Share this article on:
The Department of Health and Human Services’ Office for Civil Rights is the primary enforcer of HIPAA Rules and has issued numerous financial penalties for HIPAA violations in response to complaints and data breaches. State attorneys general are also permitted to fine HIPAA-covered entities when violations of HIPAA Rules are discovered, and several state attorneys general have exercised that right. While the HHS’ Centers for Medicare & Medicaid Services is mandated to assist OCR with the enforcement of HIPAA Rules related to compliance with the HIPAA Administrative Simplifications, to date the CMS has not issued any fines.
The Medical Group Management Association (MGMA) believes that should change and the CMS should start enforcing compliance with HIPAA Rules that aim to reduce the administrative burden on healthcare providers.
In a recent letter to CMS, the MGMA explained it has received many complaints from members related to the failure of health plans to comply with HIPAA and ACA administrative simplification requirements. The lack of enforcement activity by the CMS in this area means there is no incentive for health plans to comply with the requirements relating to mandated transactions, national identifiers, code sets, and operating rules.
The letter, written by Anders Gilberg, MGA, Senior Vice President, Government Affairs, was submitted in response to a call for comments on the CMS complaint form. While comments specific to the complaint form were included in the letter, the MGMA also took it as an opportunity to criticize the CMS HIPAA administrative simplification enforcement process.
The CMS compliant form allows physician practices to formally file complaints against healthcare clearinghouses and health plans and notify CMS about HIPAA violations, although little action appears to be taken in response to those complaints.
MGMA explained in the letter that many health plans are not supporting national standards. Use of X12 270/271 (Eligibility & Benefit Verification) remains below 80%, X12 835 (Remittance Advice) is around 56%, use of the Electronic Funds Transfer transaction for payments has fallen from 62% to 60%, and use of the X12 278 (Prior Authorization) transaction has fallen from 18% to 8%.
MGMA notes that health plans are also trying to move providers away from using HIPAA standards to online portals. While there are benefits to the use of online portals, MGMA notes that “proprietary portals create a manual workflow process for providers and decreased revenue cycle automation.”
MGMA suggests CMS should step up its enforcement efforts to encourage health plans to comply with the HIPAA and ACA administrative simplification regulations. OCR has conducted HIPAA compliance audits, investigates complaints, and has issued multiple fines. Those fines are clearly communicated to the industry through news posts and press releases, making it clear that non-compliance will not be tolerated. OCR’s enforcement activities motivate HIPAA-covered entities to step up their efforts to comply with HIPAA Rules and also encourage individuals to report violations knowing that action will be taken.
“Health plans and clearinghouses unable or unwilling to support the administrative simplification standards and operating rules force providers to employ manual methods such as phone calls, facsimiles, and web portals, thus diverting scarce provider resources away from patient care,” wrote MGMA. Potentially millions of dollars in saving opportunities are going unrealized.
MGMA suggests CMS should implement random audits of health plans and healthcare clearinghouses to assess compliance with the administrative Simplifications, publish the names of covered entities that fail CMS audits, and list fines and corrective action plans that have been issued. MGMA also suggests the CMS should halt the voluntary Optimization Pilot for Administrative Simplification Transactions as it is likely to delay the commencement of an effective compliance-based audit program.