Some time ago, we were asked by a reader, “Is an employer self-funded medical plan required to have a Health Plan Identifier (HPID)?”

We thought this general information might be helpful. Please remember this information and blog is NOT LEGAL ADVICE, and you should consult with your own attorney. The inquirer correctly notes that the underlying question is whether an employer-sponsored self-funded plan is a controlling health plan (CHP) required to obtain an HPID. CMS regulations and guidance indicate that employer-sponsored self-funded health plans are CHPs and must obtain a HPID.

Before providing support for this response, please note that on October 31, 2014, CMS issued an enforcement delay on its HPID rule “until further notice.” There is a reasonable chance that the HPID, as now defined, may be eliminated. CHPs need not obtain a HPID until further notice from CMS.

Here is the background re: regulatory need for an employer-sponsored self-funded health plan to obtain a HPID.

CMS published its final regulations setting forth requirements for health plan receipt of an HPID on September 5, 2012. CMS also developed frequently asked questions (FAQs) giving guidance on compliance with its HPID requirements. One FAQ specifically addresses whether a self-insured health plan must obtain an HPID.

To determine the answer, a self-insured health plan must ask if it meets the HIPAA regulatory definition of a “health plan.” A health plan is an individual or group health plan that provides or pays the cost of medical care. Assuming that the employer self-funded medical plan does so, the next question is whether that self-funded plan meets the regulatory definition for a “controlling health plan” (CHP). A CHP is a health plan that controls its own business activities, actions, or policies, or is controlled by an entity that is not a health plan. An employer’s self-funded medical plan generally would satisfy this definition of a CHP.

It can be confusing because most self-funded plans work with third party administrators (TPAs) which sometimes, themselves, are health plans. TPAs, however, are not CHPs when acting in their roles as TPAs (i.e., providing eligibility, claims administration, and other administrative services). The sponsor of the self-insured plan is responsible for obtaining the plan’s HPID. The sponsor could ask that its TPA obtain a HPID on the plan’s behalf, but the HPID would belong to the sponsored self-funded health plan.

Advisors to the industry also say that employer-sponsored health plans are HIPAA-covered entities and that employers with self-funded health plans are required under the final regulations to obtain an HPID.

HPID compliance deadlines set forth in the September 5, 2012 rule are as follows –

• CHPs are required under the regulation to obtain their HPIDs by November 7, 2014.
• Small CHPs, however, have until November 7, 2015, to obtain a HPID. A CHP is a “small” CHP if its annual receipts are $5 million or less. CMS advises CHPs on processes to utilize in determining whether its receipts are $5 million or less.
• HIPAA-covered entities are required to use HPIDs in HIPAA-covered transactions effective November 7, 2016.

Now, about the delay identified above.

As noted above, shortly before the first HPID regulatory deadline, CMS issued a “discretionary delay” in enforcement of the HPID rule “until further notice.” This delay has been read by the field as putting on hold not only enforcement actions CMS might have taken against health plans that failed to timely obtain their HPIDs, but also putting on hold the need for a health plan to obtain a HPID until further directed by CMS to do so. The HIPAA statute requires CMS, in adopting HPID regulations, to obtain and consider the advice of the National Committee on Vital and Health Statistics (NCVHS). CMS did so in finalizing its HPID rule and, further, in issuing this indefinite delay. NCVHS has advised CMS against use of the HPID in HIPAA standard transactions. It is possible, according to some industry commentators, that the HPID will be done away with in favor of some other form or processes of unique health plan identification.

One other HIPAA regulatory requirement for health plans to be aware of and to watch.

CMS issued regulations on January 2, 2014, requiring all HIPAA covered entity health plans to certify compliance with HIPAA standard transactions for eligibility, health claims status, and electronic payment/electronic remittance advice by December 31, 2015. In certifying compliance, this rule requires health plans to use their HPIDs. The rule’s certification deadline remains in effect. CMS will need to address the rule’s requirement for use of the HPID at some time.

We hope this response is helpful to the inquirer and to others.