| HIPAA Compliance
Dates |
| Standard |
Compliance
Date |
Extention
Date |
| Transactions and Code
Sets |
10/16/2003 |
10/16/2003
Only if application filed
before
Oct 15, 2002. |
 |
| National Provider
Identifier |
Pending |
Not Applicable |
|
| National Employer
Identifier |
Pending |
Not Applicable |
|
| Security
Rule |
4/20/2005 |
Not Applicable |
|
| Privacy
Rule |
4/14/2003 |
Not Applicable |
|
| National Health Plan
identifier |
Pending |
Not Applicable |
|
| Claims
Attachments |
Pending |
Not Applicable |
|
| Enforcement |
Interim Final
Rule is now in effect until 9/16/2004, at which time the Final Enforcement Rule
is scheduled to be completed and will replace it.
|
Not Applicable |
|
| National Individual
Identifier |
Pending |
Not Applicable |
|
| Business
Associates |
4/14/2003 |
4/14/2004
Extension applies ONLY to business
associates with exisiting business associate contracts made prior to April 14,
2003. |
|
|
|
| Overview of The Official HIPAA
Compliance Dates |
Due to a
federal administrative oversight, the HIPAA Regulations were slightly delayed.
Technically, the HIPAA Regulations became effective on April 14, 2001 and all
health care providers are responsible for adherence to the regulations from
that date. Further, from that same date of April 14, 2001, all health care
providers are liable for violations of the HIPAA Regulations, and are subject
to criminal penalties and/or potentially devasting civil litigation for their
share of responsibility in the release (accidental or intentional) of the
individual's protected health information.
From a practical standpoint
and to allow the health care industry a grace period to comply, the Federal
Government has effectively extended the compliance dates as follows:
- Health Care
Providers are required to comply with the Privacy regulations by April 14,
2003. They are required to comply with the Transaction and Code Set regulations
by Oct. 15, 2002 unless they file for a one year extention by Oct. 15, 2002, in
which case they are allowed until October 15, 2004 to be compliant. Compliance
dates for the Security Regulations is April 20, 2005 for all health care
providers covered under HIPAA.
- Health Care Clearinghouses are required to comply with
the Privacy regulations by April 14, 2003. They are required to comply with the
Transaction and Code Set regulations by Oct. 15, 2002 unless they file for a
one year extention by Oct. 15, 2002. Compliance dates for the Security
Regulations is April 20, 2005 for all health care providers covered under
HIPAA.
- Major Health Plans (Plans with revenues of more than $5
Milliion) are required to comply with the Privacy regulations by April 14,
2003. They are required to comply with the Transaction and Code Set regulations
by Oct. 15, 2002 unless they file for a one year extention by Oct. 15, 2002.
Compliance dates for the Security Regulations is April 20, 2005 for all health
care providers covered under HIPAA.
- Small Health Plans (Plans with renenues of less than $5
Million) are required to comply with the Privacy regulations by April 14,
2004. They are required to comply with the Transaction and Code Set regulations
by Oct. 15, 2002 unless they file for a one year extention by Oct. 15, 2002.
Compliance dates for the Security Regulations is April 20, 2006 for all health
care providers covered under HIPAA.
Anyone may implement
the standards earlier than the date specified in the standard. |
|
|
Status of the HIPAA Administrative
Simplification Regulations
as of |
65 FR 50311
Standards for Electronic Transactions
and Code Sets |
The final rule established the standards for electronic
transactions and for code sets required to identify treatment
procedures. |
Published in the Federal Register September 17, 2000.
Offically became law 90 days later.
Mandatory compliance date for health
care provoders is October 16, 2002 (or October 16, 2003 if an extension
application has been submitted. See Appendix A below). |
65 FR 82461
Standards for Privacy &
Individually Identifiable Health Information |
The final rule established the standards for the privacy
of individual protected health information. |
Published in the Federal Register December 28, 2000.
Officially became law 90 days later.
The compliance date for all health
care providers is April 14, 2003. |
|
67 FR 14775
Modifications to Standards for Privacy
of Individually Identifiable Health Information |
Modifications by the HHS were made to the following areas
of the the Privacy Rule:
- Consent and Notice
- Minimum Necessary and Oral Communications
- Marketing
- Business Associates
- Parents and Minors
- Uses and Disclosures for Research
Purposes
- Uses and Disclosure for which
Authorizations are Required
- Other sections of the Privacy Rule
|
Notice published by the Department of Health and Human
services on March 27, 2002 for 30 days of official comments.
Official
comment period ended on April 26, 2002.
Published in the Federal
Register August 15, 2000. Offically became law on October 15, 2002. The
compliance date for all covered health care providers is April 14,
2003. |
|
CMS-0047-F
Standard For Unique Identifier for
Employers |
The Final Rule for this standard is being jointly
developed by CMS (Centers for Medicare & Medicaid Services, formally the
HCFA), Treasury, Labor, and Defense. The rule adopts the employer's tax ID
number or Employer Identification Number (EIN) as the standard for electronic
transactions. |
The Final Rule was published in the Federal Register on
May 31, 2002. |
CMS-0049-F
Security Standards
(HIPAA) |
This final rule was developed jointly by CMS (Centers for
Medicare & Medicaid Services, formally the HCFA) and the Department of
Commerce. This final rule adopts standards for the security of certain
electronic identifiable health information of health plans, health care
clearinghouses, and certain health care providers. |
Final Rule published in the Federal Register on February
20, 2003. Officially become law on April 20, 2003.
The compliance date
for all health care providers is April 14, 2005. |
CMS-0045-F
Standard Unique Health Care Provider
Identifier |
This final rule establishes a standard unique ID,
adopting the NPI as the standard identifier for all health care providers under
HIPAA. |
The estimated publication date for the Final Rule is to
be determined. |
CMS-0050-P
Standard for Claims
Attachments |
This rule proposes to adopt a standard for claims
attachments, which frequently accompany health care standard
transactions. |
The publication date of the NPRM is pending. |
CMS-4145-P
Standard Unique Health Plan
Identifier |
This rule proposes the standard health plan
identifier. |
The publication date of the NPRM is pending. |
CMS-0003-P
Modifications to Standards for
Electronic Transactions |
This proposed rule adopts a revised National Council for
Prescription Drug Programs (NCPDP) standard for batched retail pharmacy
transactions, adopts a revised standard for pharmacy remittance advice and
prior authorization, and retracts the NDC code as the standard for drugs in all
transactions except retail pharmacies. |
NPRM published 05/31/02.
NPRM Comment Period End
06/30/02. |
CMS-0005-P
Revisions to Transactions and Code Set
Standards for Electronic Transactions |
This proposed rule adopts modifications recommended by
the Designated Standards Maintenance Organizations. |
NPRM published 05/31/02.
NPRM Comment Period End
06/30/02. |
| Standards are required to be implemented 2 years and 2 months
after publication in the Federal Register. The compliance date for all health
care providers for final Privacy Rule is April 14, 2003. The compliance date
for all health care providers for final Security Rule is April 20, 2005. The
effective date for the National Provider Identifier is likely to be delayed a
few months to allow enough time for HHS to develop the system for implementing
the identifier. |
|
|
HIPAA Administrative Simplification
Provisions Pending External Input
as of |
|
Standard for Electronic Signature |
An electronic signature standard was proposed in the
Security NPRM. Comments indicated lack of consensus. Industry continues to work
on this issue. NCVHS is monitoring progress. |
Regulation will not be developed until NCVHS has made a
recommendation. Mandatory Implementation of other standards is not
affected. |
|
Standard Transaction for First Report of
Injury |
This transaction was named in the statute, but industry
continues to work on a consensus standard. |
Industry expected to propose standard later this year.
Proposed rule will be developed at that time. Implementation of other standards
is not affected. |
|
Unique Identifier for Individuals |
Work on this identifier was halted due to privacy
concerns. |
Appropriations language prohibits CMS from expending
funds. Implementation of other standards is not affected. |
|
|
Appendix A
Administrative
Simplification Compliance Act Regulations
as of |
|
Model Compliance Extension Plan |
Administration Simplification Compliance Act (ASCA)
requires the secretary to develop a
model compliance extension plan for use by
covered entities when requesting the one-year extension for implementing the
HIPAA transactions and code sets. |
Plan published March 29, 2002. Extentions allowed if
filed before Oct. 15. 2002. Health care providers who miss the extention
cut-off date of Oct. 15, 2002 are expected to be compliant on Oct. 16,
2002. |
|
Exclusion from Medicare Proposed Rule |
Administration Simplification Compliance Act (ASCA) gives
the secretary discretion to exclude from the Medicare program any covered
entities that are not in compliance by October 2002 AND have not submitted a
compliance extension plan. |
Schedule under development. |
|
Medicare Coverage Requirement for Electronic
Submission of Claims in HIPAA-Compliant Format Proposed Rule |
Administration Simplification Compliance Act (ASCA) adds
an additional coverage requirement for Medicare effective October 2003. Claims
must be submitted electronically using HIPAA-compliant formats. Specifies
exceptions, e.g., for small providers. |
Schedule under development. |
|
|
|
