Main Menu

HHS Announces Compliance Review Program for HIPAA Electronic Transactions


In April, the U.S. Department of Health and Human Services (HHS) announced the launch of a compliance review program to assess covered entities’ compliance with the rules for electronic health care transactions under the Health Insurance Portability and Accountability Act (HIPAA). Let’s look at some details.

Regulatory objectives

HIPAA rules impose standards for specified transactions involving the electronic exchange of health care data, including transaction formats and code sets. The Affordable Care Act (ACA) added requirements for operating rules for the existing transactions, unique health plan identifiers (HPIDs), and standards for electronic funds transfers and electronic health care claims attachments. These rules are intended to:

  • Increase efficiency
  • Improve the quality and accuracy of information
  • Reduce overall health care costs

Nine covered entities — a mix of health plans and clearinghouses — will be selected for this initial round of compliance reviews under the compliance review program.

Questions and answers

A separate “What to Expect” Q&A document provides additional information on the program, explaining:

  • How selected entities will be notified,
  • That reviews could take four to six months to complete, and
  • Under what manner the reviews will be conducted.

The Q&As note that entities selected for review will use a portal to upload requested files and will have just 30 days after information about the portal is provided to submit transactions and other information for review. The HHS will review submissions within 30 days after receipt, and will then notify the entity of its findings and any necessary corrective action.

According to the announcement, the program will focus on remediation through corrective action plans but, in cases of willful and egregious noncompliance, monetary penalties may be assessed.

Prep steps

Another document lays out “prep steps” that health care plans can take to prepare for a compliance review. The prep steps document refers to transactions that health care plans conduct themselves and transactions conducted by clearinghouses on a plan’s behalf.

But no reference is made to transactions by third-party administrators (TPAs) or other business associates. This may mean that the compliance review program will focus on health insurers, though cautious self-insured health plans and TPAs may take this opportunity to assess their compliance with these rules.

Also, though the supporting materials refer to unique identifiers, we suspect that HPIDs won’t be included in these reviews, considering the Centers for Medicare and Medicaid Services’ nonenforcement policy and proposed regulations to eliminate HPIDs.

Comprehensive requirements

HIPAA is a comprehensive legislative act incorporating many regulatory requirements. Electronic transactions and data privacy are among the most important. For more information on the compliance review program and how it may affect your organization, contact your benefits advisor.

 CMS extends “grandmothered plans” nonenforcement policy

In late March, the Centers for Medicare and Medicaid Services (CMS) announced another extension of the limited nonenforcement policy allowing states to permit insurers in the individual and small group markets to renew health insurance policies they’d otherwise have to cancel because of noncompliance with certain insurance market reforms under the ACA.

The CMS generally continues the terms and conditions applicable to last year’s extension of this transitional policy first announced in 2013. Under this latest guidance, however, states may permit insurers that have continually renewed eligible nongrandfathered individual and small group policies since January 1, 2014, to again renew that coverage for a policy year beginning on or before October 1, 2020, provided that the policies end by January 1, 2021. Health insurers relying on this nonenforcement policy must send an informational notice — the content of which hasn’t changed from last year — to affected individuals and employers.

The individual and small group market plans under this transitional policy are sometimes referred to as “grandmothered plans.” These plans are distinct under the ACA from “grandfathered plans,” which are plans that were in existence on March 23, 2010, and haven’t undergone certain prohibited changes. Although both plan types are exempt from many ACA requirements, it’s important to accurately determine which exemption applies to identify the applicable provisions. Grandfathered plans were the subject of a recent agency request for information gathering input to better understand the challenges for plans and insurers in avoiding loss of grandfathered status.



Back to Page