The 1996 Health Insurance Portability and Accountability Act (HIPAA) required the Department of Health and Human Services (HHS) to issue regulations protecting the privacy of every American’s health information.

Draft regulations were unveiled in November 1999 and comments were welcomed. Over 52,000 were received.

Compliance dates for the different elements of HIPAA are listed below.

| Standard | Compliance Date | Extension Date |
|---|---|---|
| Transactions and Code Sets | 10/16/2003 | 10/16/2003. Only if application filed before Oct 15, 2002. |
| National Provider Identifier | Pending | Not Applicable |
| National Employer Identifier | Pending | Not Applicable |
| Security Rule | 4/20/2005 | Not Applicable |
| Privacy Rule | 4/14/2003 | Not Applicable |
| National Health Plan Identifier | Pending | Not Applicable |
| Claims Attachments | Pending | Not Applicable |
| Enforcement | Interim Final Rule is now in effect until 9/16/2004, at which time the Final Enforcement Rule is scheduled to be completed and will replace it. | Not Applicable |
| National Individual Identifier | Pending | Not Applicable |
| Business Associates | 4/14/2003 | 4/14/2004. Extension applies ONLY to business associates with existing business associate contracts made prior to April 14, 2003. |

Overview of The Official HIPAA Compliance Dates

Due to a federal administrative oversight, the HIPAA Regulations were slightly delayed. Technically, the HIPAA Regulations became effective on April 14, 2001 and all health care providers are responsible for adherence to the regulations from that date. Further, from that same date of April 14, 2001, all health care providers are liable for violations of the HIPAA Regulations, and are subject to criminal penalties and/or potentially devastating civil litigation for their share of responsibility in the release (accidental or intentional) of the individual’s protected health information.

From a practical standpoint and to allow the health care industry a grace period to comply, the Federal Government has effectively extended the compliance dates as follows:

  • Health Care Providers are required to comply with the Privacy regulations by April 14, 2003. They are required to comply with the Transaction and Code Set regulations by Oct. 15, 2002 unless they file for a one-year extension by Oct. 15, 2002, in which case they are allowed until October 15, 2004 to be compliant. The compliance date for the Security Regulations is April 20, 2005 for all health care providers covered under HIPAA.
  • Health Care Clearinghouses are required to comply with the Privacy regulations by April 14, 2003. They are required to comply with the Transaction and Code Set regulations by Oct. 15, 2002 unless they file for a one-year extension by Oct. 15, 2002. The compliance date for the Security Regulations is April 20, 2005 for all health care providers covered under HIPAA.
  • Major Health Plans (Plans with revenues of more than $5 Million) are required to comply with the Privacy regulations by April 14, 2003. They are required to comply with the Transaction and Code Set regulations by Oct. 15, 2002 unless they file for a one-year extension by Oct. 15, 2002. The compliance date for the Security Regulations is April 20, 2005 for all health care providers covered under HIPAA.
  • Small Health Plans (Plans with revenues of less than $5 Million) are required to comply with the Privacy regulations by April 14, 2004. They are required to comply with the Transaction and Code Set regulations by Oct. 15, 2002 unless they file for a one-year extension by Oct. 15, 2002. The compliance date for the Security Regulations is April 20, 2006 for all health care providers covered under HIPAA.

Anyone may implement the standards earlier than the date specified in the standard.

Status of the HIPAA Administrative Simplification Regulations

| Name | Description | Status |
|---|---|---|
| 65 FR 50311: Standards for Electronic Transactions and Code Sets | The final rule established the standards for electronic transactions and for code sets required to identify treatment procedures. | Published in the Federal Register September 17, 2000. Officially became law 90 days later. Mandatory compliance date for health care providers is October 16, 2002 (or October 16, 2003 if an extension application has been submitted; see Appendix A below). |
| 65 FR 82461: Standards for Privacy & Individually Identifiable Health Information | The final rule established the standards for the privacy of individual protected health information. | Published in the Federal Register December 28, 2000. Officially became law 90 days later. The compliance date for all health care providers is April 14, 2003. |
| 67 FR 14775: Modifications to Standards for Privacy of Individually Identifiable Health Information | Modifications by the HHS were made to the following areas of the Privacy Rule: Consent and Notice; Minimum Necessary and Oral Communications; Marketing; Business Associates; Parents and Minors; Uses and Disclosures for Research Purposes; Uses and Disclosure for which Authorizations are Required; Other sections of the Privacy Rule. | Notice published by the Department of Health and Human Services on March 27, 2002 for 30 days of official comments. Official comment period ended on April 26, 2002. Published in the Federal Register August 15, 2000. Officially became law on October 15, 2002. The compliance date for all covered health care providers is April 14, 2003. |
| CMS-0047-F: Standard For Unique Identifier for Employers | The Final Rule for this standard is being jointly developed by CMS (Centers for Medicare & Medicaid Services, formerly the HCFA), Treasury, Labor, and Defense. The rule adopts the employer’s tax ID number or Employer Identification Number (EIN) as the standard for electronic transactions. | The Final Rule was published in the Federal Register on May 31, 2002. |
| CMS-0049-F: Security Standards (HIPAA) | This final rule was developed jointly by CMS (Centers for Medicare & Medicaid Services, formerly the HCFA) and the Department of Commerce. This final rule adopts standards for the security of certain electronic identifiable health information of health plans, health care clearinghouses, and certain health care providers. | Final Rule published in the Federal Register on February 20, 2003. Officially became law on April 20, 2003. The compliance date for all health care providers is April 14, 2005. |
| CMS-0045-F: Standard Unique Health Care Provider Identifier | This final rule establishes a standard unique ID, adopting the NPI as the standard identifier for all health care providers under HIPAA. | The estimated publication date for the Final Rule is to be determined. |
| CMS-0050-P: Standard for Claims Attachments | This rule proposes to adopt a standard for claims attachments, which frequently accompany health care standard transactions. | The publication date of the NPRM is pending. |
| CMS-4145-P: Standard Unique Health Plan Identifier | This rule proposes the standard health plan identifier. | The publication date of the NPRM is pending. |
| CMS-0003-P: Modifications to Standards for Electronic Transactions | This proposed rule adopts a revised National Council for Prescription Drug Programs (NCPDP) standard for batched retail pharmacy transactions, adopts a revised standard for pharmacy remittance advice and prior authorization, and retracts the NDC code as the standard for drugs in all transactions except retail pharmacies. | NPRM published 05/31/02. NPRM Comment Period End 06/30/02. |
| CMS-0005-P: Revisions to Transactions and Code Set Standards for Electronic Transactions | This proposed rule adopts modifications recommended by the Designated Standards Maintenance Organizations. | NPRM published 05/31/02. NPRM Comment Period End 06/30/02. |

Standards are required to be implemented 2 years and 2 months after publication in the Federal Register. The compliance date for all health care providers for final Privacy Rule is April 14, 2003. The compliance date for all health care providers for final Security Rule is April 20, 2005. The effective date for the National Provider Identifier is likely to be delayed a few months to allow enough time for HHS to develop the system for implementing the identifier.

HIPAA Administrative Simplification Provisions Pending External Input

| Name | Description | Status |
|---|---|---|
| Standard for Electronic Signature | An electronic signature standard was proposed in the Security NPRM. Comments indicated lack of consensus. Industry continues to work on this issue. NCVHS is monitoring progress. | Regulation will not be developed until NCVHS has made a recommendation. Mandatory Implementation of other standards is not affected. |
| Standard Transaction for First Report of Injury | This transaction was named in the statute, but industry continues to work on a consensus standard. | Industry expected to propose standard later this year. Proposed rule will be developed at that time. Implementation of other standards is not affected. |
| Unique Identifier for Individuals | Work on this identifier was halted due to privacy concerns. | Appropriations language prohibits CMS from expending funds. Implementation of other standards is not affected. |

Appendix A
Administrative Simplification Compliance Act Regulations

| Name | Description | Status |
|---|---|---|
| Model Compliance Extension Plan | Administrative Simplification Compliance Act (ASCA) requires the secretary to develop a model compliance extension plan for use by covered entities when requesting the one-year extension for implementing the HIPAA transactions and code sets. | Plan published March 29, 2002. Extensions allowed if filed before Oct. 15, 2002. Health care providers who miss the extension cut-off date of Oct. 15, 2002 are expected to be compliant on Oct. 16, 2002. |
| Exclusion from Medicare Proposed Rule | Administrative Simplification Compliance Act (ASCA) gives the secretary discretion to exclude from the Medicare program any covered entities that are not in compliance by October 2002 AND have not submitted a compliance extension plan. | Schedule under development. |
| Medicare Coverage Requirement for Electronic Submission of Claims in HIPAA-Compliant Format Proposed Rule | Administrative Simplification Compliance Act (ASCA) adds an additional coverage requirement for Medicare effective October 2003. Claims must be submitted electronically using HIPAA-compliant formats. Specifies exceptions, e.g., for small providers. | Schedule under development. |