Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

The Latest CMS Guidance: HIPAA Edition

Client Alert

The Latest CMS Guidance: HIPAA Edition

Healthcare worker holding an iPad with HIPAA Compliance

What are the HIPAA Administrative Simplification Regulations?

The HIPAA Administrative Simplification Regulations—encompassing 45 CFR Part 160, Part 162, and Part 164—require HIPAA covered entities to adopt standards for transactions involving the electronic exchange of health care data. The HIPAA Administrative Simplification Regulations include four standards covering transactions, identifiers, code sets, and operating rules. In addition to complying with the HIPAA Administrative Simplification Regulations, HIPAA covered entities must also comply with the HIPAA Privacy and Security Rules.

The purpose of these regulations is to save time and money by moving away from the burdensome paperwork system used for billing, storing patient information, and organizing claims data. By switching to electronic transactions, healthcare organizations can reduce the paperwork burden, receive payments faster, easily obtain patient information, and quickly, check the status of claims.

CMS has recently put out updated guidance for healthcare providers and plans clarifying these HIPAA regulations.

Covered Entities, Listen Up!

HHS defines a transaction as an electronic exchange of information between two parties to carry out financial or administrative activities related to healthcare. HIPAA requires covered entities to conduct standard transactions with one another. Conducting a transaction as a “standard transaction” includes compliance with the set data standard and affiliated operating rules, code sets, and unique identifiers for the particular transaction. HHS has adopted standards for Health Care Claims or Equivalent Encounter Information (45 CFR § 162.1101-1102), Eligibility for a Health Plan (45 CFR § 162.1201-1203), Referral Certification and Authorization (45 CFR § 162.1301-1302), Health Care Claim Status (45 CFR §162.1401-1403), Enrollment or Disenrollment in a Health Plan (45 CFR § 162.1501-1502), Health Care Electronic Funds Transfer and Remittance Advice (45 CFR § 162.1601-1603), Health Plan Premium Payments, Coordination of Benefits (45 CFR § 162.1701-1702), and Medicaid Pharmacy Subrogation Transactions (45 CFR § 162.1901-1902). 

Specific parameters for covered entities also exist. For example, if a covered entity uses a business associate to conduct any portion of a transaction for which a standard has been adopted, the covered entity must require their business associate to comply with that standard. Simply put, the inclusion of a business associate in a transaction does not relieve a covered entity of its responsibility to comply with HIPAA because a business associate is acting on behalf of a covered entity.

Additionally, there are specific parameters for covered entities entering into trading partner agreements. Trading partner agreements are agreements related to the exchange of information in electronic transactions between each party to the agreement. For example, it is standard for a trading partner agreement to set out the duties and responsibilities of each party to the agreement in conducting a standard transaction. Importantly, a covered entity cannot enter into a trading partner agreement that would: (a) change the definition, data condition, or use of a data element or segment in an adopted standard or operating rule; (b) add any data elements or segments to the maximum defined data set; (c) use any code or data elements marked “not used” or that are not in a standard; or (d) change the meaning or intent of a standard.

General Provisions for Health Care Providers and Health Plans, Explained

If a health care provider chooses to use a DDE platform—a direct data entry platform like a provider portal—offered by a health plan to conduct a transaction for which a standard has been adopted, the provider must use the applicable data content and condition requirements of the standard. However, there is an exception for providers that negates their requirement to follow standard formatting protocols when using a DDE platform.

However, a health plan must always conduct a transaction using an adopted standard if requested. They may use a paper-based or manual method, a DDE portal, or an electronic funds transfer. Of note, there are no exceptions to this requirement. This means that a health plan must comply with a provider’s request to conduct a transaction as a standard transaction regardless of the provider’s affiliation, or lack of, with the plan. There are also key prohibitions for health plans. Mainly, a health plan cannot:

Delay or reject a transaction because the transaction is a standard transaction. For example, the plan cannot provide incentives that discourage the use of standard transactions;

Reject a standard transaction just because the health plan does not use some or all of the data elements, such as coordination of benefits data elements; or

Offer an incentive for a health care provider to conduct a transaction using a DDE exception.

Relatedly, the coordination of benefits and code sets are also regulated. If a health plan receives a standard transaction and coordinates benefits with another health plan or payer, then the health plan must store the coordination of benefits data it needs to forward the standard transaction to the other health plan or payer. Simply put, even if the initial receiving health plan does not need the coordination of benefits information, that information is required to process the transaction and the information must still be stored for transmission to the subsequent health plan or payer. Additionally, a health plan must accept and process any standard transaction that contains valid codes, and it must keep code sets for the current billing and appeals periods open to processing.

Sidebar: What are Standard Unique Health Identifiers for Health Care Providers?

A covered health care provider is a health care provider that transmits any health information in electronic form in connection with a transaction for which a standard has been adopted. A covered health care provider must obtain a National Provider Identifier (NPI) from the National Provider System (NPS) and use an NPI on all standard transactions that require its health care provider identifier. Likewise, a covered health care provider must give its NPI to any requesting entity so that they can identify the health care provider in a standard transaction. Of note, a covered health care provider must also require its business associates to use the provider’s NPI. Further, when a covered health care provider is an organization—for example, a corporation or partnership—it must require all individual prescribers it works with to both obtain an NPI and share the NPI upon request with any entity for use in a standard transaction.

If you have any questions about any of the new CMS Guidance and how it may impact your practice, please reach out to your local BMD Healthcare Attorney, Daphne L. Kackloudis at or Ashley Watson at


The NLRB Limits the Reach of Confidentiality and Non-Disparagement Provisions in Severance Agreements Overruling Trump-Era Policies

Employers should exercise caution and closely examine the content of severance agreements to ensure compliance with a recent National Labor Relations Board (“NLRB”) decision.  On February 21, 2023, the NLRB restricted the breadth of permissible language of confidentiality and non-disparagement clauses when it issued its decision in McLaren Macomb and overruled its Trump-era decisions in Baylor University Medical Center and IGT d/b/a International Game Technology.

Ohio Medical Board Releases New Telehealth Rules

On Tuesday, February 21, 2023, the State Medical Board of Ohio released its final telehealth rules to implement Ohio’s telehealth statute (O.R.C. 4743.09) for physicians, physician assistants, dieticians, respiratory care professionals and genetic counselors. Ohio’s advanced practice registered nurses (“APRNs”) should also take note of these rules. While the Medical Board does not govern APRNs directly, those APRNs who are required to have a collaborating physician and standard care arrangement (namely nurse practitioners, certified nurse midwives, and clinical nurse specialists) are still affected by the rules. Generally, if an APRN’s collaborating physician is limited in their practice, then the APRN will also be limited.

The End of the Public Health Emergency is (Finally) Here

The COVID-19 Public Health Emergency (“PHE”) that has been in effect for over three years is finally slated to end on May 11, 2023.[1] With the end of the PHE will come many changes for healthcare providers to be aware of; however, some changes may not come until much later.

Multi-340B Contract Pharmacy Locations on the Brink? The Third Circuit’s Ruling Gives a Hint.

The 340B drug discount program requires pharmaceutical manufacturers to offer to sell their products at significant discounts to safety net providers called “covered entities.” In 1996, the Health Resources and Services Administration (HRSA) issued guidance authorizing covered entities to enter into a contract pharmacy arrangement with a single third-party contract pharmacy, to which the manufacturer would ship 340B medications but bill the covered entity. In 2010, HRSA issued revised guidance permitting covered entities to enter into an unlimited number of contract pharmacy arrangements.

Five Opportunities for Operations and Compliance Excellence in 2023

With the holidays behind us and the rest of the year ahead, now is the perfect time to get your operational/compliance house in order! Though your list might be a mile (or an inch) long, here are five places to start.