Download the AssuredPartners NL Jan. 27, 2014 Compliance Observer here: Jan. 27 Compliance Observer.
HIPAA Certification: HHS Proposes Rules and Extends Deadline
The Affordable Care Act (ACA) requires health plans to certify to the Department of Health and Human Services (HHS) that their data and information systems comply with HIPAA’s electronic transaction standards and operating rules. The ACA specified an initial certification deadline of Dec. 31, 2013, for the following transactions: eligibility for a health plan; health care claim status; and health care electronic funds transfers (EFT) and remittance advice.
On Jan. 2, 2014, HHS issued a proposed rule to provide guidance on the initial certification process and penalties for noncompliance. The proposed rule extends the initial certification deadline to Dec. 31, 2015, although small health plans may have additional time to comply.
Affected Health Plans
The proposed rule provides that controlling health plans (CHPs) are responsible for providing the initial HIPAA certification on behalf of themselves and their sub-health plans (SHPs), if any.
A CHP is a health plan that: (1) controls its own business activities, actions or policies; or (2) is controlled by an entity that is not a health plan. An entity will also qualify as a CHP if it directs the business activities, actions or policies of one or more SHPs. An SHP is defined as a health plan whose business activities, actions or policies are directed by a CHP.
Based on this definition, an employer’s self-insured plan will likely qualify as a CHP. For employers with insured health plans, the health insurance issuer will likely be the CHP responsible for providing the certification.
Also, although the responsibility for the initial certification requirement falls on CHPs, all health plans that are HIPAA covered entities are responsible for complying with HIPAA’s electronic transaction requirements.
The ACA’s HIPAA certification requirement is intended to help the health care industry transition to new or revised transaction standards and operating rules by providing a standardized testing framework.
Under the proposed rule, a CHP would be required to submit the following information to HHS for the initial certification:
- Its number of covered lives on the date it submits the documentation; and
- Documentation that demonstrates that the CHP has completed certain internal and external testing and complies with the standards and operating rules for the three electronic transactions (health plan eligibility, health care claim status, and EFT and remittance advice).
Initial Certification Deadline
The ACA included an initial certification deadline of Dec. 31, 2013. The proposed rule would provide CHPs with additional time to provide the initial certification. According to HHS, CHPs need this additional time to complete the necessary testing and obtain their health plan identifiers (HPIDs).
Under the proposed rule:
- A CHP that obtains an HPID before Jan. 1, 2015, must submit the initial certification to HHS by Dec. 31, 2015.
- A CHP that obtains an HPID on or after Jan. 1, 2015, must submit the initial certification to HHS within one year of obtaining an HPID.
All CHPs (except small health plans) must obtain HPIDs by Nov. 5, 2014. CHPs that are small health plans have an additional year to obtain HPIDs, until Nov. 5, 2015. According to HHS, very few CHPs qualify as small health plans and, thus, most CHPs will have obtained HPIDs by Nov. 5, 2014.
Although the proposed rule would delay the initial certification deadline, it does not mean that CHPs may delay compliance with the new HIPAA standards and operating rules. All covered entities were required to comply with the operating rules for health plan eligibility and health care claim status transactions on Jan. 1, 2013. As of Jan. 1, 2014, covered entities must comply with the standards and operating rules for EFT and remittance advice transactions.
The ACA establishes penalties for health plans that fail to comply with the certification requirements. The penalty amount is:
- $1 per covered life per day until the certification is complete. (doubled for a health plan that knowingly provides inaccurate or incomplete information in its certification).
- The annual penalty is capped at $20 per covered life (or $40 per covered life in the case of a plan that knowingly provides inaccurate or incomplete information).
Only the maximum annual penalty ($40 per covered life) would apply for CHPs that knowingly provide inaccurate or incomplete information.
The amount of the penalty is subject to increase. Although all CHPs are subject to the certification requirement, only CHPs with major medical policies are subject to penalties.
To ensure that CHPs satisfy their certification obligations, HHS notes that it will compare a roster of CHPs that have submitted certifications with a roster of CHPs that have obtained HPIDs.
By Dec. 31, 2015, the ACA requires health plan certification for the following HIPAA transactions: health care claims or equivalent encounter information; enrollment and disenrollment in a health plan; health plan premium payments; health claims attachments; and referral certification and authorization. The ACA also requires health plans to meet certification requirements for later versions of the standards and operating rules.
HHS’ proposed rule is limited to the first certification of compliance. HHS intends to adopt certification requirements for these other HIPAA transactions (and for later versions of the standards and operating rules) in the future.Share This: