CMS Guidance Letters Address Compliance With HIPAA Electronic Transactions Standards


· 5 minute read
CMS GL-2022-03: Guidance on HIPAA Covered Entities’ Responsibility to Require that Business Associates Comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA) Regulations (Mar. 22, 2022); CMS GL-2022-04: Guidance on Health Plans’ Payment of Health Care Claims Using Virtual Credit Cards (VCCs) and Adopted HIPAA standards for Health Care Electronic Funds Transfers (EFT) and Remittance Advice (ERA) Transactions; 45 Code of Federal Regulations (C.F.R.) §§ 162.1601 and 162.1602(d) (Mar. 22, 2022)



The CMS National Standards Group (NSG) has issued two guidance letters addressing HIPAA administrative simplification provisions related to electronic health care transactions. HIPAA administrative simplification encompasses standards for privacy, security, breach notification, and electronic health care transactions. HHS’s Office for Civil Rights enforces the privacy, security, and breach notification standards, while the NSG administers compliance with the standards for electronic transactions, including code sets, unique identifiers, and operating rules.

The first letter addresses business associates’ compliance obligations and a covered entity’s responsibility for its business associates’ noncompliance. The second letter explains the transaction standards for electronic funds transfer (EFT) and electronic remittance advice (ERA). Here are highlights:

  • Business Associates. Although covered entities must contractually require their business associates to comply with the electronic transaction standards, engaging a business associate does not relieve the covered entity from its obligation to fully comply with the standards. Thus, if the business associate fails to comply with the electronic transaction standards, then the NSG may seek recourse against the covered entity for the business associate’s noncompliance. This same rule applies when the business associate is a covered entity in its own right—the covered entity that hired the business associate still may be held responsible for noncompliant actions taken by the business associate on the covered entity’s behalf. [EBIA Comment: In a footnote, NSG notes that the HITECH Act established different direct liability rules for business associates under HIPAA’s privacy and security standards. Business associates are directly liable for compliance with the security standards and some of the privacy standards (see our Checkpoint article) but not the electronic transaction standards.]
  • EFT/ERA. If a provider asks a health plan to conduct a payment transaction in accordance with HIPAA’s EFT/ERA transaction standards, then the health plan must do so—regardless of whether the provider is in the plan’s network or otherwise affiliated with the plan. Conversely, if a provider does not request that the health plan use the adopted standards for EFT/ERA transactions or fails to complete a health plan’s EFT/ERA enrollment process, then the health plan is not obligated to use the adopted standards. In this case, health plans may pay health care claims using virtual credit cards, which are not covered by the EFT standards. Although health plans may require providers to conduct certain aspects of the payment transactions with the plans’ business associates, providers retain the freedom to choose their own service providers for other aspects of the transactions. Providers may use the Administrative Simplification Enforcement Testing Tool (ASETT) to file a complaint against a health plan that fails to comply with the electronic transaction standards.

EBIA Comment: Although HIPAA privacy, security, and breach notification requirements tend to grab the headlines, electronic transactions lie at the core of HIPAA administrative simplification. The NSG has recently focused attention and resources on compliance, including highlighting the functionality of the ASETT application. Health plans and their business associates conducting covered electronic transactions should keep abreast of NSG’s activity. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV (“Business Associate Contracts”) and XXXII (“Electronic Transactions and Code Sets”).

Contributing Editors: EBIA Staff.