The HIPAA Eligibility Transaction System (HETS)
(CMS-10157; OMB# 0938-0960)
A. Background
The Centers for Medicare and Medicaid Services (CMS) is requesting the Office of Management and Budget's (OMB) revision to the currently approved HIPAA Eligibility Transaction System (HETS) Trading Partner Agreement form. CMS created the HETS application to provide Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliant 270/271 health care eligibility inquiries (270) and responses (271) on a real-time basis. In creating the HETS application, federal law requires that CMS take precautions to minimize the security risk to federal information systems. Accordingly, CMS is requiring that trading partners who wish to connect to the HETS 270/271 application via the CMS Extranet and/or Internet agree to specific trading partner terms as a condition of receiving access to Medicare eligibility information. Applicants will complete the entire Trading Partner Agreement form to indicate agreement with CMS trading partner terms and provide sufficient information to establish connectivity to the service and assure that those entities that access the Medicare eligibility information are aware of applicable provisions and penalties for the misuse of information.
B. Justification
In its administration of the Medicare Fee-For-Service (FFS) program, CMS is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules. As a covered entity, CMS is required to verify the identity of the person requesting the Protected Health Information (PHI) and the person’s authority to have access to that information. In contrast to the other standard transactions which Medicare conducts, provision of information in the 271 response transaction, on a real-time basis, will involve direct access by outside entities to Medicare eligibility information. In order to improve security of Medicare beneficiary information, a new section was added to the revised TPA to determine and collect demographic information for any organizations that offshore Medicare eligibility information. The revised TPA will also improve usability by clearly defining whether the submission of the form is a new user application, annual re-certification or an ad-hoc update.
It is important to note that CMS does not have the authority to restrict offshoring. However, we do closely monitor submitter (e.g. clearinghouse, vendor, provider) transaction volume, error rates, etc. Based on this data collection and our transaction monitoring, if we see offshoring is widespread, we will consider that in our risk management exercise and determine if we need additional measures to mitigate the risk. For example, maybe we need to expand our vetting of the end user if we see widespread access by HIPAA non-covered entities.
1 . Need and Legal Basis
HIPAA regulations require covered entities to verify the identity of the person requesting PHI and the person’s authority to have access to that information. Under the HIPAA Security rules, covered entities, regardless of their size, are required under 45 CFR Subtitle A, Subpart C 164.312(a)(2)(i) to "assign a unique name and/or number for identifying and tracking user identity." A 'user' is defined in 164.304 as a "person or entity with authorized access."
Accordingly, the HIPAA Security rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that receives, maintains or transmits electronic PHI so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large provider offices, health plans, group health plans, and clearinghouses.
Federal law requires that CMS take precautions to minimize the security risk to the federal information system. Federal Information Processing Standards Publication(FIPS PUB) 1() 1-2 Paragraph 11.7- Security and Authentication states that: "Agencies shall employ risk management techniques to determine the appropriate mix of security controls needed to protect specific data and systems. The selection of controls shall take into account procedures required under applicable laws and regulations." Accordingly, CMS requires that entities who wish to connect to the HETS application via the CMS Extranet and/or Internet are uniquely identified.
CMS is required to verify the identity of the person requesting the Protected Health Information (PHI) and the person's authority to have access to Medicare eligibility information. Furthermore, CMS requires that trading partners who wish to conduct eligibility transactions on a real-time basis with CMS provide certain assurances as a condition of receiving access to the Medicare eligibility information for the purpose of conducting real- time 270/271 inquiry/response transactions.
2. Information Users
CMS uses the Trading Partner Agreement Form to capture certain information whereby a person certifies that they are fully aware of any and all penalties related to the use of PHI and their access to this data from the HETS application. The information is an attestation by the authorized representative of an entity that wishes to access the Medicare eligibility information to conduct real-time eligibility transactions. The authorized representative is a person responsible for business decisions on behalf of the Organization who is submitting the access request. The data captured includes the authorized representative's name, title contact number and the name of the submitting entity. Other data captured is the submitter's National Provider Identifier (NPI), business name, billing address, physical address, telephone number and, if applicable, all information about offshore subsidiary or partner locations.
The Trading Partner Agreement Form is also used by CMS to capture certain information whereby a person identifies the particular connectivity protocol that they will use to connect to CMS as well as specific organization information which is reviewed and authorized prior to the access being granted.
3. Use of Information Technology
CMS is allowing public access to the HETS 270/271 application via the CMS Extranet and/or Internet in order to offer real-time eligibility inquiries (270) and responses (271) in an electronic format as a method for healthcare providers to ascertain beneficiary eligibility using a secure network connection. The Trading Partner Agreement Form is available on the CMS website. After the form is completed and collected, it is stored in the Enterprise Sharepoint at the CMS Data Center.
Maintenance on the collection form includes review, edits and possible updates of the content. CMS reserves the right to update the Trading Partner Agreement Form with non-substantive changes such as:
updating or adding URLs in Appendix A
clarifying the information requested in Appendix B
Changes in contact information for the Medicare Customer Assistance Regarding Eligibility (MCARE) Help Desk
4. Duplication of Efforts
On a yearly basis, existing submitters will be required to resubmit a new copy of the Trading Partner Agreement Form to ensure that CMS has consistent and accurate information for all current submitters. For new submitters this data has not been captured previously as this Trading Partner Agreement Form is the first application where public users will connect to the HETS 270/271 application via the CMS Extranet and/or Internet to access Medicare eligibility information for the purpose of conducting HIPAA transactions.
5. Small Businesses
There will be minimal impact on small businesses as the length of time to read, complete, and submit the Trading Partner Agreement Form is typically less than fifteen minutes.
6. Less Frequent Collection
This information will be collected on a yearly basis for entities wishing to connect to the CMS Extranet and/or Internet and to conduct real-time eligibility transactions with the CMS database.
7. Special Circumstances
Responders must complete the Trading Partner Agreement Form prior to gaining access to the CMS Extranet and/or Internet.
8. Federal Register/Outside Consultation
The 60-day Federal Register notice for this information collection published on March 18, 2019(84 FR 9801) and the 30-day Federal Register notice published on May 24, 2019(84 FR 24154). No comments were received.
9. Payments/Gifts to Respondents
There are no payments or gifts to respondents.
10. Confidentiality
The information collected will be gathered and used solely by CMS. The data will not be shared with any outside organizations.
11. Sensitive Questions
There are no sensitive questions on the Trading Partner Agreement Form.
12. Burden Estimates (Hours & Wages)
Currently we have around 200 trading partners and in the near future the provider community that is expected to request access to Medicare eligibility information is estimated to be at a maximum of 1000 trading partners annually with 100% of the respondents replying electronically. The estimated time to read, execute, and submit this form is less than fifteen minutes and the total burden is estimated to be 250 hours.
This form has about twenty five data collection items on the form to get the Submitters information like Submitter name, Security official name/contact information, National Provider ID etc. and some of the items are only Yes and No answer. Based on the information that we gathered in the last two years about this TPA from these Submitters, it has been estimated that it should not take more than fifteen minutes to read, execute and submit this TPA.
Max number of Users (estimated-annually) who will use and submit this form in a year=1000 Total time to read/execute/Submit this form=15 min.
Total time (estimated-annually) =1000*15=15000 min. =250 hrs.
Total burden (estimated) =250 hours.
These Agreements are completed by Computer Systems Analysts. Based on the most recent Bureau of Labor and Statistics Occupational and Employment Data (May 2017 http://www.bls.gov/oes/current/oes_md.htm) for Category 15-1121 (Computer Systems Analysts), the mean hourly wage for this profession is $46.97.[1] We have added 100% of the mean hourly wage to account for fringe and overhead benefits, which calculates to $93.94 ($46.97 + $46.97). We estimate the total annual cost to be $23,485.00 (250 hours x $93.94/hour).
13. Capital Costs
There are no capital costs to the respondents.
14. Cost to Federal Government
The cost to the Federal Government is estimated at $50,000. This is to publish the Trading Partner Agreement form on the CMS website, receive, review, and store the completed forms that are submitted by the respondents. The receipt of the Trading Partner Agreement form from 1,000 respondents at a cost of $50 to receive, review, and store the complete forms was the basis for cost determination.
15. Changes to Burden
The annual cost burden has changed in from $21,680 to $23,485(a difference of $1805). There will be no changes to the burden for this collection. Only 47 number of new applications using this TPA has been submitted in the last 2 years and so new applications will be expected but the volume will be low.
16. Publication/Tabulation Dates
N/A
17. Expiration Date
The expiration date will be posted on the instrument itself. On page 1 of the document, the expiration date is listed next to the OMB control number in the PRA Disclosure Statement.
18. Certification Statement
There are no exceptions to the certification statement.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Modified | 0000-00-00 |
File Created | 0000-00-00 |