1/7/2014
03:50 PM

HHS To Strengthen Enforcement Of HIPAA Transaction Rules

Health plans will have until the end of 2015 to get certified for compliance with HIPAA transaction operating rules.

The Department of Health and Human Services (HHS) has proposed that all health plans get certified for compliance with the HIPAA standards and operating rules required for three types of administrative transactions, including insurance eligibility, claims status, and electronic funds transfer/electronic remittance advice (EFT/ERA). This certification would help the government enforce existing requirements that plans use these operating rules.

The CORE committee of the Coalition for Affordable Quality Healthcare (CAQH) developed the operating rules, which have been endorsed by HHS. CAQH CORE seeks to build consensus among industry stakeholders, including health plans, on operating rules that facilitate administrative interoperability between healthcare providers and health plans. In addition to the three sets that are the subject of HHS's proposed rule, CORE is developing operating rules for claims/encounters, claims attachments, enrollment/disenrollment in health plans, premium payments, and referral authorizations.

Health plans were supposed to start using the eligibility and claims status operating rules by Jan. 1, 2013, but many plans were not ready by that date. The government relaxed enforcement for three months, and a CAQH spokesperson recently told us that a number of plans were still not aboard. The EFT/ERA rules went into effect on Jan. 1 of this year. It's unclear how many plans are using them now.


HHS's proposed rule, published Jan. 2 in the Federal Register, said that requiring certification of compliance with the operating rules "will move [HIPAA] covered entities toward a consistent, industry-wide testing framework that will support a more seamless transition to new modified standards and operating rules."

HHS acknowledged that the industry has experienced challenges in implementing HIPAA administrative simplification requirements, including the ICD-10 diagnostic code set, version 5010 of the HIPAA transaction standards, and the eligibility and claims status operating rules. In the past, HHS has responded to industry requests for additional time by delaying implementation or relaxing enforcement of the rules, but, the document pointed out, "such practices can be expensive to the industry."

So the government has decided to mandate certification of compliance with the operating rules, but plans won't have to submit the required documentation until Dec. 31, 2015. HHS said it believes most plans will need that much time to meet the criteria because they must complete a gap analysis and do testing with a CORE-authorized testing vendor.

In addition, the proposed rule said, HHS didn't want this new requirement to compete with the industry's effort to meet the ICD-10 deadline on Oct. 1, 2014. "Facilitating the health care industry's smooth transition to ICD-10 is of paramount importance, and health plans need to prepare and fully test their systems to ensure a smooth and coordinated transition," the document reads.

To show compliance with the operating rules, health insurers must obtain either a CAQH CORE Phase III certification or a HIPAA Credential. Administered by CORE, the HIPAA Credential shows that a health plan has attested to compliance with the standards and operating rules for all three transactions and that it has conducted a certain amount of external testing.

HHS distinguished between this compliance certification and the existing requirement that health plans use the three sets of operating rules. The department said it would still enforce that requirement, which means that a health plan could be found in violation of the regulations during the 60-day comment period on the proposed rule and the subsequent period before finalization.

But Kenneth Rashbaum, a New York attorney who specializes in HIPAA-related issues, said he doubts that the regulations will be enforced during the interim period. "They'll probably take a position saying that they'll enforce it, but I'd be very surprised if they did," he said.

Rashbaum said he viewed the proposed rule as a balancing act between giving the industry more time to get its ducks in a row and taking a more determined stance on enforcement. The focus of the rule, he noted, is mainly on enforcement and penalties. For example, part of the documentation that must be submitted to the government is the number of covered lives in a plan. That number, he noted, will be used to compute penalties for plans that don't comply with the operating rules.


Comments
Ken Terry,
User Rank: Apprentice
1/7/2014 | 5:27:42 PM
Re: How much bite?
The fines in the proposed rule are not for healthcare providers but for health plans that don't comply with the operating rules for HIPAA transactions. Most hospital financial and practice management systems on the market can spit out claims and claims status/eligibility requests in the required 5010 format today. But health plans that don't comply with operating rules can't necessarily receive that data without tweaking by an intermediary, usually an electronic clearinghouse.
Lorna Garey,
User Rank: Author
1/7/2014 | 5:13:21 PM
How much bite?
Ken, I recall reading a comment from a HC CIO who said it costs his hospital significantly less to pay the fine for HIPAA non-compliance than to implement the controls necessary to come into compliance. And, that's assuming HHS even audits and imposes a fine.

Do you think a percentage of practices are simply going to take such risks, or will the fines be large enough to hurt?