New Random HIPAA Audits on the Horizon: CMS Compliance Review

HIPAA enforcement has been on the rise for the past few years, totaling over $70 million in fines since 2016 alone. And now, a new round of random HIPAA audits is on the horizon.

The Centers for Medicare & Medicaid Services (CMS) Division of National Standards, on behalf of the Department of Health and Human Services (HHS), is instituting a CMS Compliance Review Program of random HIPAA audits to assess covered entities' compliance with the HIPAA Administrative Simplification Rules for electronic health care transactions.

HIPAA is a series of national standards that healthcare organizations must have in place to safeguard the privacy and security of protected health information (PHI). The HIPAA Administrative Simplification Rules demonstrate how switching from paper to electronic transactions cuts down on paperwork and increases payment speed for health care organizations. This has become an essential part of health care, as electronic PHI (ePHI) has become more and more pervasive throughout the industry.

HIPAA covered entities such as health care providers, health insurance plans, and clearinghouses are required to adopt these standards for transactions that involve the electronic exchange of patient data.

Administrative Simplification Compliance Review Program

The Compliance Review Program of random HIPAA audits will initiate periodic reviews of randomly selected entities to assess their compliance. As of March 2019, HHS has begun by randomly selecting 9 health plans and clearinghouses for Compliance Reviews. These reviews will likely continue after the first round of random audits.

HHS is using a two-step approach in order to enforce rules related to electronic administrative transactions:

  1. Reactive enforcement: continued investigation of complaints against covered entities
  2. Proactive enforcement: randomly selecting health plans and clearinghouses for Compliance Reviews

What Steps Can Health Plans and Clearinghouses Take?

Health Plans

For transactions that clearinghouses conduct on your behalf:

  • Verify your clearinghouses’ compliance
  • You can test the compliance of your clearinghouse’s transactions
  • Your contracts with clearinghouses and other third parties must be compliant with HIPAA Administrative Simplification rules for electronic transactions

For transactions you conduct yourself:

  • Test the compliance of your transactions
  • Verify your compliance with operating rules for eligibility, claims status, and electronic funds transfer/remittance advice
  • If your transactions are not compliant:
    • You need to address your administrative workflow to ensure you are responding efficiently to inquiries about:
      • Eligibility
      • Claims status
      • Electronic funds transfer/remittance advice
    • Your system may need to be debugged or updated by your software vendor or IT staff
    • You may also need to use a compliant clearinghouse to conduct transactions on your behalf

Clearinghouses

  • Test your transactions for compliance
  • Verify your compliance with operating rules for eligibility, claims status, and electronic funds transfer/remittance advice
  • If your transactions are not compliant:
    • You need to address your administrative workflow to ensure you are responding efficiently to inquiries about:
      • Eligibility
      • Claims status
      • Electronic funds transfer/remittance advice
    • Your system may need to be debugged or updated by your software vendor or IT staff
    • You may also need to use a compliant clearinghouse to conduct transactions on your behalf

Implementing an Effective Compliance Program

One of the most important pieces of guidance that HHS has put out with regard to HIPAA compliance is the 7 Fundamental Elements of an Effective Compliance Program.

The 7 Fundamental Elements address the minimum necessary requirements that health plans and clearinghouses must have in place:

  1. Implementing written policies, procedures, and standards of conduct.
  2. Designating a compliance officer and compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

Addressing the HIPAA Administrative Simplification Rules with Compliancy Group

Compliancy Group allows health care professionals and vendors across the industry to address the full extent of their HIPAA regulatory requirements, including HIPAA Administrative Simplification Rules, with our HIPAA compliance solution, The Guard. The Guard is a web-based HIPAA compliance app that allows users to confidently address their HIPAA compliance so they can confidently run their business.

April 24th, 2019