HHS Issues Proposed Rule Requiring Health Plans to Demonstrate Compliance with HIPAA Electronic Transaction Standards and Operating Rules

by Ropes & Gray LLP

On January 2, 2014, the U.S. Department of Health and Human Services (HHS) published a proposed rule that would require “controlling health plans” (CHPs) to demonstrate compliance with certain electronic transaction standards and operating rules adopted under the Health Insurance Portability and Accountability Act (HIPAA). A CHP is defined as a health plan that controls its own business activities, actions, or policies, or a health plan controlled by an entity that is not a health plan which exercises sufficient control over subhealth plans (SHPs). CHPs, including the Business Associates conducting transactions on their behalf, will be required to demonstrate compliance with standards and operating rules related to three electronic transactions: (i) eligibility for a health plan; (ii) health care claim status; and (iii) health care electronic funds transfers (EFT) and electronic remittance advice (ERA). The required documentation of compliance would establish that a CHP has completed certain internal and external testing of its electronic transaction capabilities according to pre-approved processes.

This proposed rule is part of a larger set of HIPAA rulemaking aimed at facilitating the use of electronic transactions by creating uniformity in data exchange and reducing reliance on paper and manual processes to transmit data. HHS noted that the healthcare industry has experienced difficulty implementing the HIPAA standards and operating rules due to lack of a consistent testing process. This proposed rule is intended to serve as an initial step toward the development of a consistent testing process that will enable entities to better achieve and demonstrate compliance with HIPAA standards and operating rules. The requirements for certification of compliance were originally set forth under Section 1104 of the Affordable Care Act, which modified the Social Security Act. This proposed rule implements a portion of those modifications, including establishing penalty fees for a CHP that fails to comply with the certification requirements.

HHS proposes that a CHP that received a health plan identifier before January 1, 2015 would be required to submit its first certification of compliance by December 31, 2015. A CHP that received a health plan identifier on or after January 1, 2015 would be required to submit its documentation within a year of receiving the health plan identifier. Comments on the proposed rule are due no later than March 3, 2014.

Submission Requirements

Under the proposed rule, a CHP would be required to submit information and documentation demonstrating that it is compliant with certain standards and operating rules required for electronic transactions under HIPAA. As explained in more depth below, HHS has proposed that a CHP would be responsible for submitting:

  • Information regarding the number of covered lives of the CHP; and
  • Documentation demonstrating that the CHP has obtained from the Council for Affordable Quality Healthcare’s (CAQH) Committee on Operating Rules for Information Exchange (CORE) either:
    • A Certification Seal for Phase III CAQH CORE EFT & ERA Operating Rules (Phase III CORE Seal); or
    • A HIPAA Credential for health plan eligibility, health claim status, as well as EFT and ERA operating rules (HIPAA Credential).

CAQH CORE is a nonprofit alliance of industry stakeholders, including health plans and trade associations, which works to improve the transmission of electronic data by building consensus on operating rules. HHS is relying on CORE designations for this certification of compliance process.

The proposed rule does not currently specify the format for the submission requirements. For example, HHS may require an electronic version or copy of the CORE Seal or HIPAA Credential to be submitted online, or it may ask for a tracking number. A CHP would also be responsible for meeting submission requirements for any SHPs. Furthermore, the proposed rule is not intended to place any new requirements on health plans, including group health plans, with regard to Business Associates that are conducting transactions on their behalf and who, along with any agent or subcontractor, are required by the group health plan to comply the requirements of part 162. We expect further guidance on what, if any, submission requirements will be imposed on group health plans under the rule.

Number of Covered Lives

As noted above, a CHP must submit information regarding the number of covered lives of the CHP. HHS has proposed that the term “covered lives of a CHP” would be defined as individuals covered by or enrolled in major medical policies of the CHP itself, as well as the SHPs of the CHP, if any, as of the submission date. “Major medical policy” would be defined to mean an insurance policy that covers accident and sickness and provides outpatient, hospital, medical and surgical expense coverage. HHS further specified that “individuals,” as described in major medical policy terms, may include but are not limited to: individuals, spouses, dependents, employees, subscribers, policyholders, Medicaid recipients, Medicare beneficiaries, TRICARE beneficiaries, veterans, and survivors.

Phase III CORE Seal

CHPs may opt to fulfill the certification of compliance requirements by applying for and receiving the Phase III CORE Seal. There are four steps to obtaining a CORE Seal from CAQH CORE. First, the entity must undertake a gap analysis in order to determine what system and business process changes may be necessary to ensure data and information systems are remediated to address any gaps between existing system requirements and CORE Operating Rule requirements. Second, the entity must sign and submit a binding CORE Certification Pledge to adopt, implement, and comply with the CAQH CORE Operating Rules and complete required testing within 180 days. Third, the entity must conduct testing through a CORE-authorized testing vendor using approved testing materials from CAQH CORE. Fourth, if the entity successfully completes the certification testing, it must submit an application package and fee to CAQH CORE. Importantly, a health plan must be awarded Phase I and II CORE Seals, which apply to operating rule sets for health plan eligibility and health care claim status transactions, before applying for a Phase III CORE Seal. An entity can also apply for all three phases concurrently.

HIPAA Credential

Alternatively, CHPs may opt to fulfill the certification of compliance requirements by applying for and receiving the HIPAA Credential. CAQH CORE is currently developing the HIPAA Credential process, which HHS expects to be completed prior to the time the proposed rule is finalized. The HIPAA Credential will demonstrate that a CHP has attested to compliance with HIPAA standards and operating rules for health plan eligibility, health care claim status, and EFT and ERA transactions, and that the CHP has conducted a certain level of testing. HHS anticipates that the process would include a CHP’s having to submit to CAQH CORE: (i) the CAQH CORE HIPAA Attestation Form, (ii) an application verifying that all forms have been submitted to CAQH CORE and indicating that HHS may view the application and associated forms, and (iii) an attestation form in which the CHP confirms that it has successfully tested the operating rules for health plan eligibility, health care claim status, and EFT and ERA transactions with trading partners. For each of these three transactions, the CHP must confirm that the number of transactions conducted with those trading partners collectively accounts for at least 30 percent of the total number of transactions conducted with providers and that it has successfully tested with at least three trading partners. Note that, unlike the Phase III Core Seal, the HIPAA Credential would not have a requirement for certification testing by a third-party testing vendor.

Penalty Fees

In accordance with the Affordable Care Act modifications, the proposed rule would also establish penalty fees for a CHP that fails to comply with the certification requirements. CHPs could be penalized for a late submission of documentation to HHS, as well as for knowingly providing inaccurate or incomplete information. The amount of the penalty would be based on the CHP’s number of covered lives as reported. If the CHP does not properly demonstrate receipt of a Phase III CORE Seal or a HIPAA Credential by the deadline, the entity would be fined $1 per covered life per day until the requirements have been met, and as limited by a cap of $20 per covered life. The same maximum penalty cap would apply in instances where a CHP fails to ever provide the required documentation. In cases in which the CHP knowingly, or with deliberate ignorance or reckless disregard, provided inaccurate or incomplete information, the entity would be assessed a fee of $40 per covered life.

Under the proposed rule, the Secretary of HHS would provide a Notice of Penalty Fee to the CHP specifying the penalty fee amount, the basis for the penalty fee, a description of the findings of fact regarding the violations, and the reasons why the violations subject the CHP to a penalty fee. The CHP would then have 30 days to assert a defense. Only the following three defenses would be considered: (i) the CHP is not subject to the requirements; (ii) the CHP’s failure to meet the requirements was attributable to a ministerial and non-substantive error; and (iii) the failure to meet the requirements was beyond the control of the CHP, to be applied narrowly. Upon receiving the notice of determination, a CHP would have 90 days to request a hearing before an administrative law judge or else forgo its right to a hearing.

We continue to monitor developments with respect to HIPAA and related regulations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising

Written by:

Ropes & Gray LLP

Ropes & Gray LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.