SECOND OPINIONS: ACA Makes Changes to HIPAA Standard Transaction Rules

April 9, 2014 - With all of the other mandates, notices, and penalties included in the Patient Protection and Affordable Care Act (ACA), one section went largely unnoticed but potentially has a big impact on health plans.

The ACA added new requirements to the HIPAA Administrative Simplification Rules, which are the rules that govern privacy and security of protected health information. Two of the changes impose direct requirements on health plans beginning this year—the Health Plan Identifier Rule and the HIPAA Certification Rule. We answer questions about both requirements below.

What is a Health Plan Identifier and how do we obtain one?

The ACA and its regulations require that all health plans obtain a Health Plan Identifier, or HPID.  The HPID is a unique number that will be assigned to the health plan. This number must be used in any HIPAA standard transactions that the health plan conducts or that a business associate conducts on behalf of the health plan. Health plans can register for their HPID at Note that it may take some time to gather the required information and work through the registration screens. The website has instructions and videos explaining the process.

What is the deadline for obtaining an HPID?

Health plans must obtain an HPID by November 5, 2014.  Small health plans, defined under the HIPAA privacy rules as plans with annual receipts of $5 million or less, have an extra year—until November 5, 2015.

What health plans are subject to these rules?

Any health plan that is a “covered entity” under the HIPAA privacy rules will be required to obtain an HPID. There is a special rule allowing a “controlling health plan” to obtain an HPID on behalf of “subhealth plans.” The regulations defined a “controlling health plan” as a plan that controls its own business activities, actions, or policies, and a “subhealth plan” as a plan whose activities are directed by a controlling health plan.

What is a standard transaction?

The transaction rules are a part of the HIPAA administrative simplification rules, which include privacy, security, and transactions. They require that if a HIPAA covered entity conducts certain transactions with another covered entity using electronic media, the two covered entities must use standards and code sets designated by the Secretary of HHS. These standards and code sets establish which data must be provided and fields that must be used when transmitting electronic information. Under the HPID rule, where one of these transactions requires the identification of a health plan, the new HPID would be used. Note that for many employer group health plans, it is their third-party administrator (TPA) or other business associate that performs these transactions for them. They may not even be aware that these transactions are conducted on their behalf.

The list of transactions to which these rules apply includes:

  • Claims & Encounter Information – Request from provider to plan to obtain payment or information
  • Eligibility – Transmission from provider to plan, or plan to plan—and their responses—related to eligibility, coverage, or benefits under the plan
  • Authorization & Referrals – Request for authorization for health care or to refer to another provider—and response
  • Claim Status – Inquiry about status
  • Enrollment & Disenrollment – Transfer of subscriber information to plan to establish or terminate coverage
  • Premium Payments – Information about payment, fund transfer, remittance, or payment processing from entity arranging provision of care
  • Coordination of Benefits – Transfer of claims or payment information to plan for purpose of determining relative payment responsibility
  • Electronic Funds Transfer (EFT) – Transmission of any of the following from a health plan to a health care provider: payment, information about the transfer of funds, and payment-processing information
  • Remittance Advice – Transmission of any of the following from a health plan to a health care provider: an explanation of benefits or a remittance advice.

What is the HIPAA Certification?

The ACA requires that health plans certify they are in compliance with the standard transactions rules under two rounds of certification. Under the First Certification, a health plan must certify compliance with the Eligibility, Claim Status, EFT, and Remittance Advice transactions listed above. 

HHS has issued proposed regulations on the First Certification.  79 Fed. Reg. 298 (Jan. 2, 2014). The proposed rules require the health plan to obtain certification from an outside vendor that shows that the plan—or its business associate, where applicable—performs the required standard transactions and has tested these transactions with a minimum number of third parties. 

After obtaining certification, the health plan must file an attestation with HHS that represents that the plan has obtained the required certification and otherwise complies with the privacy and security rules. The attestation filing also must include information about the number of covered lives under the plan so that HHS can assess a penalty on covered lives if it finds noncompliance. Controlling health plans must file on behalf of any subhealth plans.

When is the certification due?

Generally, plans must file their attestation with HHS by December 31, 2015. This means they must go through the testing and certification process before this date. Small health plans will have until December 31, 2016, to file.   

What does the certification require?

Under the proposed rules, a health plan would be required to obtain certification from an outside third party, the Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange (CAQH CORE). HHS proposes two types of certification: (1) the HIPAA Credential; and (2) the Phase III Core Seal. The health plan can choose which one it would like to seek. Both require that the health plan, or its business associates where applicable, actually test the standard transactions that are part of the First Certification. (Note that these requirements may change in final rules.)

Is there a penalty for not certifying?

The ACA imposes a penalty on noncompliant plans of $1 per covered life per day until certification is complete with a maximum penalty of $20 per covered life. The ACA also imposes a penalty of up to $40 per covered life if the plan knowingly provides inaccurate or incomplete information.




Christy Tinnes is a Principal in the Health & Welfare Group of Groom Law Group in Washington, D.C.  She is involved in all aspects of health and welfare plans, including ERISA, HIPAA portability, HIPAA privacy, COBRA, and Medicare.  She represents employers designing health plans as well as insurers designing new products.  Most recently, she has been extensively involved in the insurance market reform and employer mandate provisions of the health-care reform legislation.

Brigen Winters is a Principal at Groom Law Group, Chartered, where he co-chairs the firm's Policy and Legislation group. He counsels plan sponsors, insurers, and other financial institutions regarding health and welfare, executive compensation, and tax-qualified arrangements, and advises clients on legislative and regulatory matters, with a particular focus on the recently enacted health-reform legislation.

PLEASE NOTE:  This feature is intended to provide general information only, does not constitute legal advice, and cannot be used or substituted for legal or tax advice.