HIPAA Compliance

CMS Initiates 90-Day Enforcement Discretion for 5010 Compliance

November 18, 2011 | 5010, Enforcement, HIPAA Law, Transactions & Code Sets

January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 transaction standards. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Small health plans have until January 1, 2013, to comply with the NCPDP Medicaid Subrogation 3.0 standard.

The Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcing compliance with electronic transaction standards. CMS announced on November 17, 2011, that “[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period….  If requested by OESS, covered entities that are the subject of complaints (known as ‘filed-against entities’) must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA [version] standards during the 90-day period.” [emphasis added]

CMS further stated:  “OESS made the decision for a discretionary enforcement period based on industry feedback revealing that, with only about 45 days remaining before the January 1, 2012 compliance date, testing between some covered entities and their trading partners has not yet reached a threshold whereby a majority of covered entities would be able to be in compliance by January 1. [emphasis added] Feedback indicates that the number of submitters, the volume of transactions, and other testing data used as indicators of the industry’s readiness to comply with the new standards have been low across some industry sectors.  OESS has also received reports that many covered entities are still awaiting software upgrades.”

CMS also allowed a near-last-minute compliance contingency period in July 2003, just prior to the October 16, 2003, compliance date for the current version of HIPAA transaction standards. This allowance of a contingency period is counter to the discussion in the 5010 Final Rule, given the degree of readiness as evidenced in the preceding paragraph, but understandable, as many covered entities rely on outside vendors to provide software updates. At some point, and certainly not as long as the first contingency period, CMS will provide an announcement similar to what it issued on August 4, 2005: after a date certain, CMS “[would] not process incoming non-HIPAA-compliant electronic Medicare Claims.”

Nevertheless, covered entities (and their business associates) should not believe that the Office for Civil Rights (OCR), responsible for HIPAA privacy and security enforcement, would provide a similar near-last-minute compliance contingency period for the forthcoming Omnibus HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, which OCR has indicated on several occasions would be published in the Federal Register by year-end 2011, with compliance expected 240 days after publication. We have discussed these Rules in recent HIPAA.com posts. Unlike the CMS-enforced transaction standards, the OCR-enforced privacy and security standards for safeguarding protected health information are internal responsibilities of the management and the Privacy and Security Officials of covered entities and their business associates, who know their operational workflows best and can identify threats and vulnerabilities to electronic systems containing protected health information. The common element is that compliance is ultimately the obligation of the covered entity, and achieving timely compliance with transaction standards in early 2012 and with privacy and security standards later in 2012 should be a strategic focus.
