As published in The Self-Insurer,
Enacted in 1996, the original HIPAA administrative simplification statute required the adoption of a standardized system for identifying employers, health care providers, health plans, and individuals. The intent was to have the same identifier on a national basis so that all electronic transmissions of health information would be uniform. More than a decade later, Section 1104(c)(1) of the Patient Protection and Affordable Care Act (PPACA) mandated that the Secretary issue rules adopting the health plan identifier (HPID). The Office of E-Health Standards and Services (OESS) developed the final rule and the Department of Health and Human Services (HHS) published final regulations on September 5th, 2012, which require that all health plans, fully-insured health plans and self-insured health plans, that are subject to HIPAA, obtain a HPID.
Some important dates to remember! For self-insured health plans, the Plan Sponsor or Plan Administrator must apply for and obtain the HPID. Fully-insured and self-insured health plans have until November 5th of 2014 to obtain a HPID – which is right around the corner!! Small health plans, which have been identified as plans with annual receipts of $5 million or less, have until November 5th of 2015 to obtain a HPID. At this point, ‘annual receipts’ is understood to be receipts of paid claims prior to stop loss reimbursements and exclusive of administrative fees and stop loss premiums.
As of November 7th of 2016, all health plans and other covered entities submitting electronic ‘standard transactions’ under HIPAA must begin using their unique identifier. The purpose of requiring standard unique identifiers is to increase the efficiency and accuracy of the standard transactions. Currently, the industry has varying identifiers and going forward the HPID will be a standardized unique 10-digit identifier for each health plan, all utilizing the same format.
During the comment period following the proposed regulations, numerous comments suggested that self-insured group health plans should not be required to obtain a HPID since most self-insured plans do not engage in the submission of HIPAA transactions themselves. HHS responded by stating, inter alia, “we believe it is important that the requirement to obtain an HPID extend to any entity that meets the definition of CHP. Therefore, we require self- insured group health plans to obtain an HPID to the extent they meet the definition of CHP.” Furthermore, the preamble to the final regulations acknowledged that “very few self- insured group health plans conduct standard transactions themselves; rather, they typically contract with third-party administrators (TPAs) or insurance issuers to administer the plans. Therefore, there will be significantly fewer health plans that use HPIDs in standard transactions than health plans that are required to obtain HPIDs…”
It is anticipated that TPAs and other entities will each have their own HPID which they will use in administering standard transactions for their health plans clients. These non-health plan entities may also need to be identified in HIPAA standard transactions as the entities often perform functions on behalf of health plans and may be identified currently in standard transactions in the same fields as health plans. These entities will be permitted, but not required, to obtain a unique Other Entity Identification Number (OEID) for use in standard transaction, and entities that are required to obtain an HPID are not eligible for an OEID.
It is important to note that the final regulations do not impose any new requirements for when to identify a health plan that has an HPID in standard transactions. It merely requires the use of the HPID where the health plan is identified. The two basic HPID requirements are:
- The health plans must obtain an HPID even if the TPA is conducting the transaction standards on behalf of the health plan.
- When health plans are named in standard transactions, they must use their HPID in the HIPAA transactions.
Although all self-insured health plans are required to obtain HPIDs, there is an important distinction between a “controlling health plans” (CHPs) and “sub-health plans” (SHPs). CHPs are health plans that control their own business activities, actions or policies; or are controlled by entities that are not health plans (i.e. self-insured plan controlled by Plan Sponsor/Plan Administrator). SHPs are health plans whose business activities, actions, or policies are directed by a CHP. SHPs are eligible but not required to obtain a HPID.
So where do we begin? Entities should apply for their unique identifier through the Health Plan and Other Entity Enumeration System (HPOES) within the Health Insurance Oversight System (HIOS), which can be accessed through the CMS Enterprise Portal. The online application to obtain the HPIDs is managed by CMS and is anticipated to take 20-30 minutes to complete the entire process.
Unfortunately, some entities have expended resources obtaining HPIDs that were not issued through the HPOES. However, the final rule requires that HPIDs only be obtained from the HPOES to ensure that HHS oversees the issuance of these unique identifiers. HHS fears that grandfathering in any identifier that was not obtained through the HPOES would simply cause more confusion.
The required data to apply for an HPID is limited to: 1) company name, employer identification number (EIN) and domiciliary address; 2) name, title, phone number and e-mail address of authorizing official (which must be a senior officer or executive); and 3) National Association of Insurance Commission (NAIC) number (for fully-insured health plans) or ‘payer ID’ used in standard transactions. The same information is required for an OEID with the addition of the entity’s business classification.
In theory, the adoption of the HPIDs and the OEIDs will increase standardization within HIPAA standard transactions and provide a platform for other regulatory and industry initiatives.
However, for some it is yet another administrative expense and burden. According to the final regulations, providers will likely yield the most benefit from standardizing the identification process while health plans will bear most of the cost.
So what’s next in the ‘administrative simplification’ process?
In January of this year HHS published a proposed rule, the Certification Rule, to implement the PPACA requirement that health plans “certify” compliance with the rules for the HIPAA standard transactions. Health plans will be required to certify compliance with the rules for eligibility, claim status, electronic funds transfers and electronic remittance advice.
Health plans will certify compliance by obtaining one of two credentials from the Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange (CAGQ CORE). In anticipation of a final rule, health plans should access their IT systems and begin identifying gaps in compliance and their ability to obtain the appropriate credentials.
This article is intended for general informational purposes only. It is not intended as professional counsel and should not be used as such. This article is a high-level overview of regulations applicable to certain health plans. Please seek appropriate legal and/or professional counsel to obtain specific advice with respect to the subject matter contained herein.