Basic Contingency Planning Guidelines From CMS
Understanding CMS's compliance policy
CMS has heard the concerns expressed by the health care industry
– most notably, that testing rates are low and the process
is complex. This means that many covered entities may not be capable
of successfully transmitting HIPAA compliant transactions in time
for the October 16, 2003 compliance date. This has the potential
to affect provider cash flow.
That is why the Department of Health and Human Services wants to
ensure that the health care industry understands its enforcement
approach – more specifically, the enforcement approach the
Centers for Medicare and Medicaid Services will be adopting as the
industry moves towards compliance with HIPAA electronic transactions
and code sets.
On July 24, 2003,
HHS publicly released a document outlining its guidance on compliance
with transactions and code sets after October 16, 2003.
In the guidance, CMS discusses two primary goals: First, to move
all covered entities towards compliance as soon as possible and
second, to avoid the disruption of provider cash flow and any negative
impact on access to health care. To achieve these goals, CMS will
focus on obtaining voluntary compliance by using a complaint-driven
process. If CMS receives a complaint, CMS will evaluate the entity's
"good faith efforts" to comply with the standards and
will not impose penalties on covered entities who have deployed
contingencies to ensure the smooth flow of payments continues. More
information on CMS's "good faith policy" can be found
in the guidance document.
What is a contingency plan?
A contingency plan is an alternate way of doing business when established
routines are disrupted. In the case of the October 16, 2003 deadline,
a contingency plan should address the potential interruption of
claims processing and claims payment due to problems with transmission
using the new HIPAA transaction standards. Just as each covered
entity is different, there is no single contingency approach that
would be appropriate for all covered entities and all situations.
In addition, larger covered entities may need more than one contingency
plan.
For example, health plans will need to make their own determinations
regarding contingency plans based on their unique business environments.
A contingency plan could include maintaining legacy systems, flexibility
on data content or interim payments. Other more specific contingency
plans may also be appropriate. For example, a plan may decide to
continue to receive and process claims for supplies related to drugs
using the NCPDP format rather than the 837 format currently specified
in the regulations. The appropriateness of a particular contingency
or the basis for deploying the contingency will not be subject to
review by CMS.
Steps for contingency planning
CMS is encouraging covered entities to consider some common risks
associated with the October 16, 2003 deadline and make contingency
plans to address those risks. The following seven steps are general
guidelines for creating contingency plans:
- Assess your situation: Determine what business processes
are most at risk. Determine whether the risk condition is based
on your readiness or the readiness of your business partners.
Assess your expected October 2003 financial status. Understand
how a disruption in cash flow could impact your daily operations.
Estimate what financial obligations will come due at this time.
- Identify risks: For each business process you identified
as a potential risk for disruption, assess the likelihood and
impact of problems. Rate each potential risk as high, medium,
or low likelihood. Take into consideration the readiness of your
trading partners as well. Communicate with your trading partners
to assess their level of readiness for October 16, 2003 and what
impact their risks may have on your operations. Ask your payers
if they intend to maintain active capability to send and receive
your current formats while you transition to HIPAA standards.
For each of your trading partners, assess whether you have established
a sufficient "good faith" relationship to support each
other's contingent operations, as well as your own goals towards
compliance.
Document the responses they have given you through discussions
and correspondence. Focus on the risks that have the highest risk
exposure and that most impact your cash flow. For example, evaluate
the potential for delay in payments and take appropriate action.
- Formulate an action plan: Determine what you can do
to reduce the likelihood and impact of each risk happening. Choose
a strategy that will reduce that risk. Incorporate your strategy
into your staffing needs. For instance, you may require more staff
time to handle phone calls to resolve problems. Recognize how
this could impact your payroll.
- Decide if and when to activate your plan: Decide when
you must take action to implement your chosen strategy so as to
prevent an interruption in current business. Decide what you can
do now to avoid problems later.
Determine what your "trigger" is for putting your strategy
into action, and decide who will make that decision, and how.
- Communicate the plan: Record your entire strategy, the
person responsible for each action, and the steps that must be
taken. Share them with everyone who will have a role in implementing
your contingency plan.
- Test your plan: Review the strategy with the key players
and run through each potential risk and the steps identified to
reduce or avoid each risk.
- Treat your contingency plan as an evolving process:
Treat your plan as a business process that is evolving. Continually
review your own efforts at readiness, particularly your efforts
to inform your business partners of your expectations, and your
efforts to test with them. Update your plan as you move forward
and add any additional "to do" items you identify along
the way. Keeping track of your status will keep you organized
and focused, as well as document your "good faith efforts"
to comply. Most importantly, keep the lines of communication open
between you and your payers and clearinghouse.
Health plan responsibilities
Health plans should announce their contingency plans as soon as
possible to allow their trading partners enough time to make any
needed adaptations to their business operations. Before deploying
a contingency plan, organizations should make an assessment of their
outreach and testing efforts to assure they made a "good faith"
effort to comply.
For example, Medicare – a covered entity and a health plan
– is ready to accept HIPAA-compliant transactions. CMS has
directed the Medicare contractors to intensify all HIPAA outreach
and testing efforts with their respective provider and submitter
communities. On September 23, 2003 CMS also announced that it will
implement a contingency plan for the Medicare program to accept
noncompliant electronic transactions after the October 16, 2003
compliance deadline. This plan will ensure continued processing
of claims from thousands of providers who will not be able to meet
the deadline and otherwise would have had their Medicare claims
rejected. CMS made the decision to implement its contingency plan
after reviewing statistics showing unacceptably low numbers of compliant
claims being submitted.
The contingency plan permits CMS to continue to accept and process
claims in the electronic formats now in use, giving providers additional
time to complete the testing process. CMS will regularly reassess
the readiness of its trading partners to determine how long the
contingency plan will remain in effect.
Review your good faith efforts to comply
In the days remaining before the October 16th deadline, CMS encourages
providers to intensify their efforts toward achieving transaction
and code set compliance. Successful contingency planning is an important
part of this process and will require the attention and cooperation
of all health plans, clearinghouses and of all providers that conduct
electronic transactions.
As you develop your contingency plans, ask yourself the following:
- Do you understand CMS's "good faith efforts" guidance
on its enforcement approach?
- Have you made reasonable and diligent efforts to become HIPAA
compliant?
- Can you provide CMS with documentation of your good faith efforts
if a complaint is filed in response to your contingency plan?
CMS is here to help as well. Successful implementation will require
the attention and cooperation of the entire health care community.
There is considerable industry support for HIPAA transactions and
code sets. Your successful contingency plans will greatly enhance
communication throughout the industry as it moves towards HIPAA
compliance.