Compliance Timeline

2006

2006 Recovery Audit Contractor

Tax Relief and Health Care Act of 2006 makes Recovery Audit Contractor (RAC) Program permanent.

April 21, 2006 HIPAA

SECURITY - Compliance deadline (small health plans)

October 2006 HIPAA

CMS will accept claims that use an existing legacy Medicare billing number and/or an NPI. Medicare strongly recommends that providers continue to submit the legacy number as a secondary identifier.

2007

May 2007 HIPAA

HIPAA-covered providers must have an NPI number when billing electronically.

2008

2008 Electronic Prescribing Incentive Program

MIPPA authorizes e-prescribing incentive program.

2008 PQRI

MIPPA makes the PQRI program permanent, but only authorizes incentive payments through 2010.

May 2008 HIPAA

Small health plans must begin using and accepting NPIs.

August 22, 2008 ICD-10-CM

HHS published a proposed rule to adopt ICD-10-CM (and ICD-10-PCS) to replace ICD-9-CM in HIPAA transactions.

2009

2009 Electronic Prescribing Incentive Program

The bonus payment available to successful e-prescribers for 2009-2010 reporting is 2%.

January 16, 2009 HIPAA 5010 Electronic Standards

Final Rule published requiring HIPAA 5010 Electronic Standard adoption by January 1, 2012.

January 16, 2009 ICD-10-CM

Final Rule published requiring ICD-10-CM implementation by January 1, 2013.

February 17, 2009 HITECH Act

President Obama signed ARRA's HITECH provisions.

March 2009 HIPAA 5010 Electronic Standards

Effective Date of the HIPAA 5010 Electroncic Standard regulation.

HHS permits dual use of existing standards (4010A1 and 5.1) and the new standards (5010 and D.0) from the March 17, 2009, effective date until the January 1, 2012 compliance date to facilitate testing subject to trading partner agreement.

June 1 , 2009 FTC Breach Notification Guidance

FTC Breach Notification Guidance Comments Due.

June 16, 2009 Meaningful Use

Draft Meaningful Use Definition - ONC staff identified a subset of providers eligible for incentive payments who were likely to have different needs of their EHRs than primary care providers (e.g., specialists and non-physician providers). ONC convened brief calls with representatives from these provider groups to promote a better understanding of how EHRs and meaningful use would impact their work.

August 3, 2009 HIPAA

HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights (OCR). CMS retains its enforcement authority for these other HIPAA rules.

August 14, 2009 Certification

The Health IT Policy Committee on Aug. 14 approved recommendations to the federal government on establishing a new process for certifying electronic health records. Federal certification means that a system is able to achieve the minimum government requirements for security, privacy and interoperability, and that the system is able to qualify the user for bonuses under meaningful use standards. Currently, the Certification Commission for Health Information Technology is the only certifying body recognized by the federal government. But a policy committee work group noted that "considerable confusion" exists about the certification process used by CCHIT, so the panel recommends expanding the number of approved certifying bodies.

August 18, 2009 HIPAA

Major regulations surrounding breach notifications on PHRs by the Department of Health and Human Services are due.

August 18, 2009 FTC Breach Notification Guidance

Major regulations surrounding breach notifications on PHRs by the Federal Trade Commission and unsecure PHI by the Department of Health and Human Services are due.

September 2009 HIPAA 5010 Electronic Standards

The Data Interchange Standards Association has launched an online testing and certification service for providers, payers and vendors migrating to the HIPAA 5010 standards for electronic claims and related transactions. The latest version of the HIPAA standard transactions, 5010 accommodates the new ICD-10 diagnosis and procedure codes, among other changes.

September 23, 2009 HIPAA

The HIPAA Breach Notification Rule largely follows the HITECH Act, Section 13402, with several important clarifications and modifications. It also provides additional guidance on the technologies and methodologies that render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals, and therefore not considered "unsecured PHI" subject to the breach notification provisions.

Contained in the document are the following:

• Develop and document policies and procedures for responding to a breach of PHI
• Train workforce members on how to respond to a HIPAA security breach
• Have sanctions procedures in place for workforce members who fail to comply with these policies and procedures
• Permit individuals to file complaints regarding these policies and procedures or a failure to comply with them

The new law becomes effective September 23, 2009. Implementing new policies and procedures and conducting workforce training now will prepare an entity subject to these regulations to comply with the law in the event of a breach, and will eliminate the possibility of failing to timely meet the notification requirements and assist the entity in mitigating the damaging effect of a breach. HHS can impose civil penalties up to $1.5 million per violation per year for non-compliance with these new laws. Do not delay in implementing a program to comply with these new requirements.

September 30, 2009 OSHA

OSHA's Proposed Rule on Hazard Communication Released

The Hazard Communication Standard's (HCS) main purpose is to reduce chemical source illness and injuries. Since the HCS was developed in 1983, chemical injury and illness have decreased 42%, however, there is still a need for information and protection from chronic effects of chemicals. On September 30, 2009, OSHA released a proposed rule to revise the HCS to align with the Globally Harmonized System of Classification and Labelling of Chemicals (GHS). The GHS is a common logical approach to define and classify hazards and communicate information on labels and safety sheets and provides the infrastructure for the establishment of comprehensive national chemical safety programs. There are several benefits to adopting the GHS standards, such as, they: (1) enhance the protection of humans and environment; (2)better facilitate international trade of chemicals (3) reduce the need for duplicate testing and evaluation; and (4) assist countries and international organizations in the management of chemicals.

October 7, 2009 Certification

The Certification Commission for Health Information Technology (CCHIT) will launch its new certification programs on October 7. In addition to an updated comprehensive electronic health record (EHR) certification program, called CCHIT Certified® 2011, the organization will offer a modular certification program called Preliminary ARRA 2011 that is limited to the standards for qualifying EHR technology under the American Recovery and Reinvestment Act (ARRA).

CCHIT will offer three paths to certification to bring wider availability of EHR technologies, stimulate innovation, and address the needs of providers and hospitals at varying stages of technology adoption readiness. They are:

1. CCHIT Certified: A rigorous certification for comprehensive EHR systems that enable providers to meet all meaningful use objectives. Products must significantly exceed minimum Federal standards requirements, are rated for usability, and are verified to be in successful use at multiple sites. This program addresses the needs of providers and hospitals who want maximal assurance of EHR capabilities and compliance.

2. Federal Minimum: A modular certification program for applications that address one or more of the meaningful use objectives. Products must meet minimum Federal standards requirements. This program allows providers and hospitals to combine technologies from multiple certified sources.

3. Site: A simplified, low cost certification for sites or organizations. Technology must meet minimum Federal standards requirements. This program allows providers and hospitals who develop or assemble EHR technologies themselves to qualify for ARRA incentives, offering an open door to encourage continued innovation.

December 2009 Meaningful Use

National Coordinator for Health IT David Blumenthal said a preliminary definition for "meaningful use" of electronic health records will be released by the end of 2009, followed by a 60-day comment period.

December 2009 Certification

Interim final rule expected for Standards and Certification Criteria.

2009-2010 PQRI

The bonus payment for PQRI is capped at 2% of an individual's total allowed Medicare charges for the reporting period, up from 1.5% for 2007 and 2008.

2010

2010 Electronic Prescribing Incentive Program

The bonus payment available to successful e-prescribers for 2009-2010 reporting is 2%.

2010 Meaningful Use

Final definition expected to be issued in mid- to late spring 2010

January 1, 2010 Recovery Audit Contractor

Deadline for RAC program to be expanded to all 50 states

February 12, 2010

EHR Certification criteria interim final rule to take effect.

February 22, 2010 HIPAA

HHS Breach Notification Requirements enforced

February 22, 2010 Breach Notification Guidance

FTC Breach Notification Requirements enforced

March 10, 2010

Deadline for dentists who are covered under HIPAA to notify the department of any breaches of unsecured protected health information between Sept. 23, 2009 -- when the Breach Notification Rule went into effect -- and Dec. 31, 2009.

March 15, 2010 Meaningful Use/Standards

Comments due for proposed rulemaking on Meaningful Use and Interim final rule on EHR certification criteria.

April 1, 2010 HIPAA 5010 Electronic Standards

The CMS Medicare Fee-for-Service schedule is:
Level I - April 1, 2010 through December 31, 2010

June 2010

CMS expected to have meaningful use rule in place.

June 1, 2010 Red Flags Rule

The Federal Trade Commission (FTC) is delaying enforcement of the "Red Flags" Rule, again, until June 1, 2010, for financial institutions and creditors subject to enforcement.

August 2010 HIPAA

HHS will publish 14 modifications to HIPAA guidance and regulations which will expand protections of electronically transmitted patient health information. Each of the rules will take effect 30 days after issuance. They include regulations and/or guidance about:

• added accounting responsibilities for disclosures under the HIPAA Privacy Rule;
• extending certain HIPAA Security Rule provisions to business associates;
• modifying the HIPAA Privacy Rule's accounting of disclosure provisions;
• tighter restrictions on the disclosure of PHI for marketing and fundraising;
• detailed technical safeguards for security;
• providing electronic health records to patients who request access.

December 31, 2010 HIPAA 5010 Electronic Standards

Required Level I compliance with HIPAA 5010 Standard

Level I compliance means "that a covered entity can demonstrably create and receive compliant transactions, resulting from the compliance of all design/build activities and internal testing."

2011

2011 Electronic Prescribing Incentive Program

The bonus payment available to successful e-prescribers for 2011-2012 reporting is 1% with a simultaneous 1% payment reduction for those unsuccessful.

2011 Meaningful Use

Beginning in 2011, physicians who demonstrate "meaningful use" of electronic health records could qualify for up to $44,000 in Medicare incentive payments by implementing Stage 1 Meaningful Use requirements.

Meaningful Use Objectives Goal is to electronically capture in coded format and to report health information and to use that information to track key clinical conditions

2011 Certification

Meaningful use draft call for providers to comply with federal and state medical data privacy laws and for data sharing to comply with the Office of the National Coordinator's National Privacy and Security Framework.

Beginning in 2011, physicians who demonstrate "meaningful use" of electronic health records could qualify for up to $44,000 in Medicare incentive payments.

October 1, 2011 Meaningful Use

Due to the 90-day reporting requirements of the Stage 1 criteria for the first year reporting, this is the last day you can begin reporting to qualify for incentives in 2011.

December 31, 2011 HIPAA 5010 Electronic Standards

Required Level II compliance with HIPAA 5010 Standard

Level II compliance means "that a covered entity has completed end-to-end testing with each of its trading partners, and is able to operate in production mode with the new versions of the standards."

2012

2012 Electronic Prescribing Incentive Program

Penalties go into effect for those providers that are eligible, but not utilizing e-prescribing.

January 2012 HIPAA 5010 Electronic Standards

Health IT departments must be ready to submit claims electronically using the upgraded HIPAA 5010 standards / Full compliance with HIPAA 5010 standard required.

2013

2013 Electronic Prescribing Incentive Program

The bonus payment available to successful e-prescribers for 2013 reporting is 0.5% with a simultaneous 1.5% payment reduction for those unsuccessful.

2013 Meaningful Use

Stage 2 Meaningful Use requirements will be set.

October 2013 ICD-10-CM

ICD-10-CM Implementation Date

2014

2014 Electronic Prescribing Incentive Program

No bonus payment will be made to successful e-prescribers beginning in 2014. Instead those unsuccessful will see a 2% payment reduction in 2014 and each year thereafter.

2015

2015 Meaningful Use/Certification

The government will enact penalties for health care providers who have failed to demonstrate meaningful use.

Doctors would need to achieve medical device interoperability and achieve minimal levels of performance on quality, safety, and efficiency.

2015 Meaningful Use

Stage 3 requirements for Meaningful Use to be set.