Dykema Gossett PLLC

Homeostasis: Health Care Law Blog

HIPAA Isn’t Only About Data Privacy and Security


Authored by Joanne Lax (retired Member of Dykema)

When we think about the Health Insurance Portability and Accountability Act of 1996 (HIPAA), many of us immediately think about protecting the privacy and security of individually identifiable health information. Justifiably so, since voluminous regulations mandate such protection, and because the federal government has stepped up its enforcement of those regulations and collected considerable sums in penalties for non-compliance. But a recent announcement by the U.S. Centers for Medicare and Medicaid Services (CMS) Division of National Standards reminds us not to forget another important set of HIPAA Administrative Simplification regulations. Both HIPAA and the Patient Protection and Affordable Care Act (ACA) require that certain electronic financial and administrative transactions be conducted using standard data content, code sets, and format (the Administrative Simplification Standards). On March 25, 2019, CMS announced that it will audit, via the Compliance Review Program, selected health plans and clearinghouses to determine compliance with these Administrative Simplification Standards.

Starting in April 2019, CMS will randomly select nine health plans and clearinghouses that are HIPAA Covered Entities for participation in the Compliance Review Program. At present, health care providers are not part of the Compliance Review Program. CMS is soliciting three health care provider volunteers to participate in a pilot compliance program geared to providers, after which health care providers will be eligible for selection for the official Compliance Review Program. CMS will continue randomly selecting entities on a rolling basis as it completes each individual audit.

If selected, plans and clearinghouses will receive instructions about how to upload requested data to a specified portal regarding their use of electronic transactions, code sets, operating standards and unique identifiers. The selected plans and clearinghouses will then have 30 days to upload the requested data. CMS will evaluate the data and provide the plan or clearinghouse with its findings within 60 days thereafter. Despite these timelines, CMS advises that the total Compliance Review can take 4-6 months. This longer time frame includes time for the plan or clearinghouse to correct any noted deficiencies pursuant to a formal corrective action plan, or for CMS to step up enforcement if compliance is not voluntarily achieved. CMS notes that it will seek civil money penalties for willful or egregious non-compliance.

CMS suggests that health plans and clearinghouses prepare for a possible Compliance Review by testing their own electronic transactions and those of their electronic partners, as well as reviewing contracts with electronic partners to ensure that they demand compliance. Plans and clearinghouses can use the Administrative Simplification Enforcement and Testing Tool (ASETT) developed by CMS to conduct these tests.

CMS reminds HIPAA Covered Entities that the Compliance Review Program is only one half of its Administrative Simplification Standards enforcement strategy. It will continue its complaint investigation strategy and encourages anyone to report alleged non-compliance with the Administrative Simplification Standards.

Health plans and clearinghouses that are HIPAA Covered Entities should move promptly to strengthen their internal controls on compliance with the Administrative Simplification Standards. Health care providers that are HIPAA Covered Entities have more time, since a compliance review program for them is not yet in place. Not only will enhanced compliance efforts help prevent CMS enforcement activity, but they will also further the patient care goals that depend upon a smooth, efficient, accurate and quick transmission of patient data.


Joanne R. Lax is a retired member of Dykema. Her career with Dykema’s Health Care Practice Group spanned 40 years, starting in 1978. Her areas of concentration included post-acute and long-term care, behavioral health, clinical ethics, data privacy/HIPAA, and assisted reproductive technology. Joanne presently serves on the Board of Directors of the American Health Lawyers Association (term expected to end in 2021), after serving for nine years as Chair and Vice Chair of AHLA’s Post-Acute and Long-Term Care Practice Group. She also served as Chair of the State Bar of Michigan’s Health Care Law Section. During her career, Joanne earned many honors and awards, including designation as a Super Lawyer, designation as a Best Lawyer and Best Lawyer’s Lawyer of the Year for health care in Detroit in 2012, Fellow of the State Bar of Michigan Health Care Law Section, and designation as a Leading Lawyer. In her retirement, Joanne is a guest blogger for Homeostasis.