top of page

HIPAA Electronic Transactions - Compliance, Certification, and Penalties

The Department of Health and Human Services (HHS) has issued a new proposed rule for public comment, “Administrative Simplification: Health Plan Certification of Compliance” to implement a requirement that “controlling health plans” must certify compliance with HIPAA’s electronic transaction standards and operating rules. The rule proposes that controlling health plans be required to submit a certification of compliance on or before December 31, 2015. This appears to be a one-time filing requirement. This proposed rule would also establish penalty fees for a health plan that fails to comply with the certification of compliance requirements. While these rules are only proposed, self-insured health plan sponsors will want to become familiar with these requirements. Sponsors of insured health plans appear to not generally be directly impacted by these rules as the insurer is responsible for the electronic transactions.

Definitions. The new rules define “controlling health plans” (CHPs) and “sub-health plans” (SHPs), and address the requirements of such plans to obtain a unique “health plan identifier” (HPID) from the Centers for Medicare and Medicaid (CMS) for later use in certifying that its health plan meets the “electronic data interchange” (EDI) rules. More clarity surrounding the definition of a CHP is expected in the future, but for now, it can be assumed that a single-employer, self-insured plan would be considered a CHP.

Background. Under the administrative simplification provisions of HIPAA, health plans and other covered entities are required to conduct certain transactions electronically using standards and code sets designated by HHS. These include a single set of “operating rules” for eligibility verification transactions relating to billing and standards for electronic fund transfers to pay providers. The Patient Protection and Affordable Care Act (PPACA) added requirements that increase uniformity with respect to these HIPAA standard transactions and further requires CHPs to certify that they are in compliance with the transaction standards and operating rules. Healthcare reform also requires HHS to conduct periodic audits to ensure that health plans (and their contracting parties) are in compliance, and a CHP may be assessed a penalty fee if it fails to meet the certification and documentation requirements.

To date, HHS has issued operating rules for three electronic transactions—eligibility for a health plan, health care claim status and health care electronic funds transfer and remittance advice. The proposed rules explain how CHPs would certify that they are in compliance with the adopted standards and operating rules for these three transactions (First Certification Transactions).

Coordination with TPA. Generally, a self-insured plan sponsor contracts with a third party administrator (TPA) to handle its claim process. Therefore, most of the compliance described herein will be accomplished by the TPA. The plan sponsor will want to ensure its business associate agreement requires the TPA to comply with electronic transaction rules and will need to work with the TPA to ensure compliance with the certification responsibilities as they become required.

Obtaining an HPID. Large CHPs with annual receipts of over $5 million must obtain the HPID by November 5, 2014 (November 5, 2016 for small plans). An HPID is obtained by an online application process through the CMS Enterprise Portal ( Plan sponsors should consult with their TPA for any assistance it can provide in obtaining the HPID well before the compliance date. Once the application has been approved, the entity’s authorized official will be notified by email of its assigned HPID number. The use of an HPID for all plans must then begin by November 7, 2016.

Certification Requirement. Under the new rules, by December 31, 2015 (December 31, 2016 for small plans), CHPs that obtained an HPID prior to January 1, 2015 must obtain outside HIPAA Certification of Compliance and then submit: (1) documentation that demonstrates compliance with the applicable standards and operating rules by using one of two available methods (the HIPAA Credential or the Phase III CORE Seal); and (2) its number of covered lives.

Penalties. The reported number of covered lives would be used to calculate penalties for CHPs failing to adequately certify compliance. Penalties generally would range from $1 to $20 per covered life, but up to $40 per covered life for CHPs submitting inaccurate or incomplete information with actual knowledge or acting in deliberate ignorance or reckless disregard of the accuracy or completeness of the information. The proposed regulations detail an administrative process for HHS to assess, and for CHPs to contest, penalties.

The proposed regulations define “covered lives” to mean all individuals covered by or enrolled in major medical insurance policies of a CHP (including the covered member and any dependents covered by the plan). All CHPs, irrespective of whether they issue major medical policies, must submit a First Certification of Compliance. However, only CHPs with major medical “insurance” policies may be assessed penalty fees. Thus, it appears that self-insured health plans would have to file the First Certification of Compliance but could not be penalized for failing to do so (since, a self-insured plan would not have any “covered lives” under a major medical “insurance” policy). Similarly, the penalty for an employer-sponsored plan that is partially insured and partially self-insured apparently would be based solely on the number of individuals enrolled in the insured coverage.

The methods to demonstrate compliance with these new rules are still being developed and HHS expects to provide details on the final rules when they publish the final regulations. Should you have questions about this or any aspect of healthcare reform, contact your Conner Strong & Buckelew account representative toll free at 1-877-861-3220. For a complete list of Legislative Updates issued by Conner Strong & Buckelew, visit our online Resource Center.


4 views0 comments

Related Posts

See All

IRS PCORI Fees Due by July 31, 2024

The Patient-Centered Outcomes Research Institute (“PCORI”) fee was established as part of the Affordable Care Act (“ACA”) to fund medical research through the PCORI Institute. Employers and plan spons

Reminder: RxDC Reporting Due June 1, 2024

The Centers for Medicare and Medicaid Services (CMS) is now accepting Prescription Drug Data Collection (RxDC) submissions for “reference year” 2023. Data must be submitted through the RxDC Health Ins


bottom of page