Listen to HHS: Don't Put HIPAA Compliance on Back Burner
May 7, 2007
Perhaps you cannot feel the ground trembling yet, but certainly distant echoes signal that a new emphasis on HIPAA privacy and security enforcement is on its way.
Simply witness the following activity:
- NPI Deadline is May 23, 2007.
What is NPI? The National Provider Identifier is a 10-digit number that all covered entities–particularly health care providers–will have to use exclusively by May 23, 2007, in performing electronic administrative functions like billing and eligibility. They can apply online: https://nppes.cms.hhs.gov.
Employers with on-site clinics are considered to be health care providers. Providers include those on an individual level–like a dentist or doctor–and those at the organizational level–like a hospital. Many health plans and carriers will have already designated another number for providers, but after May 23 they can no longer do so. Health plans will need some sort of translation table to equate existing ID numbers with the new NPIs.
The deadline is delayed until May 23, 2008, for small health plans (i.e., those with $5 million or less in annual receipts).
The Centers for Medicare and Medicaid Services (CMS) stated in recent guidance that it will examine a covered entity’s good faith efforts and any necessary corrective action plan in determining its level of enforcement. CMS will not be so cooperative in cases of willful neglect. The CMS guidance is available at: www.cms.hhs.gov/nationalprovidentstand/downloads/npi_contingency.pdf
- New Website on HIPAA Compliance and Enforcement. In April, the Department of Health and Human Services (HHS) celebrated the fourth anniversary of the Privacy Rule’s effective date by launching an enhanced website. The purpose is to make it easier for everyone to understand how HHS will enforce privacy rights and standards. The HHS Office for Civil Rights (OCR) is in charge of enforcement. The website devotes considerable space to consumer rights, including the use and disclosure rules for protected health information and guidance on how to file complaints. Employers with health plans would do well to ensure that their plans continue to be in compliance. The website is located at: www.hhs.gov/ocr/privacy/enforcement.
- Delegation of Subpoena Authority. Also in April, OCR announced that HHS delegated to OCR the authority to issue subpoenas in investigations of alleged violations of the HIPAA Privacy Rule and of the Patient Safety and Quality Improvement Act of 2005. These investigations can result in civil money penalties of up to $25,000 per violation. The announcement can be found in the April 16, 2007, issue of the Federal Register and is available at http://www.hhs.gov/ocr/hipaa.
Infinisource has a great resource for complying with HIPAA’s privacy and security requirements: HIPAA Solved. This product builds customized policies and procedures for both privacy and security. Within a matter of hours of receiving the HIPAA Solved CD-ROM and binder, an employer can be well on its way to HIPAA compliance. For more information, visit our website at www.benefitsolved.com and look for HIPAA Privacy and Security among our Products and Services.