May 12, 2014
The Department of Health and Human Services (HHS) has issued guidance regarding HIPAA electronic transactions related to the HIPAA privacy and security rules. According to the guidance, employers who sponsor self-funded health plans will be required to take certain administrative steps, including applying for a health plan identifier number (HPID) and getting certification from certain vendors that they are in compliance with HIPAA transaction rules.
Most employer-sponsored group health plans are considered Covered Entities and are subject to the HIPAA privacy and security rules to varying degrees, depending on such factors as whether the plan is fully insured or self-funded and the level of access to Protected Health Information (PHI).
HIPAA privacy and security rules require Covered Entities to conduct certain transactions electronically using standards set by HHS. These rules apply only to electronic transactions between two covered entities, such as a health insurance company and a medical provider. Importantly, a transaction between the employer’s plan and a member or employee is not a transaction subject to HIPAA transaction rules because the individual is not a Covered Entity.
Even though employer-sponsored health plans are HIPAA Covered Entities, rarely does an employer actually process electronic transactions subject to these rules. Generally, an employer health plan contracts with another entity to process HIPAA transactions. For example:
A small number of employers who internally administer their own benefit plans may be more involved in HIPAA-related transactions and have additional responsibilities. This issue brief does not address these situations. However, recently released regulations require employers who sponsor self-funded health plans to be part of this process in two ways, even though they do not actually process their own electronic transactions:
Note that in the case of a fully insured health plan, it is the health insurance company, not the employer/plan sponsor, who is responsible for compliance with these rules. Both of these new employer responsibilities are described in detail below.
The timing of employer compliance with these requirements depends on whether the plan is considered a large or a small health plan. HHS regulations require large health plans to obtain an HPID by November 5, 2014. Small health plans (with annual receipts of $5 million or less) have until November 5, 2015 to register for an HPID. All health plans, large and small, must then certify compliance with certain standard transaction rules by December 31, 2015.
Determining Small Health Plan Status
When determining small plan status, an employer must consider a number of factors. HHS provided informal guidance on this issue in 2002, but formal regulations were never issued. According to HHS, to determine total receipts for a plan:
Employers must also consider which health plans to count when determining small health plan status. HIPAA privacy rules apply to other types of “health plans” such as dental, vision, and Rx plans. Again, no formal guidance has ever been released defining how to address multiple plans offered by a single employer; however, a reasonable approach may be to align the plan size determination with how the plans are identified in the employer’s 5500 filing. If an employer wraps all plans subject to HIPAA into a single “wrap” plan and files a 5500 under a single plan number, the employer should probably consider the claims in all health-related benefits (e.g. medical, dental, vision, etc.) in determining the $5 million threshold.
An employer whose plans are close to $5 million in receipts may simply decide to acquire the number by the November 5, 2014 large plan deadline.
Health Plan Identifier Number (HPID)
All self-funded health plans must obtain an HPID from HHS, even when the employer’s plan is not directly handling HIPAA transactions. Interestingly, TPAs or claims administrators are not required to use each individual employer’s HPID to process transactions on behalf of the plan at this point. It is unclear whether administrators and vendors will require the employer to provide the HPID for use in future transactions. Employers should enter into a conversation with vendors to ascertain whether and when the HPID will be required by the vendor.
Controlling Health Plan vs. Subhealth Plan
The HPID rules introduce a new concept related to health plans when applying for an HPID and certifying they are in compliance with HIPAA transaction rules.
Each Covered Entity health plan must obtain an HPID. A Controlling Health Plan must obtain its own HPID, but can also apply on behalf of any Subhealth Plans, or the Subhealth Plans may obtain their own HPIDs. The regulations do not effectively spell out how an employer should apply these rules; therefore, until further guidance is issued, the employer may want to apply for the HPID in a manner consistent with their ERISA plan structure (if applicable).
For example, consider a situation in which the employer has a wrap plan that is a single legal entity (i.e., a single ERISA plan) comprising several health plans. If those health plans are all self-funded, they could each be considered a Subhealth Plan (SHP), allowing each to have its own unique HPID, but the ERISA plan would be able to apply as a Controlling Health Plan (CHP) for a single HPID that would cover all of them together. However, if an employer sponsors several health benefits that are not organized as a single ERISA entity via a wrap plan structure, then each separate health plan is probably a CHP. The situation is similar to whether a single Form 5500 can be filed or if multiple Form 5500s must be filed by the employer. (In either case, since the obligation to apply for the HPID falls on a “covered entity,” the insurer will still be responsible to apply for an HPID for a fully insured benefit, so the employer would not include the fully insured benefit under the HPID of the CHP in the wrap plan situation. Obviously, some of the details require more guidance. The failure of HHS regulations to coordinate well with ERISA in these areas continues to be a problem.)
HHS has established a website where health plans can register and obtain their HPID. The site lists steps the employer must take to provide information about the plan sponsor and plan. The HHS site can be found at: http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Health-Plan-Identifier.html.
Health Plan Certification of Compliance with HIPAA Transaction Rules
In a separate set of requirements, all Covered Entity health plans are required to file a certification with HHS attesting that the plan is in compliance with certain HIPAA transaction requirements by December 31, 2015. The certification process involves going through a specific technical systems testing process defined in the regulations. The rules regarding the certification process are clearly designed to apply to health insurance companies, and employers who sponsor fully insured plans will not need to file a certification directly with HHS. However, because employer-sponsored health plans are also considered Covered Entities, the rules will directly affect employers who sponsor self-funded plans.
Employer/plan sponsors with self-funded plans that actually process HIPAA transactions would be responsible for the certification, but as previously mentioned, most employer/plan sponsors do not actually process the relevant HIPAA transactions themselves. Rather, they outsource this function to an administrator or outside vendor. Consequently, most employers will work with existing vendors to make sure that the vendors receive the necessary certification on behalf of the employer’s plan. Additional guidance from HHS on the certification process specific to the employer’s responsibility may be forthcoming.
The ACA imposes a penalty on plans that fail to certify compliance of $1 per covered life per day until certification is complete, with a maximum penalty of $20 per covered life.
To acquire their HPID, employers who sponsor self-funded health plans must plan to take the following steps:
Employers should also begin a conversation with any vendor who processes HIPAA transactions on behalf of the plan to make sure that the vendor completes the required testing and receives the necessary certification prior to December 31, 2015. We expect to hear more from the vendors as the final deadline approaches.
As always, should you have any questions, please contact your Parker, Smith & Feek Benefits Team.
We strive for the most accurate and up-to-date information. Neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.
The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.