Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

The Latest CMS Guidance: HIPAA Edition

Client Alert
June 23, 2022

The Latest CMS Guidance: HIPAA Edition

Healthcare worker holding an iPad with HIPAA Compliance

What are the HIPAA Administrative Simplification Regulations?

The HIPAA Administrative Simplification Regulations—encompassing 45 CFR Part 160, Part 162, and Part 164—require HIPAA covered entities to adopt standards for transactions involving the electronic exchange of health care data. The HIPAA Administrative Simplification Regulations include four standards covering transactions, identifiers, code sets, and operating rules. In addition to complying with the HIPAA Administrative Simplification Regulations, HIPAA covered entities must also comply with the HIPAA Privacy and Security Rules.

The purpose of these regulations is to save time and money by moving away from the burdensome paperwork system used for billing, storing patient information, and organizing claims data. By switching to electronic transactions, healthcare organizations can reduce the paperwork burden, receive payments faster, easily obtain patient information, and quickly, check the status of claims.

CMS has recently put out updated guidance for healthcare providers and plans clarifying these HIPAA regulations.

Covered Entities, Listen Up!

HHS defines a transaction as an electronic exchange of information between two parties to carry out financial or administrative activities related to healthcare. HIPAA requires covered entities to conduct standard transactions with one another. Conducting a transaction as a “standard transaction” includes compliance with the set data standard and affiliated operating rules, code sets, and unique identifiers for the particular transaction. HHS has adopted standards for Health Care Claims or Equivalent Encounter Information (45 CFR § 162.1101-1102), Eligibility for a Health Plan (45 CFR § 162.1201-1203), Referral Certification and Authorization (45 CFR § 162.1301-1302), Health Care Claim Status (45 CFR §162.1401-1403), Enrollment or Disenrollment in a Health Plan (45 CFR § 162.1501-1502), Health Care Electronic Funds Transfer and Remittance Advice (45 CFR § 162.1601-1603), Health Plan Premium Payments, Coordination of Benefits (45 CFR § 162.1701-1702), and Medicaid Pharmacy Subrogation Transactions (45 CFR § 162.1901-1902). 

Specific parameters for covered entities also exist. For example, if a covered entity uses a business associate to conduct any portion of a transaction for which a standard has been adopted, the covered entity must require their business associate to comply with that standard. Simply put, the inclusion of a business associate in a transaction does not relieve a covered entity of its responsibility to comply with HIPAA because a business associate is acting on behalf of a covered entity.

Additionally, there are specific parameters for covered entities entering into trading partner agreements. Trading partner agreements are agreements related to the exchange of information in electronic transactions between each party to the agreement. For example, it is standard for a trading partner agreement to set out the duties and responsibilities of each party to the agreement in conducting a standard transaction. Importantly, a covered entity cannot enter into a trading partner agreement that would: (a) change the definition, data condition, or use of a data element or segment in an adopted standard or operating rule; (b) add any data elements or segments to the maximum defined data set; (c) use any code or data elements marked “not used” or that are not in a standard; or (d) change the meaning or intent of a standard.

General Provisions for Health Care Providers and Health Plans, Explained

If a health care provider chooses to use a DDE platform—a direct data entry platform like a provider portal—offered by a health plan to conduct a transaction for which a standard has been adopted, the provider must use the applicable data content and condition requirements of the standard. However, there is an exception for providers that negates their requirement to follow standard formatting protocols when using a DDE platform.

However, a health plan must always conduct a transaction using an adopted standard if requested. They may use a paper-based or manual method, a DDE portal, or an electronic funds transfer. Of note, there are no exceptions to this requirement. This means that a health plan must comply with a provider’s request to conduct a transaction as a standard transaction regardless of the provider’s affiliation, or lack of, with the plan. There are also key prohibitions for health plans. Mainly, a health plan cannot:

Delay or reject a transaction because the transaction is a standard transaction. For example, the plan cannot provide incentives that discourage the use of standard transactions;

Reject a standard transaction just because the health plan does not use some or all of the data elements, such as coordination of benefits data elements; or

Offer an incentive for a health care provider to conduct a transaction using a DDE exception.

Relatedly, the coordination of benefits and code sets are also regulated. If a health plan receives a standard transaction and coordinates benefits with another health plan or payer, then the health plan must store the coordination of benefits data it needs to forward the standard transaction to the other health plan or payer. Simply put, even if the initial receiving health plan does not need the coordination of benefits information, that information is required to process the transaction and the information must still be stored for transmission to the subsequent health plan or payer. Additionally, a health plan must accept and process any standard transaction that contains valid codes, and it must keep code sets for the current billing and appeals periods open to processing.

Sidebar: What are Standard Unique Health Identifiers for Health Care Providers?

A covered health care provider is a health care provider that transmits any health information in electronic form in connection with a transaction for which a standard has been adopted. A covered health care provider must obtain a National Provider Identifier (NPI) from the National Provider System (NPS) and use an NPI on all standard transactions that require its health care provider identifier. Likewise, a covered health care provider must give its NPI to any requesting entity so that they can identify the health care provider in a standard transaction. Of note, a covered health care provider must also require its business associates to use the provider’s NPI. Further, when a covered health care provider is an organization—for example, a corporation or partnership—it must require all individual prescribers it works with to both obtain an NPI and share the NPI upon request with any entity for use in a standard transaction.

If you have any questions about any of the new CMS Guidance and how it may impact your practice, please reach out to your local BMD Healthcare Attorney, Daphne L. Kackloudis at dlkackloudis@bmdllc.com or Ashley Watson at abwatson@bmdllc.com.

 

HIPAAHIPAA ComplianceHealthcareCMS
Client Alert

HHS Revokes Public Comment Requirement on Certain Policy Changes

March 5, 2025The U.S. Department of Health and Human Services (HHS) has revoked the Richardson Waiver, eliminating the requirement for public notice and comment on certain policy changes. This decision allows HHS to implement new policies more quickly, potentially affecting healthcare funding rules like Medicaid work requirements. While it speeds up policymaking, it also reduces opportunities for stakeholder input, raising concerns over transparency and unintended consequences for healthcare providers, states, and patients.Client Alert

Don't Get Caught Dazed and Confused: Another Florida Court Weighs in on Employer Obligations to Accommodate Medical Marijuana Use

March 3, 2025A Florida trial court ruled in Giambrone v. Hillsborough County that employers may need to accommodate off-duty medical marijuana use under the Florida Civil Rights Act (FCRA). This contrasts with prior rulings and raises new compliance challenges for employers. With the case on appeal, now is the time to review workplace drug policies.Client Alert

Corporate Transparency Act to be Re-evaluated

February 28, 2025Recent federal rulings have impacted the enforceability of the Corporate Transparency Act (CTA), which took effect on January 1, 2024. While reporting requirements were briefly reinstated, FinCEN has now paused enforcement and is reevaluating the CTA. Businesses are no longer required to submit reports until further guidance is issued. For updates and legal counsel, contact BMD Member Blake Gerney.Client Alert

Ohio Recovery Housing Operators Beware: House Bill 58 Seeks to Make Major Changes

February 26, 2025Ohio House Bill 58 proposes significant changes to recovery housing oversight, granting ADAMH Boards authority to inspect and investigate recovery residences. The bill also introduces a Certificate of Need (CON) program, requiring state approval for major facility changes. OMHAS will assess applications based on cost, quality, accessibility, and financial feasibility. The bill also establishes a recovery housing residence fund to support inspections. For more information, contact BMD attorneys Daphne Kackloudis or Jordan Burdick.Client Alert

January 2025 Notice of Proposed Rulemaking Brings Notable Changes to HIPAA Security Rule

February 25, 2025In January 2025, the U.S. Department of Health and Human Services proposed amendments to the HIPAA Security Rule, aiming to enhance cybersecurity for covered entities (CEs) and business associates (BAs). Key changes include mandatory compliance audits, workforce training, vulnerability scans, and risk assessments. Comments on the proposed rule are due by March 7, 2025.
Older posts
Newer posts