The CMS Division of National Standards, on behalf of HHS, is launching the Compliance Review Program (the “Program”) to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions. HHS will randomly select health plans and clearinghouses to assess compliance with: (1) transaction formats; (2) code sets; and (3) unique identifiers. Participants in the Program will also have to attest whether they comply with the operating rules, which are required by the ACA and are defined as “the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications.”
If HHS finds that a health plan or clearinghouse is not compliant, HHS has indicated that it will give the covered entity the opportunity to correct issues and achieve compliance, but may impose penalties on covered entities that do not achieve compliance. HHS has posted general information about the Program here, including step-by-step guidelines explaining how a health plan can prepare here.
Although this program focuses on electronic health care transactions, plan sponsors and plan administrators may also want to ensure compliance with HIPAA’s Privacy, Security, and Breach Notification requirements, which are addressed in a separate audit program described here.