QUESTION: We sponsor a self-insured health plan for our employees. A TPA handles day-to-day administration of the plan, including processing claims and making payments to health care providers. We understand that HIPAA establishes standards for electronic health care transactions. If the TPA fails to comply with those standards, is the plan potentially liable under HIPAA?
ANSWER: Most self-insured health plans contract with a TPA to handle plan administrative tasks, including claims processing and payment. These and other specified financial and administrative activities are known as “health care transactions” under HIPAA, and they must be conducted in accordance with detailed technical standards and operating rules. Even if a health plan delegates performance of health care transactions to third parties, the health plan remains ultimately responsible for compliance with the HIPAA electronic transaction standards and operating rules. Typical health care transactions a TPA may perform on a health plan’s behalf include making or responding to requests for information about eligibility and coverage (e.g., from a provider to a health plan, or from one health plan to another); responding to claim status inquiries from providers; processing providers’ requests for payment from the plan; and making payments from the plan to providers, including electronic funds transfers.
When performing HIPAA-covered health care transactions on behalf of a health plan, the TPA is considered a HIPAA business associate. Health plans, as HIPAA covered entities, must contractually require their business associates to comply with the electronic transaction standards and operating rules. However, business associates do not have direct liability for noncompliance with these standards and rules, and engaging a business associate does not relieve a covered entity from its own obligation to fully comply with them. Thus, if your TPA fails to comply, HHS may seek recourse against your health plan for the TPA’s noncompliance.
Moreover, according to HHS’s National Standards Group, a business associate’s noncompliance with an electronic transaction standard could be used as evidence of a covered entity’s failure to require the business associate to comply, even if the contract between the covered entity and the business associate obligates the business associate to comply with all applicable requirements. Accordingly, even with a business associate contract in place between your health plan and the TPA, it is important to monitor your TPA’s compliance.
Note that different liability rules for business associates apply under HIPAA’s privacy and security standards. Consistent with the HITECH Act, business associates are directly liable for compliance with the security standards and some of the privacy standards (see our Checkpoint article) but not the electronic transaction standards. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV (“Business Associate Contracts”) and XXXII (“Electronic Transactions and Code Sets”).
Contributing Editors: EBIA Staff.