Don't fear HIPAA police if rules deadline is missed

Officials promised leniency but stopped short of telling physicians they could have more time to comply.

By Joel B. Finkelstein, AMNews staff. Aug. 11, 2003.

Washington -- Federal enforcers won't scour the nation in search of physicians who fail to comply with new electronic transaction standards by the Oct. 16 deadline, government officials said at a recent meeting. But regulators' assurances left some experts unsatisfied.

The rule governing electronic data interchange of medical records and claims was mandated by the Health Insurance Portability and Accountability Act.

At their meeting to release new guidance on the rule, Dept. of Health and Human Services officials made it clear that their enforcement policies will focus more on helping physicians and other covered entities achieve compliance than on imposing penalties and fines.

"We're not going to be out looking for you," said Leslie Norwalk, deputy administrator for the Centers for Medicare & Medicaid Services. CMS is the agency responsible for enforcing the rule.

Instead, CMS will deal with noncompliance on a case-by-case basis, she said. "We have no authority to do safe harbors, so you're not going to see a blanket exception."

She admitted that the agency does not really have the resources to proactively seek out those who have not complied with the regulation. Enforcement efforts will be based on complaints from members of the medical community.

When CMS receives a complaint about a covered entity, such as a physician, it will notify the entity in writing that a grievance has been filed, the HHS guidance states. After notification, the entity will have the opportunity to demonstrate compliance, document its good-faith efforts to meet the standards and/or submit a corrective action plan.