CMS-10157. Crosswalk

HETS TPA CROSSWALK
Current Published version-3 vs. New Version-4 (Feb-2019)
1. Added form main page with form name.
2. Added form table of contents.
3. Added form instructions to select the Type of Agreement that is being used: initial
application, update, or re-certification.
4. Updated the layout to a standardized format which includes highlighting the
Paperwork Reduction Act statement, updated section headers, added footers and
headers, and updated the fillable form to include table structures for all of the
requested data elements.
5. Section III- HIPAA violation language updated to remove the specified calendar year
limit and replace it with the statutory citation. Additionally, updated language to
clarify violations may incur monetary penalties, incarceration, or both. Specifically:
• Replaced “Privacy Rule requirement, up to an annual calendar year limit of
$1,500,000 for multiple violations of the identical Privacy Rule requirement”
with “provision in the Privacy, Security, and Breach Notification Rules, with
maximum annual limits for violations of identical provisions, which are set
forth at 42 U.S.C. 1320d-5(a).”
• Added “or both” when describing the penalties which may be imposed for
HIPAA violations.
6. Section III- False Claims Act civil payment amount was adjusted for inflation and a
clarifying parenthetical was added. Specifically:
• Updated the civil penalty range to “$11,181 to $22,363”.
• Added the parenthetical “note that the civil penalty amounts are subject to an
inflation adjustment; these were the amounts for calendar year 2018.”
7. Section IV- Removed the reference to allow two types of connectivity. Specifically:
• Removed the following sentence from the paragraph “Trading Partners are
allowed to use both forms of connectivity, but must select a primary
approach.”
8. Section V- Updated the assurances to require Submitters to individually
agree/disagree to each of the nine assurances. Added a ninth assurance. Specifically:
• Each assurance includes a separate check box for the Submitter to “agree” or
“disagree” with the statement.
• Added “Submitters who perform Medicare work offshore (any location
outside of the United States where U.S. law is non-binding) must attest that
safeguards to protect Medicare Beneficiary Information are actively enforced.
Any Submitters who perform work or either directly or indirectly employ
offshore labor must attest to the terms specified in Appendix E. Submitters
who do not perform any Medicare work offshore (or directly or indirectly
employ any offshore labor should mark this assurance as ‘Not Applicable.’”
9. Appendix A- Clarified header to identify this section is required. Additionally,
replaced the descriptive language of, and link to, the HETS Companion Guide with a
description of, and link to, the HETS Authorized Representative Role and
Responsibilities. Specifically:
• Removed “HETS Companion Guide

This document defines the Medicare eligibility request sent from Medicareauthorized Trading Partners and the corresponding response from the
Medicare Health Insurance Portability and Accountability Act (HIPAA)
Eligibility Transaction System (HETS) 270/271 application.
http://cms.gov/Research-Statistics-Data-and-Systems/CMS-InformationTechnology/HETSHelp/Downloads/HETS270271CompanionGuide5010.pdf”
• Added “HETS Authorized Representative Roles and Responsibilities
This document details the Authorized Representatives HETS roles and
responsibilities. It is written confirmation that the Submitter’s Authorized
Representative understands his/her responsibility for the organization’s use of
HETS and compliance with the HETS Rules of Behavior.
https://www.cms.gov/Research-Statistics-Data-and-Systems/CMSInformation-Technology/HETSHelp/Downloads/TPA-AR-RoleResponsibilities.pdf”
10. Appendix B- Clarified header to identify this section is required, clarified the fillable
fields to more accurately describe the requested information should represent the
Submitter’s organization, and added which requires the Medicare Provider’s name in
addition to their NPI. Specifically:
• Replaced “Security Officer Contact Information (Optional)” with “Submitter
Organization Security Officer Contact Information (Optional)”.
• Replaced “Submitter’s Information” with “Submitter Organization’s
Information” and made corresponding clarifications to the fillable field
descriptions that follow in the table below.
• Replaced “NPI(s): Note: only one NPI for an active enrolled Medicare provider
must be indicated on this form. Any additional NPIs for whom the trading partner
submits transactions must be shared with CMS in accordance with item 4 in the
Assurances section of the Agreement” with “CMS requires only one NPI from an
active/valid enrolled Medicare provider(s) on this form. In accordance with item
4 in the Assurances section of the Agreement, submitter organization must later
share any/all additional NPIs with CMS.”
• Added field for “Medicare Provider’s Name” at the end of the Submitter
Organization’s Information table.
11. Appendix C- Added Appendix C requiring information associated with the Submitter’s
connectivity type, this information was requested under Appendix B in the previous
version. Additionally, two clarifying instructions were added, specifically:
• Added “Trading Partner IP Address (es) for SOAP/MIME transaction (Note: If
sending multiple IP addresses, please use a Classless Inter-Domain Routing
[CIDR] notation, i.e., 192.0.1.0/24).”
• Added “Note: If using SOAP + WSDL or HTTP MIME Multipart, applicants
must send a copy of their organization’s public x.509 digital certificate. The
Trading Partner Agreement will not be processed without a copy of the public
digital certificate.”
12. Appendix D- Added Appendix D requiring information associated with
Disproportionate Share Hospital (DSH) information, this information was requested
under Appendix B in the previous version. Additionally, modified the information
requested so that it is now optional to complete this section. Specifically:

•

Grammatical changes to the paragraph include adding “has” as the second
word in the first sentence and clarifying “[t]his data assists hospitals verify
CMS’ determination of the hospital’s SSI ratio (i.e., the total number of Medicare
days compared to the number of Medicare/SSI days)” to “[t]his data assists
hospitals when verifying CMS’ determination of the hospital’s SSI ratio (i.e., the
total number of Medicare days compared to the number of Medicare/SSI days).”
• Replaced “Eligible Trading Partners must have a separate Submitter ID in order
to request this view” with “Eligible Trading Partners must request a separate
DSH Submitter ID in order to utilize this view.”
• Removed the request asking the submitter to identify whether or not they are
requesting the DSH view. Appendix D now identifies this appendix as
“situational” and requests the Submitter, if they are a DSH trading partner, to
identify whether they want the DSH view only, or if they want the DSH view in
addition to standard HETS 270/271. Added a requirement for the submitter to
include the DSH Hospital NPI(s), if applicable.
13. Appendix E- This Appendix requesting information concerning offshore data protection
safeguards is new and was not included in the previous version.