Skip to Content
Proposed Rule

Administrative Simplification: Certification of Compliance for Health Plans

Action

Proposed Rule.

Summary

This proposed rule would require a controlling health plan (CHP) to submit information and documentation demonstrating that it is compliant with certain standards and operating rules adopted by the Secretary of Health and Human Services (the Secretary) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This proposed rule would also establish penalty fees for a CHP that fails to comply with the certification of compliance requirements.

Unified Agenda

Administrative Simplification: Certification of Compliance for Health Plans (CMS-0037-F)

4 actions from January 2nd, 2014 to July 2015

  • January 2nd, 2014
  • March 3rd, 2014
    • NPRM Comment Period End
  • March 5th, 2014
  • July 2015
    • Final Action
 

Table of Contents Back to Top

Tables Back to Top

DATES: Back to Top

To be assured consideration, comments must be received at one of the addresses provided, no later than 5 p.m. on March 3, 2014.

ADDRESSES: Back to Top

In commenting, please refer to file code CMS-0037-P. Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission.

You may submit comments in one of four ways (please choose only one of the ways listed):

1. Electronically. You may submit electronic comments on this regulation to http://www.regulations.gov. Follow the “Submit a comment” instructions.

2. By regular mail. You may mail written comments to the following address only: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-0037-P, P.O. Box 8013, Baltimore, MD 21244-8013.

Please allow sufficient time for mailed comments to be received before the close of the comment period.

3. By express or overnight mail. You may send written comments to the following address only: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-0037-P, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.

4. By hand or courier. Alternatively, you may deliver (by hand or courier) your written comments only to the following addresses prior to the close of the comment period:

a. For delivery in Washington, DC— Centers for Medicare & Medicaid Services, Department of Health and Human Services, Room 445-G, Hubert H. Humphrey Building, 200 Independence Avenue SW., Washington, DC 20201 (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal government identification, commenters are encouraged to leave their comments in the CMS drop slots located in the main lobby of the building. A stamp-in clock is available for persons wishing to retain a proof of filing by stamping in and retaining an extra copy of the comments being filed.)

b. For delivery in Baltimore, MD— Centers for Medicare & Medicaid Services,

Department of Health and Human Services, 7500 Security Boulevard, Baltimore, MD 21244-1850.

If you intend to deliver your comments to the Baltimore address, call telephone number (410) 786-1066 in advance to schedule your arrival with one of our staff members.

Comments erroneously mailed to the addresses indicated as appropriate for hand or courier delivery may be delayed and received after the comment period.

For information on viewing public comments, see the beginning of the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Back to Top

Matthew Albright, (410) 786-2546. Terri Deutsch, (410) 786-9462 for questions regarding Collection of Information and the Regulatory Impact Statement.

SUPPLEMENTARY INFORMATION: Back to Top

Inspection of Public Comments: All comments received before the close of the comment period are available for viewing by the public, including any personally identifiable or confidential business information that is included in a comment. We post all comments received before the close of the comment period on the following Web site as soon as possible after they have been received: http://www.regulations.gov. Follow the search instructions on that Web site to view public comments.

Comments received timely will also be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, at the headquarters of the Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule an appointment to view public comments, call 1-800-743-3951.

I. Background Back to Top

A. Introduction

Many factors contribute to the high cost of health care in the United States, but studies find that administrative costs substantially impact spending growth2 and can likely be reduced.2 Automated processes, through the use of standardized electronic transactions, can lessen health care providers' administrative burden in interacting with health insurers. Under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Secretary adopts standards and operating rules that facilitate the use of electronic transactions by creating greater uniformity in data exchange and reducing the health care industry's reliance on paper forms and manual processes to transmit data.

Although HIPAA standards and operating rules can reduce administrative burden, the health care industry has experienced difficulty transitioning to them by the regulatory compliance dates. Many in the industry attribute at least some implementation difficulties to the lack of a consistent testing process or framework before implementation of new standards and operating rules. This proposed rule is intended to serve as an initial step toward the development of a consistent testing process that will enable entities to better achieve and demonstrate compliance with HIPAA standards and operating rules.

This rule proposes that controlling health plans (CHPs) must submit certain information and documentation that demonstrates compliance with the adopted standards and operating rules for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. Such documentation would be an indication that a CHP has completed some internal and external testing.

B. Legislative and Regulatory Background

This section summarizes the legislative and regulatory history of standards, operating rules, and the enforcement processes in order to frame the process we refer to in this proposed rule as certification of compliance.

1. HIPAA Standards and Code Sets

Section 1172(a) of the Social Security Act (the Act) provides that any standard adopted under HIPAA shall apply, in whole or in part, to the following persons, known as “covered entities”: (1) A health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Covered entities are required to conduct as standard transactions all electronic transactions for which the Secretary has adopted a standard.

In the August 17, 2000 Federal Register (65 FR 50312), we published a final rule titled “Health Insurance Reform: Standards for Electronic Transactions” (hereinafter referred to as the Transactions and Code Sets final rule). That rule implemented some of the HIPAA Administrative Simplification requirements by adopting standards developed by standards development organizations (SDOs) for certain electronic health care transactions, and medical data code sets to be used in those transactions. The Transactions and Code Sets final rule adopted the Accredited Standards Committee (ASC) X12 standards Version 4010/4010A1 and the National Council for Prescription Drug Programs (NCPDP) Telecommunication standard Version 5.1.

In the January 16, 2009 (74 FR 3296) final rule titled, “Health Insurance Reform; Modifications to the Health Insurance Portability and Accountability Act (HIPAA) Electronic Transaction Standards” (hereinafter referred to as the Modifications final rule), we adopted updated versions of the standards (ASC X12 Version 5010) (hereinafter referred to as Version 5010) and NCPDP Telecommunication Standard Implementation Guide, Version D. Release 0 (hereinafter referred to as Version D.0), and equivalent Standard Batch Implementation Guide, Version 1, Release 2 (hereinafter referred to as Version 1.2) for the electronic health care transactions that were originally adopted in the Transactions and Code Sets final rule. We also adopted a new standard for the Medicaid pharmacy subrogation transaction—the Batch Standard Medicaid Subrogation Implementation Guide, Version 3, Release 0 (hereinafter referred to as Version 3.0), which is specified at 45 CFR 162, subpart S. Covered entities were required to comply with Version 5010 and Version D.0, and Version 3.0 for Medicaid pharmacy subrogation transactions, effective January 1, 2012 (except for small health plans, which were required to comply with Version 3.0 on January 1, 2013).

In the January 10, 2012 (77 FR 1556) interim final rule with comment period, titled “Administrative Simplification: Adoption of Standards for Health Care Electronic Funds Transfers (EFT) and Remittance Advice” (hereinafter referred to as the Health Care EFT Standards IFC), we adopted standards for the health care electronic funds transfers (EFT) and remittance advice transaction, defined the transaction, and explained how the adopted standards support and facilitate it.

In the September 5, 2012 Federal Register (77 FR 54664), we published a final rule, “Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets” (hereinafter referred to as the HPID final rule). That rule, as relevant here, adopted the standard for a national unique health plan identifier (HPID), established requirements for HPID implementation, and adopted a data element to serve as an “other entity” identifier (OEID)—an identifier for entities that are not health plans, health care providers, or individuals, but that need to be identified in standard transactions.

2. HIPAA Operating Rules

Section 1173(g) of the Act was added by section 1104 of the Patient Protection and Affordable Care Act (Pub L. 111-148), enacted on March 23, 2010, as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152), enacted on March 30, 2010 (collectively known as and hereinafter referred to as the Affordable Care Act). Section 1173(g) of the Act requires the Secretary to adopt a single set of operating rules for each of the transactions listed in section 1173(a)(1) of the Act. Operating rules are defined by section 1171(9) of the Act as “the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications as adopted for purposes of this part.” Additionally, sections 1173(g)(2)(D), (g)(3)(C), and (g)(3)(D) of the Act clarify aspects of the operating rules and the requirements of the operating rules authoring entity.

The Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE) was established in 2005 as a national initiative, bringing together over 100 health care industry stakeholders to simplify health care administration through the improvement of electronic health care information exchange. CAQH CORE's mission is to “build consensus among healthcare industry stakeholders on a set of operating rules that facilitate administrative interoperability between providers and health plans.” [3]

With consensus among health care industry stakeholder members, CAQH CORE, in 2008, developed two sets of operating rules for the eligibility for a health plan and health care claim status transactions (hereinafter referred to as Phase I and Phase II CAQH CORE Operating Rules). The operating rules built upon applicable HIPAA standard transaction requirements, and enabled providers to submit transactions from any system, facilitating administrative and clinical data integration. Numerous health care entities voluntarily adopted the Phase I and II CAQH CORE Operating Rules, and CAQH CORE demonstrated that the use of these rules yielded a positive return on investment for health plans and providers. [4]

In August and September, 2010, the National Committee on Vital and Health Statistics [5] (NCVHS), in furtherance of its statutory mission to advise the Secretary, engaged in a comprehensive review of health care operating rules and their authors. The NCVHS advised the Secretary that CAQH CORE met the requirements of section 1173(g)(2) of the Act to be the operating rules authoring entity for the non-retail pharmacy eligibility for a health plan and health care claim status transactions. [6]

After assessing its qualifications and the NCVHS's recommendation, the Secretary determined that CAQH CORE was qualified to be the operating rule authority entity for the eligibility for a health plan and health care claim status transactions. In the July 8, 2011 (76 FR 40458) interim final rule with comment period (IFC) titled, “Administrative Simplification: Adoption of Operating Rules for Eligibility for a Health Plan and Health Care Claim Status Transactions” (hereinafter referred to as the Operating Rules IFC), we adopted Phase I and II CAQH CORE Operating Rules for the two transactions. [7] The Operating Rules IFC also defined the term “operating rules,” revised the definition for “standard transaction” to indicate that a standard transaction is one that complies with both the adopted standards and operating rules, and described the relationship between operating rules and standards. In the Operating Rules IFC, we did not adopt the Phase I and II CAQH CORE Operating Rules requirements regarding acknowledgments, nor did we adopt CORE's Certification process by which an entity demonstrates compliance with Phase I and II CAQH CORE Operating Rules. [8]

On March 23, 2011, the NCVHS recommended that CAQH CORE, in collaboration with NACHA—The Electronic Payments Association, be the authoring entity for the health care electronic funds transfers (EFT) and remittance advice transaction operating rules. [9] In developing the health care electronic funds transfers (EFT) and remittance advice transaction operating rules, CAQH CORE held more than thirty open conference calls and conducted over 15 straw polls with industry and government representatives between March and August 2011. More than 80 health care entities analyzed, reviewed, and achieved consensus on the operating rules.

On December 7, 2011, the NCVHS, in its advisory role, recommended to the Secretary (subject to CAQH CORE making certain revisions) that the Phase III CAQH CORE EFT ERA Draft Operating Rule Set (or Phase III Operating Rules) be adopted as the operating rules for the health care electronic funds transfers (EFT) and remittance advice transaction. On August 10, 2012, in 77 FR 48008, we adopted these operating rules in a rule titled “Administrative Simplification: Adoption of Operating Rules for Health Care Electronic Funds Transfers (EFT) and Remittance Advice Transactions; Final Rule” (hereinafter EFT ERA Operating Rule Set IFC). We did not, however, adopt the CAQH CORE operating rule in the EFT ERA Operating Rule Set that required the use of the Version 5010 999 acknowledgements standard in the Phase III CAQH CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule requirement 4.2 (77 FR 48017). [10]

The NCVHS recommended in May 2012 that CAQH CORE be the authoring entity for the operating rules for the remaining HIPAA transactions [11] —health care claims or equivalent encounter information, health claims attachments, enrollment and disenrollment in a health plan, health plan premium payments, and referral certification and authorization, with respect to which the Secretary agreed. [12]

3. Current HIPAA Administrative Simplification Enforcement

Under sections 1176 and 1177 of the Act, covered entities may be subject to civil money penalties (CMPs) and criminal penalties for violations of HIPAA Administrative Simplification rules. HHS administers the CMPs under section 1176 of the Act and the U.S. Department of Justice administers the criminal penalties under section 1177 of the Act.

Section 1176(b) of the Act sets out limitations on the Secretary's authority and provides the Secretary certain discretion with respect to imposing CMPs. For example, this section provides that no CMPs may be imposed with respect to an act if a penalty has been imposed under section 1177 of the Act with respect to such act. This section also generally precludes the Secretary from imposing a CMP for a violation corrected during the 30-day period beginning when an individual knew or, by exercising reasonable diligence, would have known that the failure to comply occurred. The Secretary promulgated rules pertaining to compliance with, and enforcement of, the HIPAA Administrative Simplification rules that are codified at section 45 part 160, subparts C, D, and E, and collectively referred to as the Enforcement Rule.

In the April 17, 2003 Federal Register (68 FR 18895), we issued an interim final rule entitled, “Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings” that established the procedural requirements for the imposition of CMPs for violations of HIPAA Administrative Simplification requirements. We expanded upon that rule with a February 16, 2006 final rule entitled, “HIPAA Administrative Simplification: Enforcement” (71 FR 8390), that made the compliance rules applicable to all HIPAA Administrative Simplification Rules. That rule also amended the rules relating to the imposition of CMPs and clarified the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeal process. These rules' preambles provide additional information that may be helpful regarding HIPAA's compliance and enforcement.

Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, revised section 1176 of the Act by strengthening enforcement of the HIPAA rules.

In the October 30, 2009 Federal Register (74 FR 56123), we published an IFC titled “HIPAA Administrative Simplification: Enforcement” that conformed HIPAA's enforcement regulations to section 1176 of the Act, as it was modified by section 13410(d) of HITECH. That rule amended HIPAA enforcement regulations as they relate to the imposition of CMPs to incorporate the HITECH categories of violations, tiered ranges of CMP amounts, and revised limitations on the Secretary's authority to impose CMPs for established violations of HIPAA Administrative Simplification rules.

In the January 25, 2013 Federal Register (78 FR 5566), we published a final rule titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (hereinafter referred to as the HIPAA Omnibus final rule). Among other modifications to the HIPAA rules, the HIPAA Omnibus final rule modified HIPAA Privacy, Security, and Breach Notification Rules as mandated by HITECH, as well as finalized a number of modifications to the HIPAA Enforcement Rule, including incorporating a tiered civil money penalty structure, that were originally published as an interim final rule on October 30, 2009 (74 FR 56123) and proposed in a notice of proposed rulemaking on July 14, 2010 (75 FR 40868).

4. HIPAA Administrative Simplification Enforcement Under the Affordable Care Act

Section 1104 of the Affordable Care Act amended the Social Security Act by adding sections 1173(h) and (j). Section 1173(h) of the Act includes certification of compliance requirements for health plans, and requires the Secretary to conduct periodic audits of health plans and entities that have service contracts with health plans. Section 1173(j) of the Act establishes new penalties for health plans that fail to comply with the certification of compliance requirements.

5. Health Plan Certification of Compliance Requirements

Section 1173(h)(1)(A) of the Act requires health plans to file a statement with the Secretary, in such form as the Secretary may require, by December 31, 2013, certifying that their data and information systems are in compliance with the standards and operating rules for the following transactions: Eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. In this proposed rule, we refer to the requirements mandated by section 1173(h)(1)(A) of the Act as the “first certification of compliance requirements.” Table 1 displays the specific standards and operating rules to which the requirements for the first certification of compliance apply.

In similar fashion, section 1173(h)(1)(B) of the Act mandates, by December 31, 2015, health plan certification of compliance for the following HIPAA transactions: Health care claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, and referral certification and authorization. Likewise, section 1173(h)(5) of the Act mandates that health plans meet certification of compliance requirements for later versions of the standards and operating rules.

The scope of this proposed rule is limited to the first certification of compliance. Because operating rules for the transactions listed in section 1173(h)(1)(B) of the Act have not yet been adopted, nor has a standard been adopted for health claims attachments, we cannot yet determine what documentation will be necessary to demonstrate compliance with those standards and operating rules. We will adopt certification of compliance requirements for the transactions listed in section 1173(h)(1)(B) of the Act, and for later adopted versions of standards and operating rules, in subsequent rulemaking.

Table 1—Standards and Operating Rules to Which the First Certification of Compliance Applies Back to Top
Transactions Standards Operating rules
Eligibility for a Health Plan (request and response)—Dental, Professional, and Institutional ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Eligibility Benefit Inquiry and Response (270/271), April 2008, ASC X12N/005010X279 The following CAQH CORE Phase I and Phase II operating rules, excluding where such rules reference and/or pertain to acknowledgements and CORE certification): (1) Phase I CORE 152: Eligibility and Benefit Real Time Companion Guide Rule, version 1.1.0, March 2011, and CORE v5010 Master Companion Guide Template. (2) Phase I CORE 153: Eligibility and Benefits Connectivity Rule, version 1.1.0, March 2011. (3) Phase I CORE 154: Eligibility and Benefits 270/271 Data Content Rule, version 1.1.0, March 2011. (4) Phase I CORE 155: Eligibility and Benefits Batch Response Time Rule, version 1.1.0, March 2011.
(5) Phase I CORE 156: Eligibility and Benefits Real Time Response Rule, version 1.1.0, March 2011.
(6) Phase I CORE 157: Eligibility and Benefits System Availability Rule, version 1.1.0, March 2011.
(7) Phase II CORE 258: Eligibility and Benefits 270/271 Normalizing Patient Last Name Rule, version 2.1.0, March 2011.
(8) Phase II CORE 259: Eligibility and Benefits 270/271 AAA Error Code Reporting Rule, version 2.1.0.
(9) Phase II CORE 260: Eligibility & Benefits Data Content (270/271) Rule, version 2.1.0, March 2011.
(10) Phase II CORE 270: Connectivity Rule, version 2.2.0, March 2011.
Eligibility for a Health Plan—Retail Pharmacy Drugs Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0), August 2007, and equivalent Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), National Council for Prescription Drug Programs
Health Care Claim Status ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health claim status Request and Response (276/277), August 2006, ASC X12N/005010X212, and Errata to Health claim status Request and Response (276/277), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, April 2008, ASC X12N/005010X212E1 The following CAQH CORE Phase II operating rules (updated for Version 5010), excluding where such rules reference and/or pertain to acknowledgements and CORE certification: (1) Phase II CORE 250: Claim Status Rule, version 2.1.0, March 2011, and CORE v5010 Master Companion Guide, 00510, 1.2, March 2011. (2) Phase II CORE 270: Connectivity Rule, version 2.2.0, March 2011.
Health Care Electronic Funds Transfers (EFT) and Remittance Advice ERA: ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim Payment/Advice (835), April 2006, ASC X12N/005010X221 The following CAQH CORE Phase III EFT & ERA Operating Rule Set, approved June 2012: (1) Phase III CORE 380 EFT Enrollment Data Rule, version 3.0.0, June 2012. (2) Phase III CORE 382 ERA Enrollment Data Rule, version 3.0.0, June 2012. (3) Phase III 360 CORE Uniform Use of CARCs and RARCs (835) Rule, version 3.0.0, June 2012. (4) CORE-required Code Combinations for CORE-defined Business Scenarios for the Phase III CORE 360 Uniform Use of Claim Adjustment Reason Codes and Remittance Advice Remark Codes (835) Rule, version 3.0.0, June 2012. (5) Phase III CORE 370 EFT & ERA Reassociation (CCD+/835) Rule, version 3.0.0, June 2012. (6) Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012, except Requirement 4.2 titled “Health Care Claim Payment/Advice Batch Acknowledgement Requirements“. (7) ACME Health Plan, CORE v5010 Master Companion Guide Template, 005010, 1.2, March 2011 (incorporated by reference in § 162.920), as required by the Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012.
Stage 1 Payment Initiation: The National Automated Clearing House Association (NACHA) Corporate Credit or Deposit Entry with Addenda Record (CCD+) implementation specifications as contained in the 2011 NACHA Operating Rules & Guidelines: NACHA Operating Rules, Appendix One: ACH File Exchange Specifications; and NACHA Operating Rules, Appendix Three: ACH Record Format Specifications, Subpart 3.1.8 Sequence of Records for CCD Entries  
Data content in CCD Addenda Record: Accredited Standards Committee (ASC) X12 Standards for Electronic Data Interchange Technical Report Type 3, “Health Care Claim Payment/Advice (835), April 2006: Section 2.4: 835 Segment Detail: “TRN Reassociation Trace Number,” Washington Publishing Company, 005010X221  

Section 1173(h)(2) of the Act provides that a health plan will not be considered to have met section 1173(h)(1) of the Act certification requirements unless it provides the Secretary adequate documentation of compliance that—

  • Demonstrates to the Secretary that it conducts the electronic transactions specified in section 1173(h)(1) of the Act in a manner that fully complies with the regulations of the Secretary; and
  • Shows that it has completed end-to-end testing for such transactions with its partners, such as hospitals and physicians.

Section 1173(h)(3) of the Act extends the certification and submission requirements to entities that have service contracts with health plans, though the compliance onus remains on the health plan. In addition, the Secretary is authorized by section 1173(h)(4) of the Act to designate independent, outside entities to certify that health plans have complied with the certification requirements, so long as the certification standards used by these entities are in accordance with the standards and operating rules adopted by the Secretary.

6. Penalty Fees

Section 1173(j) of the Act specifies penalties for health plans that fail to meet section 1173(h) certification and documentation of compliance requirements. Sections 1173(j)(1)(B) through (F) of the Act specify the amount of, and process for assessing, penalty fees against health plans. Section 1173(j)(1)(B) of the Act requires the Secretary to assess a $1 per covered life per day penalty fee, assessed per person covered by the plan for which its data systems for major medical policies are not in compliance for each day the plan is not in compliance, against a health plan until certification is complete. Section 1173(j)(1)(C) of the Act requires the Secretary to double the amount of the penalty fees assessed against a health plan that knowingly provides inaccurate or incomplete information in certifying compliance. Section 1173(j)(1)(F) of the Act directs the Secretary to determine the number of covered lives underlying the calculation of the penalty fee amount based upon a health plan's most recent statements and filings submitted to the Securities and Exchange Commission.

Section 1173(j)(1)(D) of the Act directs that the penalty fees be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the Secretary. Finally, section 1173(j)(1)(E) of the Act caps the penalties that may be annually imposed on a health plan to $20 per covered life under such plan, or, in the event of misrepresentation under section 1173(j)(1)(C) of the Act, $40 per covered life.

7. Notice, Dispute, and Penalty Process

Sections 1173(j)(2) through (4) of the Act outline how the penalty fees are to be assessed and collected. Section 1173(j)(2) of the Act requires the Secretary to establish a process to assess penalty fees that provides a health plan with reasonable notice and a dispute resolution procedure prior to the Secretary of the Treasury sending a notice of assessment to a health plan.

Section 1173(j)(3) of the Act directs the Secretary, by May 1, 2014, and annually thereafter, to provide the Secretary of the Treasury with a report of health plans that have been assessed penalty fees. Section 1173(j)(4) of the Act directs the Secretary of the Treasury to collect the penalty fees, and by August 1, 2014 and annually thereafter, provide each plan assessed a penalty fee a notice of the amount and due date of the fee. Section 1173(j)(4)(C) of the Act directs health plans assessed penalty fees to make payment to the Secretary of the Treasury by November 1, 2014, and annually thereafter. Section 1173(j)(4)(D) of the Act provides that interest, at a rate as determined pursuant to the underpayment rate established under section 6621 of the Internal Revenue Code of 1986, accrues on any penalty fee not paid by the due date, and that any unpaid penalty fees are to be treated as a past due, legally enforceable debt owed to a federal agency for purposes of section 6402(d) of the Internal Revenue Code of 1986. Finally, section 1173(j)(4)(E) of the Act states that any fee charged or allocated for collection activities conducted by the Department of the Treasury's Financial Management System will be passed on to the health plan on a pro-rated basis and added to the penalty fee collected.

8. Audits

Section 1173(h)(6) of the Act states that the Secretary shall conduct periodic audits to ensure that health plans, including entities that have service contracts with health plans, are in compliance with the adopted standards and operating rules, as referenced in Table 1. The process and scope of these audits are not addressed in this proposed rule.

C. Certification of Compliance and Strategy for a Consistent Testing Processes

Beyond the first certification of compliance, section 1173(h)(5) of the Act requires health plan certification for new and revised standards and operating rules adopted by the Secretary. We intend for future rulemakings in which we adopt new or modified standards and operating rules to also include certification of compliance processes for those new or modified standards and operating rules. We believe the benefit of including the certification of compliance requirements in those rulemakings is that it will move covered entities toward a consistent, industry-wide testing framework that, we believe, will support a more seamless transition to new and modified standards and operating rules.

In recent years, the health care industry has experienced challenges in implementing the HIPAA Administrative Simplification requirements, such as Version 5010, ICD-10, and the operating rules for the eligibility for a health plan and health care claim status transaction, by the regulatory compliance dates. We have responded to industry's needs for additional time by delaying implementation or relaxing enforcement periods for the requirements, but such practices can be expensive to industry.

While many factors may cause a covered entity to have difficulty implementing a new Administrative Simplification requirement, many in industry attribute some implementation issues to the lack of a consistent testing process or framework. [13] The health care industry reports that testing is critical to ensure the integrity of internal application systems and confirm a system's capability to conduct compliant transactions. [14] The NCVHS stated that a uniform testing process that included full end-to-end testing well before the compliance dates for Version 5010 would have identified issues that could have been mitigated in advance of the compliance date. [15]

Ideally, certification of compliance, as mandated by section 1173(h) of the Act, should support a standardized process for demonstrating compliance. Such a standardized process for demonstrating compliance should require a health plan to undergo testing within a consistent, industry-wide framework that results in the ability to generate specific documents that demonstrate compliance. We believe such a process would solve some of the significant implementation issues the industry has experienced. The certification of compliance provisions we propose in this rule are the first step toward a standardized testing framework to support a more seamless transition to new and revised standards or operating rules.

II. Provisions of the Proposed Rule Back to Top

A. Submission Requirements

Section 1173(h) of the Act requires health plans to provide the Secretary, in such form as the Secretary may require, adequate documentation of compliance with the standards and operating rules. In accordance with section 1173(h) of the Act, we propose the information and documentation that controlling health plans (CHPs) would be required to submit to the Secretary for the first certification of compliance in the new regulation § 162.926.

In the HPID final rule, we created two categories of health plans [16] for purposes of specifying enumeration requirements for the health plan identifier (HPID): CHPs and subhealth plans (SHPs). In this proposed rule, we propose that CHPs, on behalf of themselves and their SHPs, if any, be responsible for submitting the information and documentation for the first certification of compliance under § 162.926.

Under proposed § 162.926, a CHP would be required to submit the following information and documentation, in one submission, to the Secretary:

  • Its number of covered lives on the date it submits the documentation.
  • Documentation that demonstrates it has obtained either a CAQH CORE—

++ Certification Seal for Phase III CAQH CORE EFT & ERA Operating Rules (hereinafter referred to as a Phase III CORE Seal); or

++ HIPAA Credential for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice operating rules (hereinafter referred to as the HIPAA Credential).

Collectively, these constitute the submissions, and we refer to the requirements to submit them to the Secretary as the “submission requirements.” The submission requirements, as proposed in this rule, are a “snap shot” of a CHP's compliance with the standards and operating rules. Such information and documentation does not reflect continuing compliance, nor do we do intend the information or documentation to be updated or resubmitted on a regular basis.

We are not, at this time, proposing the specific format for the submission requirements. We will likely require a CHP to submit its number of covered lives through an online form. We may require an electronic version or copy of a Phase III CORE Seal or the HIPAA Credential to be submitted online, or we may ask for a tracking number that links to CAQH CORE records of such. Information about the mechanics for meeting the submission requirements for the first certification of compliance will be forthcoming at or near the time the final rule is published.

1. Responsibilities of a CHP

As previously noted, in § 162.926 we propose that a CHP be responsible for submitting the following on behalf of itself and, if it has any, its SHP(s):

  • The number of covered lives of a CHP: The number of “covered lives of a CHP,” as the term is proposed to be defined in § 162.103, would include the number of covered lives, if any, of a CHP's SHPs. (We discuss the definition of “covered lives of a CHP” in more detail in section II.B.1 of this proposed rule.) The CHP would be responsible for submitting its total number of covered lives as of the date it meets the submission requirements of § 162.926(a)(1) or (b)(1).
  • Documentation that demonstrates the CHP has obtained either a Phase III CORE Seal or the HIPAA Credential.

In order to obtain the documentation for this submission requirement, a CHP, also representing all of its SHPs, would have to meet the CORE requirements necessary to obtain either a Phase III CORE Seal or the HIPAA Credential. We discuss this documentation requirement in more detail in section II.A.3 of this proposed rule.

We believe the proposal that the CHP be responsible for meeting the submission requirements for itself and its SHPs is consistent with the framework of the HPID final rule. A CHP is defined at § 162.103 as exercising sufficient control over its SHPs to direct its/their business activities, actions, or policies. We believe a CHP has sufficient control over its SHPs to require that it be responsible for the § 162.926 requirements for itself and its SHPs. As described in section II.B.1 of this proposed rule, the CHP would also be responsible for the penalty fees that may be assessed if it fails to meet the first certification of compliance's submission requirements as proposed in § 162.926.

We note that a CHP's proposed obligations under § 162.926 would not necessarily extend to other Administrative Simplification compliance or enforcement activities. Nothing in the provisions of this proposed rule would alter the requirement that all health plans must meet Administrative Simplification requirements per § 160.102. As health plans, SHPs are covered entities and independently responsible for ensuring they are compliant with the standards and operating rules, but, for purposes of this rule, we propose that the responsibility to meet the first certification of compliance submission requirements lies with the CHP.

We emphasize that state and federal government entities that meet the definition of a CHP must meet the requirements of this proposed rule and may be assessed penalty fees as described in the statute and in this rule; section 1173(h) of the Act provides no exemptions for state or federal government health plans.

2. Proposed Submission Requirements: Number of Covered Lives of a CHP

Section 1173(j)(1) of the Act requires the Secretary to assess a penalty fee against a health plan that fails to meet the certification of compliance requirements of section 1173(h). Section 1173(j)(1) of the Act specifies the penalty fee amount, which is based on the covered lives of a health plan. Because we need to know the number of covered lives of a CHP (including the number of covered lives of its SHPs, if it has any) should circumstances require us to calculate penalty fees, we propose in § 162.926(a)(1) and (b)(1) to require CHPs to submit to the Secretary the number of covered lives of a CHP.

We propose that the number of covered lives of a CHP submitted pursuant to § 162.926(a)(1) and (b)(1) would be the number of covered lives as of the date the CHP submits the documentation proposed in § 162.926(a)(2) and (b)(2) to the Secretary. For example, if a CHP submits the documentation required by the first certification of compliance on January 1, 2015, then its submission would reflect its number of covered lives as of that date. In § 162.926 (and discussed in section II.A.7 of this proposed rule), we propose that a CHP would have up to 12 months prior to the certification of compliance deadlines to satisfy the submission requirements. The definition of the “covered lives of a CHP” is best explained in the context of the penalty fees, which we do in section II.B.1 of this proposed rule where we describe the calculation of penalty fees.

3. Proposed Submission Requirements: HIPAA Credential or Phase III CORE Seal

We propose to require CHPs to choose among two options, the HIPAA Credential or a Phase III CORE Seal, as described in this section, to demonstrate compliance for the first certification of compliance.

There are any number of reasons why a CHP may elect to obtain one of these options over the other. A CHP will find that one or the other better aligns with the implementation process it uses to implement new operating rules.

a. Process and Requirements for Obtaining HIPAA Credential

We are proposing in § 162.926(a)(2) and (b)(2) that a CHP has the option of selecting the HIPAA Credential as one of two alternatives for meeting the first certification of compliance submission requirements. The HIPAA Credential is administered by CAQH CORE and demonstrates that a CHP has attested to compliance with HIPAA standards and operating rules for the eligibility for a health plan, health care claim status, and electronic funds transfers (EFT) and remittance advice transactions, and that the CHP has conducted a certain level of testing. CAQH CORE is currently developing the HIPAA Credential—which we expect to be finalized prior to the time we finalize this rule—and we describe here the expected process and requirements for obtaining it. Just as CAQH CORE provides explicit details about the CORE Seals on its Web site, we expect it will do the same for the HIPAA Credential. Should the final HIPAA Credential differ in any material way from the way we describe it herein, we would reopen the comment period for this topic to allow for further comment.

The scope of the HIPAA Credential would only encompass the HIPAA-mandated standards and operating rules. For example, we have not adopted HIPAA standards and operating rules for acknowledgements, therefore the HIPAA Credential would not require attestation or compliance with respect to standards and operating rules regarding acknowledgements.

To obtain the HIPAA Credential, a CHP would have to submit to CAQH CORE—

  • The CAQH CORE HIPAA Attestation Form (similar to the form required for the CORE Certification process, [17] discussed in section II.A.3(b) of this proposed rule);
  • An application form (similar to the form required to obtain a CORE Seal) with signature verifying that all forms have been submitted to CAQH CORE and indicating that HHS may view the application and associated forms if such a request is made to CAQH CORE; and
  • An attestation form, with features or requirements that would include the following:

++ Attestation, in which the CHP confirms that it has successfully tested the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions with trading partners. For each of the three transactions, the CHP must confirm that the number of transactions conducted with those trading partners collectively accounts for at least 30 percent of the total number of transactions conducted with providers. For each of the three transactions, the CHP must confirm that it has successfully tested with at least three trading partners, but if the number of transactions conducted with three trading partners does not account for at least 30 percent of the total number of transactions conducted with providers, the CHP could confirm that it has successfully tested with up to 25 trading partners. The CHP would have to list those trading partners.

We do not define “successfully tested” in this proposed rule, or prescribe any specific kind or level of testing for the HIPAA Credential.

++ When a CHP attests that it has successfully tested with trading partners that, collectively, conduct at least 30 percent of the total number of transactions conducted with providers, it is representing itself and its SHPs. When calculating 30 percent of the transactions conducted with providers, the total of the CHP's and SHPs' transactions would be used.

++ The CHP would have to provide contact information, including, but not limited to, name, phone number, and email address, for each of the listed trading partners.

++ Trading partners may be transaction-specific. For example, a CHP may list the same or different trading partners for each of the three transactions, so a CHP may list three or more trading partners.

++ Trading partner testing would only be required for current HIPAA-mandated operating rules and standards, so trading partner testing would not be required for the use of acknowledgments, or optional aspects of standards.

In reviewing CHPs' HIPAA Credential application packages, CAQH CORE will likely identify applications containing obvious errors, and not award the HIPAA Credential based on such information. CAQH CORE will also identify when required information, such as trading partner contact information, is missing in the HIPAA Credential application package.

While CAQH CORE will likely identify obvious errors or missing information in the HIPAA Credential application package, CAQH CORE will not be responsible for addressing intent on the part of the CHP with regard to such errors or missing information. That is, CAQH CORE will not investigate what a CHP knew or didn't know when it submitted an inaccurate HIPAA Credential application package to CAQH CORE. Similarly, CAQH CORE will not address any claims that may be submitted to CAQH CORE about a CHP's intent behind any inaccuracies or incomplete information in a HIPAA Credential application; for example, CAQH CORE will not address claims that a CHP knowingly provided inaccurate or incomplete information in its HIPAA Credential application.

Other aspects of the HIPAA Credential include:

  • Unlike the CORE Seals, it would only be offered to health plans.
  • The HIPAA Credential would not have a requirement for certification testing, as is required for a Phase III CORE Seal. The HIPAA Credential would not have a requirement to test with a third-party testing vendor.
  • The HIPAA Credential requires external testing; however, it does not require a specific approach to external testing, and, thus, does not directly support a consistent, industry-wide testing framework to the extent that a Phase III CORE Seal does. Thus, we view the HIPAA Credential as an initial step toward a consistent testing framework for CHPs that decide not to undergo the certification testing for a CORE Phase III Seal.

b. Process and Requirements for Obtaining a CORE Seal

The three current CAQH CORE Operating Rule sets are referred to as phases: Phase I is the operating rule set for the eligibility for a health plan transaction; Phase II includes operating rules for both the eligibility for a health plan and the health care claim status transaction; and Phase III is the operating rule set for the health care electronic funds transfers (EFT) and remittance advice transaction. The Secretary has adopted the sets as the operating rules for the respective transactions, with the exceptions we describe in section I.B.2 of this proposed rule.

CAQH CORE has developed separate certification testing requirements for each of the three phases of operating rules. Any health care entity that conducts the applicable electronic health care transactions may voluntarily undergo certification testing with an independent CORE-authorized testing vendor and a certification process through CORE to demonstrate compliance with the three phases. An entity that successfully completes the testing and submits the appropriate documentation to CAQH CORE is awarded a CORE Seal for the specific phase for which it tested. In order to be awarded a CORE Seal for all three phases, a CHP would be required to conduct certification testing for compliance with the requirements in Phases I, II, and III, which may be done chronologically or concurrently.

We are proposing a Phase III CORE Seal as one of two options a CHP may choose to meet the submission requirements of the first certification of compliance. The preparation required to apply for, and the documentation required in order to be awarded, a CORE Seal for each phase reflects the kind of consistent internal and external testing and documentation of compliance that we believe will ameliorate many of the challenges industry has recently faced during transitioning to new standards and operating rules.

Because we propose that CHPs may choose to obtain a CORE Seal to satisfy the requirements of proposed § 162.926(a)(2) or (b)(2), we describe the steps involved for entities to obtain a CORE Seal: [18] (1) Conduct a gap analysis by evaluating, planning, and completing necessary system upgrades; (2) sign and submit the CAQH CORE Pledge to make a commitment to become a CORE-certified entity within 180 days; (3) conduct testing through a CORE-authorized testing vendor; and (4) apply for a Phase III CORE Seal by submitting the proper documentation and fee to CAQH CORE for consideration. This four-step process is described in more detail as follows:

  • Step 1: Conduct A Gap Analysis

Entities that implement the CAQH CORE Operating Rules conduct a gap analysis in order to determine what system and business process changes may be necessary to ensure their data and information systems are remediated to address any gaps between existing system requirements and CORE Operating Rule requirements. (Certification testing is described later in this section.) Project managers, business analysts, system analysts, architects, and other key staff conduct the gap analyses, which include an inventory of the systems affected by the specific phase of operating rules and the drafting of a detailed project plan. CORE provides an analysis and planning guide as a gap analysis tool for each of its current phases. [19]

  • Step 2: Sign and Submit the CORE Pledge

An authorized, executive-level employee of the entity that is applying for any of the three CORE Seals signs a binding CORE Certification Pledge to adopt, implement, and comply with the CAQH CORE Operating Rules. By signing the pledge, an entity commits to working with a CORE-authorized Testing Vendor to demonstrate that its product(s) or IT system(s) is operating in accordance with a specific phase of the CORE Operating Rules. (We discuss CORE-authorized Testing Vendors in more depth in section II.A.2.d of this proposed rule.) Testing with a CORE-authorized Testing Vendor must be completed within 180 days of signing the pledge, [20] though extensions may be granted by signing and submitting a new pledge.

  • Step 3: Testing by a CORE-authorized Testing Vendor using CORE Certification Master Test Suites (Certification Testing)

CAQH CORE developed documents called CORE Certification Master Test Suites (Test Suites) for each of its three operating rule phases. The phase-specific Test Suites are operating rule and documentation requirements that an entity must meet to be awarded a CORE Seal for that phase.

Test Scripts—which include a description of operating rule-by-operating rule requirements, as well as specific documentation or information necessary to demonstrate compliance with each operating rule requirement—are the primary tools in each phase-specific Test Suite. Tables 2 and 3 illustrate two examples of Test Scripts for two different operating rule requirements. Table 2 illustrates a test script from Phase I CORE 152 Companion Guide Rule Certification Testing and Table 3 illustrates a test script from Phase I CORE 154 Eligibility and Benefits (270/271) Data Content Rule Certification Testing. As illustrated by Table 2 and Table 3, each Test Script includes the following five columns:

  • Column 1—The criteria or description of the requirements of the rule.
  • Column 2—The expected result of a test of compliance with the rule. Entities upload documents or submit transaction files to CORE-authorized Testing Vendors that demonstrate they have met the requirements of each Test Script.
  • Column 3—The actual result that the entity found upon testing the rule (that is, whether the expected outcome was achieved).
  • Column 4—Indicates whether the entity was able to produce the expected result in terms of pass or fail.
  • Column 5—Indicates which stakeholder would be required to produce the expected result.

For operating rules with requirements about data content, an entity would submit a transaction file to be tested in the CORE-authorized Testing Vendor's testing engine. Using the example of the Test Script illustrated in Table 3, an entity would be required to submit a transaction file, detailed in column 2, and receive a “pass” from the CORE-authorized Testing Vendor in column 4 indicating the file met the requirement.

In other cases, an entity would submit other types of documents that demonstrate the expected result of the Test Script. Using the example of the Test Script illustrated in Table 2, an entity would be required to submit an electronic version of the table of contents of its ASC X12 v5010 270/271 companion document, including an example of the ASC X12 v5010 270/271 content requirements,” to the CORE-authorized Testing Vendor in order for the vendor to give a “pass” to that test.

The process of submitting documents or uploading files to CORE-authorized Testing Vendors is virtual, and an entity may access the CORE-authorized Testing Vendor's testing portal from a desktop computer.

The certification testing, described here as a key step in obtaining a CORE Seal, would be conducted after an entity has conducted internal and external testing of the operating rules. CORE's standardized certification testing demonstrates that a consistent and standard IT system testing has been completed. Therefore, certification testing, such as that which is described here, reflects our intent of supporting an industry-wide consistent trading partner testing process or framework.

Table 2—Illustration A: Sample Test Scripts From Phase I Core Certification Test Suite Sample Test Script for Phase I Core 152 Companion Guide Rule Certification Testing Back to Top
Criteria Expected result Actual result Pass/fail Stakeholder
Provider Health plan Clearing house N/A
Companion Document conforms to the flow and format of the CORE master Companion Document Template Submission of the Table of Contents of the v5010 270/271 companion document, including a example of the v5010 270/271 content requirements □ Pass □ Fail
Table 3—Illustration B: Sample Test Scripts From Phase I Core Certification Test Suite A Test Script From Phase I Core 154 Eligibility and Benefits (270/271) Data Content Rule Certification Testing Back to Top
Criteria Expected result Actual result Pass/Fail Stakeholder
Provider Health plan Clearing house N/A
Create a valid v5010 271 response transaction as defined in the CORE rule indicating the patient financial responsibility for each of the benefits covering the individual (Key Rule Requirement #6 through #18) Output a valid fully enveloped v5010 271 eligibility response transaction set with the correct co-insurance, co-payment, and deductible patient financial responsibilities for both in/out of network in either EB08-954 or EB07-782 at either the subscriber loop 2110C or dependent loop 2100D levels □ Pass □ Fail
  • Step 4: Apply for a CORE Seal

Once an entity successfully completes the certification testing with a CORE-authorized Testing Vendor, it submits an application package to CAQH CORE, and the CAQH CORE staff then reviews the application package prior to granting the appropriate CORE Seal. The application package includes the following:

++ Documentation from a CORE-authorized Testing Vendor demonstrating the entity's compliance with the phase-specific CAQH CORE Operating Rules through successful certification testing.

++ The CAQH CORE HIPAA Attestation Form, signed by a senior-level executive, indicating that, to the best of the applicant's knowledge, the entity is HIPAA compliant for security, privacy, and the transaction standards. This form is addressed in more detail in section II.A.3(c) of this proposed rule.

++ The CAQH CORE Health Plan IT Exemption Form, if applicable. This form and its relationship with the submission requirements of the first certification of compliance is discussed in section II.A.3(e) of this proposed rule.

++ The CAQH CORE Application. This form collects contact information for the individual responsible for the organization's CORE-certification process. The form also outlines the required materials for a complete CORE Certification Application, the process by which CAQH CORE will review and approve applications, and terms and conditions for CORE Certification.

++ A fee, as illustrated in Table 4.

Upon receipt of this documentation, CAQH CORE will complete a final assessment within 30 business days unless there are extenuating circumstances. CAQH CORE reviews test results and maintains records for each entity that is awarded a CORE Seal.

A health plan must be awarded a CORE Seal in a previous phase to be eligible for a subsequent phase's Seal. [21] For example, a health plan must be awarded a CORE Seal for Phase I and II Operating Rules in order to be eligible for a CORE Seal for Phase III Operating Rules. CAQH CORE provides the option of applying for and conducting certification testing for all three phases concurrently. In the context of the requirements for the first certification of compliance, this means that a CHP that chooses the option to submit a CORE Seal for Phase III Operating Rules will need to obtain CORE Seals for Phases I and II first, or concurrently.

We believe that the CORE Seal, obtained through the CORE certification process, is a reasonable and appropriate demonstration of compliance with the operating rules because—

  • CAQH CORE develops its CORE Seal certification process through a multi-stakeholder approach. CAQH CORE is an industry-wide collaboration committed to the development and adoption of national operating rules for administrative transactions. The more than 140 CORE Participants represent all key stakeholders including providers, health plans, vendors, clearinghouses, government agencies, Medicaid, banks and standard development organizations. CAQH CORE draws on this representation to develop the requirements for CORE Certification (Test Suites and Test Scripts) through a transparent, consensus-based process. To our knowledge, no other entity currently has an equivalent multi-stakeholder process for developing certification testing for operating rules;
  • Through the CORE-authorized Testing Vendor framework, CAQH CORE has created a marketplace for multiple commercial testing vendors to compete, while requiring CORE-authorized Testing Vendors to utilize standardized Test Scripts and specific submission requirements in testing entities. In its role as the “certifier,” in contrast to a “tester,” CAQH CORE maintains a third party position, independent from both the entity seeking the CORE Seal and the testing vendors with commercial interests. This allows CAQH CORE to carry out the certifying process—and enforcement, appeals and exception policies and processes—in a neutral, transparent manner;
  • CORE Certification is recognized as an Administrative Simplification tool for health plans and states. Currently, over 30 health plans have been awarded or have pledged to seek CORE Seals for Phases I, II, or III, or have pledged to seek the CORE Seal. [22] CORE Certification is also a crucial element in state-based health care reform initiatives in Oregon [23] and Colorado. Colorado, for example, requires that, “[w]hen installing new operating systems after December 31, 2012, all carriers are required to use CORE-certified systems for communications, those systems which meet CORE certification standards, or contract with a vendor who has applied by January 1, 2013 to beCORE-certified.” [24] The Colorado regulation also states that “Phase I CORE certification shall be accepted as evidence of compliance” with the CORE operating rules that the regulation also adopted; [25] and
  • CAQH CORE's Certification Infrastructure. CAQH CORE's infrastructure includes: robust on-line and live support for entities during the certification process; a complaint-driven enforcement mechanism that identifies instances of non-compliance; an exemption policy and process; a re-certification process; and an appeals process allowing an entity to request a hearing if it disagrees with CAQH CORE's decision of non-compliance.

We request comments on a Phase III CORE Seal as an option for CHPS to meet the documentation requirements for the first certification of compliance.

c. CAQH CORE HIPAA Attestation Forms as Documentation of Compliance With the HIPAA Standards

In order to obtain a CORE Seal for each of the operating rule phases, an entity must sign the CAQH CORE HIPAA Attestation Form by which it attests to compliance with applicable HIPAA transaction provisions, and the HIPAA privacy and security provisions, of 45 CFR Parts 160, 162, and 164. We anticipate that CAQH CORE's HIPAA Credential application process will similarly require such an attestation for the HIPAA Credential, and we find such an attestation to be an essential document of compliance for purposes of the first certification of compliance. We note that, attesting to compliance with the HIPAA privacy and security provisions or obtaining a CORE Seal (or the HIPAA Credential) does not prevent or preclude the Office for Civil Rights from conducting HIPAA Privacy or Security Rules investigations, compliance reviews or audits; settling cases; making findings of non-compliance; or imposing civil money penalties for HIPAA violations.

The proposed submission requirements of § 162.926(a)(2) and (b)(2) demonstrate a CHP is compliant with applicable standards and operating rules. We considered proposing a framework by which CHPs would demonstrate compliance with applicable standards styled similarly to the proposed framework for demonstrating compliance with operating rules. That is, we considered requiring a CHP to obtain documentation from a third-party demonstrating it has conducted external testing with the standards adopted for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions. At this time, however, we believe CAQH CORE's HIPAA Attestation Form satisfies the section 1173(h)(2) mandate that health plans submit adequate documentation of compliance with the applicable standards for purposes of the first certification of compliance. We chose this approach because we—

  • Believe that requiring just the CAQH CORE HIPAA Attestation Form minimizes CHPs' burdens in complying with the first certification submission requirements, while not altering or undermining the statutory requirements or our objectives in ensuring compliance; and
  • Are not aware of existing programs that demonstrate consistent testing for compliance with the standards that parallel the proposed process for certifying health plans for compliance with the operating rules. There may be commercial entities that “certify” entities as being compliant with the standards, but we do not know of any that have developed a standards certification process, certification testing, or certification infrastructure with significant participation from industry.

We also recognize that, while the HIPAA Credential option relies on entities having successfully conducted testing with trading partners, it does not directly support a consistent, industry-wide testing framework of new standards and operating rules. We view the first certification of compliance submission requirements as an initial step in that direction. We solicit comments on our assumptions and proposed approach.

d. CAQH CORE Documentation and Policies

We are proposing that CHPs may choose between two CAQH CORE documents—a Phase III CORE Seal or the HIPAA Credential—to demonstrate compliance for the first certification of compliance. We believe either of these documents through CAQH CORE is a reasonable approach because CAQH CORE—

  • Is recognized as a technical expert in the implementation of operating rules and supports the standards for those transactions to which the operating rules apply, adopted by the Secretary (after a vetting process discussed in section I.B.2 of this proposed rule). CAQH CORE is the authoring entity of the operating rules and is, therefore, well-versed in the operating rules and their interpretation and implementation, and how they coordinate with the adopted standards;
  • Has infrastructure to reach out to, and educate, CHPs that will be required by this proposed rule to obtain either a Phase III CORE Seal or HIPAA Credential; and
  • Has the ability to convene workgroups with significant and diverse health care industry participation to continually inform, and, where appropriate, improve processes associated with the CORE Seal and HIPAA Credential products.

We solicit comments on our proposal to limit CHPs' options to documents obtained through processes governed by CAQH CORE.

e. CAQH CORE's Exemption and Enforcement Policies as Applied to the Proposed Submission Requirements

(1) CAQH CORE Certification Exemption Policies

Under proposed § 162.926(a)(2) and (b)(2), we specify that a CHP may not be under the CORE IT Exemption Policy at the time of submission with regard to the CORE Phase I, II, or III CORE Seals that the CHP uses to meet the submission requirements. [26]

CAQH CORE's Certification Exemption Policy enables a health plan, in certain situations, to be awarded a CORE Seal for a particular phase even if all of its IT systems do not pass the Test Scripts for that phase. So long as the remainder of a health plan's IT systems are compliant, CAQH CORE may grant a health plan a Health Plan IT System Exemption if it has a scheduled migration, within the upcoming 12 months, of an existing, non-conforming IT system(s). [27] Subsequent to the migration(s), CAQH CORE requires the health plan to submit documentation demonstrating the new IT system(s) complies with the operating rules, standards, and other items required by CORE Certification. [28]

Although a health plan may obtain a CORE Seal under such a CAQH CORE exemption, we make clear in § 162.926(a)(2) and (b)(2) that, on the date a CHP submits documentation to meet the submission requirements of the first certification of compliance, it may not be under such an exemption with respect to the CORE Phase I, II, or III Seals. To be clear, a CHP may receive a CORE Seal under CAQH CORE's Health Plan IT System Exemption policy. However, a CHP that receives a CORE Seal under CAQH CORE's Health Plan IT System Exemption must no longer be exempted on the date it provides its submissions to the Secretary in order to meet the first certification of compliance requirements.

CAQH CORE's Health Plan IT System Exemption Policy does not apply to the HIPAA Credential, so a health plan's systems must be fully compliant with the applicable operating rules to obtain the HIPAA Credential.

(2) CORE Enforcement Policy

CAQH CORE's Enforcement Policy [29] is a complaint driven process that, under the guidance of the CORE Enforcement Committee comprised of CAQH CORE participants, reviews complaints for completeness and timeliness, and verifies or dismisses complaints.

CAQH CORE's Enforcement Policy applies to its CORE Seal product (not the HIPAA Credential), and thus would apply to CHPs that elect to obtain a Phase III CORE Seal to fulfill the submission requirements proposed in this rule.

(3) A CHP Is Decertified by CORE

CAQH CORE's policies specify a number of circumstances by which an entity may be “decertified,” could “lose” its CORE Seal, or have its certification “terminated” because of instances of noncompliance with the operating rules for which it is certified. One such policy with this possible consequence is the CAQH CORE IT Exemption Policy, described in section II.A.3 (e) of this proposed rule, whereby a health plan that has obtained a CORE Seal under the policy may be decertified if its new IT system fails to pass the applicable Test Scripts within a prescribed timeframe. [30] Similarly, CAQH CORE's Enforcement Policy specifies that an entity with a CORE Seal may be decertified if it is found to be out of compliance with an operating rule(s) or standard if the violation is not remedied within the allowed grace period. [31]

As discussed previously, on the date a CHP submits its documentation, none of the CHP's CORE Seals may be terminated or the CHP decertified by CAQH CORE.

In keeping with the “snap shot” approach described in section II.A. of this proposed rule, we will not track the status of a CHP's CORE Certification (that is, whether it has been terminated or has come under the CAQH CORE IT Exemption Policy) subsequent to the date it meets the proposed submission requirements. [32]

(4) CHP's Responsibilities With Respect to Entities Conducting Transactions on Its Behalf

Section 1173(h)(3) of the Act requires a health plan to “ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance) under this subsection.” Because section 1173(h) of the Act is concerned with certification of compliance with the HIPAA standards and operating rules, we believe “services pursuant to contract” means services provided by business associates (BAs), as that term is defined at § 160.103, that are contracted to conduct all or part of a HIPAA transaction on behalf of a health plan.

Although we considered requiring CHPs to require their BAs to comply directly with the requirements of § 162.926, we are not pursuing that option. Rather, when a CHP submits documentation in accordance with the submission requirements of § 162.926, we believe that, by virtue of meeting the requirements of § 162.923(c) (which requires covered entities that use BAs to conduct transactions on their behalf to require those BAs to comply with the requirements of part 162), it will be certifying that its, and its SHP(s)', BAs that conduct all or part of a HIPAA transactions on its/their behalf are compliant with the HIPAA standards and operating rules. We do not believe section 1173(h)(3) of the Act places any new requirements or burdens on health plans with regard to their BAs that are not already accounted for in § 162.923(c).

Under CAQH CORE policy, to obtain a CORE Seal, a health plan must demonstrate that entities or vendor products that conduct all or part of a transaction related to a CAQH CORE are compliant with the operating rules. [33] This CAQH CORE policy on non-health plan entities that conduct all or part of a transaction related to a CAQH CORE phase on behalf of a health plan aligns with our approach to BAs that conduct part or all of a transaction on behalf of a CHP or its SHPs. Likewise, as we have described here, if a BA that is not a health plan conducts all or part of a transaction on behalf of the CHP or its SHP(s), then the CHP is responsible for ensuring the entity conducts any HIPAA standard transactions in accord with any applicable HIPAA transactions standards and operating rules.

As noted previously, CAQH CORE requires that any health plan wishing to obtain a CORE Seal that is dependent on a BA—for the health plan to meet one or more of the CORE operating rule requirements—must have that BA achieve CORE certification. Similarly, if the health plan is dependent on a software vendor to meet one or more of the CORE rule requirements, then the vendor's product name and vendor must be CORE-certified.

(5) Documentation Demonstrating End-to-End Testing

Section 1173(h)(2)(B) of the Act states that a health plan shall not be considered to have provided adequate documentation of compliance unless it “provides documentation showing that [it] has completed end-to-end testing for such transactions with [its] partners, such as hospitals and physicians.”

Even outside the context of health plan certification, the meaning of the phrase “end-to-end testing”—as well as the types of testing necessary for successful transitions to new or revised standards, code sets, or operating rules—is presently the subject of active discussion in the health care industry. HHS, through the Office of E-Health Standards and Services (OESS), is conducting a pilot that seeks to develop a process and methodology for testing the transaction standards, operating rules, code sets, identifiers, and other Administrative Simplification requirements based on industry feedback and participation. One of the goals of that effort is to establish a definition for end-to-end testing in this context that can be applied industry-wide.

Although we know of no standard definition for end-to-end testing at this time, we believe the concept of end-to-end testing likely requires, at a minimum, external testing with trading partners. We emphasize that in order to obtain either a Phase III CORE Seal or the HIPAA Credential, some external testing is required. Note that certification testing, as is required to obtain a CORE Seal, is not the same as internal or external testing. However, certification testing includes submitting documentation that demonstrates certain levels of internal and external testing have taken place. By contrast, the HIPAA Credential directly requires external testing with trading partners. Thus, we believe CHPs that meet the submission requirements proposed in this rule meet the section 1173(h)(2)(B) of the Act's requirement.

(6) Other Considerations About CORE Certification

(a) Cost of CORE Seal and CORE HIPAA Credential

CAQH CORE charges entities a fee, on a sliding scale according to net annual revenue, for administering and awarding CORE Seals. Table 4 illustrates the current fees that CAQH CORE charges a health plan. Table 4 reflects the total costs for a CHP to obtain three CORE Seals, one for each CAQH CORE Operating Rule phase. [34] The fees to obtain the CORE Seals do not include the cost for certification testing with a CORE-authorized testing vendor. [35]

Table 4 also illustrates the approximate fees that we expect CAQH CORE will charge CHPs for the HIPAA Credential it is currently developing.

CAQH CORE does not charge federal and state government entities for the CORE Seals, but we expect federal or state government entities will be charged $100 to obtain the HIPAA Credential.

TABLE 4—CAQH Core Fees for Core Seal and HIPAA Credential Back to Top
Size of health plan Fee for HIPAA credential Fee for CAQH Phase III CORE Seal including Phase I and II Seals
Federal and State government health plans $100 No charge.
CAQH Member Plans No charge No charge.
Below $5 million in net annual revenue $100 $12,000 ($4,000 per phase).
$5 million to below $25 million net annual revenue $1,000  
$25 million to below $50 million net annual revenue $2,000  
$50 million to below $75 million net annual revenue $4,000  
$75 million and above net annual revenue $18,000 ($6,000 per phase).

(b) Treatment of Acknowledgements

We have previously stated in both the Operating Rules IFC and the EFT & ERA Operating Rules IFC that we do not require covered entities to comply with any CAQH CORE Operating Rule requirements pertaining to acknowledgments in Phases I, II, and III (§ 162.1203, § 162.1403, and § 162.1603). However, each of CORE's three phase-specific Test Suites require that applicants demonstrate compliance with acknowledgments-related operating rules. CHPs that seek to obtain a Phase III CORE Seal will be bound by CAQH CORE's requirements; in other words, the fact that HHS does not require compliance with acknowledgments-related operating rules does not relieve the burden of CHPs seeking a CORE seal to abide by CAQH CORE's requirements.

By contrast, the requirements underlying CAQH CORE's HIPAA Credential will only apply to the operating rules adopted by the Secretary, so CHPs will not have to comply with the acknowledgements operating rules to obtain the HIPAA Credential.

(7) Compliance Timelines for CHPs To Meet Submission Requirements for the First Certification of Compliance

(a) CHPs That Obtain an HPID Before January 1, 2015

(i) Submit Documentation by December 31, 2015

In § 162.926(a), we propose that a CHP that obtains an HPID before January 1, 2015, would be required to meet the submission requirements (proposed in section II.A of this proposed rule) for the first certification of compliance on or before December 31, 2015. See Table 5, Row 1. Per the requirements of § 162.504, all CHPs (except those that are small health plans) must obtain HPIDs on or before November 5, 2014. CHPS that are small health plans must obtain HPIDs on or before November 5, 2015. Based on our analysis, we think very few health plans meet the definition of a small health plan, [36] so we anticipate most CHPs will have obtained HPIDs on or before November 5, 2014.

We propose a different date (December 31, 2015) than that in section 1173(h)(1) of the Act (December 31, 2013) for most CHPs to meet the first certification of compliance requirements because we believe, for the following reasons, CHPs will likely need until the end of 2015 to meet the requirements for the first certification of compliance:

  • In section II.A.3(b) of this proposed rule, we discuss the steps a CHP would have to take in order to obtain a CORE Phase III Seal, should it elect to pursue that option. We believe the deadlines proposed in this rule offer CHPs adequate time to complete the gap analysis (planning and evaluation, design and development, and internal and external testing) and subsequent certification testing with a CORE-authorized testing vendor necessary to obtain CORE Seals for Phase I, II, and III Operating Rules. CAQH CORE suggests it will take 20 to 60 days of staff time to conduct certification testing with a CORE-authorized testing vendor and complete and submit one CORE Seal Application packet. [37] A CHP may also choose to simultaneously pursue CORE Seals for all three phases. Therefore, for CHPs that do not now have, but choose to obtain, a Phase III CORE Seal, it could take up to 180 days to obtain Seals for all three operating rules phases, not including any time that CORE requires to review applications.
  • In section II.A.3(a) of this proposed rule, we discuss the broad requirements of the HIPAA Credential. Like a Phase III CORE Seal, it will take some time to meet the requirements for the HIPAA Credential, though many CHPs may have already met the testing requirements.
  • In section II.A.1 of this proposed rule, we propose that a CHP, in meeting the submission requirements for the first certification of compliance requirements, will demonstrate not only that it is compliant with operating rules and standards, but that its SHP(s), if it has any, are compliant. This task will also take time.
  • October 1, 2014 is the compliance date for the International Classification of Diseases, 10th Edition (ICD-10) Medical Data Code Sets. Facilitating the health care industry's smooth transition to ICD-10 is of paramount importance, and health plans need to prepare and fully test their systems to ensure a smooth and coordinated transition. We expect health plans to be dedicating significant resources towards the ICD-10 transition prior to, and for a time after, the compliance date, which transition may require participation from the same human and IT resources as will be necessary to meet the first certification of compliance submission requirements. We believe the proposed December 31, 2015 deadline for completing the first certification of compliance requirements would allow sufficient time for health plans to deploy resources to make both initiatives successful.

Furthermore, the December 31, 2015 date aligns with the requirement for a CHP to obtain an HPID, as all CHPs must obtain an HPID on or before November 5, 2015. Moreover, by virtue of this alignment of dates, we will have a database of all CHPs that will be required to meet the submission requirements proposed in this rule on or before December 31, 2015, and thus should be able to identify any CHPs that do not meet the submission requirements proposed in this rule.

As noted in section I.C of this proposed rule, our goal with the first certification of compliance is to help move the health care industry incrementally toward consistent testing processes in order to transition as seamlessly as possible to new standards or operating rules. We believe a certification of compliance process that penalizes more CHPs than it incentivizes to carry out testing would not accomplish this goal and, for the reasons previously articulated, we believe it would be unreasonable to require CHPs to abide by the statutory date of December 31, 2013. To be clear, however, this does not mean CHPs may delay compliance with the operating rules beyond their respective compliance dates. All covered entities were required to be compliant with the operating rules for the eligibility for a health plan and health care claim status transactions on January 1, 2013, [38] and must be compliant with the EFT & ERA Operating Rule Set adopted for health care electronic funds transfers (EFT) and remittance advice transactions on January 1, 2014. Those compliance requirements and dates continue to govern HHS's separate HIPAA enforcement processes.

(2) Date When CHPs Can Begin Submitting Information and Documentation

We propose that a CHP that obtains an HPID before January 1, 2015 may begin to meet the submission requirements of proposed § 162.926(a) on January 1, 2015; this is the “start date” by when we will be ready to accept the submission of documents. This does not mean a CHP must obtain a CORE Phase III Seal or HIPAA Credential during the period of January 1, 2015 through December 31, 2015, as the CHP could be awarded either one earlier. For example, a CHP that has been awarded a CORE Phase III Seal prior to January 1, 2015, would already have the documentation required under this proposed rule, which it would then submit on or after January 1, 2015, and on or before December 31, 2015.

(b) CHPs That Obtain an HPID On or After January 1, 2015 and On or Before December 31, 2016

We propose in § 162.926(b) that a CHP that obtains an HPID on or after January 1, 2015, and on or before December 31, 2016 would be required to meet the submission requirements for the first certification of compliance within 365 calendar days of obtaining an HPID (see Table 5, Row 2).

Under § 162.504, any large or small health plans now extant that meet the definition of a CHP must obtain an HPID on or before November 5, 2015, thus any health plans enumerated as CHPs after November 5, 2015 are likely new CHPs. We propose that such CHPs be allowed one year from the time they obtain an HPID to submit the documentation proposed in § 162.926(b). CHPs that obtain HPIDs on or after January 1, 2015 and on or before December 31, 2016 will have to: Coordinate with their SHP(s), if applicable; gather the appropriate documentation to complete certification testing, and apply for a Phase III CORE Seal or HIPAA Credential; and meet the documentation submission requirements for the first certification of compliance. We believe one year from obtaining an HPID will be adequate for a new CHP to complete that process, but solicit comments on this assumption.

We propose that a CHP that obtains an HPID after December 31, 2016 would not be required to meet the requirements proposed in this rule for the first certification of compliance (see Table 5, Row 3). A CHP that obtains an HPID after December 31, 2016, if given the same time to meet the requirements as CHPs that obtain HPIDs on or before December 31, 2016, would be meeting the requirements into 2018. There are too many unknowns that far into the future for us to establish requirements for this category of CHPs. For instance, we may have adopted new or modified versions of the standards and operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions. We may address requirements for a CHP that obtains an HPID after December 31, 2016 for the first certification of compliance in a later rule.

We solicit industry and stakeholder comments on our proposed certification of compliance dates.

Table 5—Comparison of Operating Rule Sets Compliance Dates, the Statutory Deadlines for Completing the First Certification of Compliance Requirements, and the Proposed Deadlines for Completing the First Certification of Compliance Requirements Back to Top
Operating rule sets Col 1 Col 2 Col 3
Compliance date for health plans to comply with the operating rules Deadline for health plans to meet first certification of compliance requirements as mandated by section 1173(h)(1) of the Act Deadlines for health plans*to meet first certification of compliance requirements as proposed in this rule
* Requirements for CHPs that obtain their HPID after December 31, 2016 are not addressed in this proposed rule.
Eligibility for a health plan Health care claim status January 1, 2013 December 31, 2013 December 31, 2015 for CHPs that obtain an HPID before January 1, 2015. Within 365 calendar days of obtaining an HPID for CHPs that obtain their HPID on or after January 1, 2015 and on or before December 31, 2016.
Health care electronic funds transfers (EFT) and remittance advice January 1, 2014    

B. Certification of Compliance Penalty Fees

1. Calculating Penalty Fees: Defining Covered Lives of a CHP and Major Medical Policies

Section 1173(j)(1) of the Act specifies that the penalty fee amount assessed when a health plan does not meet the certification of compliance requirements is based on its number of covered lives. So that we may calculate the potential penalty fee amount should we find a violation(s) of the first certification of compliance, we must know the number of covered lives of a CHP.

Section 1173(j)(1)(F) of the Act requires the Secretary to determine the number of covered lives under a health plan “based upon the most recent statements and filings that have been submitted by such plan to the Securities and Exchange Commission” (SEC). We have learned, however, that the SEC only collects data from publicly traded health plans (that represent a mere subset of the total number of health plans), [39] and, even then, health plans submitting filings to the SEC are not required to include in such filings the number of “covered lives” or any comparable measure. Some health plans may volunteer this information in a descriptive text section of a filing called the 10-K, used to describe the business and its attributes, but this is not a requirement of the 10-K. [40] In fact, according to a 2007 study on enrollment in U.S. health insurance products, “[t]here is no national databank containing enrollment figures for all the public and private health insurers in the United States, nor is there a single database linking all the federal programs.” [41]

Therefore, we propose to use the number of covered lives the CHP reports in accordance with the proposed submission requirements under § 160.926(a)(1) and (b)(1) as the primary source for the number of covered lives to calculate penalty fees. Should a CHP fail to include the number of covered lives as part of its § 162.926 submission, or should we have reason to question the CHP's number of self-reported covered lives, we may undertake an independent investigation through means that may include, but would not be limited to: Analyzing recent filings, if any, submitted by the CHP to the SEC; and researching data bases or publicly available documents such as news articles, reports, advertisements, brochures, and Web pages where the number of covered lives of a CHP is referenced or estimated.

In § 162.103, we propose to define “covered lives of a CHP” as individuals covered by or enrolled in major medical policies of a CHP and the SHP(s) of that CHP. Individuals may be described in such major medical policies by terms, including, but not limited to the following:—

  • Individuals.
  • Spouses.
  • Dependents.
  • Employees.
  • Subscribers.
  • Policyholders.
  • Medicaid recipients.
  • Medicare beneficiaries.
  • Tricare beneficiaries.
  • Veterans.
  • Survivors.

In section II.B.1 of this proposed rule, we discuss in more detail how the definition of covered lives of a CHP would be used to calculate penalty fees. We include spouses, partners, and dependents in the proposed definition to make clear that covered lives of a CHP includes more than just the policyholder, and encompasses all individuals covered by major medical policies, and also include in the definition examples of terms that government payers may use to describe their covered lives.

Within the definition, we clarify that covered lives includes only those individuals enrolled in major medical policies. Section 1173(j)(1)(B) of the Act states that penalty fees may only be assessed for persons “covered by the plan for which its data systems for major medical policies are not in compliance.” We only include individuals enrolled in major medical policies in the definition since individuals that are not covered by such policies will not be included in the calculation of the penalty fee. In cases in which an individual is covered by both a major medical policy and another policy/(ies) that does not meet the definition of major medical policy, the definition contemplates that such individual would be considered a covered life of a CHP.

In § 160.604, we propose that, for purposes of this proposed rule, “major medical policy” be defined as “an insurance policy that covers accident and sickness and provides outpatient, hospital, medical, and surgical expense coverage.” We developed this definition by surveying how the term major medical policy is defined in various contexts.

To be clear, we propose in § 162.926 that all CHPs, irrespective of whether they issue major medical policies, must meet the first certification submission requirements. However, only CHPs with major medical policies may be assessed penalty fees. Moreover, should a CHP be assessed a penalty fee, the basis for the assessment calculation would be using only those covered lives that are covered or enrolled in a major medical policy.

We indicate in the definition that covered lives of a CHP includes the covered lives of the CHP, and, if it has any, its SHP(s). We include the covered lives of any SHP(s) of the CHP because, under the provisions discussed in section II.A.1 of this proposed rule, the submission requirements and applicable penalty fees are the CHP's, not its SHP's, responsibility.

We intend to only include those individuals who are enrolled in or covered by health insurance in the definition of covered lives of a CHP, as opposed to those individuals who are merely eligible, but not enrolled or covered.

We propose to use the phrase “covered by or enrolled in” to indicate a distinction that is sometimes made—but that we are not making here—between voluntary enrollment or automatic coverage in a health plan. That is, irrespective of the actions of an individual, we would consider an individual who has major medical coverage under a health plan to be a covered life of a CHP. For example, we would consider an individual who is automatically enrolled in Medicare Part A upon turning 65 years old to be a covered life of Medicare.

We solicit comments on the proposed definition of covered lives of a CHP and the definition of major medical policy.

2. Basis for the Assessment of a Penalty Fee and the Amount of the Penalty Fee

Section 1173(j)(1)(B) of the Act requires the Secretary to assess a penalty fee against a health plan in the amount of $1 per covered life per day until certification is complete. Section 1173(j)(1)(C) of the Act requires the Secretary to double the amount of the penalty fee assessed against a health plan that knowingly provided inaccurate or incomplete information in certifying compliance. Section 1173(j)(1)(E) of the Act caps the penalties that may be imposed on a health plan, providing that a penalty fee against a health plan shall not exceed, on an annual basis, an amount equal to $20 per covered life under such plan, or an amount equal to $40 per covered life where misrepresentation has occurred under section 1173(j)(1)(C) of the Act.

In § 160.612, we propose the bases for assessing penalty fees and, in § 160.614, we propose the amounts of penalty fees that would be assessed. We think the bases for penalty fees that we propose in § 160.612 and the amount of the penalty fee proposed in § 160.614 are sufficiently intertwined so that it is more effective to describe the proposed provisions together.

a. Failure To Submit Required Documentation by the Deadlines

In § 160.612(a), we propose that the Secretary would assess a penalty fee against a CHP that fails to comply with the submission requirements specified in § 162.926(a)(2) or (b)(2). This means the Secretary would assess a penalty fee when a CHP fails to provide the documentation that demonstrates the CHP has been awarded a Phase III CORE Seal or the HIPAA Credential.

The basis for the penalty fee proposed in § 160.612(a) would apply when a CHP does not provide the required documentation at all, or does so after the deadlines specified in § 162.926(a)(2) or (b)(2). A CHP that does not provide the required documentation by the deadlines would be assessed $1 per covered life of the CHP per day until the requirements of § 162.926 have been met, and as limited by the cap described by proposed § 160.614(a)(1). For example, if a CHP with 100 covered lives enrolled in major medical policies obtains an HPID before January 1, 2015 and then submits the required documentation in § 162.926 on January 1, 2016—1 day past December 31, 2015 (the deadline that would be required under § 162.926(a))—the CHP would be assessed a penalty fee of $1 per covered life of the CHP, for a penalty fee totaling $100.

In § 160.614(a), we propose that a CHP that is assessed a penalty fee under § 160.612(a)—failure to provide the required documentation according to the deadlines in § 162.926(a)(2) or (b)(2)—may not be assessed a penalty fee that exceeds $20 per covered life of the CHP. For example, a CHP that obtains an HPID before January 1, 2015 that fails to make the required submissions on or before December 31, 2015 would, starting January 1, 2016, be assessed a $1 per covered life penalty fee that, per section 1173(j)(1)(E)(i) of the Act as implemented by proposed § 160.614(a)(1), would reach its maximum, and be capped, on January 21, 2016 at $20 per covered life of the CHP. The same maximum penalty cap would apply in instances where a CHP fails to ever provide the required documentation.

We will utilize all reasonable means to ensure that CHPs satisfy their obligations under this proposed rule. Because all CHPs are required to obtain an HPID, we will, for example, once this proposed rule is finalized and implemented, compare a roster of the CHPs that have satisfied the requirements of the rule with a roster of CHPs that have obtained HPIDs. Moreover, we note that section 1173(j)(3) of the Act requires us to report unpaid penalty fees to the Secretary of the Treasury and that unpaid penalty fees, per section 1173(j)(4)(D) of the Act, shall be increased by the interest accrued.

We solicit comments on our proposal for assessing penalty fees for CHPs.

b. Knowingly Providing Inaccurate or Incomplete Information

The penalty fee for knowingly providing inaccurate or incomplete information that we propose in § 160.612(b) implements section 1173(j)(1)(C) of the Act, which provides that a “health plan that knowingly provides inaccurate or incomplete information in a statement of certification or documentation of compliance . . . shall be subject to a penalty fee that is double the amount that would otherwise be imposed.”

In § 160.612(b), we propose that a basis for assessment of a penalty fee is providing inaccurate or incomplete information with actual knowledge of the inaccuracy or the incompleteness of the information, or acting in deliberate ignorance or reckless disregard of the accuracy or completeness of the information. We clarify in § 160.612(b) that information may be in the form of statements, in documents, or otherwise. Hereinafter, we refer to the basis for assessment of a penalty fee proposed in § 160.612(b) as “knowingly providing inaccurate or incomplete information.”

In § 160.614(a)(2), we propose that a CHP would be assessed a penalty fee of $40 per covered life of the CHP when assessed a penalty fee on the basis of § 160.612(b). To be clear, we do not believe a “per day” calculation (as described in section II.b.2.a) would apply to a situation in which a CHP has knowingly provided inaccurate or incomplete information. Because the first certification of compliance is a “snap shot” of compliance on the date a CHP makes its § 162.926 submission, the CHP either knowingly provided inaccurate or incomplete information on that day or it did not. A CHP does not knowingly provide inaccurate or incomplete information on the date submitted, and, on the next, or succeeding, day(s), discontinue the state of “knowingly providing inaccurate or incomplete information or documentation.” Hence, we would apply only the maximum penalty fee in such a situation.

We interpret the statutory language as intending a cap of $40, thus, in § 160.614(b), we propose that a CHP may not be assessed more than $40 per covered life of the CHP, even where a CHP meets the bases for penalty fees under both § 160.614(a)(1) and (2). For instance, a CHP may provide the required documentation to the Secretary past the applicable deadline, and, later, also be found to have knowingly provided inaccurate or incomplete information; such a CHP would be assessed a penalty fee of $40 per covered life. Following are two examples (not meant to be inclusive of all possible scenarios) where we would determine a CHP to have knowingly provided inaccurate or incomplete information as described in § 160.612(b):

  • To obtain a CORE Seal, a CHP would submit documentation to a CORE-authorized testing vendor during certification testing, and to CAQH CORE in applying for the Seal. We would have a basis for assessing a penalty fee under § 160.612(b) should a CHP knowingly provide inaccurate information in the documentation it submits to the testing vendor or to CAQH CORE as part of the certification process, that, in turn, would then be submitted as part of the § 162.926 submission requirements.
  • To obtain the HIPAA Credential, a CHP must attest that it has successfully completed testing with at least three of its trading partners. We would have a basis for assessing a penalty fee under § 160.612(b) should a CHP be found to have knowingly provided inaccurate information with respect to the minimum required number of trading partners that would then be submitted as part of the § 162.926 submission requirements. We solicit comment on our proposed penalty fee policy for a CHP that knowingly provides inaccurate or incomplete documentation or information.

3. Annual Fee Increase

Section 1173(j)(1)(D) of the Act provides for an annual increase in penalty fees by the annual percentage increase in total national health care expenditures. We are not proposing an annual increase methodology at this time because the first certification of compliance framework we propose here would assess only a one-time penalty fee, not a penalty fee that would be assessed year after year. We may revisit this issue in future rulemaking.

4. Notice of Penalty Fee, CHP's Response to Notice of Penalty Fee, and Defenses

In § 160.616, we propose that the Secretary would provide a CHP notice (sent by certified mail with a return receipt requested) that it meets one or more bases to be assessed a penalty fee under proposed § 160.612. Such a notice would specify:

  • The penalty fee amount;
  • Reference to the bases, under proposed § 160.612, for the penalty fee;
  • A description of the findings of fact regarding the violations upon which the penalty fee is based; and
  • The reason(s) why the violation(s) subject the CHP to a penalty fee.

We believe these notice elements would enable a CHP to understand why it met the criteria to potentially be assessed a penalty fee, and the amount proposed to be assessed.

In § 160.618, we propose that a CHP may submit evidence of any of the defenses described in § 160.620 in response to the notice of penalty fee. Under proposed § 160.618(b), a CHP must assert any such defense(s) in writing, and within 30 days of receipt of the notice of penalty fee. We propose in § 162.620 that the Secretary will consider only the following defenses:

  • The CHP is not subject to the requirements of § 162.926. For a number of reasons, the documentation or deadline requirements of the first certification of compliance may not apply to a particular CHP. For instance, a CHP may not offer any major medical policies, and, therefore, may not be assessed a penalty fee.
  • The CHP's failure to meet the requirements of § 162.926 was attributable to a ministerial and non-substantive error. We propose to apply this defense narrowly; such a ministerial and non-substantive error might include a typographical mistake made in the process of providing the required documentation to the Secretary.

The failure to meet the requirements of § 162.926 was beyond the control of the CHP. As with the previous defense, we propose to apply this defense narrowly. A failure to meet the documentation or deadline requirements of § 162.926 beyond the control of the CHP conceivably might include an “act of god” (and not an act of the CHP or SHP's own making) that made it impossible for the CHP to meet the requirements. Given the length of time that we propose CHPs would have to meet the submission requirements, however, we believe successful application of this defense would be extraordinarily rare, and limited only to catastrophic situations.

By proposing to limit the scope of the defenses the Secretary will consider in § 160.620, we make clear that that Secretary will not consider any other asserted defense, including, but not limited to, any defense associated with a CHP's cost considerations in meeting the requirements, or lack of knowledge or confusion about either the requirements of the first certification of compliance or about the operating rules and standards themselves.

We propose to allow a CHP to respond to a notice of penalty fee as an opportunity to present the circumstances that prevented it from meeting the first certification of compliance requirements prior to a potential appeal to an administrative law judge (ALJ). This opportunity to present defenses is analogous to, but much narrower than, our complaint-driven process when a covered entity may resolve a complaint brought against it before CMPs are imposed in a notice of determination under § 160.420.

We solicit comments on the defenses the Secretary may consider.

5. Notice of Determination and a CHP's Hearing Rights

In § 160.624, we propose sending a notice of determination (by certified mail with return receipt requested) to a CHP indicating whether a penalty fee is, or is not, being assessed. A notice of determination will be sent irrespective of whether a CHP responds to the proposed § 160.616 notice of penalty fee, and irrespective of whether the Secretary determines to assess, or not to assess, a penalty fee.

Should a penalty fee will be assessed, § 160.624 proposes that the notice of determination would specify:

  • A description of the statutory basis for the assessment of the penalty fee;
  • The amount of the penalty fee;
  • The regulatory basis, under § 160.612, for the assessment of the penalty fee;
  • The findings of fact regarding the violations on which the assessment of the penalty fee is based;
  • Any defenses described in § 160.620 that were considered in determining whether to assess the penalty fee and the reason(s) why the defenses were rejected;
  • Instructions for appealing the penalty fee; and
  • A statement that the failure to request a hearing within 90 days results in the imposition of the penalty fee.

We believe the proposed contents of the notice of determination would be sufficient to enable a CHP to understand why it is being assessed a penalty fee, the amount of the penalty fee, and how the CHP could appeal the penalty fee. We solicit comment on the proposed contents of the notice of determination.

Should the Secretary determine not to assess a penalty fee, the notice of determination would indicate why any defense(s) raised under § 160.620 was/were successful, and what, if any, actions the CHP must take. Because the first certification of compliance process does not otherwise envision the application of a corrective action process, the only actions we contemplate would be associated with remedying the situations associated with the exercise of successful defenses asserted under proposed § 1620.620(b) or (c).

6. Administrative Appeals Process

In § 160.626, we propose that, upon receiving a notice of determination assessing a penalty fee described in § 160.624(a), a CHP may file a request for a hearing before an administrative law judge (ALJ). Should the CHP fail to request a hearing within 90 days of receiving the notice of determination (or otherwise affirmatively waive its right to a hearing within that 90 days), it would forego its right to a hearing and the Secretary would notify it that the penalty fee assessed in the notice of determination is final and inform it how the penalty fee must be paid.

If a CHP timely requests a hearing with an ALJ, the CHP would participate in a process that is already largely codified at § 160.500 through § 160.552. Administrative appeals before ALJs are widely used to adjudicate disputes between government agencies and individuals/entities aggrieved by agency decisions, and such a process is currently used for HIPAA Administrative Simplification violations. We believe that using the ALJs that already have jurisdiction over HIPAA Administrative Simplification violations handled under § 160.300, and using the same appeals process, would support consistency in adjudication of HIPAA Administrative Simplification appeals.

Section 160.500 is the Applicability provision for Subpart E—Procedures for Hearings, and provides, “[t]his subpart applies to hearings conducted relating to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5.” We propose to revise this provision by adding a reference to 42 U.S.C. 1320d-2(j), to indicate that Subpart E also applies to the assessment of a penalty fee under Subpart F.

The term “respondent” is defined in § 160.103 as “a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a civil money penalty.” In order to make clear that the term respondent, when used in Subpart E, includes entities that are assessed a penalty fee pursuant to Subpart F, we propose to revise the definition to state that respondent “means a covered entity or business associate upon which the Secretary has imposed or proposes to impose, a penalty fee under Subpart F or a civil money penalty.”

Section 160.506 specifies the rights of the parties. The ALJ authority is delineated in § 160.508. Sections 160.510 through 160.544 describe the ALJ hearing process. The right to appeal the ALJ decision to the Departmental Appeals Board is addressed in § 160.548. As noted, we propose applying most of § 160.500 through § 160.552, as already promulgated, as the procedure for CHPs to use in appealing a notice of determination. Because it is not always clear from those provisions that the process may apply to penalty fee assessments under Subpart F, in the following sections we propose to revise the regulation text to explicitly account for the specific health plan certification of compliance penalty fees and notice procedures: § 160.500, § 160.504, § 160.534, § 160.540, § 160.546, § 160.548, and § 160.550.

7. Other Issues

a. Relationship of Certification of Compliance Process to Complaint-Driven Process

In section I.B.3 of this proposed rule, we describe the current HIPAA complaint-driven enforcement procedure through which an entity may bring a complaint against any entity it believes is not in compliance with adopted HIPAA transaction standards, operating rules, or code sets. Such a complaint would generate a fact-finding and resolution process, which could result in a corrective action plan, the imposition of CMPs, or a hearing before an ALJ.

The complaint-driven and first certification of compliance enforcement processes are markedly different, even though both may result in a determination that may be appealed to an ALJ. The complaint-driven enforcement process is initiated as a result of a complaint, uses an informal fact-finding process, employs a corrective action plan if the complaint is valid, and imposes CMPs if the corrective action plan is not followed. Conversely, the first certification of compliance requires certain submissions by specific dates, and provides for an enforcement process with respect to a CHP that fails in various ways to abide by these requirements. Notably, the first certification of compliance, as proposed in this rule, does not employ a corrective action plan should a CHP fail to meet the certification of compliance requirements.

These two distinct enforcement processes assess CMPs (in the case of the complaint-driven process) or penalty fees (in the case of the first certification of compliance) for different reasons. The complaint-driven process addresses complaints regarding a covered entity's failure to comply with any Administrative Simplification requirement, with the exception of a failure to comply with the first certification requirements proposed in this rule (as we describe in this section). The first certification of compliance process assesses penalty fees for CHPs that fail to meet the submission requirements or that knowingly provide inaccurate or incomplete documentation associated with such submissions, as proposed in this rule.

Nothing in this proposed rule prohibits the Secretary from pursuing both processes at the same time against a CHP—through CMPs, in the case of the complaint-driven process for failure to comply with Administrative Simplification requirements, and through penalty fees for failure to meet the first certification of compliance requirements. Further, an investigation through the complaint-driven process could lead to the assessment of a penalty fee for a first certification of compliance violation if it revealed through that investigation that the CHP failed to meet the first certification of compliance requirements or knowingly provided inaccurate or incomplete information required for the first certification of compliance. For instance, if an investigation based on a complaint revealed that a CHP never submitted documentation or knowingly submitted inaccurate or incomplete documentation in order to be awarded a CORE Phase III Seal or HIPAA Credential under § 162.926, it is possible both CMPs and penalty fees may be imposed/assessed.

Section 160.300 is the Applicability provision under Subpart C—Compliance and Investigations—which is the complaint-driven enforcement process for Administrative Simplification violations. We propose to amend this section, that now states “[t]his subpart applies to actions by the Secretary, covered entities, business associates, and others with respect to ascertaining the compliance by covered entities and business associates with, and the enforcement of, the applicable provisions of this part 160 and parts 162 and 164 of this subchapter,” to clarify that the complaint-driven process does not apply to the requirements in § 162.926. That is, we propose that a complaint-may not be filed against a health plan alleging that it fails to meet the certification of compliance submission requirements in § 162.926.

III. Collection of Information Requirements Back to Top

Under the Paperwork Reduction Act of 1995 (PRA), we are required to provide 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(a) of the PRA requires that we solicit comment on the following issues:

  • The need for the information collection and its usefulness in carrying out the proper functions of our agency.
  • The accuracy of our estimate of the information collection burden.
  • The quality, utility, and clarity of the information to be collected.
  • Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

We are soliciting public comment on the information collection requirements (ICRs) regarding the first certification of compliance documentation requirements. Among other requirements, the Affordable Care Act requires health plans to file statements with the Secretary certifying that they are compliant with standards and operating rules for specific transactions. The Affordable Care Act also mandates that the Secretary assess a penalty fee against a health plan that fails to file a statement with the Secretary certifying that it is compliant and/or fails to submit adequate documentation of compliance.

In section II. of this proposed rule, we discuss the proposed requirements for the first certification of compliance. In section II.A.7 of this proposed rule, we discuss our proposal that a CHP must comply with the first certification of compliance requirements based on when it obtains its HPID. Submission requirements are explained in section II.A.2 and .3 of this proposed rule. We discuss the penalty fees that may be assessed on a CHP that does not meet the submission requirements or knowingly provides inaccurate or incomplete information in section II.B. of this proposed rule.

The provisions in this proposed rule align with existing statutory and regulatory mandates. In previous regulations, specified in section I.B.1 and 2 of this proposed rule, we have mandated compliance with the adopted standards and operating rules for the HIPAA transactions for which documentation of compliance is proposed in this rule. Other existing regulations that are complimented through this proposed rule include § 160.310 which requires covered entities to maintain records and compliance reports and provide these to the Secretary if requested, and § 162.923, that requires covered entities to require their BAs to comply with applicable HIPAA standards and operating rules.

In this proposed rule and in this ICR, we are focused on the one-time requirement that CHPs, as defined by § 162.103, must provide the Secretary the following information and documentation for the first certification of compliance: (1) the number of covered lives of a CHP; and (2) documentation that demonstrates that the CHP has obtained a Phase III CORE Seal or the HIPAA Credential.

We do not know at this time how many health plans would meet the definition of a CHP as defined in § 162.103. In the HPID final rule (77 FR 54696), we identified 12,000 self-insured group health plans, 1,827 health insurance issuers, and 60 government health plans that might meet the definition of health plan. We believe there will be considerably less than the approximately 15,000 health plans that would meet the definition of a CHP, but we will not know the actual number of CHPs until after the deadline for CHPs to obtain an HPID has passed; that is, November 5, 2015. While we do not have objective data that identifies which or how many health plans would be CHPs, for the purpose of the ICRs, we assume that 3,000 to 5,000 health plans may meet the definition of a CHP. Health plans have been increasingly consolidating into larger organizations whereby a single CHP exercises sufficient control over an increasing number of SHPs to direct their business activities, actions, or policies. Thus, we do not believe that more than one-third (5,000) of health plans meet the definition of a CHP and, in fact, believe the number may be significantly less. We solicit comments on our assumption of the number of CHPs.

A. ICRs Regarding Submission of the Number of Covered Lives (§ 162.926(a)(1) and (b)(1))

Proposed § 162.926(a)(2) would require that a CHP that obtains an HPID before January 1, 2015 must provide to the Secretary documents demonstrating compliance as explained in section II.A.3. of this proposed rule. Proposed § 162.926(b)(2) would require that a CHP that obtains an HPID on or after January 1, 2015 and on or before December 31, 2016, must, within 365 days of obtaining an HPID, provide to the Secretary documents demonstrating compliance as explained in section II.A.7. of this proposed rule. Proposed § 162.926(a)(1) and (b)(1) require a CHP to submit the number of covered lives of a CHP (as defined in § 162.103) on the date that the documentation required in § 162.926(a)(2) and (b)(2) is submitted. In section II.A.1. of this proposed rule, we indicate that the number of covered lives must include the number of covered lives of a CHP's SHPs, if it has any. We explain the submission requirements of covered lives in section II.A.2. of this proposed rule, including the reason for including the number of covered lives of the SHPs of the CHP.

The one-time burden associated with this requirement is the time and effort associated with the CHP to: (1) Obtain the number of covered lives of the CHP (including those of its SHPs); (2) calculate the total number of covered lives of the CHP and its SHPs that would meet the definition of major medical policy as defined in proposed § 160.604; (3) have the information reviewed by a CHP executive; and (4) submit the number of covered lives to the Secretary. We believe that a CHP would have accurate records of the number of covered lives of the CHP and each of its SHPs and would be able to access this easily. Therefore, we assume that the CHPs would not need to contact each SHP to obtain the required information. We also believe that CHPs would have easily accessible data on the total number of covered lives of the CHP and its SHPs that have major medical policies. We make these assumptions on the basis that a CHP's data on the number of covered lives and policies—used to determine, for example, risk, costs of care, human resource needs, and other factors—is essential information to have in order to for a CHP to conduct business.

We estimate this burden for proposed § 162.926(a)(1) and (b)(1) would be 2 hours for each CHP to obtain the number of covered lives for the CHP and each of its SHPs, 2 hours to calculate the total number of covered lives that have major medical policies, one hour for an executive to review the number of covered lives with major medical policies, and, 30 minutes to submit the number of covered lives of the CHP and its SHPs to HHS.

We used the median hourly labor rate of $38.31 for a computer information system analyst; $58.15 for a computer and information system manager; and $80.84 for a chief executive as reported by the Department of Labor, Bureau of Labor Statistics, May 2012, found at: http://www.bls.gov/oes/current/oes_nat.htm#13-0000. We believe that a computer analyst would be an appropriate position to obtain the number of covered lives and submit the number to the Secretary, a computer and systems manager to do the calculation, and a chief executive would verify the accuracy of the information to be submitted. All CHPs must comply with these requirements.

We estimate that proposed § 162.926(a)(1) and (b)(1) would impose a one-time, 5.5 hour burden on each CHP. The total burden associated with this task for each of the estimated 3,000 to 5,000 CHPs would be: (1) $76.62 ($38.31 × 2 hours) to obtain the number of covered lives; (2) $116.30 ($58.15 × 2 hours) to calculate the number of covered lives in major medical plans; (3) $80.84 ($80.84 × 1 hour) for an executive to review the number of covered lives; and (4) $19.16 ($38.31 × 0.5 hours) to submit the number of covered lives to the secretary. We estimate that the total cost for each CHP would be $292.92.

The estimated annual burden for this requirement would be 16,500 (3,000 CHPs × 5.5 hours) to 27,500 hours (5000 CHPs × 5.5 hours). The total estimated one-time cost associated with all of the requirements in proposed § 162.926(a)(1) and (b)(1) would be approximately $878,760 ($292.92 × 3000 CHPs) to $1,464,600 ($292.92 × 5000 CHPs).

B. ICRs Regarding Submission of a Phase III CORE Seal (§ 162.926(a)(2)(i) and (b)(2))

Section 162.926(a)(2)(i) and (b)(2) would require that a CHP provide documentation demonstrating it obtained a Phase III CORE Seal or the HIPAA Credential. Should a CHP choose to obtain a Phase III CORE Seal, proposed § 162.926(a)(2)(i) and (b)(2) would require that it provide documentation demonstrating it had obtained a Phase III CORE Seal. We explain in section II.A.3.(b). of this proposed rule that a CHP electing to obtain a Phase III CORE Seal must obtain the seal for each of the three CAQH CORE operating rules phases, or, in other words, a CHP must obtain a CORE Seal for Phases I and II to obtain a Phase III CORE Seal. However, as proposed in § 162.926(a)(2), we require only the submission of a Phase III CORE Seal to comply with the certification compliance documentation requirements. Consequently, for the ICR in this proposed rule, we considered the time and effort for submitting documentation that the CHP has obtained the Phase III CORE Seal and not the time and effort for a CHP to obtain the CORE Phase I and II Seals.

In sections II.A.3.(b). and II.A.3.(d). of this proposed rule, we discuss CORE certification testing, CORE-authorized Testing Vendors, and the CORE certification process. We describe the four-step process required to be awarded any of the CORE Seals: (1) Conduct a gap analysis by evaluating, planning, and completing necessary upgrades; (2) sign the CAQH CORE Pledge committing to become CORE certified; (3) conduct testing through a CORE-authorized Testing Vendor (certification testing); and (4) apply for a Phase III CORE Seal. In section II.A.3. of this proposed rule, we explain that the documentation that demonstrates that the CHP has obtained a Phase III CORE Seal is considered adequate documentation of compliance by the CHP and its SHPs with the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions.

For the purposes of the ICR, we do not include the time and effort for a CHP to obtain a CORE Phase III Seal because we believe that the process of obtaining a Phase III CORE Seal is inherent in the cost of doing business and we accounted for the time and effort as well as the cost for complying with the operating rules in previous rulemaking. As we indicated, we have mandated compliance with the adopted standards and operating rules for HIPAA transactions in previous regulations. The costs associated with compliance includes for example, analyzing existing data capability and infrastructure, development or enhancement of existing infrastructure, and testing of the CHPs systems both internally and externally. We believe that, because CHPs are expected to be compliant with the operating rules, they have undertaken the steps necessary to ensure that they are compliant and are able to perform transactions with their trading partners according to the adopted standards and operating rules. In this rule, we are proposing submission documentation requirements; therefore, in this analysis, we are only analyzing the cost of submitting this documentation.

We have proposed two options for documentation that demonstrates compliance with the operating rules and standards. We expect that the decision to obtain the CORE Phase I and II Seals and provide documentation of the CORE Phase III Seal would be a business decision based on a health plan's strategy for implementing new standards or operating rules. Therefore, because the time and effort for compliance with standards and operating rules have been addressed in previous rule making and, because a CHP determines if it wishes to obtain the CORE Phase I and II Seal and submit the Phase III CORE Seal to comply with the documentation requirements, we do not include any costs for the time and effort associated with infrastructure development or enhancement or testing of systems to ensure compliance. We also do not include the time and effort costs in the ICR to comply with any of CORE's specific requirements to obtain the CORE Seals. Finally, we do not account for the variability in time, readiness and success that may or may exist for a CHP to meet CORE's requirements for the CORE Seals. There may be CHPs that have undergone extensive testing and will be able to undergo the CORE process efficiently and in a relatively short time. Other CHPs may require assistance and guidance and a more extensive time period to meet CORE's requirements.

Included in the CORE fee paid by each CHP is assistance and guidance for CHPs. We account for the fee to CORE in the regulatory Impact Statement in this proposed rule. For the purposes of the ICR in this proposed rule, we considered the time and effort for a CHP to obtain documentation of the Phase III CORE Seal awarded by CORE, and the time and effort for the CHP to submit the documentation of that Seal to the Secretary. As we discussed previously, in this proposed rule, we only consider the time and effort to comply with the certification of compliance requirements described in this proposed rule.

At the current time, we do not know how many CHPs will elect to obtain a Phase III CORE Seal. According to CAQH CORE's Web site at http://www.caqh.org/CORE_organizations.php, 30 health plans have voluntarily obtained CORE Seals for Phases I and II, and it reports at http://www.caqh.org/ben_participating.php that 25 health plans and 16 government agencies are CORE participating organizations. Ten CORE participating health plans have obtained Phase I and Phase II CORE Seals. We assume that any health plan that has obtained the CORE Seal for Phases I and II will obtain a Phase III CORE Seal and therefore meet the requirements of § 162.926(a)(2)(i) or (b)(2). We also assume that there may be CORE participating health plans that will obtain a Phase III CORE Seal.

Because we are unable to quantify the number of CHPs that will obtain a Phase III CORE Seal, we are unable to estimate the total cost with any certainty. Therefore, for the purposes of the ICR, we estimate that 40 percent of health plans that would meet the definition of a CHP (that is, 1,200 to 2,000 CHPS) will obtain a Phase III CORE Seal and submit documentation of a Phase III CORE Seal to comply with § 162.926(a)(2) and (b)(2)(i). We solicit comment on our assumption of the number of CHPs that would obtain a Phase III CORE Seal.

The one-time burden associated with § 162.926(a)(2)(i) or (b)(2) is the time and effort for the estimated 1,200 to 2,000 CHPs to (1) obtain a Phase III CORE Seal from CAQH CORE; and (2) submit the documentation of a Phase III CORE Seal to the Secretary. We estimate this burden to be 1 hour to obtain the Phase III CORE Seal from CAQH CORE and 30 minutes to submit documentation of the CORE Seal to the Secretary. We used the median hourly labor rate of $38.31 for a computer information system analyst as reported by the Department of Labor, Bureau of Labor Statistics, May 2012, found at: http://www.bls.gov/oes/current/oes_nat.htm#13-0000 because we believe that a computer analyst would be required to obtain the Phase III CORE Seal and submit documentation to the Secretary.

We estimate that proposed § 162.926(a)(2)(i) and (b)(2) would impose an estimated one-time, one and one half hour burden on each CHP. The total estimated burden associated with this task for each CHP would be: (1) $38.31 ($38.31 × 1 hour) to obtain the Phase III CORE Seal from CAQH CORE; and (2) $19.16 ($38.31 × 0.50 hours) to submit documentation of the CORE Seal to the Secretary. The estimated one-time burden in proposed § 162.926(a)(2)(i) and (b)(2) would be 1,800 (1,200 CHPs × 1.5 hours) to 3,000 hours (2,000 CHPs × 1.5 hours). The total estimated one-time cost associated with the requirement § 162.926(a)(2)(i) and (b)(2) would be approximately $68,958 ($38.31 × 1,800 hours) to $114,930 ($38.31 × 3,000 hours).

C. ICRs Regarding Submission of the HIPAA Credential (§ 162.926(a)(2)(ii) and (b)(2))

In section II.A.3(a) of this proposed rule, we explain that the HIPAA Credential indicates that the CHP has confirmed that it has successfully tested the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions with trading partners. For each of the three transactions, the CHP must confirm that the number of transactions conducted with those trading partners collectively accounts for at least 30 percent of the total number of transactions conducted with providers. For each of the three transactions, the CHP must confirm that it has successfully tested with at least three trading partners, but if the number of transactions conducted with three trading partners does not account for at least 30 percent of the total number of transactions conducted with providers, the CHP could confirm that it has successfully tested with up to 25 trading partners. The CHP would be required to provide a list of the names of the trading partners and their contact information to CORE. A CHP would be representing itself as well as all of its SHPs with the attestation.

Should a CHP choose to obtain the HIPAA Credential, proposed § 162.926(a)(2)(ii) and (b)(2) would require the CHP to provide documentation that it has obtained the CORE HIPAA Credential. In section II.A.3 of this proposed rule, we explain that the documentation that demonstrates that the CHP has obtained the HIPAA Credential is considered adequate documentation of compliance by the CHP and its SHPs with the operating rules for the applicable transactions.

For the purpose of the ICR, we are not considering the time and effort for a CHP to perform testing with its trading partners because, as we have discussed previously, we addressed the time and effort to comply with the operating rules in previous rule making, which includes testing with the CHPs trading partners. The CORE HIPAA Credential will require testing before being obtained, and we assume that every health plan's implementation preparation plan requires internal and external testing prior to implementing new standards or operating rules.

However, in previous rule making, we did not account for the time and effort for a CHP to identify at least three trading partners with which it or its SHPs have successfully tested the operating rules for each of the three transactions (eligibility for a health plan, health care claim status, and electronic funds transfers (EFT) and remittance advice transactions).

The estimated one-time burden associated with § 162.926(a)(2)(ii) and (b)(2) for the HIPAA Credential is the time and effort to: (1) Confirm that testing has been conducted for each of the three transactions with trading partners that collectively conduct no less than 30 percent of the total number of transactions conducted with providers; (2) list the names of the trading partners and their contact information; (3) verify the accuracy of the trading partner list; (4) obtain the HIPAA Credential from CORE; and (5) submit documentation of the HIPAA Credential to the Secretary. The tasks associated with the application for and submission of the HIPAA Credential—and, therefore, the estimated burden to a CHP—may change if warranted by any changes in the draft requirements for the HIPAA Credential.

As mentioned, we are unable to determine how many CHPs will choose to obtain the HIPAA Credential to fulfill the requirements of § 162.926(a)(2)(ii) and (b)(2)(ii), but we believe that most CHPs will choose the least costly certification option. Because we are unable to quantify the number of health plans that will obtain the HIPAA Credential, we cannot estimate the total cost with any certainty. We estimate that 60 percent of CHPs (that is 1,800 to 3,000 CHPS) will obtain the HIPAA Credential and submit documentation of such the HIPAA Credential to comply with § 162.926(a)(2)(ii) and (b)(2). We solicit comment on our assumption of the number of CHPs likely to obtain the HIPAA Credential.

As mentioned, CAQH CORE is currently developing the HIPAA Credential—which we expect to be finalized prior to the time we finalize this proposed rule—and we described in section II.3.(a) the expected process and requirements for obtaining it. Should the requirements for the final HIPAA Credential differ in any way from the way we described it in section II.3.(a), we would reopen the comment period to permit additional comment on the HIPAA Credential, including on the topic of the estimated number of health plans that would obtain the HIPAA Credential.

We estimate that the burden associated with proposed § 162.926(a)(2)(ii) and (b)(2) for each of the estimated 1,800 to 3,000 CHPs would be 2 hours to obtain documentation of the three testing partners; one hour to prepare the trading partner list; one hour to verify accuracy of the list; one hour to obtain the HIPAA credential form CORE; and 30 minutes to submit the CORE HIPAA Credential to the secretary. We used the median salaries as reported by the Department of Labor, Bureau of Labor Statistics, May 2012, found at: http://www.bls.gov/oes/current/oes_nat.htm#13-0000. We used the median hourly labor rate of $38.31 for a computer information system analyst to prepare the trading partner list, obtain the HIPAA credential from CORE and submit the documentation; $58.15 for a computer and information system manager to confirm that testing has been conducted with trading partners that collectively conduct no less than 30 percent of the total transactions conducted with providers for each of the three transactions (eligibility of a health plan, health care claim status, and the electronic funds transfers (EFT) and remittance advice transactions); and $80.84 for an executive to verify the trading partner list.

We estimate that proposed § 162.926(a)(2)(ii) and (b)(2) will impose a one-time, 5.5 hours burden on each CHP. The total time and effort burden associated with this task for each CHP would be: (1) $116.30 ($58.15 × 2) to obtain the trading partner documentation; (2) $38.31 ($38.31 × 1) to compile the trading partner list; (3) $80.84 ($80.84 × 1) to verify the trading partner list; (4) $38.31 ($38.31 × 1) to obtain the HIPAA Credential from CORE; and (5) $19.16 ($38.31 × 0.5) to submit documentation of the HIPAA Credential to the Secretary. We estimate the total burden for each CHP would be $292.92.

The total estimated one-time burden associated with all of the requirements in proposed § 162.926(a)(2)(ii) and (b)(2) would be 9,900 (1,800 CHPs × 5.5 hours) to 16,500 hours (3,000 CHPs × 5.5 hours) and approximately $527,256 ($292.92 × 1,800 CHPs) to $878,760 ($292.92 × 3,000 CHPs).

Calculations are illustrated in Table 6. For simplicity, Table 6 demonstrates burdens and costs based on the high estimate of CHPs (5,000) that are expected to certify compliance.

Table 6—Estimated Annual Burden for Reporting, Recordkeeping and Third-Party Disclosure Requirements Back to Top
Regulation section OMB Control No. Respondents Responses Burden per response (hours) Annual burden (hours) Hourly labor cost of reporting ($) Total labor cost of reporting ($) Total costs ($)
* There are no capital or maintenance costs associated with the information collection requirements contained in this notice of proposed rulemaking. Therefore, we have removed the designated column from Table 6.
** Even though the information collection requirements are comprised of one-time burdens, all burden estimates have been annualized over the standard 3-year OMB approval period.
162.926(a)(1) and (b)(1) 0938—New 5,000 15,000 2.5 * 12,500 38.31 478,875 478,875
162.926(a)(1) and (b)(1) 0938—New 5,000 5,000 1 5,000 80.84 404,200 404,200
162.926(a)(1) and (b)(1) 0938—New 5,000 5,000 2 10,000 58.15 581,500 581,500
162.926(a)(2)(i) and (b)(2) 0938—New 2,000 5,000 1.5 ** 3,000 38.31 114,930 114,930
162.926(a)(2)(ii) and (b)(2) 0938—New 3,000 7,500 2.5 ** 7,500 38.31 287,325 287,325
162.926(a)(2)(ii) and (b)(2) 0938—New 3,000 3,000 1 3,000 80.84 242,520 242,520
162.926(a)(2)(ii) and (b)(2) 0938—New 3,000 3,000 2 6,000 58.15 348,900 348,900
Total 10,000 27,000 ** 37,500 2,458,250

IV. Regulatory Impact Statement Back to Top

We have examined the impact of this proposed rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 1980, 96), section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)).

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributives, and equity). A regulatory analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). We believe this proposed rule does not reach the economic threshold for being considered economically significant, and thus, is not considered a major rule. We solicit comment on, and data regarding, the assumptions and findings presented in this initial regulatory analysis.

The proposed rule would require a CHP to submit documentation to the Secretary that demonstrates compliance with the standards and operating rules adopted by the Secretary under HIPAA, establish the first certification of compliance process, and establish penalty fees for CHPs that fail to comply with the first certification of compliance requirements. This proposed rule would implement elements of the certification of compliance mandate in the Affordable Care Act. We expect that the first certification of compliance provision is an initial step toward a consistent, industry-wide testing framework.

As discussed in more detail earlier in this proposed rule, many of the requirements of this proposed rule build on already existing statutory and regulatory mandates. In the ICRs, we estimate a total one-time burden of approximately $1,475,000 to $2,458,000 for 3,000 to 5,000 CHPs to comply with the submission requirements of proposed § 162.926.

In sections II.A.3.(a) and A.3.(b). of this proposed rule, we discuss the two options for meeting the submission requirements: a Phase III CORE Seal and the HIPAA Credential, respectively. A CHP may choose either option. In section II.A.3.(a) and (b) of this proposed rule, we describe the process for obtaining either a Phase III CORE Seal or the HIPAA Credential.

We expect that certification testing, such as that required for CHPs obtaining the CORE Phase III Seal, would become more widespread as a result of this proposed rule, and thus the rule would generate costs associated with credentialing activities and greater compliance with operating rules (which requires updating infrastructure). We are unable to quantify either the current rate of non-compliance with HIPAA requirements, the number of CHPs that would become newly compliant as a result of this proposed rule, or the cost, per CHP becoming newly compliant, of infrastructure updates and requisite testing.

A category of impacts for which we have been able to make estimates is the CAQH CORE fees. [42] In section II.A.6.(a) of this proposed rule, we discuss the cost of a Phase III CORE Seal and HIPAA Credential based on current fees that CAQH CORE charges for a Phase III CORE Seal and the fees that CAQH CORE believes that it will charge for the HIPAA Credential. Federal and state government entities are currently not charged for a Phase III CORE Seal, nor are CAQH member plans. However, CAQH CORE will charge government entities a $100 fee for obtaining the HIPAA Credential.

We assumed the same number of CHPs that we use in the ICRs (that is 1,200 to 2,000 CHPs would obtain a Phase III CORE Seal and 1,800 to 3,000 CHPs would obtain the HIPAA Credential). For the purpose of this analysis, we considered the cost to obtain either the CORE Seals (Phase I, II, and III) or the HIPAA Credential for all of the estimated 3,000 to 5,000 CHPs and did not account for the CHPs that currently have obtained the CORE Seal for Phase I and II or CAQH member plans. That means we did not deduct the number of health plans with current Phase I and Phase II CORE Seals or CAQH member plans that are not assessed a fee by CAQH CORE to obtain a Phase III CORE Seal.

For the purpose of the impact analysis, we did not account for any penalty fees that could be assessed for CHPs that fail to comply with the certification of compliance submission requirements. We believe that we have structured the provisions of this proposed rule such that most CHPs will be able to meet the submission requirements. They will have had significant time to implement the applicable standards and operating rules, conduct the transactions in a compliant manner, and conduct certification testing or testing with their trading partners. Further, because the penalty fees are substantial, we believe they serve as a strong disincentive for noncompliance. We therefore believe few CHPs will fail to certify compliance, and the total amount of assessed penalty fees will be insignificant.

For the 1,200 to 3,000 CHPs we estimate would obtain a Phase III CORE Seal, we assumed that 50 percent would have net annual revenues less than $75 million with a CAQH CORE fee of $12,000 each ($4,000 for each of the three CAQH CORE Operating Rule Phases). We assumed that 50 percent of the CHPs would have net annual revenues equal or greater than $75 million with a CAQH CORE fee of $18,000 each ($6,000 for each of the three CAQH CORE Operating Rule Phases). We estimate that the total cost for all CHPs that would obtain a CORE Seal would be approximately $18 million [($12,000 × 600 CHPs) + ($18,000 × 600 CHPs)] to $30 million [($12,000 × 1000 CHPs) + ($18,000 × 1000 CHPs)].

For the 1,800 to 2,000 CHPs that we estimate would obtain a HIPAA Credential, we assumed that 5 percent would have net annual revenues less than $5 million with a CAQH CORE fee of $100 each; 20 percent would have net annual revenues of $5 million to below $25 million with a fee of $1,000 each; 20 percent would have net annual revenues $25 million to less than $50 million with a fee of $2,000 each; and 55 percent would have net annual revenues of greater than $50 million with a fee of $4,000 each. The estimated total cost for all CHPs that would obtain the HIPAA Credential is approximately $5,049,000 [($100 × 90 CHPs) + ($1,000 × 360 CHPs) + ($2,000 × 360 CHPs) + ($4,000 × 990 CHPs)] to $8,415,000 [($100 × 150 CHPs) + ($1,000 × 600 CHPs) + ($2,000 × 600 CHPs) + ($4,000 × 1,650 CHPs)]. We note, because government entities do not generate net annual revenues, they have been included in the 5 percent computation of CHPs with net annual revenues less than $5 million.

Consequently, we estimate the total cost to comply with § 162.926 (that is, for the estimated 3,000 to 5,000 CHPs to provide the documentation of obtaining the CORE Seal or the HIPAA Credential) would be approximately $25 million to $41 million. This total cost includes the time and effort discussed in the ICR. The calculation is as follows: [Time and effort in ICR: $1,475,000 to $2,458,000] + [total fee for CORE Seals: $18,000,000 to $30,000,000] + [total fee for the HIPAA credential: $5,049,000 to $8,415,000] = $24,524,000 to $40,873,000.

We are proposing in § 162.926 that a CHP that obtains an HPID before January 1, 2015 must meet the submission requirements proposed in this rule on or before December 31, 2015. We explained in section II.A.7.(a)(1) of this proposed rule that this date is different than that in section 1173(h)(1) of the Act: December 13, 2013. We describe here the impact in benefits and penalty fees of the 2 year difference between the date in section 1173(h)(1) of the Act and the date proposed in this rule.

In the Modifications final rule, Operating Rules IFC, Health Care EFT Standards IFC, and the EFT & ERA Operating Rule Set IFC, described in the background of this proposed rule, we described the financial and qualitative benefits to implementing the standards and operating rules for the eligibility for a health plan, health claim status, and health care electronic funds transfers (EFT) and remittance advice transactions. Those rules measured the financial benefits of the standards and operating rules from the compliance dates of those particular standards and operating rules: January 1, 2012 is the compliance date for Version 5010 standards for the three transactions; January 1, 2013 is the compliance date for operating rules for the eligibility for a health plan and claim status transactions; and January 1, 2014 is the compliance date for the standards and operating rules for the health care electronic funds transfers (EFT) and remittance advice transaction.

The cost and savings of implementing those standards and operating rules on their compliance dates are not addressed in this proposed rule as they are accounted for in the previously mentioned rules, and the first certification of compliance requirements, as proposed in this rule, do not affect the costs and benefits of implementing these standards and operating rules.

It is possible that some CHPs may view the first certification of compliance deadline, December 31, 2015, as proposed in this rule, as an opportunity to implement the required standards and operating rules later than the compliance dates of those standards and operating rules as required in the applicable regulations. However, we assume that the number of CHPs that would slow or delay implementation based on the first certification of compliance deadline is quite small. As we noted before, thirty health plans have already obtained a Phase I CORE Seal, and many of those have obtained or are pursuing a Phase II CORE Seal. This growing group of CORE Certified entities represents many major health plans with extensive reach in terms of commercially covered lives. [43] Further, the complaint-driven process for enforcing compliance with these standards and operating rules applies as of their respective compliance dates.

We assume that the CORE-certified health plans include the process of obtaining CORE Seals for each phase of operating rules as part of their process to successfully implement new standards or operating rules. We assume these CORE-certified health plans make CORE Certification part of their implementation strategy regardless of the first certification of compliance submission requirements as proposed in this rule. As discussed in section II.A.7(a)(1) of this proposed rule, the December 31, 2015 deadline for submission of information and documentation, proposed in this rule, gives these CORE Certified entities time to obtain the Phase III CORE Seal. It also gives CHPs that would not otherwise use the CORE Certification process time to obtain either the CORE Phase I, II, and III Seals or the HIPAA Credential.

Because we believe that a negligible number of CHPs will use the December 31, 2015 deadline proposed in this rule as a reason to slow implementation of the standards or operating rules required by previous rules, and because the financial benefits for those standards and operating rules were calculated over 10-year periods, we believe the impact of the December 31, 2015 deadline on the overall financial and qualitative benefits to using these standards and operating rules to be negligible.

The amount in penalty fees that would have been assessed with a December 31, 2013 deadline cannot be determined under the proposed certification of compliance requirements because the December 31, 2015 date and other requirements proposed in this rule were developed to align chronologically with other regulatory and commercial sector initiatives. For instance, CAQH CORE began offering a Phase III CORE Seal in 2013; [44] the first entity to receive a Phase III CORE Seal did so in August 2013. [45] Given this timeframe, it is unlikely that many CHPs could have obtained a Phase III CORE Seal earlier than December 31, 2015. Likewise, CHPs have until November 2015 to obtain an HPID, and the first certification of compliance requirements apply only to CHPs.

Therefore, due to the vast difference in requirements associated with the December 31, 2013 and the December 31, 2015 deadlines, we are unable to perform an analysis of the amount of penalty fees that would have been assessed with the December 31, 2013 deadline as it would entail assuming a completely different set of requirements.

The Regulatory Flexibility Analysis (RFA), as amended, requires agencies to analyze options for regulatory relief of small businesses, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions.

The health insurance industry was examined in depth in the RIA prepared for the proposed rule on establishment of the Medicare Advantage program (69 FR 46866, August 3, 2004). It was determined, in that analysis, that there were few, if any, “insurance firms,” including HMOs that fell below the size thresholds for “small” business established by the SBA Health. We assume that the “insurance firms” are synonymous, for the most part, with health plans that conduct standard transactions with other covered entities and are, therefore, the entities that will have costs associated with meeting the first certification of compliance requirements. In fact, at the time the analysis for the Medicare Advantage program was done, and even more so now, the market for health insurance is dominated by a relative handful of firms with substantial market shares.

However, there are a number of health maintenance organizations (HMOs) that are small entities by virtue of their nonprofit status even though few if any of them are small by SBA size standards. There are approximately 100 such HMOs which may meet the definition of, and therefore define themselves, as CHPs. These HMOs and the Blue Cross and Blue Shield plans that are non-profit organizations, like the other CHPs affected by this proposed rule, will be required to meet the first certification of compliance requirements.

Accordingly, this proposed rule may affect a number of small entities. We estimate, however, that the costs of this proposed rule on “small” health plans do not remotely approach the amounts necessary to be a “significant economic impact” on firms with revenues of tens of millions of dollars. Therefore, the Secretary proposes to certify that this proposed rule would not have a significant economic impact on a substantial number of small entities. We welcome industry and stakeholder input on our assumption in this regard.

In addition, section 1102(b) of the Act requires us to prepare a regulatory analysis for “any rule or regulation proposed under title XVIII, title XIX, or part B of [the Act] that may have significant impact on the operations of a substantial number of small rural hospitals.” This proposed rule, however, is being proposed under title XI, part C, “Administration Simplification,” of the Act, and, therefore, does not apply. Regardless, this requirement of this proposed rule is only applicable to CHPs and will not have a significant impact on the operations of small rural hospitals.

Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of $100 million in 1995 dollars, updated annually for inflation. In 2013, that threshold is approximately $141 million. This proposed rule would impose a minimal effect on state, local, or tribal governments or on the private sector because the requirements for all CHPs regardless of ownership, to comply with the certification of compliance documentation requirements. The related costs for all 5,000 estimated CHPs is approximately $40 million, which is less than $141 million.

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. Since this regulation does not impose any substantial costs on state or local governments, the requirements of Executive Order 13132 are not applicable.

In accordance with the provisions of Executive Order 12866, this rule was reviewed by the Office of Management and Budget.

List of Subjects Back to Top

For the reasons set forth in this preamble, the Department of Health and Human Services proposes to amend 45 CFR parts 160 and 162 to read as follows:

begin regulatory text

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS Back to Top

1.The authority citation for part 160 continues to read as follows:

Authority:

42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.

2.Section 160.103 is amended by—

A. Adding the definition of “Penalty fee” in alphabetical order.

B. Revising the definition of “Respondent”.

end regulatory text

The addition and revision read as follows:

begin regulatory text

§ 160.103 Definitions.

* * * * *

Penalty fee means the amount determined under § 160.614.

* * * * *

Respondent means a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a penalty fee under subpart F or a civil money penalty.

* * * * *

§ 160.300 [Amended]

3.Section 160.300 is amended by removing the phrase “parts 162 and” and adding in its place the phrase “parts 162 (excluding § 162.926) and”.

4.Section 160.500 is revised to read as follows:

§ 160.500 Applicability.

This subpart applies to hearings conducted relating to the following:

(a) The imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5.

(b) The assessment of a penalty fee by the Secretary under 42 U.S.C. 1320d-2(j).

5.Section 160.504 is amended by revising paragraph (c) to read as follows:

§ 160.504 Hearing before an ALJ.

* * * * *

(c) The request for a hearing must do the following:

(1) Clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination under § 160.420 or in the notice of determination under § 160.624 with regard to which the respondent has any knowledge. If the respondent has no knowledge of a particular finding of fact and so states, the finding shall be deemed denied.

(2) State the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty or penalty fee, except that a respondent may raise an affirmative defense under § 160.410(b)(1) or § 160.620(a) at any time.

* * * * *

6.Section 160.534 is amended by revising paragraphs (b)(1) and (d)(1) to read as follows:

§ 160.534 The hearing.

* * * * *

(b)(1) The respondent has the burden of going forward and the burden of persuasion with respect to any of the following:

(i) Affirmative defense under § 160.410 or defense under§ 160.620 of this part.

(ii) Challenge to the amount of a proposed penalty pursuant to § 160.404 through § 160.408, including any factors raised as mitigating factors, or to the amount of the penalty fee pursuant to § 160.624.

(iii) Claim that a proposed penalty should be reduced or waived pursuant to § 160.412.

(iv) Compliance with subpart D of part 164, as provided under § 164.414(b).

* * * * *

(d)(1) Subject to the 15-day rule under § 160.518(a) and the admissibility of evidence under § 160.540, either party may introduce, during its case in chief, items or information that arose or became known after the date of the issuance of the notice of proposed determination under § 160.420, the notice of determination under § 160.624, or the request for hearing under § 160.504, as applicable. Such items and information may not be admitted into evidence, if introduced—

(i) By the Secretary, unless they are material and relevant to the acts or omissions with respect to which the penalty is proposed in the notice of proposed determination under § 160.420 or in the notice of determination under § 160.624, including circumstances that may increase penalties or penalty fees; or

(ii) By the respondent, unless they are material and relevant to an admission, denial or explanation of a finding of fact in the notice of proposed determination under § 160.420 or in the notice of determination under § 160.624, or to a specific circumstance or argument expressly stated in the request for hearing under § 160.504, including circumstances that may reduce penalties or penalty fees.

* * * * *

§ 160.540 [Amended]

7.In § 160.540, paragraph (g) is amended by removing the phrase” notice of proposed determination under § 160.420 of this part ” and adding in its place the phrase “notice of proposed determination under § 160.420 or in the Secretary's notice of determination under § 160.624.”

8.Section 160.546 is amended by revising paragraph (b) to read as follows:

§ 160.546 ALJ's decision.

* * * * *

(b) The ALJ may affirm, increase, or reduce the penalties or penalty fees imposed by the Secretary.

* * * * *

§ 160.548 [Amended]

9.Section 160.548 is amended by:

A. In paragraph (e), removing the phrase “of this part” and adding in its place the phrase “or a defense under § 160.620(a)”.

B. In paragraph (g), removing the phrase “any penalty determined by the ALJ” and adding in its place the phrase “any penalty or penalty fee determined by the ALJ.”

§ 160.550 [Amended]

10.In § 160.550, paragraphs (a) and (b) are amended by removing the phrase “penalty” and by adding in its place the phrase “penalty or penalty fee” each time it appears.

11.Subpart F is added to part 160 to read as follows:

end regulatory text

Subpart F—Imposition of Penalty Fees Back to Top

§ 160.602 Applicability.

This subpart applies to the imposition of penalty fees by the Secretary under 42 U.S.C. 1320d-2.

§ 160.604 Definitions.

As used in this subpart, the following definitions apply:

Controlling health plan (CHP) means a health plan as defined at § 162.103 of this subchapter.

Major medical policy means an insurance policy that covers accident and sickness and provides outpatient, hospital, medical and surgical expense coverage.

§ 160.612 Basis for the assessment of a penalty fee.

The Secretary assesses a penalty fee against a CHP with major medical policies if the Secretary determines the CHP did either of the following:

(a) Failed to provide the documentation in accordance with § 162.926(a)(2) or (b)(2) of this subchapter.

(b) With respect to information submitted to the Secretary under to § 162.926 of this subchapter—made by statements, in documents, or otherwise—upon which either a CORE Seal (under § 162.926(a)(2) or (b)(2) of this subchapter) or the HIPAA Credential (under § 162.926(a)(2) or (b)(2) of this subchapter) is based, provides inaccurate or incomplete information—

(1) With actual knowledge of the inaccuracy or incompleteness of the information; or

(2) Acting in deliberate ignorance or reckless disregard of the accuracy or completeness of the information.

§ 160.614 Amount of the penalty fee for failure to comply with submission requirements or knowingly providing inaccurate or incomplete information.

(a) The penalty fee amounts are as follows:

(1) For the basis specified at § 160.612(a), $1 per covered life of the CHP per day until the requirements of § 162.926(a)(2) or (b)(2) of this subchapter, as applicable, have been met, not to exceed $20 per covered life.

(2) For the basis specified at § 160.612(b), $40 per covered life of the CHP.

(b) A CHP is not assessed more than $40 per covered life of the CHP under the basis specified at § 160.612.

§ 160.616 Notice of penalty fee.

The Secretary provides notice, by certified mail with return receipt requested, to a CHP that meets any of the bases for a penalty fee in § 160.612. A notice of penalty fee includes all of the following:

(a) The penalty fee amount.

(b) Reference to the regulatory basis, under § 160.612, for the penalty fee.

(c) A description of the findings of fact regarding the violations upon which the penalty fee is based.

(d) The reasons(s) why the violation(s) subject the CHP to a penalty fee.

§ 160.618 CHP's response to notice of penalty fee.

(a) In response to a notice of penalty fee under § 160.616, a CHP may submit to the Secretary evidence of any of the defenses described in § 160.620.

(b)(1) A CHP that chooses to assert a defense(s) under paragraph (a) of this section must do so in writing within 30 calendar days of receipt of the notice under § 160.616.

(2) For purposes of this section, the CHP's date of receipt of the notice of penalty fee is presumed to be 5 days after the date of the notice unless the CHP makes a reasonable showing to the contrary to the Secretary.

§ 160.620 Defenses that may be raised in response to notice of penalty fee.

The Secretary will consider no defenses aside from the following in response to a notice of penalty fee under § 160.616:

(a) The CHP is not subject to the requirements of § 162.926 of this subchapter.

(b) The CHP's failure to meet the requirements of § 162.926 of this subchapter was attributable to a ministerial and non-substantive error.

(c) The failure to meet the requirements of § 162.926 of this subchapter was beyond the CHP's control.

§ 160.624 Notice of determination.

The Secretary sends the CHP, by certified mail with return receipt requested, a notice of determination as to whether a penalty fee is assessed.

(a) A notice of determination to assess a penalty fee includes all of the following:

(1) A description of the statutory basis for the assessment of the penalty fee.

(2) The amount of the penalty fee.

(3) Reference to the regulatory basis, under § 160.612, for the assessment of the penalty fee.

(4) The findings of fact regarding the violations on which assessment of the penalty fee is based.

(5) Any defenses described in § 160.620 that were considered in determining whether to assess the penalty fee and the reason(s) why the defenses were rejected.

(6) Instructions for requesting a hearing under § 160.626.

(7) A statement that the failure to request a hearing within 90 days results in the imposition of the penalty fee specified in the notice of determination.

(b) A notice of determination to not assess a penalty fee includes the following:

(1) Any defenses described in § 160.620 that were considered in determining whether to assess the penalty fee and the reason(s) why the defenses were accepted; and

(2) Actions the CHP must take.

§ 160.626 Right to a hearing.

(a) Upon receipt of a notice of determination under § 160.624(a), a CHP may request a hearing before an ALJ by filing a request in accordance with § 160.504.

(b) If a CHP does not request a hearing within the time prescribed by § 160.504, the Secretary notifies the CHP that the penalty fee in the notice of determination is final and the means by which the CHP must pay the penalty fee.

begin regulatory text

PART 162—ADMINISTRATIVE REQUIREMENTS Back to Top

12.The authority citation for part 162 continues to read as follows:

Authority:

Secs. 1171 through 1180 of the Social Security Act (42 U.S.C. 1320d-1320d-9), as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031, sec. 105 of Pub. L. 110-233, 122 Stat. 881-922, and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note), and secs. 1104 and 10109 of Pub. L. 111-148, 124 Stat. 146-154 and 915-917.

13.Section 162.103 is amended by adding the definitions of “Covered lives of a CHP” and “EFT” in alphabetical order to read as follows:

§ 162.103 Definitions.

* * * * *

Covered lives of a CHP means individuals covered by or enrolled in major medical policies of a CHP and the SHP(s) of that CHP. Individuals may be described in such major medical policies by terms, including, but not limited to, the following:

(1) Individuals.

(2) Spouses.

(3) Dependents.

(4) Employees.

(5) Subscribers.

(6) Policyholders.

(7) Medicaid recipients.

(8) Medicare beneficiaries.

(9) Tricare beneficiaries.

(10) Veterans.

(11) Survivors.

* * * * *

EFT stands for electronic funds transfers.

* * * * *

14.Section 162.926 is added to read as follows:

§ 162.926 Certification of Compliance—submission requirements

(a) Submission requirements for a CHP that obtains an HPID before January 1, 2015. For the health care electronic funds transfers (EFT) and remittance advice, eligibility for a health plan, and health care claim status transactions, a CHP that obtains an HPID before January 1, 2015 must, on or after January 1, 2015 and on or before December 31, 2015, provide the following to the Secretary in one submission:

(1) The number of covered lives of a CHP (as that term is defined in § 162.103 of this subpart) on the date that the documentation required under paragraph (a) of this section is submitted.

(2) Documentation that demonstrates the CHP has obtained a Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE)—

(i) Certification Seal for Phase III CAQH CORE EFT & ERA Operating Rules. The CHP must not be under the CORE IT Exemption Policy at the time of submission with regard to the CORE Phase I, II, and III Seals; or

(ii) HIPAA Credential for the operating rules for the transactions listed in paragraph (a) of this section.

(b) Submission requirements for a CHP that obtains an HPID on or after January 1, 2015 and on or before December 31, 2016. A CHP that obtains an HPID on or after January 1, 2015 and on or before December 31, 2016, must, within 365 calendar days of obtaining an HPID, provide the following to the Secretary in one submission:

(1) The number of covered lives of a CHP (as that term is defined in § 162.103) on the date the documentation required under paragraph (b) of this section is submitted.

(2) The documentation required under paragraph (a)(2) of this section.

end regulatory text

Dated: December 20, 2013.

Marilyn Tavenner,

Administrator, Centers for Medicare & Medicaid Services.

Dated: December 20, 2013.

Kathleen Sebelius,

Secretary, Department of Health and Human Services.

[FR Doc. 2013-31318 Filed 12-31-13; 8:45 am]

BILLING CODE 4120-01-P

Footnotes Back to Top

2. “Technological Change and the Growth of Health Care Spending,” A CBO Paper, Congressional Budget Office, January 2008, pg. 4, http://www.cbo.gov/ftpdocs/89xx/doc8947/01-31-TechHealth.pdf

2. Morra, D., Nicholson, S., Levinson, W., Gans, D. N., Hammons, T., & Casalino, L. P. “U.S. Physician Practices versus Canadians: Spending Nearly Four Times as Much Money Interacting With Payers,”Health Affairs: 30(8):1443-1450, 2011.

Blanchfield, Bonnie B., James L. Hefferman, Bradford Osgood, Rosemary R. Sheehan, and Gregg S. Meyer, “Saving Billions of Dollars—and Physician's Time—by Streamlining Billing Practices,”Health Affairs: 29(6):1248-1254, 2010.

5. Established by the Congress, the NCVHS is a body that advises the Secretary on health data, statistics, and national health information policy and that has a significant role in the Secretary's adoption of operating rules under section 1173(g)(3) of the Act.

Back to Context

6. September 30, 2010 letter from NCVHS to Secretary Kathleen Sebelius, re: Affordable Care Act, Administrative Simplification: Operating Rules for Eligibility and Claims Status Transactions: http://www.ncvhs.hhs.gov/reptrecs.htm.

Back to Context

7. CAQH CORE Phases I and II Operating Rules are available online at no charge at http://www.caqh.org/COREVersion5010.phb.

Back to Context

8. Provisions of the Operating Rule IFC at 76 FR 40461. Information on the CAQH CORE Rules can be found at: http://www.caqh.org/CORE_phase1.php, http://www.caqh.org/CORE_phase2.php, and http://www.caqh.org/CORE_phase3.php. CAQH CORE FAQS can be found at: http://www.caqh.org/pdf/COREFAQsPartA.pdf for general information; http://www.caqh.org/pdf/COREFAQsPartC.pdf for Phase I and II.

Back to Context

9. March 23, 2011 NCVHS letter to the Secretary: http://ncvhs.hhs.gov/110323lt.pdf.

Back to Context

10. CAQH CORE FAQS for Phase III can be found at http://www.caqh.org/pdf/COREFAQsPartD.pdf.

Back to Context

11. May 5, 2012 NCVHS letter to the Secretary: http://www.ncvhs.hhs.gov/120505lt.pdf.

Back to Context

12. September 12, 2012 letter from Secretary to NCVHS: http://www.ncvhs.hhs.gov/120912lt.pdf.

Back to Context

13. Many of the assumptions in this section come from an NCVHS hearing held on June 20, 2012 in which these issues were discussed. The hearing and the NCVHS' conclusions are summarized in “Re: Findings from NCVHS Hearings on Administrative Simplification in June 2012—an Update on Health Care Administrative Transactions,” September 21, 2012 letter to Secretary Sebelius from the National Committee on Vital and Health Statistics, pg 2. A copy of the letter and testimony from the hearing can be found at: http://www.ncvhs.hhs.gov/.

Back to Context

14. See “Transaction Compliance and Certification: A White Paper Describing the Recommended Solutions for Compliance Testing and Certification of the HIPAA Transactions,” prepared by the Workgroup for Electronic Data Interchange (WEDI) Transactions Workgroup, March 10, 2010.

Back to Context

16. The regulatory definition of health plan at 45 CFR 160.103 was initially adopted in the Transactions and Code Sets final rule. The basis for the additions to, and clarifications of, the statutory definition of health plan is further discussed in the preamble to the December 28, 2000 final rule (65 FR 82478 and 82576) titled “Standards for Privacy of Individually Identifiable Health Information.”

Back to Context

18. Step-by step process for certification for Phase I and Phase II can be found at: http://www.caqh.org/CORE_step_by_step.php.

Back to Context

21. See question #4, page 9 of 23 at http://www.caqh.org/pdf/COREFAQsPartA.pdf.

Back to Context

22. For updated information on entities that have CORE-certification or have committed to receive CORE-certification, please refer to http://www.caqh.org/CORE_organizations.php.

Back to Context

25. Ibid., Section 5.

Back to Context

27. These exempted IT systems must serve no more than 30 percent of the health plan's membership or applicable transactions.

Back to Context

32. However, to be clear, health plans are covered entities obligated to continually abide by adopted HIPAA standards and operating rules, and the requirements of this proposed rule do not impede our enforcement authority.

Back to Context

33. See CAQH CORE FAQs on CORE Certification & Endorsement: http://www.caqh.org/pdf/COREFAQsPartF.pdf.

Back to Context

34. The current CORE fee structure for the CORE Seal can be found at: http://www.caqh.org/CORE_phase1_fees.php.

Back to Context

35. As of this writing, the single CORE-authorized testing vendor does not charge a fee for entities to test with it.

Back to Context

36. In the HPID proposed rule, we concluded there were approximately 138 health maintenance organizations that were small entities by virtue of their nonprofit status though “few, if any of them are small by SBA size standards” (77 FR 23000) and that no other category of health plan could be considered “small” (77 FR 22999). Our conclusions were based on an analysis included in a proposed rule on the establishment of the Medicare Advantage program (69 FR 46866, August 3, 2004).

Back to Context

38. Early in 2013, CMS announced a 90-day enforcement discretion period for compliance with the Operating Rules IFC stating that it would not initiate enforcement action until March 31, 2013. See http://www.cms.gov/Outreach-and-Education/Outreach/OpenDoorForums/Downloads/010213Sec1104ofACAAnnouncement.pdf.

Back to Context

39. For information on the SEC's role, see http://www.sec.gov/about/whatwedo.shtml.

Back to Context

40. 10-K filings and other publically available company filings can be viewed through the EDGAR database: http://www.sec.gov/edgar/searchedgar/companysearch.html. For more information on the 10-K see http://www.sec.gov/answers/form10k.htm. For the 10-K form itself: http://www.sec.gov/about/forms/form10-k.pdf.

Back to Context

41. “Health Care Delivery Covered Lives—Summary of Findings,” John F. Kennedy School of Government: Harvard University, Mossavar-Rahmani Center for Business & Government (http://www.hks.harvard.edu/m-rcbg/hcdp/numbers/Covered%20Lives%20Summary.pdf).

Back to Context

42. We believe that, in general, these fees represent real costs to society, in the form of labor and other resources used by CAQH CORE for conducting certification.

Back to Context

43. See map with data on commercially insured lives that have policies with a CORE Certified health plan on CAQH CORE Web site: http://www.caqh.org/pdf/COREPIwebmap.pdf.

Back to Context
Site Feedback