Will there, or won't there, be fines for HIPAA 5010, ICD-10 non-compliance?

by Carl Natale

If you're concerned that CMS (The Centers for Medicare and Medicaid Services) will smack you with a fine for failing to comply with either HIPAA 5010 or ICD-10, then you're not alone.

Indeed, healthcare professionals expressed concern that they will face non-compliance penalties.

“We've synchronized all the speedometers and set the speed limit,” says Larry Watkins, former co-chair and co-founder of WEDI's SNIP (Strategic National Implementation Process). “Now it's just a question of how far over the speed limit we can get away with.”


A sparkling clear answer is not so easy to find. Denise Buenning, director of the administrative simplification group within the CMS Office of E-Health Standards and Services, offered this explanation:

“There are no specific fines or sanctions provided under the final ICD-10 or 5010 final rules. However, both are governed by HIPAA, which includes sanctions for current violations of HIPAA transaction and code sets,” Buenning wrote in an email to ICD10Watch. “HIPAA calls for civil penalties with fines up to $25,000 for multiple violations of the same standard in a calendar year.”

In other words: No fines for failing to comply with ICD-10 or 5010 exactly, at least not yet, but CMS can still slap you under the broader HIPAA umbrella. CMS can, in fact, levy fines and so the question becomes: Will it exercise that option?

There is some debate about that. HHS (Department of Health and Human Services) in late February levied a first-of-its-kind fine against Cignet for violating HIPAA privacy rules, to the unforgettable tune of $4.3 million. That particular situation did not involve either HIPAA 5010 or ICD-10, of course.

David Feinberg, president of Rensis Corp., a healthcare consultancy, asserted that slapping health entities with a hefty ticket for non-compliance would be “illogical,” at least the way things stand today. “Who would the CMS unit file complaints against? Providers?” Feinberg argues. “Seems unlikely as health plans can already penalize non-compliant providers by simply not processing submitted transactions; thereby not paying them.”

Agreeing that it's illogical to go after providers, Mandy Willis, an ICD-10 expert in Seattle, explains that a complaint-based approach is equally nonsensical. “My own interpretation is that CMS is ready to start taking on payers who don't comply with the standards themselves instead of waiting for providers to complain. After all, we all know that providers barely have enough time to see their patients – when would they have time to file complaints?”


While the healthcare realm waits for the HIPAA 5010 deadline of January 1, 2012, and ICD-10's mandated compliance date of October 1, 2013, to see whether CMS will institute non-compliance fines, Watkins explains that HIPAA 5010 is much less ambiguous than 4010, so it will be relatively easy to determine whether a healthcare entity is compliant or not.

What's more, because many healthcare entities are treating 5010 as a technical or mapping change, testing with trading partners may “look like it's going well – until we switch over to production,” Watkins adds. At that point, difficulties due to actual business usage and the complexity of changing definitions and interpretations will arise and spark chaos that, should CMS aggressively audit and issue fines, could land many healthcare organizations in trouble.

“Yes,” Watkins chuckles, after being asked if he's worried about non-compliance fines. “I'm very concerned.”