August 3, 1998

Health Care Financing Administration
Department of Health and Human Services
Attention: HCFA-0047-P
P.O. Box 26676
Baltimore, MD 21207-0519

Re: PROPOSED RULE HCFA-0047-P

To Whom It May Concern:

The Association of American Physicians and Surgeons ("AAPS") hereby submits its comments to proposed rule HCFA-0047-P ("Proposed Rule").

AAPS is a not-for-profit membership organization that represents thousands of physicians in all practices and specialties. It was established in 1943 to preserve the practice of private medicine, and has remained dedicated to the Oath of Hippocrates and protecting the sanctity of the patient-physician relationship. It is incorporated in the State of Indiana and is tax-exempt under Section 501(c)(6) of the Internal Revenue Code.

AAPS objects to the Proposed Rule with respect to its selection of the employer identification number ("EIN") as the statutory "unique health identifier for each � employer." 42 U.S.C. § 1320d-2(b)(1). This Proposed Rule is in direct violation of the statute, because the EIN is neither "unique" nor assigned to "each � employer," as required by the statute. Id. The Proposed Rule acknowledges, but then ignores, that many employers have multiple EINs in violation of the uniqueness requirement. Likewise, the Proposed Rule acknowledges, but then ignores, that many employers lack an EIN in violation of the requirement that the health identifier be assigned to "each � employer." Moreover, the Proposed Rule arbitrarily ignores the statutory requirement that "[t]he standards adopted [for the unique health identifier] shall specify the purposes for which a unique health identifier may be used." 42 U.S.C. § 1320d-2(b)(2). Instead, the Proposed Rule omits the purposes for which an EIN would be required in electronic transmissions.

The proposed electronic standard would impose unjustified burdens on physicians, due to its lack of uniqueness and universality, in violation of the Paperwork Reduction Act and the Regulatory Flexibility Act. In addition, the Proposed Rule fails to include security provisions for electronic transmissions, contrary to the statute. Physicians will be prevented from performing electronic transmissions due to unavailable or non-standard EINs, and inadequate security. The Proposed Rule violates physicians' constitutional rights of free speech and due process to execute electronic transmissions.

AAPS respectfully urges the Health Care Financing Administration ("HCFA") to reconsider its Proposed Rule in light of these comments.

A. THE "BACKGROUND" (SECTION I)

The Proposed Rule notes that "[i]n all cases where information about the employer is transmitted electronically, it would be beneficial to identify the employer using a standard identifier." 63 F.R. at 32785. But the actual proposed regulation then imposes a mandatory requirement that is circular: "[e]ach health care provider must use the national employer identifier wherever required on all transactions the health care provider transmits electronically." Proposed Sec. 142.608 (63 F.R. at 32798).

By defining the mandatory use of the EIN in a circular manner, the Proposed Rule is ambiguous as to when the EIN is required and when it is optional. This is arbitrary in light of the statutory requirement that "[t]he standards adopted [for the unique health identifier] shall specify the purposes for which a unique health identifier may be used." 42 U.S.C. § 1320d- 2(b)(2). Due to its lack of particularity, the Proposed Rule fails to provide physicians with adequate notice. The actual legal requirements must be set forth for notice and comment prior to promulgation of the final rule, in conformance with the Administrative Procedure Act ("APA") and the enabling statute.

B. THE "EIN STANDARD" & "IMPLEMENTATION" (SECTIONS II.D, III)

The Proposed Rule states that HCFA is "proposing as the standard the employer identification number (EIN), which is assigned by the Internal Revenue Service (IRS), Department of the Treasury." 63 F.R. at 32791. The EIN, however, violates the two principal requirements imposed by the statute for the identifier: (1) that the identifier be "unique" and (2) that the identifier be assigned to "each � employer." 42 U.S.C. § 1320d-2(b)(1). Accordingly, the EIN is an unsatisfactory identifier.

First, the EIN is not "unique" for many employers. The Proposed Rule acknowledges this problem of multiple EINs for certain employers, but fails to consider the enormous confusion that this would cause for an electronic standard. "We are aware that some organizations have more than one EIN." 63 F.R. at 32793. The Proposed Rule fails to consider that this lack of uniqueness is contrary to the statutory requirement that HCFA adopt a "unique" health identifier. The EIN is not unique for employers, and thus implementation of this as a standard will only cause endless confusion in electronic transactions. It is arbitrary and capricious for the Proposed Rule to fail to adopt a unique identifier as required by the statute.

Second, there is no EIN for many small employers, and thus their employees (and their physicians) will suffer enormous inconvenience under the Proposed Rule. These employers include sole proprietors, who are not assigned EINs, and recently established companies, for which no EIN has yet been assigned. These two types of employers likely total more than one million, and thus affect millions of patients and most physicians. The Proposed Rule would make it impossible for physicians to execute electronic transactions for such employees. The Proposed Rule thereby violates the statutory requirement that an identifier be assigned to "each � employer," and discriminates against small employers and their patients in an arbitrary and capricious manner.

The Proposed Rule fails to consider implementation problems due to multiple EINs for single employers and the lack of an EIN for many others. Should physicians use a substitute EIN for many of these employers? As written, the Proposed Rule makes electronic transmissions impossible for any employer that lacks an EIN, or refuses to disclose its EIN to the physician. The Proposed Rule arbitrarily violates physicians' constitutional free speech and due process rights to utilize electronic transmissions concerning employers that lack a "unique" EIN.

C. THE "REQUIREMENTS" (SECTION II.E)

The Proposed Rule fails to address situations where the employer either refuses to disclose its EIN, or delays disclosure for unreasonable amount of time. The Proposed Rule acknowledges that "the law does not bind employers to use the standard." 63 F.R. at 32792. Nevertheless, the Proposed Rule arbitrarily declares that "[a]ny individual or other entity that needs to know an employer's EIN for use in electronic health transactions would obtain it directly from the employer." Id. The Proposed Rule fails to consider and address lack of compliance by employers - particularly by small employers for which most patients work - with respect to producing the EINs.

It is arbitrary and capricious for HCFA to prohibit electronic transmissions by physicians in situations where the employer EIN is not provided in a timely manner. Physicians must have a safe harbor whereby they can submit electronic transmissions without EINs that are not readily available.

D. THE "COLLECTION OF INFORMATION REQUIREMENTS," THE PRA AND RFA (SECTIONS V AND VII).

E. THE PROPOSED RULE VIOLATES THE STATUTE BY OMITTING SECURITY PROTECTIONS.

42 USCS  1320d-2(d) expressly requires the following:

(d) Security standards for health information.  

   		(1)	Security standards. The Secretary shall adopt security standards that--

(A)	take into account--
     				(i)	the technical capabilities of record systems used to maintain health 
information;
(ii)	the costs of security measures;
(iii)	the need for training persons who have access to health information;
          		(iv)	the value of audit trails in computerized record systems; and
           		(v)	the needs and capabilities of small health care providers and rural health care 
providers (as such providers are defined by the Secretary); and

(B)	ensure that a health care clearinghouse, if it is part of a larger organization, has 
policies and security procedures which isolate the activities of the health care 
clearinghouse with respect to processing information in a manner that 
prevents unauthorized access to such information by such larger organization.

(2)	Safeguards. Each person described in section 1172(a) [42 USCS  1320d-1] who 
maintains or transmits health information shall maintain reasonable and appropriate 
administrative, technical, and physical safeguards--

(A)	to ensure the integrity and confidentiality of the information;
(B)	to protect against any reasonably anticipated--
(i)	threats or hazards to the security or integrity of the information; and
(ii)	unauthorized uses or disclosures of the information; and
(C)	otherwise to ensure compliance with this part [42 USCS  1320d et seq.] by the 
officers and employees of such person.

This lack of security in the Proposed Rule is entirely unjustified. Employers may justifiably fear that their EINs will be used to cross-reference employee medical records against other electronic lists that may include the employees home addresses and phone numbers. In light of the lack of penalty for an employer to withhold its EIN, many employers may rationally refuse to disclose their EINs to physicians due to justified fears of invasion of privacy. The federal government has adopted encryption techniques in many other areas that are less sensitive than personal medical information. Even users on the Internet enjoy greater security, by virtue of encryption in commercial browsers, than the Proposed Rule adopts for patients receiving confidential medical treatment. HCFA should revise electronic standard to include security features, and allow rejection of any electronic transaction for the reason of inadequate encryption.

CONCLUSION.

AAPS respectfully urges HCFA to consider and implement the above modifications with respect to HCFA-0047-P. Please contact me if I can be of further assistance.

Sincerely,

Jane Orient, M.D.
Executive Director