The ACA added
new requirements to the HIPAA Administrative Simplification Rules, which are
the rules that govern privacy and security of protected health information. Two
of the changes impose direct requirements on health plans beginning this year—the
Health Plan Identifier Rule and the HIPAA Certification Rule. We answer questions
about both requirements below.
What is a Health Plan Identifier and how do we obtain one?
The ACA and
its regulations require that all health plans obtain a Health Plan Identifier,
or HPID. The HPID is a unique number
that will be assigned to the health plan. This number must be used in any HIPAA
standard transactions that the health plan conducts or that a business
associate conducts on behalf of the health plan. Health plans can register for
their HPID at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Health-Plan-Identifier.html. Note that it may take some time to gather the required
information and work through the registration screens. The website has
instructions and videos explaining the process.
What is the deadline for obtaining an HPID?
must obtain an HPID by November 5, 2014.
Small health plans, defined under the HIPAA privacy rules as plans with annual
receipts of $5 million or less, have an extra year—until November 5, 2015.
What health plans are subject to these rules?
Any health plan that is a “covered entity” under the HIPAA privacy rules
will be required to obtain an HPID. There is a special rule allowing a
“controlling health plan” to obtain an HPID on behalf of “subhealth plans.” The
regulations defined a “controlling health plan” as a plan that controls its own
business activities, actions, or policies, and a “subhealth plan” as a plan
whose activities are directed by a controlling health plan.