On October 31, 2014, the Department of Health and Human Services announced a non-enforcement policy “until further notice” regarding the HIPAA Health Plan Identifier (“HPID”) requirement that otherwise would have gone into effect November 5, 2014. In light of this announcement and pending further guidance from the agencies, health plans that have not yet obtained an HPID should not need to do so until further notice from HHS. Health plans that have obtained an HPID also do not need to take any further action at this time.
The Department of Health and Human Services (HHS) recently issued rules that apply to health plans that are covered entities under the HIPAA privacy and security rules. The Affordable Care Act, ACA, added new requirements to these rules and a deadline for one of them is approaching.
Self-insured health plans must obtain a 10-digit Health Plan Identifier (HPID) by November 5, 2014 to use in electronic *HIPAA transactions. Small plans (defined as those with annual receipts of $5 million or less) have a one-year delay, to November 5, 2015. The amount the employer takes out of its general assets to pay claims and expenses should be considered receipts. All self-funded “controlling health plans” must obtain HPIDs. Controlling Health Plans are health plans that control their own business activities, actions or policies; or are controlled by entities that are not health plans (e.g., self-funded plans controlled by their plan sponsors/ employer).
HHS has established a website where health plans can register and obtain their HPID. There are a series of screens the plan must walk through to provide information about the plan sponsor and plan. Learn more about the application, see video that walks you through the application process for a controlling health plan. For more information see http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Health-Plan-Identifier.html.
The ACA also mandates that health plans must file two one-time certifications with the Secretary attesting that the plan is in compliance with the applicable standard transaction requirements. The certifications are due by December 31, 2015 and final regulations for the certification process have not yet been released.
Even if TPAs or business associates conduct HIPAA standard transactions on behalf of the self-insured plans they administer (and use their own unique standard identifiers in transactions), the rules place responsibilities directly on the health plan to obtain its own HPID. The HPID will be used to help HHS implement various administrative simplification initiatives. Actual use of HPIDs will not be required until Nov. 7, 2016.
* HIPAA transactions include: medical and dental claims and encounters, payment and remittance advice, claims status request and response, eligibility and benefit inquiry and response, benefit enrollment and disenrollment, referrals and authorizations, and premium payment.