Legislative & Regulatory Information

Transcription

1 Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal Various Louis Enahoro 2/20/14 LI-485 HIPAA, Electronic Commerce 45 CRF Parts 160 and 162 Supplements LI-179R, LI-236, LI-376, LI-449, LI-457 ACA INCLUDES NEW HIPAA ELECTRONIC TRANSACTION REQUIREMENTS Executive Summary On March 23, 2010, President Obama signed the Affordable Care Act (ACA) into law. Among other things, Section 1104 of the ACA makes the following changes to HIPAA s provisions relating to electronic health care transactions; 1 includes new standards for Electronic Funds Transfer (EFT) and health care claims attachment transactions; requires the adoption of operating rules which set requirements to assure efficiency for HIPAA Electronic Data Interchange (EDI) transactions; 2 directs health plans to certify they are complying with the HIPAA standard electronic transactions and operating rules; and penalizes health plans that fail to comply with the new requirements to certify their compliance to the Department of Health and Human Services (HHS). Background Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in HIPAA s administrative simplification provisions are intended to improve the efficiency and 1 See Legislative & Release Information releases LI-179R, LI-236, and LI-376 for more information on HIPAA s administrative simplification provisions. 2 The ACA requires the Department of Health and Human Services (HHS) to issue operating rules between July 1, 2011 and July 1, 2014 for the following HIPAA EDI transactions: (a) eligibility for a health plan, (b) health care claims status; (c) electronic funds transfer & electronic remittance advice (ERA); (d) health care claims or equivalent encounter information; (e) health care claims attachment; (f) enrollment and disenrollment in a health plan; (g) health plan premium payment; and (h) referral certification and authorization. A separate ACA requirement still being implemented is the use of a Health Plan Identifier (HPID) by HIPAA covered entities in all electronic data interchange transactions. (See Legislative & Release Information release LI-449 for more information). 3 P.L Legislative & Regulatory Information 2014 Metropolitan Life Insurance Company

2 2 effectiveness of the health care system by requiring health care providers, health plans and health care clearinghouses to use uniform standards when processing health care transactions electronically, while at the same time safeguarding the health information contained in these transactions. HIPAA requires HHS to issue regulations adopting uniform standards for electronic health care transactions, privacy, security and unique identifiers. Prior Legislative & Regulatory Information releases have described and analyzed regulations issued by HHS relating to HIPAA. See Releases LI-179R (electronic transactions); LI-187 (privacy); LI-202 (HHS privacy guidance); LI-207 (ASCA EDI delay law); LI-217 (standard employer identifier); LI-221 (modifications to privacy rule); LI-233 (security); LI-236 (EDI modifications); LI-243 (HHS EDI guidance); LI-261 (national provider identifier); LI-308 (final enforcement rule); LI-374 (federal stimulus law); LI-376 (electronic transaction standards modifications); LI-377 (ICD-10); LI-386 (protected health information technical safeguards); LI-388 (security breach guidelines); LI-449 (HPID, delay of ICD-10 compliance date & national provider identifier changes); and LI-457 (New HIPAA Privacy and Security Omnibus Rule). On December 24, 2009, the United States Senate (Senate) passed the Patient Protection and Affordable Care Act (ACA), which was later passed by the United States House of Representatives (House) on March 21, An amendment bill, the Health Care and Education Reconciliation Act, was also passed by the House on March 21. President Obama signed the ACA on March 23, The ACA was reconciled with the amendment bill by the Senate on March 25, 2010, and signed by President Obama on March 30, Section 1104 of the ACA includes new HIPAA related requirements with the goals of improving the quality and efficiency of health care; creating uniformity in electronic transactions used across the health care industry; and reducing costs in using these electronic transactions. Significant Terms A Controlling Health Plan or CHP is a health plan that either: 1. exercises control over its own business activities, actions, or policies; or 2. is controlled by a non-health plan entity and, if it has one or more Subhealth plans, exercises sufficient control over the Subhealth plan(s) to direct its/their business activities. Electronic data interchange (EDI) is the electronic transfer of information between health plans, heath care clearinghouses and health care providers (e.g., an electronic transmission of a health claim). Health Plan Identifier or HPID is a unique 10 digit numeric identifier which must be obtained by health plans from HHS, and which must be used in HIPAA EDI transactions. 4 The ACA has also been referred to as PPACA, healthcare reform and Obamacare.

3 3 Operating Rules are necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications. A Standard EDI Transaction is an electronic transaction which has been established as being necessary for conducting health care business. This transaction complies with the adopted national standard. Analysis In an effort to improve the efficiency of the health care system, the ACA provides more guidance for the administrative simplification provisions which started when HIPAA was first enacted. The ACA created two new electronic Standard EDI Transactions, an Operating Rule for each Standard Transaction, and a new requirement that health plans certify they meet the Standard EDI Transactions and their associated Operating Rule requirements. Each is discussed below. New Standard EDI Transactions The original HIPAA administrative simplification regulation issued in 2000 established eight national Standard EDI Transactions. 5 Many health plans and providers now process their business electronically, thanks to these Standard EDI Transactions. The ACA established two new Standard EDI Transactions: Electronic Funds Transfer Transaction (EFT): An EFT is the transfer of money from one bank account to another. For example, a doctor is paid by the health insurer using EFT. Health Care Claims Attachments: This transaction allows providers to attach information needed to process a claim. For example, a doctor includes x-rays to justify the treatment of a fracture. Operating Rules The ACA required HHS to establish Operating Rules for each Standard EDI Transaction. These Operating Rules provide additional rules and guidance to assure consistency across the health care industry. HHS is issuing these Operating Rules several at a time, as discussed below. 6 Eligibility and Health Care Claim Status Operating Rules: HHS issued an interim final rule on July 8, 2011 adopting Operating Rules for two Standard EDI Transactions 7 as follows: eligibility for a health plan, which includes verifying if a patient has sufficient coverage, type of coverage, amount of deductible, co-pay, etc.; and health care claim status, which provides the stage of a health claim (e.g., if a claim is pending, denied, approved, settled, etc.). 5 The eight Standard EDI Transactions from 2000 are: (a) health care claims or equivalent encounter information; (b) eligibility for a health plan; (c) referral certification and authorization; (d) enrollment and disenrollment in a health plan; (e) health care payment and remittance advice; (f) health plan premium payments; (g) health care claim status; and (h) coordination of benefits. In addition, see Legislative & Release Information releases LI-179R, LI-236, and LI-376 for more information on these standards. 6 For details on all operating rules required under the ACA, see Footnote 2 above. 7 See 45 C.F.R. Parts 160 and 162; 76 F.R

4 4 Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA) Operating Rules: HHS issued the interim final rule for the EFT and ERA Operating Rules on January 10, Among other things, it specifies, how an EFT made by a health plan can be reconciled with the corresponding ERA. ERA is the information that goes along with the EFT. For example, when a claim payment is reduced from the full claim amount, an ERA advice transaction containing an explanation is sent along with the payment to the doctor. Future Operating Rules: The Operating Rules are expected to be issued by HHS between January 1, 2014 and July 31, for the following Standard EDI Transactions: (a) health care claims; (b) health care claims attachments; (c) enrollment and disenrollment in a health plan; (d) health plan premium payment; and (e) referral certification and authorization. Certification All Controlling Health Plans are required to certify that that they are in compliance with the Standard EDI Transactions and Operating Rules 10. As part of the certification process, Controlling Health Plans must also provide evidence demonstrating their compliance. Controlling Health Plans must certify they have implemented the HIPAA Omnibus Rule 11 requirements, and the following Standard EDI Transactions and Operating Rules: (a) eligibility for a health plan; (b) health care claims status; and (c) EFT and ERA. 12 After the first certification, Controlling Health Plans will have to submit a second certification that they have implemented the following Standard EDI Transactions and Operating Rules: (a) health care claims; (b) health care claims attachments; (c) enrollment and disenrollment in a health plan; (d) health plan premium payment; and (e) referral certification and authorization. 13 Penalties The ACA imposes penalties on Controlling Health Plans for failing to comply with the certification requirements, and for knowingly providing inaccurate or incomplete information to HHS: Non-Implementation of HIPAA EDI Transactions & Operating Rules: Controlling Health Plans will be subject to a fine of $1.5 million per year if they have not implemented requirements of the Standard EDI Transactions and their associated Operating Rules which are in effect. 8 See 45 C.F.R. Parts 160 and 162; 77 FR While the ACA dates have not changed, HHS has indicated it will issue the regulations in late Health plans will also be required to certify that their business associates are in compliance with this regulation. 11 The HIPAA Omnibus Rule imposed additional privacy and security obligations on HIPAA covered entities. See Legislative & Release Information release LI-457 for more information on the requirements of the HIPAA Omnibus Rule. 12 HHS issued a proposed rule on January 2, 2014, regarding the first part of the Health Plan Certification, with comments due back to HHS by March 3, As a result of the late publication of this rule, HHS is proposing new compliance dates for health plans to certify their compliance (See 45 C.F.R. Parts 160 and 162; 79 F.R ). 13 The second health certification which originally had a compliance date of 12/31/2015 will now most certainly be extended, in view of the extension of the compliance date for the first health certification.

5 5 Health Plan Certification: If a Controlling Health Plan fails to meet the certification requirements, HHS may assess penalties of $1 on each covered life 14 per day until the certification is complete, subject to an annual maximum of $20 per covered life and $40 per covered life for deliberate misrepresentation. Compliance Dates The ACA contains a number of different compliance dates as follows: New Standards or Regulations Electronic Funds Transfer 1/1/2014 Health Care Claims Attachment 1/1/2016 Operating Rules Eligibility for a health plan 1/1/2013 Health Care Claims Status 1/1/2013 Electronic Funds Transfer & Remittance Advice 1/1/2014 Health Care Claims 1/1/2016 Health Care Claims Attachment 1/1/2016 Enrollment & Disenrollment 1/1/2016 Health plan premium payment 1/1/2016 Referral Certification and Authorization 1/1/2016 Certification Certification dates are yet to be finalized. 15 For the first certification, HHS has proposed a compliance date of December 31, 2015 for Controlling Health Plans that obtain an HPID before January 1, For those Controlling Health Plans that obtain an HPID on or after January 1, 2015, HHS has proposed a compliance date of December 31, HHS will announce the compliance date for the other certification once it issues the accompanying regulation. 14 The proposed rule has defined a covered life as a person insured by a major medical policy (i.e., an insurance policy that covers accident and sickness and provides outpatient, hospital, medical and surgical expense coverage). See 45 C.F.R. Parts 160 and 162; 79 F.R For the first certification, HHS has proposed a compliance date of December 31, 2015 for Controlling Health Plans that obtain an HPID before January 1, For those Controlling Health Plans that obtain an HPID on or after January 1, 2015, HHS has proposed a compliance date of December 31, HHS will announce the compliance date for the other certification once it issues the accompanying regulation.

6 6 Impact All Controlling Health Plans must take steps to implement the new Standard EDI Transactions and Operating Rules by the compliance dates above. MetLife is taking appropriate steps to assure MetLife s compliance with these new requirements. This LEGISLATIVE & REGULATORY INFORMATION release is not intended to supply legal advice or to offer solutions to individual problems. Those who require such advice should consult their attorneys.