HHS Issues Proposed Rule Requiring Health Plans to Demonstrate Compliance with HIPAA Electronic Transaction Standards and Operating Rules
On January 2, 2014, the U.S. Department of Health and Human Services (HHS) published a proposed rule that would require “controlling health plans” (CHPs) to demonstrate compliance with certain electronic transaction standards and operating rules adopted under the Health Insurance Portability and Accountability Act (HIPAA). A CHP is defined as a health plan that controls its own business activities, actions, or policies, or a health plan controlled by an entity that is not a health plan which exercises sufficient control over subhealth plans (SHPs). CHPs, including the Business Associates conducting transactions on their behalf, will be required to demonstrate compliance with standards and operating rules related to three electronic transactions: (i) eligibility for a health plan; (ii) health care claim status; and (iii) health care electronic funds transfers (EFT) and electronic remittance advice (ERA). The required documentation of compliance would establish that a CHP has completed certain internal and external testing of its electronic transaction capabilities according to pre-approved processes.
This proposed rule is part of a larger set of HIPAA rulemaking aimed at facilitating the use of electronic transactions by creating uniformity in data exchange and reducing reliance on paper and manual processes to transmit data. HHS noted that the healthcare industry has experienced difficulty implementing the HIPAA standards and operating rules due to lack of a consistent testing process. This proposed rule is intended to serve as an initial step toward the development of a consistent testing process that will enable entities to better achieve and demonstrate compliance with HIPAA standards and operating rules. The requirements for certification of compliance were originally set forth under Section 1104 of the Affordable Care Act, which modified the Social Security Act. This proposed rule implements a portion of those modifications, including establishing penalty fees for a CHP that fails to comply with the certification requirements.
HHS proposes that a CHP that received a health plan identifier before January 1, 2015 would be required to submit its first certification of compliance by December 31, 2015. A CHP that received a health plan identifier on or after January 1, 2015 would be required to submit its documentation within a year of receiving the health plan identifier. Comments on the proposed rule are due no later than March 3, 2014.
Under the proposed rule, a CHP would be required to submit information and documentation demonstrating that it is compliant with certain standards and operating rules required for electronic transactions under HIPAA. As explained in more depth below, HHS has proposed that a CHP would be responsible for submitting:
- Information regarding the number of covered lives of the CHP; and
- Documentation demonstrating that the CHP has obtained from the Council for Affordable Quality Healthcare’s (CAQH) Committee on Operating Rules for Information Exchange (CORE) either:
  - A Certification Seal for Phase III CAQH CORE EFT & ERA Operating Rules (Phase III CORE Seal); or
  - A HIPAA Credential for health plan eligibility, health claim status, as well as EFT and ERA operating rules (HIPAA Credential).
CAQH CORE is a nonprofit alliance of industry stakeholders, including health plans and trade associations, which works to improve the transmission of electronic data by building consensus on operating rules. HHS is relying on CORE designations for this certification of compliance process.
The proposed rule does not currently specify the format for the submission requirements. For example, HHS may require an electronic version or copy of the CORE Seal or HIPAA Credential to be submitted online, or it may ask for a tracking number. A CHP would also be responsible for meeting submission requirements for any SHPs. Furthermore, the proposed rule is not intended to place any new requirements on health plans, including group health plans, with regard to Business Associates that are conducting transactions on their behalf and who, along with any agent or subcontractor, are required by the group health plan to comply with the requirements of part 162. We expect further guidance on what, if any, submission requirements will be imposed on group health plans under the rule.
Number of Covered Lives
As noted above, a CHP must submit information regarding the number of covered lives of the CHP. HHS has proposed that the term “covered lives of a CHP” would be defined as individuals covered by or enrolled in major medical policies of the CHP itself, as well as the SHPs of the CHP, if any, as of the submission date. “Major medical policy” would be defined to mean an insurance policy that covers accident and sickness and provides outpatient, hospital, medical and surgical expense coverage. HHS further specified that “individuals,” as described in major medical policy terms, may include but are not limited to: individuals, spouses, dependents, employees, subscribers, policyholders, Medicaid recipients, Medicare beneficiaries, TRICARE beneficiaries, veterans, and survivors.
Phase III CORE Seal
CHPs may opt to fulfill the certification of compliance requirements by applying for and receiving the Phase III CORE Seal. There are four steps to obtaining a CORE Seal from CAQH CORE. First, the entity must undertake a gap analysis in order to determine what system and business process changes may be necessary to ensure data and information systems are remediated to address any gaps between existing system requirements and CORE Operating Rule requirements. Second, the entity must sign and submit a binding CORE Certification Pledge to adopt, implement, and comply with the CAQH CORE Operating Rules and complete required testing within 180 days. Third, the entity must conduct testing through a CORE-authorized testing vendor using approved testing materials from CAQH CORE. Fourth, if the entity successfully completes the certification testing, it must submit an application package and fee to CAQH CORE. Importantly, a health plan must be awarded Phase I and II CORE Seals, which apply to operating rule sets for health plan eligibility and health care claim status transactions, before applying for a Phase III CORE Seal. An entity can also apply for all three phases concurrently.
Alternatively, CHPs may opt to fulfill the certification of compliance requirements by applying for and receiving the HIPAA Credential. CAQH CORE is currently developing the HIPAA Credential process, which HHS expects to be completed prior to the time the proposed rule is finalized. The HIPAA Credential will demonstrate that a CHP has attested to compliance with HIPAA standards and operating rules for health plan eligibility, health care claim status, and EFT and ERA transactions, and that the CHP has conducted a certain level of testing. HHS anticipates that the process would include a CHP’s having to submit to CAQH CORE: (i) the CAQH CORE HIPAA Attestation Form, (ii) an application verifying that all forms have been submitted to CAQH CORE and indicating that HHS may view the application and associated forms, and (iii) an attestation form in which the CHP confirms that it has successfully tested the operating rules for health plan eligibility, health care claim status, and EFT and ERA transactions with trading partners. For each of these three transactions, the CHP must confirm that the number of transactions conducted with those trading partners collectively accounts for at least 30 percent of the total number of transactions conducted with providers and that it has successfully tested with at least three trading partners. Note that, unlike the Phase III CORE Seal, the HIPAA Credential would not have a requirement for certification testing by a third-party testing vendor.
In accordance with the Affordable Care Act modifications, the proposed rule would also establish penalty fees for a CHP that fails to comply with the certification requirements. CHPs could be penalized for a late submission of documentation to HHS, as well as for knowingly providing inaccurate or incomplete information. The amount of the penalty would be based on the CHP’s number of covered lives as reported. If the CHP does not properly demonstrate receipt of a Phase III CORE Seal or a HIPAA Credential by the deadline, the entity would be fined $1 per covered life per day until the requirements have been met, and as limited by a cap of $20 per covered life. The same maximum penalty cap would apply in instances where a CHP fails to ever provide the required documentation. In cases in which the CHP knowingly, or with deliberate ignorance or reckless disregard, provided inaccurate or incomplete information, the entity would be assessed a fee of $40 per covered life.
Under the proposed rule, the Secretary of HHS would provide a Notice of Penalty Fee to the CHP specifying the penalty fee amount, the basis for the penalty fee, a description of the findings of fact regarding the violations, and the reasons why the violations subject the CHP to a penalty fee. The CHP would then have 30 days to assert a defense. Only the following three defenses would be considered: (i) the CHP is not subject to the requirements; (ii) the CHP’s failure to meet the requirements was attributable to a ministerial and non-substantive error; and (iii) the failure to meet the requirements was beyond the control of the CHP, to be applied narrowly. Upon receiving the notice of determination, a CHP would have 90 days to request a hearing before an administrative law judge or else forgo its right to a hearing.
We continue to monitor developments with respect to HIPAA and related regulations. If you have questions with regard to this proposed rule, please contact the Ropes & Gray attorneys with whom you regularly work. If you would like to discuss the foregoing or any other related matter, please contact Debbie Gersh, Tim McCrystal or your usual Ropes & Gray advisor.