 
NOTES RE: Conference call with the Center for Medicare and Medicaid Services concerning HIPAA on October 30th, 2002, 2:00 PM Eastern Standard Time. The call-in number was (800) 642-1687 and the password was 106116768. Karen Trudel and at least three other officials participated in the call. After their opening comments, questions were taken from the listeners. Over a period of about an hour and forty-five minutes, about a dozen people had an opportunity to ask questions. It was noted that there are two different entities enforcing the administrative simplification portions of HIPAA, CMS and the Office of Civil Rights or OCR. Both will use the same definition of a covered entity. There is a flowchart for determining whether or not one is a covered entity on the government website (www.cms.hhs.gov). The government is no longer accepting applications for an extension for compliance with the electronic code sets. More than 550,000 have been received. There is no final number yet because more than 40,000 were received on paper. The statistics will be posted when they are available. Deadlines are April 14th, 2003, for the privacy rule; April 16th, 2003, to begin software and systems testing for the electronic standards; and October 16th, 2003, for compliance with the code sets. Medicare will not be accepting paper claims after October, 2003, except from "small" providers. Nothing needs to be done to obtain a waiver at the present time. Instructions are awaited. For those who have not filed for an extension and are not compliant with the electronic transaction code sets, enforcement will now be done by CMS. It will be complaint-driven. A complaint form is posted on the website. If a complaint is filed, a covered entity will have the opportunity to submit a corrective action plan before an enforcement action occurs. CMS will need to develop and publish guidelines and penalties. The focus will be on achieving compliance by October 16th, 2003. In response to a question from a physician about what constitutes an electronic transaction, it was stated that sending a fax to a modem will not be considered an electronic transaction as long as the fax starts out on paper rather than from a computer file. This means that if you send the file from your computer it's electronic and makes you a covered entity, but if you print out the item on a piece of paper and feed it through the fax machine, even if the recipient's receiver is a computer, it is apparently not considered an electronic transmission. Telephone calls are not considered electronic for this purpose. Questions about the privacy rule were consistently referred to (866) 627-7748. Another question was raised by a group practice which has filed for an extension for itself and on behalf of its individual physicians: How can it get an extension for any new hires? The answer is that there is no mechanism for doing that so that any new hires who are not compliant with the transaction code sets could be subject to enforcement, but remember that the process is complaint-driven. Questions are referred to [email protected]. A man from the American College of Physicians asked for the trigger date after which a single electronic transaction makes one a covered entity and also inquired whether the status of being a covered entity was reversible-for example, if a small practice decided to revert to paper. The answer was that the law does permit a decision as to whether to file electronically or not. A decision to file electronically to one payer does not require one to submit all electronic claims to all payers (although one is a covered entity on submitting a single electronic claim to any payer.) There is no requirement that states one cannot stop filing electronic claims. If one returns to paper, this is not grounds for a complaint for not following the electronic standards. The Office of Civil Rights is still developing guidance on the privacy issue. If there is a complaint of an inappropriate disclosure at some point in time, it would be necessary to check whether the entity was a covered entity at that point. CMS will suggest a clarification in the Frequently Asked Questions. The questioner was advised not take these oral statements as a legal opinion. The representative of the American College of Physicians also asked whether the count of full-time employees included physician owners. This is to be addressed in the regulations, and it is likely that the physician owner will count as one of the full-time employees. The trigger date determining one's status as a covered entity, that someone came up with after paging through the regulations, is April 14th, 2003. It was stated that the next roundtable will be a joint one with OCR and will also include questions on privacy. An entity that files electronic claims, but that often has to file paper corrections, asked whether this could still be done after October 2003. The answer at this time is not entirely clear. There was some discussion about the exceptions to the electronic claims filing requirement. Practices with fewer than ten full-time employees are exempt, although the definition of what constitutes a full-time employee, especially in a practice with some part-time employees, still is not really determined. A hospital or health plan with fewer than 25 full-time employees is exempt, as are entities for whom filing electronic claims is not possible - with "not possible" remaining to be defined. Also there may be "other exceptions deemed appropriate by the secretary." The question came up again about a physician who is entering practice after October 16th, 2002, who is not compliant with the transaction code sets. It was stated that such a physician is out of compliance and will need a corrective action plan because there is no opportunity to file for an extension. It was stated that a payer can mandate earlier compliance, but the CMS penalties do not apply. Someone asked whether a transcript of the call would be available. The answer was no, but an audio replay will be available next Monday, November 4th, for 72 hours. Call (800) 642-1587 and use the same conference ID as given above. A question was raised about the electronic claims filing requirement in instances in which Medicare is a secondary carrier; this has to be addressed in the regulations and may constitute another exception. Someone asked whether there was a checklist from CMS to see whether or not online pharmacies were compliant. The caller was told to read the entire regulations or to consult with an industry association because CMS did not provide a checklist. (What the enforcers use to decide what penalties to impose was not mentioned.) Someone asked whether using DDE to check eligibility would make one a covered entity, and the answer was yes. If you use the health plan's browser to determine coverage, then you are a covered entity. It was clarified that small health plans did not need to file for an extension; they automatically had until 2003 to comply with the transaction code sets. Someone asked about whether one became a covered entity by offering certain types of employee health plans. Apparently if one offers a fully insured plan, then one is a covered entity. Flexible spending accounts or employee assistance plans may not make one a covered entity, but this apparently has not been ruled on yet. Future conference calls are to be posted on the CMS website. To ask for notification of future calls, send an E-mail to [email protected]. Someone noted a problem with plans that require nonstandard transactions. It was stated that state Medicaid agencies are covered entities. It was emphasized that enforcement is complaint-driven before October 2003. This is a new assignment for CMS. It is investigating guidance to issue, and thinking may change. Someone expressed concern that while a practice will be compliant within three weeks, it had missed the deadline for filing an extension. CMS reiterated that enforcement would be complaint-based, and a form to permit people to complain about them would be posted. Someone asked whether there was any government funding to help entities such as critical access hospitals or rural hospitals become compliant. The answer is no. A question arose about billing services. These are not necessarily covered, although if an entity is performing as a clearinghouse, which translates transactions to a standard format, then it would be covered. A provider would be covered if it contracted with someone else to provide standard electronic transactions. It was observed by one of the callers that most of the questions were concerned with avoiding the need to comply and hoped that more guidance would be available on how to comply. CMS stated that its outreach has primarily been concerned with HIPAA awareness and it will shift its focus to assistance with compliance. CMS initially estimated that there were 2,000,000 covered entities. This estimate is being revised since only 550,000 extension requests were filed. That is "pretty good." CMS is now thinking that many of the entities it had assumed to be covered are small practices that are sticking to paper claims and are therefore not covered and therefore do not need an extension. My impression is that there is a much confusion, not only among people who are supposed to comply with these rules, but in the agency that will enforce them. There is also considerable interest in how to avoid having to comply with these very expensive and onerous rules.
Disclaimer: this material is transcribed from contemporaneous hand-written notes and reflect my understanding. It is not to be construed as legal advice or official interpretation. |