HHS: Guidance Letter 2022-04—Health plans’ payment of health care claims using Virtual Credit Cards (VCCs) and adopted Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards for Health Care Electronic Funds Transfers (EFT) and Electronic Remittance Advice (ERA) transactions; 45 Code of Federal Regulations (CFR) §§ 162.1601 and 162.1602(d) FAQs (July 14, 2022)
HHS’s National Standards Group (NSG) has released FAQs to elaborate on issues discussed in Guidance Letter 2022-04, issued in March 2022, which addressed the HIPAA standards for health care electronic funds transfers (EFT) and electronic remittance advice (ERA) transactions between health plans and health care providers (see our Checkpoint article). As background, NSG administers HHS’s compliance review program to ensure that covered entities adhere to the HIPAA administrative simplification rules for electronic health care transactions. NSG’s guidance letters are not legally binding but explain NSG’s interpretations of HIPAA’s administrative simplification provisions. NSG’s FAQs provide brief operational or technical information.
Consistent with the guidance letter, the FAQs reiterate that health plans cannot compel health care providers to accept virtual credit card payments for services and must comply with a provider’s request to use adopted standards for EFT payments through the automated clearing house (ACH) network or for ERA transactions. The FAQs also emphasize that a provider need not be part of a health plan’s network, or otherwise affiliated with a health plan, to receive EFT and ERA transactions using the adopted standards. As noted in the guidance letter, HIPAA does not provide exceptions to the requirement that health plans conduct a transaction as a standard transaction when requested by a provider. However, a provider must enroll to conduct EFT and ERA transactions with each health plan that the provider bills. NSG cautions that the guidance letter does not speak to whether charging fees to conduct standard transactions, in and of itself, violates the HIPAA requirements—the question is whether the health plan’s actions “adversely affect” a standard transaction. Moreover, although health plans must adhere to the transaction standards in response to provider requests, plans need not agree to a provider’s request to send payments through other means (e.g., via paper check). Also, a health plan is not prohibited from offering to process an ERA transaction in a nonstandard format on the provider’s behalf, but the provider may reject that offer and request delivery in the standard format. The FAQs explain that providers may use the ASETT application to file complaints against health plans that fail to comply with a request to send EFT and ERA transactions using the adopted standards.
EBIA Comment: Although NSG has an enforcement focus, the FAQs note that NSG is not authorized to reimburse providers for costs they incur due to a health plan’s noncompliance with HIPAA requirements. Rather, any civil monetary penalty is deposited with the United States Treasury. This is another area of contrast with enforcement of the privacy, security, and breach notification provisions, which require HHS to establish a methodology to distribute a percentage of civil monetary penalties or settlement amounts to individuals harmed by noncompliance (see our Checkpoint article). Covered entities and business associates interested in avoiding the cost and inconvenience of enforcement actions should review the FAQs and associated resources, including fact sheets (see our Checkpoint article). For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”) and XXXII (“Electronic Transactions and Code Sets”).
Contributing Editors: EBIA Staff.