CMS: Compliance Review Program (March 27, 2019)
HHS has announced the launch of a Compliance Review Program to assess covered entities’ compliance with HIPAA’s rules for electronic health care transactions, including transaction formats, code sets, and unique identifiers. These rules impose standards for specified transactions involving the electronic exchange of health care data. The Affordable Care Act (ACA) added requirements for operating rules for the existing transactions, unique health plan identifiers (HPIDs), and standards for electronic funds transfers and electronic health care claims attachments. These rules are intended to increase efficiency, improve the quality and accuracy of information, and reduce overall health care costs. Nine covered entities—a mix of health plans and clearinghouses—will be selected for this initial round of compliance reviews.
A separate “What to Expect” Q&A document provides additional information on the program, explaining how selected entities will be notified, that reviews could take four to six months to complete, and how the reviews will be conducted. The Q&As note that entities selected for review will use a portal to upload requested files and will have just 30 days after information about the portal is provided to submit transactions and other information for review. HHS will review submissions within 30 days after receipt, and will then notify the entity of its findings and any necessary corrective action. According to the announcement, the program will focus on remediation through corrective action plans, but in cases of willful and egregious noncompliance, monetary penalties may be assessed. Another document lays out “prep steps” that health plans can take to prepare for a compliance review.
EBIA Comment: The prep steps document refers to transactions that health plans conduct themselves and transactions conducted by clearinghouses on a health plan’s behalf, but no reference is made to transactions by third-party administrators (TPAs) or other business associates. This may mean that the compliance review program will focus on health insurers, although cautious self-insured health plans and TPAs may take this opportunity to assess their compliance with these rules. Also, although the supporting materials refer to unique identifiers, we suspect that HPIDs will not be included in these reviews in light of CMS’s nonenforcement policy and proposed regulations to eliminate HPIDs (see our Checkpoint article). For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXXII (“Electronic Transactions and Code Sets”).
Contributing Editors: EBIA Staff.