HHS Releases Health Plan Certification of HIPAA Compliance Proposed Rule (Health Insurance Portability and Accountability Act of 1996)
Sunday, January 5, 2014

On January 2, 2014, the U.S. Department of Health and Human Services (HHS) released a proposed rule that would require health plans to submit documentation demonstrating compliance with certain standards and operating rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with respect to specific electronic transactions. The proposed rule would also establish penalty fees for health plans that do not comply with the certification of compliance requirements.

HIPAA requires health plans to provide the Secretary of HHS with adequate documentation of compliance with standards and operating rules.  The proposed rule will apply to controlling health plans, which are health plans that either: (1) control their own business activities, actions, or policies; or (2) are controlled by an entity that is not a health plan.  The certification of compliance process outlined in the proposed rule will apply to three electronic transactions: eligibility for a health plan, health claims status, and health care electronic funds transfers (EFT) and remittance advice.

Under the proposed rule, required documentation will need to demonstrate that a plan has completed some internal and external testing, and should include both (1) the number of covered lives (used to calculate penalties, as necessary) and (2) evidence of certification of compliance, which is obtained from the Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE) in one of two ways:

  1. CAQH CORE certification, which requires testing by a CORE-authorized outside vendor and compliance with CORE standards in addition to HIPAA standards for the applicable transactions (called the Phase III CORE Seal); or
  2. HIPAA Credential from CORE documenting compliance with HIPAA standards regarding the electronic transactions, a process which has not yet been finalized but generally requires attestation that the plan has conducted testing for the applicable transactions with its trading partners (called the HIPAA Credential).

Plan submissions will need to certify that the plan, its subhealth plans, and its business associates comply with relevant HIPAA standards and operating rules. In addition, plans will need to ensure that business associates conducting any of the applicable electronic transactions on the health plan’s behalf conduct the transactions in compliance with applicable requirements.

Certification submission requirements will be due by December 31, 2015 for most plans, but the submission deadline depends on when health plans obtain a health plan identifier and whether plans qualify as small plans with annual receipts of $5 million or less.

HHS proposes penalties of up to $20 per covered life for a plan’s failure to comply with compliance certification requirements.  Penalties will double for plans that knowingly provide inaccurate or incomplete information during the certification process.

 
