HIPAA Regulations Compliance Delayed, Only If Plan is Filed on Time

By: Gregory J. Naclerio,
Chair, Health Law Regulatory Department,
and Jay. B. Silverman,
Health Law Department

On December 27, 2001, President Bush signed legislation enabling entities covered by the Health Insurance Portability and Accountability Act (HIPAA) Transactions and Code Sets regulations, to qualify for an extension of the deadline for compliance. Initially, the HIPAA Transactions and Code Sets compliance deadline was October 16, 2002. The new legislation permits covered entities to extend this deadline until October 16, 2003, provided that they submit a compliance plan to the Department of Health and Human Services by October 16, 2002. The HIPAA Transactions and Code Sets compliance plan must include a budget, schedule, work plan, and an implementation strategy.

A covered entity that does not submit a compliance plan by October 16, 2002 could be excluded from participation in the Medicare program. The new legislation extending the deadline for compliance with the Transactions and Code Sets regulations does not affect the April 14, 2003 deadline for compliance with the HIPAA Privacy regulations.

The HIPAA Transactions and Code Sets regulations require covered entities to use a uniform format and set of codes when electronically processing certain health claims and performing other covered transactions, such as obtaining eligibility verification and referral authorization. Covered entities include health plans, health care clearinghouses and health care providers who conduct covered transactions. Covered entities may include health insurance companies, medical billing companies, physicians, radiologists, dentists, orthopedists, and many other health care providers and entities in the health care industry.

Many third parties who perform covered transactions on behalf of covered entities will have to comply with the Transactions and Code Sets regulations. A business associate engaged by a covered entity that performs a covered transaction must also require the business associate to comply with the Transactions and Code Sets regulations. For example, a billing company could be a business associate of a physician practice. That physician practice, a covered entity, should carefully draft agreements with business associates to incorporate the HIPAA requirements. The billing company, a covered entity and a business associate of the physician practice, should be aware of its responsibility to comply with the Transactions and Code Sets regulations so that it does not collect penalties applicable to covered entities that violate the regulations or jeopardize its business relationship with the physician practice.
Gregory Naclerio, a senior partner with the law firm Ruskin Moscou Faltischek, P.C., P.C. and  Chair of the firm’s Healthcare Regulatory Department, is formerly the Director of the Long Island Regional Office of the Deputy Attorney General’s Medicaid Fraud Control Unit. He can be reached at (516) 663-6633 or gnaclerio@rmfpc.com.

Jay Silverman, is a senior associate at the firm, counsel to the Suffolk County Medical Society and the former Assistant General Counsel of the Medical Society of the State of New York. He can be reached at (516) 663-6606 or jsilverman@rmfpc.com.