[ Thursday, January 29, 2004 ]
HIPAA complaints, TCS section: You all know that HHS (US Dept. of Health and Human Services) has tasked OCR (HHS' Office of Civil Rights) to be the enforcement agency for HIPAA. Actually, OCR is the enforcement agency of the HIPAA Privacy and Security standards. And you know that the Administrative Simplification subtitle of Title II of HIPAA (sometimes shortened to AdSi or AdminSimp) -- remember, HIPAA includes health insurance portability, medical savings accounts, fraud and abuse, and a bunch of other malarky in the other titles and subtitles -- can effectively be divided into 3 parts: Privacy, Security, and Transaction and Code Sets (or TCS).
[Yes, I know, what about identifiers? Those fall into TCS, which is sometimes called Transactions, Code Sets and Identifiers, but isn't usually called TCSI. Hey, I'm trying to make this simple, and it ain't easy.] Anyway, the point I'm trying to get to here is that OCR isn't tasked with enforcement of all of HIPAA, much less all of AdSi: it's only tasked with enforcement of Privacy and Security. Of course, those are the biggest slices of the pie, at least as regards the parts we non-techies talk about. The other slice, TCS, is enforced by HHS' Office of HIPAA Standards, or OHS. Actually, OHS is an office of CMS [which was originally tasked to enforce TCS, but which delegated it to OHS]. CMS, of course, stands for the Centers for Medicare and Medicaid Services (which should have been CMMS, but the second M was dropped (i) as a cost-saving measure and (ii) to comply with OTN regulations [OTN is the Office of TLA Nomenclature {TLA stands for Three Letter Acronym}]). So, to recap: Privacy and Security belong to OCR, but TCS belongs to OHS, a subsidiary of CMS.
Why do I bring this up? Because OHS now has a complaint mechanism for people in the healthcare stream of commerce to complain about other people in the healthcare stream of commerce not using the HIPAA TCS rules of the road. This AdSi enforcement tool is called ASET, which apparently stands for Administrative Simplification Enforcement Tool. You can find more information on it
here. If you are a provider or a payor and someone else is not using the HIPAA TCS standards to conduct transactions, and that intransigence is preventing you from getting paid, you can file a complaint against them. OHS will check out the complaint and notify the offending party, and give them a chance to correct their systems to no longer be an offending party. To file a complaint using ASET, you have to register; they say that's so they can track the complaint, but it could be that they're just a bunch of Men In Black trying to get your information. Anyway, that means no anonymous complaints.
And remember, ASET is only for complaints about TCS. If you've got privacy complaints, you've got to go
here. And if you've got security complaints, you just have to wait another year before those are final.
UPDATE:
See my 3/1 post above. CMS will also oversee Security, and OCR is only tasked with Privacy. Since there won't be much action on Security for a while (we've got over a year before the rules become final, and you can't file any complaints until then), it hasn't become an issue. And since Privacy and Security are so linked in my mind in practical terms, I personally think it's a mistake to put Security under CMS instead of OCR. I understand the (good) arguments why (it's more technical, like TCS), but think the hand-in-glove nature of Security and Privacy means they should be enforced by the same folks. Anyway, I'm still glad it's not the OIG.
Jeff [10:52 AM]
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template