Guest Article

(From the May 14, 2007 issue of Deloitte's Washington Bulletin, a periodic update of legal and regulatory developments relating to Employee Benefits.)

Deadline for Complying with National Provider Identifier Standard Is May 23, 2007

The May 23, 2007 deadline for most health care providers, health plans, and health care clearinghouses (collectively "covered entities") to begin using National Provider Identifiers (NPI) to identify providers for billing and other electronic health-related transactions is fast approaching. Although health care providers are responsible for obtaining NPIs, the deadline is relevant to health plans (other than small plans, which have a May 23, 2008 compliance deadline), too. For example, health plans need to modify their systems to use the NPI by this deadline and reach out to their health care providers to make certain they have obtained their NPIs.

Most covered entities should be ready -- or well on their way to being ready -- to comply with the NPI standards by now. However, recent guidance on complying with the NPI rule after the May 23, 2007 deadline indicates some flexibility will be available for the first twelve months. This guidance, which is discussed in more detail below, is available at www.cms.hhs.gov/NationalProvIdentStand/Downloads/NPI_Contingency.pdf.

Background

Currently, health plans assign identifiers to each health care provider they do business with. As a result, providers that interact with multiple plans end up with numerous identifiers. Also, the Medicare and Medicaid programs assign identifiers to providers. To make the health care system more efficient and effective Congress included a series of "administrative simplification" provisions in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that require the Department of Health and Human Services (HHS) to "adopt national standards for electronic health care transactions and code sets and identifiers to be used in those transactions." The result is the NPI, which is intended to replace all these "legacy" identifiers that health plans currently use.

Final NPI Regulations

HHS issued final regulations implementing the NPI requirement early in 2004. 69 FR 3434 (January 23, 2004). Although the final regulations became effective on May 23, 2005, the compliance deadline for most covered entities is May 23, 2007. The only exception is for small health plans, which must begin complying no later than May 23, 2008.

HIPAA's administrative simplification provisions also mandate standard unique identifiers for employers offering health plans, individuals, and health plans. The tax identification number is the unique identifier for employers. To date no identifiers have been designated for health plans or individuals. (The concept of assigning a unique identifier to individuals is very controversial, and as a result may not be implemented.)

How Will the NPI Rule Be Enforced?

Beginning May 23, 2007 (or May 23, 2008 for small plans) covered entities are required to use the NPI to identify providers on all HIPAA covered transactions that call for health care provider identifiers. Examples of noncompliant transactions include transmitting covered transactions that require a health care provider's identifier with only legacy identifiers or with both legacy identifiers and NPIs.

The Centers for Medicare & Medicaid Services (CMS) is responsible for enforcing HIPAA's identifier provisions, including the NPI. CMS may assess a civil penalty against covered entities engaging in noncompliant transactions, but it can consider good faith efforts to comply with the NPI requirements. Also, CMS may not impose a civil money penalty where the failure to comply is based on reasonable cause and is not due to willful neglect, and the failure is cured within a 30-day period. CMS has the authority to extend this 30-day period to cure a violation "based on the nature and extent of the failure to comply."

According to CMS guidance, it will carry out its enforcement responsibility by focusing on "obtaining voluntary compliance" and using "a complaint-driven approach." When CMS receives a complaint, it will notify the covered entity and give the covered entity the opportunity to 1) demonstrate compliance, 2) document its good faith efforts to comply with the standards, and/or 3) submit a corrective action plan.

Due to concerns about the health care industry's readiness for the NPI requirements, CMS has announced two special rules for carrying out its enforcement duties during the twelve-month period immediately following the May 23, 2007 compliance deadline. The first special rule is designed to recognize the fact that any covered transaction will be noncompliant if one of the covered entities participating in the transaction is not compliant with the NPI requirements. In other words, a covered entity that does everything right still could have problems if a trading partner is less diligent. Thus, according to CMS, "during the 12 month period immediately following the May 23, 2007 compliance date for all covered entities other than small health plans, CMS intends to look at both covered (non-small health plans) entities' good faith efforts to come into compliance with the NPI standards in determining, on a case-by-case basis, whether reasonable cause for the noncompliance exists and, if so, the extent to which the time for curing the noncompliance should be extended."

The second special rule establishes a "no penalty" safe harbor for the same twelve-month period immediately following the May 23, 2007 compliance deadline for covered entities that are not ready to comply but who implement "contingency plans" designed to "ensure the smooth flow of payments." The safe harbor will be available to covered entities who implement contingency plans only "if they have made reasonable and diligent efforts to become compliant and, in the case of health plans (that are not small health plans), to facilitate the compliance of their trading partners." Specifically, according to CMS, "as long as a health plan (that is not a small health plan) can demonstrate to CMS its active outreach/testing efforts, it can continue processing payments to providers." Covered entities must end their contingency plans on or before May 23, 2008.

Example of Enforcement Process

CMS guidance provides the following example of how the enforcement process will work.

The information in this Washington Bulletin is general in nature only and not intended to provide advice or guidance for specific situations. If you have any questions or need additional information about articles appearing in this or previous versions of Washington Bulletin, please contact: Robert Davis 202.879.3094, Elizabeth Drigotas 202.879.4985, Taina Edlund 202.879.4956, Laura Edwards 202.879.4981, Mike Haberman 202.879.4963, Stephen LaGarde 202.879-5608, Erinn Madden 202.572.7677, Bart Massey 202.220.2104, Laura Morrison 202.879.5653, Martha Priddy Patterson 202.879.5634, Tom Pevarnik 202.879.5314, Tom Veal 312.946.2595, Deborah Walker 202.879.4955. Copyright 2007, Deloitte.