The U.S. Department of Health and Human Services (HHS) withdrew a proposed rule that would have required health plans, including employer group health plans, to certify compliance with the Health Insurance Portability and Accountability Act (HIPAA) transaction standards or face potentially stiff penalties.
HHS received 72 comments on the certification rule after proposing it in January 2014, the agency explained in an October 4 notice (82 Fed. Reg. 46182). “In light of the issues raised in the public comments received, we have decided to withdraw the January 2014 proposed rule in order to re-examine the issues and explore options and alternatives to comply with the statutory requirements,” HHS stated.
Employer groups had been among the harshest critics of the certification rules, which were designed to implement a provision of the Affordable Care Act (ACA). As proposed, the rules did not specifically address the extent to which employer plans would have to submit these certifications if they were delegating transactions such as claims processing to another entity.
“The approach taken in the proposed regulations would impose significant costs on self-insured plans that hire vendors to perform Covered Transactions without generating a corresponding benefit,” according to written comments submitted in April 2014 by the ERISA Industry Committee. “As these vendors typically deal with the Covered Transactions on behalf of self-insured plans, they are in the best position to make the kinds of attestations or certifications required by the proposed regulations.”
A self-insured plan would be able to certify compliance “only through its arrangement with those third parties that actually carry out standard transactions in the administration of the plan, and the multiplicity of such arrangements could make the effort both time-consuming and burdensome,” agreed the American Benefits Council.
Under HIPAA’s “administrative simplification” provisions, HHS established standard formats for certain electronic healthcare transactions, and related code sets and identifiers. To address concerns that many health plans were not following these standards, ACA Section 1104 called for rules that would require health plans to certify and document that their “data and information systems” are complying with any applicable standards and operating rules. A penalty of $1 per covered life per day (up to $20 per covered life) was to apply for every day the certification is late, and this would double for “knowingly providing inaccurate or incomplete information.”
The withdrawal of the proposed certification rule does not affect the underlying requirements of HIPAA’s standard transaction, code set and identifier rules (45 C.F.R. parts 160 and 162), HHS indicated in the recent Federal Register notice.
| David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.
Questions? Comments? Contact David at firstname.lastname@example.org for more information on this topic.