38 October 2013 | The Self-Insurer © Self-Insurers’ Publishing Corp. All rights reserved.

PPACA, HIPAA and Federal Health Benefi t Mandates: Practical Q&AThe Patent Protection and Affordable Care Act (PPACA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other federal health benefi t mandates (e.g., the Mental Health Parity Act, the Newborns and Mothers Health Protection Act, and the Women’s Health and Cancer Rights Act) dramatically impact the administration of self-insured health plans. This monthly column provides practical answers to administration questions and current guidance on PPACA, HIPAA and other federal benefi t mandates.

Health Plans and the Requirement to Apply for a “HPID”

For purposes of administrative simplifi cation, HIPAA requires HHS to

adopt standards for assigning unique health identifi ers for each individual,

employer, health plan, and health care provider. Providers and employer

have used identifying numbers (NPI and EIN) for some time now.

Health plans will be required to obtain a unique health plan identifi er (HPID)

by November 5, 2014 for large health plans and one year later for small health

plans. It is anticipated that health plans and providers will require TPAs to obtain

identifi cation numbers (OEID) as well.

Section 1104(c)(1) of the Affordable Care Act (“ACA”) required HHS to

promulgate a fi nal rule to establish a unique identifi er (“HPID”) for health plans.1

The HPID is a standardized ten-digit number assigned to health plans, which is

designed to increase standardization and help covered entities verify information

from other covered entities. On April 27, 2012, HHS issued a proposed rule

about HPIDs.2 The fi nal regulations, issued on September 5, 2012, modifi ed the

implementation dates originally set forth in the April rulemaking, but did not

substantively modify them.3

© Self-Insurers’ Publishing Corp. All rights reserved. The Self-Insurer | October 2013 39

Q&AHealth Plans and the Requirement to Apply for a “HPID”

Who Needs an HPID?The regulations draw a distinction

between Controlling Health Plans and Subhealth Plans, based on the level of control the entity has over its activities. Under these regulations, a Controlling Health Plan (“CHP”), including a self-insured CHP, is required to obtain an HPID. A Subhealth Plan (“SHP”) is not required to obtain an HPID, but may do so, either at the request of a related CHP or of its own accord. A CHP can also obtain HPIDs on behalf of its SHPs.

A CHP is defi ned as a health plan that 1) controls its own business activities, actions, or policies; or 2) is controlled by an entity that is not a health plan, and if it has one or more SHPs, exercises suffi cient control over them to direct their business activities, actions, or policies. The regulations list the following considerations in determining whether an entity is a CHP: 1) Does the entity itself meet the defi nition of a health plan at 45 C.F.R. § 160.103? 2) Does either the entity itself or a nonhealth plan control the business activities, actions, or policies of the entity? If the answer to both questions is yes, the entity meets the defi nition of a CHP.

A SHP, by contrast, is defi ned as a health plan whose business activities, actions, or policies are directed by a CHP. In determining whether an entity is a SHP, the following considerations are relevant: 1) Does the entity meet the defi nition of health plan at 45 C.F.R. § 160.103? 2) Does a CHP direct the business activities, actions, or policies of the health plan entity? If the answer to both questions is yes, the entity meets the defi nition of a SHP.

Practice Pointer: A “health plan,” as defi ned in 45 C.F.R. § 160.103, includes, among other entities, a group health

plan, health insurance issuer, or HMO.

Obtaining an HPIDA national enumeration system, known as the Health Plan and Other Entity

Enumeration System (“HPOES”), assigns unique HPIDs through an online

application process. HPOES became available within CMS’ HIOS system in late

March 2013. Information about the data elements that are part of the application

(such as company information, authorizing offi cial information, and NAIC number)

are available here.4 During the application process, entities must register the

organization, provide certain identifying information, select an application type

(CHP or SHP), and then complete and submit an application, which will then be

reviewed. A PDF presentation of the application process is available via CMS.5

Large health plans must obtain an HPID by November 5, 2014. Small health plans

must do so by November 5, 2015.6 By the “full implementation date” of November

7, 2016, all health plans must use the HPID in their standard transactions.7

Practice Pointer: It will be important to secure an HPID well before the mandatory

compliance dates, so that there is suffi cient time to work out any administrative

issues that may arise with multiple entities implementing the new system.

How will an HPID be used?A covered entity is required to use an HPID when it identifi es a health plan

in a standard transaction. If a covered entity uses business associates to conduct

standard transactions on its behalf, the covered entity must require its business

associates to use HPIDs to identify health plans in standard transactions.

There are also several uses for which an entity is permitted, but not required,

to use an HPID. CMS stated that the HPID can be used for “any other lawful

purpose” (in addition to a standard transaction).8 The regulations list the following

potential uses of an HPID, which CMS believes will increase effi ciency: in internal

fi les, to facilitate the processing of transactions; on an enrollee’s health insurance

card; as a cross-reference in healthcare fraud and abuse fi les and other program

integrity fi les; in patient medical records to help specify health care benefi t

packages; in EHRs to identify health plans; in federal and state health insurance

exchanges; and for public health data reporting purposes.

Practice Pointer. While none of these uses currently require an HPID, they are

helpful in that they illustrate how CMS intends the HPID to be used. In addition,

CMS may decide to mandate some of these uses of HPIDs in the future.

Other Entity Identifi ers The HPID regulations also introduce the concept of an Other Entity Identifi er

(“OEID”) for non-health plan entities that may engage in standard transactions.

The possible users of OEIDs include third-party administrators, transaction

vendors, clearinghouses, and other payers. Non-health plan entities that need

to be identifi ed in standard transactions are permitted, but not required, to

obtain an OEID. However, health plans may require their business associates to

obtain OEIDs in contractual agreements. Entities are eligible if they 1) need to

be identifi ed in a transaction for which a standard has been adopted by HHS; 2)

40 October 2013 | The Self-Insurer © Self-Insurers’ Publishing Corp. All rights reserved.

are not eligible to obtain an HPID or a NPI; 3) are not an individual. Because the

adoption of an OEID is voluntary, there is no required compliance date.

Practice Pointer: For employers, the HIPAA standard unique identifier is the

employer’s EIN. For providers, the NPI, or National Provider Identifier, is the

standard unique identifier. n

Attorneys John R. Hickman, Ashley Gillihan, Johann Lee, and Carolyn Smith provide the answers in this column. Mr. Hickman is partner in charge of the Health Benefits Practice with Alston & Bird, LLP, an Atlanta, New York, Los Angeles, Charlotte and Washington, D.C. law firm. Ashley Gillihan, Carolyn Smith and Johann Lee are members of the Health Benefits Practice. Answers are provided as general guidance on the subjects covered in the question and are not provided as legal advice to the questioner’s situation. Any legal issues should be reviewed by your legal counsel to apply the law to the particular facts of your situation. Readers are encouraged to send questions by E-MAIL to Mr. Hickman at john.hickman@alston.com.

We Don’t Just Talk About Successful Teams: We Build Them

Teamwork is the foundation of any successstory. With the right partner, collaboration andsupport, you can achieve lasting results.When you team up with Meritain Health, yougain the experience of our 30 plus years inthe healthcare benefits industry, for a partnership you can rely on.

For more information, contact us today.

1.800.242.6226 www.meritain.com

© 2013. For self-funded accounts, benefits coverage is offeredby your employer, with administrative services only provided byMeritain Health, an independent subsidiary of Aetna Life Insurance Company.2013006

Resources1This requirement is described in Social Security Act § 1173(b). This rule was required to be based on input from the National Committee on Vital and Health Statistics (“NCVHS”) and be effective no later than October 1, 2012.

2Department of Health and Human Services, Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD–10–CM and ICD–10–PCS Medical Data Code Sets, 77 Fed. Reg. 22950, April 17, 2012.

3Department of Health and Human Services, Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD–10–CM and ICD–10–PCS) Medical Data Code Sets; Final Rule, 77 Fed. Reg. 54664, September 5, 2012.

4CMS, Health Plan and Other Entity Enumeration System Data Elements, www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Downloads/HPOESDataelements.pdf.

5CMS, HPID and OEID System Overview, March 2013, available at www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Downloads/HPOESTrainingSlidesMarchSlideDeck.pdf.

6“Small health plan” is defined as a health plan with annual receipts of $5 million or less. 45 C.F.R. § 160.103.

745 C.F.R. § 162.504. This was corrected from mistake in the original regulations by 77 Fed. Reg. 60629, Oct. 4, 2012.

8CMS, HPID and OEID System Overview, March 2013, available at www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Downloads/HPOESTrainingSlidesMarchSlideDeck.pdf.