HHS Proposes to Rescind HIPAA Health Plan Identifier (HPID) Rules

Practical Law Legal Update w-018-1748 (Approx. 5 pages)

HHS Proposes to Rescind HIPAA Health Plan Identifier (HPID) Rules

by Practical Law Employee Benefits & Executive Compensation

The HPID Requirement

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required HHS to adopt a standard HPID as part of a system of requirements to transmit health information electronically (see Practice Note, HIPAA Electronic Transactions Under the ACA). Among other purposes, the identifier for health plans was intended to reduce clerical errors. In 2010, the Affordable Care Act (ACA) renewed the HPID requirement by directing HHS to issue final regulations establishing HPIDs, based on input from a federal advisory committee called the National Committee on Vital and Health Statistics (NCVHS).

In September 2012, HHS issued final regulations that:

Adopted a unique standard HPID for use in HIPAA transactions.
Included an "other entity identifier" (OEID) for non-health plan entities, including third-party administrators (TPAs).

(See Practice Note, Health Plan Identifiers.)

However, the September 2012 final regulations met with resistance from industry stakeholders, including health plans and insurers, many of whom had begun relying on Payer IDs (rather than HPIDs) in their HIPAA transactions. A Payer ID is one of several identifiers used to denote payers in a HIPAA transaction (for example, the National Association of Insurance Commissioners' (NAIC) company code).

Industry associations and the NCVHS provided feedback to HHS that challenged the need for HPIDs. This feedback, which included formal NCVHS recommendations (June 2014):

Noted confusion regarding:
- how certain aspects of the September 2012 final regulations, such as the controlling health plan (CHP) and sub-health plan (SHP) definitions, would be implemented (see Practice Note, Health Plan Identifiers: Controlling Health Plans); and
- whether use of the HPID was necessary for group health plans that do not conduct HIPAA transactions.
Questioned the need for (and purpose of) HPIDs and OEIDs, particularly in light of accompanying systems difficulties and implementation costs.
Expressed concern that HPIDs might replace Payer IDs, which had become widely used by covered entities.

In response to these concerns, HHS in October 2014 announced an enforcement delay "until further notice" of the use of HPIDs in HIPAA transactions (see Practice Note, Health Plan Identifiers: Effective Date; Enforcement Delayed Until Further Notice: Delayed Enforcement (October 2014)). This nonenforcement policy has been effective since October 31, 2014 (see Legal Update, Last-Minute Delay in Health Plan Identifier Enforcement).

In May 2015, HHS issued a request for information (RFI) concerning:

The HPID enumeration structure outlined in the September 2012 final regulations, including the CHP, SHP, and OEID concepts.
Whether changes to the nation's health care system since September 2012 had undercut the need for an HPID standard.

Comments in response to the RFI overwhelmingly recommended that the HPID not be required in HIPAA transactions. One commenter, for example, indicated that converting from (or mapping) Payer IDs to the HPID could result in:

Misrouted HIPAA transactions and disrupted claims procedures.
Great expense that would not be offset by an accompanying HPID value-add.

Industry leaders raised similar concerns in a May 2017 NCVHS hearing on HPID issues, at which testifiers agreed, almost unanimously, that HHS should rescind the HPID and OEID rules. In June 2017, the NCVHS formally recommended that HHS rescind its September 2012 final regulations.

Proposed Regulations Would Rescind HPID and OEID Requirements

Based on both NCVHS's recommendation and "overwhelming and persistent industry input," HHS concluded in its December 2018 proposed regulations that the HPID and OEID do not, and cannot, serve the purpose for which they were originally adopted. As a result, the proposed regulations would remove:

The standard unique health identifier for health plans (under Subpart E of 45 C.F.R. Part 162).
The CHP and SHP definitions (45 C.F.R. § 162.103).

Practical Impact: Undoing the September 2012 Final Regulations

As HHS acknowledges in proposing to do away with its September 2012 HPID final regulations, few in the industry had taken steps to implement those rules anyway (particularly following HHS's October 2014 nonenforcement policy). That said, two legislative enactments – HIPAA and the ACA – called for adoption of a standard unique health plan identifier. HHS therefore goes to great lengths in its proposed regulations to explain why implementing the HPID became unworkable and inconsistent with the evolving industry practice for HIPAA transactions. As HHS notes, for example, the industry had success developing best practices using Payer IDs to conduct HIPAA transactions, and those practices could not easily be mapped to the HPID. These practices reflect the reality that the payer, rather than the health plan, is the entity that needs to be identified in HIPAA transactions.

If the proposal to rescind the September 2012 regulations is finalized, HHS will:

Deactivate each HPID and OEID record in the Health Plan and Other Entity Enumeration System (HPOES) on behalf of each enumerated entity.
Notify the manager of record at the current email address in the system (rather than having each entity deactivate their HPIDs and OEIDs).

(Regarding the HPOES, see Practice Note, Health Plan Identifiers: Identifiers Must Be Issued Through the Enumeration System.)

HHS would store the numbers for seven years consistent with federal recordkeeping rules, and health plans that acquired HPIDs and OEIDs could retain and use these identifiers at their own discretion.

Comments on the proposed regulations must be submitted on or before February 19, 2019.

HHS Proposes to Rescind HIPAA Health Plan Identifier (HPID) Rules | Practical Law