CMS implementing a grace period for HIPAA deadline
By KEVIN NEW
Medical Device Daily Washington Editor
WASHINGTON Officials who run the nations Medicare program assured providers not prepared for a looming regulatory deadline that cash flow would not be interrupted.
The Centers for Medicare & Medicaid Services (CMS; Baltimore, Maryland) said earlier this week that it would implement a contingency plan to accept non-compliant electronic transactions after Oct. 16 of this year, the deadline date for complying with the regulations of the Health Insurance Portability & Accountability Act (HIPAA).
The contingency plan will ensure that claims will continue to be processed for what CMS estimates to be thousands of providers not able to meet the deadline, it said. Otherwise, the claims would be rejected.
Implementing this contingency plan moves us toward the dual goals of achieving HIPAA compliance while not disrupting providers cash flow and operations, so that beneficiaries can continue to get the healthcare services they need, said CMS administrator Tom Scully.
The decision to establish a contingency plan was made due to statistics showing unacceptably low numbers of compliant claims being submitted, CMS said. CMS gained the authority to implement the contingency plan based on guidance it received from the U.S. Department of Health and Human Services (HHS; Washington) in late July.
The grace period will allow providers additional time to complete testing processes for new systems. CMS will regularly reassess the readiness levels of providers to determine how long to keep the contingency plan in effect, according to Tom Grissom, CMSs director of the Center for Medicare Management, the division responsible for administering reimbursement.
Medicare is able to process HIPAA-compliant transactions, Grissom said, but we need to work with our trading partners to increase the percentage of claims in production.
Because transactions often involve the participation of two covered entities, non-compliance from one could put the other party in a difficult position, CMS said. And covered entities making a good-faith effort to comply with HIPAA standards can implement their own contingency plans to maintain operations and cash flow, according to the HHS guidance document.
We encourage other plans to assess the readiness of their trading partners and implement contingency plans if appropriate, Grissom advised.
Device manufacturers are affected by HIPAA regulations only if they conduct standard transactions, John Bentivoglio, a partner at the Washington office of Arnold & Porter, told Medical Device Daily. Bentivoglio represents several medical device manufacturers and noted that his clients biggest concerns deal with research and marketing regulations in HIPAA.
Only the biggest device companies that interact directly with patients would be considered a covered entity, he said.
HHS clarified its definitions of standard transactions and healthcare in its HIPAA preamble from December 2000, Bentivoglio noted. Standard transactions are financial and administrative in nature relating to claims and billing matters, and most device manufacturers dont interact directly with patients, he explained.
Covered entities may use or disclose protected health information for research purposes without authorization under very limited circumstances, Bentivoglio added. Device manufacturers involved in research should work with institutional review boards to ensure that authorizations for disclosing information is included in an informed consent form, he said.
One of the odd features of HIPAA is that once protected health information is disclosed to a non-covered entity, such as the devices sponsor, the information is no longer protected under the HIPAA rule, Bentivoglio explained.
