CMS Initiates 90-Day Enforcement Discretion for 5010 Compliance

January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 transaction standards. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Small health plans have until January 1, 2013, to comply with the NCPDP Medicaid Subrogation 3.0 standard.

The Center for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcement of compliance with electronic transaction standards.  CMS announced on November 17, 2011, that “[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period….  If requested by OESS, covered entities that are the subject of complaints (known as ‘filed-against entities’) must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA [version] standards during the 90-day period.” [emphasis added]

CMS further stated:  “OESS made the decision for a discretionary enforcement period based on industry feedback revealing that, with only about 45 days remaining before the January 1, 2012 compliance date, testing between some covered entities and their trading partners has not yet reached a threshold whereby a majority of covered entities would be able to be in compliance by January 1. [emphasis added] Feedback indicates that the number of submitters, the volume of transactions, and other testing data used as indicators of the industry’s readiness to comply with the new standards have been low across some industry sectors.  OESS has also received reports that many covered entities are still awaiting software upgrades.”

CMS also allowed a near last minute compliance contingency period in July 2003, just prior to the October 16, 2003, compliance date for the current version of HIPAA transaction standards.  This allowance of a contingency period is counter to the discussion in the 5010 Final Rule, given the degree of readiness as evidenced in the preceding paragraph, but understandable as many covered entities rely on outside vendors to provide software updates.  At some point, and certainly not as long as the first contingency period, CMS will provide an announcement similar to what it issued on August 4, 2005:  after a date certain, CMS “[would] not process incoming non-HIPAA-compliant electronic Medicare Claims.”

Nevertheless, covered entities (and their business associates) should not believe that the Office for Civil Rights (OCR), responsible for HIPAA privacy and security enforcement, would provide a similar near last minute compliance contingency period for the forthcoming Omnibus HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, which OCR has indicated on several occasions would be published in the Federal Register by yearend 2011, with compliance expected 240 days after publication. We have discussed these Rules in recent HIPAA.com posts.  Unlike the CMS-enforced transaction standards, the OCR-enforced privacy and security standards for safeguarding protected health information are inside responsibilities of management and Privacy and Security Officials of covered entities and their business associates that know their operational workflows best and can identify threats and vulnerabilities to electronic systems containing protected health information.  The common element is that ultimately compliance is the obligation of the covered entity, and achieving timely compliance with transaction standards in early 2012 and privacy and security standards later in 2012 should be a strategic focus.

Leave a Reply

Your email address will not be published. Required fields are marked *