The Rise and (Possible) Fall of PPACA's Section 1104

Matthew Albright
Zelis Healthcare
February 2017

What effect would a potential repeal of the Patient Protection and Affordable Care Act (PPACA) have on the requirements and enforcement of the EFT and ERA standards and operating rules, the Certification of Compliance program, and other requirements on health plans in Section 1104 of the PPACA?

Every day, someone makes a new prediction about the future of the Patient Protection and Affordable Care Act (PPACA). The headlines ping-pong between a phased, surgical removal of its more contentious features and immediate and wholesale repeal, but the law's future remains uncertain.

Section 1104 takes up about seven pages of the 900-page law that now dominates the news cycle. The section amends the administrative simplification provisions in the Health Insurance Portability and Accountability Act of 1996 (for purposes of this article, the "original HIPAA"). The amendments include new standards and operating rules for HIPAA administrative transactions, including the healthcare electronic funds transfers (EFT) and electronic remittance advice (ERA) transactions. The PPACA provisions also include the establishment of a Certification of Compliance program, which threatens hefty penalty fees, and an audit program that the Centers for Medicare & Medicaid Services (CMS) has promised will bring industry into compliance.

While Section 1104 has never been a controversial part of PPACA, in many repeal scenarios now being discussed, the section may be at risk.

This paper examines what is likely to happen to the administrative simplification mandates that health plans, TPAs and their vendors are currently under if Section 1104 of the PPACA were to be repealed. It further explores what a repeal or retention of Section 1104 would mean for health plans, TPAs and other payers.
POSSIBLE APPROACHES TO PPACA REPEAL

One repeal approach being considered is that the Republican-led Congress will remove elements of PPACA through a process called reconciliation. Reconciliation can speed bills through Congress because they can avoid filibusters and require just a simple majority to pass. The principal rule with reconciliation is that it can only be used to change laws that are scored by the Congressional Budget Office (CBO); that is, laws that affect the budget.

Section 1104 affects the budget because of the penalties that can be assessed on health plans that do not comply with the Certification of Compliance program. Ironically, the CBO scored Section 1104 not as a cost but as a revenue generator because the penalties on industry would bring revenue into the government. Although the Certification of Compliance program is just one of many elements in Section 1104 and, in fact, has yet to be implemented, all of Section 1104 could be repealed through reconciliation because the CBO scored the provisions as a whole section, not by its individual parts.

At this point, however, it seems unlikely that Section 1104 would be a target for a repeal through reconciliation, simply because the Republicans are likely to pick only the most controversial parts of the PPACA to be targets. When talking about repeal, many Republicans publicly and privately refer to Tom Price's 2015 repeal bill as a blueprint. Price's bill did not include Section 1104 and, in fact, targeted only a small handful of PPACA's 424 parts.

In another approach, any sections of PPACA that are not repealed through reconciliation will be at risk if or when a replacement for PPACA is passed. Section 1104 is not contentious; it is a minor piece of PPACA and, in fact, most of the industry is in favor of the overall intent and approach of the section to cut administrative costs. As with other PPACA provisions that create costs for private businesses, however, Republicans may sweep Section 1104 away because it empowers CMS to assess penalties on commercial health plans.

The fact that both health plans and providers have done so much work to comply with the section probably will not sway Congress one way or the other. There are other elements of PPACA in which both industry and government have invested much more heavily, but this does not appear to be a strong enough argument for the Congressional majority that now wants to repeal PPACA.
THE RISE: THE HIPAA ADMINISTRATIVE TRANSACTION RENAISSANCE

Section 1104 required the Secretary of Health and Human Services (HHS) to adopt standards for the healthcare EFT and the claims attachment transactions, establish a health plan identifier (HPID) and adopt operating rules for all of the HIPAA transactions. Section 1104 also required HHS to conduct audits of health plans, create a Certification of Compliance program and appoint a Review Committee with broad authority to recommend administrative simplification regulations.

CMS began publishing regulations to implement Section 1104 a year and a half after PPACA's passage. Section 1104 had a total of nine general provisions. Within a three-year period, CMS' Office of E-Health Standards and Services (OESS) published regulations addressing five of them. In the meantime, with a large amount of industry support from both payers and providers, the Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange (CAQH CORE) developed and voted on operating rules for all but one of the transactions. (Operating rules have not been developed for the healthcare claim attachment transaction, which still awaits a standard.)

Healthcare payers and providers spent hundreds of millions implementing the standards and operating rules, and Section 1104 appears to have done what it was supposed to do: Industry has increased electronic use for three of the four transmissions for which operating rules have been adopted at the rate of 5% a year.

With all the time and investment spent by both industry and government implementing Section 1104, what would happen if the section were repealed? Which elements of administrative simplification would technically remain government mandates and which elements would be tossed in the dustbin of legislative history? And, without PPACA, would CMS have any enforcement powers to pursue violations?

In contemplating the answer, we need to consider two things: statutory authority and the will of the regulators. First, we'll examine where the statutory authority for current administrative simplification provisions comes from. Then we'll be better able to understand which provisions' continued existence will be subject to good old-fashioned human willpower.

IDENTIFYING THE AUTHORITY FOR ADMINISTRATIVE SIMPLIFICATION PROVISIONS

The English philosopher Thomas Hobbes once said, "It is not wisdom but Authority that makes a law." In that spirit, predicting which of the HIPAA administrative simplification requirements may stay or go if the whole section were to be repealed depends on the law in which the requirements are found. Table A below lists all of the programs and provisions of the HIPAA administrative transactions (labeled as "Administrative Transaction Provisions").
The authority for these provisions is derived from two laws: the original HIPAA and PPACA (these provisions and their authorities are described in more detail in the section entitled "Explanations of Section 1104 Provisions and their Statutory Authority").

If the authority for a provision comes mostly or all from PPACA, it would likely go away if Section 1104 were repealed. ("It will go," as the table indicates in bright red.) If a provision's authority comes mostly or all from the original HIPAA, then it technically could survive a repeal unchanged. ("It will stay," according to the table.)

A number of provisions listed in the table derive their authority from both the original HIPAA and from PPACA. Whether these provisions would survive a repeal of the section or not is more of a subjective call on the part of CMS. A provision's life or death would depend on whether the mandate is agreeable enough both to industry and to the government for CMS to write corrective regulations for keeping the provision. These middle-of-the-road provisions are indicated in light green ("could stay") or light red ("probably won't stay"), according to an estimate of how strongly the industry and government may be motivated to keep them.

Table A: If Section 1104 goes away, the survivability of a provision of Section 1104 may be predicted based on where that provision derives its authority.

| Category | Administrative Transaction Provision | Authority | Regulation(s) Published? | Stay or Go? |
|---|---|---|---|---|
| Standards Cited in PPACA | Transaction Standards Adopted Before PPACA | Original HIPAA Statute and 2000 HIPAA Regulation | Yes | Will Stay |
| Standards Cited in PPACA | Healthcare EFT Payments | Original HIPAA Statute, 2000 HIPAA Regulation and PPACA | Yes | Could Stay |
| Standards Cited in PPACA | Claims Attachments | Original HIPAA Statute | No | Could Stay |
| Operating Rules Cited in PPACA | Eligibility and Claim Status | Mostly PPACA | Yes | Probably Won't Stay |
| Operating Rules Cited in PPACA | EFT & ERA | Mostly PPACA | Yes | Probably Won't Stay |
| Operating Rules Cited in PPACA | Claim, Referral and Certification, Premium Payments, Enrollment/Disenrollment in a Health Plan | Mostly PPACA | No | Probably Won't Stay |
| Enforcement Tools and Other Programs | Health Plan Identifier | Original HIPAA Statute and PPACA | Yes | Will Go |
| Enforcement Tools and Other Programs | Review Committee | PPACA | N/A | Will Go |
| Enforcement Tools and Other Programs | Certification of Compliance Program | PPACA | Proposed | Will Go |
| Enforcement Tools and Other Programs | Audits | Original HIPAA and some PPACA | N/A | Could Stay |
| Enforcement Tools and Other Programs | Complaint Investigations | Original HIPAA | N/A | Will Stay |
| Enforcement Tools and Other Programs | Compliance Reviews | Original HIPAA | N/A | Will Stay |

WHAT DOES A SECTION 1104 REPEAL MEAN FOR HEALTHCARE PAYERS?

To summarize, if Section 1104 were repealed, health plans, including TPAs and other payers, would likely still:

- Be required to offer EFT and ERA to all providers (not just those in its networks), and offer those transactions according to the standards that have been adopted for them. This includes transmitting the data necessary for re-association of an EFT with its associated ERA.

- Be under the current enforcement regime for HIPAA transaction requirements, including the audit program likely being put into place by CMS' NSG.

It should be noted that a PPACA repeal would not affect the considerable increase in civil money penalties (CMP) for HIPAA violations that was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH increased CMPs that are the result of complaint investigations or compliance reviews to $1.5 million per year per violation. As we've seen by the headlines on HIPAA breaches, OCR often bundles violations to threaten bankruptcy-generating amounts of CMPs so that violators plead out and choose settlement agreements in the millions.

If Section 1104 were repealed, payers would likely not have to worry about:

- The Health Plan Identifier (HPID). Many, many TPAs did their due diligence and applied for thousands of HPIDs on behalf of their self-funded health plans. That was likely a complete waste of time.
- The Certification of Compliance program. The potentially dodged bullets here would be the PPACA-mandated penalties. These penalties were so hefty that the government thought they could pick up some of the bill for the rest of PPACA.

If Section 1104 were repealed, would health plans, TPAs and business associates have to comply with the adopted operating rules?

The survival of operating rules is very much a matter of the general climate of the industry after a potential Section 1104 repeal. If CMS feels like justifying its authority to promulgate operating rules, then we may see them survive. However, maybe the efficacy of operating rules is no longer dependent on whether they are mandated by the government or not. Operating rules were and continue to be written and voted on by industry. This was true even before PPACA.

Operating rules represent the best of how the business community and government should work together to create rational regulatory approaches: Industry forms a consensus on shared rules, and the government helps enforce them. But perhaps industry no longer needs government with regard to operating rules; perhaps the healthcare industry can regulate itself by including the rules in contracts and making them a minimum expectation of doing business.

A rescinding of the operating rules, in the broader context of a PPACA repeal, would be a test of the so-called "nudge theory." With the mandated use of operating rules in PPACA, government gave industry a regulatory nudge to use the electronic transactions according to consistent business rules. Now, if the government mandate to use those rules is withdrawn through a PPACA repeal, will industry continue to govern itself as the nudge theory might predict? That answer remains to be seen.

COULD SECTION 1104 ESCAPE THE CHOPPING BLOCK ENTIRELY?

The wallflower that is Section 1104 may or may not be swept away in reconciliation or a broader PPACA replacement; it could also survive unnoticed or be re-introduced under a different name in a different Republican-sponsored law. But whether the section itself survives or not, CMS enforcement and most of the administrative simplification requirements that health plans are complying with today will remain after the dance is over.

Explanations of Section 1104 Provisions and their Statutory Authority

The likelihood that provisions will survive a reconciliation or repeal-and-replace scenario is heavily dependent on the law from which they derive their authority. This section looks at each of Section 1104's requirements in turn to give context to their potential survivability if the section were to be repealed.

TRANSACTIONS ADOPTED BEFORE PPACA

The original HIPAA in 1996 required the Secretary to adopt standards for nine common administrative transactions: 1) health claims or equivalent encounter information, 2) health claims attachments, 3) enrollment and disenrollment in a health plan, 4) eligibility for a health plan, 5) healthcare payment and remittance advice, 6) health plan premium payments, 7) first report of injury, 8) health claim status and 9) referral certification and authorization.

In 2000, CMS published a final rule adopting standards for seven of the transactions (for purposes of this paper, the "HIPAA 2000 regulation"). CMS then published a regulation in 2009 that updated all of the standards to their next version, Version 5010. None of the transaction standards adopted in those earlier regulations would be affected by a Section 1104 repeal.

STANDARD FOR THE HEALTHCARE EFT

By sheer dumb luck, the healthcare EFT standard would likely survive a Section 1104 repeal because of a seemingly insignificant decision made at the time by the regulators about where they put the regulation in the Code of Federal Regulations (CFR).

As per the mandate in the original HIPAA, the X12 835 was adopted in the HIPAA 2000 regulation as the single standard for a transaction titled the "healthcare payment and remittance advice." This transaction was actually made up of two separate and very different transmissions: 1) the remittance advice, to which the X12 835 standard applied, and 2) the payment itself, for which, at the time, no standard was adopted.

In implementing PPACA's mandate to adopt standards for the healthcare EFT, the CMS regulators simply added more standards under the existing healthcare payment and remittance advice transaction. Since that transaction was already established in the original HIPAA passed in 1996, CMS has technically had the authority to adopt a standard for the healthcare EFT ever since. Because of this, CMS has a strong argument to claim the authority to adopt healthcare EFT standards without PPACA. In fact, the interim final rule adopting the healthcare EFT standards makes reference to this original HIPAA authority.

Ultimately, the requirement for payers to offer EFT payments to providers and to use the healthcare EFT standards when they do so is likely to survive a Section 1104 repeal.

CLAIM ATTACHMENT STANDARD(S)

The claims attachment was another transaction that was listed in the original HIPAA statute; therefore, CMS has always had the authority to adopt standard(s) for it. PPACA just gave HHS a deadline to do so.

The claims attachment transaction holds the distinguished position of being the one transaction most in need of an industry standard, in terms of the potential savings to providers a consistent standard might bring, and the one transaction for which a standard(s) will be the most difficult for industry and the government to agree upon. All this is to say that, while the industry has been waiting for the claim attachment standard(s) for twenty years, a repeal of Section 1104 would neither prohibit an attachment standard from being adopted nor speed along its long-awaited adoption.

OPERATING RULES

Operating rules were not mentioned in the original 1996 HIPAA statute nor in the HIPAA 2000 regulation. Operating rules were created and defined in PPACA; therefore, one would assume that the two interim final rules that implemented operating rules for the eligibility, claims status and EFT/ERA transactions will likely be repealed if Section 1104 is repealed.

However, even though operating rules were clearly created and defined in Section 1104, a repeal of that section does not necessarily spell their demise. An argument could be made that the Secretary has had authority to develop operating rules all along. Under the original HIPAA, HHS has the authority to adopt "different standards" if the standards will substantially reduce administrative costs to healthcare providers and health plans compared to the alternatives. Operating rules certainly meet the vernacular meaning of standards: They are consistent business rules established by general consent. They could also meet HIPAA's definition for "different standards," which are basically defined as anything that has gone through a specific vetting process before adoption.

Industry, especially health plans, TPAs and other payers, has spent hundreds of millions of dollars remediating their systems and processes to implement the adopted operating rules. Thus, in the case of a Section 1104 repeal, CMS may be motivated enough to write a few regulations that assert its authority to keep the operating rules.

STANDARD HEALTH PLAN IDENTIFIER

Like the healthcare EFT and claims attachment standards, the original HIPAA statute required a standard identifier be adopted for health plans: the health plan identifier (HPID). PPACA simply gave CMS some deadlines by which it needed to be adopted.

CMS actually met those deadlines, adopting a HPID through a final rule in 2012. However, weeks before the rule was to take effect in late 2014, CMS declared enforcement discretion on the regulatory requirements. Technically, this meant that health plans were still required to apply for an HPID and the identifier was still required to be used, but that CMS would not enforce the requirements. Non-technically, the indefinite enforcement delay meant that CMS was no longer interested in developing the HPID program.

CMS' formal Request for Information (RFI) on the HPID rule in mid-2015 was, in essence, a request for any better ideas the industry might have and a signal that it would be years, if ever, before CMS mandated any HPID requirements. For better or for worse, a repeal of Section 1104 will not impact the HPID program's timeline at all.

REVIEW COMMITTEE

Section 1104 also required that HHS appoint an industry-based Review Committee, which it endowed with surprisingly powerful authority. Amazingly, according to Section 1104, a recommendation from this committee regarding HIPAA transactions would have to be adopted by HHS through an interim final rule within three months of the committee's recommendation.

HHS designated the National Committee on Vital and Health Statistics (NCVHS) as the Review Committee. Since its inception in 2014, the one product produced by the Review Committee was a 91-page findings and recommendations document where the only thing clear was that the Review Committee did not understand the power that PPACA had given it. The document included 175 recommendations, some of which contradicted each other, many of which were recommendations that were completely out of HHS' regulatory power. Needless to say, HHS did not publish a regulation implementing the 175 recommendations within 90 days, and the document is likely sitting in a dusty shared drive somewhere in CMS.

A Section 1104 repeal would certainly be the end of the Review Committee's short-lived life, and the staff at CMS probably won't shed many tears over the demise of an industry-based committee that had so much power over the content and timing of CMS rulemaking.
CERTIFICATION OF COMPLIANCE PROGRAM

The Certification of Compliance program and its penalties have little to no chance of surviving a repeal of Section 1104, but the program never got off the ground anyway. A proposed rule was published in January 2014 that married the program to the establishment of an HPID database, which, as we've said, CMS has sentenced to an indefinite holding pattern without regulations.

THE ENFORCEMENT SURVIVORS: AUDITS, COMPLIANCE REVIEWS AND COMPLAINT INVESTIGATIONS

In 2014, both CMS and OESS underwent changes in leadership. No more transaction-related regulations were written; OESS was demoted from an office to a group and renamed the National Standards Group (NSG); and then NSG took a break from writing regulations to focus on enforcement in general and on an audit program specifically.

An audit of health plans is mandated in Section 1104. However, like the operating rules, an argument can be made that HHS has had this audit authority since the 2000 HIPAA regulation.

The 2000 HIPAA regulation gave HHS the authority to use two enforcement tools to pursue violations of HIPAA privacy, security and the transaction requirements: complaint investigations and compliance reviews.

Both the Office of Civil Rights (OCR) and CMS' NSG have well-structured complaint processes where providers, trading partners and consumers can report violations. OCR uses this authority to pursue HIPAA privacy and security violations, while NSG uses it to pursue violations of HIPAA transaction requirements. As noted in [The Sleeping Dragon white paper], NSG made its complaint process more user-friendly last summer and has started to market the ability to file complaints more widely.

Both OCR and NSG can likewise use compliance reviews (basically, investigations of compliance that are not complaint-related) to pursue violations of HIPAA in two instances: 1) when a preliminary review of the facts indicates a possible violation due to willful neglect; and 2) in any other circumstance. To translate what appears to be government double-speak, "in any other circumstance" means that CMS can investigate a covered entity or business associate whenever and for whatever reason they deem appropriate to do so.

An audit program fits nicely into the description of a compliance review, so an audit program conducted by CMS to search out violations of HIPAA transaction requirements could be said to have been authorized back in 2000. Given the amount of time NSG has dedicated to developing an audit program and the very public and aggressive direction that its sister agency OCR has taken on privacy audits, it is likely that NSG will continue the audit program under this authority, and CMS probably wouldn't need to write any regulations to justify that authority.
Matthew Albright is VP of Legislative Affairs at Zelis Healthcare. Albright previously headed up the Certification program at CAQH CORE and served in multiple roles at the Office of E-health Standards and Services in the Centers for Medicare & Medicaid Services (CMS).
