Why the 3-month HIPAA 5010 enforcement delay is benign

By David A. Feinberg, CDP
10:15 AM

Now that the initial rush to comment on the three months CMS / Office of E-Health Standards and Services (OESS) enforcement delay announcement is somewhat passed, following are my thoughts and analyses. Keep in mind as you read this that in order for any OESS enforcement process to even begin, some entity -- HIPAA covered entity or business associate -- must file a complaint against a HIPAA covered entity; typically using the Administrative Simplification Enforcement Tool (ASET) at https://htct.hhs.gov/aset.

First of all, who, really, might be affected by this enforcement -- but not compliance -- delay. There are four situations to consider starting on 1/01/2012.

Situation 1: Health Plan is running 005010 and Provider is running 005010
This is the desired outcome. No regulatory violations are occurring. No complaint would be filed.

Situation 2: Health Plan is running 004010 and Provider is running 004010
Neither entity is compliant. Which pot would complain that the other kettle is black? My guess is neither. So, no complaint would likely be filed.

Situation 3: Health Plan is running 005010 and Provider is running 004010
Starting on 1/01/2012, health plans could simply start rejecting no longer compliant version 004010 transactions. The golden rule -- she with the gold, rules -- would be in effect. Where permitted, providers would have to revert to non-HIPAA communications, and this would cause delays in all sorts of processes: particularly providers' receipt of payments. There's really no need for health plans to file complaints. The business realities would take care of this situation -- which, by the way, is what I continue to suspect will be the case with Medicare Fee For Service (FFS). Note that Medicare FFS is a different portion of CMS than OESS, and, based on repeated messages I've been receiving prior to the 11/17/2011 OESS announcement, Medicare FFS could stay the course on its 1/01/2012 hard cut-over to version 005010. We'll have to wait to see if Medicare FFS wavers, too.

Situation 4: Health Plan is running 004010 and Provider is running 005010
This is the situation where OESS enforcement provides leverage to override the golden rule. And this is the situation where a provider or a provider's business associate would most likely file a complaint. In this situation, health plans could be the entities most affected by this enforcement -- but not compliance -- delay.

Now, let's drill down a bit on the assumption that an immediate complaint is filed based on Situation 4.

  • Since the version 005010 compliance date is 1/01/2012 [and that's a Sunday], no legitimate complaint could likely be filed until at least then.
  • Arbitrarily assume that it would take a few days for a provider entity to get final approvals to file a complaint against a contracted health plan. Thus, any complaint would be received by OESS via ASET on/about 1/09/2012.
  • As stated in ¶3 of OESS' official enforcement delay statement at http://www.cms.gov/ICD10/Downloads/CMSStatement5010EnforcementDiscretion... , complaints will continue to be accepted, and OESS may request "filed-against entities" -- i.e., in Situation 4, a health plan -- to "produce evidence of either compliance or a good faith effort to become compliant". Arbitrarily assume it takes OESS two weeks to formally ask the health plan to produce this evidence; which would be on/about 1/23/2012.
  • Under the most adverse circumstances, a filed-against entity would have at least thirty days to produce OESS' requested evidence. See 45 CFR 160.312 ... especially 45 CFR 160.312(a)(3)(i). This brings us to at least 2/22/2012.
  • Arbitrarily assume it takes OESS four weeks to evaluate the produced evidence and obtain all necessary approvals to commence the process for fining the health plan. This is the real part of "enforcement" ... where an "informal" resolution could not be achieved. This takes us to on/about 3/21/2012.
  • Even a little slippage in the above dates or arbitrarily assumed time flows brings us to 3/31/2012. This is the stated "initiate enforcement" date contained in OESS' official enforcement delay statement.

So what's the big deal, eh?!


David A Feinberg specializes in inter-computer healthcare information interfacing and EDI, along with Master Person Index (MPI) mediation. He’s the author of the book, “Understanding HIPAA Communications.” Additionally, he's a voting member of ANSI accredited standards development organizations X12 and Health Level Seven (HL7). He's earned the Certificate in Data Processing (C.D.P.), a Master of Science degree in Administration and Operations Research, and a Bachelor of Science degree in Mathematics. In 2008, Dave was honored with X12’s Earl J. Bass e-Business Achievement Award. He's currently the president of Rensis Corporation -- a consulting company, and can be contacted at DAFeinberg@computer.org.