ACA Section 1104 Mandate for Federal Operating Rules

I. Overview: ACA Section 1104 Provisions for Federal Operating Rules

The FAQs in this section have been developed to provide clarification on the Patient Protection and Affordable Care Act (ACA) Section 1104 Administrative Simplification provisions requiring the Secretary of Health and Human Services (HHS) to adopt operating rules for the HIPAA-mandated transaction standards.

Please Note: The Centers for Medicare & Medicaid Services (CMS) is the HHS designated authority on any decisions regarding interpretation, implementation, and enforcement of the regulations adopting the HIPAA and ACA Administrative Simplification standards and provisions. Within CMS, the National Standards Group (NSG), formerly the Office of E-Health Standards and Services (OESS), enforces the regulations addressing the HIPAA and ACA-mandated transactions, national identifiers, operating rules, health plan certification, and additional standards. More detailed information on the provisions, as well as compliance and enforcement requirements, is available on the CMS website and via the CMS FAQs.

1. For what standard transactions does ACA Section 1104 require the HHS Secretary to adopt operating rules?

ACA Section 1104 requires the HHS Secretary to adopt and regularly update three sets of operating rules for the HIPAA-mandated healthcare administrative transactions:

  • The first set of Federal operating rules addresses the eligibility and claims status transactions; the compliance date for these operating rules was January 1, 2013.
  • The second set of Federal operating rules addresses the healthcare Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA) transactions; the compliance date for these operating rules was January 1, 2014.
  • The third set of Federal operating rules addresses the health claims or equivalent encounter information, health plan enrollment/disenrollment, health plan premium payments, referral certification and authorization, and health claims attachments transactions. The compliance date for these operating rules is January 1, 2016.[1]
 

[1] NOTE: HHS has not yet published any regulations on the third set of ACA-mandated Federal operating rules. It is expected that such regulations will include an Interim Final Rule and public comment period. As such, it is anticipated that the January 1, 2016 compliance date will be adjusted.

    2. What operating rules have been adopted by HHS to fulfill the ACA Section 1104 mandate?

    First Set of ACA Section 1104 Mandated Operating Rules: In December 2011, HHS adopted the Phase I & Phase II CAQH CORE Eligibility & Claim Status Operating Rules to fulfill the ACA Section 1104 Federal mandate, with the exception of rule requirements pertaining to use of Acknowledgements.

    Second Set of ACA Section 1104 Mandated Operating Rules: In August 2012, HHS issued an Interim Final Rule adopting the CAQH CORE EFT & ERA Operating Rules to fulfill the ACA Section 1104 mandate, with the exception of rule requirements pertaining to use of Acknowledgements. On April 19, 2013, HHS issued an industry notice that the IFR is a Final Rule now in effect.

    Third Set of ACA Section 1104 Mandated Operating Rules: Regulations on the ACA-mandated third set have not yet been published. On September 12, 2012, HHS issued a letter concurring with the NCVHS recommendation to designate CAQH CORE as the authoring entity for the remaining ACA-mandated operating rules. From December 2013 - September 2015, the CAQH CORE Participants used the open CAQH CORE rule-making process to produce a set of operating rules for the following transactions: health claims or equivalent encounter information, health plan enrollment/disenrollment, health plan premium payments, and referral certification and authorization. The complete set of Phase IV CAQH CORE Operating Rules was approved per the formal CAQH CORE voting process in September 2015.

    NOTE:

    • The Phase IV CAQH CORE Operating Rules have not been adopted by HHS for mandatory use by HIPAA-covered entities. HHS will determine if the Phase IV CAQH CORE Operating Rules will be included in any regulatory mandates. Any such considerations will include an HHS public comment period.
    • The Phase IV CAQH CORE Operating Rules do not include operating rules addressing the health claims attachment as HHS has not yet adopted a standard for health claims attachments or indicated what standard(s) it might consider for the transaction.

    3. What entities are required to comply with the ACA-mandated operating rules?

    As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated standards and applicable operating rules by their compliance dates. The CMS website provides charts to help organizations determine whether an organization or individual is a HIPAA-covered entity.

    NOTE: ACA Section 1104 also mandates a certification process for health plans only to demonstrate compliance with the ACA-mandated operating rules. For information on the ACA-mandated health plan certification, see the CAQH CORE FAQs Part G.

    4. Are product vendors required to comply with the ACA-mandated operating rules?

    ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated operating rules. The CMS website provides charts to help organizations determine whether an organization or individual is a HIPAA-covered entity. CAQH CORE is not authorized to make this determination for entities.

    A vendor’s customers are likely HIPAA-covered entities that must be compliant with the ACA-mandated rules. If a vendor’s product(s) or services support the use of the HIPAA transaction standards addressed by the operating rules, its customers rely on the vendor to offer product(s) or services that enable them to be compliant. In many cases, a Business Associate relationship exists.

    NOTE: ACA Section 1104 also mandates a certification process for health plans only. ACA Section 1104 specifies that, as part of the health plan certification, “a health plan shall be required to ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance).” For information on the ACA-mandated health plan certification and provider, vendor support role or Business Associate role, see the CAQH CORE FAQs Part G.

    5. Is CAQH CORE the authoring entity for the first set of ACA-mandated operating rules adopted by HHS?

    Yes. In December 2011, HHS adopted the Phase I & Phase II CAQH CORE Eligibility & Claim Status Operating Rules to fulfill the ACA Section 1104 Federal mandate, with the exception of rule requirements pertaining to use of Acknowledgements.

    6. Is CAQH CORE the authoring entity for the second set of ACA-mandated operating rules adopted by HHS?

    Yes. In August 2012, HHS issued an Interim Final Rule adopting the CAQH CORE EFT & ERA Operating Rules to fulfill the ACA Section 1104 mandate, with the exception of rule requirements pertaining to use of Acknowledgements. On April 19, 2013, HHS issued an industry notice that the IFR is a Final Rule now in effect.

    7. Is CAQH CORE the authoring entity for the third set of ACA-mandated operating rules?

    On September 12, 2012, HHS issued a letter concurring with the NCVHS recommendation to designate CAQH CORE as the authoring entity for the remaining ACA-mandated operating rules. From December 2013 – September 2015, the CAQH CORE Participating Organizations used the open CAQH CORE rules-making process to produce a set of operating rules for consideration to fulfill the ACA Section 1104 third set. The Phase IV CAQH CORE Operating Rules address the following transactions: health claims or equivalent encounter information, health plan enrollment/disenrollment, health plan premium payments and referral certification and authorization. The complete set of Phase IV CAQH CORE Operating Rules was approved per the formal CAQH CORE voting process in September 2015.

    NOTE:

    • The Phase IV CAQH CORE Operating Rules have not been adopted by HHS for mandatory use by HIPAA-covered entities. HHS will determine if the Phase IV Operating Rules will be included in any regulatory mandates. Any such considerations will include an HHS public comment period.
    • The Phase IV CAQH CORE Operating Rules do not include operating rules addressing the health claims attachment as HHS has not yet adopted a standard for health claims attachments or indicated what standard(s) it might consider for the transaction.

    8. How do I determine if my organization is Federally required to comply with the ACA-mandated operating rules?

    As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated CAQH CORE Operating Rules (Phase I & Phase II Eligibility & Claim Status Operating Rules and Phase III CAQH CORE EFT & ERA Operating Rules).

    CAQH CORE is not authorized to determine if an organization or individual is a HIPAA-covered entity or a Business Associate. CMS provides charts to help organizations determine if they are a HIPAA-covered entity. The Department of Health and Human Services (HHS) also provides FAQs on whether an organization constitutes a covered entity or Business Associate. Because CMS is the regulator, additional questions regarding HIPAA and ACA compliance should be directed to the CMS National Standards Group (NSG), formerly the Office of E-Health Standards and Services (OESS).

    9. As a HIPAA-covered entity, does HHS require my organization to demonstrate compliance with the ACA-mandated operating rules?

    As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated CAQH CORE Operating Rules (Phase I & Phase II Eligibility & Claim Status Operating Rules and Phase III CAQH CORE EFT & ERA Operating Rules).

    Demonstration of Compliance Requirements: All HIPAA-covered Entities

    The Secretary of HHS delegated to the CMS Administrator the authority to investigate complaints of noncompliance with the HIPAA and ACA Administrative Simplification provisions. Within CMS, the National Standards Group (NSG), formerly the Office of E-Health Standards and Services (OESS), enforces the HIPAA regulations addressing Transactions and Code Sets and National Identifiers (Employer, Provider, and Health Plan identifiers) and the ACA requirements for operating rules, health plan certification, and additional standards (see CMS FAQ#1793).

    The CMS Enforcement website specifies:

    The current HIPAA Transaction and Code Sets (TCS) and ACA operating rules enforcement process is primarily complaint-driven. To date, the CMS enforcement strategy has been to provide technical assistance and seek the cooperation of all parties to the complaint, to help achieve compliance. With the implementation of Version 5010 and D.0 and the requirements of both the American Recovery and Reinvestment Act, and the Patient Protection and Affordable Care Act, we recognized the need for an enhanced enforcement process whereby CMS would proactively address HIPAA/ACA Transactions and Code Sets, Unique Identifiers, Operating Rule and Health Plan Certification compliance issues through a compliance audit process. Information on the CMS compliance audit process and potential non-compliance penalties is in development and will be forthcoming.

    Additional Demonstration of Compliance Requirements: HIPAA-covered Health Plans

    In addition to general HIPAA compliance, ACA Section 1104 requires health plans to certify with HHS that their data and information systems are in compliance with HIPAA-mandated transaction standards and associated operating rules. NOTE: The ACA-mandated health plan certification applies to health plans only.

    For more information on the ACA-mandated HHS Health Plan Certification, please see the CAQH CORE FAQs Part G.

    10. Can penalties be assessed against HIPAA-covered entities that fail to comply with the ACA-mandated operating rules?

    Yes. As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated CAQH CORE Operating Rules (Phase I & Phase II Eligibility & Claim Status Operating Rules and Phase III CAQH CORE EFT & ERA Operating Rules).

    All HIPAA-covered Entities

    The penalties to be assessed for HIPAA non-compliance were formalized in the original HIPAA legislation and updated by the HITECH rules in 2009. Due to HITECH, the penalties for HIPAA non-compliance enforced by the CMS National Standards Group (NSG), formerly the Office of E-Health Standards and Services (OESS), have increased, now up to $1.5 million per entity per year for all violations of an identical provision. More information on the operating rules compliance and enforcement requirements is available on the CMS website.

    Additional Penalties: HIPAA-covered Health Plans

    In addition to general HIPAA compliance, ACA Section 1104 requires health plans to certify with HHS that their data and information systems are in compliance with HIPAA-mandated transaction standards and associated operating rules. NOTE: The ACA-mandated health plan certification applies to health plans only.

    ACA Section 1104 also directs the HHS Secretary to assess penalties against health plans that fail to complete the ACA-mandated HHS Health Plan Certification. Per ACA Subsection 1104(b)(2):

    • The penalty fee will be $1 per covered life until certification is complete. The penalty shall be assessed per person covered by the plan for which its data systems for major medical policies are not in compliance and shall be imposed against the health plan for each day that the plan is not in compliance.
    • A health plan that knowingly provides inaccurate or incomplete information in a statement of certification or documentation of compliance shall be subject to a penalty fee that is double the amount that would otherwise be imposed.
    • The amount of the penalty fee imposed shall be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the HHS Secretary.
    • A penalty fee assessed against a health plan shall not exceed, on an annual basis, either: 1) $20 per covered life under such plan OR 2) $40 per covered life under the plan if such plan has knowingly provided inaccurate or incomplete information.

    For more information on the ACA-mandated health plan certification see the CAQH CORE FAQs Part F.

    11. Are dental plans required to comply with the ACA-mandated operating rules?

    ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated operating rules. The CMS website provides charts to help organizations determine whether an organization or individual is a HIPAA-covered entity. CAQH CORE is not authorized to make this determination for entities, although dental plans are typically considered HIPAA-covered health plans.

    NOTE: ACA Section 1104 also mandates a certification process for health plans only. For information on the ACA-mandated health plan certification and provider vendor support role or Business Associate role, see the CAQH CORE FAQs Part G.

    12. My organization is a Third Party Administrator (TPA). Are we required to comply with the ACA-mandated CAQH CORE Operating Rules?

    As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated standards and applicable operating rules by their compliance dates. Business associates of a health plan or other HIPAA-covered entity will need to work with their clients to ensure HIPAA compliance support.

    As a TPA, you will need to determine if your organization is a HIPAA-covered entity or a business associate:

    • If your organization is a business associate, you will need to speak with your health plan clients to determine compliance requirements or assistance applicable to your organization based on your individual business agreements.
    • If your organization is a HIPAA-covered entity, the compliance requirements for the HIPAA standard transactions and applicable operating rules apply to the transactions for which your organization provides services.

    CAQH CORE is not authorized to determine if an entity is a HIPAA-covered entity or a business associate. CMS provides tools to help determine if an organization or individual is a HIPAA-covered entity. Additionally, the HHS website has published a set of FAQs that provide guidance on determining if an organization is a HIPAA-covered entity. You may also find it useful to review the January 2013 HHS HIPAA Privacy and Security omnibus final rule, which includes a revised definition of “business associates” and their status as HIPAA-covered entities.

    Please Note: CMS is the HHS delegated authority on any decisions regarding interpretation, implementation, and enforcement of the regulations adopting the HIPAA and ACA Administrative Simplification standards and provisions. Within CMS, the National Standards Group (NSG) enforces the regulations addressing the HIPAA and ACA-mandated transactions, national identifiers, operating rules, health plan certification, and additional standards. More detailed information on the provisions, as well as compliance and enforcement requirements, is available on the CMS website and via the CMS FAQs.

    13. My organization is a provider. We currently have a HIPAA-covered health plan trading partner that is not compliant with the ACA-mandated CAQH CORE Operating Rules. How can we file a complaint of HIPAA-noncompliance against this health plan?

    Under the HIPAA Administrative Simplification provisions, health plans are “required to have the capacity to accept and/or send (either itself, or by hiring a health care clearinghouse to accept and/or send on its behalf) a standard transaction that it otherwise conducts but does not currently support electronically” (see CMS FAQ #8121). This requirement applies to all HIPAA-mandated transaction standards. Additionally, when using the HIPAA-mandated transaction standards, all HIPAA-covered entities must comply with any associated ACA-mandated operating rules. Please Note: CAQH CORE is not authorized to determine if an entity is a HIPAA-covered entity. CMS provides tools to help determine if an organization or individual is a HIPAA-covered entity.

    The Secretary of HHS delegated to the CMS Administrator the authority to investigate complaints of noncompliance with the HIPAA and ACA Administrative Simplification provisions. Within CMS, the National Standards Group (NSG) enforces the regulations addressing the HIPAA and ACA-mandated transactions, national identifiers, operating rules, health plan certification, and additional standards. The Administrative Simplification Enforcement and Training Tool (ASETT) is a web-based application, maintained by CMS, which enables individuals or organizations to file a HIPAA complaint against a health care provider, health plan, or clearinghouse covered entity for potential non-compliance with the HIPAA Administrative Simplification provisions. Anyone may use ASETT to file a HIPAA complaint related to Transactions and Code Sets and Unique Identifiers. Additional guidance on the HIPAA and ACA compliance enforcement procedures, including the process for filing a complaint of non-compliance with CMS NSG, is available on the CMS website.