HIPAA was enacted in 1996 to stimulate the use of electronic health plan claims transactions. That’s a worthy objective but unfortunately Congress chose to the path of bogging down technology by embedding technical standards in law. Technology moves faster than the law. Plus the banking industry did not need the government to mandate electronic banking standards. The banking industry developed those standards because there is a financial incentive in lowering administrative costs.

Almost twenty years after HIPAA was enacted, HHS which administers the law still has not fully implemented all of the standards, and Congress put the kibosh on implementing a key requirement — the patient identifier.

Nevertheless, in the Affordable Care Act, Congress and the President doubled down on HIPAA by hijacking an industry initiative to create common operating rules for the HIPAA transactions. The ACA required HHS to promulgate those operating rules as federal regulations. Mission accomplished there.

The ACA also required HHS for 2013 to issue regulations requiring health plans to certify their compliance with the HIPAA standards subject to a significant civil monetary penalty for non-compliance.  HHS issued a proposed rule implementing this requirement yesterday.  Fierce Health Payer reports on the proposed rule here. Interestingly, the proposed rule requires health plans to obtain compliance certification from the industry resource CAQH CORE that was developing the standards that Congress hijacked (that’s not the only alternative). Also the anticipated deadline for the initial certification submission will be the end of 2015. Fierce Health Payer notes that

That will give health plans enough time for planning, evaluating, designing, and internal and external testing. The new date also better aligns with the requirement for CHPs to obtain a unique health plan identifier on or before Nov. 5, 2015, according to HHS.

Of course, the big HIPAA compliance date for this year is October 1, 2014, when the massive ICD-10 code set becomes the standard for all healthcare transactions.

HHS’s Office for Civil Rights is responsible for enforcing the HIPAA Security and Privacy Rules. The FEHBlog has no problem with the government regulating these areas. Fierce Healthcare reports that OCR’s Director Leon Rodriguez (who spoke at the 2013 OPM AHIP FEHBP carrier conference) may be leaving his post to become director of U.S. Citizenship and Immigration Services. The article discusses a contretemps between OCR and the HHS Inspector General over whether OCR is doing an effective enforcement job. In support of OCR, the FEHBlog notes that OCR recently negotiated a $150,000 penalty with a small dermatology practice that was not minding its HIPAA Ps & Qs. These HIPAA penalties for non-compliance with Privacy and Security Rules are no joke. Cybersecurity insurance is a good buy for health plans.