Supporting Statement- Part A
The HIPAA Eligibility Transaction System
(HETS)
(CMS-10157; OMB 0938-0960)
A. Background
The Centers for Medicare and Medicaid Services (CMS) is requesting the Office of Management and
Budget’s (OMB) revision to the currently approved HIPAA Eligibility Transaction System (HETS) Trading Partner Agreement form for reformatting the Page 11 of the form for easy/quick entry of each offshore Organization name, address in a single row along with the offshore location Internet Protocol (IP) address. CMS created the HETS application to provide Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliant 270/271 health care eligibility inquiries (270) and responses (271) on a real-time basis. In creating the HETS application, federal law requires that CMS take precautions to minimize the security risk to federal information systems. Accordingly, CMS is requiring that trading partners who wish to connect to the HETS 270/271 application via the CMS Extranet and/or Internet agree to specific trading partner terms as a condition of receiving access to Medicare eligibility information. Applicants will complete the entire Trading Partner Agreement form to indicate agreement with CMS trading partner terms and provide sufficient information to establish connectivity to the service and assure that those entities that access the Medicare eligibility information are aware of applicable provisions and penalties for the misuse of information.
B. Justification
In its administration of the Medicare Fee-For-Service (FFS) program, CMS is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules. As a covered entity, CMS is required to verify the identity of the person requesting the Protected Health Information (PHI) and the person’s authority to have access to that information. In contrast to the other standard transactions which Medicare conducts, provision of information in the 271-response transaction, on a real-time basis, will involve direct access by outside entities to Medicare eligibility information. In order to protect the beneficiary Medicare eligibility data, CMS is requesting the approval of a revised TPA. CMS needs to know the Source (in the form of IP address) of the 270-request transaction, including but not limited to request sent from offshore locations. Obtaining the submitters IP address will allow CMS to receive and send transitions only to trusted partners with offshore locations.
HIPAA regulations require covered entities to verify the identity of the person requesting PHI and the person’s authority to have access to that information. Under the HIPAA Security rules, covered entities, regardless of their size, are required under 45 CFR Subtitle A, Subpart C 164.312(a)(2)(i) to "assign a unique name and/or number for identifying and tracking user identity." A 'user' is defined in 164.304 as a "person or entity with authorized access". Accordingly, the HIPAA Security rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that receives, maintains or transmits electronic PHI so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large provider offices, health plans, group health plans, and clearinghouses.
Federal law requires that CMS take precautions to minimize the security risk to the federal information system. Federal Information Processing Standards Publication (FIPS PUB) 1() 1-2 Paragraph 11.7- Security and Authentication states that: "Agencies shall employ risk management techniques to determine the appropriate mix of security controls needed to protect specific data and systems. The selection of controls shall take into account procedures required under applicable laws and regulations." Accordingly, CMS requires that entities who wish to connect to the HETS application via the CMS Extranet and/or Internet are uniquely identified. CMS is required to verify the identity of the person requesting the Protected Health Information (PHI) and the person's authority to have access to Medicare eligibility information. Furthermore, CMS requires that trading partners who wish to conduct eligibility transactions on a real-time basis with CMS provide certain assurances as a condition of receiving access to the Medicare eligibility information for the purpose of conducting real- time 270/271 inquiry/response transactions.
CMS uses the Trading Partner Agreement Form to capture certain information whereby a person certifies that they are fully aware of any and all penalties related to the use of PHI and their access to this data from the HETS application. The information is an attestation by the authorized representative of an entity that wishes to access the Medicare eligibility information to conduct real-time eligibility transactions. The authorized representative is a person responsible for business decisions on behalf of the Organization who is submitting the access request. The data captured includes the authorized representative's name, title contact number and the name of the submitting entity. Other data captured is the submitter's National Provider Identifier (NPI), business name, billing address, physical address, and telephone number.
The Trading Partner Agreement Form is also used by CMS to capture certain information whereby a person identifies the particular connectivity protocol that they will use to connect to CMS as well as specific organization information which is reviewed and authorized prior to the access being granted.
CMS is allowing public access to the HETS 270/271 application via the CMS Extranet and/or Internet in order to offer real-time eligibility inquiries (270) and responses (271) in an electronic format as a method for healthcare providers to ascertain beneficiary eligibility using a secure network connection. The Trading Partner Agreement Form is available on the CMS website. After the form is completed and collected, it is stored in the HETS Program Jira ticket system which is hosted in the CMS/AWS enclave. Responders must complete the Trading Partner Agreement Form prior to gaining access to the CMS Extranet and/or Internet.
Maintenance on the collection form includes review, edits and possible updates of the content.
CMS reserves the right to update the Trading Partner Agreement Form with non-substantive
changes such as:
updating or adding URLs in Appendix A
clarifying the information requested in Appendix B
Changes in contact information for the Medicare Customer Assistance Regarding Eligibility (MCARE) Help Desk
On a yearly basis, existing submitters will be required to resubmit a new copy of the Trading Partner Agreement Form to ensure that CMS has consistent and accurate information for all current submitters. For new submitters this data has not been captured previously as this Trading Partner Agreement Form is the first application where public users will connect to the HETS 270/271 application via the CMS Extranet and/or Internet to access Medicare eligibility information for the purpose of conducting HIPAA transactions.
There will be minimal impact on small businesses as the length of time to read, complete, and submit the Trading Partner Agreement Form is typically less than fifteen minutes.
This information will be collected on a yearly basis for entities wishing to connect to the CMS Extranet and/or Internet and to conduct real-time eligibility transactions with the CMS database.
There are no special circumstances that would require an information collection to be conducted in a manner that requires respondents to:
Report information to the agency more often than quarterly;
Prepare a written response to a collection of information in fewer than 30 days after receipt of it;
Submit more than an original and two copies of any document;
Retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;
Collect data in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study,
Use a statistical data classification that has not been reviewed and approved by OMB;
Include a pledge of confidentiality that is not supported by authority established in statute or regulation that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or
Submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.
The 60-day Federal Register Notice (86 FR 64939) published to the Federal Register 11/19/2021.
No comments were received.
The 30-day Federal Register Notice (87 FR 4031) published to the Federal Register 1/26/2022.
No comments were received.
9. Payments/Gifts to Respondents
There are no payments or gifts to respondents.
The information collected will be gathered and used solely by CMS. The data will not be shared with any outside organizations.
11. Sensitive Questions
There are no sensitive questions on the Trading Partner Agreement Form.
CMS currently has agreements in place with approximately 200 trading partners. In the future we anticipate that the provider community will request access to Medicare eligibility information, and we do not foresee the total number of agreements to exceed one thousand at any given time. We do not anticipate a major influx of application as a result of this proposed version, and any increase that occurs will come over a gradual period of time.
The estimated time to read, execute, and submit this form is less than fifteen minutes and the total burden is estimated to be 250 hours.
This form has about twenty-five data collection items on the form to get the Submitters information like Submitter name, Security official name/contact information, National Provider ID etc. and some of the items are only Yes and No answer. Based on the information that we gathered in the last two years about this TPA from these Submitters, it has been estimated that it should not take more than fifteen minutes to read, execute and submit this TPA.
Max number of Users (estimated-annually) who will use and submit this form in a year=1000 Total time to read/execute/Submit this form=15 min.
Total time (estimated-annually) = 1000*15=15000 min. =250 hrs. Total burden (estimated) =250 hours.
These Agreements are completed by Computer Systems Analysts. Based on the most recent Bureau of Labor and Statistics Occupational and Employment Data (May 2020) http://www.bls.gov/oes/current/oes_md.htm) for Category 15-1211 (Computer Systems Analysts), the mean hourly wage for this profession is $47.61.[1] We have added 100% of the mean hourly wage to account for fringe and overhead benefits, which calculates to $95.22 ($47.61 + $47.61). We estimate the total annual cost to be $23,805.00 (250 hours x $95.22/hour).
There are no capital costs to the respondents.
14. Cost to Federal Government.
The cost to the Federal Government is estimated at $50,000. This is to publish the Trading Partner Agreement form on the CMS website, receive, review, and store the completed forms that are submitted by the respondents. The receipt of the Trading Partner Agreement Form from 1,000 respondents at a cost of $50 to receive, review, and store the complete forms was the basis for cost determination.
Format on the Page 11 of the form is updated in tabular form for easy/quick entry of data along with Offshore location IP address. There will be no change to the hourly burden for this collection. Because of the change in hourly wages of the Computer system analysts who filled this form, the annual cost burden has increased from $23,485 to $23,805 (a difference of $320). New applications will be expected, but the volume will be low.
No publication or tabulation of data expected.
17. Expiration Date
The expiration date will be displayed within the PRA disclosure statement of the TPA.
There are no exceptions to the certification statement.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | Supporting Statement -Part_A |
Subject | Supporting Statement- Part A |
Author | Centers for Medicare & Medicaid Services |
File Modified | 0000-00-00 |
File Created | 2022-03-10 |