Issue 78: Proposed Rules On HIPAA Certification Requirement Issued

This is the seventy-eighth issue in our series of alerts for employers on selected topics in health care reform.  (Click here to access our general summary of health care reform and other issues in this series)  This series of Health Care Reform Management Alerts is designed to provide an in-depth analysis of certain aspects of health care reform and how it will impact your employer-sponsored plans.

Covered Transactions Health claims Health care payments Health claim status Enrollment or disenrollment in a health plan Eligibility for a health plan Health plan premium payments Referral certification and authorization First report of injury* Health claims attachments* Electronic funds transfers *HHS has not yet adopted standards for these covered transactions.

Proposed rules recently issued by the Department of Health and Human Services (HHS), would require a controlling health plan (CHP) to submit information and documentation demonstrating its compliance with certain standards and operating rules adopted by HHS under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  These standards for the electronic transmission of certain routine administrative and financial health care transactions were mandated in order to promote the growth of electronic recordkeeping and claims processing in the health care industry.

Background

HIPAA Standards and Operating Rules

If a covered entity or its business associate conducts a “covered transaction” electronically with another covered entity, it must use standardized formats and data content, as well as uniform codes (“standards”)  (See side box for a listing of the covered transactions.)  The Affordable Care Act (ACA) added a requirement that HHS adopt “operating rules” for each covered transaction. While the standards mainly address the content transmitted in a transaction, operating rules describe the methods for how the information should be transmitted.  If a covered entity uses a business associate to conduct a covered transaction, HIPAA provides that the covered entity must  require the business associate to comply with all applicable standards and operating rules. 

ACA also requires health plans to certify compliance with the applicable standards and operating rules through a two-part certification process.  The first certification will apply to following transactions: 

• Eligibility for a health plan -  an inquiry from a provider or a plan to another plan concerning eligibility, coverage, and associated benefits under the applicable plan, and the plan’s response to such an inquiry;
• Claim status - an inquiry or response regarding the status of a health care claim; and

  First Certification Eligibility Claim Status EFT & Remittance Advice Second Certification Claims & Encounter Information Enrollment and Disenrollment Premium Payments Claims Attachments Authorization & Referrals

• Electronic fund transfers (EFT) and remittance advice - a transmission from a health plan to a health care provider of payment, information about the transfer of funds or payment-processing, an explanation of benefits, or remittance advice.

Operating rules have not been adopted for the remaining covered transactions, so HHS has not yet determined what documentation will be necessary for the second certification.

Unique Health Identifiers

HIPAA requires HHS to establish a health plan identifier (HPID) system for the purpose of identifying health plans in standard transactions.  Pursuant to final regulations issued by HHS in 2012, large health plans must obtain an HPID by November 5, 2014. (Small health plans, defined as health plans with annual receipts of $5 million or less,

have until November 5, 2015.)   Beginning November 7, 2016, health plans and their business associates must use this HPID in standard transactions. See Second Quater 2012 Employee Benefits Legal Update here.

Certification Requirements

CHPs Must Certify

The new proposed rules would require CHPs to submit information to HHS in order to certify compliance with the standard transaction rules.  A CHP must also certify compliance for its subhealth plans (SHPs).  For this purpose, a CHP is a HIPAA health plan that (1) controls its own business activities, actions, or policies; or (2) is controlled by an entity that is not a health plan.¹  
An SHP is a health plan whose business activities are directed by a CHP.  Although SHPs are covered entities and independently responsible for ensuring compliance with HIPAA, including the standards and operating rules, the responsibility for certifying compliance rests with the CHP.

Self-funded Plans Self-funded health plans would fall within the definition of a CHP or a SHP.  Most self-funded plans use one or more business associates for plan administration, and the business associate is responsible for conducting the covered transactions.  Hopefully, the final rules will recognize a way to facilitate the certification process for self-funded plans administered by one or more third party administrators. Insured Plans Employer sponsors of insured health plans are generally not directly impacted by these rules as the insurer is responsible for the electronic transactions, including certification of compliance and obtaining a unique health plan identifier.

Information Required

The First Certification of compliance requires a CHP to provide HHS with documentation demonstrating that it conducts the listed transactions in a manner that complies with the standards and operating rules.   

HHS has designated the Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange (CAQH CORE) as the independent certification entity.  Under the proposed rules, a CHP would be required to provide the following to HHS, on behalf of itself and any SHPs:

• The number of covered lives on the date it submits the documentation; and
• Documentation that demonstrates the CHP has obtained from CAQH CORE either a:    

1. Phase III CORE Seal; or

2. HIPAA Credential

Both certifications require testing of the covered transactions. The proposed rules provide that the submission will be a “snap-shot” of a CHP’s compliance and HHS does not intend the documentation or information be updated or resubmitted on a regular basis. 

In addition,  the CHP is responsible for ensuring that its business associates comply with the applicable certification requirements.  The preamble states that any health plan that is dependent on a business associate to meet one or more operating rules must have that business associate achieve CORE certification in order for the plan to obtain a CORE Seal.

Counting covered lives 

For purposes of the certification, the “number of covered lives” means the number of individuals enrolled in “major medical policies” of a CHP (including the number of covered lives of its SHPs) on the date the CHP submits the documentation.  The proposed rules define “major medical policy” to mean “an insurance policy that covers accident and sickness and provides outpatient, hospital, medical, and surgical expense coverage.”  It is unclear whether or not this definition includes vision, dental, and long term care, and employee assistance programs (EAPs).   Whether “policies” would include self-insured plans is also unclear.

Phase III CORE Seal

A CORE Seal requires external testing through a third party.  CAQH CORE has developed separate certification testing requirements for each of three phases: Phase I includes operating rules related to eligibility; Phase II includes operating rules for both eligibility and the status of health claims; and Phase III includes operating rules for EFT and remittance advice transactions.  Currently, any health care entity that conducts a covered transaction electronically may voluntarily undergo certification testing with an independent CORE-authorized testing vendor and a certification process to demonstrate compliance with the three phases.  An entity that successfully completes the testing and submits the appropriate documentation to CAQH CORE is awarded a CORE Seal for the specific phase for which it was tested.

In order to be awarded a CORE Seal for all three phases, a CHP will be required to conduct certification testing for compliance with the requirements in Phases I, II, and III.  The proposed rules describe the steps involved for a CHP to obtain a CORE Seal, including testing through a CORE-authorized testing vendor.

HIPAA Credential

The HIPAA Credential is administered by CAQH CORE and demonstrates that a CHP has attested to compliance with the standards and operating rules for eligibility, claim status, and EFT and remittance advice transactions, and that the CHP has “successfully tested” the operating rules with “trading partners.”  The proposed rules do not define ‘‘successfully tested’’ or prescribe any specific kind or level of testing, but do state that the HIPAA Credential will not have a requirement to test with a third-party testing vendor.  CAQH CORE is currently developing the HIPAA Credential which is expected to be finalized prior to the time the rules are finalized. 

Penalties

Important Dates Large Plans November 5, 2014 - Deadline to obtain an HPID December 31, 2015 – Deadline to file first certification with HHS Small Plans November 5, 2015 - Deadline to obtain an HPID December 31, 2016 - Deadline to file first certification with HHS

The proposed rules require HHS to assess a penalty against a CHP with “major medical policies” if the CHP fails to comply with the certification requirements. The preamble states that only CHPs with major medical policies may be assessed penalties.  Arguably, a self-funded plan would not be subject to the penalty.

The amount of the penalty is $1 per covered life (not to exceed $20 per covered life) for every day that the CHP’s data systems for major medical policies are not in compliance.  The penalty is doubled for a plan that knowingly provides inaccurate or incomplete information in certifying compliance.

In addition, the ACA requires HHS to conduct periodic audits to ensure that health plans (including business associates) are in compliance with any standards and operating rules.

To-Do List

Although the final rules are expected to contain substantial changes, while waiting for the final rules, health plans should take the following steps:

• Identify your CHPs and SHPs.
• Determine who’s conducting covered transactions on behalf of your health plans and ensure that business associates are using applicable standards and operating rules.
• Obtain an HPID by the deadline and communicate HPIDs to business associates that conduct standard transactions.  (For information about obtaining an HPID, click here)
• Determine if your business associates have obtained a Phase III CORE Seal, or if they are in the process of obtaining one.  (To see a list of entities that have received, or have committed to receive, CORE-certification can be found here)
• Consider whether you will use a HIPAA Credential or Phase III Core Seal to document compliance. 

HHS has requested comments on various aspects of the proposed rules, including use of a Phase III CORE Seal as an option to meet the documentation requirements, whether one year from obtaining an HPID will be sufficient time for a new CHP to complete the certification, and on the proposed definitions of covered lives and major medical policy.  Comments are due April 3, 2014.

____________________________

¹ A HIPAA health plan includes any plan that provides (or pays for the cost of) medical care, but would not include the following excepted benefits:

• Coverage only for accident, or disability income insurance, or any combination thereof.
• Coverage issued as a supplement to liability insurance.
• Liability insurance, including general liability insurance and automobile liability insurance.
• Workers’ compensation or similar insurance.
• Automobile medical payment insurance.
• Credit-only insurance.
• Coverage for on-site medical clinics
• Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.