  ICD10 Watch
by Tom Sullivan

Will there, or won't there, be fines for HIPAA 5010, ICD-10 non-compliance?

If you're concerned that CMS (The Centers for Medicare and Medicaid Services) will smack you with a fine for failing to comply with either HIPAA 5010 or ICD-10, then you're not alone.

Indeed, healthcare professionals expressed concern that they will face non-compliance penalties.

“We've synchronized all the speedometers and set the speed limit,” says Larry Watkins, former co-chair and co-founder of WEDI's SNIP (Strategic National Implementation Process). “Now it's just a question of how far over the speed limit we can get away with.”


A sparkling clear answer is not so easy to find. Denise Buenning, director of the administrative simplification group within the CMS Office of E-Health Standards and Services, offered this explanation:

“There are no specific fines or sanctions provided under the final ICD-10 or 5010 final rules. However, both are governed by HIPAA, which includes sanctions for current violations of HIPAA transaction and code sets,” Buenning wrote in an email to ICD10Watch. “HIPAA calls for civil penalties with fines up to $25,000 for multiple violations of the same standard in a calendar year.”

In other words: No fines for failing to comply with ICD-10 or 5010 exactly, at least not yet, but CMS can still slap you under the broader HIPAA umbrella. CMS can, in fact, levy fines and so the question becomes: Will it exercise that option?

There is some debate about that. HHS (Department of Health and Human Services) in late February levied a first-of-its-kind fine against Cignet for violating HIPAA privacy rules, to the unforgettable tune of $4.3 million. That particular situation did not involve either HIPAA 5010 or ICD-10, of course.

David Feinberg, president of Rensis Corp., a healthcare consultancy, asserted that slapping health entities with a hefty ticket for non-compliance would be “illogical,” at least the way things stand today. "Who would the CMS unit file complaints against? Providers?" Feinberg argues. "Seems unlikely as health plans can already penalize non-compliant providers by simply not processing submitted transactions; thereby not paying them."

Agreeing that it's illogical to go after providers, Mandy Willis, an ICD-10 expert in Seattle, explains that a complaint-based approach is equally nonsensical. “My own interpretation is that CMS is ready to start taking on payers who don't comply with the standards themselves instead of waiting for providers to complain. After all, we all know that providers barely have enough time to see their patients – when would they have time to file complaints?”


While the healthcare realm waits for the HIPAA 5010 deadline of January 1, 2012 and ICD-10's mandated October 1, 2013 compliance day beyond that to see whether CMS will institute non-compliance fines, Watkins explains that HIPAA 5010 is much less ambiguous than 4010, such that it will be relatively easy to determine whether a healthcare entity is compliant, or is not.

What's more, because many healthcare entities are treating 5010 as a technical or mapping change, testing with trading partners may “look like it's going well – until we switch over to production,” Watkins adds. At that point, difficulties due to actual business usage and the complexity of changing definitions and interpretations will arise and spark chaos that, should CMS aggressively audit and issue fines, could land many healthcare organizations in trouble.

“Yes,” Watkins chuckles, after being asked if he's worried about non-compliance fines. “I'm very concerned.”



I believe there is a probability that at some point after the implementation dates -- whether 6 months or a year, that OCR will be involved in determining fines for those organizations not achieving compliance. OCR has stepped up its enforcement activities and this is one area that will also be on its agenda. OCR will have no choice but to enforce the regulations, and although we all would like to see the industry comply with the dates, we know that unfortunately, there will be a percentage that will not for whatever reason.


The short answer is yes, and $25,000 is what it is today, but not even close to what it will be starting 3 months after ICD-10 cutover. There is a significant component of PPACA Section 1104 that points to huge fines for non-compliance with HIPAA transactions and code sets standards AND associated transaction Operating Rules (yet to be published in regulation) as of January 1, 2014. Health plans will have to certify to the Secretary of HHS by December 31, 2013 that they are in compliance, and the Secretary is ordered to issue the first fines no later than April 1, 2014. The BIG news is the size - $1 per member PER DAY (up to a maximum of $20 per member per year). So if I am a million-member plan, I could be looking at a $20 million annual fine. Which could double if there is evidence that the plan has attested falsely to the Secretary. So take a look at Section 1104 (j)(1)(A) Penalties. It's NOT pretty, and everyone should see this as a major risk, in my opinion.
