HHS Withdraws Rules on HIPAA Certification

In order to reduce administrative costs in the health care industry, HIPAA requires covered entities (for example, group health plans) and their business associates to use standardized formats and operating rules when conducting certain electronic transactions. These HIPAA requirements are often referred to as the electronic data interchange (EDI) rules.

The ACA includes a provision that requires health plans to file a statement with HHS by Dec. 31, 2013, certifying their compliance with the EDI rules for the following three electronic transactions:

• Eligibility for a health plan;
• Health care claim status; and
• Health care electronic funds transfer.

On Jan. 2, 2014, HHS issued a proposed rule on the HIPAA certification requirement. The rule extended the initial compliance deadline to Dec. 31, 2015, and proposed a general framework for controlling health plans (CHPs) to certify their HIPAA compliance. It also included penalties for CHPs that failed to comply with the certification requirement. The proposed rule left many questions unanswered regarding the HIPAA certification requirement, including how the requirement would apply to self-funded group health plans that do not directly conduct any electronic HIPAA transactions. Due to a lack of final guidance from HHS, the proposed deadline of Dec. 31, 2015, was not enforced.

On Oct. 4, 2017, HHS withdrew the proposed rule based on issues that have been raised regarding the HIPAA certification process. According to HHS, it will be examining these issues and exploring options and alternatives to comply with the ACA’s requirement. This development is welcome news for group health plan sponsors, who will not be required to certify their HIPAA compliance until HHS issues new guidance.

Although health plans are not required to certify their HIPAA compliance at this time, there is an enforcement process in place for the EDI rules. Civil money penalties and criminal penalties may be imposed on a covered entity that fails to comply with the EDI rules. Thus, health plans and business associates that conduct standard transactions should confirm that they are complying with the EDI rules.