HHS To Strengthen Enforcement Of HIPAA Transaction Rules - InformationWeek


HHS To Strengthen Enforcement Of HIPAA Transaction Rules

Health plans will have until the end of 2015 to get certified for compliance with HIPAA transaction operating rules.

The Department of Health and Human Services (HHS) has proposed that all health plans get certified for compliance with the HIPAA standards and operating rules required for three types of administrative transactions: insurance eligibility, claims status, and electronic funds transfer/electronic remittance advice (EFT/ERA). This certification would help the government enforce existing requirements that plans use these operating rules.

The CORE committee of the Coalition for Affordable Quality Healthcare (CAQH) developed the operating rules, which have been endorsed by HHS. CAQH CORE seeks to build consensus among industry stakeholders, including health plans, on operating rules that facilitate administrative interoperability between healthcare providers and health plans. In addition to the three sets that are the subject of HHS's proposed rule, CORE is developing operating rules for claims/encounters, claims attachments, enrollment/disenrollment in health plans, premium payments, and referral authorizations.

Health plans were supposed to start using the eligibility and claims status operating rules by Jan. 1, 2013, but many plans were not ready by that date. The government relaxed enforcement for three months, and a CAQH spokesperson recently told us that a number of plans were still not aboard. The EFT/ERA rules went into effect on Jan. 1 of this year. It's unclear how many plans are using them now.


HHS's proposed rule, published Jan. 2 in the Federal Register, said that requiring certification of compliance with the operating rules "will move [HIPAA] covered entities toward a consistent, industry-wide testing framework that will support a more seamless transition to new modified standards and operating rules."

HHS acknowledged that the industry has experienced challenges in implementing HIPAA administrative simplification requirements, including the ICD-10 diagnostic code set, version 5010 of the HIPAA transaction standards, and the eligibility and claims status operating rules. In the past, HHS has responded to industry requests for additional time by delaying implementation or relaxing enforcement of the rules, but, the document pointed out, "such practices can be expensive to the industry."

So the government has decided to mandate certification of compliance with the operating rules, but plans won't have to submit the required documentation until Dec. 31, 2015. HHS said it believes most plans will need that much time to meet the criteria because they must complete a gap analysis and do testing with a CORE-authorized testing vendor.

In addition, the proposed rule said, HHS didn't want this new requirement to compete with the industry's effort to meet the ICD-10 deadline on Oct. 1, 2014. "Facilitating the health care industry's smooth transition to ICD-10 is of paramount importance, and health plans need to prepare and fully test their systems to ensure a smooth and coordinated transition," the document reads.

To show compliance with the operating rules, health insurers must obtain either a CAQH CORE Phase III certification or a HIPAA Credential. Administered by CORE, the HIPAA Credential shows that a health plan has attested to compliance with the standards and operating rules for all three transactions and that it has conducted a certain amount of external testing.

HHS distinguished between this compliance certification and the existing requirement that health plans use the three sets of operating rules. The department said it would still enforce that requirement, which means that a health plan could be found in violation of the regulations during the 60-day comment period on the proposed rule and the subsequent period before finalization.

But Kenneth Rashbaum, a New York attorney who specializes in HIPAA-related issues, said he doubts that the regulations will be enforced during the interim period. "They'll probably take a position saying that they'll enforce it, but I'd be very surprised if they did," he said.

Rashbaum said he viewed the proposed rule as a balancing act between giving the industry more time to get its ducks in a row and taking a more determined stance on enforcement. The focus of the rule, he noted, is mainly on enforcement and penalties. For example, part of the documentation that must be submitted to the government is the number of covered lives in a plan. That number, he noted, will be used to compute penalties for plans that don't comply with the operating rules.

Ken Terry,
User Rank: Apprentice
1/7/2014 | 5:27:42 PM
Re: How much bite?
The fines in the proposed rule are not for healthcare providers but for health plans that don't comply with the operating rules for HIPAA transactions. Most hospital financial and practice management systems on the market can spit out claims and claims status/eligibility requests in the required 5010 format today. But health plans that don't comply with operating rules can't necessarily receive that data without tweaking by an intermediary, usually an electronic clearinghouse.
Lorna Garey,
User Rank: Author
1/7/2014 | 5:13:21 PM
How much bite?
Ken, I recall reading a comment from a HC CIO who said it costs his hospital significantly less to pay the fine for HIPAA non-compliance than to implement the controls necessary to come into compliance. And, that's assuming HHS even audits and imposes a fine.

Do you think a percentage of practices are simply going to take such risks, or will the fines be large enough to hurt?