CMS Releases Latest HIPAA Enforcement Stats01 December 2011
According to recent statistics released by the Office of Civil Rights (HIPAA enforcement wing of CMS/HSS) more than 14,768 HIPAA complaints have resulted in enforcement actions against HIPAA covered entities. Typically these actions were against pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices and resulted in OIG requiring changes in privacy practices and other corrective actions by the covered entities. Some instances in the past year have resulted in significant fines under the enhanced penalty provisions of ARRA(HITECH) amendments to HIPAA.
In another 7,639 cases of alleged HIPAA violations, OIG found no violation had occurred. These cases involved disclosures that were determined not to have occurred or involved disclosures that are allowed under the rules, including incidental disclosures.
In almost 35,000 HIPAA complaints and investigations, however, HHS determined that the HIPAA complaint did not present an eligible case for enforcement of the Privacy Rule on the face of the complaint. These include cases in which OCR lacks jurisdiction under HIPAA – such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by the Privacy Rule; the complaint was withdrawn or not pursued by the complainant; or the activity described on the face of the complaint does not violate the Rule – such as when the covered entity has disclosed protected health information in circumstances in which the Rule permits such a disclosure.Read More
Compliance UPDATE: CMS To Delay HIPAA 5010 Enforcement 90 days01 December 2011
Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS) announced that it would not initiate HIPAA enforcement actions until March 31, 2012, with respect to any HIPAA covered entity that is not in compliance with the ASC X12 Version 5010 (Version 5010), NCPDP Telecom D.0 (NCPDP D.0) and NCPDP Medicaid Subrogation 3.0 (NCPDP 3.0) standards. Notwithstanding OESS’ discretionary application of its enforcement authority, the compliance date for use of these newHIPAA coding standards remains January 1, 2012 (small health plans have until January 1, 2013 to comply with NCPDP 3.0).
CMS’ Office of E-Health Standards and Services is the U.S. Department of Health and Human Services’ component that enforces compliance with HIPAA transaction and code set standards.
OESS statements encouraged covered entities to continue working with their trading partners to become compliant with the new HIPAA standards, and to determine their readiness to accept the new standards as of January 1, 2012. While HIPAA enforcement action will not be taken, OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period beginning January 1, 2012. If requested by OESS, covered entities that are the subject of complaints (known as “filed-against entities”) must produce evidence of either HIPAA 5010 compliance or a good faith effort to become compliant with the new HIPAA standards during the 90-day period.
OESS made the decision for a discretionary enforcement period based on industry feedback revealing that, with only about 45 days remaining before the January 1, 2012 compliance date, testing between some covered entities and their trading partners has not yet reached a threshold whereby a majority of covered entities would be able to be in compliance by January 1. Feedback indicates that the number of submitters, the volume of transactions, and other testing data used as indicators of the industry’s readiness to comply with the new standards have been low across some industry sectors. OESS has also received reports that many covered entities are still awaiting software upgrades.
According to HHS, Version 5010, NCPDP Telecom D.0 and NCPDP Medicaid Subrogation 3.0 standards represent significant improvement over the current standard versions. NCPDP Telecom D.0 addresses certain pharmacy industry needs. NCPDP Medicaid Subrogation 3.0 allows state Medicaid programs to recoup payments for pharmacy services in cases where a third party payer has primary financial responsibility. Version 5010 in particular provides more functionality for transactions such as eligibility requests and health care claims status Implementation of Version 5010 also is a prerequisite for using the updated ICD-10 CM diagnosis and ICD-10-PCS inpatient procedure code set in electronic health care transactions effective October 1, 2013Read More