CMS-10662 Compliance_Review_Package

Administrative Simplification HIPAA Compliance Review (CMS-10662)


Compliance Review

OMB: 0938-1390


Form Approved: OMB # 0938-1390

Expiration 12/31/2025

DEPARTMENT OF HEALTH & HUMAN SERVICES

Centers for Medicare & Medicaid Services

7500 Security Boulevard, Mail Stop N1-19-21

Baltimore, Maryland 21244-1850

Notice of Compliance Review

Date of Notice: FULLDATE

CONTACTNAME

JOBTITLE

CENAME

ADDRESS1

ADDRESS2

CITY, ST ZIP

Re: Compliance Review Number XXXXX

Dear FIRSTNAME LASTNAME:

The purpose of this notice is to inform you that the Department of Health and Human Services (HHS), National Standards Group (NSG) within the Centers for Medicare & Medicaid Services (CMS), has randomly selected <Covered Entity Name> to be the subject of a Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Affordable Care Act (ACA) compliance review.

As part of the <Covered Entity Name> compliance review, an assessment will be conducted to determine compliance with the Administrative Simplification provisions as outlined in 45 CFR Parts 160 and 162. The assessment includes a review of the HIPAA mandated transactions, code sets, unique identifiers and operating rules, and will take approximately 30 days. Violations discovered during the assessment may result in the implementation of a corrective action plan.

Further in this notice is a request for specific information and artifacts to be provided by your organization (see Parts B and C). All information and artifacts requested within this notice must be uploaded to the ASETT Covered Entity Portal no later than (month, day, year (within 10 business days)). Please refer to the CMS Identity Management (IDM) System and Compliance Review Covered Entity Portal Access Quick Start User Guide to review instructions for accessing the ASETT Covered Entity Portal.

Once received, we will review the documentation and notify you if it is satisfactory or additional information is needed. All sensitive and/or confidential information received will be protected to the full extent required by federal law.

If at any time you are unable to serve as the designated contact person for the <Covered Entity Name> compliance review, please notify us immediately in writing, and provide a replacement contact name, address, telephone number, and email address.

NSG is responsible for promoting compliance with the HIPAA Administrative Simplification requirements as referenced in 45 CFR Part 160.308. Additional information pertaining to compliance can be found on the CMS website at: CMS Regulations and Guidance.

If you have any questions regarding this notice, please send an email to [email protected]. Please include the compliance review number located at the top of this notice.

Sincerely,

Michael Cimmino

Director, National Standards Group

Office of Healthcare Experience and Interoperability

Enclosures: Parts A, B, C

Part A - Assessment Objectives, Scope, and Review Process

Assessment Objectives

The objective of the compliance review program is to conduct assessments and identify whether a covered entity is compliant with the HIPAA adopted standards, and administrative simplification. In addition, it affords the opportunity to correct noted deficiencies, allowing the covered entity to address compliance issues before they potentially result in a complaint.

Assessment Scope

The scope of the assessment consists of the following actions:

  • Random selection of a covered entity

  • Notification to the covered entity

  • Artifact request from the covered entity

  • Artifacts provided by the covered entity

  • Assessment review conducted

  • Assessment outcome reported to covered entity

  • Covered entity reviews assessment outcome

  • Covered entity responds to assessment outcome

  • If necessary, covered entity referred for corrective action

  • Assessment finalized

Assessment Process

The assessment is to determine if the selected covered entity is compliant with adopted standards, including transactions, code sets, unique identifiers, and operating rules. The following are used during the assessment process:

  • HIPAA mandated electronic transactions

  • EDIFECS Onboarding and Testing Cloud Service (OTCS) and Transaction Management (TM) validation tool results, accessed through the Administrative Simplification Enforcement and Testing Tool (ASETT)

  • X12 Implementation guides (TR3s) and Requests for Interpretation (RFIs)

  • Applicable code sets

  • Applicable Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange (CAQH CORE) operating rules and attestations

  • Applicable companion guides


Part B - Entity Information

This section is intended to collect organization and contact information. A qualified member of the organization must complete all applicable sections.



Section 1. Organization and Point of Contact Information

Organization Information






Organization Name:

DBA¹:

Contact Name:

Title:

Telephone:

E-mail:

Business Address:

City:

State/Province:

Country:

Zip:

URL:


Point of Contact Information

Organization Name:

Contact Name:

Title:

Telephone:

E-mail:

Business Address:

City:

State/Province:

Country:

Zip:

URL:



Section 2. Type of Covered Entity (check all that apply)

  • Large Health Plan²

  • Large Provider³

  • Large Institution

  • Small Health Plan⁴

  • Small Provider⁵

  • Small Institution

  • Clearinghouse

  • Business Associate

  • Other (please specify):


Section 3. Operating Rule Certification

Has your organization obtained a voluntary Operating Rule seal from CORE? If so, when was it obtained? (Certificate status must be current and not revoked.)

YES NO

Date of Certificate:


Section 4. Business Relationships

Does your organization have a relationship with one or more third-party agents (clearinghouses, vendors, etc.) that conduct transactions or operating rules (ORs) on your behalf? Yes No

Please provide company name(s) and points of contact for each third-party relationship:

Company Name | Contact Name | Transaction/OR




Section 5. Acknowledgments


By signing below, I attest that the information provided as part of this questionnaire is true and accurate to the best of my knowledge.

Please double click the “X” to insert an electronic signature.

Date: Select a date.

Contact Person Name:

Title:



Part C - Artifact Request

ENTITY TYPE:

DUE DATE: Select a date.

Prior to uploading transaction artifacts, you must accept the invitation to register in the Compliance Review Program in Onboarding and Testing Cloud Services (OTCS) via the ASETT Compliance Review Covered Entity Portal. Please refer to the Compliance Review Covered Entity Portal User Manual to review instructions for accepting the Compliance Review Program invitation and testing transaction artifacts in the Compliance Review Covered Entity Portal. A link to the Compliance Review Covered Entity Portal User Manual is provided at the top of the ASETT Covered Entity Portal Welcome Page.

Upload all requested artifacts marked below to the ASETT Covered Entity Portal by or before the established due date. As a reminder, all non-transaction artifacts are to be uploaded via the Upload Documents section in the ASETT Covered Entity Portal. All transaction artifacts must be uploaded in OTCS. Please refer to the Compliance Review Covered Entity Portal User Manual to review instructions for uploading artifacts.

All transaction files must be the original file that was sent to your trading partner and be in a readable text format (.txt, .edi or .dat). Non-transaction documents should be either Microsoft Word, Excel, or PDF formats. Do not copy and paste transaction data into new files as all transaction files must be the original file sent to your trading partner. We reserve the right to contact your trading partners if the need arises.

Please note, the ASETT Compliance Review Covered Entity Portal has a 4.8MB file size limit. Files that exceed 4.8MB, or documents with embedded files or password protection will produce an upload error.

Please use the following file-naming convention for single transaction files:

Transaction Number_Covered Entity Name_Original File Name.File Extension

  • Transaction Number is the transaction set number, e.g., 270, 271, etc.

  • Covered Entity Name is your organization’s (the covered entity) name

  • Original File Name is optional

    • If original file name has multiple nodes (period (.) separators), please replace with underscores (_)

  • File Extension is the file extension type (.txt, .edi, or .dat)

DOCUMENTATION REQUESTS

Completed Assessment Package Form (this notice, Part B).

Companion Guides for transactions marked below, if applicable.

Completed Operating Rule Attestation for the following 5010 transaction(s) and EFT: 270, 271, 276, 277 and 835.

Other: _______________________________________________________________

PROVIDER TRANSACTION REQUESTS

Delete this section if not used.

005010X279A1, 270 Health Care Eligibility Verification Request

    • Starting with the __ day of month, provide the last production 270 unaltered file and all previous 270 unaltered files until a minimum of XX requests has been reached. This may consist of one or more files to meet the minimum request.

005010X212, 276 Health Care Claim Status

    • Starting with the __ day of month, provide the last production 276 unaltered file and all previous 276 unaltered files until a minimum of XX requests has been reached. This may consist of one or more files to meet the minimum request.

005010X217, 278 Health Care Services Review - Request

    • Starting with the __ day of month, provide the last production 278 unaltered file and all previous 278 unaltered files until a minimum of XX requests has been reached. This may consist of one or more files to meet the minimum request.

005010X223A2, 837 Health Care Claim - Institutional

    • Starting with the __ day of month, provide the last production 837I unaltered file and all previous 837I unaltered files until a minimum of XX claims has been reached. This may consist of one or more files to meet the minimum request.

005010X222A1, 837 Health Care Claim - Professional

    • Starting with the __ day of month, provide the last production 837P unaltered file and all previous 837P unaltered files until a minimum of XX claims has been reached. This may consist of one or more files to meet the minimum request.

005010X224A2, 837 Health Care Claim - Dental

    • Starting with the __ day of month, provide the last production 837D unaltered file and all previous 837D unaltered files until a minimum of XX claims has been reached. This may consist of one or more files to meet the minimum request.

NCPDP D.0 Pharmacy Claim

    • Starting with the __ day of month, provide the last production NCPDP D.0 unaltered file and all previous NCPDP D.0 unaltered files until a minimum of XX claims has been reached. This may consist of one or more files to meet the minimum request.

HEALTH PLAN TRANSACTION REQUESTS

Delete this section if not used.

005010X279A1, 271 Health Care Eligibility Verification Response

    • Starting with the __ day of month, provide the last production 271 unaltered file and all previous 271 unaltered files until a minimum of XX responses has been reached. This may consist of one or more files to meet the minimum request.

005010X212, 277 Health Care Claim Status Response

    • Starting with the __ day of month, provide the last production 277 unaltered file and all previous 277 unaltered files until a minimum of XX responses has been reached. This may consist of one or more files to meet the minimum request.

005010X217, 278 Health Care Services Review - Response

    • Starting with the __ day of month, provide the last production 278 unaltered file and all previous 278 unaltered files until a minimum of XX responses has been reached. This may consist of one or more files to meet the minimum request.

005010X221A1, 835 Health Care Claim Payment/Advice Transactions

    • Starting with the __ day of month, provide the last production 835 unaltered file and all previous 835 unaltered files until a minimum of XX claim payments has been reached. This may consist of one or more files to meet the minimum request.

005010X223A2, 837 Health Care Claim - Institutional (COB Only)

    • Starting with the __ day of month, provide the last production 837I unaltered file and all previous 837I unaltered files until a minimum of XX COB claims has been reached. This may consist of one or more files to meet the minimum request.

005010X222A1, 837 Health Care Claim - Professional (COB Only)

    • Starting with the __ day of month, provide the last production 837P unaltered file and all previous 837P unaltered files until a minimum of XX COB claims has been reached. This may consist of one or more files to meet the minimum request.

005010X224A2, 837 Health Care Claim - Dental (COB Only)

    • Starting with the __ day of month, provide the last production 837D unaltered file and all previous 837D unaltered files until a minimum of XX COB claims has been reached. This may consist of one or more files to meet the minimum request.

NCPDP D.0 Pharmacy Claim (COB Only)

    • Starting with the __ day of month, provide the last production NCPDP D.0 unaltered file and all previous NCPDP D.0 unaltered files until a minimum of XX COB claims has been reached. This may consist of one or more files to meet the minimum request.

005010X218, 820 Premium Payment

    • Starting with the __ day of month, provide the last production 820 unaltered file and all previous 820 unaltered files until a minimum of XX premium payments has been reached. This may consist of one or more files to meet the minimum request.

005010X220A1, 834 Benefits Enrollment and Maintenance

    • Starting with the __ day of month, provide the last production 834 unaltered file and all previous 834 unaltered files until a minimum of XX enrollments has been reached. This may consist of one or more files to meet the minimum request.

CLEARINGHOUSE TRANSACTION REQUESTS

Delete this section if not used.

005010X279A1, 270 Health Care Eligibility Verification Request

    • Starting with the __ day of month, provide the last production 270 unaltered file and all previous 270 unaltered files until a minimum of XX requests has been reached. This may consist of one or more files to meet the minimum request.

005010X279A1, 271 Health Care Eligibility Verification Response

    • Starting with the __ day of month, provide the last production 271 unaltered file and all previous 271 unaltered files until a minimum of XX responses has been reached. This may consist of one or more files to meet the minimum request.

005010X212, 276 Health Care Claim Status

    • Starting with the __ day of month, provide the last production 276 unaltered file and all previous 276 unaltered files until a minimum of XX requests has been reached. This may consist of one or more files to meet the minimum request.

005010X212, 277 Health Care Claim Status Response

    • Starting with the __ day of month, provide the last production 277 unaltered file and all previous 277 unaltered files until a minimum of XX responses has been reached. This may consist of one or more files to meet the minimum request.

005010X217, 278 Health Care Services Review - Request

    • Starting with the __ day of month, provide the last production 278 unaltered file and all previous 278 unaltered files until a minimum of XX requests has been reached. This may consist of one or more files to meet the minimum request.

005010X217, 278 Health Care Services Review - Response

    • Starting with the __ day of month, provide the last production 278 unaltered file and all previous 278 unaltered files until a minimum of XX responses has been reached. This may consist of one or more files to meet the minimum request.

005010X223A2, 837 Health Care Claim - Institutional

    • Starting with the __ day of month, provide the last production 837I unaltered file and all previous 837I unaltered files until a minimum of XX claims has been reached. This may consist of one or more files to meet the minimum request.

005010X222A1, 837 Health Care Claim - Professional

    • Starting with the __ day of month, provide the last production 837P unaltered file and all previous 837P unaltered files until a minimum of XX claims has been reached. This may consist of one or more files to meet the minimum request.

005010X224A2, 837 Health Care Claim - Dental

    • Starting with the __ day of month, provide the last production 837D unaltered file and all previous 837D unaltered files until a minimum of XX claims has been reached. This may consist of one or more files to meet the minimum request.

NCPDP D.0 Pharmacy Claim

    • Starting with the __ day of month, provide the last production NCPDP D.0 unaltered file and all previous NCPDP D.0 unaltered files until a minimum of XX claims has been reached. This may consist of one or more files to meet the minimum request.

005010X221A1, 835 Health Care Claim Payment/Advice Transactions

    • Starting with the __ day of month, provide the last production 835 unaltered file and all previous 835 unaltered files until a minimum of XX claim payments has been reached. This may consist of one or more files to meet the minimum request.

005010X223A2, 837 Health Care Claim - Institutional (COB Only)

    • Starting with the __ day of month, provide the last production 837I unaltered file and all previous 837I unaltered files until a minimum of XX COB claims has been reached. This may consist of one or more files to meet the minimum request.

005010X222A1, 837 Health Care Claim - Professional (COB Only)

    • Starting with the __ day of month, provide the last production 837P unaltered file and all previous 837P unaltered files until a minimum of XX COB claims has been reached. This may consist of one or more files to meet the minimum request.

005010X224A2, 837 Health Care Claim - Dental (COB Only)

    • Starting with the __ day of month, provide the last production 837D unaltered file and all previous 837D unaltered files until a minimum of XX COB claims has been reached. This may consist of one or more files to meet the minimum request.

NCPDP D.0 Pharmacy Claim (COB Only)

    • Starting with the __ day of month, provide the last production NCPDP D.0 unaltered file and all previous NCPDP D.0 unaltered files until a minimum of XX COB claims has been reached. This may consist of one or more files to meet the minimum request.

005010X218, 820 Premium Payment

    • Starting with the __ day of month, provide the last production 820 unaltered file and all previous 820 unaltered files until a minimum of XX premium payments has been reached. This may consist of one or more files to meet the minimum request.

005010X220A1, 834 Benefit Enrollment and Maintenance

    • Starting with the __ day of month, provide the last production 834 unaltered file and all previous 834 unaltered files until a minimum of XX enrollments has been reached. This may consist of one or more files to meet the minimum request.

1 DBA (Doing Business As…)

2 Annual receipts >$5 million

3 Provider with 25 or more full-time employees, or a physician, practitioner, facility, or supplier with 10 or more full-time equivalent employees

4 Annual receipts ≤ $5 million

5 Provider with less than 25 full-time employees, or a physician, practitioner, facility, or supplier with less than 10 full-time equivalent employees

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-1390 from the year of 2024 through 2025. The objective of the HIPAA Administrative Simplification information collection program is to conduct assessments and identify whether a covered entity is compliant with the HIPAA-adopted standards, and administrative simplification. The time required to complete this information collection is estimated to average less than 10 hours per response (4 forms x 60 minutes/form), including the time to review instructions, search existing data resources, gather the data needed, and review and complete the information collection. This information collection is mandatory (under 45 CFR § 160.310). If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, Baltimore, Maryland 21244-1850.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified: 0000-00-00
File Created: 2025-06-19
