization here would be helpful and in general, we would expect the identifiers printed on the subscriber ID card to be the same ones placed in the registry. There is no requirement, however, to restrict the registry pointer IDs to the set of ID codes that are "legal" in the ISA. ISA receiver ID preferences would be spelled out in the CPP repository. 4. A company would be free to list itself in as many registries as it liked. Companies should list the same identifiers in every registry, but the system would still function OK if the different registries were not perfectly synchronized... as long as the repository URL was listed correctly in each record. 5. The registry would be a relatively static, low maintenance database. As long as the listed entity kept the URL of its CPP Repository constant, there would be no need to edit the pointers in the registry. The contents and even the physical location of the repository could be changed whenever necessary (by the owner), but it would only rarely be necessary to edit the registry. Ownership I don't really think WEDI would agree to maintain a registry for HIPAA covered entities. This is really a full time job. If the Government were going to have the National Provider and Plan ID databases, maybe the CPPs could be pointed to by them. But at this rate, I don't think anyone is going to be seeing NPI and Plan ID databases any time soon! So if we want a directory of Healthcare CPPs, it's going to have to be either 1) Kepa's DNS directory, (2) the ebXML Registry, or (3) UDDI probably maintained by an organization that makes a living from this. Frankly, I don't know how you build a business model around directories, but there are enough vendors - and not just your chintzy pre-IPO B2B startups, but real substantial outfits like IBM and Sun - tripping over themselves to provide hosting, registry services and software. This is why, as part of our "liaison" with the OASIS ebXML Registry TC, we're also talking to vendors about an actual implementation. The same thing can be done with UDDI, which Joe McVerry has volunteered to research for the purposes of a Healthcare Registry. I used to always call this Registry the "WEDI/SNIP" directory, really only to develop a sense of "ownership" among the WEDI/SNIP ID & Routing folks - in no way did I mean the WEDI Board of Directors has ever approved of such an animal or would have WEDI run it. From now on, to avoid confusion, we should just call it the "Healthcare" CPP directory. Starting with the Patient If we had any "discussion about how information is processed prior to the lookup," it was solely in the context of the provider obtaining the ID of the plan or payer (somehow - perhaps from the insurance card), or the payer using the usually present Tax ID of the provider. We have to make the assumption that some ID is available (to either provider or payer, or their agents) for performing the initial lookup. Once you have an ID, it should be clear sailing from there, even though multi-stage lookups might have to be performed: e.g., if the provider has the (future) National Plan ID in hand, he can look up the (1) Electronic Partner Profile (CPP) for the plan, which in turn might be nothing but a reference to the (2) Third Party Administrator or insurer's CPP, and finally, the TPA's CPP might reference its (3) Clearinghouse's CPP for the detailed Delivery Channel ("EDI Address") attributes which define the actual transport method and port address. I hope we don't have to understand, in detail, the "major models of insurance" to describe a workable Registry and CPP system - except in order to illustrate examples of how the thing works, as I just did above (a model based on a self-insured plan handled by a TPA using a Clearinghouse). In that example, we used the Plan ID to arrive at the EDI portal at a CH to send claims or eligibility inquiries. The Plan ID would still presumably appear in the application transaction set, otherwise the TPA - which handles dozens or hundreds of self-insured plans - would not know for whom the claim was intended. Solving the problem of how to obtain the National Plan ID (or in today's world, the payer and proprietary plan IDs) is out of scope for our project. But it is a real problem, which Chris Feahr confirms. As I indicated in my previous e-mail, it seems to have been solved adequately in the Pharmacy world according to David Feinberg. There is no doubt that the patient is "the weakest link" in this discovery process. In vision care, when the patient is unsure of the payor/plan, we routinely query one or two of the largest payors with both the patient's and the presumed subscriber's SSN numbers... just because it's easy to do and we often find them listed. An additional source of confusion in identifying plans is the fact that the patient is often more aware of the name of the general medical plan (possibly a closed-panel HMO that we do not belong to). So the patient calls the eye doctor and states that she has a "vision plan" through "HealthNet". We know that our office is not a member of the HealthNet provider panel, but... avter investigation by my staff, the "vision plan" turns out to be Vision Service Plan (VSP), meaning that re really CAN see the patient after all. The ONLY reliable info that you can get from the patient is WHO THE PATIENT IS! A central patient plan-membership registry would be VERY helpful. Otherwise, payors will want to essentially "SPAM" every payor in the world with general "type 30" eligibility queries until they get a "hit". The provider is in a tough spot here because many of these "unknown payor" cases can be served in his office, but a few can ONLY be served under the plan in an different office. Patients expect the doctor to magically resolve this at the reception desk... before the services are rendered. A good receptionist might remember that we have seen lots of folks from that particular employer and "worry about who the payor is" later (so as not to waste the appointment)... but occasionally, we get stung and the patient is NEVER happy about having to pay for a bunch of things that were supposed to be "free". Searching and "Discovery" But after thinking about it, maybe we will need to employ ebXML's robust query technology: if there's nothing in the application transaction set (e.g., the 270 or 837) that definitively gives the provider's "return" EDI identifier, then perhaps the payer could use the ebXML Registry to search on known identifiers (such as the TIN) to indirectly find the provider's CPP, which in turn would have the preferred EDI identifier (say, the D-U-N-S). But until then, we're still left with problem of how a payer determines the type (D-U-N-S, FEIN or HIN) and value of the ISA receiver ID for a provider. Some of the more recent discussion has suggested taking an identifier the provider is known by to the payer (e.g., the FEIN), and using that ID to search the Registry for the provider's CPP, which in turn contains the provider's preferred ISA ID (and that preferred ID may be the FEIN itself, or another Tax ID, or one of the provider's D-U-N-S numbers). Keep in mind that if the Registry is powerful enough to be searched by any (non-proprietary) ID, then the sender could just blindly stick the FEIN in the ISA receiver ID, knowing full well that a VAN or CH intermediary could search the Registry for the CPP which contains the EDI addresses and ports. The whole concept of a "preferred" ID may give way to a more powerful notion whereby a receiver can be identified in the ISA by any of its known IDs (whose domains or type are allowed by the HIPAA IG). Regarding the discovery of the preferred "return path" to the small provider, a payor could take the provider's FEIN from the individual transaction (a 270, for example) and look up that provider's CPP... and determine [for example] that he likes all his 271s sent to a CH maintained by his OMS vendor, and his 835s sent to his bank. if we don't have a consistent way of addressing partners (based on IDs), there's really no good way to do anything else, such as the lookup of partners' information in a directory. And it's that directory (whether a DNS lookup, ebXML Registry or UDDI) that contains the CPP which has all the good stuff for automatic trading partner hook-up. The solution has already been modeled: I'm suggesting - not the first time, certainly - that a requirement of our specifications include the ability to search the Healthcare Registry by any number and type of identifiers. The illustration showed one possible means of how, in this case, the Blue Cross Blue Shield Plan Code could be described and used to locate the CPP (electronic Partner Profile) for the a particular Blue entity (Anthem). The BC/BS Plan code(s), along with any number of Tax IDs, D-U-N-S, NAIC Company Codes, etc., etc., seem to be all perfectly acceptable keys to use for arriving at (or "discovering") the same CPP - part of a general requirement that has nothing to do with being "wedded" to any particular type of identifier. We have not yet discussed how identifiers would be qualified as search keys, and I was suggesting one possible means based on X12 coded element qualifiers - in order to avoid re-inventing the wheel. Other methods might involve the use of URNs (IETF Uniform Resource Names), but that's getting a little afield for the time being. To allay Ken Fody's concerns that "not all Plans want to use [the BCBS plan code] on the standard transactions," let me emphasize that the example showed "discovery" of Anthem's CPP based on any one of its plan codes. Once the CPP is found, the junk inside the CPP would say where to deliver transactions (the Delivery Channel) and the ISA receiver qualifier and code to use. If Anthem were to prefer to have its NAIC company code used as the Receiver ID, that's perfectly possible with the requirements I've previously suggested in "Why do we flap our lips so much about the ISA Receiver ID?," from 12 April, at http://www.mail-archive.com/routing%40wedi.org/msg00438.html. I have a tendency to write in prose, as if describing a system that already works - when in fact we all know we haven't written the specs yet! But I fancy that I'm setting forth the "Grand Vision," and (preferably) someone else is busy compiling my musings as a set of requirements within the respective Working Paper groups. Is it working? I'm not trying to shove anything down anyone's throat, but y'know: searching on various identifiers to "discover" CPPs does seem to be something people can use - and the ebXML Registry already supports this. A correspondent has confirmed that the most powerful ID for identifying BC/BS entities is the Plan Code. He said it was used in several inter-plan claims exchange systems and is universally used by all Blue plans on membership cards. Which is true enough, considering my own Anthem card shows plan codes of 332/834 (Institutional vs. Professional) on the front. Now it seems reasonable that my doctor ("shorthand" for saying his staff, software, billing agent or Clearinghouse - let's not get pedantic here) could take the "834" and look up Anthem's electronic Partner Profile (CPP) in the Healthcare Registry to see where to send claims or eligibility inquiries. Obviously, "834" by itself doesn't mean much - it has to be qualified by some code to say that it is a Blue Cross Blue Shield Association Plan Code (in both the CPP and the Registry search key). The first place to look for such qualifiers would be the X12 ISA Interchange ID Qualifier even though the BC/BS Plan Code is obviously not a HIPAA compliant ISA receiver ID. Such an animal doesn't appear there, but D.E. 66 Identification Code Qualifier - used in the NM1 does have code value AD meaning "Blue Cross Blue Shield Association Plan Code." So the Registry search key could be shown (stylized) as something like 66:AD:834 (meaning D.E. 66 code value AD qualifies value 834) which could be used to locate Anthem's CPP (assuming Anthem placed a list of all their associated plan codes in their CPP: 160 and 660 for Kentucky, 130 and 630 for Indiana, and 332 and 834 for Ohio). There's no reason the Healthcare CPP parts which specify Delivery Channels could not account for all plans using the same or different EDI portals, depending on Anthem's preferences. I'll leave the details for defining this stuff in the CPP to the volunteers who are authoring the "Elements of the Healthcare CPP" working paper (Marcelee Jackson, Dave Minch, Dick Brooks and Chris Feahr). I would also add an additional concept/idea that surfaced this week during discussions at X12 in Minneapolis, i.e., that for most/many trading partners accessing such a registry/repository doesn't necessarily have to be a dynamic task performed each time an interchange is created. Rather, it might be necessary to access such a registry/repository once or intermittently in order to obtain the needed information for addressing/routing. Of course, this assumes that the addressing/routing information is more static than volatile. But, my gut tells me that it will be more static rather than volatile....at least during the early months/years of HIPAA EDI deployment. Folks did seem to doubt that anything as ambitious as our Healthcare directory and electronic Trading Partner profile could be available by the time H-day rolls around. I emphasized that the registry and electronic profiles will be usable in a manual fashion, where CPPs can be viewed with XSLT style sheets. Most of the value of the registry is just in the ability to locate trading partners' profiles - we don't need to wait for software vendors to update their software for completely automating the "Discovery" process. We've been assuming all along that providers would have no problem "identifying" payers and plans, figuring that each patient carries his insurance card around with him (and that the cards would have the EDI identifier printed on them). But we've been disabused of that notion by comments at the meeting - either patients don't have their insurance cards 30% of the time, or the information that the provider has on file for them is woefully out of date. Pharmacy, according to David Feinberg, maintains a centralized database to solve this problem: apparently, insurance companies load demographic information about their covered subscribers at some clearinghouse for shared access by pharmacies. Of course, this isn't the problem we're trying to solve (of patients not carrying their insurance card). We can make the assumption that the provider has some means of determining some ID of the plan or payer applicable to the particular patient. But to help things along, we may want to add searching by payer name as a requirement - to accommodate the situation where the patient knows the name of his plan or insurance company: refined searches in the registry can locate the actual CPP covering the plan to which eligibility inquiries can be sent. Actually, the ISA receiver ID would generally *not* be the key into the Healthcare CPP (Electronic Trading Partner Profile) Registry, for the simple reason you would not know what to use as the ISA Receiver ID until you had obtained the CPP for the recipient - which in turn tells you which ID to use! Imagine this scenario: a provider wants to send a claim to Big Insurance Co. She knows *some* payer ID either by (1) serendipity, e.g., she remembers the NAIC for Big Insurance Co., or (2) obtaining it indirectly through the particular National Plan ID (*future* - remember National Plan ID hasn't yet been implemented or funded) which appears on the patient's insurance card, or (3) obtaining the EDI ID (in this case, the NAIC) directly from the insurance card. Either the NAIC company code or the National Plan ID could be used to search the Healthcare CPP Registry (notice I no longer call it the "WEDi/SNIP" Registry!) to obtain Big Insurance Co.'s CPP. The CPP then contains the EDI Addresses to be used (depending on criteria such as Functional Group ID) and the EDI ID to be used in the ISA Receiver field (in this case, Big Insurance Co. prefers - or mandates - the NAIC). The provider must use the Receiver ID specified in the CPP, because the EDI Address to which the interchange is sent could very well be a VAN or Clearinghouse that only knows the payer by the NAIC. Or perhaps the Clearinghouse only knows the payer by some *contrived* (CH-assigned) receiver ID - neither the NAIC nor the HCFA carrier code or any other standard ID. In this case, the selected EDI Address in the CPP would say which qualifier and ID to use in the ISA receiver field (and it could be a ZZ "mutually-defined" ID). I want to emphasize I am not back-peddling on my abhorrence of the ZZ here: the "mutually defined" ID is not being used as a *key* into the Healthcare CPP Registry (it can't be, because the provider wouldn't know it ahead of time). The EDI Address in the CPP is simply saying the provider has to stick in this qualifier (ZZ) and an arbitrary receiver ID into the ISA before sending the interchange. It works the same way when the payer wants to send an application message to the provider. And remember, standard transactions from the payer can be unsolicited: paper claims could result in electronic 835 EOBs! The payer might only have the FEIN (Tax ID) of the provider available. He uses the FEIN to search the Healthcare CPP Registry to locate the provider's CPP. The provider has said she accepts 835 EOBs at a particular EDI Address. Perhaps she is to be identified in the ISA receiver ID with her D-U-N-S, with a specification in the EDI Address that says the transaction set must be encrypted using X12.58 and sent through a VAN (since VANs are not covered entities generally, PHI has to be hidden from them using encryption). This illustrates the situation where a FEIN is used as a key into the Healthcare CPP Registry, but the D-U-N-S is the ISA Receiver ID. Again, the ISA Receiver ID was not used as the key - it wasn't even known until the CPP was obtained! Or maybe the provider uses a Clearinghouse, and her CPP EDI Address has said 835 EOBs (or even all transactions) go to the Clearinghouse, using a CH-assigned ID in the receiver field. In this case, a FEIN was used as the key into the CPP Registry, but the ISA receiver ID is a ZZ-qualified CH-assigned provider ID. Since the provider is a customer of the CH, she knows ahead of time what her proprietary CH-assigned receiver ID is, and can place it in the EDI Address so senders know what to use in the ISA. If it seems I'm softening on the ZZ qualifier, I'm not. Consider the first scenario again, where the provider has "discovered" Big Insurance Co. in the CPP Registry. In this case, the EDI Address for claims says to send the 837 to a clearinghouse. It's perfectly okay for Big Insurance Co. to say in the EDI Address within its own CPP that a ZZ qualified receiver ID be used in the ISA - after all, Big Insurance Co. is a customer of the Clearinghouse and has long known its contrived CH-assigned payer ID. But there is no way to tell the provider she must use a CH-assigned sender ID - she's not even a customer of the Clearinghouse, and this may be the first time she's ever sent anything through that Clearinghouse. It would be mighty presumptuous of the CH to insist that the non-customer provider identify herself by a proprietary CH-assigned provider ID - as if it could even be done technically. Chris Feahr brought up the possibility of VANs and CHs sharing their "family jewels" - their directories. That's unlikely: the best we can hope for is for them to populate our directory with their payers, with pointers into themselves! But I would think it very improbable that CHs would give away the names and IDs of the providers they service. Visibility Yes, I was disappointed at the reticence of most of Claredi's directory participants to share their information. Most of it's locked down and available only to other members of their trading "group." Obviously, the main purpose of the Claredi directory is to share information on certification progress: perhaps folks are humbled that they are not further along in achieving compliance, and don't want the rest of the world to know! I guess that's only natural. In any case, as Chris notes, the same "shyness" will affect our Healthcare CPP Registry. If people are not too keen on even publicizing their address and phone number, they probably won't give away to just anyone as to how to send transactions their way. Even though I'm absolutely confident we can come up with technological solutions to expose information only to others in certain categories, that still will not get people over their agoraphobia. This is a social engineering problem that mere technology will not solve. On the positive side, clearinghouses are always anxious to advertise the payers they support - I suppose that's a selling point to providers. So at least CHs will probably be happy to prime the pump with payer CPPs which will naturally point to portals at those very same clearinghouses! Keep in mind that the CPP (electronic partner profile) is really not dependent on a global, public federated registry. These are just standardized XML documents with machine readable information that describe the partner's capabilities: certification, financial institution data and EDI addresses, inter alia. The CPP doesn't have to reside in a public directory. A payer could continue to do business the old way, where a provider has to fill out all sorts of paperwork, sign TPAs, endure hideous EDI enrollment delays and whatnot. And at the end of all this, he'd be e-mailed - what else? - a nice CPP! If payers were the least bit reticent about sharing their companion guide information on the Internet as part of the WEDi/SNIP CPP (Electronic Trading Partner Profile), that would put a crimp in our efforts to automate "discovery" of trading partners and their technical requirements. Can anyone enlighten me as to what one might consider "confidential" in a companion guide? And if such proprietary information exists in there, is there the possibility that it, ....well, has no business being there in the first place? Proof of Concept Registry Thanks to Lisa Carnahan for tracking the list, and especially for writing in! There's certainly no need for me to speak up, because Lisa hasn't mis-characterized anything we've talked about! But as you know, I'm not one to resist writing in. Indeed, we're thrilled to have NIST take an interest in our modest effort to design a Healthcare CPP Electronic Partner Profile Registry, and I join Rachel in enthusiastically welcoming NIST as an active partner in the WEDI/SNIP ID & Routing Group. I want to add that NIST - the National Institute of Standards and Technology (part of the U.S. Commerce Department) - will find that Healthcare administration has perhaps more interesting needs than other verticals, simply because we have so many possible identifiers which would be used to key into the registry. This should make a prototype of the Healthcare CPP Registry a more valuable testbed for evaluating capabilities in the real world. A number of Registry vendors have graciously offered their products and services in assisting us in developing a prototype. But I think having NIST help us in conducting a field trial adds a panache of integrity and objectivity to our evaluation. And it goes without saying that if we can pull off a successful prototype together, having the NIST imprimatur will go a long ways toward influencing WEDI/SNIP and AFEHCT - to say nothing of CMS - to formally adopt our recommendations. CPP don't want to get people too concerned that they're going to have to wait for "smarter" auto-reconfigurable software before they'll get to see the benefits of electronic Trading Partner Agreements. As a proof of concept, I see us developing XSLT style-sheets for displaying e-TPAs that have been "discovered" via Kepa's DNS "directory." Since it's starting to look like our e-TPAs are probably going to be XML documents, XSLT style-sheets can render them in a human readable fashion on your web browser. In my crystal ball, I predict we'll have some "volunteers" develop these XSLT style-sheets for contribution as non-normative material for our work product. All the standard trading partner setup information you'll need including communications protocols, URLs, EDI contact addresses, "companion" document information (e.g., explanation of situational elements), supported transactions, security and acknowledgement requirements, etc. - will be available simply by providing an identifier (like a NAIC or DUNS) of your trading partner. So even if you have to copy and paste information from your web browser into your existing communication and translation software, it will sure beat paper documentation! And it will be in a consistent format, regardless of trading partner. In short, you don't really have to wait around for Dick's "next-generation" auto-configurable ebXML software before you start to see the benefits of the WEDi/SNIP e-TPA!