CMS-10662_Supporting_Statement_Part_A_508

CMS-10662_Supporting_Statement_Part_A_508.docx

Administrative Simplification HIPAA Compliance Review (CMS-10662)

OMB: 0938-1390

Document [docx]
Download: docx | pdf

Administrative Simplification HIPAA Compliance Review (CMS-10662) Supporting Statement Part A


Background


The authority for administering and enforcing compliance with the Administrative Simplification non-privacy Health Insurance Portability and Accountability Act (HIPAA) rules has been delegated to the Centers for Medicare & Medicaid Services (CMS). (68 FR 60694 Part F, October 23, 2003)


45 CFR 160.308 states, “that the Secretary may conduct compliance reviews to determine whether covered entities are complying with the applicable administrative simplification provisions.” These reviews are conducted at the discretion of the Secretary.


45 CFR 160.310 requires that a covered entity provide records and compliance reports to the Secretary in cooperation with a compliance review. 45 CFR 160.310 provides that a covered entity must permit HHS, or its delegated entity, access during normal business hours to its facilities, books, records, and other information, and other information necessary to determine compliance, but also provides that if the Secretary determines that “exigent circumstances exist, such as when documents may be hidden or destroyed,” the covered entity must permit access at any time without notice.


The purpose of this collection is to retrieve information necessary to conduct a compliance review as described in CMS-0014-N (68 FR 60694). These forms will be submitted to the Centers for Medicare & Medicaid Services (CMS), Program Management National Standards Group, from entities covered by HIPAA Administrative Simplification regulations. This collection is not applicable to HIPAA Privacy and Security Rules.


Justification


  1. Need and Legal Basis


Section 1173 of the Social Security Act (the Act), 42 U.S.C. 1320d–2, and section 264 of HIPAA require the Secretary to adopt a number of national standards to facilitate the exchange of certain health information and to protect the privacy and security of such information.


The Secretary promulgated rules that relate to compliance with, and enforcement of, the HIPAA rules, which are codified at 45 CFR part 160, subparts C, D, and E and collectively referred to as the Enforcement Rule. The Secretary first issued an interim final rule promulgating the procedural requirements for imposition of civil money penalties on violations of the privacy standards on April 17, 2003, Civil Money Penalties: Procedures for Investigations, Imposition of Penalties (68 FR 18896). The Secretary subsequently proposed a rule on April 18, 2005, HIPAA Administrative Simplification: Enforcement; Proposed Rule (70 FR 20224), proposing the amendment of 45 CFR part

160, subparts A (General Provisions), C (Compliance and Enforcement), and E (Procedures for Hearing), and proposing a new subpart D (Imposition of Civil Money Penalties) that addressed the substantive issues related to the imposition of civil money penalties, and proposing that the above provisions be applied to all of the HIPAA rules.


The four forms included in this package request the following information from covered entities:


    • Signed Operating Rules Attestation (Part A)

    • Entity Information (Part B)

    • Artifact Information (Part C)

    • Trading Party Agreement (Part D)


  1. Information Users


It is expected that covered entities under HIPAA (health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transaction for which HHS has adopted standards) will complete these forms during a CMS scheduled compliance review. CMS enforcement staff would use the information provided by covered entities to review HIPAA Administrative Simplification compliance in regards to adopted transaction standards, code sets, unique identifiers and operating rules.


  1. Use of Information Technology


This process involves the use of electronic and paper collection techniques. It is expected that approximately 95% of the compliance review documents will be forwarded by the entity electronically to the Centers for Medicare & Medicaid Services (CMS) Compliance Review Testing Tool (ASETT). The flow of information electronically allows for a more efficient process.


  1. Duplication of Efforts


This information collection does not duplicate any other effort and the information cannot be obtained from any other source.


  1. Small Businesses


This collection would impact covered entities that transmit transactions electronically. The burden is minimized by allowing any covered entity of any size to transmit to CMS these documents electronically.



  1. Less Frequent Collection

Submission of these forms during a compliance review is mandatory.


  1. Special Circumstances


This information collection does not contain any special circumstances.


  1. Federal Register/Outside Consultation


The 60-day Federal Register notice published on October 4, 2019 (84 FR 53156). No comments were received. The 30-day Federal Register notice published on December 18, 2019 (84 FR 69380).


The 30-day Federal Register notice published on [OSORA to insert publication date]. We received [TBD] public comments.


  1. Payments/Gifts to Respondents


There will be no payments and/or gifts to respondents.


  1. Confidentiality


Without the information requested CMS may be unable to proceed with the compliance review process. CMS collects this information under authority of CMS-0014-N (68 FR 60694) issued pursuant to the HIPAA. CMS will use the information provided to conduct HIPAA Administrative Simplification Non-Privacy/Security compliance reviews. Information submitted on these forms is treated confidentially and is protected under the provisions of the Privacy Act of 1974. Names or other identifying information about individuals are disclosed only when it is necessary for investigation of possible HIPAA A.S. Non- Privacy/Security violations, for internal systems operations, or for routine uses, which include disclosure of information outside the Department for purposes associated with HIPAA A.S. Non-Privacy/Security compliance and as permitted by SORN 09-90-0052.


  1. Sensitive Questions


This information collection does not contain any sensitive questions.


  1. Burden Estimates (Cost and Time)


The covered entity reporting burden for the forms collection of information is estimated to average 150 minutes or 2.5 hours) per form and there are 4 forms. The total burden per entity will be 10 hours ((2.5 hours per form) x (4 forms) x 1 entity)) which would include the time for reviewing instructions, gathering the data needed and entering and reviewing the information on the completed complaint form. An entity will only be required to participate in one compliance review per year.

The calculations are based on the Department of Labor, Bureau of Labor Statistics

estimation for a General Health Care Worker (http://www.bls.gov/oes/current/oes_nat.htm#13-0000) . We added 100% of the median hourly labor wage to the value to account for fringe and overhead.

Total annual time burden


(number of entities) x (1 response /entity) x (hours per response) = 10 x1 x 2.5 = 25 hours

Annual cost per entity response per analyst:


(number of artifacts per entity) x (time (hours) required to collect and complete artifact) x (analyst wage) = total analyst wage per entity

(4 artifacts) x (10 hours) x ($18.56/hour) = $742.40


Total cost for all entities for analysts collection and completion


(number of entities participating ) x (total annual cost) = collective analysts wage for 10 entities

(10 entities) x ($742.40) = $7424.00


It is estimated that all 10 covered entities are subject to be placed on a Corrective Action Plan. To correct the entities deficiencies the General Officer may be asked to provide the following:


  1. Structured Corrective Action Plan

  2. Written Follow Up with Explanation of Deficiencies

  3. Subject to Corrective Action Plan Re-assessment


Time, labor, and correspondence may incur an additional cost as indicated below. Labor costs are based on the completion/review by each entity’s General and/or Operational Manager. We used the mean hourly 2017 Department of Labor rate of

$58.70 reported for a General or Operational Manager from the Department of Labor, Bureau of Labor Statistics (http://www.bls.gov/oes/current/oes_nat.htm#13-0000) at

$58.70/hour at 10 hours per correction which comprises of postal costs, administrative burden, hourly wage, overhead and incidentals of structuring and monitoring the CAP. A General/Operational Manager was used because he/she perhaps has approval authority.


(entity placed on CAP) x (time (hours) to complete CAP) x (hourly wage (which includes postage and incidentals)) = collective CAP structuring


(1 entity) x (10 hours to complete) x ($58.70/hour to structure CAP) = $587.00


(total entity placed on CAP) x (time (hours) to complete CAP) x (hourly wage (which

includes postage and incidentals)) = collective CAP structuring


(10 entity) x (10 hours to complete) x ($58.70/hour to structure CAP) = $5870.00


(entity placed on CAP) x (time (hours) to complete CAP) x (hourly wage (which includes postage and incidentals)) = collective CAP monitoring


(1 entity) x (40 hours to complete) x ($58.70/hour to monitor CAP) = $2,348.00


(total entity placed on CAP) x (time (hours) to complete CAP) x (hourly wage (which includes postage and incidentals)) = collective CAP monitoring


(10 entity) x (40 hours to complete) x ($58.70/hour to monitoring CAP) = $23,480.00


TOTAL ADMINISTRATIVE IMPACT TO INDUSTRY


Annual Collective Analyst Cost + Annual Collective General/Operations Manager Cost


$7424.00 + $23,480.00 = $30,904.00



  1. Capital Costs


There are no capital costs for this collection.


  1. Cost to Federal Government


There is no cost burden to the federal government as the requested standard administrative simplification artifacts indicating compliance will be processed in the normal course of federal duties.


  1. Changes to Burden


This is a new information collection request.


  1. Publication/Tabulation Dates


CMS does not plan to publicly disclose any of the information collected.


  1. Expiration Date


CMS will display the expiration date on each collection instrument. It is displayed in the PRA Disclosure Statement as well as in the header of each document.


  1. Certification Statement

There are no exceptions to the certification statement.

Shape1

1


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File TitleAdministrative Simplification HIPAA Compliance Review (CMS-10662)
AuthorStewart, Kevin M. (CMS/OIT)
File Modified0000-00-00
File Created2021-01-14

© 2024 OMB.report | Privacy Policy