HHS To Strengthen Enforcement Of HIPAA Transaction Rules
Health plans will have until the end of 2015 to get certified for compliance with HIPAA transaction operating rules.
The Department of Health and Human Services (HHS) has proposed that all health plans get certified for compliance with the HIPAA standards and operating rules required for three types of administrative transactions, including insurance eligibility, claims status, and electronic funds transfer/electronic remittance advice (EFT/ERA). This certification would help the government enforce existing requirements that plans use these operating rules.
The CORE committee of the Coalition for Affordable Quality Healthcare (CAQH) developed the operating rules, which have been endorsed by HHS. CAQH CORE seeks to build consensus among industry stakeholders, including health plans, on operating rules that facilitate administrative interoperability between healthcare providers and health plans. In addition to the three sets that are the subject of HHS's proposed rule, CORE is developing operating rules for claims/encounters, claims attachments, enrollment/disenrollment in health plans, premium payments, and referral authorizations.
Health plans were supposed to start using the eligibility and claims status operating rules by Jan. 1, 2013, but many plans were not ready by that date. The government relaxed enforcement for three months, and a CAQH spokesperson recently told us that a number of plans were still not aboard. The EFT/ERA rules went into effect on Jan. 1 of this year. It's unclear how many plans are using them now.
HHS's proposed rule, published Jan. 2 in the Federal Register, said that requiring certification of compliance with the operating rules "will move [HIPAA] covered entities toward a consistent, industry-wide testing framework that will support a more seamless transition to new modified standards and operating rules."
HHS acknowledged that the industry has experienced challenges in implementing HIPAA administrative simplification requirements, including the ICD-10 diagnostic code set, version 5010 of the HIPAA transaction standards, and the eligibility and claims status operating rules. In the past, HHS has responded to industry requests for additional time by delaying implementation or relaxing enforcement of the rules, but, the document pointed out, "such practices can be expensive to the industry."
So the government has decided to mandate certification of compliance with the operating rules, but plans won't have to submit the required documentation until Dec. 31, 2015. HHS said it believes most plans will need that much time to meet the criteria because they must complete a gap analysis and do testing with a CORE-authorized testing vendor.
In addition, the proposed rule said, HHS didn't want this new requirement to compete with the industry's effort to meet the ICD-10 deadline on Oct. 1, 2014. "Facilitating the health care industry's smooth transition to ICD-10 is of paramount importance, and health plans need to prepare and fully test their systems to ensure a smooth and coordinated transition," the document reads.
To show compliance with the operating rules, health insurers must obtain either a CAQH CORE Phase III certification or a HIPAA Credential. Administered by CORE, the HIPAA Credential shows that a health plan has attested to compliance with the standards and operating rules for all three transactions and that it has conducted a certain amount of external testing.
HHS distinguished between this compliance certification and the existing requirement that health plans use the three sets of operating rules. The department said it would still enforce that requirement, which means that a health plan could be found in violation of the regulations during the 60-day comment period on the proposed rule and the subsequent period before finalization.
But Kenneth Rashbaum, a New York attorney who specializes in HIPAA-related issues, said he doubts that the regulations will be enforced during the interim period. "They'll probably take a position saying that they'll enforce it, but I'd be very surprised if they did," he said.
Rashbaum said he viewed the proposed rule as a balancing act between giving the industry more time to get its ducks in a row and taking a more determined stance on enforcement. The focus of the rule, he noted, is mainly on enforcement and penalties. For example, part of the documentation that must be submitted to the government is the number of covered lives in a plan. That number, he noted, will be used to compute penalties for plans that don't comply with the operating rules.