A new provider in our group still pending to get a Medicaid number. Please verify if it is possible to start HMOs enrollments while Medicaid is pending?


Olga Khabinskay Credentialing Department Manager, MBA.

Yes, if the application is pending for more then 30 days you can start applying, HMO will look into the pending list of providers.

Managed Care Organizations (MCO’s) must ensure that during initial credentialing of providers new to the network the Active and Pending Enrollment files are checked to verify enrollment in fee-for-service Medicaid. Pended providers should be allowed provisional credentialing for 120 days while the Department of Health makes its enrollment decision. Make sure that your Medicaid enrollment application will not be denied or rejected due to errors or other reasons, as it may cause problems with HMOs approved enrollments or may lead to application rejections from HMOs. If you need professional help in Credentialing or have additional questions, contact WCH today at 718-934-6714.


What is the difference between addressable and required implementation specifications in the HIPAA Security Rule?


Office for Civil Rights (OCR)

If an implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards. 

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: 

(a) implement the addressable implementation specifications; 
(b) implement one or more alternative security measures to accomplish the same purpose; 
(c) not implement either an addressable implementation specification or an alternative. 

The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. 

For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. 

The decisions that a covered entity makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.