
Perspectives on Information Technology for the Health Care Industry



Healthcare EDI 

Secure EDI Protocols 

EDIINT is an Internet specification for reliably exchanging structured messages over the Internet. The CommerceNet consortium conducts interoperability testing for EDIINT products.

Vendors
  • Cyclone Software Interchange (EDIINT)
  • GE Information Services Enterprise
  • Harbinger Trusted Link Templar
  • Compress-Technologies (X12.58)


Small Provider Approaches

WebEDI typically involves mapping EDI data elements into HTML form elements which are submitted over HTTP. Data is either submitted to the payer directly or is first translated by an EDI intermediary into X12 and then routed to payers. Small providers should recognize this approach as a short-term solution because it allows the payer to circumvent the "must accept" provision of HIPAA. Only if a provider sends a transaction in a standard format must the payer accept and process that transaction. WebEDI models allow the payer or clearinghouse to implement non-standard transactions; the information that is then exchanged is determined primarily by the business model of the payer or clearinghouse. WebEDI is business as usual.

Healthcare EDI transactions are those used to exchange information concerning the provision of patient care. While HIPAA promises to standardize healthcare EDI transaction formats, it does not address the need for standardized communications protocols used to transmit the transactions. This oversight is significant since it leaves open how EDI trading partners are to deliver their transaction data effectively. As a result, even when able to send the standard transaction formats, providers will find themselves still having to rely upon clearinghouse services for payer connectivity rather than incur the cost of supporting a jumble of proprietary network connections.

As required by law, HCFA created an impact analysis of the Administrative Simplification section of HIPAA.  One of the conclusions of this analysis points out that the payer investment to implement the mandated standard transactions will not be justified unless there is a significant increase in participation by providers including smaller provider organizations and independent physicians.

Current methods of EDI dependent upon clearinghouses are too inflexible for most small providers. With an average daily volume of 40 patients spread across 20 or so payers, maintenance of EDI applications is too burdensome. HIPAA standard formats offer some relief provided that commercial software to produce the standard transactions becomes available. Payers, though, must also provide suitable connectivity options to all submitters, including low-volume ones. The approach that assumes that small providers will continue to use clearinghouses is unsatisfactory. HIPAA defines the clearinghouse function as one of "translation from non-standard to standard format". To require small providers to use clearinghouses is, then, to deny them the benefits of Administrative Simplification. Since small provider participation is critical to the success of Administrative Simplification, such an approach is illogical and likely to fail.

During the public comment period for the NPRM on Standard Transactions, Tunitas Group recommended that as part of the Final Rule all payers be required to provide an Internet resource (either an FTP port or an email address) as a default delivery address to which any provider can submit standard EDI transactions. We also recommended that the default security mechanism be based on S/MIME encapsulation.

This recommendation is being considered and we have been asked to solicit endorsements for the recommendation from other industry members and/or trade associations. The Tunitas Group is interested in speaking with any payer or provider organizations or associations who are interested in endorsing this recommendation.


Tunitas Group presentation: Secure Internet EDI at the HEDIC Annual Meeting, April 7-9. This presentation discusses two different methods for communicating X12 transactions securely over the public Internet -- EDIINT and the X12.58 transaction.

Secure EDI Protocols for the Internet support the exchange of EDI messages between trading partners that have automated back office processes to create X12 and other types of structured messages. For trading partners that exchange standard transactions, the EDI problem becomes one of how best to manage the transaction exchange securely. There are two approaches to consider when using the Internet.
  • EDIINT places ordinary X12 messages in an S/MIME envelope. The S/MIME envelope guarantees confidentiality and non-repudiation of the transaction source. S/MIME communicates digital signatures, encryption parameters, certificates and keys. Secret keys are generated for each message, RSA encrypted and exchanged in-band as part of the EDIINT exchange. EDIINT includes a specification of message disposition notification (MDN) to provide for receipt and notification of successful message decryption and authenticity verification. EDIINT explicitly supports a variety of data transport protocols: SMTP, FTP and HTTP.
  • X12.58 adds segments containing security information to any X12 message. These segments communicate signed assurances, digital signatures, certificates, encryption and compression parameters. X12.58 assumes a shared "secret" key between trading partners. This key may be exchanged "out of band" or "in-band" using a separate X12.815 crypto message transaction. Encryption can be managed at the transaction (ST) or functional group (GS) level. X12.58 does not address data transport, but once the message is encrypted and signed, it may be communicated using ordinary protocols and less secure networks. X12.58 supports a continuum of security services and can be used to supplement VAN-provided security mechanisms.
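The EDIINT bullet above describes a hybrid envelope: a fresh secret key per message, that key RSA-encrypted to the recipient and carried in-band, a signature from the sender, and an MDN returned once the recipient has decrypted and verified. The following Go program is an added illustration of that exchange with both sides, not code from the original page, from the EDIINT specification, or from any vendor listed here. Its Envelope and MDN types are assumed, simplified stand-ins for the real S/MIME (CMS) structures, and the choice of AES-256-GCM, RSA-OAEP and RSA-PSS is mine; the page only says the per-message key is RSA encrypted. The X12 fragment in main is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Envelope is an assumed, simplified stand-in for the S/MIME structure that
// EDIINT uses (not the real CMS encoding): payload encrypted under a
// per-message key, that key RSA-wrapped to the recipient, plus a signature.
type Envelope struct {
	WrappedKey []byte // per-message AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM encrypted X12 interchange
	Signature  []byte // RSA-PSS over SHA-256(plaintext) with the sender's key
}

// MDN models the message disposition notification the recipient returns:
// a digest of the decrypted payload and whether the signature checked out.
type MDN struct {
	Digest   string
	Verified bool
}

// Seal is the sender side: fresh key per message, encrypt, wrap key, sign.
func Seal(x12 []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(x12)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, x12, nil), sig}, nil
}

// Open is the recipient side: unwrap the key, decrypt, verify, build the MDN.
// Decryption failure is an error; a bad signature is reported in the MDN.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, MDN, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, MDN{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, MDN{}, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, MDN{}, err // tampered or mis-keyed payload
	}
	digest := sha256.Sum256(pt)
	verr := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil)
	return pt, MDN{hex.EncodeToString(digest[:]), verr == nil}, nil
}

// MDNMatches is the sender's check on the receipt: the recipient verified the
// signature and the digest it reports is of the message actually sent.
func MDNMatches(sent []byte, m MDN) bool {
	d := sha256.Sum256(sent)
	return m.Verified && hex.EncodeToString(d[:]) == m.Digest
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	provider, _ := rsa.GenerateKey(rand.Reader, 2048)
	payer, _ := rsa.GenerateKey(rand.Reader, 2048)
	x12 := []byte("ST*837*0001~BHT*0019*00*REF1~SE*3*0001~") // constructed fragment
	env, _ := Seal(x12, provider, &payer.PublicKey)
	pt, mdn, err := Open(env, payer, &provider.PublicKey)
	fmt.Println(len(pt), mdn.Verified, MDNMatches(x12, mdn), err)
}
```

The sender keeps its own digest of what it sent and accepts the MDN only when the recipient reports a verified signature over the same digest; a receipt that arrives with Verified false, or with a digest for different bytes, means the transaction was not accepted and should be treated as undelivered.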

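The X12.58 bullet notes that security can be applied at the transaction set (ST) or functional group (GS) level using a secret shared between trading partners. The Go program below, an added illustration rather than code from the page or from the X12 standards, parses a constructed interchange into those two kinds of units and computes a keyed assurance over each, so the reader can see what a group-level tag covers versus a per-transaction tag. The "*" and "~" delimiters are assumed defaults (a real parser reads them from the ISA header), the HMAC-SHA256 tag is my stand-in for the X12.58 signed assurance rather than the standard's actual segment layout, and the sample interchange and shared secret are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Assumed delimiters: "*" element separator and "~" segment terminator, the
// common X12 defaults. A production parser takes them from the ISA header.
const (
	elemSep = "*"
	segTerm = "~"
)

// SampleInterchange is a constructed interchange with one functional group
// (GS..GE) holding two transaction sets (ST..SE). All identifiers are made up.
const SampleInterchange = `ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       *990101*1200*U*00401*000000001*0*T*:~
GS*HC*SENDER*RECEIVER*19990101*1200*1*X*004010~
ST*837*0001~
BHT*0019*00*REF1*19990101*1200*CH~
SE*3*0001~
ST*837*0002~
BHT*0019*00*REF2*19990101*1200*CH~
SE*3*0002~
GE*2*1~
IEA*1*000000001~`

// ParseSegments splits the interchange into segments, each a slice of elements.
func ParseSegments(x12 string) [][]string {
	var segs [][]string
	for _, raw := range strings.Split(x12, segTerm) {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		segs = append(segs, strings.Split(raw, elemSep))
	}
	return segs
}

// units returns every run of segments from an opening segment ID through its
// matching closing ID, inclusive.
func units(segs [][]string, open, close string) [][][]string {
	var out [][][]string
	start := -1
	for i, s := range segs {
		switch s[0] {
		case open:
			start = i
		case close:
			if start >= 0 {
				out = append(out, segs[start:i+1])
				start = -1
			}
		}
	}
	return out
}

// TransactionSets and FunctionalGroups select the two levels at which
// X12.58 allows security to be applied.
func TransactionSets(segs [][]string) [][][]string  { return units(segs, "ST", "SE") }
func FunctionalGroups(segs [][]string) [][][]string { return units(segs, "GS", "GE") }

// assurance computes an HMAC-SHA256 over the serialized unit with the trading
// partners' shared secret. This stands in for the X12.58 signed assurance; the
// real standard carries its values in dedicated security segments.
func assurance(secret []byte, unit [][]string) []byte {
	mac := hmac.New(sha256.New, secret)
	for _, s := range unit {
		mac.Write([]byte(strings.Join(s, elemSep) + segTerm))
	}
	return mac.Sum(nil)
}

// Assurance returns the hex tag a sender would attach to the unit.
func Assurance(secret []byte, unit [][]string) string {
	return hex.EncodeToString(assurance(secret, unit))
}

// VerifyAssurance is the receiver's constant-time check of a received tag.
func VerifyAssurance(secret []byte, unit [][]string, tag string) bool {
	got, err := hex.DecodeString(tag)
	if err != nil {
		return false
	}
	return hmac.Equal(got, assurance(secret, unit))
}

func main() {
	secret := []byte("constructed-shared-secret") // exchanged out of band in practice
	segs := ParseSegments(SampleInterchange)
	// Group level: one tag covers both claims. Transaction level: one tag each.
	for _, g := range FunctionalGroups(segs) {
		fmt.Println("GS-level tag:", Assurance(secret, g))
	}
	for _, ts := range TransactionSets(segs) {
		fmt.Println("ST-level tag for", ts[0][2]+":", Assurance(secret, ts))
	}
}
```

The level choice is a trade-off the bullet leaves implicit: a group-level tag lets a payer reject a whole batch when any claim inside it was altered in transit, while transaction-level tags let the unaffected claims in the same group still be accepted and the altered one be pinpointed.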

Small Provider Participation in Healthcare EDI will occur, on a large scale, only when each of the following issues has been addressed:

  • Formats and code sets. Standards for formats and code sets have been designated within the Administrative Simplification section of HIPAA. Under HIPAA providers can implement all-payer solutions.
  • Connectivity options. Providers must have simple procedures to submit EDI to payers. Tunitas Group argues that only through the mandated support of common Internet connectivity and ordinary Internet email or FTP protocols will the required simplicity be achieved.
  • Electronic trading partner agreements. Payer-provider electronic trading partner agreements are not commonly used in healthcare EDI. The cost of creating these agreements is high; small providers are not well prepared to negotiate these agreements with many payers, nor are payers prepared to construct such agreements with tens of thousands of providers. However, as the industry transitions to standard EDI transactions, the desire to trade directly will increase, making these agreements more visible. We are recommending the development of a Standard Trading Partner Agreement for Healthcare EDI which could be included as an amendment to payer-provider contracts. The Standard Agreement would be simpler than current clearinghouse agreements, as both parties to the Standard Agreement are parties to the EDI transaction, rather than one of them being merely a third party to the transaction.
  • Security. Broadly construed, data security assures that sensitive information is used only for authorized purposes. There is a growing concern among providers that EDI makes it easier for payers to use claims data to unfairly profile providers or their patients. The anticipated Medical Privacy regulations may ameliorate this situation somewhat by setting parameters for information disclosure. But more likely, providers and payers need to develop common agreement about how EDI data will be used and develop processes that foster credibility in the resulting EDI analyses.


Copyright © 1999 Tunitas Group.  All rights reserved.