CMS Starts HIPAA Simplification Rules Audits

The Centers for Medicare and Medicaid Services (CMS) Division of National Standards has recently announced that it will be soon be commencing audits of health plans and healthcare clearinghouses to assess compliance with the HIPAA Administrative Simplification Rules.

HIPAA compliance audits are more usually associated with compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Two rounds of audits on those aspects of HIPAA compliance have already been conducted by OCR.

The HIPAA Simplification Rules – and the Affordable Care Act (ACA) – require HIPAA-covered entities to adopt standards for electronic healthcare transactions, which includes using standard data content, identifiers, and code sets. These standards improve efficiency and the effectiveness of the health system in the United States.

The HHS’ Office for Civil Rights enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules, but the CMS is responsible for enforcement of compliance with the HIPAA Simplification Rules. The audit program will help to ensure that HIPAA-covered entities are meeting their obligations.

In 2018, a pilot audit program was conducted by the CMS on volunteers to help streamline the audit program. The next phase of the CMS Compliance Review program starts in April 2019 with a review of 9 randomly selected health plans and healthcare clearinghouses, including those that work with Medicare and Medicaid as well as those that do not.

The CMS will be assessing use of transaction formats, code sets, and unique identifiers required by the HIPAA Simplification Rules. Entities selected for audit will be required to attest to whether they are in compliance with the operating rules. Any covered entities found not to be in compliance will be provided with the opportunity to correct any areas of noncompliance voluntarily. Should entities fail to achieve compliance they could be issued with a financial penalty.

After the 9 audits have been completed, the CMS will embark upon a permanent audit program which will involve periodic audits on a random selection of covered entities to assess compliance and ensure that operating rules are being met. The CMS will also follow up on complaints about entities that are not in compliance and encourages anyone who discovers a compliance violation to report it.

The audit program will be extended to healthcare providers, although they have more time to prepare as they are not currently included in the audit program.

To prepare for a compliance review, and to self-assess compliance, health plans, healthcare clearinghouses, and healthcare providers can test their electronic transactions using the Administrative Simplification Enforcement and Testing Tool (ASETT) developed by the CMS.