
HIPAA News and Information

CMS CLARIFIES GUIDELINES FOR NATIONAL PROVIDER IDENTIFIER (NPI) DEADLINE IMPLEMENTATION

The final rule establishing the NPI as the standard unique health provider identifier for health care providers was published in 2004 and requires all covered entities to be in compliance with its provisions by May 23, 2007, except for small health plans, which must be in compliance by May 23, 2008.

Today, the Centers for Medicare & Medicaid Services (CMS) announced that it is implementing a contingency plan for covered entities (other than small health plans) who will not meet the May 23, 2007, deadline for compliance with the National Provider Identifier (NPI) regulations under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

“The enforcement guidance released today clarifies that covered entities that have been making a good faith effort to comply with the NPI provisions may, for up to 12 months, implement contingency plans that could include accepting legacy provider numbers on HIPAA transactions in order to maintain operations and cash flows,” said CMS Acting Administrator Leslie V. Norwalk, Esq.

The NPI is an identifier that will be used by covered entities to identify health care providers, eliminating the current need for multiple identifiers for the same provider. The NPI replaces all “legacy” identifiers that are currently being used, such as Medicaid provider IDs, individual plan provider IDs, UPINs, etc., and will be required for use on health care claims and other HIPAA transactions.

CMS made the decision to announce this guidance on its enforcement approach after it became apparent that many covered entities would not be able to fully comply with the NPI standard by May 23, 2007. This guidance would protect covered entities from enforcement action if they continue to act in good faith to come into compliance, and they develop and implement contingency plans to enable them and their trading partners to continue to move toward compliance. HHS recognizes that transactions often require the participation of two covered entities and that non-compliance by one covered entity may put the second covered entity in a difficult position.

The enforcement process is complaint driven and will allow covered entities to demonstrate good faith efforts and employ contingency plans. If a complaint is filed against a covered entity, CMS will evaluate the entity's "good faith efforts" to comply with the standards and would not impose penalties on covered entities that have deployed contingencies to ensure that the smooth flow of payment continues. Each covered entity will determine the specifics of its contingency plan. Contingency plans may not extend beyond May 23, 2008, but entities may elect to end their contingency plans sooner. Medicare will announce its own contingency plan shortly.

CMS encourages health plans to assess the readiness of their provider communities to determine the need to implement contingency plans to maintain the flow of payments while continuing to work toward compliance. Likewise, we encourage health care providers that have not yet obtained NPIs to do so immediately, and to use their NPIs in HIPAA transactions as soon as possible. Applying for an NPI is fast, easy and free. Visit the National Plan/Provider Enumeration System (NPPES) website at https://nppes.cms.hs.gov/.

A critical aspect of implementing the NPI is the ability for covered entities to match a provider’s NPI with the many legacy provider identifiers that have been used to process administrative transactions. CMS plans to make data available from the NPPES system that will assist covered entities in developing these “crosswalks.” Further information concerning this issue is available on the CMS website at http://www.cms.hhs.gov. The site also contains contingency plan guidance for the industry in a document titled “Guidance on Compliance with the HIPAA National Provider Identifier Rule.”

HIPAA – PROVIDERS READY – CONCERNS ABOUT VENDORS
In a recent survey, almost 9 out of 10 providers told the OIG that they are moderately or highly satisfied they will meet the deadline on October 16th. Almost half expressed concern that their software vendors or other parties may impede their compliance efforts.

HIPAA Enforcement
While many of us are still trying to figure out how to comply, the feds already know how to nail you for violations.

An interim final rule concerning civil money penalties related to violations was released on April 15 by the Department of Health and Human Services.

The regulation establishes civil money penalties and criminal penalties for violations. HHS will enforce the civil money penalties and the US Dept. of Justice will enforce the criminal penalties.


Countdown to HIPAA
Are you prepared for the impending HIPAA deadline? Find out by reading this quick checklist:

  • Are you a covered entity? Health Plans, Clearinghouses, Health Care Providers and Business Associates are considered covered entities.
  • Assign a privacy officer, educate the privacy officer, and develop a timeline and cost estimate.
  • Identify how the PHI is used in your organization. What does your organization create or hold?
  • Based on how PHI is used, define your organization’s privacy notice.
  • Convey your privacy notice to patients or customers and obtain a written receipt of acknowledgement for the file.
  • Establish additional privacy policies and forms as needed based on projected or actual uses and disclosures of PHI in your practice.
  • Establish a complaint procedure and form.
  • Establish procedures for a separate written authorization to permit use or disclosure of health information for non-medical purposes.
  • Establish procedures for personal access, amendment and request for history of disclosures of PHI.
  • Establish procedures to allow disclosures required by law, recognizing local privacy disclosure requirements.
  • Review job responsibilities for those positions handling PHI and make adjustments to incorporate PHI policies.
  • Perform an assessment of your location and records-handling of PHI.
  • Amend procedures which may allow unacceptable management of PHI.
  • Establish checks and balances so that unauthorized release of PHI does not occur.
  • Complete your staff’s training before the compliance date, remembering that this is an ongoing process as new employees are added.
  • Establish and maintain files as needed which document the actions your practice has taken to comply with the medical privacy rule.


© 2006. Created and maintained by WSI