HIPAA Regulatory Alert

HIPAA enforcement aimed at achieving compliance

Most complaints about claims payment

Centers for Medicare & Medicaid Services (CMS) Office of HIPAA Standards staffer Dianne Faup says the agency has received more than 200 transaction/code set complaints, with some 58 still open at the time of her September presentation to the Ninth Annual HIPAA Summit.

Most of the complaints have been about claims payment, often pitting small providers against health plans and clearinghouses over adverse impacts on cash flow, she said. To date, five corrective action plans have been submitted. CMS enforcement continues to be complaint-driven and focused on securing compliance.

Medicare compliance rate above 80%

Faup reported that many covered entities continue to operate under contingency plans, although many are moving into compliance, with the Medicare compliance rate at more than 80% for claims. Reasons given for noncompliance include new data elements, reliance on vendors, and delays in starting implementation, she said.

The end of contingency plans is coming, Faup cautioned, and payments may stop if entities are not compliant. She also said there is a need to embrace other transactions, such as automated eligibility, remittance, and claims status, and a need to participate in the standards revision process.

Even at this juncture, Faup said, some positive impacts can be seen, including the realization that HIPAA standards have an impact on business processes, the industry coming together to work on implementation, and different provider groups coming forward to participate in the standards. She told Summit attendees their organizations should be following the HIPAA rules to achieve compliance, keeping aware of future HIPAA standards rules, and participating in industry organizations so their voice is heard. Coming next, she said, are the security requirements and the national provider identifier (NPI).

The security requirements, which take effect April 21, 2005, for all covered entities except small health plans and April 21, 2006, for small health plans, require organizations to ensure confidentiality (only the right people see information), integrity (information is what it was supposed to be and hasn’t been changed), and availability (the right people can see information when needed). The security requirements apply to electronic protected health information that a covered entity creates, receives, maintains, or transmits.

Organizations must: 1) protect against reasonably anticipated threats or hazards to the security or integrity of information; 2) protect against reasonably anticipated uses and disclosures not permitted by privacy rules; and 3) ensure compliance by their workforce.

In developing their plans, covered entities can consider size, complexity, capabilities, technical infrastructure, the cost of procedures to comply, and potential security risks, according to Faup.

For the NPI, the final rule was published Jan. 23, and the effective date is May 23, 2005. By May 23, 2007, for all covered entities except small health plans and one year later for the small health plans, covered entities must use NPIs to identify providers in standard transactions.