HIPAA Health Plan Certification Rules Include Extended Deadline | Practical Law

The Department of Health and Human Services (HHS) has proposed rules addressing the requirement, added by the Affordable Care Act (ACA), that health plans submit information demonstrating that they have complied with certain standards and operating rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Practical Law Legal Update 3-553-5528 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 07 Jan 2014 | USA (National/Federal)
On December 31, 2013, HHS issued proposed regulations (79 Fed. Reg. 298-01) addressing the requirement that covered entities under HIPAA, which include health plans, certify compliance with the following three electronic transaction standards (referred to collectively as the first certification of compliance requirements):
In general, the certification rule requires health plans to submit information and documentation demonstrating that their data and information systems comply with certain HHS standards and operating rules involving use of standardized electronic transactions under HIPAA.
The proposed regulations would extend by two years (from December 31, 2013 to December 31, 2015) the deadline by which most health plans must satisfy the first certification of compliance requirements under the HIPAA electronic transaction rules, reflecting that a plan has completed certain levels of internal and external testing. The proposed rules include penalties for plans that do not meet the certification requirement. Certain of the rules relate to final regulations issued in September 2012 that adopted standards for health plan identifiers (HPIDs) (see Legal Update, Final Health Plan Identifier Rules Include Delayed Compliance and Implementation Dates).
In addition to the certification requirements for health plans, which were added by the Affordable Care Act (ACA), HHS must audit health plans and entities that have service contracts with health plans. Operating rules have yet to be adopted for other types of transactions (for example, health plan enrollment and disenrollment), and additional certification will be required for new and revised standards and operating rules.

Penalties

Penalties for noncompliance with the certification rules are:
  • $1 per covered life per day, assessed for each day until health plan certification is complete.
  • Doubled for a health plan that knowingly provides inaccurate or incomplete information in certifying compliance.
However, annual penalties against a health plan are capped at:
  • $20 per covered life under the plan.
  • $40 per covered life for misrepresentations.

Entities Subject to Penalties

The certification requirement falls on a "controlling health plan" (CHP), an entity defined under the HPID rules as a health plan that either:
  • Controls its own business activities, actions or policies.
  • Is controlled by a non-health plan entity.
If a CHP has one or more subhealth plans (SHPs), it must exercise enough control over the SHPs to direct their business activities, actions or policies.
Under the proposed regulations, the CHP, on behalf of itself and any SHPs, is responsible for submitting documentation to satisfy the first certification of compliance. This information, representing a snapshot of the CHP's compliance, includes:
  • The number of covered lives, as of the date the plan submits its documentation, which would mean individuals covered by or enrolled in a CHP's major medical policies (and those of the CHP's SHPs).
  • One of two credentials attesting compliance with the HIPAA-required standards and operating rules.
In the preamble, however, HHS notes that SHPs, as health plans, are HIPAA covered entities in their own right and are independently responsible for satisfying HIPAA's standards and operating rules.
In addition, a health plan must:
  • Ensure that entities that provide services under a contract with the plan comply with certification and compliance requirements.
  • Provide HHS documentation of the compliance.
HHS interprets these services to include services provided by business associates (BAs) that are contracted to conduct all or part of a HIPAA transaction on the plan's behalf. According to HHS, when a CHP submits documentation, it is certifying that the CHP's BAs (and the BAs of its SHPs) are compliant with the HIPAA standards and operating rules in conducting transactions on the CHP's (and SHPs') behalf.
The process for obtaining a credential requires the CHP, among other things, to attest that it has successfully tested the operating rules for health plan eligibility, health care claim status and health care EFT and remittance advice transactions with its trading partners.
As an enforcement tool, HHS plans to compare a list of the CHPs that have satisfied the certification requirements against the list of CHPs that have obtained an HPID (because all CHPs are required to obtain an HPID).

Practical Impact

The later certification compliance deadline does not mean CHPs may delay compliance with the HIPAA operating rules beyond their respective compliance dates. All HIPAA covered entities were required to comply with:
  • The operating rules for health plan eligibility and health care claim status transactions on January 1, 2013.
  • The operating rules for EFT and remittance advice transactions on January 1, 2014.