When we think about the Health Insurance Portability and Accountability Act of 1996 (HIPAA), many of us immediately think about protecting the privacy and security of individually identifiable health information. Justifiably so, since voluminous regulations mandate such protection, and because the federal government has stepped up its enforcement of those regulations and collected considerable sums in penalties for non-compliance. But a recent announcement by the U.S. Centers for Medicare and Medicaid Services (CMS) Division of National Standards reminds us not to forget another important set of HIPAA Administrative Simplification regulations. Both HIPAA and the Patient Protection and Affordable Care Act (ACA) require that certain electronic financial and administrative transactions be conducted using standard data content, code sets, and format (the Administrative Simplification Standards). On March 25, 2019, CMS announced that it will audit, via the Compliance Review Program, selected health plans and clearinghouses to determine compliance with these Administrative Simplification Standards.

Starting in April 2019, CMS will randomly select nine health plans and clearinghouses that are HIPAA Covered Entities for participation in the Compliance Review Program. At present, health care providers are not part of the Compliance Review Program. CMS is soliciting three health care provider volunteers to participate in a pilot compliance program geared to providers, after which health care providers will be eligible for selection for the official Compliance Review Program. CMS will continue randomly selecting entities on a rolling basis as it completes each individual audit.

If selected, plans and clearinghouses will receive instructions about how to upload requested data to a specified portal regarding their use of electronic transactions, code sets, operating standards and unique identifiers. The selected plans and clearinghouses will then have 30 days to upload the requested data. CMS will evaluate the data and provide the plan or clearinghouse with its findings within 60 days thereafter. Despite these timelines, CMS advises that the total Compliance Review can take 4-6 months. This longer time frame includes time for the plan or clearinghouse to correct any noted deficiencies pursuant to a formal corrective action plan, or for CMS to step up enforcement if compliance is not voluntarily achieved. CMS notes that it will seek civil money penalties for willful or egregious non-compliance.

CMS suggests that health plans and clearinghouses prepare for a possible Compliance Review by testing their own electronic transactions and those of their electronic partners, as well as reviewing contracts with electronic partners to ensure that they demand compliance. Plans and clearinghouses can use the Administrative Simplification Enforcement and Testing Tool (ASETT) developed by CMS to conduct these tests.

CMS reminds HIPAA Covered Entities that the Compliance Review Program is only one half of its Administrative Simplification Standards enforcement strategy. It will continue its complaint investigation strategy and encourages anyone to report alleged non-compliance with the Administrative Simplification Standards.

Health plans and clearinghouses that are HIPAA Covered Entities should move promptly to strengthen their internal controls on compliance with the Administrative Simplification Standards. Health care providers that are HIPAA Covered Entities have more time since a compliance review program for them is not yet in place. Not only will enhanced compliance efforts help prevent CMS enforcement activity, but they will also further the patient care goals that depend upon a smooth, efficient, accurate and quick transmission of patient data.