October 30, 2009
MACHINE-READABLE HEALTH INSURANCE IDENTIFICATION CARDS
By: Janet L. Kaminski Leduc, Senior Legislative Attorney
You asked for information about machine-readable health insurance identification (ID) cards (e.g., cards with bar codes that embed patient information that health care providers can access). Specifically, you asked if other states require such bar codes on ID cards.
Based on our online research, no states require health insurance companies to issue machine-readable ID cards containing or accessing embedded patient data. There are, however, a variety of initiatives underway and studies have been done in at least three states (Colorado, Ohio, and Texas) regarding the use of such technology.
On the national level, federal law sets minimum standards for electronic transactions in the health insurance arena. Private industry has been forging ahead with the use of magnetic stripe cards and standardized ID card formats. The apparent challenge in using such technology is having the health care provider community adopt it. To do so, they would need to invest in card readers to swipe the ID cards, opening up computer access to secure patient data. In areas where providers have adopted the technology, they report fewer transaction errors and reduced administrative costs.
In Connecticut, the Department of Public Health (DPH) is the state's lead health information exchange organization as of July 1, 2009, pursuant to PA 09-232. DPH must establish a 12-member health information technology and exchange advisory committee to advise DPH on the implementation of a statewide health information technology plan. Annually from 2010 to 2015, DPH and the committee must report to the governor and General Assembly on the status of health information technology and exchange in the state.
Additionally, PA 09-148 establishes a SustiNet Health Partnership board of directors that must make legislative recommendations, by January 1, 2011, on the details and implementation of the “SustiNet Plan,” a self-insured health care delivery plan. The act requires, among other things, that the board establish an information technology committee to make recommendations concerning health information technology. While it does not specify research into machine-readable ID cards, it requires that the committee develop a plan for developing, acquiring, financing, leasing, or purchasing fully interoperable electronic medical records software and hardware for providers participating in SustiNet. The act includes incentives to help providers meet the goal of adopting electronic medical records by July 1, 2015.
ACTIVITY AT THE NATIONAL LEVEL
HIPAA Administrative Simplification
The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the secretary of Health and Human Services (HHS) to adopt national standards for the electronic transmission of personal health information. HIPAA's “administrative simplification” provisions impose requirements on providers, health plans, and clearinghouses that conduct business electronically. HIPAA does not require that entities conduct transactions electronically, but if they do, they must comply with the standard format set forth through HIPAA and related rules.
In 2000, the HHS secretary adopted final rules on transaction standards and code sets for certain common transactions, including eligibility verification. HIPAA's standards for an eligibility determination only require it to contain the subscriber's name, current insurance status, and dependent name (if applicable). Many stakeholders believe this is too limited. In 2008, the secretary published a proposed rule to update the standards to require additional information be accessible in standard formats.
For more information about HIPAA and the administrative simplification provisions, see OLR Research Report 2002-R-0976.
Workgroup for Electronic Data Interchange
The Workgroup for Electronic Data Interchange (WEDI) was established in 1991 at the urging of the federal secretary of Health and Human Services for industry participants to identify practical strategies for reducing administrative costs in healthcare through the implementation of electronic data interchange (EDI). According to its website, WEDI quickly became a major advocate in promoting the acceptance and implementation of the standardization of administrative and financial health care data (http://www.wedi.org/public/articles/details~1.shtml).
WEDI's membership includes providers, health plans, consumers, vendors, government organizations, and standards groups committed to implementing electronic commerce and EDI standards for the healthcare industry. Regulatory officials from the Centers for Medicare & Medicaid Services, Health and Human Services, Office of Civil Rights, and other government entities attend and participate in WEDI forums.
In November of 2007, WEDI adopted standards for health insurance ID cards, including requirements for machine-readable elements, which are available online in its Implementation Guide (www.wedi.org/snip/public/articles/WEDI-Health-ID-Card-Approved.pdf). The standards allow for two types of machine-readable formats: magnetic stripes and bar codes. For health insurance, carriers using such technology appear to only be using magnetic stripes.
WEDI standards have ID cards act as an access key to data, rather than information storage devices. Reasons for this include the fact that (1) providers usually request or need current, real-time information instead of previously stored, potentially out-dated information; (2) storing personal health data on a card presents more security risks than storing it in a secure database that is password protected; and (3) storing a large amount of information on a card is more expensive in terms of both the cards and the associated card readers.
Project SwipeIT. Project SwipeIT is an industry-wide effort coordinated by the Medical Group Management Association (MGMA) to have health insurers, vendors, and health care providers initiate processes to support standardized machine-readable ID cards by January 1, 2010.
MGMA says machine-readable ID cards with a magnetic stripe could be linked to providers' computer systems via a card reader allowing automatic access to patient information with a simple swipe. MGMA estimates that machine-readable ID cards could save physician offices and hospitals as much as $1 billion a year by reducing unnecessary administrative efforts and many denied claims.
Project SwipeIT's frequently asked questions and answers are at http://www.mgma.com/solutions/landing.aspx?cid=25436&id1=25438&mid=25438.
A sample standardized ID card shown on Project SwipeIT's website is duplicated here:
According to the Project SwipeIT website, eight insurance companies support the project: Humana, UnitedHealth Group, Cox HealthPlans, and the respective Blue Cross and Blue Shield companies of Illinois, Kansas City, Oklahoma, New Mexico, and Texas. Additionally, there is pledged support from vendors, associations, other organizations, and providers (including some located in Connecticut) for a total of almost 1,000 supporters at this time (see http://www.mgma.com/solutions/landing.aspx?cid=25436&id1=26552&mid=26552).
Availity. Two years ago, Availity LLC, an EDI clearinghouse and a joint venture of Humana and Blue Cross and Blue Shield of Florida, launched a collaborative ID card and swipe technology pilot program in conjunction with other major health plans (e.g., Aetna and UnitedHealth Group) in Florida. According to a Humana and MGMA news release, some practices participating in the Florida pilot reduced manual keystroke errors by more than 50% and saw a 50% reduction of denied claim transactions (MGMA and Humana Urge Industry to Adopt Standard, Machine-Readable Patient ID cards, February 3, 2009). Availity continues to offer the swipe card technology under the name of CareRead. More information is available at http://www.availity.com/about-availity/what-is-availity/products-services/careread/.
According to its website, Availity has customers in all 50 states, Puerto Rico, and the U.S. Virgin Islands with more than 50,000 organizations, including physician practices, hospitals, billing services, and labs, using its EDI services.
UnitedHealth Group. UnitedHealth Group announced in February 2009 that it was applying the WEDI national standards for its ID cards to give providers access to real-time information about patients. (UnitedHealth Group Makes it Simpler for Physicians to Administer Health Care with Updated Customer ID Cards, February 4, 2009 press release).
The company first introduced such technology in 2004, but by adopting the WEDI standards, the cards can be read by providers using a standard card reader and will (1) give access to patient insurance eligibility information and a patient's personal health record and (2) process real-time health care transactions (e.g., claim adjudication). The company “believe[s] that using the WEDI standards is the ideal policy action as it establishes a series of uniform standards that are compatible for…magnetic stripe cards and bar codes,” according to Jason Martiesian, Vice President of State Government Affairs for UnitedHealth Group in an October 27, 2009 e-mail to OLR. He indicated that one of the barriers to providers adopting the technology previously was reluctance to having to use multiple machines and processes for these readable cards for different health plans. WEDI standardizes the technology, eliminating that concern.
Martiesian noted that UnitedHealth Group's ID cards have magnetic stripes, which can be used in credit card machines that most providers have in their offices. He commented that the magnetic stripe:
enables communications between the member's physician and UnitedHealthcare at the time of service in a physician's office. It includes the policy holder ID, verifies eligibility, and accesses patient information at the point of service to assist with benefits, Personal Health Record, Real Time Adjudication, payments and other information.
The cards allow providers to check member eligibility information, claims history, view updated deductible information, as well as to check covered benefits for members. The card serves as a key to access member information. In addition, the cards can be used as a way to access member information through third party portals which allows providers to search various carrier systems without having to go to multiple websites.
The ID card provides protection for handling and processing confidential health information with the use of an alternate identification number, instead of using the member's Social Security number.
Martiesian indicated that UnitedHealth Group currently has approximately 17 million members with the readable cards across its commercial, Medicaid, and Medicare membership. The company continues providing the rest of its members with the magnetic stripe ID cards and plans to have the majority with them in 2010.
ACTIVITY AT THE STATE LEVEL
While Connecticut does not require the use of machine-readable ID cards for eligibility verification or insurance plan details, it has begun work toward the development and use of electronic medical records. For an overview of the challenges faced in adopting electronic records and other states' electronic medical records activities, see OLR Research Report 2006-R-0672 attached.
PA 05-168. A 2005 law (PA 05-168, CGS §§ 19a-25b and 19a-25c) allows licensed health care institutions to create, maintain, or use medical records in electronic format, paper, or both if the system can store medical records and patient health care information in a reproducible and secure manner. The law also allows health care providers with prescriptive authority to use electronic prescribing systems.
PA 07-2, June Special Session and PA 09-232. PA 07-2, JSS, required DPH to contract for the development of a statewide health information technology (HIT) plan. PA 09-232 requires DPH to submit the plan to the Public Health Committee by July 1, 2009. The plan must include:
1. standards and protocols for health information exchange;
2. standards to facilitate the development of a statewide, integrated electronic health information system for use by state-funded health care providers and institutions; and
3. pilot programs for health information exchange, including costs and funding sources.
PA 09-232 designates DPH as the state's lead health information exchange organization as of July 1, 2009. It requires DPH to seek private and federal funds, including any available through the federal American Recovery and Reinvestment Act, for the initial development of a statewide health information exchange. DPH can use such funds to establish HIT pilot programs and grant programs the law establishes.
The law requires the standards and protocols established to be at least as stringent as the “standards for privacy of individually identifiable health information” established under HIPAA. Information must be secure and access to it traceable by electronic audit.
PA 09-232 also establishes a 12-member health information technology and exchange advisory committee to advise DPH on implementing the statewide HIT plan. It must develop electronic data standards that are compatible with national data standards to allow for interstate interoperability and permit the collection of health information in a standard electronic format. The committee must also advise DPH on an HIT grant program through which eligible institutions may obtain funds to implement HIT and exchange in the state.
DPH and the advisory committee must report annually from February 1, 2020 and February 1, 2015 to the governor and General Assembly on:
1. any private and federal funds received during the preceding period and, if applicable, how the funds were spent;
2. the amount of grants awarded;
3. the grant recipients; and
4. the current status of HIT and health information exchange in the state.
PA 09-148. In 2009, the legislature enacted PA 09-148, An Act Concerning the Establishment of the SustiNet Plan, as amended by PA 09-3, September Special Session. PA 09-148 establishes a SustiNet Health Partnership board of directors that must make legislative recommendations, by January 1, 2011, on the details and implementation of the “SustiNet Plan,” a self-insured health care delivery plan. The act requires, among other things, that the board establish an information technology committee to make recommendations concerning health information technology. The committee must develop a plan for developing, acquiring, financing, leasing, or purchasing fully interoperable electronic medical records software and hardware for subscribing providers. The plan must allow providers to receive support services for implementing electronic medical records.
The act delineates how electronic health records will be established for SustiNet members and how participating providers may gain access to hardware and approved software for interoperable electronic medical records. The electronic records must be available in real time and accessible to any participating or subscribing health care provider rendering services to a patient.
The act requires the committee to recommend that the use of board-approved or compatible electronic medical records by July 1, 2015 be a condition of a provider's participation in the SustiNet Plan. The act permits possible extensions or exemptions for providers who would face a hardship in meeting the deadline or whose participation in SustiNet is necessary to assure geographic access to care.
The act includes incentives to help providers meet the goal of adopting electronic medical records by July 1, 2015. The committee must recommend the development and implementation of appropriate financial incentives for participating providers who subscribe early, including discounted fees. The committee must also recommend ways to eliminate or minimize transition costs for providers who implemented comprehensive electronic medical or health records systems before January 1, 2011. For example, these can include technical assistance with transitioning to new software and developing modules to help existing software connect to the integrated system established for SustiNet. As another incentive, providers will share in any cost savings achieved by implementing an integrated electronic medical records system.
In 2008, Colorado enacted Senate Bill 08-135, An Act Concerning a Standardized Card to be Issued to Persons Covered under a Health Coverage Plan and Making an Appropriation Therefore. This law requires the insurance commissioner to adopt rules providing requirements for a standardized printed health insurance ID card. Insurers must begin issuing the standard ID cards for new and renewed plans on and after July 1, 2009. By July 1, 2010, all insurers must issue the standard ID cards to all people covered by plans for which they issue cards.
In addition to specifying the minimum requirements for the standardized ID card, the law establishes a work group to make recommendations:
1. on standards for technology and tools that conform to “any standards adopted by a nonprofit organization that sets relevant national technical standards” through which information may be electronically recognized, exchanged, or transmitted between insurers and providers;
2. to “simplify eligibility and coverage verification” through an EDI using swipe card or other technology; and
3. regarding eligibility notification, preauthorization, or denial through an EDI using swipe card or other technology.
Once the commissioner receives the work group's recommendations, he must adopt rules to implement a standardized electronic swipe card or other technology to be used by insurers, providers, and insured people that allow access to information regarding coverage under health insurance plans. Insurers must implement the new technology within two years of the rules adoption, but the work group may recommend that insurers be given a six-month extension.
The law requires the commissioner to amend the rules as necessary to reflect the most current technology available that will allow real time date exchange, benefits eligibility, coverage determinations, and other appropriate provider-insurer transactions. The law appropriated $12,928 to the insurance division for preparing regulations and forming and staffing the work group.
The law places no requirements on providers, information clearing houses, or other entities.
WEDI Comments. The work group contacted WEDI for input on its legislation and developments. In a January 28, 2009 response, Peter Barry, on behalf of WEDI, noted that adding machine-readable technology to an ID card that is being issued anyway “adds insignificant cost, perhaps 6/1000ths of one percent of premium.” He believes cards with such technology are “very cost effective, potentially reducing errors a lot, and mandating it would be good for the industry.”
Barry noted that machine-readable ID cards also have to be “human-readable” to accommodate providers who do not install card readers. Thus, he believes a printed card with the machine-readable feature must still contain necessary information for providers and patients to view and reference.
Ohio House Bill 125 (2008), created the “Advisory Committee on Eligibility and Real Time Claim Adjudication” to study and recommend mechanisms or standards that will enable providers to send to and receive from payers (e.g., insurers) sufficient information to enable a provider to determine at the time of the enrollee's visit his or her eligibility for covered services and real time adjudication of provider claims for services. It requires the committee to submit a report of its findings and recommendations for legislative action to the General Assembly by January 1, 2009. Any transaction standards adopted by the General Assembly must, at a minimum, comply with the standards mandated by HIPAA.
The committee recommends adopting standards for eligibility verification set by the Council on Affordable Quality Healthcare (CAQH), which build upon current federal HIPAA requirements. But the committee chose to not recommend any particular information technology for personal identification, such as smart card, magnetic strip, or biometric technology because of the short lifespan of technology. It also did not recommend any particular information technology for providers to use when requesting eligibility verification. The committee does recommend further investigation into alternative methods of electronic data exchange.
The committee's January 2009 report may be viewed at
Pursuant to Texas HB 522 (2007), the state insurance commissioner appointed an advisory committee in 2007 to make recommendations on standardized health insurance ID cards and standards for electronic data exchange to enable providers to obtain real time insurance eligibility information. The law required the group to make recommendations by
December 2008 regarding the use of Internet website, smart card, magnetic strip, biometric, or other technologies that comply with national transaction standards.
In its December 2008 report to the commissioner, the committee recommends adopting the format and content standards adopted by WEDI that include a standard printed card with machine-readable information through the use of magnetic stripes or bar codes. It also recommends adopting standards for eligibility verification set by the CAQH.
The committee took note of ongoing EDI and administrative simplification initiatives by the federal government and industry, including ID card projects in Texas by Blue Cross and Blue Shield of Texas, Humana, and United Healthcare. In 2009, Humana expects to transition all of its Texas ID cards to magnetic stripe swipe cards and Blue Cross plans to have over one million cards converted in select areas of the state. United Healthcare already uses the swipe card technology on all of its commercial ID cards in Texas. The committee recommends the state monitor these ongoing initiatives when considering regulations relating to these issues.
The committee's December 2008 report may be viewed at http://www.tdi.state.tx.us/reports/life/documents/HB522cede2008.pdf.