Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

The Latest CMS Guidance: HIPAA Edition

Client Alert
June 23, 2022

The Latest CMS Guidance: HIPAA Edition

Healthcare worker holding an iPad with HIPAA Compliance

What are the HIPAA Administrative Simplification Regulations?

The HIPAA Administrative Simplification Regulations—encompassing 45 CFR Part 160, Part 162, and Part 164—require HIPAA covered entities to adopt standards for transactions involving the electronic exchange of health care data. The HIPAA Administrative Simplification Regulations include four standards covering transactions, identifiers, code sets, and operating rules. In addition to complying with the HIPAA Administrative Simplification Regulations, HIPAA covered entities must also comply with the HIPAA Privacy and Security Rules.

The purpose of these regulations is to save time and money by moving away from the burdensome paperwork system used for billing, storing patient information, and organizing claims data. By switching to electronic transactions, healthcare organizations can reduce the paperwork burden, receive payments faster, easily obtain patient information, and quickly, check the status of claims.

CMS has recently put out updated guidance for healthcare providers and plans clarifying these HIPAA regulations.

Covered Entities, Listen Up!

HHS defines a transaction as an electronic exchange of information between two parties to carry out financial or administrative activities related to healthcare. HIPAA requires covered entities to conduct standard transactions with one another. Conducting a transaction as a “standard transaction” includes compliance with the set data standard and affiliated operating rules, code sets, and unique identifiers for the particular transaction. HHS has adopted standards for Health Care Claims or Equivalent Encounter Information (45 CFR § 162.1101-1102), Eligibility for a Health Plan (45 CFR § 162.1201-1203), Referral Certification and Authorization (45 CFR § 162.1301-1302), Health Care Claim Status (45 CFR §162.1401-1403), Enrollment or Disenrollment in a Health Plan (45 CFR § 162.1501-1502), Health Care Electronic Funds Transfer and Remittance Advice (45 CFR § 162.1601-1603), Health Plan Premium Payments, Coordination of Benefits (45 CFR § 162.1701-1702), and Medicaid Pharmacy Subrogation Transactions (45 CFR § 162.1901-1902). 

Specific parameters for covered entities also exist. For example, if a covered entity uses a business associate to conduct any portion of a transaction for which a standard has been adopted, the covered entity must require their business associate to comply with that standard. Simply put, the inclusion of a business associate in a transaction does not relieve a covered entity of its responsibility to comply with HIPAA because a business associate is acting on behalf of a covered entity.

Additionally, there are specific parameters for covered entities entering into trading partner agreements. Trading partner agreements are agreements related to the exchange of information in electronic transactions between each party to the agreement. For example, it is standard for a trading partner agreement to set out the duties and responsibilities of each party to the agreement in conducting a standard transaction. Importantly, a covered entity cannot enter into a trading partner agreement that would: (a) change the definition, data condition, or use of a data element or segment in an adopted standard or operating rule; (b) add any data elements or segments to the maximum defined data set; (c) use any code or data elements marked “not used” or that are not in a standard; or (d) change the meaning or intent of a standard.

General Provisions for Health Care Providers and Health Plans, Explained

If a health care provider chooses to use a DDE platform—a direct data entry platform like a provider portal—offered by a health plan to conduct a transaction for which a standard has been adopted, the provider must use the applicable data content and condition requirements of the standard. However, there is an exception for providers that negates their requirement to follow standard formatting protocols when using a DDE platform.

However, a health plan must always conduct a transaction using an adopted standard if requested. They may use a paper-based or manual method, a DDE portal, or an electronic funds transfer. Of note, there are no exceptions to this requirement. This means that a health plan must comply with a provider’s request to conduct a transaction as a standard transaction regardless of the provider’s affiliation, or lack of, with the plan. There are also key prohibitions for health plans. Mainly, a health plan cannot:

Delay or reject a transaction because the transaction is a standard transaction. For example, the plan cannot provide incentives that discourage the use of standard transactions;

Reject a standard transaction just because the health plan does not use some or all of the data elements, such as coordination of benefits data elements; or

Offer an incentive for a health care provider to conduct a transaction using a DDE exception.

Relatedly, the coordination of benefits and code sets are also regulated. If a health plan receives a standard transaction and coordinates benefits with another health plan or payer, then the health plan must store the coordination of benefits data it needs to forward the standard transaction to the other health plan or payer. Simply put, even if the initial receiving health plan does not need the coordination of benefits information, that information is required to process the transaction and the information must still be stored for transmission to the subsequent health plan or payer. Additionally, a health plan must accept and process any standard transaction that contains valid codes, and it must keep code sets for the current billing and appeals periods open to processing.

Sidebar: What are Standard Unique Health Identifiers for Health Care Providers?

A covered health care provider is a health care provider that transmits any health information in electronic form in connection with a transaction for which a standard has been adopted. A covered health care provider must obtain a National Provider Identifier (NPI) from the National Provider System (NPS) and use an NPI on all standard transactions that require its health care provider identifier. Likewise, a covered health care provider must give its NPI to any requesting entity so that they can identify the health care provider in a standard transaction. Of note, a covered health care provider must also require its business associates to use the provider’s NPI. Further, when a covered health care provider is an organization—for example, a corporation or partnership—it must require all individual prescribers it works with to both obtain an NPI and share the NPI upon request with any entity for use in a standard transaction.

If you have any questions about any of the new CMS Guidance and how it may impact your practice, please reach out to your local BMD Healthcare Attorney, Daphne L. Kackloudis at dlkackloudis@bmdllc.com or Ashley Watson at abwatson@bmdllc.com.

 

HIPAAHIPAA ComplianceHealthcareCMS
Client Alert

Name, Image, and Likeness Agreements in Healthcare

November 14, 2025For example, some healthcare providers have begun to utilize "Name, Image, and Likeness" agreements to promote the brand they have created through their healthcare practice.  We have seen the most healthcare NIL activity with longevity and wellness providers, as well as orthopedics.Client Alert

Compounding GLP-1 Drugs - Recent Updates

November 13, 2025Recent guidance from the Ohio Board of Pharmacy (“BOP”) indicates that providers should generally use the FDA approved GLP-1 drug, rather than a non-FDA approved compounded version of the medication. Importantly, if a GLP-1 drug is commercially available, it cannot be copied through compounding. Currently, compounded copies of Tirzepatide and Semaglutide are not permitted.Client Alert

Top Compliance Risks for Ohio Med-Spas in 2025

November 11, 2025The Ohio Board of Pharmacy has increased inspections of med-spas holding Terminal Distributor of Dangerous Drugs (TDDD) licenses, with many facing enforcement actions in 2025. Common issues include purchasing from unlicensed distributors, improper drug storage, inadequate recordkeeping, and insufficient prescriber oversight. Understanding these risks and maintaining compliance can help protect your practice from penalties and license suspension.Client Alert

Pre and Postnuptial Agreements | Necessary, Maybe, What Happened to Forever?

November 7, 2025Both Florida and Ohio now allow clients to enter into a prenuptial or postnuptial agreement prior to marriage or after marriage (Ohio previously did not allow postnuptial agreements). Both documents have statutory guidelines that must be followed in terms of execution and financial disclosure.Client Alert

DHS Ends All Employment Authorization Auto-Extensions

October 29, 2025Effective October 30, 2025, DHS ends all automatic work authorization renewals. The 540-day extension applies only to renewals filed before this date, and there is no grace period for expired EADs filed on or after October 30. Employers must audit EADs, train staff, ensure I-9 compliance, and plan for work authorization gaps. Penalties for noncompliance can be severe.
Older posts