Client Alerts

Issue 114: Relief from HIPAA Certification Requirement


This is the one hundred and fourteenth issue in our series of alerts for employers on selected topics on health care reform. (Click here to access our general Summary of Health Care Reform and other issues in this series.)  This series of Health Care Reform Management Alerts is designed to provide an in-depth analysis of certain aspects of health care reform and how it will impact your employer-sponsored plans.
As we previously reported, on January 2, 2014, HHS issued a proposed rule addressing how health plans would certify compliance with adopted HIPAA standards and operating rules for three electronic transactions:  eligibility for a health plan, health care claim status, and health care electronic fund transfers (EFT) and remittance advice.  The proposed rule also established penalties for health plans that failed to comply with the certification requirements.  
On October 4, 2017, HHS withdrew the proposed rule in order to reexamine the issues raised in the public comments received.  HHS warned, however, that the “withdrawal of this proposed rule does not remove the requirements for covered entities to comply with any of the [existing HIPAA standards and operating rules for each covered transaction].”
HHS indicated that they received approximately 72 public comments on the proposed rule which, for example, raised the following issues:  
  • The majority of employers offering self-funded health plans do not regularly perform the standard transactions which the HIPAA rules are designed to govern.  Therefore, self-funded plans should be permitted to rely on the certification of their third party vendors with whom they contract to perform these transactions. 
  • The rule should not apply to certain health plans such as:  wellness or employee assistance programs which typically do not process claims electronically using standard transactions;  flexible spending accounts (FSAs) and health savings accounts (HSAs) which are not required to obtain a Health Plan Identifier (HPID); or certain benefits (e.g. accident-only coverage or disability income coverage) which are excepted from HIPAA’s electronic transaction rules.

In a related move, CMS recently updated its webpage with recommendations from an HHS advisory committee regarding HPIDs.  The National Committee on Vital and Health Statistics recommended that HHS rescind the final rule issued September 5, 2012 that would require health plans to obtain and use HPIDs.  HPIDs were going to be used to identify health plans submitting compliance certification.
The withdrawal of this proposed rule is welcome news for employers.  We will continue to monitor developments in this area.