On December 27, 2001, President Bush signed into law H.R. 3323, the “Administrative Simplification Compliance Act,” which revises the final compliance date for the Health Insurance Portability and Accountability Act (HIPAA) electronic health care transactions standards and code sets implementation, solidifies the April 14, 2003 privacy rule implementation date, and authorizes additional funding for the Department of Health and Human Services (HHS).
One-Year Delay in Electronic Health Care Transactions Standards
Under the final electronic health care transactions rule authorized by HIPAA, healthcare providers, payers and claims clearinghouses conducting electronic transactions (“covered entities”) faced an October 16, 2002 deadline to implement standard transaction formats.(1) The new legislation delays the compliance date of the final HIPAA electronic transactions and code sets rule by one year, to October 16, 2003, but only if the covered entity submits a plan in writing to the Secretary of HHS by October 16, 2002 that explains why it cannot meet the 2002 deadline and outlines how it will meet the extended deadline.
Compliance Plan Required
Specifically, the compliance plan must contain:
- An analysis reflecting the extent to which, and the reasons why, the entity is not in compliance;
- A budget, schedule, work plan, and implementation strategy for achieving compliance;
- An indication whether the entity plans to use or might use a contractor or other vendor to assist it in achieving compliance; and
- A timeframe for testing that begins not later than April 16, 2003.
Congress directed the Secretary of HHS to create a model form by March 31, 2002 that covered entities may use in drafting compliance plans and to allow electronic submission of the compliance plans. Congress appropriated $44.2 million to HHS for HIPAA compliance activities, but mandated significant reductions in funding if HHS fails to timely complete the model form for compliance plans necessary to obtain the one-year delay in implementation of the electronic transactions standards. HHS would lose all $44.2 million if it fails to promulgate the model form for compliance plans within 60 days of the March 31, 2002 deadline.
Increased Sanctions for HIPAA Non-Compliance
The Administrative Simplification Compliance Act also significantly raises the stakes for HIPAA non-compliance. Failure to either submit a compliance plan or be in compliance with the transaction standards by October 16, 2002 can result in exclusion from participating in the Medicare plan. The enforcement provision gives the HHS Secretary discretion to exclude a non-compliant entity from Medicare.
The change in sanctions is noteworthy because it creates a much more draconian penalty for noncompliance than that originally created by HIPAA. As originally enacted, the general penalty for a violation of the Administrative Simplification subpart of HIPAA was a monetary fine of only $100 per violation, and total fines for the same violation could not exceed $25,000 per calendar year. HIPAA also stipulates that fines may not be imposed if the failure to comply was due to reasonable cause and the failure to comply is corrected within 30 days. Now, covered entities that fail to comply with HIPAA’s transactions standards face a possible death penalty in the form of exclusion from participation in Medicare.
No Delay for Privacy Rule
The new legislation does not change the April 14, 2003 compliance date for the final medical privacy rule.(2) Covered entities will likely need to upgrade data processing systems to handle HIPAA’s privacy requirements such as de-identification of health information and the minimum necessary standard. Ideally, covered entities would implement any changes in data processing systems required to comply with all of HIPAA’s components (privacy, security and electronic health care transactions) at the same time. Testing of compliance with the transactions rule must begin by April 16, 2003. Even with the delay, covered entities must act immediately to meet HIPAA’s deadlines.
(1) Small health plans (annual receipts of $5 million or less) had an additional year to comply, to October 16, 2003.
(2) Small health plans have an additional year to comply with the HIPAA medical privacy rule.