If you are a covered entity health plan or clearinghouse, you may be among the nine (un)lucky entities randomly chosen this month for review into compliance with HIPAA’s Administrative Simplification rules governing electronic transactions, code sets, and unique identifiers.  According to an FAQ published in March, the Centers for Medicare & Medicaid Services (CMS), acting on behalf of the U.S. Department of Health and Human Services (HHS) will select five health plans and four clearinghouses for this new compliance review.

CMS has been actively investigating complaints (which can be filed here) related to the Administrative Simplification Rules for some time, publishing summary reports covering complaints submitted beginning in January of 2017.

What will happen if any of these nine selected entities is determined to be non-compliant?

According to CMS,

“If an organization isn’t compliant, HHS will work with the entity to resolve any issues. Corrective Action Plans are commonly used to address non-compliance. In cases of willful and egregious noncompliance, monetary penalties may be assessed and calculated on a case by case basis.

Although covered entity health care providers will not be a part of this 2019 compliance review, health care providers may avoid random selection in a future compliance review if they participate in the voluntary compliance program for providers expected to be rolled out this year.  Participants in the 2018 voluntary compliance program (the “Optimization Pilot Program”) for health plans and clearinghouses are exempt from the 2019 random selection process.  Then again, CMS reported that nine of the ten entities participating in the Optimization Pilot Program were required to undergo a Corrective Action Plan.

Covered entity health care providers may decide to play the odds and forego participation in the voluntary program, but this new round of compliance reviews is another reminder to HIPAA covered entities that HIPAA compliance isn’t solely about privacy and data security.