CMS GL-2022-03: Guidance on HIPAA Covered Entities’ Responsibility to Require that Business Associates Comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules (Mar. 22, 2022); CMS GL-2022-04: Guidance on Health Plans’ Payment of Health Care Claims Using Virtual Credit Cards (VCCs) and Adopted HIPAA Standards for Health Care Electronic Funds Transfers (EFT) and Remittance Advice (ERA) Transactions; 45 Code of Federal Regulations (C.F.R.) §§ 162.1601 and 162.1602(d) (Mar. 22, 2022)
The CMS National Standards Group (NSG) has issued two guidance letters addressing HIPAA administrative simplification provisions related to electronic health care transactions. HIPAA administrative simplification encompasses standards for privacy, security, breach notification, and electronic health care transactions. HHS’s Office for Civil Rights enforces the privacy, security, and breach notification standards, while the NSG administers compliance with the standards for electronic transactions, including code sets, unique identifiers, and operating rules.
The first letter addresses business associates’ compliance obligations and a covered entity’s responsibility for its business associates’ noncompliance. The second letter explains the transaction standards for electronic funds transfer (EFT) and electronic remittance advice (ERA). Here are highlights:
- Business Associates. Although covered entities must contractually require their business associates to comply with the electronic transaction standards, engaging a business associate does not relieve the covered entity of its obligation to fully comply with the standards. Thus, if the business associate fails to comply with the electronic transaction standards, the NSG may seek recourse against the covered entity for the business associate’s noncompliance. The same rule applies when the business associate is a covered entity in its own right: the covered entity that hired the business associate still may be held liable for noncompliant actions taken by the business associate on the covered entity’s behalf. [EBIA Comment: In a footnote, NSG notes that the HITECH Act established different direct liability rules for business associates under HIPAA’s privacy and security standards. Business associates are directly liable for compliance with the security standards and some of the privacy standards (see our Checkpoint article) but not with the electronic transaction standards.]
- EFT/ERA. If a provider asks a health plan to conduct a payment transaction in accordance with HIPAA’s EFT/ERA transaction standards, the health plan must do so, regardless of whether the provider is in the plan’s network or otherwise affiliated with the plan. Conversely, if a provider does not request that the health plan use the adopted standards for EFT/ERA transactions, or fails to complete the health plan’s EFT/ERA enrollment process, the health plan is not obligated to use the adopted standards. In that case, health plans may pay health care claims using virtual credit cards, which are not covered by the EFT standards. Although health plans may require providers to conduct certain parts of the payment transactions with the plans’ business associates, providers retain the freedom to choose their own service providers for other parts of the transactions. Providers may use the Administrative Simplification Enforcement and Testing Tool (ASETT) to file a complaint against a health plan that fails to comply with the electronic transaction standards.
EBIA Comment: Although HIPAA privacy, security, and breach notification requirements tend to capture the headlines, electronic transactions lie at the core of HIPAA administrative simplification. The NSG has recently focused attention and resources on compliance, including highlighting the functionality of the ASETT application. Health plans and their business associates conducting covered electronic transactions should keep abreast of NSG’s activity. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV (“Business Associate Contracts”) and XXXII (“Electronic Transactions and Code Sets”).
Contributing Editors: EBIA Staff.