CMS Response to Public Comments Received for CMS-10148
MGMA
Comment #1:
The name of the form should be changed from “HIPAA Non-Privacy/Security Complaint Form” to “HIPAA Administrative Simplification Complaint Form” to better reflect the types of complaints that would be covered on this form.
CMS Response #1:
CMS appreciates the suggestion and concern expressed by this commenter but the authority granted to the CMS Administrator by the Department of Health and Human Services (HHS) is specifically limited to the transaction and code set portion of the regulations. The intent is for there to be less confusion when it is indicated to the complainant that this collection does not cover the privacy and security aspects of Administrative Simplification. The privacy and security aspects remain squarely with the Office of Civil Rights at HHS.
Comment #2:
In Section 1, the question “Organization Name:” should be “Organization Name (If Applicable)” to reflect the fact that an individual can file a complaint not just an organization.
CMS Response #2:
Accepted
Comment #3:
In Section 1, the question “Role in Organization:” should be “Role in Organization (If Applicable)” to reflect the fact that an individual can file a complaint not just an organization.
CMS Response #3:
Accepted
Comment #4:
The Section 3, Subsection 3 disclaimer (“Would you prefer to remain anonymous during the CMS investigation? YES NO Disclaimer: If you select yes, please note that CMS will not share your information to the Filed against Entity (FAE) during the investigation process. However, information provided in this complaint is subject to the rules and policy under the Freedom of Information Act (FOIA)”) should be moved up to immediately follow Section 1 of the form. This placement would emphasize the ability of the complainant to file the form anonymously.
CMS Response #4:
Thank you for your comment. All fields on the hardcopy of the HIPAA complaint form are structured to mimic the form found on the CMS Administrative Simplification Enforcement Testing Tool site in order to provide ease for the user. Movement of the fields may cause confusion to the end-user. Therefore, all fields will remain in their current position.
Comment #5:
The Section 3, Subsection 3 statement “Disclaimer: If you select yes, please note that CMS will not share your information to the Filed against Entity (FAE) during the investigation process. However, information provided in this complaint is subject to the rules and policy under the Freedom of Information Act (FOIA)” should include an explanation of the applicable rules and policy under the Freedom of Information Act, or, at a minimum, include a hyperlink to a government website that can provide additional detail.
CMS Response #5:
Thank you for your comment. Information regarding the Freedom of Information Act can be found under the signature box of the form.
Comment #6:
Section 3, Subsection 4 (“Who are you filing against? Health Plan Covered Health Care Provider Health Care Clearinghouse Vendor”) should be moved up to precede the current Section 2 “Filed Against Entity” section to allow the complainant to identify the type of entity they are complaining about prior to providing the specific contact information.
CMS Response #6:
Thank you for your comment. All fields on the hardcopy of the HIPAA complaint form are structured to mimic the form found on the CMS Administrative Simplification Enforcement Testing Tool site in order to provide ease for the user. Movement of the fields may cause confusion to the end-user. Therefore, all fields will remain in their current position.
Comment #7:
We recommend adding a new Subsection to Section 3. This new subsection would permit the complainant to explain that they are not sure who the complaint should be lodged against. This is typical in the industry, where a provider is told by their practice management system software vendor, clearinghouse, and health plan that the non-compliance issue resides with one of the other entities. In these cases, the provider knows only that there is a problem that is preventing an administrative transaction from being transmitted or accepted using the national standard. The supporting documentation should then be utilized by CMS to determine where the non-compliance action(s) reside.
CMS Response #7:
Thank you for your comment. It is imperative that in order to properly complete the investigation process CMS know exactly who the entity is that the complaint is filed against. Without this information, the investigation process could be hampered or stopped. Therefore, no action will be taken to create this subsection.
Comment #8:
Section 3, Subsection 4 (“Who are you filing against? Health Plan Covered Health Care Provider Health Care Clearinghouse Vendor”) could be confusing with the inclusion of the term “Vendor,” as a clearinghouse is also a vendor. We recommend that this section of the form specify only those covered entities included in HIPAA (Health Plans, Clearinghouses, Providers) but include a separate question related to a non-covered entity vendor that the complaint is being lodged against. CMS should consider the following options in this section: (i) practice management system software vendor; (ii) electronic health record software vendor; (iii) billing system vendor; (iv) other (please describe___________). This type of clarification will be important if the agency is to understand if a non-covered entity is not supporting the administrative simplification requirements.
CMS Response #8:
CMS appreciates the concern expressed by this commenter but disagrees with the comment that the CMS-10148 should include the term “Vendor”, however there must be consistency with the regulatory definitions as cited in 45 CFR 160.103 as it relates to Covered Entities. It does not however preclude the investigation from determining the precise system component that is the potential cause for the complaint to be filed in the first place.
Comment #9:
In Section 3, Subsection 5, when complainants are asked to “Describe the complaint in detail below (You may attach additional pages as needed, and enclose copies of supporting documentation that may assist CMS with investigating your complaint),” we recommend providing examples of the types of supporting documentation that the agency would find most helpful during an investigation. As well, it should be explained that the complainant may redact information from the documentation in situations where, for example, patient or client-identifying information is included in the documentation.
CMS Response #9:
Thank you for your comment. Every complaint is individual and information needed to complete the investigation properly and thoroughly may vary. Additional information may be requested from separate entities during the investigation process. Please see cms.gov under the HIPAA Enforcement section.
Comment #10:
Section 3, Subsection 6 (“Have you attempted to submit this complaint with another agency”) should be moved to the end of the form, just prior to the signature.
CMS Response #10:
Thank you for your comment. All fields on the hardcopy of the HIPAA complaint form are structured to mimic the form found on the CMS Administrative Simplification Enforcement Testing Tool site in order to provide ease for the user. Movement of the fields may cause confusion to the end-user. Therefore, all fields will remain in their current position.
Comment #11:
Section 3, Subsection 7 (“Have you attempted to resolve this dispute?”) should be moved to be the second last question asked in the form, right before “Have you attempted to submit this complaint with another agency?” Further, we urge that there be added a clarifying statement reminding complainants that while they are encouraged to do so, they are not required to initiate a resolution with the Filed Against Entity prior to lodging a complaint directly to CMS.
CMS Response #11:
Thank you for your comment. All fields on the hardcopy of the HIPAA complaint form are structured to mimic the form found on the CMS Administrative Simplification Enforcement Testing Tool site in order to provide ease for the user. Movement of the fields may cause confusion to the end-user. Therefore, all fields will remain in their current position. Information on the complaint form is treated confidentially and is protected under the provisions of the Privacy Act of 1974. This statement may be found under the signature box of the last form’s page.
Comment #12:
Section 3, Subsection 8 (“Check the appropriate box for this complaint: (Please check all that apply”)) and Subsection 9 (“Transactions”) should be moved to be between current Section 3 Subsections 1 and 2. This flow would allow the complainant to fully describe the issue in question before moving on to the remaining questions.
CMS Response #12:
Thank you for your comment. All fields on the hardcopy of the HIPAA complaint form are structured to mimic the form found on the CMS Administrative Simplification Enforcement Testing Tool site in order to provide ease for the user. Movement of the fields may cause confusion to the end-user. Therefore, all fields will remain in their current position.
Comment #13:
With the above ordering change made, Section 3, Subsection 1 (“Select the HIPAA Non-Privacy/Security Complaint Category below:”) should be removed as it now is redundant to the current Section 3, Subsection 8 (“Check the appropriate box for this complaint: (Please check all that apply”)).
CMS Response #13:
Accepted. Thank you for your comment. All fields on the hardcopy of the HIPAA complaint form are structured to mimic the form found on the CMS Administrative Simplification Enforcement Testing Tool site in order to provide ease for the user. Any redundancy has been removed.
Comment #14:
Section 3, Subsection 8, First bullet: sentence is missing a period.
CMS Response #14:
Accepted
Comment #15:
Section 3, Subsection 8, there should be a separate bullet specific to the failure/refusal of a covered entity to provide payment via electronic funds transfer following a provider request.
CMS Response #15:
Thank you for your comment. Regulations regarding enforcement of standards relating to failing or refusing the transfer of electronic funds are found in 45 CFR 160. No additional language will be added to the form.
Comment #16:
Section 3, Subsection 8, there should be a separate bullet specific to the failure of a covered entity to support one or more of the mandated operating rules.
CMS Response #16:
Thank you for your comment. Regulations regarding enforcement of standards relating to operating rules are found in 45 CFR 160. No additional language will be added to the form.
Comment #17:
Section 3, Subsection 9, first bullet should read: “270/271-Insurance Eligibility Verification with a Health Plan.”
CMS Response #17:
Thank you for the comment. Coherent to 45 CFR 160 the language will stand as is.
Comment #18:
Section 3, Subsection 9, for bullets 1, 2, and 5, there should be after each description, the following: “…and/or supporting operating rules.” As an alternative, each operating rule could be its own separate bullet in this list.
CMS Response #18:
Thank you for your comment. Detailed on the form is information regarding the operating rules subdivided by section.
Comment #19:
Section 3, Subsection 10, as we are recommending that this list precede the description of the issue by the complainant, we recommend “Select the appropriate code sets discussed in your complaint” be changed to read “Select the appropriate code set(s) to be discussed in your complaint.”
CMS Response #19:
Accepted
Comment #20:
We recommended the reordered form be the following: (i) Section 1; (ii) Section 3, Subsection 3; (iii) Section 3, Subsection 4; (iv) Section 2; (v) Section 3, Subsection 8; (vi) Section 3, Subsection 9; (vii) Section 3, Subsection 2; (viii) Section 3, Subsection 5; (ix) Section 3, Subsection 7; (x) Section 3, Subsection 6.
CMS Response #20:
Thank you for your comment. All fields on the hardcopy of the HIPAA complaint form are structured to mimic the form found on the CMS Administrative Simplification Enforcement Testing Tool site in order to provide ease for the user. Movement of the fields may cause confusion to the end-user. Therefore, all fields will remain in their current position.
General Comments
Comment –
We believe one reason why the number of administrative simplification-related complaints is so low is the concern that if physician practices lodge a complaint against a health plan or clearinghouse, those entities could take punitive action against them. CMS is strongly urged to develop a flexible process that will encourage reticent providers to step forward and lodge complaints where appropriate.
The requirement to register in the Administrative Simplification Enforcement and Testing Tool (ASETT) acts as a deterrent for some potential complainants to submit the form to CMS. Therefore, we recommend that the complaint form be made available outside of the ASETT system to be downloaded, printed, mailed, or emailed to the agency by a potential complainant.
MGMA recommends that CMS accept a complaint form that includes specifics regarding the Filed against Entity and the alleged infraction itself, but does not include the Complainant Information. The infraction allegation information should be sufficient to initiate an investigation yet will not subject a complainant to any potential punitive action from a Filed against Entity.
General comments on administrative simplification enforcement
MGMA members have reported many occurrences of non-compliance on the part of health plans (including commercial plans, state Medicaid agencies, and Veterans Affairs-contracted payers). With no enforcement fines to date levied against a covered entity for non-compliance, there is little reason to submit a complaint on the part of a provider and little incentive to be compliant on the part of a health plan. Conversely, the Office for Civil Rights (OCR) has not only levied fines and reached numerous settlement agreements with non-compliant covered entities, but they have widely communicated each instance of non-compliance through press releases and other communication channels. In addition, the publicly-available HHS Breach Notification website lists every breach of more than 500 patient records. Further, OCR has initiated a series of HIPAA audits over the past several years, conducted through a contracted consultant. These audits not only serve as further motivation for covered entities to develop and implement compliant policies, but they also have served to identify common areas of concern that then can be addressed through OCR and private sector education.
This level of transparency and the conducting of audits that motivate covered entities to improve their privacy and security policies and procedures and encourage individuals to come forward and report potential problems can be emulated by CMS. Recent results from the CAQH Index, measuring use and costs of the HIPAA electronic transactions and operating rules, suggest that the administrative transactions are underutilized and billions of dollars of savings are going unrealized. Health plans and clearinghouses unable or unwilling to support the administrative simplification standards and operating rules force providers to employ manual methods such as phone calls, facsimiles, and web portals, thus diverting scarce provider resources away from patient care. To increase industry use of the administrative simplification standards and achieve increased efficiency and cost savings, we recommend CMS take the following steps:
Halt the recently-announced CMS Optimization Pilot for Administrative Simplification Transactions in which volunteer organizations are to test their compliance with the electronic transactions, operating rules, and code sets. These types of “voluntary” audits will not be productive and will only serve to delay the start of a truly effective compliance-based audit program;
Initiate random audits of health plans and clearinghouses, starting with those who have had a formal complaint previously lodged against them for non-compliance with electronic transactions, operating rules, national identifiers, or code sets; and
Publish the names of every covered entity who either failed a CMS audit, entered into a corrective action plan with CMS, or is levied a fine or reached a settlement agreement with CMS regarding non-compliance with any of the administrative simplification standards.
Response –
CMS appreciates the suggestions, and can take under advisement the points made by the commenter as they relate to the Complaint and Enforcement activities, but as they are not required during the Paperwork Reduction Act process, CMS may address program processes in a separate venue.
NUCC
Comment #1:
The form title be changed to “HIPAA Transactions and Code Sets Complaint Form.”
CMS Response #1:
CMS appreciates the suggestion and concern expressed by this commenter but the authority granted to the CMS Administrator by the Department of Health and Human Services (HHS) extends to portions included such as code sets, unique identifiers, transactions and operating rules, as well.
Comment #2:
The form be made available outside of the ASETT system for those who do not wish to register in ASETT.
CMS Response #2:
CMS thanks the commenter and is pointing out that the CMS-10148 information collection form is available on the CMS.gov website under the HIPAA Enforcement section for downloading.
Comment #3:
CMS accept complaints without the Complainant Information for true anonymity.
CMS Response #3:
Thank you for your comment. The revised form will include the following statement related to the complainant’s selection to remain anonymous, “If the complainant requests to do so, please note CMS will not share information with the Filed against Entity (FAE) during the investigation process. However, information provided in this complaint is subject to rules and policy under the Freedom of Information Act (FOIA).” However, omitting such information may hinder the proper functioning of the complaint process.
Comment #4:
Instructions be added to the form explaining that the Complainant Information can be left blank and that detailed information should be provided for CMS to more effectively investigate the complaint without the Complainant Information.
CMS Response #4:
Thank you for your comment. Although we understand that this is a very sensitive issue, it is impossible to conduct a proper investigation of the complaint without having the complaint and complainant information. However, when there is required follow up with the complainant, without proper contact information, the complaint will end up being closed with no action taken due to this lack of proper contact information being available.
Comment #5:
CMS employ additional enforcement activities.
CMS Response #5:
Thank you for your comment. Although your comment is valid, it falls outside the purview of the complaint form.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Cecily Austin |
File Modified | 0000-00-00 |
File Created | 2021-01-20 |