Supporting Statement Part A
Administrative Simplification HIPAA Compliance Review
(CMS-10662; 0938-1390)
CMS is requesting a Revision type of approval from OMB.
The authority for administering and enforcing compliance with the Administrative Simplification non-privacy Health Insurance Portability and Accountability Act (HIPAA) rules has been delegated to the Centers for Medicare & Medicaid Services (CMS). (68 FR 60694 Part F, October 23, 2003)
45 CFR § 160.308(a) states, “The Secretary will conduct a compliance review to determine whether a covered entity is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect.” Further, 45 CFR § 160.308(b) states, “The Secretary may conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions in any other circumstance.” Reviews conducted under § 160.308(b) are conducted at the discretion of the Secretary.
45 CFR § 160.310 requires that a covered entity provide records and compliance reports to the Secretary in cooperation with a compliance review. 45 CFR § 160.310 also provides that a covered entity must permit HHS, or its delegated entity, access during normal business hours to its facilities, books, records, and other information necessary to determine compliance, but further provides that if the Secretary determines that “exigent circumstances exist, such as when documents may be hidden or destroyed,” the covered entity must permit access at any time without notice.
The purpose of this collection is to retrieve information necessary to conduct a compliance review and carry out the authority delegated to CMS as described in CMS0014-N (68 FR 60694). These forms will be submitted to the Centers for Medicare & Medicaid Services (CMS), National Standards Group, from entities covered by HIPAA Administrative Simplification regulations. This collection is not applicable to the HIPAA Privacy and Security Rules.
Although 45 CFR Part 160 outlined the authority to conduct compliance reviews, we did not have the resources to do so until recent years. A pilot was conducted in 2019 prior to implementation of a regular compliance review program. Since 2020, a contractor has been supporting regular, ongoing compliance reviews. A PRA was approved to support this work in {YEAR}. We’re looking to expand the impact of our compliance review program by increasing the number of covered entities subject to a review.
CMS is requesting a Revision type of approval from OMB due to a few minor changes and one significant change made to the Compliance Review program between the last PRA request and this renewal request. The significant change is to the number of entities required to complete the noted documentation. In the last PRA request, we were looking to expand the program from auditing fewer than nine entities to more than 10 entities annually. The program also made the following updates to communications sent to covered entities since the last PRA request; however, there are no changes to data/information collection requests:
The single Covered Entity Triage Questionnaire submitted in the previous PRA request was duplicated so that there is a unique questionnaire for each covered entity type (Health Plan, Clearinghouse, Provider).
All Operating Rule Attestation questions are now enumerated for ease of reference.
The signature block is updated on the Compliance Review Package and Notice of Corrective Action (which contains the Corrective Action Plan template) to reflect the change in National Standards Group (NSG) personnel.
Section 1173 of the Social Security Act (the Act), 42 U.S.C. 1320d–2, and section 264 of HIPAA require the Secretary to adopt a number of national standards to facilitate the exchange of certain health information and to protect the privacy and security of such information.
The Secretary promulgated rules that relate to compliance with, and enforcement of, the HIPAA rules, which are codified at 45 CFR part 160, subparts C, D, and E and collectively referred to as the Enforcement Rule. The Secretary first issued an interim final rule promulgating the procedural requirements for imposition of civil money penalties on violations of the privacy standards on April 17, 2003, Civil Money Penalties: Procedures for Investigations, Imposition of Penalties (68 FR 18896). The Secretary subsequently proposed a rule on April 18, 2005, HIPAA Administrative Simplification: Enforcement; Proposed Rule (70 FR 20224), proposing the amendment of 45 CFR part 160, subparts A (General Provisions), C (Compliance and Enforcement), and E (Procedures for Hearing), and proposing a new subpart D (Imposition of Civil Money Penalties) that addressed the substantive issues related to the imposition of civil money penalties and proposing the above provisions be applied to all HIPAA rules.
CMS enforcement staff would use the information provided by covered entities to assess HIPAA Administrative Simplification compliance regarding adopted transaction standards, code sets, unique identifiers, and operating rules. The information provided by covered entities consists of entity transaction files that are tested with the Edifecs transaction testing tools called Onboarding and Testing Cloud Services (OTCS) and Transaction Management (TM). If violations are reported by the testing tools, entities are notified and assisted with developing and completing a corrective action plan. Once corrective action is completed, the entities’ transaction files are retested for compliance.
This process involves the use of electronic and paper collection techniques. It is expected that approximately 95% of the compliance review documents will be forwarded by the entity electronically to the Centers for Medicare & Medicaid Services (CMS) Compliance Review Testing Tool (ASETT). The flow of information electronically allows for a more efficient process.
This information collection does not duplicate any other effort and the information cannot be obtained from any other source.
This collection would impact covered entities that transmit transactions electronically. The burden is minimized by allowing any covered entity of any size to transmit to CMS these documents electronically.
This mandatory information collection will be conducted annually with up to 50 entities. We do not anticipate collecting the information less frequently, that is, less than one time per year with the selected covered entities, and still being able to meet our program requirements. We also do not foresee any reduction in the frequency, or the amount of information collected from each covered entity; however, as the Compliance Review Program matures there may be an opportunity to revise our program SOP. There are no known legal obstacles. Our goal is to reduce burden to the extent possible and remain compliant with program requirements. Our overarching goal is to foster industry compliance with HIPAA Administrative Simplification requirements. In furtherance of this goal, we’re looking to increase the number of reviews we’re able to conduct annually. The more compliance reviews that we’re able to conduct, the greater impact our program will have on advancing our authority to ensure widespread compliance across all covered entities. We do this with our compliance reviews that test transaction files for noncompliance. Our Compliance Review Program assists entities with achieving compliance, thereby reducing burden, and increasing industry benefits from administrative simplification.
Explain any special circumstances that would cause an information collection to be conducted in a manner:
requiring respondents to report information to the agency more often than quarterly;
requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it;
requiring respondents to submit more than an original and two copies of any document;
requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;
in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study;
requiring the use of a statistical data classification that has not been reviewed and approved by OMB;
that includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or
requiring respondents to submit proprietary, trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.
This information collection does not contain any special circumstances.
8. Federal Register/Outside Consultation
The 60-day Federal Register notice published on 11/15/2023 (88 FR 78367).
One comment was received during the 60-day comment period. No changes were made as a result; our response can be found within the attached Response to Comment document.
The 30-day Federal Register notice published on 02/20/2024 (89 FR 12846).
There will be no payments and/or gifts to respondents. Non-responsiveness to a compliance review notification could result in further investigation and assessed money penalties.
Without the information requested, CMS may be unable to proceed with the compliance review process. CMS collects this information under authority of CMS0014-N (68 FR 60694) issued pursuant to HIPAA. CMS will use the information provided to conduct HIPAA Administrative Simplification Non-Privacy/Security compliance reviews. Information submitted on these forms is treated confidentially and is protected under the provisions of the Privacy Act of 1974. Names or other identifying information about individuals are disclosed only when it is necessary for investigation of possible HIPAA A.S. Non-Privacy/Security violations, for internal systems operations, or for routine uses, which include disclosure of information outside the Department for purposes associated with HIPAA A.S. Non-Privacy/Security compliance and as permitted by SORN 09-90-0052.
11. Sensitive Questions
This information collection does not contain any sensitive questions.
The covered entity reporting burden for collection of information on the above-noted forms is estimated to average 150 minutes (or 2.5 hours) per form, and there are 4 forms. The initial forms are assumed to be assigned to a general analyst within the covered entity organization. An entity will only be required to participate in one compliance review per year.
The calculations below for cost and time are based on the 2022 Department of Labor, Bureau of Labor Statistics estimation for the median hourly labor wage of a General Healthcare Worker (https://www.bls.gov/oes/current/oes319099.htm). We added 100% of the median hourly labor wage to the value to account for fringe and overhead (which would include the time for reviewing instructions, gathering the data needed, and entering and reviewing the information on the completed form), which brings the total hourly wage to $20.91 + $20.91 = $41.82.
Table 1 - Burden per General Healthcare Worker at $41.82 per Covered Entity

| Document | Time Performed (hours) | Total |
|---|---|---|
| Triage Questionnaire | 2 | $83.64 |
| Operating Rule Attestation | 2.5 | $104.55 |
| Entity Information (Part B) | 0.5 | $20.91 |
| Artifact Information (Part C) | 5 | $209.10 |
| TOTAL | 10 | $418.20 |
Table 2 - Total Annual Time Burden

| Number of Entities per Year | Responses per Entity | Hours per Response | Maximum Annual Time Burden (hours) |
|---|---|---|---|
| Up to 50 | 1 | 10 | 500 |
Table 3 - Annual Cost per General Healthcare Worker Response per Entity

| Number of Artifacts per Entity | Time (Hours) | Analyst Wage | Total Analyst Wage per Entity |
|---|---|---|---|
| 4 | 10 | $41.82 | $1,672.80 |
Table 4 - Total Annual General Healthcare Worker Collection and Completion Cost per Entity

| Number of Participating Entities | Total Analyst Wage per Entity | Maximum Annual Cost |
|---|---|---|
| Up to 50 | $1,672.80 | $83,640.00 |
It is estimated that 80% of the covered entities assessed are subject to being placed on a Corrective Action Plan (CAP). To correct the entity’s deficiencies, the Compliance Officer may be asked to provide the following:
Structured CAP
Written Follow-Up with Explanation of Deficiencies
CAP Re-assessment
Time, labor, and correspondence may incur an additional cost as indicated below.
Labor costs are based on the completion/review by each entity’s Compliance Officer. We used the 2022 Department of Labor, Bureau of Labor Statistics mean hourly rate of $37.01 reported for a Compliance Officer (https://www.bls.gov/oes/current/oes131041.htm) at 11 hours per correction, which comprises administrative burden, hourly wage, overhead, and incidentals of structuring and monitoring the CAP. We added 100% of the mean hourly wage, which brings the total hourly wage to $37.01 + $37.01 = $74.02. A Compliance Officer role is used because they have approval authority.
Table 5 - Collective Structuring and Monitoring CAP Cost per Entity

| CAP Activity | Entity Placed on CAP | Time (hours) | Hourly Wage | Collective CAP Cost |
|---|---|---|---|---|
| Structuring | 1 | 11 | $74.02 | $814.22 |
| Monitoring | 1 | 40 | $74.02 | $2,690.80 |
| TOTAL | | | | $3,505.02 |
Table 6 - Annual Structuring and Monitoring CAP Cost for All Entities

| CAP Activity | Number of Entities Placed on CAP | Time (hours) | Hourly Wage | Maximum Collective CAP Cost |
|---|---|---|---|---|
| Structuring | 40 | 11 | $74.02 | $32,568.80 |
| Monitoring | 40 | 40 | $74.02 | $118,432.00 |
| TOTAL | | | | $151,000.80 |
Table 7 - Total Administrative Impact to Industry

| Maximum Annual Collective General Healthcare Worker Cost | Maximum Annual Collective Compliance Officer Cost | Maximum Industry Impact |
|---|---|---|
| $83,640.00 | $151,000.80 | $234,640.80 |
13. Capital Costs
There are no capital costs for this collection.
Table 8 - Total Cost Federal Analyst

| Time (Hours) | Analyst Annual Wage |
|---|---|
| 2080 (1 FTE) | $112,015 (GS13 Step 1) |
Table 9 - Total Cost Federal Contractor

| Number of Entities under Compliance Review | Time (hours) | Hourly Analyst II Wage | Maximum Contractor Cost |
|---|---|---|---|
| Up to 50 | 30 | $107.47 | $3,224.10 |
This is a renewed information collection request. The following document changes were made since the last PRA; however, there are no changes to data/information collection requests:
The single Covered Entity Triage Questionnaire submitted in the previous PRA request was duplicated so that there is a unique questionnaire for each covered entity type (Health Plan, Clearinghouse, Provider).
All Operating Rule Attestation questions are enumerated for ease of reference.
The signature block is updated on the Compliance Review Package and Notice of Corrective Action (which contains the CAP template) to reflect the change in National Standards Group (NSG) personnel.
Additionally, NSG is looking to increase the number of reviews we’re able to conduct annually, up to 50 per year. The more compliance reviews that we’re able to conduct, the greater impact our program will have on advancing our authority to ensure widespread compliance across all covered entities.
16. Publication/Tabulation Dates
CMS does not plan to publicly disclose any of the information collected.
CMS will display the expiration date on each collection instrument. It is displayed in the PRA Disclosure Statement as well as in the header and footer of each document.
There are no exceptions to the certification statement.
| File Title | Administrative Simplification HIPAA Compliance Review (CMS-10662) |
|---|---|
| Author | Stewart, Kevin M. (CMS/OIT) |
| File Created | 2024-07-31 |