Proposal Summary: Under the statute, failure to comply with standards may result in monetary penalties. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of a single standard for a calendar year.
We did not propose any enforcement procedures, but we will do so in a future Federal Register document.
We did, however, solicit input on appropriate mechanisms to permit independent assessment of compliance.
Comments and Responses on Enforcement
1. Comment: We received many comments regarding the timing of enforcement. Several commenters stated an enforcement and mediating body is needed immediately. The majority of commenters called for the delay of enforcement. Commenters also requested that HCFA permit initial compliance testing of these standard transactions to be based on good faith. It was also recommended that actual testing for compliance occur later. Several commenters said that we should not assess penalties in the first year. A few commenters requested that we establish a body to which a health care provider may go for help. Others requested advance notice of enforcement procedures.
A few commenters requested that we define the terms “person” and “violation,” as well as provide examples of violations and provide descriptions of how penalties will apply. Several commenters requested that fines apply only to health plans and health care clearinghouses, and not to health care providers.
One commenter suggested that the Electronic Healthcare Network Accreditation Commission (EHNAC) be endorsed as a process for establishing compliance in using the standards.
Response: The proposed rule, like the other three notices of proposed rulemakings (NPRMs) published in 1998 to implement the administrative simplification requirements of HIPAA, did not contain provisions for compliance and enforcement. We are, therefore, not adopting any compliance or enforcement provisions in this final rule. As we indicated in the proposed rule, we will be developing a separate compliance and enforcement rule to establish compliance and enforcement procedures for these and other administrative simplification requirements. We plan to publish an NPRM requesting public comments next year, and to subsequently issue a final compliance and enforcement regulation that will become effective prior to the first compliance dates of these rules. We anticipate addressing the specific issues of compliance, timing, appeals, and technical assistance in the projected compliance and enforcement rulemaking. We also plan to address the practicability of using some type of self- certification or certification by external parties to demonstrate compliance with some or all of the requirements.
We encourage covered entities, trading partners and business associates to address issues relating to compliance and resolution of disputes concerning use of these standards in their trading partner agreements. The following resources are available to assist with questions of interpretation and application of specific transactions standards and implementation guides:
For assistance in resolving a particular X12N issue, submit the issue to the X12N Insurance list serve. To subscribe to the X12N Insurance list serve, go to http://www.x12.org.
For additional information regarding the interpretation of the NCPDP standards, go to http://www.ncpdp.org.
The Department will develop a plan for providing technical assistance to covered entities and others affected by the rule. We plan to announce the availability of technical assistance through the Federal Register, various web sites including the Department’s Administrative Simplification web site and the web sites identified above, and through other means.
2. Comment: Several commenters suggested we address educational activities. It was stated that the changes required by the administrative simplification provisions of HIPAA cannot be implemented without a concerted and sustained educational effort.
Response: We agree that HIPAA educational activities are critical to the successful implementation of the standards. Industry organizations, such as X12N have begun to provide education about standard transactions. While not required by this rule, we encourage health care clearinghouses and vendors to educate their customers as well. The Health Care Financing Administration (HCFA) has scheduled a series of regional training sessions for Medicare and Medicaid. They have contracted with instructors who are nationally recognized experts in EDI standards. Medicare and Medicaid have also published health care provider education articles. Copies of these articles may be obtained from local HCFA contractors.