CMS Begins Compliance Review Program
Beginning this month, nine HIPAA-covered entities — a mix of health plans and clearinghouses — will be randomly selected by the Centers for Medicare & Medicaid Services (CMS) for compliance reviews. Any health plan or clearinghouse — not just those that work with Medicare or Medicaid — may be selected. The CMS Division of National Standards is launching the Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health record transactions.
What to Expect
Each selected organization will be contacted by telephone to identify the appropriate point of contact for a HIPAA compliance review. The contact will then receive an introductory email with further instructions and resources for assistance, such as a dedicated mailbox and one-on-one phone calls.
CMS will review participants’ administrative transactions for compliance with standards for:
- Electronic transaction formats;
- Code sets; and
- Unique identifiers.
Participants will attest to whether they comply with operating rules.
The program implements a progressive penalty process with the goal of remediation. If an organization isn’t compliant, CMS will work with the entity to resolve any issues. Corrective Action Plans are commonly used to address noncompliance. In cases of willful and egregious noncompliance, monetary penalties may be assessed and calculated on a case-by-case basis.
Learn By Example
CMS recently completed the Optimization Pilot in preparation for this full-scale Compliance Review Program. Ten organizations met the criteria for participation and of these, four clearinghouses and one health plan completed the pilot. Among pilot participants, the most common violations involved transaction standards. Types of violations from the most to the least frequent were:
- Transactions (42)
- Code sets (15)
- Unique identifiers (14)
- Operating rules (3)
Based on the lessons learned from the pilot, CMS made enhancements to the Edifics X-Engine testing tool, such as increasing the number of violations reported in a single file, streamlining Compliance Review Standard Operating Procedures, and improving communication protocols.
Prep Steps You Can Take
CMS has released prep steps that health plans and clearinghouses can take to prepare for the Compliance Review Program.
For transactions that clearinghouses conduct on your behalf:
- Ask your clearinghouses to verify that they are handling your transactions in a compliant way.
- Test the compliance of your clearinghouse’s transactions.
- Be sure your contracts with clearinghouses and other third parties require compliance with HIPAA Administrative Simplification rules for electronic transactions.
Health Plans and Clearinghouses
For transactions you conduct yourself:
- Test the compliance of your transactions.
- Verify compliance with operating rules for eligibility, claims status, and electronic funds transfer/remittance advice.
According to CMS, providers will be able to participate in a separate pilot program on a voluntary basis, but no information has yet been made available.
HHS HIPAA Administrative Simplification Information Bulletin, March 25, 2019
HHS HIPAA Administration Simplification Information Bulletin, March 22, 2019
What to Expect: Q&A, CMS