Under HIPAA, this is the date by which a covered entity must comply with a standard, an implementation specification, or a modification. This is usually 24 months after the effective data of the associated final rule for most entities, but 36 months after the effective data for small health plans. For future changes in the standards, the compliance date would be at least 180 days after the effective data, but can be longer for small health plans and for complex changes.
HIPAA Privacy Standards went into effect April 15, 2001; the two year grace period ends on April 15, 2003, at which time anyone not complying with the standards can be cited and/or charged.
For the electronic rule only, Congress in 2001 enacted legislation allowing a one-year extension for most covered entities provided that they submit a plan for achieving compliance. As a result, covered entities that qualify for the extension will have until October 16, 2003 to meet the electronic standards instead of the original October 16, 2002 deadline. (Small health plans must still meet the October 16, 2003 compliance date and are not eligible for an extension under the new law.)
A "Small health plan" is defined as a plan with annual receipts of $5 million or less. HHS clarified the annual receipt test to mean, for insured plans, $5 million in premiums paid in the most recent fiscal year and, for self-insured plans, $5 million in claims paid in the most recent fiscal year.