CMS releases MLN Matters article clarifying NPI enumerator's responsibilities

The Centers for Medicare & Medicaid Services (CMS) released MLN Matters (SE0751) on December 10, in an attempt to clarify the type of assistance that the national provider identifier (NPI) enumerator can and cannot provide to healthcare providers.

CMS states that the NPI Enumerator is responsible for assisting healthcare providers in applying for their NPIs and updating their information in the National Plan and Provider Enumeration System (NPPES).

According to the article, some of the enumerator's responsibilities include:

• Processing NPI applications, updates, and deactivations, and assisting providers with questions or problems with the relevant electronic or paper forms
• Providing application forms to healthcare providers upon request
• Resolving errors on applications/updates/deactivations
• Investigating potential duplicate applications/updates/deactivations to ensure the uniqueness of the provider
• Resetting Web users' NPPES passwords

The article also indicates that it is not the responsibility of the NPI enumerator to deal with the following issues:

• Medicare NPI Crosswalk and Medicare claims processing issues
• Information disseminated or not disseminated via the NPI Registry or the NPPES downloadable file
• Medicare-related provider enrollment information
• NPI-to-legacy number linkages (i.e., how to properly link multiple legacy numbers to one NPI or how to properly link one legacy number to multiple NPIs)

For more information, click here.

[ via HIPAA Weekly Advisor ]

WEDI publishes report on NPPES dissemination

On December 11, the Workgroup for Electronic Data Interchange (WEDI) released a paper on the health care industry's initial experiences, comments, reactions, and recommendations on the two NPPES dissemination methods. The report, "NPPES Dissemination: The NPI Registry and the NPPES Downloadable File-Initial Industry Experiences and Recommendations," contains WEDI's recommendations for ways CMS can improve its NPI downloadable file and query-based NPI registry.

To read the report, click here.

[ via HIPAA Weekly Advisor ]

CMS hires contractor to conduct HIPAA security audits

CMS has established a year-long contract with PricewaterhouseCoopers (PwC) to conduct security audits of covered entities. Karen Trudel, deputy director of CMS' Office of Electronic Standards and Services, confirms that CMS has contracted with PwC to conduct security audits. PwC will target covered entities against which CMS has already received a complaint.

PwC may evaluate for overall security preparedness or for the implementation of corrective action plans in response to a complaint. According to the most recent information on CMS' Web site, the agency has received 370 security-related complaints. Of those, 230 are closed; 140 are still the subject of ongoing investigations. The most common security complaints, in descending order, relate to:

• Information access management
• Security awareness and training
• Access control
• Workstation use
• Device and media controls

The agency also hopes to put more information on its Web site regarding security rule enforcement, including situational vignettes similar to those that OCR put on its Web site in April 2007. (See www.hhs.gov/ocr/privacy/enforcement for more information.)

[ via HIPAA Weekly Advisor ]

HHS Agenda Includes Plans To Step Up Health Data Security

CMS in July expects to propose a rule that will include additional "remote security requirements" aimed at reducing the chance of unauthorized access to sensitive health data on laptops and other mobile computing devices, according to an HHS notice published on April 30 in the Federal Register, Health Data Management reports.

The notice is HHS' semi-annual regulatory agenda, which includes:

• Proposed updates, expected in December, to HIPAA transactions standards, and updates, expected in August, to HIPAA code sets;
• The May publication of the data dissemination processes for the National Provider Identifier;
• A proposed rule, slated to be released in August, to set electronic prescribing standards under the Medicare Part D drug benefit program;
• A proposed rule to exempt some investigatory materials in databases from certain provisions in the Privacy Act in order to restrict the disclosure of confidential data that can impede ongoing investigations, invade personal privacy and reveal confidential sources;
• An FDA review, beginning now and ending in December, to identify any necessary changes to good manufacturing practices for medical devices;
• Several FDA proposed rules to continue the transition of manual reporting procedures to electronic media;
• The establishment in September 2008 of a standard format for electronic claims attachments; and
• Final HHS action, expected for June 2009, to identify version 8.1 of the National Council for Prescription Drug Programs' SCRIPT standard as a "backward compatible" update.

Deadlines for actions on the agenda are not always accurate, but the agenda provides a glimpse of what areas the department is focusing on, according to Health Data Management (Health Data Management, 4/30). The complete regulatory agenda is available online.

[ via iHealthBeat ]

CMS announces National Provider Identifier contingency plan

The Centers for Medicare & Medicaid Services on April 2 issued a notice describing its contingency plan for health care providers, health plans and others that must implement a National Provider Identifier under the Health Insurance Portability and Accountability Act. According to the CMS plan, covered entities that acted in “good faith” to become NPI compliant can continue to accept legacy numbers through May 23, 2008, one year after the NPI rule takes effect.

AHA encouraged the 12-month extension in comments submitted to CMS in January. The notice protects covered entities from enforcement action so long as they continue to pursue “good faith efforts” to meet the NPI requirements, and indicates the Department of Health and Human Services will investigate only when a complaint is filed, as it has for other HIPAA standards.

The notice does not indicate when CMS will issue long-awaited instructions for accessing the NPI database, but says the instructions await clearance from the Office of Management and Budget. CMS expects to issue a separate contingency plan for Medicare.

[ via AHA News Now ]

OIG starts HIPAA security audits

The OIG confirmed that it has begun auditing covered entities for HIPAA compliance.

The OIG's 2007 Work Plan mentions the audits briefly in connection with health information technology. "The wider use of electronic medical records and personal health records raises concerns over privacy and security of patient data," the OIG notes in the document, thus raising the need for the audits.

A source at Piedmont Hospital in Atlanta confirmed that the OIG is performing an audit of the technical aspects of the security rule. The audit is apparently not the result of any complaint.

[ via Compliance Monitor ]

Group urges HHS to extend NPI transition period, permit contingency plans

The HIPAA Implementation Working Group urged the Department of Health and Human Services in a letter recently to extend the period for transitioning to National Provider Identifiers by at least 12 months and permit the use of contingency plans to assure successful implementation of the new standard. “We agree with other industry estimates that the Implementation Phase of NPI adoption will require a minimum of 12 months,” the group said.

NPI contingency plans that permit the continued processing of health care transactions using legacy identifiers would give the field a transition period to resolve problems experienced using the NPI, especially since the policy for accessing the NPI database has yet to be released, the letter added. The group, which includes AHA, works to increase health care provider and vendor involvement in the standards-setting process, and to promote a rational transition plan for the adoption of the Health Insurance Portability and Accountability Act’s Administrative Simplification requirements.

[ via AHA News Now ]

CMS issues guidance on securing remotely accessed health data

The Centers for Medicare & Medicaid Services has released guidance to help organizations comply with the Health Insurance Portability and Accountability Act’s security standards when they allow remote access to electronic protected health information through portable devices or external systems or hardware. In general, CMS said HIPAA-covered entities should be “extremely cautious” about allowing offsite use of or access to EPHI, and must implement policies and procedures to protect EPHI that is stored on remote or portable devices/media or transmitted over an electronic communications network.

The agency said it may rely on the guidance in determining whether actions by a HIPAA-covered entity are reasonable and appropriate for safeguarding the confidentiality, integrity and availability of EPHI.

[ via AHA News Now ]

NCVHS charman questions NPI readiness

Although the health care industry is making significant progress toward meeting the May 23, 2007, compliance deadline for national provider identifiers (NPI), there will possibly be disruptions to payments to providers, according to a November 29 letter from the chairman of the National Committee on Vital and Health Statistics (NCVHS) to HHS Secretary Michael Leavitt.

“To date, over 1.4 million NPIs have been issued, which [CMS] estimates represents approximately 60% of the total provider universe. However, based on testimony, few of the providers who have obtained NPIs have communicated their NPIs to their health plans or facilities where they practice, and few are sending NPIs in HIPAA transactions,” Simon Cohn, MD, MPH, writes.

Cohn also pressed CMS to release the delayed data dissemination notice regarding the National Plan/Provider Enumeration System database. The information is necessary for health plans to complete NPI crosswalks, Cohn adds.

Click here to read Cohn’s letter.

[ via HIPAA Weekly Advisor ]

WEDI survey examines costs, benefits of updating HIPAA standard

The Workgroup for Electronic Data Interchange is making available a survey to examine the costs and benefits of updating to a newer version of the HIPAA claims standard. Hospitals can comment on the new version of the Health Insurance Portability and Accountability Act’s transaction standard for claims (ASC X12 837x) by completing the WEDI online survey.

WEDI and the Designated Standard Maintenance Organizations will use the responses to provide the federal government with a cost-benefit analysis for transitioning to the new version of the standard (version 5010). Survey responses are due by Nov. 15.

[ via AHA News Now ]