You Ought To Know April 8 2014 - HHS Guidance on Health Plan Identifier and Plan Certification


Published on

Published in: Healthcare
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

You Ought To Know April 8 2014 - HHS Guidance on Health Plan Identifier and Plan Certification

  1. 1. You Ought To Know: HHS Guidance on Health Plan Identifier and Plan Certification Recently NLRG was asked about the status of Health and Human Services (HHS) guidance regarding the Health Insurance Portability and Accountability Act (HIPAA) requirements that a health plan obtain a health plan identifier (HPID) from HHS and submit a certification to HHS that the plan complies with HIPAA electronic security rules. These topics—HPID and plan certification—are separately addressed in the discussion below. Overview of Key Points: • Under the deadlines established by HHS in 2012, health plans are required to obtain an HPID by November 5, 2014 (large plans) or November 5, 2015 (small plans) and begin using the HPID in electronic HIPAA standard transactions by November 7, 2016. • Health plans are required to obtain and submit to HHS a series of two certifications attesting to their compliance with certain HIPAA standard transactions and operating rules by December 31, 2015 (large plans) or December 31, 2016 (small plans). • Only proposed regulations governing the certification process have been issued to date, and those regulations are extremely limited and leave open a number of issues that will not be addressed until final regulations are issued. Health Plan Identifier Background Under the 1996 HIPAA administrative simplification statute, HHS was directed to adopt an identifier system for employers, health care providers, individuals and health plans. The purpose of this law was to establish a system of identifiers that could be used across the country so that all electronic transmissions of health information are uniform. HHS has adopted rules for employers, designating the federal Employer Identification Number (EIN) that an employer uses for federal wage and tax reporting as the employer’s HIPAA identifier. In addition, HHS has adopted a national identifier system for health care providers to be used in connection with HPAA standard transactions. Due to privacy concerns expressed by the American public, no individual identifier system has been established by HHS to date. At the time that the Patient Protection and Affordable Care Act (PPACA) was enacted, HHS had not yet developed an identifier system for health plans. As a result, PPACA again mandated that
  2. 2. HHS develop such a system. Consequently, on September 5, 2012, HHS issued final regulations addressing that requirement. Purpose and Use of HPID The purpose of the HPID is to provide a system for consistently and uniformly identifying a health plan in connection with certain HIPAA designated benefit-related standard transactions that are conducted electronically between a health plan (which is a HIPAA covered entity) and another HIPAA covered entity. Further information regarding “standard transactions” is provided below in the background section of the “Plan Certification” portion of this article. Who Must Obtain an HPID? A health plan which is a Controlling Health Plan (CHP) is required to obtain an HPID. A CHP is a health plan that either (1) controls its own business activities, actions or policies or (2) is controlled by an entity that is not a health plan (for example, the employer sponsor of a health plan), and if the CHP has a Subhealth Plan (SHP), the CHP must exercise sufficient control over the SHP to direct its business activities, actions or policies, in which case the SHP would not be required to obtain its own HPID (but could be required to obtain the HPID if the CHP directs it to do so). A SHP is simply a health plan over which a CHP has control. Generally all health plans that are HIPAA covered entities are required to obtain an HPID, but a CHP can choose to either apply for one HPID for itself and its SHPs or allow each SHP to obtain a separate HPID. The most common example of a CHP/SHP relationship is a “wrap” welfare plan that includes more than one health benefit option. It appears from these rules that a CHP can obtain one HPID for all of the SHPs within the “wrap” welfare plan, in much the same way that the “wrap” plan combines multiple benefit options under one plan number for purposes of filing the Form 5500. The HPID requirement applies to group health plans, health insurance companies, and HMOs. Both self-insured plans and insured plans are required to obtain an HPID if they conduct HIPAA standard transactions electronically. HPID Application Process An application for an HPID is submitted to HHS through its website, which includes substantial information on the topic. Here is a link to the HHS HPID website.
  3. 3. It is expected that insurance companies will handle obtaining HPIDs for their insured group health plans as well as their HMOs. Third party administrators are able to assist self-insured plans with the HPID application process and may be willing to submit the application on behalf of the plan. The HPID that HHS assigns to a plan will be a 10-digit, all-numeric identification number. Deadline for Obtaining HPID Large health plans (with annual receipts of over $5 million) must obtain an HPID by November 5, 2014. Small health plans (with annual receipts of $5 million or less) have an additional year until November 5, 2015 to obtain an HPID. Information on which plans qualify as small health plans and how to determine a health plan’s annual receipts is provided by HHS at the HHS website. All HIPAA covered health plans and other HIPAA covered entities are required to begin using HPIDs in electronic HIPAA standard transactions by November 7, 2016. Plan Certification Background On August 17, 2000, HHS published final regulations adopting the original set of HIPAA standard transaction rules and identifying a list of specific transactions that are subject to HIPAA electronic guidelines. Under those rules, if a HIPAA covered entity conducts certain plan health care benefit- related transactions (i.e., “standard transactions”) with another HIPAA covered entity using electronic media, the two covered entities must use electronic data interchange (EDI) code sets designated by HHS. These standards and code sets establish the data that must be provided and the fields that must be used when transmitting information electronically if such information is governed by HIPAA privacy and security rules. Plan Certification Requirements The PPACA statute expanded HIPAA electronic security requirements by mandating that each health plan HIPAA covered entity file two one-time certifications with HHS, attesting that the plan is in compliance with certain standard transactions and operating rules. This requirement applies to self-insured and insured plans. A CHP must file these certifications on behalf of itself and its SHPs. The “First Certification” addresses the following standard transactions: • Eligibility
  4. 4. • Claim status • Electronic funds transfer and admittance advice The “Second Certification” addresses the following standard transactions: • Claims and encounter information • Enrollment and disenrollment • Premium payments • Claims attachment • Authorization and referrals On January 2, 2014, HHS issued proposed regulations establishing the requirements for the First Certification. No guidance has been issued to date regarding the Second Certification requirement. Since the insurance companies are the entities that conduct these standard transactions, insured health plans should look to their insurance companies for compliance with the entire certification process. Self-insured health plans generally rely on their third party administrators to administer those plans in accordance with these standard transactions, and therefore, self-insured health plans should be able to look to their third party administrators for assistance with (and possibly take responsibility for) securing the required certifications and making the submissions. The obligation for these certifications technically rests with the health plan, however, and therefore, the plan should verify that its insurers or third party administrators, as applicable, are complying with the standard transaction criteria. First Certification Process Under the HHS proposed regulations, a CHP must obtain the first certification from an outside third party stating that the plan is electronically conducting the eligibility, claims status, and electronic funds transfer and admittance advice standard transactions in a proper manner. HHS has designated the Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange (CAQH CORE) as the third party responsible for issuing the First Certification. To begin the certification process, a CHP must obtain an HPID. The CHP has a choice of one of two types of certification—Phase III CORE Seal and HIPAA Credential—whichever the plan determines is the most appropriate. Both certification types are administered by CAQH CORE. • Phase III CORE Seal Certification
  5. 5. This type of certification requires external testing through a third party. CAQH CORE has developed three phases for the testing of the First Certification standard transactions. When a plan successfully completes a phase of testing and submits the appropriate documentation to CAQH CORE, the plan receives a CORE Seal for that phase. • HIPAA Credential Certification Third party testing is also required for this type of certification, but no other guidance has been published regarding the form or elements of this testing. CAQH CORE is currently developing the criteria for the HIPAA Credential certification. As previously indicated, under the proposed regulations, the First Certification is a “one-time” requirement that provides a snap-shot of a CHP’s compliance with the required standard transactions. There is no obligation to update or resubmit the First Certification information on a regular basis. Covered Lives Information The First Certification attestation submitted to HHS also must include information on the number of “covered lives” under the CHP as of the date the plan files the required documentation with HHS. “Covered lives” refers to the number of individuals covered by or enrolled in the CHP “Major Medical Policies.” A “Major Medical Policy” is defined as an insurance policy that covers accident and sickness and provides outpatient, hospital, medical and surgical expense coverage. It is unclear whether the definition includes a dental, vision, long-term care or EAP insurance policy. Nor is it clear whether a self-insured plan is required to submit “covered lives” information, although from the language used by HHS in the proposed regulations it appears that this requirement does not apply to self-insured plans. Deadline for First Certification Submission Although PPACA established December 31, 2013 as the original deadline for the first certification, the HHS proposed regulations have pushed that due date back to the following: • Large plans (over $5 million in annual receipts) – December 31, 2015 • Small plans ($5 million or less in annual receipts) – December 31, 2016 Currently the deadline for the Second Certification is set for December 31, 2015 for both large and small plans. There has been no further guidance on that deadline or any other aspect of the Second Certification.
  6. 6. Penalties There is a $1 per covered life penalty for every day a CHP fails to comply with the certification requirement up to $20 per covered life. If a plan knowingly provides inaccurate or incomplete information in connection with a certification, the penalty can double up to $40 per covered life. The penalty is based on the number of covered lives that a plan reports to HHS as part of its certification submission. As previously noted, since under HHS proposed regulations a plan is only required to submit covered lives information under the plan’s insurance policies, it appears that the penalty does not apply to a self-insured plan. Pending Questions Because the plan certification guidance issued to date is in the form of proposed regulations, it cannot be determined at this time what the final rules will look like and how they will apply when the First Certification is due. A number of questions remain unanswered, including, but not limited to, the following: • What are the final testing criteria and procedures for the Phase III CORE Seal certification? • What are the testing criteria and procedures for the HIPAA Credential certification? • Does the covered lives submission apply to self-insured plans? • Are self-insured plans subject to penalties for failure to comply with the certification requirements? • What are the testing criteria, processes and procedures for the Second Certification? • Will the deadline for the Second Certification be delayed in lieu of both certifications being due on the same day for large plans, and the Second Certification being due for small plans before the First Certification (under current guidance)? Glossary of Abbreviations of Terms CAQH CORE Council for Affordable Healthcare Committee on Operating Rules for Information Exchange CHP controlling health plan HPID health plan identifier SHP subhealth plan
  7. 7. Willis’ National Legal & Research Group will continue to review and provide timely updates on these and other changes in this area of the law that affect employers. The information in this publication is not intended as legal or tax advice and has been prepared solely for informational purposes. You may wish to consult your attorney or tax adviser regarding issues raised in this publication.