Former CMS Official Matthew Albright in the Spotlight

EDITOR’S NOTE:

Matthew Albright oversaw the certification program at the Center for Affordable Quality Healthcare (CAQH) and Committee on Operating Rules for Information Exchange (CORE) to ensure conformance with the requirements of the Patient Protection and Affordable Care Act (PPACA). He also served as Director of the Administrative Simplification Group for the Centers for Medicare & Medicaid Services (CMS). In this role, Matthew was responsible for drafting the regulations that implemented Section 1104 of PPACA which specifies the requirements of the Health Insurance Portability and Accountability Act (HIPAA) administrative transactions. Here, in this exclusive interview with Chuck Buck, Albright, now associated with Zelis Payments, reports on PPACA in light of the Republican’s plan to repeal and replace the current U.S. healthcare system also known as “Obamacare.”

Please refresh our readers about Administrative Simplification (Section 1104) as it relates to the PPACA?

As many in the healthcare industry may remember, the original HIPAA statute and regulations required covered entities to use standard formats when conducting electronic administrative transactions with providers. The idea was that providers and health plans could achieve efficiencies and cost savings through the adoption of electronic business transactions, such as electronic claim submissions and claim payments, versus costly, paper-based methods. Adopting these standards, or consistent and universal formats for basic business transactions, was a logical first step.

By 2010, we were using the Internet to manage nearly all aspects of personal finances, from shopping to paying bills to managing investments. Most U.S. businesses and industries were fully engaged in conducting transactions electronically and garnering incredible efficiencies and cost savings by doing so.

The one exception was the healthcare industry. Studies in 2010 showed that only 10% to 30% of all health plan payments to providers were conducted electronically. The remaining transactions were still being processed with paper checks with EOBs attached.

Section 1104 of PPACA was meant to stimulate the slow adoption rate of electronic transactions since the original HIPAA legislation. The intent of Section 1104 was to make it easier for the various parties, especially physicians and hospitals, to adopt electronic transactions.

The most significant benefit that Section 1104 provided was to require that operating rules – essentially, basic business rules – be developed for all HIPAA electronic transactions. If we think of the standards as “vehicles” that transport data the between providers and health plans, then the operating rules can be thought of as the “rules of the road” for these vehicles. The HIPAA operating rules were modeled on the financial industry’s operating rules. The financial industry’s operating rules were created for electronic funds transfers (EFTs) and were meant to address such things as the timing of the transactions, the respective responsibilities of the sender and receiver, the acknowledgements of receipt, and even specific data elements within the standards.

Section 1104 also placed a deadline on the long-required health plan identifier (HPID) and required a standard be adopted for healthcare payments via EFT. In terms of enforcement of administrative simplification provisions, Section 1104 required the Centers for Medicare & Medicaid Services (CMS) to conduct audits and to create a Certification of Compliance program. Lastly, Section 1104 also mandated the development of an industry-based Review Committee and empowered it to direct CMS to initiate regulations that industry deemed necessary.

How would the wholesale repeal of the PPACA impact Administrative Simplification?

A wholesale repeal of PPACA – removing it “root and branch,” as has been proposed in some of the current House legislation – may not have as large of an impact on Section 1104 provisions as one might think.

If such a wholesale repeal was to occur, the Section 1104 provisions the industry has already implemented will most likely stay. This would include standards on healthcare EFTs, the beginnings of an audit program, and operating rules for eligibility, claim status, electronic remittance advice, and healthcare EFTs. These provisions would likely survive because they all have some authority for their existence in the original HIPAA statute and regulations.

The healthcare EFT is a good example: During my time working with CMS as a regulator, we were required by Section 1104 to adopt a standard for a “new” HIPAA transaction that Congress called the healthcare EFT. However, when thinking about how best to put an EFT standard into regulation, we saw that there was already a healthcare payment and remittance advice transaction. This transaction was authorized by the original HIPAA regulations in 2000 and essentially defined the EFT transaction. Instead of adopting a standard for a new transaction created by PPACA, for convenience sake we simply added a standard to an already existing transaction. Because of the rather accidental way we wrote the regulation, the authority for the EFT standard comes directly from the original HIPAA, not from PPACA.

Similarly, the authority for operating rules and for CMS to audit health plans can also be traced to language in the original HIPAA, although the authority is more indirect.

If a complete repeal was to occur, everything else in Section 1104 that hasn’t been implemented would most likely be swept away. This includes the Certification of Compliance program, Health Plan Identifier, and the Review Committee.

How would the Republicans’ American Health Care Act (AHCA) impact Administration Simplification?

The AHCA does not mention Section 1104, so the section would not be repealed. If the AHCA were to become law (in the version in which it was introduced), then all provisions of Section 1104 would still be the law of the land.

Section 1104 was scored by the Congressional Budget Office when PPACA was introduced, so Section 1104 technically could be repealed through the process of reconciliation. However, I’ve had several discussions with Republican staffers on the Senate side, and they have all said that it is unlikely that Section 1104 will be caught up in the sausage-making going on now in Congress regarding the repeal of PPACA.

What would be the impact on payers and providers?

We think it is unlikely that Section 1104 will be impacted by any PPACA repeal strategies in the near future. But, whether GOP gets their AHCA through this year or not, we’re probably in for a few years when sections of PPACA might come under risk again as Congress considers future legislation on PPACA repeal and replace. There may even be a repair scenario where Section 1104 could have its more contentious elements stripped out; these might include the Certification of Compliance program, the HPID and probably the Review Committee.

However, even when looking at all possible scenarios of a partial or complete repeal or repair, it remains highly likely that the Section 1104 provisions that are already in force today will remain.

This means that, for payers and providers, their money has probably been well spent if they’ve already implemented and are using the EFT standards according to the mandated operating rules. Regardless of what happens to PPACA, CMS is now likely to turn to enforcement of these provisions.

Talk to me about Administrative Simplification enforcement. Are audits likely to be forthcoming?

CMS is being very tight-lipped about what their priorities are now, but this is probably because they themselves are not sure what changes may happen under the new administration.

However, many signs point to the idea that CMS will soon be launching an audit program for compliance with administrative simplification. First, CMS was already working on an enforcement strategy and an audit program prior to the election: About a year ago, the director of the CMS group that regulates administrative simplification provisions lamented that the industry thought there were no consequences to being noncompliant. The director publicly said that her group was “developing a comprehensive compliance strategy” that would challenge that perception.

Second, the CMS administrative simplification group just underwent another reorganization in January. Madhu Annadata heads up the program now, and his resume has been all about enforcement. He previously worked in the CMS Center for Program Integrity, the department that manages all the Medicare and Medicaid fraud and abuse issues, and, up until this reorganization, he was director of the now-defunct Division of Administrative Simplification Enforcement.

Finally, on a broader level, HHS Secretary Price stressed support for audit programs in his confirmation hearings. The new administration actively hired investigators and auditors for HHS before implementing the hiring freeze.

Will CMS enforcement of Administrative Simplification be similar to the enforcement strategy at the Office of Civil Rights (OCR)?

That is exactly what we can expect. HIPAA privacy and HIPAA administrative simplification share the same enforcement rules and the same civil money penalties in the same section of the Code of Federal Regulations (45 CFR), so it would make sense that their enforcement strategies would be more similar than they would be different. In fact, the National Committee on Vital Health Statistics (NCVHS) said as much when it recommended that the CMS’ enforcement strategy be “at the same level of engagement” as OCR’s enforcement.

CMS’ and OCR’s shared rules provide two tools of enforcement: complaint investigations and compliance reviews. For complaint investigations, CMS has spent the last year updating and marketing an online portal where individuals and organizations can submit complaints of noncompliance with admin sim provisions. CMS has stated that they receive an average of 500 complaints a year through the system.

Compliance reviews, on the other hand, are a catch-all tool that allows OCR and CMS to investigate any violation of HIPAA brought to their attention through mechanisms other than a complaint. CMS believes its authority to conduct audits comes from the regulatory ability to use compliance reviews.

OCR and CMS also have the same civil money penalties for non-compliance of their respective provisions. They both have the authority to negotiate resolution agreements where violators “plea bargain” for lower monetary settlements instead of the civil money penalties which, in practice, are always staggeringly high. CMS’ admin sim enforcement has yet to utilize this approach, but OCR is now infamous for it, having collected $46 million using resolution agreements since 2011.

To summarize, there are two current developments in administrative simplification. First, it is likely that the Section 1104 provisions that industry should have already implemented are going to survive the PPACA tempest in the near and far future.

Second, enforcement is on the way, and audits will likely occur. While CMS is still getting acclimated under the new administration, it would behoove health plans, particularly regional and employer sponsored plans, to prepare by doing their own internal audits and to follow up with any business associates that might be conducting transactions on their behalf.

I’d recommend that everyone batten down their hatches in terms of administrative simplification. Confirm that your organization is conducting the healthcare EFT and other transactions per the adopted standards and operating rules.

There’s no certainty and no guarantees in healthcare policy during these times, but we can do what we can to make sure our own houses are in order.

   Matthew Albright, Vice President of Legislative Affairs, Zelis Healthcare