CMS Withdraws Proposed Compliance Reporting Rule

On October 3, 2017, the U.S. Department of Health and Human Services (HHS) published a withdrawal notice for a proposed rule currently in the Federal Register. The proposed rule, found at 79 FR 298 and titled “Administrative Simplification: Certification of Compliance for Health Plans,” has been on the Federal Register since January 2014.

Had the proposed rule been put into full effect, it would have required controlling health plans (CHPs) to submit certain information and documentation to demonstrate compliance with HIPAA and its accompanying standards and operating rules for three specific types of electronic transactions: eligibility/benefit inquiry and response; health care claim status; and health care electronic funds transfer and remittance advice. The proposed rule also would have established penalty fees for any CHP that failed to comply with the certification of compliance requirements. Although health plans must still comply with all other HIPAA-mandated rules for electronic transactions, the withdrawal of the proposed rule means that health plans will not have to certify their compliance in the ways outlined by the proposed rule.

The withdrawal notice goes on to state that HHS received approximately 72 public comments in response to the posting of the proposed rule on the Federal Register, and in light of the issues raised in those public comments, HHS felt it was best to withdraw the proposed rule in order to re-examine those issues and “explore options and alternatives to comply with statutory requirements.” While noting that HHS has established regulations pertaining to compliance with and enforcement of HIPAA’s Administrative Simplification standards and operating rules, the withdrawal notice stresses that the withdrawal of this specific proposed rule does not remove or change any of the other requirements for covered entities to comply with the regulations codified at 45 C.F.R. Parts 160 and 162.

A withdrawal notice such as this may seem confusing to some, as it affects only a small part of HIPAA and only a small fraction of the entities that must comply with HIPAA. Those that would have been affected by this proposed rule should stay cognizant of any new proposed rules that may take 79 FR 298’s place. Furthermore, those entities that would have been affected under the proposed rule must be familiar with and able to differentiate between those HIPAA regulations they still must comply with, and those that they do not until a new rule is put into place. This highlights the importance of knowing which regulations apply to an entity, and staying abreast of changes in the law. HIPAA compliance is a complex and ongoing process, and is best navigated under the guidance and advisement of an experienced healthcare attorney.

The withdrawal notice can be found here: Withdrawal Notice