CMS Launches Review Program to Assess Compliance with the HIPAA Administrative Simplification Rules

The HHS’ Centers for Medicare and Medicaid Services (CMS) has launched a compliance review program to assess whether HIPAA covered entities are complying with the HIPAA Administrative Simplification Rules for electronic healthcare transactions. The compliance reviews will commence in April 2019.

The HIPAA Administrative Simplification Rules

The HIPAA Administrative Simplification Rules were introduced to improve the efficiency and effectiveness of the health system in the United States. They require healthcare organizations to adopt national standards for healthcare transactions that are conducted electronically, including the use of standard code sets and unique health identifiers, in addition to complying with the requirements of the HIPAA Privacy and Security Rules.

The HHS’ Office for Civil Rights is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The CMS is responsible for administering and enforcing the rules covering transaction and code sets standards, the employer identifier standard, and the national provider identifier standard, as detailed in 45 CFR Parts 160, 162, and 164. The CMS-administered standards are required to be adopted whenever there is an exchange of health information. If the standards are not adopted, healthcare information cannot be exchanged efficiently.

The CMS Compliance Review Program

Starting in April 2019, the CMS will conduct compliance reviews on 9 randomly selected health plans and healthcare clearinghouses, including those that deal with Medicare and Medicaid and those that do not.

The compliance reviews will assess whether HIPAA-covered entities are in compliance with the standards set for:

  • Transaction formats;
  • Code sets; and
  • Unique identifiers

If covered entities selected for a review are found not to be in compliance with the HIPAA Administrative Simplification Rules, they will be provided with a corrective action plan to address any violations and will be given the opportunity to make changes and achieve compliance.

Any covered entity that fails to make the necessary changes and achieve compliance with the HIPAA Administrative Simplification standards will be subjected to “escalating enforcement actions”, which could include civil monetary penalties.

The 2019 CMS Compliance Review Program follows on from a pilot review program conducted in 2018 on three health plans and three healthcare clearinghouses that volunteered to participate. A separate program will take place in 2019 in which providers will also be able to volunteer for compliance reviews.

After the latest round of 9 compulsory compliance reviews has been completed, the CMS will conduct an ongoing campaign involving periodic reviews of randomly selected covered entities to assess compliance with the HIPAA Administrative Simplification Rules.

These will be in addition to the normal procedure for enforcing compliance, which currently operates on a complaint basis.

Organizations can use the web-based Administrative Simplification Enforcement and Testing Tool (ASETT) to test transactions to determine whether they are compliant and to submit complaints about HIPAA Administrative Simplification Rules violations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.