3 Things to Know about CMS’ HIPAA Electronic Transactions Audit and How to Pass

by Matthew Albright, Chief Legislative Affairs Officer, Zelis Healthcare

Is your organization prepared to pass the Centers for Medicare & Medicaid Services’ (CMS) Compliance Review Program?

CMS is launching a Compliance Review Program, an audit to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) rules for electronic healthcare transactions. Starting in April, nine HIPAA-covered entities will be randomly selected for compliance review. Any clearinghouse or health plan, including fully and self-insured plans, may be chosen, regardless of whether they work with Medicare or Medicaid.

The audits will evaluate the most common administrative transactions that health plans conduct with providers. Health plans and clearinghouses will be audited for compliance with standardized formats and operating rules that have been adopted under the HIPAA Administrative Simplification provisions.

Zelis has tested its electronic remittance advice using the same test engine that CMS will use for the Compliance Reviews, and we’ve written a handy guide on how to use the system to prepare.

Three Things Payers Should Know about the Audits

  • While the goal is remediation, health plans and clearinghouses can be penalized
    CMS has stated that the audit program will use a “progressive penalty process with the goal of remediation, not punishment.” In that spirit, CMS will provide corrective action plans (CAP) and technical assistance. However, CMS has also warned that it may “impose financial penalties on any entity that is non-compliant and has failed to correct its violations.”
  • Healthcare electronic payments and other business transactions are under review
    A health plan’s compliance with healthcare EFT payments standards and operating rules is part of the audit program. One foundational requirement for the EFT is that, when requested by a provider, a health plan must deliver payments via EFT without delay, using appropriate standards, operating rules and code sets. Other transactions that may be reviewed include the eligibility for benefits request, claim status request, and electronic remittance advice (ERA). CMS will test these transaction files and ask entities to attest to whether the transactions comply with operating rules. Zelis is CAQH CORE-certified for EFT healthcare payments and ERA, which means Zelis has demonstrated that its IT system or product is operating in conformance with federally mandated EFT & ERA Operating Rules.
  • CMS uses an in-house test engine to test health plans’ transaction files
    For the audit, health plans and clearinghouses are asked to submit transaction files to CMS for testing through CMS’ in-house testing system, called the Administrative Simplification Enforcement Testing Tool or ASETT. Zelis self-tested its ERA transaction files (X12 835) using CMS’ ASETT engine just last year, so we have insight on what the test looks like and how to prepare for it. By the way, we passed.

How Payers can Pass the Audit

Health plans, third-party administrators and clearinghouses can pass the audits by:

  • Making sure they are offering basic administrative electronic transactions to providers – including claims, eligibility, claim status and EFT/ERA – and are conducting those transactions according to adopted standards and operating rules.
  • Confirming their vendor/business associate contracts include compliance requirements with HIPAA transaction standards and operating rules and asking these owners how they are confirming ongoing compliance.
  • Self-testing their transactions by submitting files through the same ASETT testing engine that CMS uses to conduct the audits or undergoing third-party testing or certifications.
  • Reading the FAQs and “Prep Steps” from CMS and the “Get Prepared” guide that Zelis has created.