After intense lobbying by state Medicaid directors and private insurers, the U.S. House of Representatives (on December 4, 2001) and the U.S. Senate (on December 12, 2001) passed the Administrative Simplification Compliance Act (H.R. 3323). The President is expected to sign the legislation shortly. (For a link to the text of H.R. 3323, click here.)
New Compliance Deadline
The Administrative Simplification Compliance Act waives the penalties for covered entities under the Health Insurance Portability and Accountability Act (HIPAA) that are unable to comply with the final standard transaction and code sets regulations (65 FR 50312, August 17, 2000) by the original deadline of October 16, 2002. However, such a delay comes at a cost. In order to receive the waiver, a covered entity is required to submit a plan to the Secretary of Health and Human Services explaining how it plans to come into compliance by October 16, 2003. The plan must be submitted in accordance with a model form promulgated by the Secretary and the plan is due by the original compliance date of October 16, 2002.
A plan must contain at least the following elements:
- an analysis reflecting the extent to which, and the reasons why, the covered entity is not in compliance;
- a budget, schedule, work plan and implementation strategy for achieving compliance;
- a notification as to whether the covered entity plans to use or might use a contractor or other vendor to assist in achieving compliance; and
- a time frame for testing that begins no later than April 16, 2003.
The result is that each covered entity will first be required to submit its H.R. 3323 plan by October 16, 2002, and then comply with the transactions and code set standards by October 16, 2003, unless it otherwise chooses to comply by October 16, 2002. The act specifies that it should not be construed to modify the compliance deadline for the privacy standards under HIPAA which are effective on April 14, 2003.
The act directs the Secretary to provide for the confidentiality of trade secret, commercial and financial information in using the plans submitted by covered entities. The Secretary is also directed to send a sample of submitted plans to the National Committee on Vital and Health Statistics (NCVHS), which is directed to use them to publish and disseminate to the public reports containing "effective solutions to compliance problems" identified in the plans.
The Delay and Your Operations
While the delay in the transaction and code set compliance date offers some theoretical relief to providers and health plans, the extent of this relief is somewhat misleading. First, both providers and health plans that participate in the Medicare program must remain sufficiently on track towards compliance to be in a position to report in writing their progress to the Secretary on or before October 16, 2002. Failure to report (or elect to be in compliance) by October 16, 2002, could be cause for exclusion from the Medicare program.
As a result, some action is required of every provider and health plan prior to October 16, 2002 regarding whether to report to the Department of Health and Human Services a plan to comply or simply to comply as of the original October 16, 2002 date. In either case, the only reasonable action is to continue to move towards compliance, and then evaluate where you are around the end of August, 2002. Only at that point will it make sense to reach a firm conclusion whether to push toward full compliance as of October 16, 2002, or merely report your plan to comply by October 16, 2003.
Notwithstanding these strategic choices, from an economic standpoint, the expected savings from HIPAA (at least according to the government) stem from the efficiencies of conducting transactions among payors and providers on a common platform. Hence, the sooner payors and providers can communicate effectively, the shorter the time to approve patient eligibility, the faster claims can be processed and, at least theoretically, the sooner payment can be made by payors to providers. It is this aspect of transaction and code set implementation that should continue to drive providers towards compliance sooner rather than later, particularly if area payors choose to be compliant by 2002 (rather than by 2003).
Finally, it is worth re-emphasizing that the delay in the act has no effect on the April 14, 2003, compliance date for the privacy regulations. In fact, the law makes clear that during the period between April 14, 2003, (the privacy compliance date) and October 16, 2003, (the new transaction code set compliance date), even transactions involving providers and clearinghouses that are not "transaction and code set" compliant, must nevertheless be "privacy" compliant. This particular provision of the law should make clear that Congress is serious about health care privacy, is continuing to push the health care industry to follow-through on HIPAA privacy implementation, and is currently offering no parallel delay for HIPAA’s privacy requirements.