HIPAA Administrative Simplification Rules Compliance Review Program Launched By CMS


The HHS’ Centers for Medicare and Medicaid Services (CMS) introduced a compliance review program for assessing the compliance of HIPAA covered entities with the HIPAA Administrative Simplification Rules for electronic healthcare transactions. The compliance reviews are going to start in April 2019.

Why Adopt the HIPAA Administrative Simplification Rules

The goal for introducing the HIPAA Administrative Simplification Rules is to increase the efficiency and effectiveness of the United States health system. The rules necessitate healthcare organizations to follow the national standards in conducting electronic healthcare transactions, which use unique health identifiers and standard code sets, and at the same time following the HIPAA Privacy and Security Rules requirements.

The HHS’ Office for Civil Rights is in charge of implementing the HIPAA Security, Privacy and Breach Notification Rules. The CMS is in charge of administering and implementing the rules specified in 45 CFR Parts 160, 162, and 164, which cover the standards in transaction and code sets, employer identifiers, and the national provider identifiers. The standards administered by CMS need to be followed every time there is health information exchange. Without adopting the standards, the exchange of healthcare information is not done efficiently.

The CMS Compliance Review Program

Beginning on April 2019, the CMS is going to do compliance reviews on 9 randomly chosen health plans and healthcare clearinghouses, which include those that do and do not deal with Medicare and Medicaid.

Under the compliance reviews, HIPAA-covered entities will be assessed if they are following the specifications established for: Transaction formats; Unique identifiers and Code sets.

When covered entities chosen for a review are determined to be non-compliant with the HIPAA Administrative Simplification Rules, they need to implement a corrective action plan to handle the violations and make necessary changes to be compliant.

Any covered entity that do not perform the required changes to be compliant with the HIPAA Administrative Simplification standards is going to be put through “escalating enforcement actions,” which may involve civil monetary penalties.

The 2019 CMS Compliance Review Program is based on a pilot review program carried out in 2018 on voluntary participants composed of three health plans and three healthcare clearinghouses. There will be a separate program in 2019 in which healthcare providers will be the volunteers for the compliance reviews.

After the last round of 9 compulsory compliance reviews, the CMS will have a continuing campaign that involve regular reviews of randomly picked covered entities to evaluate HIPAA Administrative Simplification Rules compliance.

These are going to be added to the regular procedure for implementing compliance, which presently works on a complaint basis.

Organizations may utilize the internet-based Administrative Simplification Enforcement and Testing Tool (ASETT)  to examine transactions to find out if they are compliant or not and to send complaints concerning HIPAA Administrative Simplification Rules violations.