The One-Year Extension for Complying with HIPAA's Standards for Electronic Transactions: How Does it Affect You?
Overview of the New Law
On December 27, 2001, President Bush signed into law H.R. 3323, the Administrative Simplification Compliance Act (now known as Public Law 107-105). The Act requires that, by October 16, 2002, hospitals and other covered entities must either:
Be in compliance with the electronic transactions and code sets standards under the Health Insurance Portability and Accountability Act (HIPAA), or
Submit a summary plan to the Secretary of Health and Human Services (HHS) describing how the entity will come into full compliance with the standards by October 16, 2003. No HHS approval of the summary plan is required, however.
Under the law, the Secretary of HHS has the discretion to impose a new penalty - exclusion from the Medicare program - on any hospital or covered entity that is not fully in compliance with the standards or does not submit a compliance plan by the October 2002 deadline. In the original legislation, the Medicare program exclusion was a mandatory penalty. The AHA successfully advocated that the penalty be left to the discretion of the Secretary.
In the legislative history released on December 20, 2001, Congress encourages hospitals and other covered entities that can reasonably become compliant with the transactions standards by the October 16, 2002 deadline to continue their compliance efforts already underway. Also, in the legislative history, the committee encourages HHS to "not penalize a compliant entity that must send non-compliant transactions because their trading partners have filed for the extension." This circumstance is identified explicitly as "good cause" for non-compliance with the transactions and code sets requirement under Section 1176(3) of HIPAA.
The law does not affect the April 14, 2003 deadline for complying with the medical privacy requirements. In fact, the law clearly states that any hospitals and other providers and health care clearinghouses that transmit electronically any protected health information in connection with a transaction between April 14, 2003 and October 16, 2003 must comply with the privacy standards - even if their electronic transactions are not conducted in HIPAA-standard formats during this period. In a separate provision, the law specifies that, as of October 2003, all Medicare claims must be submitted electronically unless:
There is no method for submitting the claim other than in writing.
The submitter of the claim is a small provider as defined in the new law.
Other appropriate circumstances to be prescribed by the Secretary apply.
In addition, the law does not alter the deadline for small health plans to be in compliance with the HIPAA electronic transactions standards.
How the Law Affects Hospitals Unable to Comply with the October 2002 Transactions Standards Deadline
For hospitals that submit a summary compliance plan to the Secretary of HHS by October 16, 2002 because they will not be ready to comply fully with the HIPAA electronic transactions standards, the law effectively grants an additional year - until October 16, 2003 - for compliance with the HIPAA transactions and code sets standards. To receive this year extension, hospitals and other covered entities must submit to the Secretary of HHS a summary plan for coming into full compliance by October 2003 describing the:
Extent of noncompliance and the reasons why the organization is not in compliance;
Budget, timeline, strategy and work plan for achieving compliance;
Timeframe for testing, which must start no later than April 16, 2003; and
Whether the organization plans to use a contractor or other vendor to help achieve compliance.
The Secretary of HHS is instructed to develop and issue by March 31, 2002 a model form that may be used in drafting this required summary compliance plan. Such plans may be submitted electronically.
Under the new law, the National Committee on Vital and Health Statistics (NCVHS) is charged with disseminating information that may assist providers and other covered entities as they work to come into compliance. The Secretary of HHS is required to furnish NCVHS with a sample of the summary compliance plans received. NCVHS must then analyze the samples to identify the most common or challenging compliance problems for covered entities needing more time. NCVHS, in consultation with the Data Standards Maintenance Organizations (DSMOs) like the National Uniform Billing Committee (NUBC) that is chaired by the AHA, must regularly publish and disseminate publicly reports that contain effective solutions to the compliance problems identified through the analysis of summary plans. The reports are not to focus on the compliance problems or challenges experienced by a single organization, but rather are to focus more generally on issues facing multiple organizations.
Next Steps for the AHA
The AHA is working with Workgroup for Electronic Data Interchange (WEDI) and other organizations to develop a streamlined summary compliance plan form that will not add to the paperwork burdens of hospitals.