Certification: ACA Section 1104 Certification, CORE Certification, Proposed CORE HIPAA Credential, and CORE Endorsement

I. Background on ACA Section 1104 Certification

  1. Has HHS issued any guidance on the ACA-mandated process by which health plans must certify their compliance with the HIPAA-mandated transaction standards and associated operating rules?
  2. What is the proposed timeframe for health plans to comply with the first ACA-mandated Department of Health and Human Services (HHS) Certification of Compliance program addressing the eligibility, claim status, electronic funds transfer (EFT), and electronic remittance advice (ERA) transactions?
  3. What is the Health Plan Identifier (HPID)?
  4. Can penalties be assessed against health plans that fail to complete the ACA-mandated health plan certification with HHS?
  5. ACA Section 1104 requires the HHS Secretary to adopt standards and operating rules addressing nine electronic healthcare administrative and financial transactions. Why does the December 31, 2013 HHS Notice of Proposed Rulemaking (NPRM) on the ACA-mandated health plan certification address only four of the transactions?
  6. Has HHS issued guidance on the health plan certification requirements for the remaining transactions addressed by ACA Section 1104?
  7. My organization is a HIPAA-covered health plan. We currently do not support some of the HIPAA-mandated transactions addressed by the proposed ACA-mandated HHS Certification of Compliance program. As we do not use the transaction standards, are we exempt from compliance with the ACA-mandated certification for these transactions?
  8. My organization is a Third Party Administrator (TPA) that is contracted to process claims on behalf of a health plan (i.e., a contracted business associate of a health plan). Are we required under ACA Section 1104 to certify compliance with HHS?
  9. Where can I obtain a copy of the HHS Notice of Proposed Rule Making (NPRM) on the ACA-mandated HHS Certification of Compliance program?
  10. Will CAQH CORE be submitting a comment letter on the HHS Notice of Proposed Rule Making (NPRM) on the first ACA-mandated health plan certification to HHS?
1. Has HHS issued any guidance on the ACA-mandated process by which health plans must certify their compliance with the HIPAA-mandated transaction standards and associated operating rules?

Yes. On January 2, 2014, HHS issued a Notice of Proposed Rulemaking (NPRM) on the ACA-mandated health plan certification. The NPRM (RIN 0938–AQ85) addresses certification requirements for: eligibility, claim status, electronic funds transfers (EFT), and electronic remittance advice (ERA).

According to the Centers for Medicare & Medicaid Services website, “CMS is currently developing a second proposed rule [regarding the ACA-mandated HHS Certification of Compliance program] that would revise the initial proposed provisions in response to public feedback received through the rulemaking process.”

2. What is the proposed timeframe for health plans to comply with the first ACA-mandated Department of Health and Human Services (HHS) Certification of Compliance program addressing the eligibility, claim status, electronic funds transfer (EFT), and electronic remittance advice (ERA) transactions?

On January 2, 2014, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM or “proposed rule”)  that would require a controlling health plan (CHP) to submit information and documentation demonstrating that it is compliant with certain standards and operating rules adopted by the Secretary of HHS under the Health Insurance Portability and Accountability Act (HIPAA). The program proposed in the NPRM is referred to as the ACA-mandated HHS Certification of Compliance program.

The January 2, 2014 NPRM proposed a December 31, 2015 deadline by which CHPs were required to certify compliance. However, the proposed rule, including the December 31, 2015 deadline, was not mandated in a final regulation before December 31, 2015.

According to the Centers for Medicare & Medicaid Services website, “CMS is currently developing a second proposed rule [regarding the ACA-mandated HHS Certification of Compliance program] that would revise the initial proposed provisions in response to public feedback received through the rulemaking process.”

3. What is the Health Plan Identifier (HPID)?

The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions include a requirement for the Secretary of the Department of Health and Human Services (HHS) to establish an HPID for the purpose of identifying health plans in HIPAA-mandated transactions .

On September 5, 2012, the Department of Health and Human Services (HHS) published the final rule (CMS-0040F), which adopted a unique identifier (HPID) for Health Plans. As of October 1, 2014, CMS announced a delay, until further notice, in enforcement of rules for obtaining and using HPIDs.

For more information, see the Centers for Medicare & Medicaid Services webpage on the HPID here.

4. Can penalties be assessed against health plans that fail to complete the ACA-mandated health plan certification with HHS?

Yes. ACA Section 1104 directs the HHS Secretary to conduct periodic audits to ensure that health plans, including entities that have service contracts with health plans, are in compliance with any HIPAA-mandated standards and associated operating rules. Additionally, ACA Subsection 1104(b)(2) mandates the following requirements regarding penalties to be against health plans that fail to certify compliance with HHS:

  • HHS Secretary shall assess a penalty fee against a health plan that has failed to meet the requirements for certification and documentation of compliance with the HIPAA-mandated transaction standards and associated operating rules.
  • The penalty fee will be $1 per covered life until certification is complete. The penalty shall be assessed per person covered by the plan for which its data systems for major medical policies are not in compliance and shall be imposed against the health plan for each day that the plan is not in compliance.
  • A health plan that knowingly provides inaccurate or incomplete information in a statement of certification or documentation of compliance shall be subject to a penalty fee that is double the amount that would otherwise be imposed.
  • The amount of the penalty fee imposed shall be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the HHS Secretary.
  • A penalty fee assessed against a health plan shall not exceed, on an annual basis, either: 1) $20 per covered life under such plan OR 2) $40 per covered life under the plan if such plan has knowingly provided inaccurate or incomplete information.

For more information on the ACA-mandated health plan certification, see the CMS website.

Please Note: CMS is the HHS designated authority on any decisions regarding interpretation, implementation, and enforcement of the regulations adopting the HIPAA and ACA Administrative Simplification standards and provisions. Within CMS, the Office of E-Health Standards and Services (OESS) enforces the regulations addressing the HIPAA and ACA-mandated transactions, national identifiers (Employer, Provider, and Health Plan identifiers), operating rules, health plan certification, and additional standards. As the authority, questions on the regulations should be directed to CMS OESS.

5. ACA Section 1104 requires the HHS Secretary to adopt standards and operating rules addressing nine electronic healthcare administrative and financial transactions. Why does the December 31, 2013 HHS Notice of Proposed Rulemaking (NPRM) on the ACA-mandated health plan certification address only four of the transactions?

ACA Section 1104 requires health plans to file a statement with HHS certifying that their data and information systems are in compliance with the HIPAA-mandated transaction standards and associated operating rules for nine healthcare administrative and financial electronic transactions.

Per ACA Section 1104, this certification will occur in two stages. The first certification addresses the first four transactions: eligibility, claim status, electronic funds transfers (EFT), and electronic remittance advice (ERA). The second certification addresses the: health claims or equivalent encounter information, health plan enrollment/disenrollment, health plan premium payment, referral certification and authorization, and claims attachments transactions. The HHS NPRM states that HHS will adopt certification requirements for these transactions in subsequent rulemaking.

6. Has HHS issued guidance on the health plan certification requirements for the remaining transactions addressed by ACA Section 1104?

No. To date, HHS has only issued proposed regulations for the first certification of ACA-mandated health plan certification addressing the eligibility, claim status, electronic funds transfers, and healthcare payment and remittance advice transactions. The HHS Notice of Proposed Rulemaking (NPRM) on the first certification specifies that HHS will adopt certification requirements for the remaining five transactions in subsequent rulemaking.

7. My organization is a HIPAA-covered health plan. We currently do not support some of the HIPAA-mandated transactions addressed by the proposed ACA-mandated HHS Certification of Compliance program. As we do not use the transaction standards, are we exempt from compliance with the ACA-mandated certification for these transactions?

Under the HIPAA Administrative Simplification provisions, health plans are “required to have the capacity to accept and/or send (either itself, or by hiring a health care clearinghouse to accept and/or send on its behalf) a standard transaction that it otherwise conducts but does not currently support electronically” (see CMS FAQ #8121). This requirement applies to all of the HIPAA-mandated transaction standards. As the ACA Administrative Simplification provisions build on and update the HIPAA provisions, ACA Section 1104 requires all HIPAA-covered entities, including health plans, to comply with any associated mandated operating rules for the HIPAA-mandated transaction standards.

Beyond general HIPAA compliance, ACA Section 1104 requires health plans to file a statement with HHS certifying that their data and information systems are in compliance with any applicable HIPAA-mandated transaction standards and associated operating rules for the following nine healthcare administrative and financial transactions:

  • Eligibility for a health plan
  • Health claim status
  • Electronic funds transfers
  • Healthcare payment and remittance advice
  • Health claims or equivalent encounter information
  • Enrollment and disenrollment in a health plan
  • Health plan premium payments
  • Health claims attachments
  • Referral certification and authorization

On January 2, 2014, HHS issued a Notice of Proposed Rulemaking (NPRM) proposing requirements for the ACA-mandated HHS Certification of Compliance program addressing four of the nine transactions: eligibility, claim status, electronic funds transfers (EFT), and electronic remittance advice (ERA) transactions. To date, the NPRM for these four transaction is still only proposed, and a final rule has not been published on the ACA-mandated HHS Certification of Compliance program. Further, HHS has not issued regulations regarding health plan certification for the remaining five transactions.

In Sum: Under the HIPAA and ACA Administrative Simplification provisions, HIPAA-covered health plans must both: 1) Have the capability to accept and/or send the HIPAA-mandated transaction standards and 2) Certify with HHS that their data and information systems are in compliance with the HIPAA-mandated transaction standards and associated operating rules.

8. My organization is a Third Party Administrator (TPA) that is contracted to process claims on behalf of a health plan (i.e., a contracted business associate of a health plan). Are we required under ACA Section 1104 to certify compliance with HHS?

ACA Section 1104 requires all HIPAA-covered entities to comply with the HIPAA-mandated transaction standards and associated operating rules. Beyond general HIPAA compliance, ACA Section 1104 requires health plans to certify their compliance with HHS. As part of this documentation of compliance, ACA Subsection 1104(b)(1)(c) specifies that “a health plan shall be required to ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance).”

On January 2, 2014, HHS issued a Notice of Proposed Rulemaking (NPRM) on the ACA-mandated HHS Certification of Compliance program addressing the eligibility, claim status, electronic funds transfers (EFT), and electronic remittance advice (ERA) transactions. Section I(B)(5) of the NPRM specifies that “the [Social Security] Act extends the certification and submission requirements to entities that have service contracts with health plans, though the compliance onus remains on the health plan (emphasis added).” To date, the NPRM for these four transaction is still only proposed, and a final rule has not been published on the ACA-mandated health plan certification.

In Sum: As a TPA, you will need to determine if your organization is a HIPAA-covered health plan or a contracted business associate in order to determine appropriate certification and compliance requirements. CAQH CORE is not authorized to make this determination.

Please Note: CAQH CORE is not authorized to determine if an organization or individual is a HIPAA-covered entity. CMS provides charts to help organizations determine if they are a HIPAA-covered entity. HHS also provides FAQs on whether an organization constitutes a covered entity.

 

9. Where can I obtain a copy of the HHS Notice of Proposed Rule Making (NPRM) on the ACA-mandated HHS Certification of Compliance program?

On January 2, 2014, HHS issued an NPRM proposing requirements for the ACA-mandated HHS Certification of Compliance program addressing the eligibility, claim status, electronic funds transfers (EFT), and electronic remittance advice (ERA) transactions. The HHS NPRM, RIN 0938–AQ85, is available online in the Federal Register HERE. To date, the NPRM for these four transaction is still only proposed, and a final rule has not been published on the ACA-mandated HHS Certification of Compliance program.

10. Will CAQH CORE be submitting a comment letter on the HHS Notice of Proposed Rule Making (NPRM) on the first ACA-mandated health plan certification to HHS?

Yes. HHS is accepting public comments on the NPRM through April 3, 2014. CAQH CORE developed a timeline to collect industry input and submit a comment letter on the NPRM to HHS. On February 21, 2014 CAQH CORE issued a Final Model Comment Letter that both CORE and non-CORE Participants may customize and use as they deem appropriate in submitting comments on the NPRM to HHS. The Model Comment Letter is available on the CAQH CORE website HERE.