Government Advocacy

May 23rd, 2018: MGMA calls on CMS to enforce health plan HIPAA compliance

Advocacy Letter

Health Information Technology

Federal Compliance

May 23, 2018 
 
Kathleen Cantwell
Director of the Office of Strategic Operations and Regulatory Affairs
Centers for Medicare & Medicaid Services
Office of Strategic Operations and Regulatory Affairs
Division of Regulations Development
Room C4-26-05
7500 Security Boulevard
Baltimore, MD  21244-1850

Attention:  Document Identifier CMS-10148 
 
Dear Director Cantwell:

The following comments for the Medical Group Management Association (MGMA) is in response to the Information Collection Request for the Centers for Medicare & Medicaid Services (CMS) “HIPAA Administrative Simplification (Non-Privacy/Security) Complaint Form.”  We will provide comments specifically on the complaint form itself and more generally on the overall CMS administrative simplification enforcement process. 

MGMA is the premier association for professionals who lead medical practices. Since 1926, through data, advocacy and education, MGMA empowers medical group practices to create meaningful change in healthcare. With a membership of more than 40,000 medical practice administrators, executives, and leaders, MGMA represents more than 12,500 organizations of all sizes, types, structures, and specialties that deliver almost half of the healthcare in the United States. 

MGMA appreciates the opportunity to provide comment of the complaint form and on the broad issue of enforcement of the electronic transactions, operating rules, national identifiers, and code sets mandated in HIPAA and the Patient Protection and Affordable Care Act of 2010 (ACA). While we are supportive of a process that permits physician practices to formally lodge a complaint against a health plan or clearinghouse, notifying CMS of a potential violation, the low adoption rate for many of the electronic transactions signals that this process should be augmented with a more aggressive enforcement approach. The most current figures from the CAQH Index report show significant stagnation in several of the critical administrative transactions and actually a decreased utilization rate for some.  

For example, use of the X12 270/271 (Eligibility & Benefit Verification) continues to be less than 80% and the X12 835 (Remittance Advice) remains stagnant at 56% adoption. Disconcertingly, use of the Electronic Funds Transfer transaction for payments declined from 62% to 60% while use of the X12 278 (Prior Authorization) transaction went from 18% to just 8%. At the same time, health plans have increasingly been driving providers away from using the HIPAA standards transactions and toward use of online portals. While online portal use benefits the plans by reducing faxes and phone calls, proprietary portals create a manual workflow process for providers and decreased revenue cycle automation. 

Form-Specific Comments

The “HIPAA Non-Privacy/Security Complaint Form” wording and structure should be modified in the following ways:  

•    The name of the form should be changed from “HIPAA Non-Privacy/Security Complaint Form” to “HIPAA Administrative Simplification Complaint Form” to better reflect the types of complaints that would be covered on this form.

•    In Section 1, the question “Organization Name:” should be “Organization Name (If Applicable)” to reflect the fact that an individual can file a complaint not just an organization.

•    In Section 1, the question “Role in Organization:” should be “Role in Organization (If Applicable)” to reflect the fact that an individual can file a complaint not just an organization.

•    The Section 3, Subsection 3 disclaimer (“Would you prefer to remain anonymous during the CMS investigation? YES  NO  Disclaimer: If you select yes, please note that CMS will not share your information to the Filed Against Entity (FAE) during the investigation process. However, information provided in this complaint is subject to the rules and policy under the Freedom of Information Act (FOIA)” should be moved up to immediately follow Section 1 of the form. This placement would emphasize the ability of the complainant to file the form anonymously. 

•    The Section 3, Subsection 3 statement “Disclaimer: If you select yes, please note that CMS will not share your information to the Filed Against Entity (FAE) during the investigation process. However, information provided in this complaint is subject to the rules and policy under the Freedom of Information Act (FOIA)” should include an explanation of the applicable rules and policy under the Freedom of Information Act, or, at a minimum, include a hyperlink to a government website that can provide additional detail.

•    Section 3, Subsection 4 (“Who are you filing against? Health Plan Covered Health Care Provider Health Care Clearinghouse Vendor”) should be moved up to proceed the current Section 2 “Filed Against Entity” section to allow the complainant to identify the type of entity they are complaining about prior to providing the specific contact information. 

•    We recommend adding a new Subsection to Section 3. This new subsection would permit the complainant to explain that they are not sure who the complaint should be lodged against. This is typical in the industry, where a provider is told by their practice management system software vendor, clearinghouse, and health plan that the non-compliance issue resides with one of the other entities. In these cases, the provider knows only that there is a problem that is preventing an administrative transaction from being transmitted or accepted using the national standard. The supporting documentation should then be utilized by CMS to determine where the non-compliance action(s) reside. 

•    Section 3, Subsection 4 (“Who are you filing against? Health Plan Covered Health Care Provider Health Care Clearinghouse Vendor”) could be confusing with the inclusion of the term “Vendor,” as a clearinghouse is also a vendor. We recommend that this section of the form specify only those covered entities included in HIPAA (Health Plans, Clearinghouses, Providers) but include a separate question related to a non-covered entity vendor that the complaint is being lodged against. CMS should consider the following options in this section: (i) practice management system software vendor; (iii) electronic health record software vendor; (iii) billing system vendor; (iv) other (please describe___________.  This type of clarification will be important if the agency is to understand if a non-covered entity is not supporting the administrative simplification requirements.

•    In Section 3, Subsection 5, when complainants are asked to “Describe the complaint in detail below (You may attach additional pages as needed, and enclose copies of supporting documentation that may assist CMS with investigating your complaint),” we recommend providing examples of the types of supporting documentation that the agency would find most helpful during an investigation. As well, it should be explained that the complainant may redact information from the documentation in situations where, for example, patient or client-identifying information is included in the documentation. 

•    Section 3, Subsection 6 (“Have you attempted to submit this complaint with another agency”) should be moved to the end of the form, just prior to the signature. 

•    Section 3, Subsection 7 (“Have you attempted to resolve this dispute?”) should be moved to be the second last question asked in the form, right before “Have you attempted to submit this complaint with another agency?”  Further, we urge that there be added a clarifying statement reminding complainants that while they are encouraged to do so, they are not required to initiate a resolution with the Filed Against Entity prior to lodging a complaint directly to CMS.

•    Section 3, Subsection 8 (“Check the appropriate box for this complaint: (Please check all that apply”)) and Subsection 9 (“Transactions”) should be moved to be between current Section 3 Subsections 1 and 2. This flow would allow the complainant to fully describe the issue in question before moving on to the remaining questions. 

•    With the above ordering change made, Section 3, Subsection 1 (“Select the HIPAA Non-Privacy/Security Complaint Category below:”) should be removed as it now is redundant to the current Section 3, Subsection 8 (“Check the appropriate box for this complaint: (Please check all that apply”)).

•    Section 3, Subsection 8, First bullet: sentence is missing a period.

•    Section 3, Subsection 8, there should a separate bullet specific to the failure/refusal of a covered entity to provide payment via electronic funds transfer following a provider request. 

•    Section 3, Subsection 8, there should a separate bullet specific to the failure of a covered entity to support one or more of the mandated operating rules.

•    Section 3, Subsection 9, first bullet should read: “270/271-Insurance Eligibility Verification with a Health Plan.”

•    Section 3, Subsection 9, for bullets 1, 2, and 5, there should be after each description, the following: “…and/or supporting operating rules.” As an alternative, each operating rule could be its own separate bullet in this list.

•    Section 3, Subsection 10, as we are recommending that this list proceed the description of the issue by the complainant, we recommend “Select the appropriate code sets discussed in your complaint” be changed to read “Select the appropriate code set(s) to be discussed in your complaint.”

•    We recommended the reordered form be the following: (i) Section 1; (ii) Section 3, Subsection 3; (iii) Section 3, Subsection 4; (iv) Section 2; (v) Section 3, Subsection 8; (vi) Section 3, Subsection 9; (vii) Section 3, Subsection 2; (viii) Section 3, Subsection 5; (ix) Section 3, Subsection 7; (x) Section 3, Subsection 6.

General comments on the form

•    We believe one reason why the number of administrative simplification-related complaints is so low is the concern that if physician practices lodge a complaint against a health plan or clearinghouse, those entities could take punitive action against them. CMS is strongly urged to develop a flexible process that will encourage reticent providers to step forward and lodge complaints where appropriate.
 
•    The requirement to register in the Administrative Simplification Enforcement and Testing Tool (ASETT) act a deterrent for some potential complainants to submit the form to CMS. Therefore, we recommend that the complaint form be made available outside of the ASETT system to be downloaded, printed, mailed, or emailed to the agency by a potential complainant. 

•    MGMA recommends that CMS accept a complaint form that includes specifics regarding the Filed Against Entity and the alleged infraction itself, but does not include the Complainant Information. The infraction allegation information should be sufficient to initiate an investigation yet will not subject a complainant to any potential punitive action from a Filed Against Entity. 

General comments on administrative simplification enforcement

MGMA members have reported many occurrences of non-compliance on the part of health plans (including commercial plans, state Medicaid agencies, and Veterans Affairs-contracted payers. With no enforcement fines to date levied against a covered entity for non-compliance, there is little reason to submit a complaint on the part of a provider and little incentive to be complaint on the part of a health plan. Conversely, the Office for Civil Rights (OCR) has not only levied fines and reached numerous settlement agreements with non-complaint covered entities, but they have widely communicated each instance of non-compliance through press releases and other communication channels. In addition, the publicly-available HHS Breach Notification website lists every breach of more than 500 patient records. Further, OCR has initiated a series of HIPAA audits over the past several years, conducted through a contracted consultant. These audits not only serve as further motivation for covered entities to develop and implement compliant policies, but they also have served to identify common areas of concern that then can be addressed through OCR and private sector education. 

This level of transparency and the conducting of audits that motivate covered entities to improve their privacy and security policies and procedures and encourage individuals to come forward and report potential problems can be emulated by CMS. Recent results from the CAQH Index, measuring use and costs of the HIPAA electronic transactions and operating rules, suggests that the administrative transactions are underutilized and billions of dollars of saving are going unrealized. Health plans and clearinghouses unable or unwilling to support the administrative simplification standards and operating rules force providers to employ manual methods such as phone calls, facsimiles, and web portals, thus diverting scarce provider resources away from patient care. To increase industry use of the administrative simplification standards and achieve increased efficiency and cost savings, we recommend CMS take the following steps:
•    Halt the recently-announced CMS Optimization Pilot for Administrative Simplification Transactions in which volunteer organizations are to test their compliance with the electronic transactions, operating rules, and code sets. These types of “voluntary” audits will not be productive and will only serve to delay the start of a truly effective compliance-based audit program;

•    Initiate random audits of health plans and clearinghouses, starting with those who had have a formal complaint previously lodged against them for non-compliance with electronic transactions, operating rules, national identifiers, or code sets; and  

•    Publish the names of every covered entity who either failed a CMS audit, entered into a corrective action plan with CMS, or is levied a fine or reached a settlement agreement with CMS regarding non-compliance with any of the administrative simplification standards.

We appreciate the opportunity to share our recommendations for improving the process for physician practices to submit a complaint to CMS and for the federal government to more effectively enforce the longstanding HIPAA and ACA administrative simplification requirements. If we as an industry are to take full advantage of the mandated transactions, operating rules, national identifiers, and code sets, it is imperative that health plans and clearinghouses fully support these standards. 

Thank you for your consideration of these proposals and please contact Robert Tennant at rtennant@mgma.org or 202-293-3450 should you have any questions. 
 
Sincerely, 
 
/s/ 
 
Anders Gilberg, MGA, Senior Vice President, Government Affairs

 
Download the full letter
Loading...