January 23, 2014

HRB 88 - Certification of Compliance with Electronic Transaction Requirements

Released January 23, 2015I Download as a PDF

January 23, 2014 -- On January 2, 2014, HHS published proposed regulations relating to certification of compliance with the electronic transaction requirements of the Affordable Care Act (ACA).  These regulations are only proposed at this point.  Nevertheless, it is a good time to review certain requirements imposed on health plans; these rules are particularly significant to self-funded health plans.


Generally, a plan sponsor contracts with a business associate, such as a third party administrator (TPA) to handle its claim process.  Therefore, most of the compliance described below will be accomplished by the TPA.  The plan sponsor will want to ensure that its business associate agreement clearly requires the TPA to be compliant with the electronic transaction and operating rules required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) administrative simplification rules, and subsequent laws including the Health Information Technology for Economic and Clinical Health Act (HITECH) and the ACA.

As background, the administrative simplification standards required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) include three components:  health care privacy rules, security of health data rules, and the electronic data interchange (EDI) rules.  The EDI rules govern electronic transactions between health plans, providers, and health care clearinghouses. Examples of administrative and financial health care transaction standards include:

  • Health claims and equivalent encounter information;
  • Enrollment and disenrollment in a health plan;
  • Eligibility for a health plan;
  • Health care payment and remittance advice;
  • Health plan premium payments;
  • Health claim status;
  • Referral certification and authorization; and
  • Coordination of benefits.

The ACA modifies certain aspects of EDI rules, now known as the electronic transaction rules.  These rules require the “controlling health plan” to obtain a unique health plan identifier (HPID).  A controlling health plan (CHP) is a health plan that controls its own business activities, actions and policies; or is controlled by an entity that is not a health plan.  A CHP may control the business activities, actions and policies of one or more “subhealth plans” (“SHP”).  A SHP is a health plan whose business activities, actions or policies are controlled by a CHP.  Certainly, more clarity surrounding these definitions would be useful.  In the meantime, it can be assumed that a single employer self-funded plan would be considered a CHP.

A CHP or SHP obtains a health plan identifier (HPID) by an on-line application process through the CMS Enterprise Portal. Steps in the application process include:

  1. A registration process with the CMS portal to obtain a user ID and password. The type of information required for registration includes:
    • Company information (company name, Federal Employer Identification Number and domiciliary address);
    • Authorizing official information (name, title, phone number and e-mail address); and
    • The health plan’s NAIC number or Payer ID used in standard transactions.
  2. Determination and designation of the user’s role for purposes of managing and accessing company information.
  3. Selection of the particular application type as a CHP or SHP.
  4. Review and submission of the application.

Once the application has been submitted, the entity’s authorized official will be notified of the pending application.  If the application is approved, the entity’s authorized official will be notified by e-mail of its assigned HPID number.

Large health plans must obtain an HPID by November 5, 2014; by November 5, 2015 for small plans (those annual receipts of $5 million or less).  The use of an HPID for all plans must begin by November 7, 2016.

Once the CHP or SHP obtains a HPID, it must certify that it is in compliance with certain standards for electronic transactions, as well as certain operating procedures.  The regulations specifically require certification for compliance with applicable standards and operating rules for:

  • Eligibility for a health plan transactions;
  • Health care claim status transactions; and
  • Health care electronic funds transfers (EFT) and remittance advice transactions.

Certification can be accomplished in one of two ways:

  • Obtain a certification seal for  Phase III CAQH CORE Operating Rules by the Council for Affordable Quality Healthcare’s Committee on Operating Rules for Information Exchange (CAQH CORE); or
  •  A HIPAA Credential. In order to receive a HIPAA Credential, a CHP must sign an attestation that states that the CHP has successfully tested with at least three trading partners that collectively conduct at least 30% of the CHP’s transactions with providers (among other requirements).

The certification schedule is as follows:

  • A CHP that obtained a HPID (pursuant to the HIPAA rules) prior to January 1, 2015 would be required to certify its compliance with its data and information systems by December 31, 2015. 
  • A CHP that obtains a HPID on or after January 1, 2015 is required to certify compliance by January 1, 2016.

This proposed rule also establishes penalty fees for CHPs that do not comply with the certification of compliance requirements.

 Next Steps

  • Insured health plans are generally not directly impacted by these rules as the insurer is responsible for the electronic transactions, including certification of compliance and obtaining a unique health plan identifier. 
  • A self-funded plan should:
    • Ensure its business associate agreement requires the TPA to comply with electronic transaction rules; and
    • Work with the TPA to ensure compliance with the certification responsibilities as they become required.
  • Apply for a unique health plan identifier.  Consult with the TPA for any assistance it can provide in obtaining the HPID well before the compliance date.



About the Author:  Karen R. McLeese is Vice President of Employee Benefit Regulatory Affairs for CBIZ Benefits & Insurance Services, Inc., a division of CBIZ, Inc.  She serves as in-house counsel, with particular emphasis on monitoring and interpreting state and federal employee benefits law.  Ms. McLeese is based in the CBIZ Leawood, Kansas office.


The information contained herein is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations. The information contained herein is provided as general guidance and may be affected by changes in law or regulation. The information contained herein is not intended to replace or substitute for accounting or other professional advice. Attorneys or tax advisors must be consulted for assistance in specific situations. This information is provided as-is, with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein. As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained herein is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.