Employer-sponsored health plans have a lot of work to do over the next couple of years to ensure continued compliance with HIPAA’s electronic transaction standards. HIPAA’s administrative simplification rules require a health plan to conduct certain electronic transactions in accordance with standards, code sets, and operating rules adopted by the Department of Health and Human Services (“HHS”). The PPACA significantly expands on these standards, code sets, and operating rules. The PPACA also adds the requirements that a health plan (1) obtain a health plan identifier (“HPID”) for the health plan to use with respect to the electronic transaction standards; and (2) certify compliance with the applicable electronic transaction standards.
Thus, under the PPACA’s expansion of HIPAA’s electronic transaction standards, a health plan needs to (1) ensure that it is in compliance with all currently applicable standards and operating rules (and prepare to comply with upcoming standards and operating rules); (2) obtain a HPID by November 5, 2014 (or November 5, 2015 if it is a small health plan); and (3) prepare to certify to HHS that it is in compliance with certain electronic transaction standards by December 31, 2015 (or December 31, 2016 if it is a small health plan).
Electronic Transaction Standards, Code Sets and Operating Rules
The PPACA includes an expansion of the HIPAA electronic transaction standards and requires HHS to adopt uniform standards and operating rules governing transactions with health plans. Indeed, under HIPAA’s electronic transaction requirements, health plans that are covered entities (and their business associates) that engage in certain specified covered transactions electronically with other covered entities are required to comply with standards and operating rules that are designed to standardize the format and content of the electronic transactions using standards and code sets designed by the Secretary of HHS. Covered transactions now include (1) health claims or equivalent encounter information; (2) health claims attachments; (3) enrollment and disenrollment in a health plan; (4) eligibility for a health plan; (5) health care payment and remittance advice; (6) health plan premium payments; (7) health claim status; (8) first report of injury; (9) referral certification and authorization; and (10) electronic funds transfer. Standards and operating rules related to many of these covered transaction are already in effect (for example, standards and operating rules related to eligibility for a health plan and health care claim status). Standards and operating rules related to other covered transactions are set to go into effect over the course of the next couple of years (for example, standards and operating rules related to health claims or equivalent encounter information, and health claim attachments).
An employer-sponsored health plan needs to ensure that it is in compliance with all of the currently applicable electronic transaction standards and operating rules, and that it is prepared to comply with the soon-to-be applicable standards and operating rules. For many employer-sponsored plans, electronic transactions are performed by the insurers, third party administrators, or other business associates acting on behalf of the plans. Thus, a plan sponsor needs to also ensure that such third parties that perform electronic covered transactions on behalf of the plan are in compliance with all of the currently applicable electronic transactions standards and are prepared to comply with the upcoming standards and operating rules. Accordingly, a plan sponsor should have applicable third party administrator service agreements and business associate agreements reviewed to ensure that the applicable third party is expressly required to comply with the electronic transaction standards.
Health Plan Identifier
Additionally, the PPACA requires all controlling health plans (“CHP”) to obtain a HPID, which must be used in any HIPAA electronic covered transaction that the health plan conducts or that a business associate conducts on behalf of the health plan. The term “controlling health plan” or “CHP” means a health plan (as defined by HIPAA) that (1) controls its own business activities, actions, or policies; or (2) (i) is controlled by an entity that is not a health plan; and (ii) if it has a subhealth plan [a health plan whose business activities, actions, or policies are directed by a controlling health plan], exercises sufficient control over the subhealth plan to direct its business activities, actions, or policies. A controlling health plan can also obtain an HPID on behalf of its subhealth plans. Alternatively, a subhealth plan may obtain its own HPID. The HPID generally must be obtained by November 5, 2014. However, a small health plan (i.e., a health plan with annual receipts of $5 million or less) has until November 5, 2015 to obtain its HPID. Beginning November 7, 2016, all health plans must use the HPID to identify the health plan in covered transactions where the health plan is identified.
This webpage also includes instructions and videos explaining the application process. Plan sponsors of self-insured health plans will need to obtain the HPID for the plan. With respect to fully-insured plans, the plan sponsor should coordinate with its issuer to determine how the HPID is going to be obtained. While the plan sponsor can delegate its responsibility to obtain a HPID out to a third party, such as its TPA, it is important to note that the ultimate responsibility to obtain an accurate HPID lies with the plan.
Once the HPID is obtained, any covered entity that identifies the health plan in an applicable covered transaction must use the applicable HPID instead of another identifier beginning November 7, 2016. If the plan uses a business associate to conduct any covered transactions on its behalf, the plan must also require the business associate to use the HPID to identify the health plan in an applicable covered transaction beginning November 7, 2016.
Although operational compliance is already required, under the PPACA, a health plan is required to file a statement with HHS (1) certifying that the data and information systems for the health plan are in compliance with any applicable standards and operating rules and (2) which includes information about the number of covered lives under the plan. The deadlines for filing the attestation are currently as follows:
- First Certification—Eligibility for a health plan, health care claim status, health care electronic funds transfers (EFT) and remittance advice—December 31, 2015 (December 31, 2016 for small health plans)
- Second Certification—Health claims or equivalent encounter information; enrollment and disenrollment in a health plan; health plan premium payments; health claims attachment; referral certification and authorization—December 31, 2015 (this deadline is likely to be postponed as the government has yet to issue any regulations related to the subject)
However, under the currently proposed regulations, prior to filing the attestation with HHS, the plan must obtain certification from a third-party vendor (the Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange) that shows that the plan (or its business associate, where applicable) performs the applicable covered transactions and has tested these transaction with a certain number of third parties. HHS has proposed two types of certification: (1) HIPAA Credential; and (2) the Phase III Core Seal. The plan can choose which certification it would like to seek. Both options require the health plan (or its business associates, as applicable) to actually test the covered transactions that are part of the First Certification. Thus, while the deadline for filing the attestation related to the First Certification is December 31, 2015 (or December 31, 2016 for a small health plan), a health plan must complete the certification process prior to that date. Additionally, it is important to note that the CHP is responsible for ensuring that any business associate that conducts a covered transaction on the plan’s behalf to also take part in and comply with the applicable certification requirements. As with the process for obtaining the HPID, plan sponsors should coordinate with applicable issuers, third party administrators, and other business associates to ensure that that certification is properly obtained. While the regulations related to the certification process have yet to be finalized, plan sponsors should start assessing their systems and processes to ensure that no compliance gaps exist.
This blog serves solely as a general summary of a health plan’s potential obligations under the electronic transaction standards. Please contact us to discuss the application of these requirements to your plan in detail. Failure to comply with any of these requirements related to covered transactions may subject your health plan to civil penalties under both HIPAA and the PPACA.