
Must a Health Plan Certify Compliance With HIPAA’s Electronic Transaction Standards?


· 5 minute read



QUESTION: We sponsor a self-insured major medical plan for our employees. We understand that the Affordable Care Act added a requirement for health plans to certify compliance with HIPAA’s transaction standards. What is the status of this requirement?

ANSWER: Although the Affordable Care Act (ACA) added a requirement for health plans to file statements with HHS certifying that their data and information systems comply with any applicable HIPAA standards and operating rules, that requirement is not currently being enforced.

The ACA gave HHS substantial discretion to determine how the requirement would be implemented. In January 2014, HHS issued proposed regulations regarding the certification requirements for three covered transactions: eligibility for a health plan; health claim status; and health care electronic funds transfers and remittance advice (see our Checkpoint article). The proposed regulations targeted a December 31, 2015 submission deadline for large plans (those with at least $5 million in annual receipts). However, the proposed regulations were never finalized, and, in October 2017, HHS withdrew them—including the penalty provisions—before they could take effect (see our Checkpoint article).

Without instructions from HHS, plans have no way to comply with the statutory certification requirement (and there is no penalty for failing to certify). In its withdrawal notice, HHS emphasized that withdrawal of the proposed regulations does not remove the requirement for covered entities to comply with HIPAA’s standards and operating rules for electronic transactions. HHS also noted that it would continue to explore options and alternatives to implement the statutory requirement for health plans to certify compliance.

Until further guidance is issued, your plan—directly or through its business associates—should continue to comply with HIPAA’s standards for electronic transactions, even though a certification statement is not required. You should also keep an eye out for future HHS guidance on this topic.

For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXXII.C (“What Do the EDI Standards Require?”). See also EBIA’s Health Care Reform manual at Section XXXII.D (“Health Plan Certification and Documentation of Compliance”) and EBIA’s Self-Insured Health Plans manual at Section XXXI.F (“EDI Standards”).

Contributing Editors: EBIA Staff.
