Guidance on Compliance
Background
To improve the efficiency and effectiveness of the health care system,
Congress enacted the Health Insurance Portability and Accountability Act
(HIPAA) of 1996, which included a series of “administrative simplification”
provisions that required the Department of Health and Human Services (HHS)
to adopt national standards for electronic health care transactions. All
covered entities must be in compliance with the electronic transactions and
code sets standards by October 16, 2003.
The law is clear: October 16, 2003 is the deadline for covered entities to comply with HIPAA’s electronic transaction and code sets provisions. After that date, covered entities, including health plans, may not conduct noncompliant transactions. With the October deadline just ahead, HHS has received a number of inquiries expressing concern over the health care industry’s state of readiness. In response, the Department believes it is particularly important to outline its approach to enforcement of HIPAA’s electronic transactions and code sets provisions. The Department will continue to provide technical assistance and issue guidance on the transactions and code sets provisions and compliance therewith.
Enforcement Approach
The Secretary has made the Centers for Medicare & Medicaid Services
(CMS) responsible for enforcing the electronic transactions and code
sets provisions of the law.
CMS will focus on obtaining voluntary compliance and use a complaint-driven approach for enforcement of HIPAA’s electronic transactions and code sets provisions. When CMS receives a complaint about a covered entity, it will notify the entity in writing that a complaint has been filed. Following notification from CMS, the entity will have the opportunity to 1) demonstrate compliance, 2) document its good faith efforts to comply with the standards, and/or 3) submit a corrective action plan.
Demonstrating Compliance - Covered entities will be given an opportunity to demonstrate to CMS that they submitted compliant transactions.
Good Faith Policy - CMS’s approach will utilize the flexibility granted in section 1176(b) of the Social Security Act to consider good faith efforts to comply when assessing individual complaints. Under section 1176(b), HHS may not impose a civil money penalty where the failure to comply is based on reasonable cause and is not due to willful neglect, and the failure to comply is cured with a 30-day period. HHS has the authority under the statute to extend the period within which a covered entity may cure the noncompliance “based on the nature and extent of the failure to comply.”
CMS recognizes that transactions often require the participation of two covered entities and that noncompliance by one covered entity may put the second covered entity in a difficult position. Therefore, during the period immediately following the compliance date, CMS intends to look at both covered entities’ good faith efforts to come into compliance with the standards in determining, on a case-by-case basis, whether reasonable cause for the noncompliance exists and, if so, the extent to which the time for curing the noncompliance should be extended.
CMS will not impose penalties on covered entities that deploy contingencies (in order to ensure the smooth flow of payments) if they have made reasonable and diligent efforts to become compliant and, in the case of health plans, to facilitate the compliance of their trading partners. Specifically, as long as a health plan can demonstrate to CMS its active outreach/testing efforts, it can continue processing payments to providers. In determining whether a good faith effort has been made, CMS will place a strong emphasis on sustained actions and demonstrable progress.
Indications of good faith might include, for example, such factors as:
- Increased external testing with trading partners.
- Lack of availability of, or refusal by, the trading partner(s) prior to October 16, 2003 to test the transaction(s) with the covered entity whose compliance is at issue.
- In the case of a health plan, concerted efforts in advance of the October 16, 2003 and continued efforts afterwards to conduct outreach and make testing opportunities available to its provider community.
While there are many examples of complaints that CMS may receive, the following is one example that illustrates how CMS expects the process to work.
Example: A complaint is filed against an otherwise-compliant health plan that accepts and processes both compliant and non-compliant transactions while working to help its providers achieve compliance.
In this situation, CMS would 1) notify the plan of the complaint, 2) based on the plan’s response to the notification, evaluate the plan’s efforts to help its noncompliant providers come into compliance, and 3) if it determined that the plan had demonstrated good faith and reasonable cause for its non-compliance, not impose a penalty for the period of time CMS determines is appropriate, based on the nature and extent of the failure to comply.
For example, CMS would examine whether the health plan undertook a course of outreach actions to its trading partners on awareness and testing, with particular focus on the actions that occurred prior to October 16th. Similarly, health care providers should be able to demonstrate that they took actions to become compliant prior to October 16th. If CMS determines that reasonable and diligent efforts have been made, the cure period for noncompliance would be extended at the discretion of the government. Furthermore, CMS will continue to monitor the covered entity to ensure that their sustained efforts bring progress towards compliance. If continued progress is not made, CMS will step up their enforcement efforts towards that covered entity.
Organizations that have exercised good faith efforts to correct problems and implement the changes required to comply with HIPAA should be prepared to document them in the event of a complaint being filed. This flexibility will permit health plans to mitigate unintended adverse effects on covered entities’ cash flow and business operations during the transition to the standards, as well as on the availability and quality of patient care.
Corrective Action Plan (CAP) – After October 16, 2003, in addition to possible fines and penalties imposed, CMS will expect non-compliant covered entities to submit plans to achieve compliance in a manner and time acceptable to the Secretary. More detailed information on CAPs will be forthcoming.
Working
Toward Compliance
In the few remaining months before the October 16th deadline, HHS
encourages health plans and providers to intensify their efforts toward
achieving transaction and code set compliance. In addition, HHS
encourages health plans to assess the readiness of their provider
communities to determine the need to implement contingency plans to
maintain the flow of payments while continuing to work toward
compliance. Although transaction and code set compliance is a huge
undertaking, the result will be greatly enhanced electronic
communication throughout the health care community. Successful
implementation will require the attention and cooperation of all health
plans and clearinghouses, and of all providers that conduct electronic
transactions. There is considerable industry support for transaction and
code sets, and we all look forward to realizing the many advantages of
its successful implementation.