CDA has found out that at least one dental benefit carrier is promoting a “new transmission option” for the electronic transmission of claims and that software vendors are being approached to add this new option to their software. CDA has several concerns regarding this and you should therefore be aware that this new solution is not a CDAnet service and that at this point, its use is not recommended by CDA. In addition you should know that any affirmation that this solution can be used for the transmission of dental claims through CDAnet is unauthorized and inaccurate.
What are the concerns?
The new transmission option, called the “CCD-WS,” enables dental offices to send claims to the carriers who choose to use it over the Internet. CDA has the following concerns:
- Security. The new transmission option does not meet the accepted practices for secure communication on the Internet, leaving dentists vulnerable to identity theft.
- Authority. Any transmission option is based on a “messaging specification” and how this messaging specification was developed and will evolve in the future, and who will be involved, is unclear. Dentists’ interests were not considered in the creation of this standard, and may not be considered in the future.
- Carrier selection of vendors. As currently specified, vendors must apply to the carriers choosing to implement this option. This means carriers will be able to limit your choice of software for sending claims electronically.
- Ability of dentists to organize their business as they see fit. The document that describes the messaging specification for this option does not include the ability for dentists to engage third party services such as ITRANS or Internet-based software vendors.
Who exactly is involved?
The messaging specification and the software was developed through the Health Industry Electronic Commerce Association (HIEC), www.hiec.org. This association is comprised mostly of insurance carriers, and their purpose is to further the aims of insurance carriers in the area of electronic transactions.
How is my software vendor involved?
Our understanding is that throughout the development of this specification and software, dental software vendors were not consulted. One vendor was paid to do some pilot testing once the software was completed. All software vendors have now been contacted to add this transmission option to their software.
What exactly is the security issue?
As you know, dentists are Health Information Custodians as defined by privacy legislation in Canada and are obligated to protect the patient health information under their care. As such, dentists must ensure that whenever health information is transmitted, it is done securely (which is why email should never contain patient health information). The twin pillars of secure Internet communication are encryption and authentication, as described by the excerpt from Microsoft’s Mastering Network Security highlights below:
Authentication and encryption are two intertwined technologies that help to insure that your data remains secure. Authentication is the process of insuring that both ends of the connection are in fact who they say they are. This applies not only to the entity trying to access a service (such as an end user) but to the entity providing the service, as well (such as a file server or Web site). Encryption helps to insure that the information within a session is not compromised. This includes not only reading the information within a data stream, but altering it, as well.
While authentication and encryption each has its own responsibilities in securing a communication session, maximum protection can only be achieved when the two are combined. For this reason, many security protocols contain both authentication and encryption specifications.
The security issue with this new option, called the “CCD-WS”, is the authentication. There is no capability for the receiving party to know which dentist or dental office sent the message. Only the type of software being used can be identified, and by definition, the communication is not “secure.” There is the potential for a fraudster to send a carrier claims under the name of an unsuspecting dentist.
What is required, is the CCD-WS to rely on a unique digital certificate for each dentist so that the identity of the sender of the message is verified. This option was overlooked in the creation of this system.
Are there other privacy implications?
Health information privacy legislation is a provincial domain, however all of the provinces respect the core provisions of the Pan-Canadian Health Information Privacy and Confidentiality Framework (http://www.hc-sc.gc.ca/hcs-sss/pubs/ehealth-esante/2005-pancanad-priv/index-eng.php). This framework is clear that dentists are health information custodians, the information in a dental claim is personal health information that must be protected, and that information security safeguards will be based on recognized information security standards. This framework also identifies the need for health care providers to undertake a Privacy Impact Assessment of their office, especially when a new information processing or communication technology is introduced.
What is CDA Doing to Resolve the Situation?
CDA continues to offer to work with HIEC to resolve the concerns it has. CDA’s view is that all of the participants in the dental claim processing must work together to define the solutions that will work for everyone. Our aim is to keep the technical environment as simple as possible for dentists yet ensure dentists are able to meet and exceed the expectations of their patients, their regulator and the privacy laws in their province of practice.
What is the difference between the CCD-WS and ITRANS for sending claims on the Internet?
The messaging specification that ITRANS is based on was developed by following the recognized processes of HL7, a leading international organization for health standards development (see www.hl7.org). The ITRANS claim service uses dentist-based digital certificates that enable full two-way authentication and encryption to recognized information security standards. In addition, the ITRANS Claim Service provides the dental office with access to the ITRANS portal where the office can view the logs of the claim messages the office has sent, which can be very helpful in troubleshooting claims issues with carriers.