The HIPAA 5010 extension from 1st January to 31st March 2012.

It was found necessary due to the very small proportion of covered entities that predicted they would be fully compliant by the beginning of the year. These totaled just 4.5% of the number surveyed, so it was decided by the CMS (Centers for Medicare & Medicaid Services) that an extension would be appropriate, and that 90 days would be the maximum allowed.

However, contrary to what some covered entities believe, this is not a complete HIPAA 5010 extension, whereby the compliance date has been deferred, but only a partial one. You are still expected to become fully compliant as close to the original date as possible, and not just to leave it until March 31st.

HIPAA 5010 Extension: What it means

The extension means no more than a deferment of sanctions applied to those subject to complaints after the correct date. If you are subject to any 5010 complaints after 1st January 2012, then these will not be investigated if you can demonstrate that you have satisfactorily settled the complaint yourself, or that you are showing good faith in your attempts to become compliant as soon as you possibly can.

In the words of CMS:

“If requested by OESS, covered entities that are the subject of complaints (known as “filed-against entities”) must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA standards during the 90-day period.”

That means more than just a statement on non-compliance, and you must be able to provide proof of the steps you have taken to become compliant. If you fail to do this then a financial penalty may still be applied. Not just that, but no claims made by any covered entity in the 4010 format after 1st January will be considered until 31st March, 2012. Once the entity becomes fully compliant, and can submit claims in the new HIPAA 5010 format, then they will be considered any time after 31st December, 2011.

HIPAA 5010 Extension: Reasons for Non-Compliance

So what is it about this regulation that a HIPAA 5010 extension was deemed necessary? Is it particularly difficult to conform to? There are a number of reasons, some of which are:

  • Covered entities awaiting software upgrades:  Providers of software have given little priority to developing upgrades to meet the requirements of HIPAA 5010.
  • Many covered entities still use P.O. Boxes as their postal address – although allowed under HIPAA 4010, this is not permitted by 5010.
  • Most medical practices lack the staff to meet the requirements of the security rule, and are finding it difficult to find committed professional help in this regard.
  • Many physicians lack IT personnel with the knowledge to implement HIPAA 5010, and physicians do not as a rule employ coders.  They are therefore concerned about any issues or claims connected with coding. However, this part does not become law until October 2013.
  • Many covered entities were hoping for a delay in implementation. All they got was a delay in sanctions, and even then only if they could prove they are working hard to implement 5010.

The Potential Cost of Non-Compliance

Although the HIPAA 5010 extension will be welcomed, it is not what most hoped for.  The financial penalties for non-compliance are liable to be large, and in the words of Dennis Winkler, the Director of Technical Programming for Blue Cross Shield Michigan: “Once it goes through there will be huge, huge fines for not being compliant.”

‘Huge, huge’ for Blue Cross Shield is liable to be significantly larger than your ‘huge, huge’! If an investigation is carried out by CMS, you will be notified and asked to provide a statement showing you are compliant, OR, a statement disputing the allegation, OR a corrective action plan acceptable to CMS.

Whatever you are able to do, it is likely that if you are not compliant by January 1st, 2012, you are going to need help to become compliant within 90 days.  You are strongly advised to find a HIPAA or HITECH expert to help you and make sure that you are not eventually subject to one of these ‘huge, huge fines.’

Although perhaps untrue, some have suggested that fines for non-compliance could be a good source of income in the current financial climate. The HIPAA 5010 extension was made in order to give covered entities more time to become fully compliant, although those that have done nothing will likely still be non-compliant in April unless they seek professional advice.

They must identify the reasons for their non-compliance and deal with these one by one. There are many companies offering 5010-compliant software and HIPAA 5010 management systems, so there is no need to remain faithful to trading partners that are letting you down. The HIPAA 5010 extension can now be looked at in a new light, and is perhaps not the lifeline that some believed it to be.

The HIPAA 5010 extension is an extension only in terms of penalties for non-compliance in the event of complaints. Covered entities must still prove they are working for compliance, or satisfactorily settle the complaint, otherwise they will still be held responsible. There are many reasons for non-compliance, some of which are discussed above.
