By December 31, 2015, group health plans must complete a testing process and certify that they are able to conduct electronic transactions in accordance with uniform standards and operating rules.  Plans must also ensure that third-party administrators and other outside vendors are in compliance with the electronic transaction rules if the vendors conduct transactions on the plans’ behalf.

December 2015 might seem a long way off to group health plan sponsors and administrators focused on ACA’s shared responsibility rules.  Plan sponsors should bear in mind, though, that compliance with the certification requirements for electronic transactions can involve significant lead time.  Failure to comply carries substantial penalties.  Accordingly, group health plan sponsors that have not already addressed the electronic transaction rules might wish to develop a timetable for compliance.

Uniform Standards for Electronic Transactions

The Health Insurance Portability and Accountability Act (HIPAA) required the Department of Health and Human Services to establish uniform standards for electronic data transmission between group health plans and health care providers such as doctors, pharmacies, and hospitals.  Once HHS establishes a standard for a particular transaction, the parties must conform to the standard when they conduct the transaction electronically.

Starting in 2011, HHS must also adopt a single set of operating rules for each standard transaction.  The operating rules provide additional guidelines for conducting the transaction electronically.  For example, the operating rules might specify the transmission method or define the circumstances in which the plan must provide particular data.  When the operating rules for a transaction become effective, the parties must also comply with the operating rules when they conduct that transaction electronically.

Most employer group health plans with 50 or more participants (and smaller plans administered by outside vendors) are subject to the electronic transaction standards.  Self-insured plans must have the ability to transmit and receive information electronically for any standard transaction, either directly or through a business partner.  Insured plans generally rely on the insurer to satisfy these requirements.

As we explained in an earlier post, here, each group health plan must also obtain a unique health plan identifying number (HPID) this fall and must use the HPID in standard transactions.  HHS will use the HPID to track which plans have met the certification requirement.

ACA Imposes a Certification Requirement

Although HHS published the first set of electronic transaction standards more than a decade ago, the health care industry has—as HHS puts it—“experienced difficulty transitioning to [the standards] by the regulatory compliance dates.”  In order to ensure that plan sponsors take the electronic transaction standards seriously, the Affordable Care Act created a new enforcement structure.  Under the ACA regime, group health plans must file statements with HHS certifying their compliance with the electronic transaction standards.  ACA also requires HHS to conduct periodic audits of health plans and their service-providers, and establishes a penalty (up to $40 per covered life) for failure to satisfy the certification requirement.

The first compliance statement must certify that the group health plan complies with the standards and operating rules for the following electronic transactions:

1. Eligibility for a health plan;

2. Health care claim status; and

3. Health care electronic funds transfers and remittance advice.

HHS has issued a proposed rule explaining how a plan must provide the first certification of compliance.   Although the statutory deadline for the first certification was the end of 2013, HHS has extended the deadline to December 31, 2015.

ACA requires health plans to provide a second certification of compliance for the following electronic transactions: health care claims or equivalent encounter information; enrollment and disenrollment in a health plan; health plan premium payments; health claims attachments; and referral certification and authorization.  Although the statutory deadline for the second certification is the end of 2015, HHS has not yet published operating rules for these transactions (and has not even published the standard for health claims attachments).  HHS has said that it will explain the requirements for the second certification in future regulations.  It seems reasonable to expect that HHS will also extend the 2015 compliance deadline for the second certification, although HHS has not yet announced an extension.

Certifying Compliance with Electronic Transaction Rules

ACA requires a group health plan to demonstrate that it conducts the covered electronic transactions in a manner that fully complies with regulations.  The plan must also provide documentation showing that it has completed end-to-end testing with its transaction partners, such as doctors and hospitals.

HHS’s proposed regulation describes two ways in which a group health plan can satisfy these requirements.  Both options will be administered by the Committee on Operating Rules for Information Exchange (CORE) of the Council for Affordable Quality Healthcare (CAQH), a non-profit organization that works with industry stakeholders to implement the electronic transaction rules.

Under the first option, a group health plan will obtain a “Phase III CORE Seal,” which confirms that the health plan has successfully completed certification testing with an independent CORE-authorized testing vendor for each of the electronic transactions covered by the initial certification of compliance.  CAQH CORE charges a fee based on “net annual revenue,” capped at $18,000, for the Phase III Core Seal.

Under the second option, a group health plan will obtain a “HIPAA Credential.”  Although CAQH CORE is still developing the HIPAA Credential, current indications are that the credential will be less expensive and easier to obtain than the Phase III CORE Seal.  Unlike the Phase III Core Seal, the HIPAA Credential does not require the health plan to test with an independent CORE-authorized testing vendor.  Instead, the health plan must certify that it has “successfully tested” the covered electronic transactions with at least three providers that collectively account for at least 30% of the plan’s transactions.  The HIPAA Credential does not require a specific approach to external testing with providers (whereas the Phase III CORE Seal does require plans to meet a uniform testing standard).  The maximum fee for the HIPAA Credential is expected to be approximately $4,000.  (Additional information about the HIPAA Credential and draft application forms are available on CAQH CORE’s website, here.)

In addition to documenting the fact that it has obtained a Phase III Core Seal or HIPAA Credential, the group health plan must notify HHS of its number of covered lives on the date when it submits the documentation.  Commenters on the proposed regulation have noted that it is impossible to conduct an accurate headcount in real time, and have requested that plans be permitted to provide the number of covered lives as of an earlier date, such as the first day of the plan year.

Certifying Compliance with Privacy and Security Requirements

In order to obtain a Phase III CORE Seal, a group health plan representative must attest that the plan complies with HIPAA’s privacy and security provisions.  In the preamble to the proposed regulation, HHS states that the same attestation will be required for the HIPAA Credential.  Consistent with this statement, CAQH CORE’s draft application forms for the HIPAA Credential include an attestation that the plan “is and shall remain” in compliance with the privacy and security requirements).  Accordingly, although the first certification of compliance nominally relates only to the covered electronic transactions, the group health plan must be able to confirm that it is (and will remain) in compliance with a broad array of statutory and regulatory requirements—many of which have nothing to do with electronic transactions—in order to provide the necessary attestation.

Certifying Compliance by Business Associates

To the extent that a group health plan conducts standard transactions through business associates—such as claims administrators, pharmacy benefit managers, or COBRA administrators—the group health plan must require the business associates (and their agents and subcontractors) to comply with the standards and operating rules for electronic transactions.  The group health plan’s certification to HHS that it complies with the electronic transaction rules includes a certification that it has met this requirement with respect to its business associates.

Group health plan sponsors should consider whether they need to amend their business associate agreements or other agreements with third-party administrators in order to address ongoing compliance with the electronic transaction standards and operating rules.  All HIPAA business associate agreements must be amended no later than September 22, 2014, to comply with the requirements of the final HITECH omnibus regulation; plan sponsors executing amended agreements might wish to include provisions concerning electronic transactions.