Read More

Medicare Part D Disclosure and HIPAA Breach Reporting Due March 1

Medicare Part D Creditable Coverage Disclosure

Entities with a calendar plan year that provide prescription drug coverage to Medicare Part D eligible individuals must complete a disclosure to the Centers for Medicare & Medicaid Services (CMS) stating whether the prescription drug coverage is creditable coverage no later than March 1.

Covered entities must complete the Online Disclosure Form annually, no later than 60 days from the beginning of the plan year. In addition to the annual disclosure, entities must also make a disclosure to CMS: (1) within 30 days after termination of a prescription drug plan, and (2) within 30 days after any change in creditable coverage status.

To complete the Online Disclosure Form, entities must provide the following information:

  • Name of Entity Offering Coverage
  • Entity FEIN, Address and Phone Number
  • Type of Coverage
  • Number of Prescription Drug Options
  • Creditable Coverage Status of Options
  • Period Covered by Disclosure Notice
  • Number of Part D Individuals Covered
  • Number of Individuals on Retiree Plan
  • Date Creditable Coverage Notice Provided
  • Change in Creditable Coverage Status

Tip: This disclosure to CMS is one of two Medicare Part D disclosure requirements. Entities are also required to provide a written notice to all Medicare eligible individuals regarding creditable coverage status prior to October 15 each year.

For additional information on completing the CMS Online Disclosure Form, visit: Creditable Coverage Disclosure User Manual

HIPAA Breach Reporting

Entities that experience a breach of unsecured protected health information (PHI) must provide notification of the breach to individuals impacted by the breach, the Department of Health and Human Services (HHS), and in some instances the media. Covered entities must notify HHS without reasonable delay, but in no case later than:

  • 60 days for a breach that affects 500 or more individuals; and
  • 60 days after the end of the calendar year in which the breach is discovered for a breach that affects less than 500 individuals.

Entities that experienced a breach, in the prior calendar year, affecting less than 500 individuals must report the breach to HHS no later than March 1. Covered entities will complete the reporting via the HHS website where it can fill out and electronically submit the breach report form.