Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

The Latest CMS Guidance: HIPAA Edition

Client Alert
June 23, 2022

The Latest CMS Guidance: HIPAA Edition

Healthcare worker holding an iPad with HIPAA Compliance

What are the HIPAA Administrative Simplification Regulations?

The HIPAA Administrative Simplification Regulations—encompassing 45 CFR Part 160, Part 162, and Part 164—require HIPAA covered entities to adopt standards for transactions involving the electronic exchange of health care data. The HIPAA Administrative Simplification Regulations include four standards covering transactions, identifiers, code sets, and operating rules. In addition to complying with the HIPAA Administrative Simplification Regulations, HIPAA covered entities must also comply with the HIPAA Privacy and Security Rules.

The purpose of these regulations is to save time and money by moving away from the burdensome paperwork system used for billing, storing patient information, and organizing claims data. By switching to electronic transactions, healthcare organizations can reduce the paperwork burden, receive payments faster, easily obtain patient information, and quickly, check the status of claims.

CMS has recently put out updated guidance for healthcare providers and plans clarifying these HIPAA regulations.

Covered Entities, Listen Up!

HHS defines a transaction as an electronic exchange of information between two parties to carry out financial or administrative activities related to healthcare. HIPAA requires covered entities to conduct standard transactions with one another. Conducting a transaction as a “standard transaction” includes compliance with the set data standard and affiliated operating rules, code sets, and unique identifiers for the particular transaction. HHS has adopted standards for Health Care Claims or Equivalent Encounter Information (45 CFR § 162.1101-1102), Eligibility for a Health Plan (45 CFR § 162.1201-1203), Referral Certification and Authorization (45 CFR § 162.1301-1302), Health Care Claim Status (45 CFR §162.1401-1403), Enrollment or Disenrollment in a Health Plan (45 CFR § 162.1501-1502), Health Care Electronic Funds Transfer and Remittance Advice (45 CFR § 162.1601-1603), Health Plan Premium Payments, Coordination of Benefits (45 CFR § 162.1701-1702), and Medicaid Pharmacy Subrogation Transactions (45 CFR § 162.1901-1902). 

Specific parameters for covered entities also exist. For example, if a covered entity uses a business associate to conduct any portion of a transaction for which a standard has been adopted, the covered entity must require their business associate to comply with that standard. Simply put, the inclusion of a business associate in a transaction does not relieve a covered entity of its responsibility to comply with HIPAA because a business associate is acting on behalf of a covered entity.

Additionally, there are specific parameters for covered entities entering into trading partner agreements. Trading partner agreements are agreements related to the exchange of information in electronic transactions between each party to the agreement. For example, it is standard for a trading partner agreement to set out the duties and responsibilities of each party to the agreement in conducting a standard transaction. Importantly, a covered entity cannot enter into a trading partner agreement that would: (a) change the definition, data condition, or use of a data element or segment in an adopted standard or operating rule; (b) add any data elements or segments to the maximum defined data set; (c) use any code or data elements marked “not used” or that are not in a standard; or (d) change the meaning or intent of a standard.

General Provisions for Health Care Providers and Health Plans, Explained

If a health care provider chooses to use a DDE platform—a direct data entry platform like a provider portal—offered by a health plan to conduct a transaction for which a standard has been adopted, the provider must use the applicable data content and condition requirements of the standard. However, there is an exception for providers that negates their requirement to follow standard formatting protocols when using a DDE platform.

However, a health plan must always conduct a transaction using an adopted standard if requested. They may use a paper-based or manual method, a DDE portal, or an electronic funds transfer. Of note, there are no exceptions to this requirement. This means that a health plan must comply with a provider’s request to conduct a transaction as a standard transaction regardless of the provider’s affiliation, or lack of, with the plan. There are also key prohibitions for health plans. Mainly, a health plan cannot:

Delay or reject a transaction because the transaction is a standard transaction. For example, the plan cannot provide incentives that discourage the use of standard transactions;

Reject a standard transaction just because the health plan does not use some or all of the data elements, such as coordination of benefits data elements; or

Offer an incentive for a health care provider to conduct a transaction using a DDE exception.

Relatedly, the coordination of benefits and code sets are also regulated. If a health plan receives a standard transaction and coordinates benefits with another health plan or payer, then the health plan must store the coordination of benefits data it needs to forward the standard transaction to the other health plan or payer. Simply put, even if the initial receiving health plan does not need the coordination of benefits information, that information is required to process the transaction and the information must still be stored for transmission to the subsequent health plan or payer. Additionally, a health plan must accept and process any standard transaction that contains valid codes, and it must keep code sets for the current billing and appeals periods open to processing.

Sidebar: What are Standard Unique Health Identifiers for Health Care Providers?

A covered health care provider is a health care provider that transmits any health information in electronic form in connection with a transaction for which a standard has been adopted. A covered health care provider must obtain a National Provider Identifier (NPI) from the National Provider System (NPS) and use an NPI on all standard transactions that require its health care provider identifier. Likewise, a covered health care provider must give its NPI to any requesting entity so that they can identify the health care provider in a standard transaction. Of note, a covered health care provider must also require its business associates to use the provider’s NPI. Further, when a covered health care provider is an organization—for example, a corporation or partnership—it must require all individual prescribers it works with to both obtain an NPI and share the NPI upon request with any entity for use in a standard transaction.

If you have any questions about any of the new CMS Guidance and how it may impact your practice, please reach out to your local BMD Healthcare Attorney, Daphne L. Kackloudis at dlkackloudis@bmdllc.com or Ashley Watson at abwatson@bmdllc.com.

 

HIPAAHIPAA ComplianceHealthcareCMS
Client Alert

Ohio Department of Health Releases Updated Charge Limits for Medical Records

March 7, 2022Under Ohio law, a healthcare provider or medical records company that receives a request for a copy of a patient's medical record may charge an amount in accordance with the limits set forth in Ohio Revised Code Section 3701.741. The allowable amounts are increased or decreased annually by the average percentage of increase or decrease in the consumer price index for all urban consumers, prepared by the United States Department of Labor, Bureau of Labor Statistics, for the immediately preceding calendar year over the calendar year immediately preceding that year, as reported by the Bureau. The Director of the Ohio Department of Health makes this determination and adjusts the amounts accordingly. The list is then published, here.Client Alert

No Surprises Act Compliance (Published by NAMAS, 2/25/22)

March 7, 2022The Department of Health and Human Services published three parts to the No Surprises Act towards the end of 2021, which took effect January 1, 2022. The Act is intended to protect consumers from “balance billing,” which occurs when a patient receives a bill with a higher price than they may have anticipated because they did not have knowledge that the provider or facility was out-of-network. The purpose of this article is to note certain requirements that compliance employees will need to be aware of at their facilities, including notice and consent, good faith estimates, and public disclosures.Client Alert

No Surprises Act and You (Published in the SCMS Winter 2022 Newsletter)

March 3, 2022Legislation has been adopted by the United States Congress and the Ohio Legislature known as the “No Surprises Act” which attempts to regulate billing by professionals and facilities to patients who are not in networks with those facilities or providers at those facilities. The federal bill was triggered by some sensational news stories of patients being billed for tens of thousands of dollars for emergency care when the hospital was out of the network under the patient’s insurance plans.Client Alert

Are You Impacted by the Project Labor Agreement Executive Order?

February 28, 2022Project Labor Agreements (PLAs) are a quasi-collective bargaining agreement between employers and unions. They establish the terms and conditions of employment, including dispute resolution. They are put into place on specific projects and apply to the contractor, whether it is union or non-union. Employees hired on the project will be treated as union.Client Alert

No Surprises Act Update: Federal Judge Strikes Portions of the No Surprises Act

February 25, 2022In a win for providers, a Texas federal court granted the Texas Medical Association’s (TMA) motion for summary judgment and struck down portions of a federal rule that establishes a reimbursement rate arbitration process between payors and providers under the No Surprises Act (NSA).
Older posts
Newer posts