
Status of HIPAA Regulations
Compliance Calendar

(updated December 2006)

[Based on a presentation by HHS staff at the February 2002 meeting of the NUCC/NUBC; amended and updated by Phoenix Health Systems.]

Status of HHS HIPAA Administrative Simplification Regulations

TITLE

DESCRIPTION

STATUS

Revisions to HIPAA Code Sets

CMS-0013-P

This rule will propose revisions to the adopted transactions and code sets standards detailed in regulations published by HHS on August 17, 2000, and February 20, 2003. The Secretary intends to propose any replacements for specific code sets.

NPRM estimated publication date 3/07.

Guidance on Transactions and Code Sets Compliance Deadline

The guidance outlines CMS' approach to enforcement of the TCS provisions and reiterates what officials have been saying all along: "October 16, 2003 is the deadline... (a)fter that date, covered entities, including health plans, may not conduct noncompliant transactions" and "CMS will focus on obtaining voluntary compliance and use a complaint-driven approach for enforcement...".

Basic Contingency Planning Guidelines from CMS posted 10/03.

Guidance issued 7/24/03.

The Medicare HIPAA inbound claim contingency plan was terminated by CMS effective October 1, 2005.

Modifications to Electronic Transactions and Code Sets

CMS-0009-P

This proposed rule would revise the electronic transactions and code sets standards mandated by HIPAA.

NPRM estimated publication date 6/07.

Modifications to Transactions and Code Sets Standards

CMS-0003-P

CMS-0005-P

This final rule combines two proposed rules and adopts modifications recommended by the Designated Standards Maintenance Organizations, adopts a revised National Council for Prescription Drug Programs (NCPDP) standard for batched retail pharmacy transactions and a revised standard for pharmacy remittance advice and prior authorization, and retracts the NDC code as the standard for drugs in all transactions except retail pharmacies.

Final rule published 2/20/03.

Correction notice published 3/10/03 (PDF).

Compliance date 10/16/03.

 

Standards for Electronic Transactions

 

The final rule adopted the initial standards for transactions and code sets.

Published 8/17/00.

Compliance date 10/16/02 (10/16/03 for small health plans or if compliance extension plan submitted per ASCA, with a transactions testing deadline of 4/16/03).*

Privacy Guidance

The guidance clarifies and explains policies and key elements of the requirements of the final modified Privacy Rule.

For a particular segment in the Privacy Rule, the guidance provides a brief explanation of the segment and how the Rule works, followed by FAQs about that provision. The guidance does not address all of the relevant provisions in the Rule, although OCR anticipates adding segments in the future as it develops guidance on more Privacy Rule standards.

Revised guidance issued 4/3/03.

First guidance issued 7/6/01.

Modifications to Standards for Privacy of Individually Identifiable Health Information

 

Final Rule changes:

  • Marketing
  • Consent and Notice
  • Uses and Disclosures Regarding FDA-Regulated Products and Activities
  • Incidental Use and Disclosure
  • Authorization
  • Minimum Necessary
  • Parents and Minors
  • Business Associates
  • Research
  • Limited Data Set
  • Other provisions:
    • Hybrid Entities
    • Health Care Operations: Changes in Legal Ownership
    • Group Health Plan Disclosures of Enrollment and Disenrollment Information
    • Accounting of Disclosures
    • Disclosure for Treatment, Payment, or Health Care Operations of Another Entity
    • Protected Health Information: Exclusion for Employment
  • Technical corrections and additional clarifications related to various sections of the existing rule.

Final rule publication date 8/14/02.

Compliance date 4/14/03 for most covered entities (small health plans have until 4/14/04 to comply with the rule).

Standards for Privacy & Individually Identifiable Health Information

 

The final rule adopted standards for the privacy of personal health information.

Published 12/28/00.

Security Standards (HIPAA)

CMS-0049-F

This final rule adopts standards for the security of certain electronic identifiable health information of health plans, health care clearinghouses, and certain health care providers. It implements administrative simplification initiatives that have a national scope beyond the Medicare and Medicaid programs.

Final rule published 2/20/03.

Compliance date 4/20/05 for most covered entities (small health plans have until 4/20/06 to comply with the rule) per § 164.318(a)(1) of the regulation text.

 

Standard Unique Identifier for Employers

CMS-0047-F

This final rule was jointly developed by CMS, Treasury, Labor, and Defense. The regulation adopts an employer's tax ID number or Employer Identification Number (EIN) as the standard for electronic transactions, implementing an administrative simplification initiative that has a national scope beyond the Medicare and Medicaid programs.

Final rule published 5/31/02.

Compliance date 7/30/04 for most covered entities (small health plans have until 8/1/05 to comply with the rule).

Standard Unique Health Care Provider Identifier

CMS-0045-F

This final rule establishes a standard unique identifier for all health care providers under HIPAA. The rule implements administrative simplification initiatives that have a national scope beyond Medicare and Medicaid.

Final rule published 1/23/04.

Compliance date 5/23/07 for most covered entities (small health plans have until 5/23/08 to comply with the rule). Healthcare providers may apply for NPIs beginning on, but no earlier than, May 23, 2005.

Standard Unique National Health Plan (Payer) Identifier

CMS-6017-P

This proposed rule would implement a standard identifier to identify health plans that process and pay certain electronic health care transactions. It would implement one of the requirements for administrative simplification that have a national scope beyond Medicare and Medicaid.

Withdrawn 2/06. (According to CMS, "withdrawn" simply means that there is not a specific publication date at this time. Development of the rule has been delayed; however, when the exact date is determined, the rule will be put back on the agenda.)

Claims Attachments Standards

CMS-0050-P

This rule proposes standards for electronically requesting and supplying particular types of additional healthcare information in the form of an electronic attachment to support submitted healthcare claims data. It would implement some of the Administrative Simplification requirements of HIPAA.

Final rule estimated publication date 9/08.

NPRM published 9/23/05 (PDF).

HIPAA Enforcement

This final rule adopts the complete regulatory structure for implementing the civil money penalty authority of the Administrative Simplification part of HIPAA, completing the structure begun when the Privacy Rule was issued in 2000 and expanded by the interim final procedural enforcement rules issued in 2003. (See more on enforcement below.)

Final rule published 2/06.

Standards are required to be implemented generally within two years of the effective date of the final rule. (The effective date of the final rule is generally 60 days after its publication.) The effective date of the final Privacy Rule is 60 days after Congress was officially notified, which happened on 2/13/01. The effective date for the National Provider Identifier was delayed a few months to allow enough time for HHS to develop the system for implementing the identifier.

 


HIPAA Administrative Simplification Provisions Pending External Input

TITLE

DESCRIPTION

STATUS

Standard for Electronic Signature

An electronic signature standard was proposed in the Security NPRM. The final Security Rule indicates [see 68 FR 8335 (PDF)] that all comments concerning the proposed electronic signature standard, responses to these comments, and a final rule for electronic signatures will be published at a later date.

Regulation will not be developed until NCVHS has made a recommendation.

Implementation of other standards is not affected.

Proposed standard published 8/12/98.

Standard Transaction for First Report of Injury

This transaction was named in the statute, but industry continues to work on a consensus standard.

Industry expected to propose standard later.  Proposed rule will be developed at that time.

Implementation of other standards is not affected.

Unique Identifier for Individuals

Work on this identifier was halted due to privacy concerns.

Appropriations language prohibits CMS from expending funds.

Implementation of other standards is not affected.

 


*Administrative Simplification Compliance Act Regulations

TITLE

DESCRIPTION

STATUS

Model Compliance Extension Plan

Federal Register Notice

ASCA required the Secretary to develop a model compliance extension plan for use by covered entities when requesting the one-year extension for implementing the HIPAA transactions and code sets.

Covered entities that did not submit an extension request by 10/15/02 should come into compliance as soon as possible, and should be prepared to submit a corrective action plan in the event a complaint is filed against them.

Electronic Medicare Claims Submission

42 CFR Part 424

CMS-0008-F

This final rule implements the requirements for electronic submission of Medicare claims, submitted on or after October 16, 2003. In addition, this rule also implements the conditions upon which a waiver could be granted for these requirements.

CMS will not process incoming non-HIPAA-compliant electronic Medicare claims submitted for payment beginning October 1, 2005.

Final rule estimated publication date 12/06.

Interim final rule published 8/15/03 (PDF).

ASCA waiver application.

Exclusion from Medicare

Proposed Rule

ASCA gives the Secretary discretion to exclude from the Medicare program any covered entities that are not compliant by 10/02 AND have not submitted a compliance extension plan.

Schedule being developed.


 


Enforcement

Although HIPAA does not require a rule on enforcement, HHS published the final rule on HIPAA Enforcement on February 16, 2006, with an effective date of March 16, 2006. The Final Rule covers the enforcement process from its beginning, which will usually be a complaint or a compliance review, through its conclusion. These rules apply to covered entities that violate any of the rules implementing the Administrative Simplification provisions of HIPAA.

PART OF ADMINISTRATIVE SIMPLIFICATION

RESPONSIBLE FOR ENFORCEMENT

Privacy

HHS Office for Civil Rights (OCR)

Fact Sheet: How to File a Health Information Privacy Complaint
Complaints, which must be submitted in writing within 180 days of an unauthorized disclosure, can be faxed or mailed to the appropriate OCR regional office, or sent via email.

Transactions and Code Sets

HHS Office of E-Health Standards and Services (OESS)

The Administrative Simplification Enforcement Tool (ASET) allows complaints to be submitted online about covered entities' non-compliance with the HIPAA transaction standards. Complaints can also be submitted on a paper-based form available by download from CMS' site (PDF).

Security

Office of E-Health Standards and Services (OESS)

Identifiers

Office of E-Health Standards and Services (OESS)

 

Fines for Non-Compliance

Under "General Penalty for Failure to Comply with Requirements and Standards" of Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, Section 1176 says that the Secretary can impose fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year on any person who violates a provision of this part.

Under "Wrongful Disclosure of Individually Identifiable Health Information," Section 1177 states that a person who knowingly:

  • uses or causes to be used a unique health identifier;
  • obtains individually identifiable health information relating to an individual; or
  • discloses individually identifiable health information to another person,

shall:

  • be fined not more than $50,000, imprisoned not more than 1 year, or both;
  • if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  • if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
 
