Effective October 31, 2014, and until further notice, CMS is delaying enforcement of the HIPAA requirements concerning HPID enumeration and use in HIPAA transactions. Employer-sponsored plans that have not yet applied for an HPID do not need to take any action at this time. We will be monitoring ongoing developments with respect to the HPID and other HIPAA requirements. Contact your Alston & Bird attorney (or any attorney listed to the right) for advice on how any developments may affect your compliance obligations.
While much has been written about Affordable Care Act (ACA) compliance obligations for employer-sponsored plans–such as the “pay or play” rules, various fees and taxes and insurance reforms–the ACA’s changes to the administrative simplification rules in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have received less attention. As deadlines approach, however, it is important for plans to ensure compliance with these requirements. This article discusses two major developments applicable in 2014 and 2015: the requirements to obtain a unique health plan identifier (HPID) and file a certification of compliance with the Department of Health and Human Services (HHS).
Section 1104(c)(1) of the ACA requires HHS to promulgate rules regarding HPIDs for health plans. The HPID is a standardized 10-digit number assigned to health plans, which is designed to increase standardization and help covered entities verify information from other covered entities. The level of control a plan has over its own activities determines whether it must apply for its own HPID or whether it might be able to rely on the HPID of another health plan. If the HPID requirement applies, large health plans must obtain one by November 5, 2014, and small health plans must do so by November 5, 2015.
In addition, HHS has issued proposed regulations regarding the “certification of compliance” with HIPAA’s electronic transaction standards required by ACA § 1104(h). Most health plans must file the first of two certifications with HHS by December 31, 2015. While much detail regarding this certification remains to be developed, health plans should begin planning so that they can complete the certification’s required testing process when final regulations are issued.
On April 27, 2012, HHS issued a proposed rule about HPIDs. The final regulations, issued on September 5, 2012, modified the implementation dates originally set forth in the April rulemaking, but did not substantively modify them.
Who Needs an HPID?
The regulations draw a distinction between Controlling Health Plans and Subhealth Plans based on the level of control the entity has over its activities. Under these regulations, a Controlling Health Plan (CHP) is required to obtain an HPID. A Subhealth Plan (SHP) is not required to obtain an HPID, but may do so, or a CHP can obtain an HPID on its behalf.
A CHP is defined as a health plan that (i) controls its own business activities, actions, or policies; or (ii) is controlled by an entity that is not a health plan and, if it has one or more SHPs, exercises sufficient control over them to direct their business activities, actions or policies. The regulations list the following considerations in determining whether an entity is a CHP: 1) Does the entity itself meet the definition of a health plan at 45 C.F.R. § 160.103? 2) Does either the entity itself or a nonhealth plan control the business activities, actions, or policies of the entity? If the answer to both questions is yes, the entity meets the definition of a CHP. This includes self-insured plans that satisfy the definition of a CHP.
A SHP, by contrast, is defined as a health plan whose business activities, actions, or policies are directed by a CHP. In determining whether an entity is a SHP, the following considerations are relevant: 1) Does the entity meet the definition of health plan at 45 C.F.R. § 160.103? 2) Does a CHP direct the business activities, actions, or policies of the health plan entity? If the answer to both questions is yes, the entity meets the definition of a SHP.
While it is not entirely clear from the regulations, it appears that insurers may apply for HPIDs on behalf of fully-insured plans. Specifically, the insurer’s health plan would be considered the CHP because it controls its own business activities, actions, and policies, while the employer’s fully-insured health plan would be considered a SHP because its business activities, actions, and policies are controlled by the insurer’s CHP. Nonetheless, more guidance to clarify this issue would be welcome.
|Practice Pointer: A “health plan,” as defined in 45 C.F.R. § 160.103, includes, among other entities, a group health plan, health insurance issuer, or HMO. Thus, for example, even excepted benefits such as dental or vision only coverage and health flexible spending accounts would be required to obtain HPIDs. Likewise, HRAs and retiree only health plans would be required to obtain HPIDs as well. However, it appears that plans may file for one HPID for bundled plans (e.g., if the plan constitutes one plan for Form 5500 filings), so some of these types of coverage may be bundled with other coverage for HPID purposes, depending on the structure of the plan.
For example, the following plan arrangements would likely have the HPID responsibilities discussed below:
|A single medical plan with three self-insured options
|Employer obtains one HPID for the entire plan
|Employer obtains one HPID for the entire plan
|Employer obtains HPID for self-insured options, but insurer also obtains HPID for the fully-insured option.
|Insurer obtains HPID. Employer’s medical plan is a SHP and may be able to rely on the insurer’s CHP HPID.
|Medical plan with three fully-insured options and a health flexible spending account (FSA)
|Employer obtains HPID for health FSA, but insurer obtains HPIDs for the fully-insured options. Employer may have until November 5, 2015 to apply for HPID if health FSA qualifies as a small plan as discussed below.
Are any health plans excluded from the HPID requirement?
HIPAA’s definition of health plan is broad and includes any “individual or group plan that provides, or pays the cost of, medical care.” However, plans that are not subject to HIPAA’s administrative simplification rules are not required to obtain an HPID. HIPAA’s administrative simplification rules do not apply to the excepted benefits described in PHSA §2791(c), including:
- Coverage only for accident, or disability income insurance, or any combination thereof;
- Coverage issued as a supplement to liability insurance;
- Liability insurance, including general liability insurance and automobile liability insurance;
- Workers’ compensation or similar insurance;
- Automobile medical payment insurance;
- Credit-only insurance;
- Coverage for on-site medical clinics; and
- Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.
|Practice Pointer: Not all excepted benefits under HIPAA’s portability rules are excepted benefits under the administrative simplification rules. For example, although health flexible spending accounts, stand-alone dental and vision policies, and retiree-only plans might be excepted benefits under HIPAA’s portability rules, they are not excepted benefits under the administrative simplification rules and must obtain an HPID.
Obtaining an HPID
A national enumeration system, known as the Health Plan and Other Entity Enumeration System (HPOES), assigns unique HPIDs through an online application process. HPOES became available within the Centers for Medicare & Medicaid Services’ (CMS) Health Insurance Oversight System (HIOS) in late March 2013. As noted above, large health plans must obtain an HPID by November 5, 2014, and small health plans must do so by November 5, 2015. For this purpose, a “small health plan” is defined as a health plan with annual receipts (i.e., benefits for a self-funded plan or premiums for an insured plan) of $5 million or less. Thus, many excepted benefit coverages (e.g., FSAs, dental or vision only coverage) should be eligible for a one-year extension. By the full implementation date of November 7, 2016, all health plans must use the HPID in their standard transactions.
|Practice Pointer: Many individuals consider Employee Assistance Programs (EAPs) to be self-insured plans because they are not generally subject to state insurance laws, but other individuals consider EAPs to be insured. Assuming that an EAP is treated as a self-insured plan, an employer must apply for an HPID if it offers an EAP even if all of its other benefits are fully-insured. However, most EAPs will qualify as small health plans and have until November 5, 2015 to do so. EAP providers should work with counsel to determine if they must obtain an HPID. Additional guidance on this issue would be helpful.
How does the application process work?
To sign up for an HPID, entities must first be registered for HIOS at https://portal.cms.gov/wps/portal/unauthportal/home/. First, users must sign up as individuals and request to be linked to the relevant company. The user will then select whether the application is for an HPID (SHP or CHP) or Other Entity Identifier (OEID), which, as described below, may be obtained by entities like third-party administrators (TPAs) who are not required to obtain HPIDs. Keep in mind that plans must sign up for a CHP before signing up for any SHPs (although, as discussed above, HPIDs are permissive, not required, for SHPs). The data elements requested in the application for employer-sponsored plans include company information (including name, employer identification number (EIN) and address), authorizing official information (including name and contact information) and the plan’s NAIC number or payer ID for standard transactions. Although not defined by HHS, it is generally expected that health plans will use the plan sponsor’s EIN for the payer ID since they do not have a NAIC number.
After the information is submitted, an “authorizing official” within the company must approve the application. CMS has created several videos, presentations, and explanatory slides to guide plans through the application process.
|Practice Pointer: It will be important to secure an HPID well before the mandatory compliance dates so that there is sufficient time to work out any administrative issues that may arise with multiple entities implementing the new system. Companies that have not previously signed up within HIOS should allow several days for the various internal approvals that must take place before they can obtain an HPID.
Penalties if HPID not obtained
HHS’ HPID regulations do not specify a separate penalty for failing to obtain an HPID. Although not clear, it appears that the same civil monetary penalty that applies to violations of HIPAA’s administrative simplification rules would apply to a plan that failed to obtain an HPID. Thus, a plan that by willful neglect does not obtain an HPID would be subject to a penalty of at least $50,000 for failing to obtain an HPID, plus at least $50,000 each time a standard transaction occurs that requires an HPID but fails to include an HPID. This penalty is capped at $1.5 million for violations of an identical requirement or prohibition within the same calendar year.
How an HPID will be used
A covered entity is required to use an HPID when it identifies a health plan in a standard transaction. Note that this requirement also applies to business associates when they conduct standard transactions on a covered entity’s behalf. While multiple standard transactions apply to health plans, a transaction employer-sponsored plans may directly perform (rather than relying on TPAs) is the eligibility for a health plan standard (270/271), which applies to inquiries between health care providers and health plans regarding a participant’s eligibility, coverage or benefits under a plan.
|Practice Pointer: Covered entities, including health plans, are required to comply with HIPAA’s standard transaction rules when they communicate electronically with each other. The following electronic transactions are subject to HIPAA’s rules for standard transactions:
There are also several uses for which an entity is permitted, but not required, to use an HPID. CMS has stated that the HPID can be used for “any other lawful purpose” (in addition to a standard transaction). The regulations list the following potential uses of an HPID, which CMS believes will increase efficiency: in internal files, to facilitate the processing of transactions; on an enrollee’s health insurance card; as a cross-reference in health care fraud and abuse files and other program integrity files; in patient medical records to help specify health care benefit packages; in electronic health records to identify health plans; in federal and state health insurance exchanges; and for public health data reporting purposes.
|Practice Pointer: While none of these uses currently require an HPID, they are helpful in that they illustrate how CMS intends the HPID to be used. In addition, CMS may decide to mandate some of these uses of HPIDs in the future.
Other Entity Identifiers
The HPID regulations also introduce the concept of an OEID for non-health plan entities that may engage in, and thus must be identified in, standard transactions. The possible users of OEIDs include third-party administrators, transaction vendors, clearinghouses, and other payers. Non-health plan entities are permitted, but not required, to obtain an OEID. However, health plans will want to require their business associates to obtain OEIDs in contractual agreements, particularly any TPAs handling eligibility or claim status issues on the plan’s behalf.
Entities are eligible to apply for an OEID if they need to be identified in a transaction for which a standard has been adopted by HHS, are not eligible to obtain an HPID or a National Provider Identifier (NPI) and are not an individual. Because the adoption of an OEID is voluntary, there is no required compliance date.
|Practice Pointer: For employers, the HIPAA standard unique identifier is the employer’s EIN. For providers, the NPI is the standard unique identifier.
Another important requirement imposed on plans by HIPAA’s administrative simplification rules is the certification of compliance. Section 1104(h)(1) of the ACA requires CHPs to file two separate statements with HHS certifying that their data and operating systems are in compliance with the applicable standards and operating rules. The first “certification of compliance” applies to eligibility for a health plan, health care claim status, and health care electronic funds transfers and remittance advice. It is due by December 31, 2015 for plans that have applied for an HPID by January 1, 2015 (i.e., most large health plan CHPs), and within a year of applying for an HPID for plans that apply for an HPID between January 1, 2015, and December 31, 2016 (i.e., small and new CHPs). Thus, as a practical matter, many health plans that provide excepted benefits or otherwise qualify as a small health plan will have an additional year for compliance.
The second certification of compliance—applicable to health claims or equivalent encounter information, enrollment or disenrollment in a health plan, health plan premium payments, health claims attachment and referral certification and authorization transactions—is, according to the statute, also due on December 31, 2015. However, there are currently no standards or operating rules for these transactions.
HHS issued proposed rules on January 2, 2014, setting forth the requirements for the first certification of compliance. While much remains to be worked out in the final rules, the proposed rules give a sense of what compliance obligations CHPs should prepare for by the end of 2015. HHS stated in the proposed rules that it intends for the certification to serve as a “snapshot” of compliance, so this is likely a one-time compliance obligation for each required certification.
|Practice Pointer: The certification requirements will take some time to satisfy because they require external testing, so plans should be prepared to act when the final regulations are issued by HHS. In most cases, plans will need to rely on their business associates to conduct this testing, so plans should consider adding provisions to new business associate agreements that require the business associate to conduct this testing on their behalf.
Details of certification requirement
The proposed rules would require CHPs to submit to HHS:
- Number of covered lives, including covered lives in SHPs, on the date the certification is submitted; and
- Documentation that the CHP has obtained one of two permissible certifications:
  - HIPAA Credential, or
  - The Phase III CORE Seal.
CHPs will report this information on their own behalf and on behalf of SHPs and business associates conducting standard transactions on their behalf. The term “covered lives” means individuals (including spouses and dependents) covered by major medical policies of a CHP and its SHPs.
|Practice Pointer: The use of the term “policy” in the definition of covered lives suggests that the proposed rules only contemplate reporting enrollment counts for fully-insured plans; further guidance on this subject would be welcome.
The HIPAA Credential certification is still under development, but as currently envisioned by HHS, would involve:
- Attestation about completing certain external testing of operating rules (although no specific testing process is specified),
- Application form, and
- Attestation of compliance with HIPAA’s security, privacy and electronic transaction standards by a senior
The Phase III CORE Certification Seal would involve a:
- Specified external testing process through a CORE-authorized vendor to obtain the Seal,
- Application form, and
- Attestation by a senior level executive of compliance with HIPAA’s security, privacy and electronic
Plans should watch for further developments on these methods of certification in the final rules.
Plans that fail to comply with the certification and documentation of compliance requirements (either by submitting the required information late or not at all) may face penalties of $1 per covered life per day, up to a maximum of $20 per covered life or $40 per covered life if the plan knowingly provides incomplete or inaccurate information.
|Practice Pointer: The penalties for violations of these provisions are less draconian than other ACA penalties, such as for violations of the “pay or play” rules (under IRC § 4980H) and the PHSA Mandates. However, this penalty will likely be very easy for HHS to enforce, as HHS states that it can compare the list of entities that applied for an HPID with the list of entities that complied with the certification requirement.
ICD-9 to ICD-10 code change delay
HIPAA requires standardized code sets to be used in certain electronic communications of medical data. Currently, HHS has adopted the International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM), for diseases, injuries, impairments, health problems and their causes, as well as inpatient hospital services. However, the final HPID regulations adopted the International Classification of Diseases, Tenth Revision, Clinical Modification (ICD-10-CM) for diseases, injuries, impairments, health problems and their causes, as well as the International Classification of Diseases, Tenth Revision, Procedure Classification System (ICD-10-PCS) for inpatient hospital services, beginning October 1, 2014. However, the Protecting Access to Medicare Act of 2014 delayed implementation of the ICD-10-CM and ICD-10-PCS code sets until at least October 1, 2015. In a final rule issued August 4, 2014, HHS stated that covered entities must continue to use ICD-9-CM through September 30, 2015, and that compliance with ICD-10-CM and ICD-10-PCS will be required beginning October 1, 2015.
Generally, this delay will not impact employers or third-party administrators of flexible spending accounts and health reimbursement arrangements, but third-party administrators of self-insured major medical plans and insurers (who have already incurred costs related to the transition to ICD-10) must hold off using the new standard until October 1, 2015.
 This requirement is described in Social Security Act § 1173(b). This rule was required to be based on input from the National Committee on Vital and Health Statistics and be effective no later than October 1, 2012.
 Department of Health and Human Services, Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD–10–CM and ICD–10–PCS Medical Data Code Sets, 77 Fed. Reg. 22950, April 17, 2012.
 Department of Health and Human Services, Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, Tenth Revision (ICD–10–CM and ICD–10–PCS) Medical Data Code Sets; Final Rule, 77 Fed. Reg. 54664, September 5, 2012.
 As written, HHS’s rules could be read to indicate that even a health plan that is fully insured with no self-insured options must apply for its own HPID. However, HHS has typically excluded fully-insured employer health plans from many of HIPAA’s requirements if they do not have access to protected health information and have shifted the primary compliance burden, such as the responsibility for providing a Notice of Privacy Practices, to the insurer. Although it is not clear, it appears that HHS may have done the same regarding HPIDs.
 45 C.F.R. § 160.103.
 The regulations do not currently specify any “[o]ther similar medical coverage.”
 Fully-insured plans should use the total premiums that they paid for health insurance during the plan’s last fiscal year to determine their annual receipts. Self-insured plans should use the total amount of claims paid by the employer, plan sponsor or benefit fund, as applicable, on behalf of the plan during the plan’s last full fiscal year.
 45 C.F.R. § 162.504. This was corrected from a mistake in the original regulations by 77 Fed. Reg. 60629, Oct. 4, 2012.
 Similarly, although also not clear, we expect that a health plan that pays benefits through a voluntary employee beneficiary association (VEBA) should use the VEBA’s EIN since the VEBA is the payer.
 CMS, “Health Plan Identifier,” March 30, 2014, available at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Health-Plan-Identifier.html.
 CMS, HPID and OEID System Overview, February 13, 2013, available at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Downloads/HPOESTrainingSlides02132013.pdf.
 This requirement is described in Social Security Act § 1173(h).
 Department of Health and Human Services, Administrative Simplification: Certification of Compliance for Health Plans; Proposed Rule, 79 Fed. Reg. 298, January 2, 2014.
 Language in the proposed rules suggests that this penalty only applies to a “major medical policy,” which is defined as “an insurance policy that covers accident and sickness and provides outpatient, hospital, medical, and surgical expense coverage.” 79 Fed. Reg. 313 (Jan. 2, 2014). Although self-insured plans must obtain certification, the proposed rules do not specify a penalty for those that fail to do so. We expect this will be clarified in the final regulations.
 79 Fed. Reg. 45128 (August 4, 2014).
This advisory is published by Alston & Bird LLP’s Employee Benefits & Executive Compensation practice area to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.