Form CMS-10157 Medicare HIPAA Eligibility Transaction System (HETS) to

The HIPAA Eligibility Transaction System (HETS) (CMS-10157)

TPA-PRA-Form-Revision-V4.3-Final-

HIPAA Eligibility Transaction System (HETS) Trading Partner Agreement (TPA)

OMB: 0938-0960

Document [docx]
Download: docx | pdf



Shape2

Shape1

DEPART MENT OF HEALT H AND HUMAN SERVICES Form Approved

CENT ERS FOR MEDICARE & MEDICAID SERVICES OMB No. 0938-0960

Shape3

FORM INSTRUCTIONS

Shape4

Check 1 box to indicate the type of Agreement you’re submitting.

Shape5

CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS) TRADING PARTNER AGREEMENT

Shape6

For the use of the Medicare Health Insurance Portability and Accountability Act of 1996 (HIPAA) Eligibility Transaction System (HETS) to share health care eligibility inquiry and response transactions.

This Trading Partner Agreement (“Agreement”) is made on <Enter Date> between CMS and <Enter Trading Partner Name> .

The Trading Partner intends to conduct eligibility transactions with CMS in electronic form. Both parties acknowledge and agree that data privacy and security are the highest priority. Each party agrees to take all steps reasonably necessary to ensure all electronic transactions between them conform to HIPAA and its regulations. Unless defined in this Agreement, all terms have the same meaning as in the regulations established to implement the Administrative Simplification provisions of HIPAA at 45 CFR Parts 160-164.

PAPERWORK REDUCTION ACT (PRA) DISCLOSURE STATEM ENT

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-0960. This information collection is per the federal law that requires CMS to take precautions to minimize the security risk to federal information systems who (Trading Partners) wants to connect to the HETS 270/271 system via the CMS Extranet and/or Internet to provide their details to identify, assign a unique name, agree to the HETS Rules of Behavior and the HETS Authorized Representative Roles and Responsibilities terms as a condition of receiving protected Medicare eligibility information.

The time required to complete this information collection is estimated to average less than 15 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, to review and complete the information collection. This information collection is mandatory per HIPAA regulations that require covered entities to verify the identity of the person requesting PHI and the person’s authority to have access to that information. Under the HIPAA Security rules, covered entities, regardless of their size, are required under 45 CFR Subtitle A, Subpart C 164.312(a)(2)(i) to "assign a unique name and/or number for identifying and tracking user identity." If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, Baltimore, Maryland 21244-1850.

CMS-Version 4.3

Shape7

  1. BACKGROUND

Shape8

CMS maintains the integrity and security of Medicare health care data according to applicable laws and regulations. The Privacy Act of 1974 (Privacy Act) and HIPAA restrict the disclosure of Medicare beneficiary eligibility data. HETS may be used ONLY for business functions of health care providers and suppliers (collectively referred to as “providers”) with respect to Medicare Fee-for-Service (FFS). HETS may not be used for any other purpose, including that it may not be used by providers who may also participate in the Medicare FFS system with respect to any non-Medicare-FFS patients.

We administer HETS as a covered entity under HIPAA rules. HETS uses the ASC X12 270/271 standard. This Agreement is for non-CMS entities that want to obtain Medicare eligibility information. We will use information in this Agreement to establish connectivity, define data exchange requirements, and explain the responsibilities of HETS Trading Partners.

Shape9

  1. AUTHORIZED USES

Shape10

You may only use Medicare eligibility data for Medicare FFS activities, including preparing accurate FFS claims or determining eligibility for certain services. The HETS Rules of Behavior, referenced in Appendix A, specifies what activities are authorized and unauthorized.

You may not electronically store, reuse, or disclose Medicare beneficiary Protected Health Information (PHI) you get from HETS, except:

  • To record transaction processing history

  • For security procedures, like routine system backups for disaster recovery

  • To update patient records in the Medicare FFS provider’s system

You and your Business Associates, as defined by 45 CFR § 160.103, must comply with the HETS Rules of Behavior when you store data.

Shape11

  1. SYSTEM INTEGRITY

Shape12

CMS monitors inquiries in HETS, and we will contact you if we find discrepancies. For example, we will check if you submit a high ratio of eligibility inquiries compared to your FFS claims. If we suspect improper use or if you violate the HETS Rules of Behavior, we may suspend your HETS access, place you on a corrective action plan, or refer you for investigation and you could be subject to other penalties, including civil or criminal actions.

Shape13

  1. CONNECTIVITY

Shape14

You can connect to HETS via the extranet or internet.

  • Extranet: o Transmission Control/Internet Protocol (TCP/IP)

  • Internet:

o Simple Object Access Protocol (SOAP) + Web Services Description Language (WSDL) o Hypertext Transfer Protocol (HTTP) / Multipart Internet Mail Extensions (MIME) You must submit the required information in Appendix B to request connectivity. Review the HETS 270/271 Companion Guide for more information.

Shape15

  1. ASSURANCES

Shape16

Your access to HETS is contingent on your assurances in this section. We can revoke HETS access without notice if we determine that you are not complying with these assurances.

You agree to and assure:

No. Assurance Agreement

Shape17

  1. I will abide by all applicable federal laws, regulations, and guidance governing access to, use, and disclosure, of:

    • CMS data Agree

    • PHI as defined in 45 CFR § 160.103

Disagree

    • Personally Identifiable Information (PII) as defined in OMB Memorandum M-17-12 (January 03, 2017))

I understand that individuals or entities may be subject to civil or criminal penalties for failing to abide by such provisions.

Shape18

  1. I will cooperate with CMS and its contractors to test the transmission and processing systems to ensure the accuracy, timeliness, completeness, and security of each data transmission before initiating any transmission Agree in HIPAA standard 270/271 transaction format, and through the term of Disagree this Agreement.

    Shape19

  2. I will take reasonable care to ensure the information I submit in each electronic transaction is timely, complete, accurate, and secure, and I will take reasonable precautions to prevent unauthorized access of the Agree transmission and processing systems. I will ensure that each electronic Disagree transaction I submit to CMS conforms with the requirements applicable to the transaction.

Shape20

Shape21

  1. I will only submit electronic transactions for an active enrolled Medicare FFS provider or as a Business Associate working on behalf of a provider serving active enrolled Medicare FFS beneficiaries. I agree to notify CMS when my relationship with a Medicare FFS provider begins and ends. Agree Business Associates must provide current information about the FFS providers for whom they submit transactions pursuant to the HETS Rules of Disagree

Behavior. I understand and agree that CMS reserves the right to confirm the status of a Business Associate relationship with a FFS provider directly.

Shape22

  1. This Agreement takes effect and is binding when both CMS and I sign. Agree

Disagree

Shape23

  1. Notwithstanding any expiration or termination of this Agreement, I understand that my obligation survives to ensure the privacy and security Agree of PHI and PII and the confidentiality of CMS proprietary information, and to comply with federal and state laws and regulations that apply to this Disagree information.

  2. If I perform Medicare work offshore (any location outside of the United

States where U.S. law is non-binding), I attest to the terms specified in

Agree

Appendix D. If I do not perform any Medicare work offshore or directly or indirectly employ any offshore labor, I will mark this assurance as ‘Not Disagree

Applicable.’ Not Applicable

Shape24

The person listed below must be authorized to bind your organization as a HETS Trading Partner. By completing and signing the section below, you agree that your organization will comply with the provisions of this Agreement.

Trading Partner Authorized Representative Signature

Title

Printed Name of Trading Partner Authorized Signer

Date Signed

Telephone Number

E-Mail Address

Shape25

APPENDIX A – REFERENCES – REQUIRED

Shape26

HETS Rules of Behavior

The HETS Rules of Behavior explains your responsibilities to get and use Medicare eligibility data. You must comply with the HETS Rules of Behavior to use HETS.

HETS Authorized Representative Roles and Responsibilities

The Authorized Representative (AR) Roles and Responsibilities explains your role as the Trading Partner Authorized Representative. It is written confirmation you understand your responsibilities related to HETS.

Acknowledgement

You must acknowledge to complete this Agreement:

Shape27

I acknowledge I read, understand, and will follow the HETS Rules of Behavior. I also shared the HETS Rules of Behavior with my customers or users and will enforce compliance.

I acknowledge I read, understand, and will follow the HETS Authorized Representative Roles and Responsibilities.

Shape28

APPENDIX B – INFORMATION TO REQUEST ACCESS TO HETS – REQUIRED

Shape29

Trading Partner Organization’s Information:

You must complete all fields in this table.

Trading Partner Organization Name:

Trading Partner Organization Legal Business Name:

Trading Partner Organization Billing Address:

City

State

Zip Code

Trading Partner Organization Physical Address:

City Shape30 State Shape31 Zip Code

Trading Partner Organization Technical Representative Name:

Trading Partner Organization Technical Representative Telephone Number:

Trading Partner Organization Technical Representative E-mail Address:

Note: CMS requires only one National Provider Identifier ( NPI) from an active and valid enrolled Medicare provider on this form. You’ll have the opportunity to provide other NPIs later.

Medicare Provider’s Name:

Medicare Provider’s NPI:

Trading Partner Organization Security Officer Contact Information (Optional):

Name: (Optional)

Title: (Optional)

Telephone number: (Optional)

E-mail address: (Optional)

Shape32

APPENDIX C – CONNECTIVITY – REQUIRED

Indicate the type of connectivity.

Extranet:



Yes


No




If yes, Name of Network Service Vendor (NSV) used


Internet:



Yes


No




If yes, Message Envelope Used



SOAP + WSDL


HTTP MIME Multipart



Trading Partner IP Address(es) for SOAP/MIME transaction (if sending multiple IP addresses, use a Classless Inter-Domain Routing (CIDR) notation, i.e., 192.0.1.0/24) SOAP + WSDL and HTTP MIME Multipart submitters only must fill out the fields below.

IP Address(es):

X.509 Digital Certificate Issuer Name:

X.509 Digital Certificate Type:

X.509 Digital Certificate Serial Number:

If you use SOAP + WSDL or HTTP MIME Multipart, you must include a copy of your organization’s public x.509 digital certificate as a separate attachment. We won’t process agreements without a copy of the public digital certificate.

Shape33

I agree to include the originating IP address on every transaction to HETS. We’ll revoke your HETS access if you purposefully manipulate or obscure the originating IP address(es).

Shape34

APPENDIX D – OFFSHORE DATA PROTECTION – SITUATIONAL (IF YOU HAVE

OFFSHORE ARRANGEMENT)

Offshore Data Protection Safeguards

Affirm all the following safeguards are actively in place.

Attestation of Safeguards to Protect Beneficiary Information Offshore

No. Assurance

Agreement

Shape35

The Trading Partner Authorized Representative must be able to attest to the Offshore Data Protection Safeguards Appendix D of the Agreement. Please complete the table below and then check the box at the bottom of the form to acknowledge your offshore data protection responsibilities.

Offshore Work Site

Organization Name*

Offshore Work Site Organization Address including Country Name*

Offshore Work Site

Organization Originating

IP Address(es)*

*If multiple Organizations, then provide all

Note: Enter each/every Offshore Work Site’s non-US Originating IP Addresses

Acknowledgement

You must acknowledge to complete this Agreement:

I, the Trading Partner Authorized Representative, acknowledge I have read and Shape36 understand the offshore data protection safeguards. I will ensure that the offshore organizations and addresses listed above will follow the offshore data protection safeguards.



File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File TitleMEDICARE HIPAA ELIGIBILITY TRANSACTION SYSTEM (HETS) TRADING PARTNER AGREEMENT (TPA)
SubjectMEDICARE HIPAA ELIGIBILITY TRANSACTION SYSTEM (HETS) TRADING PARTNER AGREEMENT (TPA)
AuthorCenters for Medicare & Medicaid Services
File Modified0000-00-00
File Created2024-10-07
© 2024 OMB.report | Privacy Policy