CMS Launches Review Program for HIPAA-Covered Health Plans

March 27, 2019 - CMS has launched a Compliance Review Program to ensure that health plans, payers, providers, and other covered entities are complying with HIPAA Administrative Simplification rules for electronic transactions.

All HIPAA-covered health plans and other entities must comply with Administrative Simplification rules in order to reap the benefits of standardized transactions and reduced administrative costs. Transactions can include claims and encounter information, eligibility, enrollment and disenrollment, and referrals and authorizations.

Common standards for formats and content accelerate the flow of information between providers and health plans, CMS notes, which can help inform patients about coverage, benefits, and out-of-pocket costs.

In April 2019, HHS will randomly select nine HIPAA-covered entities for Compliance Reviews. HHS piloted the program in 2018 with three health plans and three clearinghouses to streamline the process.

“We intend that our compliance reviews for use of the HIPAA Administrative Simplification transaction standards will result in an environment that requires minimal government intervention because entities are conducting electronic transactions in adopted standard formats,” CMS said at the time.

In 2019, providers will be able to participate in a separate program on a voluntary basis.

The Compliance Review Program will continue to conduct periodic reviews to evaluate compliance among randomly selected entities. The program will serve as a supplement to HHS’s current complaint-based approach to enforce standards in electronic transactions.

Entities can still file a complaint or test a transaction using the Administrative Simplification Enforcement and Testing Tool (ASETT), a web-based application. ASETT enables individuals and organizations to file a HIPAA or ACA complaint against an entity for potential non-compliance with transactions, code sets, unique identifier, or operating rules standards.

HHS will review entities’ administrative transactions for compliance using standards for transaction formats, code sets, and unique identifiers. Participants will attest to whether they comply with operating rules, and entities found to be noncompliant will have the opportunity to take actions and correct issues.

Covered entities who do not achieve compliance may be subject to additional enforcement actions.

For more information about the HIPAA Administrative Simplification rules, click here. To share questions or comments about the Compliance Review Program, contact AdministrativeSimplification@cms.hhs.gov.