HIPAA Regulatory Alert

What to do if you’re just getting started

Time to prioritize your responses, expert says

At the Seventh HIPAA Summit held in Baltimore in mid-September, "Doctor HIPAA" —former Centers for Medicare & Medicaid Services (CMS) executive William Braithwaite — said that while Transactions and Code Sets (T&CS) testing should have started in April at the latest, vendors should have provided software to all their clients and completed testing, clearinghouses should have finished testing for all customers, and health plans should have finished testing all transactions with providers and clearinghouses, the reality was that much of the testing still was being done and some entities hadn’t yet started.

Those who haven’t started need to understand the reality of their situation in terms of the law and guidances from CMS, a reasonable definition of "compliance," and the consequences of their failure to comply, he said.

"It’s time to prioritize your responses and create and promulgate contingency plans," Braithwaite said. "Establish reasonable compliance targets. Coordinate, cooperate, and push your trading partners to become compliant over time."

He reviewed the provisions for civil and criminal penalties and CMS’ initial enforcement approach, noting that the agency intends to focus on obtaining voluntary compliance and will use a complaint-driven approach for enforcement.

If CMS receives a complaint about a covered entity, it will notify the organization that a complaint has been received and provide it an opportunity to demonstrate compliance, document good-faith efforts to comply, and/or submit a corrective action plan.

Braithwaite noted that there is no definition of "compliant" in the CMS guidance and said the agency will consider an organization’s good-faith efforts to comply when assessing individual complaints.

"CMS understands that transactions require the participation of two entities," he said, "and CMS will look at both entities’ good-faith efforts to determine whether a reasonable cause for noncompliance exists and the time allowed for curing the noncompliance. CMS says it will not impose penalties on entities that deploy contingencies to ensure the smooth flow of payments if they have made reasonable and diligent efforts to become compliant and, for health plans, have taken reasonable steps to facilitate the compliance of their trading partners. As long as a health plan can demonstrate its active outreach and testing efforts, it can continue processing payments to providers."

He said covered entities might be able to demonstrate good faith, he said, by steps such as increased external testing with trading partners; lack of availability of, or refusal by, trading partners to test transactions with the entity whose compliance is at issue; and concerted efforts by a health plan before Oct. 16, 2003, and continuing efforts after that date to conduct outreach and make testing opportunities available to its provider community.

Braithwaite urged organizations to document that they had exercised good-faith efforts to correct problems and implement changes required to comply in case a complaint is filed. He said that CMS will expect noncompliant covered entities to submit plans to achieve compliance and that CMS flexibility will permit health plans to mitigate unintended adverse effects on covered entities’ cash flow and business operations during the transition to the standards.

(For more information, e-mail Mr. Braithwaite at Bill@braithwaite.com.)