Today, CMS announced its plan to launch an audit program that will check health plans’ compliance with the HIPAA Administrative Simplification provisions. The audits will include reviews of health plan electronic transactions for compliance with federally mandated provisions, such as the standards and operating rules for electronic funds transfer (EFT) payments and electronic remittance advice (ERA). The audit program, called the HHS Administrative Simplification Optimization Program (ASOP), will also review a health plan’s use of unique identifiers, such as the NPI, and of standard code sets, such as the CARCs and RARCs carried in the X12 835 remittance advice.
Four Things Payers Should Know About This Development:
- Regulatory Enforcement is No Longer a “Some Day” Proposition:
While CMS has always had the authority to conduct HIPAA audits on electronic transactions, it has never applied this power. According to its announcement, CMS is starting the audit program now because “providers, health plans, and clearinghouses have encouraged HHS to take proactive steps, including reviews, to ensure compliance” with HIPAA electronic transaction standards.
CMS’ announcement asked for health plan and clearinghouse volunteers for a pilot project that would roll out the audit program starting in January 2018. Compared to the multi-year piloting that the Office for Civil Rights (OCR) conducted for its HIPAA privacy and security audits, CMS’ piloting looks like it will be completed much more quickly: CMS requested only six volunteers where OCR had over one hundred, and CMS has already completed an upgrade to the in-house testing system it will use for the audits, the Administrative Simplification Enforcement Testing Tool (ASETT).
- EFT/ERA Compliance will be Under Review
For the audit – or “compliance review” – health plans and clearinghouses will be asked to submit transaction files to CMS for review and testing through ASETT.
A health plan’s compliance with EFT and electronic remittance advice standards and operating rules will be a part of the audit program. CMS has clarified in guidance that, when requested by a provider, an EFT and/or remittance advice must be delivered by a health plan without delay, using appropriate standards, operating rules and code sets.
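Before submitting files to ASETT, a plan or clearinghouse can run its own checks on outgoing 835s. The script below is an added example written for this post; it is not CMS or ASETT code and covers only a small subset of what the X12 005010X221A1 implementation guide requires. It checks three things the announcement says a review looks at: that the payee NPI passes the published NPI check-digit algorithm (Luhn over the digits with the "80840" prefix prepended), that every CAS adjustment carries a numeric CARC, and that each claim balances (charge minus all CAS adjustments equals the paid amount). The embedded 835 is a constructed sample, not a real remittance; payer and provider names, account and claim numbers are invented, and the NPI 1234567893 is the test value from CMS's NPI check-digit documentation.

```python
"""Pre-audit self-check for an X12 835 (electronic remittance advice) file.

Added example, not ASETT code. Implements a small subset of the 835 rules:
NPI check digit, numeric CARC on every CAS adjustment, claim balancing,
and the SE01 segment count.
"""
from decimal import Decimal

SEGMENT_TERMINATOR = "~"
ELEMENT_SEPARATOR = "*"

# Constructed sample 835. Names, account and claim numbers are invented;
# the payee NPI 1234567893 is the CMS check-digit test value.
SAMPLE_835 = (
    "ISA*00*          *00*          *ZZ*EXAMPLEPAYER   *ZZ*EXAMPLEPROV    "
    "*180101*1200*^*00501*000000001*0*T*:~"
    "GS*HP*EXAMPLEPAYER*EXAMPLEPROV*20180101*1200*1*X*005010X221A1~"
    "ST*835*0001~"
    "BPR*I*100.00*C*ACH*CCP*01*999999992*DA*123456789*1234567890**01*999988880*DA*987654321*20180101~"
    "TRN*1*12345*1234567890~"
    "N1*PR*EXAMPLE HEALTH PLAN~"
    "N1*PE*EXAMPLE CLINIC*XX*1234567893~"
    "CLP*PATACCT1*1*150.00*100.00*50.00*12*CLAIM001*11~"
    "CAS*PR*1*50.00~"
    "SVC*HC:99213*150.00*100.00~"
    "SE*9*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


def parse_segments(raw):
    """Split a flat X12 file into [segment_id, elem1, elem2, ...] lists."""
    segments = []
    for chunk in raw.split(SEGMENT_TERMINATOR):
        chunk = chunk.strip()
        if chunk:
            segments.append(chunk.split(ELEMENT_SEPARATOR))
    return segments


def npi_check_digit_ok(npi):
    """Validate a 10-digit NPI: Luhn over '80840' + first nine digits."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    payload = "80840" + npi[:9]
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10 == int(npi[9])


def cas_adjustments(seg):
    """Yield (reason_code, amount) from a CAS segment.

    CAS01 is the group code; CAS02-04, CAS05-07, ... are
    (reason, amount, quantity) triples.
    """
    for i in range(2, len(seg), 3):
        amount = seg[i + 1] if i + 1 < len(seg) else ""
        yield seg[i], amount


def audit_835(raw):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    segs = parse_segments(raw)
    ids = [s[0] for s in segs]
    if "ST" not in ids or "SE" not in ids or segs[ids.index("ST")][1] != "835":
        return ["transaction set is not an 835"]
    st_i, se_i = ids.index("ST"), ids.index("SE")
    expected = se_i - st_i + 1  # SE01 counts ST through SE inclusive
    if int(segs[se_i][1]) != expected:
        findings.append(f"SE01 says {segs[se_i][1]} segments, file has {expected}")
    for s in segs:
        # N1*PE with qualifier XX carries the payee NPI
        if s[0] == "N1" and len(s) > 4 and s[1] == "PE" and s[3] == "XX":
            if not npi_check_digit_ok(s[4]):
                findings.append(f"payee NPI {s[4]} fails check digit")
    claims = []
    for s in segs[st_i:se_i]:
        if s[0] == "CLP":
            claims.append({"id": s[1], "charge": Decimal(s[3]),
                           "paid": Decimal(s[4]), "adj": Decimal("0")})
        elif s[0] == "CAS" and claims:
            # claim-level and service-level CAS both count toward the claim
            for reason, amount in cas_adjustments(s):
                if not reason.isdigit():
                    findings.append(
                        f"claim {claims[-1]['id']}: CAS reason '{reason}' is not a numeric CARC")
                claims[-1]["adj"] += Decimal(amount or "0")
    for c in claims:
        if c["charge"] - c["adj"] != c["paid"]:
            findings.append(
                f"claim {c['id']} does not balance: {c['charge']} - {c['adj']} != {c['paid']}")
    return findings


if __name__ == "__main__":
    for finding in audit_835(SAMPLE_835) or ["no findings"]:
        print(finding)
```

The balancing check follows the 835 rule that a claim's charge minus every adjustment reported against it (claim-level and service-level CAS) must equal the paid amount; a remittance that fails it is the kind of file a reviewer will send back. Plug in your own 835 extract in place of the constructed sample.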
- While the Goal is Remediation, Violations Could Still Cost You
In its announcement, CMS stated that the audit program will use a “progressive penalty process with the goal of remediation, not punishment.” CMS has indicated that this may include corrective action plans (CAPs) and technical assistance, as it uses now in its ongoing complaint-based enforcement. However, CMS did not rule out monetary penalties as a possible outcome and has stated in previous guidance that, in general, it could “impose financial penalties on any entity that is non-compliant and has failed to correct their violations.” Under the HIPAA enforcement regulations, the penalties CMS can apply for violations found through compliance reviews run up to $1.5 million per calendar year for violations of an identical provision.
- No One is Immune
It’s clear that CMS’ upcoming audit program will include not only health plans and clearinghouses, but also TPAs and vendors.
Due to recent statutes and regulations, third party administrators (TPAs) and other business associates now have the same liability as HIPAA-covered entities in terms of non-compliance with HIPAA transaction provisions. Both CMS, which enforces the HIPAA transaction provisions, and OCR, which administers HIPAA privacy and security, use the same enforcement regulations, and both agencies have begun emphasizing the role and expanded liability of business associates. In 2016, OCR audits were broadened to include business associates and TPAs were first on its list of examples of organizations that could be business associates.
In the meantime…
While CMS conducts the audit pilot over the next few months, health plans and TPAs should take advantage of the time to:
- Make sure you are offering the basic electronic transactions to providers – including claims, eligibility, claim status, and EFT/ERA – and are conducting those transactions according to adopted standards and operating rules.
- Make sure all of your vendor/business associate contracts require compliance with HIPAA transaction standards and operating rules, and ask your vendors/business associates how they confirm ongoing compliance.