Overview

The Patient Protection and Affordable Care Act (ACA) requires health plans, including self-insured plans with more than 50 members, to certify to the Department of Health and Human Services (DHHS) by December 31, 2013, their compliance with HIPAA Standard Transaction Rule requirements for eligibility inquiries, claims status, and electronic funds transfer and remittance advice. In support of this certification, health plans also must supply examples of compliant transactions with trading partners (such as health care providers).

Health plans that delegate these transactions to third parties must include with their certification proof that business associates providing such services are complying with applicable standards and operating rules. A Business Associate Agreement provision requiring compliance with transaction standards and rules would seem prudent in such circumstances. Health plans must ensure and document compliance by third parties with these HIPAA requirements.

DHHS has promised rulemaking in this area but none has issued to date. The ACA authorizes enforcement of certification requirements beginning in April 2014. Penalties of $1 per covered life per day may be levied, and doubled in the case of knowing provision of inaccurate or incomplete certification. These penalties are capped at $20 and $40 per life, respectively.

Documentation of compliance by the plan or its business associates with the Standard Transaction Rule, and especially the three standards identified for certification at the end of 2013, is essential to the certification requirement and should be undertaken without delay. Rulemaking by DHHS will hopefully provide more detail concerning the nature of the certification obligation.

For further information or questions regarding the HIPAA Security, Privacy, Enforcement, and Data Breach rules, please contact the Schwabe attorney with whom you work or Kelly Hagan at 503-796-2423 or khagan@schwabe.com.