HHS Withdraws Rules on HIPAA Certification

OVERVIEW

The Affordable Care Act (ACA) requires health plans to certify to the Department of Health and Human Services (HHS) that their data and information systems comply with the Health Insurance Portability and Accountability Act’s (HIPAA) electronic transaction standards and operating rules. The ACA specified an initial certification deadline of Dec. 31, 2013.

HHS issued a proposed rule that extended this initial deadline to Dec. 31, 2015. However, this deadline was not enforced due to a lack of final guidance on the certification requirement. On Oct. 4, 2017, HHS withdrew its proposed rule in order to re-examine the issues and explore options and alternatives to comply with the HIPAA certification requirement.

ACTION STEPS

Health plan sponsors and their business associates should monitor whether HHS provides any additional guidance on the HIPAA certification requirement. They should also confirm that they are complying with any applicable electronic transaction standards and operating rules. As noted by HHS, there is already an enforcement process in place for these HIPAA requirements.

HIPAA Certification

In order to reduce administrative costs in the health care industry, HIPAA requires covered entities (for example, group health plans) and their business associates to use standardized formats and operating rules when conducting certain electronic transactions. These HIPAA requirements are often referred to as the electronic data interchange (EDI) rules.

The ACA includes a provision that requires health plans to file a statement with HHS by Dec. 31, 2013, certifying their compliance with the EDI rules for the following three electronic transactions:

  • Eligibility for a health plan;
  • Health care claim status; and
  • Health care electronic funds transfer.

On Jan. 2, 2014, HHS issued a proposed rule on the HIPAA certification requirement. The rule extended the initial compliance deadline to Dec. 31, 2015, and proposed a general framework for controlling health plans (CHPs) to certify their HIPAA compliance. It also included penalties for CHPs that failed to comply with the certification requirement. The proposed rule left many questions unanswered regarding the HIPAA certification requirement, including how the requirement would apply to self-funded group health plans that do not directly conduct any electronic HIPAA transactions. Due to a lack of final guidance from HHS, the proposed deadline of Dec. 31, 2015, was not enforced.

Withdrawal of Proposed Rule

On Oct. 4, 2017, HHS withdrew the proposed rule based on issues that have been raised regarding the HIPAA certification process. According to HHS, it will be examining these issues and exploring options and alternatives to comply with the ACA’s requirement. This development is welcome news for group health plan sponsors, who will not be required to certify their HIPAA compliance until HHS issues new guidance.

Although health plans are not required to certify their HIPAA compliance at this time, there is an enforcement process in place for the EDI rules. Civil money penalties and criminal penalties may be imposed on a covered entity that fails to comply with the EDI rules. Thus, health plans and business associates that conduct standard transactions should confirm that they are complying with the EDI rules.
