Frequently Asked Questions - I. Overview: ACA Section 1104 Provisions for Federal Operating Rules

As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated standards and applicable operating rules by their compliance dates. The CMS website provides charts to help organizations determine whether an organization or individual is a HIPAA-covered entity.

NOTE: ACA Section 1104 also mandates a certification process for health plans only to demonstrate compliance with the ACA-mandated operating rules. 

ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated operating rules. The CMS website provides charts to help organizations determine whether an organization or individual is a HIPAA-covered entity. CAQH CORE is not authorized to make this determination for entities.

A vendor’s customers are likely HIPAA-covered entities that must be compliant with the ACA-mandated rules. If vendor’s product(s) or services support the use of the HIPAA transaction standards addressed by the operating rules, its customers are reliant upon the vendor to offer to them product(s) or services that enable them to be compliant. In many cases, a Business Associate relationship exists.

NOTE: ACA Section 1104 also mandates a certification process for health plans only. ACA Section 1104 specifies that, as part of the health plan certification, “a health plan shall be required to ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance).” 

Yes. In December 2011, HHS adopted the CAQH CORE Eligibility & Benefits and Claim Status Operating Rules to fulfill the ACA Section 1104 Federal mandate, with the exception of rule requirements pertaining to use of Acknowledgements.

Yes. In August 2012, HHS issued an Interim Final Rule adopting the CAQH CORE Payment & Remittance Operating Rules to fulfill the ACA Section 1104 mandate, with the exception of rule requirements pertaining to use of Acknowledgements. On April 19, 2013, HHS issued an industry notice that the IFR is a Final Rule now in effect.

On September 12, 2012, HHS issued a letter concurring with the NCVHS recommendation to designate CAQH CORE as the authoring entity for the remaining ACA-mandated operating rules. From December 2013 – September 2015, the CAQH CORE Participating Organizations used the open CAQH CORE rules-making process to produce a set of operating rules for consideration to fulfill the ACA Section 1104 third set. These CAQH CORE Operating Rules address the following transactions: Prior Authorization & Referrals, Health Care Claims, Benefit Enrollment and Premium Payment.

NOTE:

• These CAQH CORE Operating Rules have not been adopted by HHS for mandatory use by HIPAA-covered entities. HHS will determine if they will be included in any regulatory mandates. Any such considerations will include an HHS public comment period.

As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated CAQH CORE Operating Rules for Eligibility & Benefits, Claim Status and Payment & Remittance.

CAQH CORE is not authorized to determine if an organization or individual is a HIPAA-covered entity or a Business Associate. CMS provides charts to help organizations determine if they are a HIPAA-covered entity. The Department of Health and Human Services (HHS) also provides FAQs on whether an organization constitutes a covered entity or Business Associate. As the regulator, additional questions regarding HIPAA and ACA compliance should be directed to the CMS Division of National Standards (DNS).

As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated CAQH CORE Operating Rules for Eligibility & Benefits, Claim Status and Payment & Remittance.

Demonstration of Compliance Requirements: All HIPAA-covered Entities

The Secretary of HHS delegated to the CMS Administrator the authority to investigate complaints of noncompliance with the HIPAA and ACA Administrative Simplification provisions. Within CMS, the Division of National Standards (DNS) enforces the HIPAA regulations addressing Transactions and Code Sets and National Identifiers (Employer, Provider, and Health Plan identifiers) and the ACA requirements for operating rules, health plan certification, and additional standards.

The CMS Enforcement website specifies:

The current HIPAA Transaction and code Sets (TCS) and ACA operating rules enforcement process is primarily complaint-driven. To date, the CMS enforcement strategy has been to provide technical assistance and seek the cooperation of all parties to the complaint, to help achieve compliance. With the implementation of Version 5010 and D.0 and the requirements of both the American Recovery and Reinvestment Act, and the Patient Protection and Affordable Care Act, we recognized the need for an enhanced enforcement process whereby CMS would proactively address HIPAA/ACA Transactions and Code Sets, Unique Identifiers, Operating Rule and Health Plan Certification compliance issues through a compliance audit process. Information on the CMS compliance audit process and potential non-compliance penalties is in development and will be forthcoming.

Additional Demonstration of Compliance Requirements: HIPAA-covered Health Plans

In addition to general HIPAA compliance, ACA Section 1104 requires health plans to certify with HHS that their data and information systems are in compliance with HIPAA-mandated transaction standards and associated operating rules. HHS has not yet developed any regulations to support this ACA requirement. NOTE: The ACA-mandated health plan certification applies to health plans only.

Yes. As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated CAQH CORE Operating Rules for Eligibility & Benefits, Claim Status and Payment & Remittance..

All HIPAA-covered Entities

The penalties to be assessed for HIPAA non-compliance were formalized in the original HIPAA legislation and updated by the HITECH rules in 2009. Due to HITECH, the  penalties for HIPAA non-compliance have increased, now up to $1.5 million per entity per year for all violations of an identical provision. More information on the operating rules compliance and enforcement requirements is available on the CMS website.

Additional Penalties: HIPAA-covered Health Plans

In addition to general HIPAA compliance, ACA Section 1104 requires health plans to certify with HHS that their data and information systems are in compliance with HIPAA-mandated transaction standards and associated operating rules. HHS has not yet developed any regulations to support this ACA requirement. NOTE: The ACA-mandated health plan certification applies to health plans only.

ACA Section 1104 also directs the HHS Secretary to assess penalties against health plans that fail to complete the ACA-mandated HHS Health Plan Certification. Per ACA Subsection 1104(b)(2):

• The penalty fee will be $1 per covered life until certification is complete. The penalty shall be assessed per person covered by the plan for which its data systems for major medical policies are not in compliance and shall be imposed against the health plan for each day that the plan is not in compliance.
• A health plan that knowingly provides inaccurate or incomplete information in a statement of certification or documentation of compliance shall be subject to a penalty fee that is double the amount that would otherwise be imposed.
• The amount of the penalty fee imposed shall be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the HHS Secretary.
• A penalty fee assessed against a health plan shall not exceed, on an annual basis, either: 1) $20 per covered life under such plan OR 2) $40 per covered life under the plan if such plan has knowingly provided inaccurate or incomplete information.

ACA Section 1104 requires all HIPAA covered entities to comply with the ACA-mandated operating rules. The CMS website provides charts to help organizations determine whether an organization or individual is a HIPAA covered entity. CAQH CORE is not authorized to make this determination for entities although dental plans are typically considered HIPAA-covered health plans. ACA Section 1104 also mandates a certification process for health plans only.

As the ACA Administrative Simplification provisions build on and update the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ACA Section 1104 requires all HIPAA-covered entities to comply with the ACA-mandated standards and applicable operating rules by their compliance dates. Business associates of a health plan or other HIPAA-covered entity will need to work with their clients to ensure HIPAA compliance support.

As a TPA, you will need to determine if your organization is a HIPAA-covered entity or a business associate:

• If your organization is a business associate, you will need to speak with your health plan clients to determine compliance requirements or assistance applicable to your organization based on your individual business agreements.
• If your organization is a HIPAA-covered entity, the compliance requirements for the HIPAA standard transactions and applicable operating rules apply to the transactions for which your organization provides services.

CAQH CORE is not authorized to determine if an entity is a HIPAA-covered entity or a business associate. CMS provides tools to help determine if an organization or individual is a HIPAA-covered entity. Additionally, the HHS website has published a set of FAQs HERE that provide guidance on determining if an organization is a HIPAA-covered entity. You may also find useful to review the January 2013 HHS HIPAA Privacy and Security omnibus final rule which includes a revised definition of “business associates” and their status as HIPAA-covered entities.

Please Note: CMS is the HHS delegated authority on any decisions regarding interpretation, implementation, and enforcement of the regulations adopting the HIPAA and ACA Administrative Simplification standards and provisions. Within CMS, the Division of National Standards (DNS) enforces the regulations addressing the HIPAA and ACA-mandated transactions, national identifiers, operating rules, health plan certification, and additional standards. More detailed information on the provisions, as well as compliance and enforcement requirements, is available on the CMS website and via the CMS FAQs.

Under the HIPAA Administrative Simplification provisions, health plans are required to have the capacity to accept and/or send a standard transaction that is otherwise conducts but does not currently support electronically. This requirement applies to all HIPAA-mandated transaction standards. Additionally, when using the HIPAA-mandated transaction standards, all HIPAA-covered entities must comply with any associated ACA-mandated operating rules. Please Note: CAQH CORE is not authorized to determine if an entity is a HIPAA-covered entity. CMS provides tools to help determine if an organization or individual is a HIPAA-covered entity.

The Secretary of HHS delegated to the CMS Administrator the authority to investigate complaints of noncompliance with the HIPAA and ACA Administrative Simplification provisions. Within CMS, the Division of National Standards (DNS) enforces the regulations addressing the HIPAA and ACA-mandated transactions, national identifiers, operating rules, health plan certification, and additional standards. The Administrative Simplification Enforcement and Training Tool (ASETT) is a web-based application, maintained by CMS, which enables individuals or organizations to file a HIPAA complaint against a health care provider, health plan, or clearinghouse covered entity for potential non-compliance with the HIPAA Administrative Simplification provisions. Anyone may use ASETT to file a HIPAA complaint related to Transactions and Code Sets and Unique Identifiers. Additional guidance on the HIPAA and ACA compliance enforcement procedures, including the process for filing a complaint of non-compliance with CMS NSG, is available on the CMS website HERE.