HHS HIPAA Compliance

ACA Section 1104 Mandated Certification Process

Section 1104 of the ACA requires HIPAA-covered health plans to file a statement with HHS certifying that their data and information systems comply with certain HIPAA-mandated transaction standards and associated operating rules. The intent of the ACA-mandated health plan certification is to move the health care industry toward a consistent testing framework that supports a more seamless transition to new and modified standards and operating rules for administrative transactions. The goal of these transactions is to reduce the clerical burden on patients, health care providers, and health plans.

HHS Activity

January 2, 2014: HHS published the Notice of Proposed Rule Making (NPRM), "Administrative Simplification: Certification of Compliance for Health Plans" (CMS-0037-P), in the Federal Register. The NPRM proposes that controlling health plans (CHPs) certify to HHS their demonstrated compliance with the HIPAA-mandated standards and operating rules for the following transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The NPRM proposes two options for health plans to meet the documentation-of-compliance requirements:

  • Option 1: Obtain a HIPAA Credential; OR
  • Option 2: Obtain a Phase III CORE Certification Seal

October 2017: HHS withdrew the NPRM requiring health plans to certify compliance with HIPAA-mandated standards and operating rules.

  • CAQH CORE will not move forward with finalizing the Draft HIPAA Credential Forms, but will continue to offer its CORE Certification Program to the industry as a means for organizations to demonstrate that their systems conform with mandated operating rules and provide value to the industry.

Although the proposed certification requirements were withdrawn by HHS, HIPAA-covered entities and business associates are still mandated to adopt the Phase I-III CAQH CORE Operating Rules, with the exception of rule requirements pertaining to acknowledgments. To enforce industry compliance, CMS has been given authority, on behalf of HHS, to investigate complaints and audit for compliance with HIPAA standards related to transactions, code sets, and operating rules. CMS has reported that it investigated 38 instances of non-compliance between January and August 2017 and continues to review complaints submitted through its ASETT tool. Penalties for failing to comply with HIPAA-mandated transactions and operating rules can reach up to $1.5 million per calendar year.

CAQH Program: