You Ought To Know: HHS Guidance on Health Plan Identifier and Plan Certification
Recently NLRG was asked about the status of Health and Human Services (HHS) guidance
regarding the Health Insurance Portability and Accountability Act (HIPAA) requirements that a
health plan obtain a health plan identifier (HPID) from HHS and submit a certification to HHS that
the plan complies with HIPAA electronic security rules. These topics—HPID and plan
certification—are separately addressed in the discussion below.
Overview of Key Points:
• Under the deadlines established by HHS in 2012, health plans are required to obtain an HPID
by November 5, 2014 (large plans) or November 5, 2015 (small plans) and begin using the
HPID in electronic HIPAA standard transactions by November 7, 2016.
• Health plans are required to obtain and submit to HHS a series of two certifications attesting to
their compliance with certain HIPAA standard transactions and operating rules by December
31, 2015 (large plans) or December 31, 2016 (small plans).
• Only proposed regulations governing the certification process have been issued to date, and
those regulations are extremely limited and leave open a number of issues that will not be
addressed until final regulations are issued.
Health Plan Identifier
Under the 1996 HIPAA administrative simplification statute, HHS was directed to adopt an
identifier system for employers, health care providers, individuals and health plans. The purpose
of this law was to establish a system of identifiers that could be used across the country so that all
electronic transmissions of health information are uniform. HHS has adopted rules for employers,
designating the federal Employer Identification Number (EIN) that an employer uses for federal
wage and tax reporting as the employer’s HIPAA identifier. In addition, HHS has adopted a
national identifier system for health care providers to be used in connection with HIPAA standard
transactions. Due to privacy concerns expressed by the American public, no individual identifier
system has been established by HHS to date.
At the time that the Patient Protection and Affordable Care Act (PPACA) was enacted, HHS had
not yet developed an identifier system for health plans. As a result, PPACA again mandated that
HHS develop such a system. Consequently, on September 5, 2012, HHS issued final regulations
addressing that requirement.
Purpose and Use of HPID
The purpose of the HPID is to provide a system for consistently and uniformly identifying a health
plan in connection with certain HIPAA designated benefit-related standard transactions that are
conducted electronically between a health plan (which is a HIPAA covered entity) and another
HIPAA covered entity. Further information regarding “standard transactions” is provided below
in the background section of the “Plan Certification” portion of this article.
Who Must Obtain an HPID?
A health plan that is a Controlling Health Plan (CHP) is required to obtain an HPID. A CHP is a
health plan that either (1) controls its own business activities, actions or policies or (2) is
controlled by an entity that is not a health plan (for example, the employer sponsor of a health
plan). If the CHP has a Subhealth Plan (SHP), the CHP must exercise sufficient control over
the SHP to direct its business activities, actions or policies, in which case the SHP would not be
required to obtain its own HPID (but could be required to obtain an HPID if the CHP directs it to
do so). An SHP is simply a health plan over which a CHP has control.
Generally all health plans that are HIPAA covered entities are required to obtain an HPID, but a
CHP can choose to either apply for one HPID for itself and its SHPs or allow each SHP to obtain a
separate HPID. The most common example of a CHP/SHP relationship is a “wrap” welfare plan
that includes more than one health benefit option. It appears from these rules that a CHP can
obtain one HPID for all of the SHPs within the “wrap” welfare plan, in much the same way that
the “wrap” plan combines multiple benefit options under one plan number for purposes of filing
the Form 5500.
The HPID requirement applies to group health plans, health insurance companies, and HMOs.
Both self-insured plans and insured plans are required to obtain an HPID if they conduct HIPAA
standard transactions electronically.
HPID Application Process
An application for an HPID is submitted to HHS through its website, which includes substantial
information on the topic. Here is a link to the HHS HPID website.
It is expected that insurance companies will handle obtaining HPIDs for their insured group health
plans as well as their HMOs. Third party administrators are able to assist self-insured plans with
the HPID application process and may be willing to submit the application on behalf of the plan.
The HPID that HHS assigns to a plan will be a 10-digit, all-numeric identification number.
Deadline for Obtaining HPID
Large health plans (with annual receipts of over $5 million) must obtain an HPID by November 5,
2014. Small health plans (with annual receipts of $5 million or less) have an additional year until
November 5, 2015 to obtain an HPID. Information on which plans qualify as small health plans
and how to determine a health plan’s annual receipts is provided by HHS at the HHS website.
All HIPAA covered health plans and other HIPAA covered entities are required to begin using
HPIDs in electronic HIPAA standard transactions by November 7, 2016.
On August 17, 2000, HHS published final regulations adopting the original set of HIPAA standard
transaction rules and identifying a list of specific transactions that are subject to HIPAA electronic
guidelines. Under those rules, if a HIPAA covered entity conducts certain plan health care benefit-
related transactions (i.e., “standard transactions”) with another HIPAA covered entity using
electronic media, the two covered entities must use electronic data interchange (EDI) code sets
designated by HHS. These standards and code sets establish the data that must be provided and
the fields that must be used when transmitting information electronically if such information is
governed by HIPAA privacy and security rules.
Plan Certification Requirements
The PPACA statute expanded HIPAA electronic security requirements by mandating that each
health plan HIPAA covered entity file two one-time certifications with HHS, attesting that the plan
is in compliance with certain standard transactions and operating rules. This requirement applies
to self-insured and insured plans. A CHP must file these certifications on behalf of itself and its
The “First Certification” addresses the following standard transactions:
• Claim status
• Electronic funds transfer and admittance advice
The “Second Certification” addresses the following standard transactions:
• Claims and encounter information
• Enrollment and disenrollment
• Premium payments
• Claims attachment
• Authorization and referrals
On January 2, 2014, HHS issued proposed regulations establishing the requirements for the First
Certification. No guidance has been issued to date regarding the Second Certification requirement.
Since the insurance companies are the entities that conduct these standard transactions, insured
health plans should look to their insurance companies for compliance with the entire certification
process. Self-insured health plans generally rely on their third party administrators to administer
those plans in accordance with these standard transactions, and therefore, self-insured health plans
should be able to look to their third party administrators for assistance with (and possibly take
responsibility for) securing the required certifications and making the submissions. The obligation
for these certifications technically rests with the health plan, however, and therefore, the plan
should verify that its insurers or third party administrators, as applicable, are complying with the
standard transaction criteria.
First Certification Process
Under the HHS proposed regulations, a CHP must obtain the first certification from an outside
third party stating that the plan is electronically conducting the eligibility, claims status, and
electronic funds transfer and admittance advice standard transactions in a proper manner. HHS
has designated the Council for Affordable Quality Healthcare Committee on Operating Rules for
Information Exchange (CAQH CORE) as the third party responsible for issuing the First
To begin the certification process, a CHP must obtain an HPID. The CHP has a choice of one of
two types of certification—Phase III CORE Seal and HIPAA Credential—whichever the plan
determines is the most appropriate. Both certification types are administered by CAQH CORE.
• Phase III CORE Seal Certification
This type of certification requires external testing through a third party. CAQH CORE has
developed three phases for the testing of the First Certification standard transactions. When a
plan successfully completes a phase of testing and submits the appropriate documentation to
CAQH CORE, the plan receives a CORE Seal for that phase.
• HIPAA Credential Certification
Third party testing is also required for this type of certification, but no other guidance has been
published regarding the form or elements of this testing. CAQH CORE is currently developing
the criteria for the HIPAA Credential certification.
As previously indicated, under the proposed regulations, the First Certification is a “one-time”
requirement that provides a snap-shot of a CHP’s compliance with the required standard
transactions. There is no obligation to update or resubmit the First Certification information on a
Covered Lives Information
The First Certification attestation submitted to HHS also must include information on the number
of “covered lives” under the CHP as of the date the plan files the required documentation with
HHS. “Covered lives” refers to the number of individuals covered by or enrolled in the CHP
“Major Medical Policies.” A “Major Medical Policy” is defined as an insurance policy that covers
accident and sickness and provides outpatient, hospital, medical and surgical expense coverage. It
is unclear whether the definition includes a dental, vision, long-term care or EAP insurance policy.
Nor is it clear whether a self-insured plan is required to submit “covered lives” information,
although from the language used by HHS in the proposed regulations it appears that this
requirement does not apply to self-insured plans.
Deadline for First Certification Submission
Although PPACA established December 31, 2013 as the original deadline for the first certification,
the HHS proposed regulations have pushed that due date back to the following:
• Large plans (over $5 million in annual receipts) – December 31, 2015
• Small plans ($5 million or less in annual receipts) – December 31, 2016
Currently the deadline for the Second Certification is set for December 31, 2015 for both large and
small plans. There has been no further guidance on that deadline or any other aspect of the Second
There is a $1 per covered life penalty for every day a CHP fails to comply with the certification
requirement up to $20 per covered life. If a plan knowingly provides inaccurate or incomplete
information in connection with a certification, the penalty can double up to $40 per covered life.
The penalty is based on the number of covered lives that a plan reports to HHS as part of its
certification submission. As previously noted, since under HHS proposed regulations a plan is
only required to submit covered lives information under the plan’s insurance policies, it appears
that the penalty does not apply to a self-insured plan.
Because the plan certification guidance issued to date is in the form of proposed regulations, it
cannot be determined at this time what the final rules will look like and how they will apply when
the First Certification is due. A number of questions remain unanswered, including, but not
limited to, the following:
• What are the final testing criteria and procedures for the Phase III CORE Seal certification?
• What are the testing criteria and procedures for the HIPAA Credential certification?
• Does the covered lives submission apply to self-insured plans?
• Are self-insured plans subject to penalties for failure to comply with the certification
• What are the testing criteria, processes and procedures for the Second Certification?
• Will the deadline for the Second Certification be delayed, given that under current guidance
both certifications are due on the same day for large plans, and the Second Certification is due
for small plans before the First Certification?
Glossary of Abbreviations of Terms
CAQH CORE: Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange
CHP: controlling health plan
HPID: health plan identifier
SHP: subhealth plan
Willis’ National Legal & Research Group will continue to review and provide timely updates on
these and other changes in this area of the law that affect employers.
The information in this publication is not intended as legal or tax advice and has been prepared
solely for informational purposes. You may wish to consult your attorney or tax adviser
regarding issues raised in this publication.