Phase IV CAQH CORE Operating Rules

VI. CAQH CORE 470: Connectivity Rule

NOTE: Implementation of the Phase IV CAQH CORE Operating Rules is currently voluntary. HHS will determine if the Phase IV CAQH CORE Operating Rules will be included in any regulatory mandates. The Phase IV FAQs are for use by entities completing voluntary implementation of the operating rules and/or pursuing Phase IV CORE Certification which will be available in Fall 2016. 

 

  1. If a HIPAA-covered entity uses an agent (e.g., a business associate) to carry out or otherwise perform any of the requirements specified in a Phase IV CAQH CORE Operating Rule, is that agent required to support all of the associated Phase IV CAQH CORE Operating Rules requirements?
  2. The Phase IV CAQH CORE Operating Rules include “Safe Harbor” statements. Does this preclude any trading partner’s implementation testing from taking place prior to the trading partners actually using the Phase IV CAQH CORE 470 Connectivity Rule to exchange the transactions?
  3. Can a HIPAA-covered entity or its agent still use connections that are not compliant with the Phase IV CAQH CORE 470 Connectivity Rule?
  4. Do the Phase IV CAQH CORE 470 Connectivity Rule Payload types have to be implemented for non-compliant connections to the rule?
  5. Do the Phase IV CAQH CORE 470 Connectivity Rule Processing Modes have to be implemented for transactions addressed by this rule even if non-compliant connections are used to conduct these transactions?
  6. What is the CAQH CORE Connectivity “Safe Harbor”?
  7. I am a Healthcare Provider. Do I need to support a Client or Server roles or both for exchanging the HIPAA-mandated transactions?
  8. I am a Health Plan. Do I need to support as a Client or as a Server or both for exchanging the HIPAA-mandated transactions?
  9. I am a Clearinghouse. Do I need to support a Client or Server or both for exchanging the HIPAA-mandated transactions?
  10. What does the term “in-line files (method)” as used in Section 4.2.9.2, Batch Transactions, mean?
  11. If we use SHA-1 algorithm as specified in Table 4.4.2 CAQH CORE Envelope Metadata for the CORE Envelope CheckSum element, but our trading partner requires SHA-2, how can we resolve the different implementations to use the same algorithm?
  12. Will CAQH CORE help negotiate implementation differences between trading partners?
  13. Can an organization use user id + password for either internal or external manual user access to an organization’s computers?
  14. Why are non-normative descriptions provided?
  15. Are the non-normative descriptions mandatory to support?
  16. Can I modify the WSDL field names, data types and syntax of existing fields to meet my organization internal requirements?
  17. Can I add additional SOAP headers?
  18. Does the entire Web Services Definition Language (WSDL) Specification (normative) WSDL need to be implemented for conformance with the Phase IV CAQH CORE 470 Connectivity Rule or only the interactions needed to support the transactions and processing modes we use?
  19. Can a HIPAA-covered entity and its agent reference the XSD and WSDL document on the CAQH CORE website as part of the entity’s or agent’s transaction processing; e.g., for the purpose of message envelope validation?
  20. Can a HIPAA-covered entity or its agent use SFTP/FTPS (Secure File Transfer Protocol/File Transfer Protocol/Secure) to exchange transactions for Batch Processing Mode and be compliant with the Phase IV CAQH CORE 470 Connectivity Rule?
  21. Can we continue to use SFTP/FTPS for our batch transactions after we support the Phase IV CAQH CORE 470 Connectivity Rule requirements?
  22. Does “client” refer to a workstation or human user, i.e., can a client be an internal workstation or a web browser requesting a webpage from an Internet web server?
  23. Do all error conditions addressed in Section 4.2.6 of the Phase IV CAQH CORE 470 Connectivity Rule have to be checked, e.g., the example sequence diagrams do not depict checking SOAP error faults?
  24. Are there recommendations for how frequently to audit the data in Section 4.2.7, Audit Handling?
  25. If a submitter’s transaction real time response is not received from a receiver, can the submitter’s transaction be excluded from the submitter’s response time reporting as a failed transaction caused by external problems?
  26. How is MTOM applied in the Phase II and Phase IV CAQH CORE Connectivity Rules?
1. If a HIPAA-covered entity uses an agent (e.g., a business associate) to carry out or otherwise perform any of the requirements specified in a Phase IV CAQH CORE Operating Rule, is that agent required to support all of the associated Phase IV CAQH CORE Operating Rules requirements?

The Phase IV CAQH CORE Operating Rules requirements are applicable to HIPAA-covered health plans, HIPAA-covered providers, HIPAA-covered entities and their respective agents. Thus, depending on the HIPAA-covered entity’s stakeholder type, its agent is required to support the requirements applicable to the HIPAA-covered entity as specified in the Phase IV CAQH CORE Operating Rules. 

2. The Phase IV CAQH CORE Operating Rules include “Safe Harbor” statements. Does this preclude any trading partner’s implementation testing from taking place prior to the trading partners actually using the Phase IV CAQH CORE 470 Connectivity Rule to exchange the transactions?

No. Per the CAQH CORE Guiding Principles, the Phase I, II and IV CAQH CORE Connectivity Rules are all built around a Safe Harbor principle (see Section 5 of the Phase IV CAQH CORE 470 Rule) which allows HIPAA-covered entities or their agents to implement other connectivity/security methods in addition to the requirement to support the CORE Connectivity Rule. Trading partners are permitted to conduct the necessary planning, implementation and testing activities necessary to begin exchanging the various transactions using the CAQH CORE 470 Rule prior to actually using the CAQH CORE 470 Rule. 

3. Can a HIPAA-covered entity or its agent still use connections that are not compliant with the Phase IV CAQH CORE 470 Connectivity Rule?

Yes. A HIPAA-covered entity or its agent must support the CAQH CORE 470 Rule compliant connections, and use these connections when requested by a trading partner for the Phase IV transactions. Per the CAQH CORE Guiding Principles, the Phase I, II and IV CAQH CORE Connectivity Rules are all built around a Safe Harbor principle (see Section 5 of the Phase IV CAQH CORE 470 Rule) which allows HIPAA-covered entities or their agents to implement other connectivity/security methods in addition to the requirement to support the CORE Connectivity Rule. Such non-compliant connections must support all Payload Processing modes (Batch and Real Time) specified for the transactions in the Phase IV CAQH CORE 470 Connectivity Rule CAQH CORE-Required Processing Mode and Payload Type Tables. 

4. Do the Phase IV CAQH CORE 470 Connectivity Rule Payload types have to be implemented for non-compliant connections to the rule?

No. The Phase IV payload types specified for the transactions in the Phase IV CAQH CORE 470 Connectivity Rule CAQH CORE-Required Processing Mode and Payload Type Tables do not have to be implemented for non-compliant connections. The CAQH CORE 470 Rule Payload types must be implemented in compliant connections. 

5. Do the Phase IV CAQH CORE 470 Connectivity Rule Processing Modes have to be implemented for transactions addressed by this rule even if non-compliant connections are used to conduct these transactions?

Yes. Such non-compliant connections must support all Payload Processing modes (Batch and Real Time) specified for the transactions in the CAQH CORE 470 Rule CAQH CORE-Required Processing Mode and Payload Type Tables

6. What is the CAQH CORE Connectivity “Safe Harbor”?

The CAQH CORE Connectivity Safe Harbor requirements that a health plan must use if requested by a provider are described in the Phase IV CAQH CORE 470 Rule, Section 5, CAQH CORE Safe Harbor. The CAQH CORE Connectivity Safe Harbor specifies connectivity methods that application vendors, providers, and health plans can be assured will be supported by any HIPAA-covered entity, meaning that the entity is capable and ready at the time of the request by a trading partner to exchange data using the CAQH CORE Connectivity Rule. The rule does not require entities to remove existing connections that do not match the rule, nor does it require that all covered entities use this method for all new connections. In some circumstances, you and your trading partners may decide to continue to use your current connection; however, you must support the capability to use the CAQH CORE Connectivity Safe Harbor and be capable and ready to use it when requested

Per the CAQH CORE Guiding Principles, the Phase I, II and IV CAQH CORE Connectivity Rules are all built around the Safe Harbor principle which allows HIPAA-covered entities or their agents to implement other connectivity/security methods in addition to the requirement to support the CORE Connectivity Rule. 

7. I am a Healthcare Provider. Do I need to support a Client or Server roles or both for exchanging the HIPAA-mandated transactions?

The Phase IV CAQH CORE Operating Rules define minimum technical roles for a HIPAA-covered health plan or its agent. The CAQH CORE 470 Rule defines message interactions between providers and health plans which require that at a minimum a provider support a Client role as described in the CAQH CORE 470 Rule for exchanging the HIPAA-mandated transactions addressed in the Phase IV CAQH CORE Operating Rules. 

8. I am a Health Plan. Do I need to support as a Client or as a Server or both for exchanging the HIPAA-mandated transactions?

The Phase IV CAQH CORE Operating Rules require a HIPAA-covered health plan to support the Server requirements at a minimum. A HIPAA-covered health plan may optionally support a Client role when exchanging the ASC X12N v5010 834 and ASC X12N v5010 820 transactions.

9. I am a Clearinghouse. Do I need to support a Client or Server or both for exchanging the HIPAA-mandated transactions?

Given that a Clearinghouse may be acting as an agent (e.g., Business Associate) of either a HIPAA-covered health plan or a HIPAA-covered provider, it must support either a Client or a Server or both roles in the Phase IV CAQH CORE Operating Rules based on which HIPAA-covered entity on whose behalf it is acting.

10. What does the term “in-line files (method)” as used in Section 4.2.9.2, Batch Transactions, mean?

The In-line files method means the text is embedded in the SOAP envelope text structure. The in-line method is used by Phase II CAQH CORE 270 Connectivity Rule v2.2.0 for SOAP Real Time interactions; this method is no longer allowed in the CAQH CORE 470 Rule, which uses MTOM for both SOAP Real Time and Batch Interactions.

11. If we use SHA-1 algorithm as specified in Table 4.4.2 CAQH CORE Envelope Metadata for the CORE Envelope CheckSum element, but our trading partner requires SHA-2, how can we resolve the different implementations to use the same algorithm?

The CAQH CORE 470 Rule, Section 4.3, Publication of Entity-Specific Connectivity Companion Document, requires the publication of a Connectivity Companion Document. Entities acting as Servers specify their required SHA algorithms in their Connectivity Companion Document. Trading partners will need to reach mutual agreement regarding the use of SHA-1.

12. Will CAQH CORE help negotiate implementation differences between trading partners?

No. CAQH CORE does not provide negotiation assistance between trading partners. CAQH CORE does providement implementation resources and education events and will clarify the rules if there are questions. 

13. Can an organization use user id + password for either internal or external manual user access to an organization’s computers?

Manual user access, either internal or external, is not addressed in the CAQH CORE 470 Rule.

14. Why are non-normative descriptions provided?

Non-normative descriptions are informational and educational descriptions only on the use of the normative SOAP+WSDL envelope specifications, and are not intended to be part of the specification.

15. Are the non-normative descriptions mandatory to support?

No. Non-normative descriptions are not mandatory to support.

16. Can I modify the WSDL field names, data types and syntax of existing fields to meet my organization internal requirements?

No. The WSDL field names, data types and syntax of existing fields cannot be modified.

17. Can I add additional SOAP headers?

Yes. Additional elements within the SOAP Header may be added. Server entities that require the use of additional SOAP Header elements must define the element and its use in the entity’s Connectivity Companion Document. Server organizations that don’t require specific SOAP headers must ignore them.

18. Does the entire Web Services Definition Language (WSDL) Specification (normative) WSDL need to be implemented for conformance with the Phase IV CAQH CORE 470 Connectivity Rule or only the interactions needed to support the transactions and processing modes we use?

The WSDL has both required and optional message interactions (e.g., Real Time interaction is optional in Phase IV). Only the interactions needed to support the transactions and processing modes need to be implemented for conformance.

19. Can a HIPAA-covered entity and its agent reference the XSD and WSDL document on the CAQH CORE website as part of the entity’s or agent’s transaction processing; e.g., for the purpose of message envelope validation?

The XSD and WSDL documents on the CAQH CORE website are for reference only for an organization to use to develop its own production transaction processing. The two CAQH CORE documents are not meant to be read directly from the CAQH CORE website as part of any organization’s production transaction processing; for example, for the message envelope validation. The CAQH CORE website is not intended to provide high availability or high performance production read access for these documents, nor is it intended to be part of any organization’s production processing environment.

20. Can a HIPAA-covered entity or its agent use SFTP/FTPS (Secure File Transfer Protocol/File Transfer Protocol/Secure) to exchange transactions for Batch Processing Mode and be compliant with the Phase IV CAQH CORE 470 Connectivity Rule?

No. The CAQH CORE 470 Rule requires HTTP/S. SFTP/FTPS does not meet the requirements of the rule.

NOTE: Per the CAQH CORE Guiding Principles, the Phase I, II and IV CAQH CORE Connectivity Rules are all built around a Safe Harbor principle (see Section 5 of the Phase IV CAQH CORE 470 Rule) which allows HIPAA-covered entities or their agents to implement other connectivity/security methods in addition to the requirement to support the CAQH CORE 470 Rule.

21. Can we continue to use SFTP/FTPS for our batch transactions after we support the Phase IV CAQH CORE 470 Connectivity Rule requirements?

The CAQH CORE 470 Rule requires the use of HTTP/S. Section 5, CAQH CORE Safe Harbor, permits trading partners to agree to use different communication method(s) and/or security requirements than those described in this Rule. When a HIPAA-covered entity or its agent implements a different communication method(s) as permitted by the CAQH CORE Safe Harbor provisions all payload processing modes specified for the transactions addressed by the rule must be supported in each connectivity gateway implemented.

22. Does “client” refer to a workstation or human user, i.e., can a client be an internal workstation or a web browser requesting a webpage from an Internet web server?

The CAQH CORE 470 Rule applies to Business to Business (B2B) transactions. The term “Client” refers to software that is initiating, submitting/sending a request to a receiving “Server." 

23. Do all error conditions addressed in Section 4.2.6 of the Phase IV CAQH CORE 470 Connectivity Rule have to be checked, e.g., the example sequence diagrams do not depict checking SOAP error faults?

Yes. All applicable error conditions that may occur must be checked, including SOAP error faults, even if not displayed in the sequence diagrams examples.

24. Are there recommendations for how frequently to audit the data in Section 4.2.7, Audit Handling?

No. Auditing is a local decision by each trading partner, which includes the frequency of audits.

25. If a submitter’s transaction real time response is not received from a receiver, can the submitter’s transaction be excluded from the submitter’s response time reporting as a failed transaction caused by external problems?

No, all transactions should be recorded for response time tracking. Failed transactions due to external timeouts should be reported and investigated with external trading partners.

26. How is MTOM applied in the Phase II and Phase IV CAQH CORE Connectivity Rules?

The W3C Message Transmission Optimization Mechanism (MTOM) is a method of efficiently sending binary data to and from Web Services which use SOAP over the HTTP protocol. Requirements addressing use of MTOM are specified in both the Phase II CAQH CORE 270 Connectivity Rule and the Phase IV CAQH CORE 470 Connectivity Rule:

  • The Phase II CAQH CORE 270 Connectivity Rule requires the use of MTOM for all SOAP message envelopes only when exchanging data in Batch Processing Mode. The Phase II CAQH CORE Connectivity Rule does not permit the use of MTOM in SOAP message envelopes for Real Time Processing Mode. The SOAP message for Real Time Processing Mode requires the use of an inline CDATA element to carry the payload (for more information, see the normative XSD schema in Section 4.2.2 of the Phase II CAQH CORE 270 Connectivity Rule). 
  • The Phase IV CAQH CORE 470 Connectivity Rule requires the use of MTOM to encapsulate all payloads in a SOAP message for both Real Time AND Batch Processing Modes.