Time for Health Plans to Create a Unique Identifier Number
Written by Meryl Kaplan
Self-funded health plans must obtain a Health Plan Identifier (HPID). Creating one unique identifying number for each health plan is intended to help standardize electronic transactions as required by the Health Insurance Portability and Accountability Act (HIPAA). These electronic transactions apply to claims administrative functions between carriers, administrators, health care professionals and financial institutions as well as employer/sponsor activities involving eligibility, enrollment and disenrollment and health plan premium payments. These are referred to as “standard transactions.”
On September 24, 2014, the Department of Health and Human Services (HHS) and the Center for Medicare and Medicaid Services (CMS) issued guidance and made available a quick reference guide that includes detailed steps on obtaining a controlling health plan HPID. Under the final rule, a self-funded customer needs to obtain its own HPID if it meets the definition of a controlling health plan (CHP). A controlling health plan is a health plan that:
• Controls its own business activities, actions, or policies; or is controlled by an entity that is not a health plan; and
• If it has a sub-health plan(s) (SHP), exercises sufficient control over the sub-health plan(s) to direct its/their business activities, actions, or policies.
On October 13, 2014, the Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) posted an updated quick reference guide and Health Plan ID User Manual to help in obtaining a health plan identifier (HPID). The updated documents reflect changes to the HPID application process that eliminates the requirement that HPID applications be approved by an "Authorizing Official".
Large self-funded health plans, i.e., those with more than $5 million in annual receipts (i.e., benefits paid), must obtain an HPID by November 5, 2014. Small health plans with annual receipts of $5 million or less have until November 5, 2015 to obtain their HPID.
Covered entities under HIPAA – including self-funded plans - must use HPIDs in their standard transactions on or after November 7, 2016. The purpose of using an HPID, which is a standard 10-digit identifier that is unique to each plan, is to increase the efficiency and accuracy of the standard transactions. The HPID will also be used to help HHS implement various administration simplification requirements.
Note that health care flexible spending account plans and employee assistance plans (in many cases) are considered self-funded health plans and, as such, may need to obtain an HPID. However, it is likely that these plans may be sub-health plan(s) that are not required to obtain their own HPID, and will qualify as small group health plans and be subject to the one-year extension.
Obtaining an HPID
CMS has enhanced the functionality of its website, which will help employers and service providers determine whether or how to obtain an HPID. Plan sponsors should apply for their plans’ HPID online through CMS’ Health Plan and Other Entity Enumeration System (HPOES) system housed within the CMS Health Insurance Oversight System (HIOS) at https://portal.cms/gov/. The plan sponsor will complete the New User Registration process by providing data elements such as company information (including name, employer identification number (EIN) and address), name and contract information for the company authorizing official and the plan’s NAIC number or payer ID for standard transactions. Health plans that do not have this number (and most do not) can enter “not applicable.”
It is important for plan sponsors to obtain this HPID now to ensure there it time to work through the process. Also, organizations that have not previously signed up with HIOS should allow several days before the HPID is issued as internal approval will take some time.
Penalties for Failure to Obtain an HPID
Although the regulations do not specifically indicate a penalty for failure to obtain an HPID, it appears that the same penalty that applies to violations of HIPAA’s administrative simplification rules would apply for failure to register for and receive an HPID. Therefore, a plan that does not obtain an HPID due to willful neglect could be subject to a penalty of at least $50,000, plus an additional amount each time a standard transaction occurs that requires an HPID but does not include one. All penalties are capped at $1.5 million per calendar year.
Large health plans will be required to obtain certification of compliance with the HIPAA electronic transaction standards and operating rules from the Council for Affordable Quality Healthcare Committee on Operation Rules for Information Exchange (CAQH CORE) and submit evidence of that to HHS by December 31, 2015. Small health plans that obtain an HPID on or after January 1, 2015, and on or before December 31, 2016, would be required to meet the submission requirements for the first certification of compliance within 365 calendar days of obtaining an HPID. Further information about this process will be forthcoming
What Should Plan Sponsors Do?
Plan sponsors should review whether they, their plans, providers, and business associates have met all HIPAA requirements. Obtaining the HPID and certifying compliance with the HIPAA electronic transaction standards and operating rules are among those requirements.
This also creates a good opportunity for plan sponsors to review and update their HIPAA Security Policies and Procedures to ensure they are compliant with these requirements. Significant penalties that may be imposed for failure to comply with the law can easily be avoided by the plan sponsor reviewing its plans, documents, and policies and procedures and taking actions to be in compliance.