Supporting Statement- Part A
“The HIPAA Eligibility Transaction System (HETS)”
A. Background
The Centers for Medicare and Medicaid Services (CMS) is requesting the Office of Management and Budget's (OMB) extension to the currently approved HIPAA Eligibility Transaction System
(HETS) Trading Partner Agreement form. CMS created the HETS application to provide Health
Insurance Portability and Accountability Act of 1996 (HIPAA) compliant
270/271 health care eligibility inquiries (270) and responses (271) on a real-time basis. In creating the HETS application, federal law requires that CMS take precautions to minimize the security risk to federal information systems. Accordingly, CMS is requiring that trading partners who wish to connect to the HETS 270/271 application via the CMS Extranet and/or Internet agree to specific trading partner terms as a condition of receiving access to Medicare eligibility information. Applicants will complete the entire Trading Partner Agreement form to indicate agreement with CMS trading partner terms and provide sufficient information to establish connectivity to the service and assure that those entities that access the Medicare eligibility information are aware of applicable provisions and penalties for the misuse of information.
B. Justification
In its administration of the Medicare Fee-For-Service (FFS) program, CMS is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules. As a covered entity, CMS is required to verify the identity of the person requesting the Protected Health Information (PHI) and the person’s authority to have access to that information. In contrast to the other standard transactions which Medicare conducts, provision of information in the 271 response transaction, on a real-time basis, will involve direct access by outside entities to Medicare eligibility information.
HIPAA regulations require covered entities to verify the identity of the person requesting PHI and the person’s authority to have access to that information. Under the HIPAA Security rules, covered entities, regardless of their size, are required under 45 CFR Subtitle A, Subpart C 164.312(a)(2)(i) to "assign a unique name and/or number for identifying and tracking user identity." A 'user' is defined in 164.304 as a "person or entity with authorized access"
Accordingly, the HIPAA Security rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that receives, maintains or transmits electronic PHI so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large provider offices, health plans, group health plans, and clearinghouses.
Federal law requires that CMS take precautions to minimize the security risk to the federal information system. Federal Information Processing Standards Publication(FIPS PUB) 1() 1-2 Paragraph 11.7- Security and Authentication states that: "Agencies shall employ risk management techniques to determine the appropriate mix of security controls needed to protect specific data and systems. The selection of controls shall take into account procedures required under applicable laws and regulations." Accordingly, CMS requires that entities who wish to connect to the HETS application via the CMS Extranet and/or Internet are uniquely identified. CMS is required to verify the identity of the person requesting the Protected Health Information (PHI) and the person's authority to have access to Medicare eligibility information. Furthermore, CMS requires that trading partners who wish to conduct eligibility transactions on a real-time basis with CMS provide certain assurances as a condition of receiving access to the Medicare eligibility information for the purpose of conducting real-time 270/271 inquiry/response transactions.
CMS uses the Trading Partner Agreement Form to capture certain information whereby a person certifies that they are fully aware of any and all penalties related to the use of PHI and their access to this data from the HETS application. The information is an attestation by the authorized representative of an entity that wishes to access the Medicare eligibility information to conduct real-time eligibility transactions. The authorized representative is a person responsible for business decisions on behalf of the Organization who is submitting the access request. The data captured includes the authorized representative's name, title contact number and the name of the submitting entity. Other data captured is the submitter's National Provider Identifier (NPI), business name, billing address, physical address, and telephone number.
The Trading Partner Agreement Form is also used by CMS to capture certain information whereby a person identifies the particular connectivity protocol that they will use to connect to CMS as well as specific organization information which is reviewed and authorized prior to the access being granted.
CMS is allowing public access to the HETS 270/271 application via the CMS Extranet and/or Internet in order to offer real-time eligibility inquiries (270) and responses (271) in an electronic format as a method for healthcare providers to ascertain beneficiary eligibility using a secure network connection. The Trading Partner Agreement Form is available on the CMS website. After the form is completed and collected, it is stored in the Enterprise Sharepoint at the CMS Data Center.
Maintenance on the collection form includes review, edits and possible updates of the content. CMS reserves the right to update the Trading Partner Agreement Form with non-substantive changes such as:
updating or adding URLs in Appendix A
clarifying the information requested in Appendix B
Changes in contact information for the Medicare Customer Assistance Regarding Eligibility (MCARE) Help Desk
On a yearly basis, existing submitters will be required to resubmit a new copy of the Trading Partner Agreement Form to ensure that CMS has consistent and accurate information for all current submitters. For new submitters this data has not been captured previously as this Trading Partner Agreement Form is the first application where public users will connect to the HETS 270/271 application via the CMS Extranet and/or Internet to access Medicare eligibility information for the purpose of conducting HIPAA transactions.
There will be minimal impact on small businesses as the length of time to read, complete, and submit the Trading Partner Agreement Form is typically less than fifteen minutes.
This information will be collected on a yearly basis for entities wishing to connect to the CMS Extranet and/or Internet and to conduct real-time eligibility transactions with the CMS database.
Responders must complete the Trading Partner Agreement Form prior to gaining access to the CMS Extranet and/or Internet.
Federal Register/Outside Consultation
The 60-day Federal Register notice for this information collection is May 16, 2016(81FR30308). The 30-day Federal Register notice was published on July 19, 2016(81FR46925).
Payments/Gifts to Respondents
There are no payments or gifts to respondents.
The information collected will be gathered and used solely by CMS. The data will not be shared with any outside organizations.
11. Sensitive Questions
There are no sensitive questions on the Trading Partner Agreement Form.
Currently we have around 200 trading partners and in the near future the provider community that is expected to request access to Medicare eligibility information is estimated to be at a maximum of 1000 trading partners annually with 100% of the respondents replying electronically.
The estimated time to read, execute, and submit this form is less than fifteen minutes and the total burden is estimated to be 250 hours.
This form has about twenty five data collection items on the form to get the Submitters information like Submitter name, Security official name/contact information, National Provider ID etc. and some of the items are only Yes and No answer. Based on the information that we gathered in the last two years about this TPA from these Submitters, it has been estimated that it should not take more than fifteen minutes to read, execute and submit this TPA.
Max number of Users (estimated-annually) who will use and submit this form in a year=1000
Total time to read/execute/Submit this form=15 min.
Total time (estimated-annually) = 1000*15=15000 min. =250 hrs.
Total burden (estimated) =250 hours.
These Agreements are completed by Computer Systems Analysts. Based on the most recent Bureau of Labor and Statistics Occupational and Employment Data (May 2015 http://www.bls.gov/oes/current/oes_md.htm) for Category 15-1121 (Computer Systems Analysts), the mean hourly wage for this profession is $43.36.[1] We have added 100% of the mean hourly wage to account for fringe and overhead benefits, which calculates to $86.72 ($43.36 + $43.36). We estimate the total annual cost to be $21,680.00 (250 hours x $86.72/hour).
There are no capital costs to the respondents.
14. Cost to Federal Government.
The cost to the Federal Government is estimated at $50,000. This is to publish the Trading Partner Agreement form on the CMS website, receive, review, and store the completed forms that are submitted by the respondents. The receipt of the Trading Partner Agreement form from 1,000 respondents at a cost of $50 to receive, review, and store the complete forms was the basis for cost determination.
The burden estimate is remaining the same in numbers and cost. New applications will be expected but volumes will be low.
16. Publication/Tabulation Dates
N/A
Upon receiving OMB approval, CMS will publish a notice in the Federal Register to inform the public of both the approval as well as the expiration date update on the proper forms.
There are no exceptions to the certification statement.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement -Part_A |
| Author | KAYLA WILLIAMS |
| File Modified | 0000-00-00 |
| File Created | 2021-01-22 |