Under the Health Insurance Portability and Accountability Act (HIPAA), employers who sponsor group health plans are subject to requirements to: (1) update each grandfathered business associate agreement (BAA) to comply with the most recent regulations (generally known as the “Omnibus Rule”), and (2) register for a health plan identifier number (HPID).
Update Business Associate Agreements by September 23, 2014
Under the Omnibus Rule, BAAs in existence prior to January 25, 2013, that were not modified after this date have until September 23, 2014, to comply with the Omnibus Rule. Updated BAAs should, for example, require business associates to report breaches of unsecured protected health information (PHI) and require the business associate to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI.
Although a BAA is required to have certain provisions, it is not a “standardized” document. It can and should have important provisions that are not required by law. All provisions of a BAA should be reviewed and understood before the document is signed. Thus, whether you are a representative of a group health plan required to have a BAA, a business associate or a subcontractor of a business associate, a BAA should reflect your consideration and input. Provisions regarding actions to be taken following a data breach and indemnification provisions can significantly affect your organization’s rights and responsibilities.
Obtain Health Plan Identifier Number for Large Self-funded Plans by November 5, 2014
In order to increase efficiencies in health care processing, the Affordable Care Act required HHS to issue rules establishing a unique health plan identifier to be used in standard electronic transactions. Under current guidance, an employer that sponsors a large self-funded health plan must obtain an HPID by November 5, 2014. Small health plans are given an additional year to obtain an HPID. HHS guidance indicates that a small self-funded health plan is a plan that pays claims of $5 million or less in the prior plan year. For an insured plan, the insurer, rather than the employer, must obtain the HPID.
Many comments on the HPID regulations argued that most self-funded plans do not conduct standard transactions; TPAs conduct the transactions for the plan. In the final regulations, however, HHS took the position that the plan sponsor must nonetheless obtain the HPID. Moreover, the employer sponsoring the plan, and not the TPA administering claims for the plan, must obtain the HPID.
Many employers offer multiple group health benefit packages. Similar to Form 5500 requirements for ERISA covered plans, the number of required HPIDs appears to depend on how the plan is structured and documented. Only a controlling health plan (CHP) must obtain an HPID. A CHP is a health plan that controls its own activities or is controlled by an entity that is not a health plan. Thus if two benefit options are combined under a single plan structure (i.e., a wrap plan) for purposes of Form 5500 filing, only one HPID is required. If they are maintained as two separate plans, two HPIDs are required.
Employers can obtain information about the HPID application process at this HHS website.