April 3, 2014 Submitted Electronically Via Federal Rulemaking Portal: www.regulations.gov Centers for Medicare & Medicaid Services U.S. Department of Health and Human Services Attention: CMS-0037-P Room 445-G Hubert H. Humphrey Building 200 Independence Avenue, S.W. Washington, D.C. 20201 RE: Administrative Simplification: Certification of Compliance for Health Plans; Proposed Rule To Whom It May Concern: The U.S. Chamber of Commerce (the Chamber ) submits these comments in response to the Administrative Simplification: Certification of Compliance for Health Plans Proposed Rule ( Proposed Rule ) issued by the Department of Health and Human Services ( HHS ) Office of the Secretary. 1 Specifically, the Proposed Rule implementing Section 1104 of the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act of 2010 ( PPACA ) 2 would: Require a controlling health plan ( CHP ) to submit information and documentation demonstrating that it is compliant with certain standards and operating rules adopted by the Secretary of HHS under the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ); and Establish penalty fees for a CHP that fails to comply with the certification of compliance requirements. 3 The Chamber is the world s largest business federation, representing the interests of more than three million businesses and organizations of every size, sector and region, with substantial membership in all 50 states. More than 96 percent of the Chamber s members are small 1 Proposed Rule, 79 Fed. Reg. 298-324 (January 2, 2014) (to be codified at 45 C.F.R. pts 160 and 162.[hereinafter referred to as the Proposed Rule ] http://www.gpo.gov/fdsys/pkg/fr-2014-01-02/pdf/2013-31318.pdf 2 Patient Protection and Affordable Care Act, Pub. L. No. 111-148, 1104, 124 Stat. 119 (2010), amended by Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 10109, 124 Stat. 1029 (2010). 3 Proposed Rule, 79 Fed. Reg. at 298. 1
businesses with 100 or fewer employees, 70 percent of which have 10 or fewer employees. Yet, virtually all of the nation s largest companies are also active members. Therefore, we are particularly cognizant of the problems of smaller businesses, as well as issues facing the business community at large. Besides representing a cross-section of the American business community in terms of number of employees, the Chamber represents a wide management spectrum by type of business and location. Each major classification of American business manufacturing, retailing, services, construction, wholesaling, and finance is represented. These comments have been developed with the input of member companies with an interest in improving the health care system. OVERVIEW First, the Chamber submits this comment letter to urge HHS to significantly revise the improper and unfounded extension of certification of HIPAA compliance to employers offering selfinsured plans. It is important to note that although the Proposed Rule specifically extends this certification requirement to employers sponsoring self-insured plans and not to employers sponsoring fully-insured plans, 4 we would also similarly reiterate the same points if HHS were to require employers offering fully-insured plans to certify compliance as well. The majority of employers offering self-insured plans (as well as those employers offering fully-insured plans) do not regularly perform the standard transactions which these HIPAA requirements are designed to govern. Therefore, these plans must be permitted to rely on the certification of the third party entities with which they contract to perform these transactions. Second, in the interest of controlling cost and allowing for competition in the certification process, the Chamber urges HHS to not only allow issuers and vendors to self-attest that they are in compliance but to also allow other certifying entities to document compliance in addition to the Council for Affordable Quality Healthcare ( CAQH ). Third, the Proposed Rule s definition of major medical policies must clearly exclude supplemental and excepted benefits, as defined under HIPAA portability rules, as well as other health related accounts and benefits that have historically been categorized as non-major medical policies and do not perform the standard transactions the rule is designed to protect. Fourth, we strongly request an opportunity to review and comment on the final requirements for the HIPAA Credential prior to publication of those requirements in a final rule. I. IMPROPER APPLICATION OF THE CERTIFICATION REQUIREMENT There is a tremendous disconnect between HHS s apparent perceived benefit of the inclusion of self-insured plans as a CHP and the true reality of potential risk and unnecessary cost associated with such inclusion. To demonstrate this disconnect, we point out the first and last sentences of a paragraph in the Proposed Rule where HHS discusses CHP s Responsibilities with respect to 4 Proposed Rule, 79 Fed. Reg. at 316. In the HPID final rule (77 FR 54696), we identified 12,000 self-insured group health plans, 1,827 health insurance issuers, and 60 government health plans that might meet the definition of health plan. This statement suggests that since the number of employers offering fully-insured plans is not included in the income analysis, that the Proposed Rule is only imposing the certification requirement on employers offering self-insured plans. 2
entities conducting transactions on its behalf. 5 The paragraph starts with the decision that Although we considered requiring CHP s to require their Business Associates ( BAs ) to comply directly with the requirements, we are not pursing that option. 6 However, HHS concludes that very paragraph by stating that it believes that Section 1173(h)(30) of the Act places no new requirements or burdens that are not already accounted for. 7 It seems incomprehensible that HHS would not allow a self-insured plan, which contracts out virtually all administrative functions and transactions, to rely on the certification of the vendors or business partners that perform these actions. Given that HIPAA has historically defined Covered Entities as a health plan, a health care clearing house and a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction, to impose compliance certification on a self-insured plan that does not transmit health information electronically in connection with HIPAA transactions is a dramatic and significant change. 8 We urge HHS and the Secretary to recognize that for the majority of self-insured plans, the Proposed Rule s requirements are impossible to satisfy. For example, documentation of testing with providers is something never done by self-insured plans that contract out all of their administrative services. Under business arrangements where HIPAA standard transactions for a self-insured plan are processed by another entity, the self-insured plan must by virtue of the arrangement rely on the other entity to do so in a compliant manner. For this reason, it is only appropriate to allow the self-insured plan to rely on certifications obtained by this other entity processing the transactions to satisfy the evidence of these requirements. In relying on these entities and their documentation of certification of compliance, an employer should not be held liable or assessed a penalty for any misrepresentation or failure to satisfy the compliance requirements on the part of the entity performing the transactions. Similarly, it will be incredibly difficult for entities that perform these transactions to certify to a standard of perfect compliance. In the final rule, rather than requiring the entities conducting the transactions to attest to perfect compliance, HHS should instead ask entities to attest to substantial compliance. Certification to perfection would be an unfair and costly burden. With massive information technology systems impacted, combined with new and upcoming requirements related to operating rules and health plan certification, the potential for good faith error is high. An entity conducting these transactions on behalf of employers should be able to correct errors made in good faith, without being penalized first. If not addressed, these could lead to increased and unnecessary healthcare administrative costs for all parties. Another disconnect is the Proposed Rule's underestimation of the number of self-insured groups. The approach in the Proposed Rule with respect to enumerating the covered lives in each group and then using this as a basis for imposing certification requirements and penalties would be administratively burdensome and could also cause a significant shifting of risk between plan 5 Proposed Rule, 79 Fed. Reg. at 309. 6 Ibid. 7 Ibid. 8 Proposed Rule, 79 Fed. Reg. at 299 (emphasis added). 3
administrators and self-insured plan sponsors that has not been recognized or accounted for in the proposed rule. CMS should re-examine its approach and seek additional input from stakeholders on ways to minimize the administrative burden and costs imposed by the Proposed Rule. II. ADVANCE THE PURPORTED GOAL OF ADMINISTRATIVE SIMPLIFICATION Given that 1104 of the PPACA amends HIPAA to include these new Administrative Simplification requirements for the purpose of reduc[ing] the clerical burden on patients, health care providers and health plans, 9 we urge HHS to consider two important alternatives to include in the Final Rule which will advance this goal. First, HHS should permit employers to self-attest that they are not directly conducting any of the HIPAA transactions and that those transactions are being conducted on behalf of the employer by a service provider. Second, HHS should reverse its decision to allow the entity developing the operating rules to also be the sole source to certify compliance with those operating rules that it developed. This not only reeks of conflict of interest but will hold plans and entities captive to only one certifying body and the fees that it may charge. Instead, HHS should permit other entities to engage in the certification process. III. CLARIFY DEFINTION OF MAJOR MEDICAL POLICY In the Final Rule, HHS should clarify that excepted benefits including stand-alone dental and vision coverage, accident only coverage, specified disease and supplemental health indemnity coverage, flexible spending accounts, health savings accounts, and health reimbursement arrangements as well as certain employer wellness programs and employee assistance programs are excluded from the definition of major medical policies. First, any benefit that qualifies under an excepted benefit for purposes of the HIPAA portability rules should be clearly exempt from inclusion in the definition of major medical policies. The majority of these types of ancillary or limited benefits do not typically get processed using standard transactions and should be exempt from these certification requirements. Second, only plans that conduct the HIPAA standard transactions for which this rule is designed should be subject to these certification and filing requirements. Clarification that the certification requirements (and not just the penalty provisions) do not apply to excepted benefit coverage would be helpful. IV. FINAL RULE The Proposed Rule explains that in addition to certification from CAQH, entities may obtain a HIPAA Credential from CAQH CORE which is currently being developed. While we appreciate the statement that if the final HIPAA Credential differ in any material way 10 from the way described process, a comment period for this topic would be permitted, we urge a more formal comment period for this topic prior to publication of the Final Rule. As only one of two ways for CHPs to demonstrate compliance for the first certification, the process for the HIPAA Credential is very important and its development should subject to public comment prior to finalization. 9 Patient Protection and Affordable Care Act, Pub. L. No. 111-148, 1104(a)(2), 124 Stat. 119 (2010), 10 Proposed Rule, 79 Fed. Reg. at 305. 4
CONCLUSION The Chamber urges HHS to reconsider elements of the Proposed Rule and first and foremost, allow employers offering self-insured (and fully-insured plans) to rely on certification of the entities and vendors with which they contract to perform these transactions. It would contradict the very purpose of the Administrative Simplification section to require employers that do not perform these transactions to certify that the transactions performed by other entities on their behalf comply with the standards and operating rules that these employers do not themselves conduct. The Final Rule must: permit employers to self-attest to compliance if the vendors with whom they contract to perform the transactions are certified; allow additional entities to certify compliance; appropriately define major medical policies, and; seek stakeholder in-put in the development of the final HIPAA Credential requirements. We look forward to continuing to work together in the future to reduce unnecessary administrative burdens with the goal of improving efficiencies and reducing costs. Sincerely, Randel K. Johnson Senior Vice President Labor, Immigration, & Employee Benefits U.S. Chamber of Commerce Katie Mahoney Executive Director Health Policy U.S. Chamber of Commerce 5