HHS Issues Interim Final Rule to Implement the HITECH Act's Strengthened Civil
Money Penalty Scheme



October 30, 2009



The U.S. Department of Health and Human Services (HHS) Office for Civil Rights
(OCR) issued an interim final rule today to conform the enforcement regulations
promulgated under the Health Insurance Portability and Accountability Act of
1996 (HIPAA) to currently effective statutory revisions made pursuant to the
Health Information Technology for Economic and Clinical Health (HITECH) Act,
which was enacted as part of the American Recovery and Reinvestment Act of 2009
(ARRA).



In this interim final rule, published today in the Federal Register, HHS amends
HIPAA's enforcement regulations that relate to the imposition of civil money
penalties to incorporate the HITECH Act's categories of violations, tiered
ranges of civil money penalty amounts, and revised limitations on the
Secretary's authority to impose civil money penalties for established violations
of HIPAA's Administrative Simplification Rules.  This interim final rule does
not make amendments with respect to those enforcement provisions of the HITECH
Act that are not yet effective under the applicable statutory provisions.  This
interim final rule is effective 30 days after today.



HHS has invited public comments on the interim final rule, which will be
considered if received no later than 60 days after today.  This interim final
rule will be available for public comment at www.regulations.gov.

From: HIPAA-TCS@yahoogroups.com [mailto:HIPAA-TCS@yahoogroups.com] On Behalf Of
martin
Sent: Sunday, November 01, 2009 11:36 AM
To: HIPAA-TCS@yahoogroups.com
Subject: [HIPAA-TCS] CMS request for information on HIPAA enforcement


CMS-RFI-100177a

Request for Information:
Monitoring of Compliance with the Transactions and Code Sets, National Provider
Identifier and Unique Employer Identifier Rules

Summary: Six years have elapsed since the first effective date of mandatory
compliance under the Administrative Simplification provisions of the Health
Insurance and Portability Act of 1996 (HIPAA). While the total number of
complaints related to Transactions and Code Sets, National Provider Identifier,
and Unique Identifier is small in comparison to the size of the industry; some
industry representatives believe that the extent of non-compliance is higher
than the figures represented in CMS' complaint statistics. In advance of the
January 1, 2012 compliance date for the updated X12 version 5010, and NCPDP
Version D.0, and 3.0 standards, and the October 1, 2013 compliance deadline for
ICD-10 code sets as set forth in the final rules published on January 16, 2009,
it is important for CMS to ensure that the industry is in compliance with the
current versions of the transactions and code sets. Thus, we are proactively
looking at options to improve and enhance the current enforcement process. We
have prepared this Request for Information (RFI) to secure industry input on
specific topics to help us to refine future strategies for the HIPAA enforcement
process.
Background for HIPAA Regulations: The final rule, Health Insurance Reform:
Standards for Electronic Transactions (TCS), was published on August 17, 2000,
and the subsequent Modifications to the HIPAA Electronic Transaction Standards
rules were published on February 20, 2003 and January 16, 2009 (final rules).
These rules require covered entities (CEs) (health plans, health care
clearinghouses, and certain health care providers) to implement standards and
code sets for certain electronic transactions, including: health care
claims/encounters; health care payment and remittance advice; coordination of
benefits (COB); eligibility inquiry and response; health care claim status and
response; enrollment and dis-enrollment in a health plan; referral certification
and authorization inquiry and response; and health plan premium payments.

On May 31, 2002, the final rule, Health Insurance Reform: Standard Unique
Employer Identifier was published and it became effective in July 2002. The rule
adopted the Employer Identification Number (EIN) as the standard unique employer
identifier and requires CEs to use the EIN in all standard transactions that
require an employer identifier to identify a person or entity as an employer. On
January 23, 2004, the HIPAA Administrative Simplification: Standard Unique
Health Identifier for Health Care Providers final rule was published. It became
effective in May 2005, and compliance was required by May 23, 2008. It adopted
the National Provider Identifier (NPI) as the standard identifier for all
covered health care providers, and requires all CEs to use (send and receive)
this identifier in standard transactions.

On February 16, 2006, HHS published the final Enforcement Rule governing the
investigation of noncompliance with the HIPAA regulations, and made such
investigations and penalties applicable to all of the Administrative
Simplification rules, rather than exclusively to the HIPAA privacy standards.

Enforcement strategy to date: Enforcement of the HIPAA rules is complaint
driven. CMS receives complaints from the public, other government agencies, and
covered entities. Each complaint is investigated, typically through a request
for additional information or documentation from the complainant, as well as
documentation, proof of compliance or a corrective action plan from the filed
against entity (FAE). The results of each investigation have often resulted in
contract changes, and/or modification to trading partner agreements, procedures
or technologies, as appropriate. In some cases, following an entity's immediate
steps to mitigate a particular issue, that entity finds other vulnerabilities or
procedural issues which are also rectified. In some cases a longer term
corrective action plan is developed and is monitored by CMS over an agreed upon
period of time.

The 2006 Enforcement Rule also gave CMS the authority to conduct compliance
reviews, and in 2007, CMS invoked that authority with respect to the Security
Rule. Eleven comprehensive compliance reviews of assorted covered entity types
have been conducted to date. Based on the findings, CMS has provided technical
assistance and guidance to each of the covered entities.

Prevalence of TCS and Unique Identifier complaints: We have received over 600
TCS complaints since 2005, and 43 NPI complaints since 2008 (but no complaints
related to the EIN). We are not certain if these complaints are truly
representative of industry's compliance challenges, particularly since more than
half of the complaints dealt with the issue of negotiating very specific trading
partner agreements. Therefore, additional information about the HIPAA compliance
environment could be invaluable in helping CMS better understand the scope of
non-compliance issues to better target our approach to both outreach and
enforcement.

Nature of current complaints: Though the CMS complaint volume is small, the
nature of the allegations we have received lead us to believe that there may
still be some challenges with respect to effective implementation of the rules,
in spite of the time that has passed since the mandatory compliance date.
Examples of some of the complaints we continue to receive are:
• Failure to implement the full suite of transactions (e.g. COB, eligibility,
referrals and authorizations);
• Non-compliance with format or content requirements from the Implementation
Guides;
• Use of companion guides with requirements that conflict with implementation
guides;
• Code sets and/or code set rule violations - non-compliant use or non-compliant
instructions for uses;
• Continued use of legacy provider numbers;
• Excessive fees charged by clearinghouses.

We hope that the feedback from this RFI will help us determine if the complaints
about compliance are a result of ongoing technical issues with X12 4010 or NCPDP
5.1, or if they are the result of other organizational operational challenges.

Possible barriers to complaints: We understand that some providers have alleged
that they would not file a complaint against a health plan for rejecting a
compliant transaction, because they fear the health plan will slow or reduce
their payment rates, or take other harmful actions. We do not have evidence of
such, but would be interested in hearing from the industry if there have in fact
been instances of retaliation for such communication. We recognize that some
complainants wish to remain anonymous. While there are times when this can be
accommodated, there are certain situations in which anonymity is a barrier to
resolution, since the name of the affected entity and a sample transaction can
assist in researching the complaint. We would like to solicit input on
alternative complaint filing processes to create a more conducive environment
for complainants.

Future enforcement strategy: Based on the substantive findings of the Security
compliance reviews, CMS believes there could be similar benefits from reviews to
assess compliance with the requirements of the Transactions, Code Sets and
Unique Identifier rules. Possible benefits might include an increase in the use
of certain transactions, a decreased reliance on companion guides, and/or an
increase in efficiency and compliance.

We believe that a compliance review program would help us to understand and
target the major contributing factors to non-compliance. Such information could
be instructive in identifying issues related to standards development,
implementation planning and execution for future versions of the standards. It
could also identify educational gaps, program opportunities and outreach
activities for Medicare, Medicaid, and the private sector.

In conclusion, we are soliciting input from the industry to help us to fine-tune
the current complaint-driven enforcement process. We are requesting industry
input and insight on possible improvements to the current enforcement process as
well as the usefulness and structure of a compliance review program. In this
RFI, we've outlined a number of topics about which we would like feedback and
creative recommendations as follows:

1. Information about the extent of the industry's noncompliance.
Describe: (i) key problem areas (technical vs. business); (ii) prevalence of
specific TCS, NPI and EIN non-compliance; (iii) patterns of non-compliance among
specific transaction types and entity types; and (iv) the extent of
implementation of the TCS, NPI and EIN standards.

2. Comments on barriers to complaints being filed, and how to eliminate those
barriers.

3. Comments on the strength and weakness, with explanation, of the current
complaint process.

4. The usefulness of compliance reviews in identifying: (i) problem
implementation areas specific to certain covered entity types (ii) problem
implementation areas specific to certain transaction types; and (iii) challenges
with the standards.

5. The methods that could be employed to execute the compliance reviews,
including the process for identifying entities for review.

6. Recommendations for the logistics for conducting compliance reviews.

7. Any alternative enforcement strategies.

Instructions for submittal of Comments:

Comments must be submitted as Microsoft word documents, using Version 2007. Each
topic should be clearly delineated with an appropriate heading as noted above,
and all recommendations should include specific examples. The submission shall
be no more than 6 single-sided, single-spaced pages (excluding the cover page),
and use a minimum font of 12 point (Time New Roman). Submissions must be
electronic, and to be sent via email to Denise Buenning at OESSRFI@...
by 5:00 p.m., Monday, November 16, 2009.

CMS will use the information submitted in response to this RFI at its discretion
and will not provide comments to any vendor's submission. However, responses to
the RFI submitted may be reflected in a final solicitation. CMS reserves the
right to contact any vendor that responds to this RFI for the sole purpose of
enhancing CMS' understanding of your RFI submission.

This notice is for informational purposes only and does not constitute a
solicitation or Request for Proposal. This RFI is not to be construed as a
commitment by the Government. The Government will not pay for any information
provided as a result of this RFI and will not recognize or reimburse any cost
associated with any RFI submissions.

Contracting Office Address :

7500 Security Blvd.
C2-21-15
Baltimore, Maryland 21244-1850

Place of Performance :

7500 Security Blvd.
Baltimore, Maryland 21244
United States

Primary Point of Contact. :

Denise Buenning

OESSRFI@...

Work on X12's third generation* of HIPAA Type 3 Technical Reports (TR3s)
continues, but there's been a modest change in plan.  Rather than being
based on X12 standard version 005050, X12 is shifting the basis for
the next round of healthcare insurance TR3s to X12 standard version
006020.

X12 standard version 006020 was approved at last month's Trimester
Meeting, and is expected to be published in late January or February,
2010.  Watch for subsequent announcements, or link to
www.disa.org/Bookstore/public/index.cfm?intCartID=0&intUserID=0
around that time.

Once X12 standard version 006020 is published, watch for updates on
development of the third generation HIPAA TR3s ...and others, too.
Anyone desiring particular capabilities be incorporated into X12's third
generation HIPAA TR3s should submit requests immediately via
www.hipaa-dsmo.org/Main.asp  or directly to appropriate workgroups
within X12's healthcare insurance task group (X12N/TG2).

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

___________
*    Generation 1 = version 004010 + 004010A1
       Generation 1.5 = version 004050  [not adopted for HIPAA]
       Generation 2 = version 005010

###

Consumer Preferences Draft Requirements Document - Public Feedback Period Now Open

The Office of Interoperability and Standards and ONC are pleased to announce the release of the Consumer Preferences Draft Requirements Document for public input. The document will be available for public feedback for a period of 10 business days, ending October 16, 2009.  The Requirements Document and instructions for providing feedback can be found at http://healthit.hhs.gov/consumerpreferences.

The Consumer Preferences Draft Requirements Document addresses the processes, information exchanges, stakeholders, functional requirements, and issues and obstacles surrounding consumer preferences. This requirements document is intended to address the various types of consumer preferences and be supportive of current and potential future policies.  This requirements document will assist the Healthcare Information Technology Standards Panel (HITSP) in identifying, harmonizing, and/or facilitating the development of standards which address consumer preferences.

The OIS Consumer Preference Team would greatly appreciate your feedback on the requirements document. Please review the requirements document at your convenience and provide any feedback you may have by October 16, 2009.  Please note that submissions should not contain any proprietary or private information as they may be made available for public inspection.

All comments will be analyzed, dispositioned and utilized where appropriate in the development of the final Consumer Preferences Requirements Document. A disposition report outlining how comments were addressed will be made publicly available after the publication of the final document.

Thank you for your time, attention and input regarding this important matter.

Carol A. Bean, PhD, MLS, MPH
Acting Director
Office of Interoperability and Standards
Office of the National Coordinator for Health Information Technology
###

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy and Security Rules. For additional information on a wide range of topics about the the Privacy and Security Rules, please visit the OCR Privacy website at http://www.hhs.gov/ocr/privacy/index.html. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at http://www.hhs.gov/ocr/office/index.html.

If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

To subscribe to or unsubscribe from the list serv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A;=1

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy and Security Rules. For additional information on a wide range of topics about the the Privacy and Security Rules, please visit the OCR Privacy website at http://www.hhs.gov/ocr/privacy/index.html. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at http://www.hhs.gov/ocr/office/index.html.

If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

To subscribe to or unsubscribe from the list serv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A;=1

HHS Issues Rules Adjusting Penalties under the Patient Safety and Quality Improvement Rule for Inflation

As required by the Federal Civil Penalties Inflation Adjustment Act of 1990 (Inflation Adjustment Act), the U.S. Department of Health and Human Services (HHS) issued both a direct final rule and a proposed rule today adjusting for inflation the maximum civil money penalty amount for violations of the confidentiality provisions of the Patient Safety and Quality Improvement Act.  These confidentiality provisions are enforced by the Office for Civil Rights (OCR).

The Inflation Adjustment Act requires HHS to adjust for inflation the Patient Safety Act’s civil money penalty amount at least once every four years, beginning from the Patient Safety Act’s date of enactment, which was July 29, 2005.  These rules adjust the maximum civil money penalty amount for a violation of the confidentiality provisions of the Patient Safety and Quality Improvement Act from $10,000 to $11,000.  

The public has 30 days to comment on these rules.  If no adverse comments are received, the direct final rule will go into effect 90 days after publication, and the proposed rule with be withdrawn.  If, however, adverse comments are received during the comment period, the direct final rule will be withdrawn.  For more information, visit the OCR web site at http://www.hhs.gov/ocr/privacy/. 

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy and Security Rules. For additional information on a wide range of topics about the the Privacy and Security Rules, please visit the OCR Privacy website at http://www.hhs.gov/ocr/privacy/index.html. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at http://www.hhs.gov/ocr/office/index.html.

If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

To subscribe to or unsubscribe from the list serv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A;=1

NOTICE

The following version 005010 Type 3 Technical Reports (TR3s) [formerly
known as Implementation Guides (IGs)] combined Informational Forum is
scheduled to be held at X12's September, 2009, Trimester Meeting in Los
Angeles, California.

Tuesday, 9/22/2009, 8:00 a.m.
    X291        837 Health Care Predetermination:  Professional
    X292        837 Health Care Predetermination:  Institutional.

This Informational Forum provides a venue for authors of the listed TR3s
to orally respond to comments received during the draft TR3s' public
comment period.  Comments on these TR3s may be viewed at
http://www.wpc-edi.com/conferences/tg2/implementationguides, and the
authors' responses to these comments will be posted there as well by
Monday, 9/07/2009.  Copies of the draft TR3s are available via
http://store.x12.org/x291 and  http://store.x12.org/x292  .

This Informational Forum is the final X12 opportunity to comment on
these draft TR3s -- but comments are generally limited to only those
regarding modifications generated as a consequence of the received
public comments.

Participation at this Informational Forum is open to anybody with
payment of one applicable X12 Trimester Meeting fee [$0.00 for
employees of X12 members, a sliding scale for others].
http://www.x12.org/x12org/meetings/x12trimt/index.cfm lists
logistics for anybody desiring to attend.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy and Security Rules. For additional information on a wide range of topics about the the Privacy and Security Rules, please visit the OCR Privacy website at http://www.hhs.gov/ocr/privacy/index.html. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at http://www.hhs.gov/ocr/office/index.html.

If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

To subscribe to or unsubscribe from the list serv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A;=1

The first of potentially several reduced price arrangements for health
care providers to obtain X12's Version 005010 HIPAA-adopted Type 3
Technical Reports (TR3s) is now in effect.

Through an agreement between X12 and the American Hospital
Association, AHA members who are not X12 members may purchase X12's
Version 005010 HIPAA TR3s at a discount from the listed price.  X12
members already receive an even greater price-break on these TR3s.
Further details on obtaining the AHA discount, or becoming an X12
member, can be found at  http://store.x12.org/aha_discounts.htm .

In order to facilitate better provider understanding and use of X12's
Version 005010 HIPAA TR3s, X12 is also willing to discuss reduced price
arrangements with other provider associations that may be interested.
Representatives of provider associations interested in opening these
discussions should contact Karyn White, Co-Chair of X12's Provider
Caucus, at kmw1291@... for additional information.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

----- Original Message #1 -----
   From: CMS CMSProviderResource
   Sent: Thursday, July 30, 2009
   Subject: National Plan and Provider Enumeration System (NPPES) -
                Secure, Maintain and Update Your information

   NPPES - Secure, Maintain and Update Your information

   This message is for health care providers, particularly physicians and
other practitioners, who have obtained National Provider Identifiers
(NPIs) and have records in the National Plan and Provider Enumeration
System (NPPES).  The Centers for Medicare & Medicaid Services (CMS)
recommends that each health care provider, including individual
physicians and non-physician practitioners:

   ·         Secure and maintain their own NPPES account information
(i.e., User ID, Password, and Secret Question/Answer) for safety and
accessibility purposes.  Health care providers should maintain the
confidentiality of their User ID, password, and Secret Question/Answer
in order to protect their NPPES information from unauthorized access.

   ·         Reset their NPPES passwords at least once a year.  See the
NPPES Application Help page at https://nppes.cms.hhs.gov/NPPES/Help.do
and select the 'Reset Password Page' for applicable rules.  Those rules
indicate the length, format, content and requirements of NPPES
passwords.

   ·         Review their NPPES records in order to ensure that the
information reflects current and correct information.  Covered health
care providers are required to update their NPPES information within 30
days of the effective date of the change.


   Viewing NPPES Information

   Health care providers, including physicians and non-physician
practitioners, can view their NPPES information in one of two ways:

   (1) By accessing the NPPES record at
https://nppes.cms.hhs.gov/NPPES/Welcome.do and following the NPI
hyperlink and selecting Login.  The user will be prompted to enter the
User ID and password that he/she previously created. *

   * If the health care provider has forgotten the password, enter the
User ID and click the "Reset Forgotten Password" button to navigate to
the Reset Password Page.  If the health care provider enters an
incorrect User ID and Password combination three times, the User ID will
be disabled.  Please contact the NPI Enumerator at 1-800-465-3203 if the
account is disabled or if the health care provider has forgotten the
User ID.


   OR


   (2) By accessing the NPI Registry at
https://nppes.cms.hhs.gov/NPPES/NPIRegistryHome.do.  The NPI Registry
gives the health care provider an online view of Freedom of Information
Act (FOIA)-disclosable NPPES data.  The health care provider can search
for its information using the name or NPI as the criterion.
Information regarding NPPES data that are FOIA-disclosable can be found
at http://www.cms.hhs.gov/NationalProvIdentStand/ by selecting 'Data
Dissemination'.

   Please note:  Business Mailing Address and Business Practice location
information (full address and corresponding telephone numbers) are key
data elements that are FOIA-disclosable.  Health care providers should
not report their residential address unless it is their Business Mailing
Address or Business Practice location.  The NPPES data appearing on the
NPI Registry cannot be deleted; however, it can be updated or changed.


   Updating NPPES Information

   Health care providers, including physicians and non-physician
practitioners, can correct, add, or delete information in their NPPES
records by accessing their NPPES records at
https://nppes.cms.hhs.gov/NPPES/Welcome.do and following the NPI
hyperlink and selecting Login. The user will be prompted to enter the
User ID and password that he/she previously created.

   Please note: Required information cannot be deleted from an NPPES
record; however, required information can be changed/updated to ensure
that NPPES captures the correct information.  Certain information is
inaccessible via the web, thus requiring the change/update to be made
via paper application.  The paper NPI Application/Update Form
(CMS-10114) can be downloaded and printed at
http://www.cms.hhs.gov/cmsforms/downloads/CMS10114.pdf.


   Deactivating the NPI

   Health care providers, including physicians and non-physician
practitioners, can deactivate their NPIs if the NPIs are no longer
required or needed.  Reasons for deactivation include retirement,
business dissolved, or death of the health care provider.  A request for
deactivation must be submitted via paper application.  The paper NPI
Application/Update Form (CMS-10114) can be downloaded and printed at
http://www.cms.hhs.gov/cmsforms/downloads/CMS10114.pdf.  Health care
providers should review the instructions located on the application
regarding deactivations in order to properly complete the deactivation
request.  The Power of Attorney or Executor of the Will may complete the
application for deactivation due to death of the health care provider.




     ----- Original Message #2-----
     From: CMS CMSProviderResource
     Sent: Monday, August 03, 2009
     Subject: National Plan and Provider Enumeration System (NPPES)
                  Update Announcement for Physicians

     PHYSICIANS!

     Did an academic medical institution or university obtain your NPI
for you?
     If so, is your NPPES record up to date?

     Health care providers, including physicians, began applying for
National Provider Identifiers (NPIs) on May 23, 2005.  Since then, the
National Plan and Provider Enumeration System (NPPES) has assigned
nearly 3 million NPIs.  More than 700,000 NPIs have been assigned to
physicians.

     Many physicians were assigned their NPIs upon their graduation from
medical school.  Often, the administrative staff at the physicians'
academic medical centers or universities applied for the physicians'
NPIs.  The administrative staff handled similar actions for their new
physicians and had, in their records, all the information that needed to
be furnished on the application for an NPI.  Some of these NPIs may have
been assigned as long as 4 years ago.

     The Centers for Medicare & Medicaid Services (CMS) is required by
regulation to make available to the public certain information about
health care providers that is contained in their NPPES records.  This
information includes the name, provider type (e.g., physician), business
practice location address, business mailing address, and business
practice location telephone number.  Publicly available NPPES
information can be found in the NPI Registry, a query-only database
which anyone can access on the Internet
(https://nppes.cms.hhs.gov/NPPES/NPIRegistryHome.do), and in a monthly
downloadable file that individuals with the necessary technical
expertise can download from the Internet
(http://nppesdata.cms.hhs.gov/CMS_NPI_files.html).  Health plans, health
care clearinghouses, health care providers, and others with a need to
know can easily use the NPI Registry to view data for a particular
health care provider simply by entering the health care provider's name
or NPI.  The downloadable file is used primarily by health plans and
other large health industry organizations that need information for all
or most of the health care providers who have NPIs and who may need to
sort or otherwise manipulate the data in the file to suit their business
needs.

     Now, months or years later, many of the physicians whose academic
medical centers or universities obtain their NPIs for them have moved on
in their careers to new locations.  Many have not updated their NPPES
information to show new business practice location addresses, business
mailing addresses, or business practice location telephone numbers.  As
a result, the information in the NPI Registry and in the downloadable
file is out of date.  Academic medical centers and universities whose
addresses and telephone numbers were entered into NPPES as the business
practice locations, business mailing addresses, and business practice
location telephone numbers for the physicians who they formerly employed
are now being burdened with the receipt of mail and telephone calls for
physicians who are no longer there.

     It is not the responsibility of the academic medical centers or the
universities to continue to update the NPPES records of physicians who
are no longer working for them.  In most cases, the academic medical
centers and universities do not have the updated information and,
therefore, are unable to contact the physicians to ask that they update
their NPPES information.

     Unless physicians have agreements in place for others to keep their
NPPES information up to date, the physicians themselves are responsible
for ensuring that their NPPES records contain accurate and current
information.

     Some of these physicians may have enrolled in health plans and may
be sending claims electronically to health plans or conducting other
electronic health transactions with health plans.  These physicians are
"covered entities" under the Health Insurance Portability and
Accountability Act (HIPAA).  As covered entities, they are required by
regulation to update their NPPES records within 30 days of any change.
Those who have NPIs but who do not conduct electronic health
transactions with health plans, and, thus, are not covered entities, are
encouraged to keep their NPPES information up to date.

     We remind all health care providers who have NPIs, not just the
physicians specially noted above, to view their NPPES records and, if
corrections are necessary, to furnish the updates.  Health care
providers who established User IDs and passwords in NPPES can easily
access their NPPES records to make updates.  Those who did not establish
User IDs and passwords may do so at any time.  For assistance in setting
up User IDs and passwords, or in situations where the User ID or
password has been forgotten, health care providers should contact the
NPI Enumerator at 1-800-465-3203.  If they prefer, health care providers
may furnish their updates by filling out the paper NPI application (Form
CMS-10114) and mailing the completed form to the NPI Enumerator.  The
instructions are on the form, along with the mailing address of the NPI
Enumerator.  The form may be downloaded from the CMS forms web page
(www.cms.hhs.gov/cmsforms) or one may be obtained by contacting the NPI
Enumerator at the number above.

###

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy Rule. For additional information on a wide range of topics about the the Privacy Rule, please visit the OCR Privacy website at www.hhs.gov/ocr/hipaa/. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at www.hhs.gov/ocr

If you believe that a person or organization covered by the Privacy Rule (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy Rule, you may file a complaint with OCR. For additional information about how to file a complaint, see the Fact Sheet "How to File a Health Information Privacy Complaint," available at http://www.hhs.gov/ocr/privacyhowtofile.htm .

To subscribe to or unsubscribe from the list serv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A;=1

The following X12N version 005010 draft Implementation Guides are
presently available for free download, review, and public comment:
    005010X291     Health Care Predetermination:  Professional
    005010X292     Health Care Predetermination:  Institutional.
Public comment on these Implementation Guides is a key step in their X12
Type 3 Technical Report (TR3) publication process.

The public comment period for these guides begins on 23 July 2009 and
will close on Saturday, 22 August 2009, at 5:00 p.m. Eastern time.

The Health Care Predetermination Implementation Guides describe the use
of the ANSI ASC X12 Health Care Claim (837) transaction set for the
submission and transfer of predeterminations to health care payers and
clearinghouses.

The authors especially solicit comments on what is needed to support
predetermination or estimate requests for property and casualty
(including worker's comp) and ambulance and other transport-related
services.

This is X12's only unconstrained public comment period.  The authors of
these guides will consider all comments during and following the public
comment period.  For a complete understanding of changes being suggested
and/or made to these guides, reviewers should monitor the on-line
conferences during the public comment period and consider all author
responses prior to the Informational Forums.  Official authoring work
group responses will be posted to the on-line conferences at least 15
days prior to the Informational Forums.

An announcement of the Informational Forums will be made later.  The
Informational Forums, held during an X12 Trimester Meeting, are the
final X12 opportunity to comment:  but generally only on modifications
based on the received public comments.  After that, the guides are
finalized for movement through the Insurance Subcommittee (X12N) and X12
publication approval processes.

The two draft implementation guides are available for free download at:
http://store.x12.org/x291 and  http://store.x12.org/x292 . Comments on
the drafts may be submitted by anybody -- X12 member or not -- via the
on-line conferences at:
http://www.wpc-edi.com/conferences/tg2/implementationguides .

The two Health Care Predetermination Implementation Guides, 005010X291
and 005010X292, are not counterparts of any that have been adopted
under HIPAA, and no official discussions regarding any such adoption are
presently contemplated.  At this juncture, only voluntary use of these
TR3s is anticipated.

Participation in X12's public comment period for the two Health Care
Predetermination Implementation Guides is open to all who may be
interested; whether or not members of Accredited Standards Committee
X12.  Please participate -- this is the highest leverage opportunity for
anybody outside of the authors to impact this document.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

For your near term planning, be advised that X12N is currently putting
the final touches on drafts of two new version 005010 Type 3 Technical
Reports (TR3s):
    005010X291     Health Care Predetermination:  Professional
    005010X292     Health Care Predetermination:  Institutional.
These TR3s describe "the use of the ANSI ASC X12 Health Care Claim (837)
transaction set for the submission and transfer of  ...
predeterminations to health care payers and clearinghouses."

In accordance with X12N's TR3 creation procedures, both of these new
TR3s will be made available for at least thirty days of public comment.
As of the moment, these public comment periods are targeted to begin
sometime during the latter half of this month:  July, 2009.

Thought you might want to know about this as you make your summer
reading lists.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

----- Somewhat Edited Original Message -----
From: Nancy Spector
Sent: Thursday, May 21, 2009 2:01 PM
Subject: Survey: Timeframe to rollout possible revised 1500 claim form

The National Uniform Claim Committee (NUCC) is researching the needs for
a possible revised 1500 claim form.  No decision has been made yet about
whether or not we will revise the form, but we need to know if we do
revise it, when would be the best time to roll it out, with the 5010 and
ICD-10 work going on.

We want to make sure that we get the provider perspective on when would
be the best time to roll out a revised form.

The following is a link to a survey asking about the best timeframe to
rollout a revised form.

http://www.surveymonkey.com/s.aspx?sm=E6dM98zYy8EsJp4v_2fqC6hg_3d_3d

Please distribute this link to your constituents and encourage them to
complete the survey.  The deadline for completing the survey is close of
business Wednesday June 10th.

Thanks,

Nancy

Nancy Spector, RN MSC
Director, Electronic Medical Systems
American Medical Association
515 N. State St
Chicago, IL 60654
Phone: 312-464-4059