HHS Rescinds HIPAA Health Plan Identifier (HPID) Rules | Practical Law

HHS Rescinds HIPAA Health Plan Identifier (HPID) Rules | Practical Law

In final regulations, the Department of Health and Human Services (HHS) has rescinded earlier rules governing health plan identifiers (HPIDs) (and their related implementation specifications and requirements), which were intended for use in standard electronic transactions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final regulations are effective December 27, 2019.

HHS Rescinds HIPAA Health Plan Identifier (HPID) Rules

Practical Law Legal Update w-022-6180 (Approx. 5 pages)

HHS Rescinds HIPAA Health Plan Identifier (HPID) Rules

by Practical Law Employee Benefits & Executive Compensation
Published on 30 Oct 2019USA (National/Federal)
In final regulations, the Department of Health and Human Services (HHS) has rescinded earlier rules governing health plan identifiers (HPIDs) (and their related implementation specifications and requirements), which were intended for use in standard electronic transactions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final regulations are effective December 27, 2019.
In final regulations, HHS has rescinded earlier rules governing health plan identifiers (HPIDs) (and their related HIPAA implementation specifications and requirements), which were intended for use in HIPAA standard electronic transactions (84 Fed. Reg. 57621 (Oct. 28, 2019); see Legal Update, Final Health Plan Identifier Rules Include Delayed Compliance and Implementation Dates). The final regulations are effective December 27, 2019.

HPID Requirements Criticized in "Overwhelming Industry Input"

HIPAA required HHS to adopt a standard HPID as part of requirements for transmitting health information electronically (see Practice Note, HIPAA Electronic Transactions Under the ACA). In 2010, the Affordable Care Act (ACA) renewed the HPID requirement by directing HHS to issue final regulations establishing HPIDs, based on input from a federal advisory committee called the National Committee on Vital and Health Statistics (NCVHS) (see Practice Note, Affordable Care Act (ACA) Overview: Electronic Transactions under HIPAA; Health Plan Identifiers).
In September 2012, HHS issued final regulations that:
  • Adopted a unique standard HPID for use in HIPAA electronic transactions.
  • Included an "other entity identifier" (OEID) for non-health plan entities, including third-party administrators (TPAs).
(See Practice Note, Health Plan Identifiers.)
However, the September 2012 final regulations met with significant resistance from industry stakeholders, including health plans and insurers, many of whom had begun relying on Payer IDs (rather than HPIDs) in their HIPAA electronic transactions. Payer IDs route electronic transactions and identify recipients of plan eligibility requests or entities responsible for paying claims.
In feedback to HHS, industry associations and the NCVHS challenged the need for HPIDs and OEIDs. This feedback, which included formal NCVHS recommendations (June 2014):
  • Noted confusion regarding:
    • how certain aspects of the September 2012 final regulations, such as the controlling health plan (CHP) and sub-health plan (SHP) definitions, would be implemented (see Practice Note, Health Plan Identifiers: Controlling Health Plans); and
    • whether use of HPIDs was necessary for group health plans that do not conduct HIPAA transactions.
  • Questioned the need for (and purpose of) HPIDs and OEIDs, particularly in light of accompanying systems difficulties and implementation costs.
  • Expressed concern that HPIDs might replace Payer IDs, which had become widely used.
In response to these concerns, HHS in October 2014 announced an enforcement delay "until further notice" of the use of HPIDs in HIPAA transactions (see Practice Note, Health Plan Identifiers: Delayed Enforcement (October 2014)). This nonenforcement policy has been effective since October 31, 2014 (see Legal Update, Last-minute Delay in Health Plan Identifier Enforcement).
In May 2015, HHS issued a request for information (RFI) concerning:
  • The HPID enumeration structure outlined in the September 2012 final regulations, including the CHP, SHP, and OEID concepts.
  • Whether changes to the nation's health care system since September 2012 had undercut the need for HPIDs.
Comments in response to the RFI overwhelmingly recommended that HPIDs not be required in HIPAA transactions. One commenter, for example, indicated that converting from (or mapping) Payer IDs to HPIDs could result in:
  • Misrouted HIPAA transactions and disrupted claims procedures.
  • Great expense that would not be offset by an accompanying HPID value-add.
Industry leaders raised similar concerns in a May 2017 NCVHS hearing on HPID issues, at which testifiers agreed, almost unanimously, that HHS should rescind the HPID and OEID rules. In June 2017, the NCVHS formally recommended that HHS rescind its September 2012 final regulations.
In December 2018, HHS issued proposed regulations to rescind the September 2012 final regulations (83 Fed. Reg. 65118 (Dec. 19, 2018)).

Final Regulations Rescind HPID and OEID Requirements

The final regulations, which adopt the proposed version with minor changes, remove:
  • The standard unique health identifier for health plans (under Subpart E of 45 C.F.R. Part 162).
  • The CHP and SHP definitions (45 C.F.R. § 162.103).

Deactivation Procedures

Following issuance of its final regulations, HHS will deactivate each HPID and OEID record in the "Health Plan and Other Entity Enumeration System" (HPOES) (that is, the system for assigning and managing identifiers) on behalf of adopting entities. (HPOES is part of HHS's "Health Insurance Oversight System" (HIOS), which is a web-based application for collecting and storing information about certain health plans and insurers.) The entities will not need to carry out deactivation themselves.
HHS will send all active HIOS users an email notice that explains HPID/OEID deactivation. HHS acknowledged that many HIOS users have not obtained HPIDs or OEIDs, but the agency wishes to reach a large number of potentially affected entities and individuals with its notice (in part because personnel may have changed over time). HPOES will remain open for 60 days after HPID/OEID deactivation so that users may collect data about their HPIDs or OEIDs.
HHS will also:
  • Post a notice on the HPOES and Centers for Medicare & Medicaid Services (CMS) websites regarding the deactivation (including help desk information and an HHS email for requesting assistance).
  • Update the CMS website with information about deactivation activities and a related timeline.
In addition, HHS plans to store the deactivated numbers for seven years (consistent with federal recordkeeping rules) and allow entities with HPIDs and OEIDs to use these identifiers at their own discretion.
Acknowledging that adoption of a standard unique health plan identifier is a statutory requirement, HHS plans to consult with industry stakeholders before adopting a standard identifier in the future.

Practical Impact

The effectiveness of Payer IDs in avoiding transaction routing issues appears to have rendered HPIDs an unnecessary, expensive, and potentially confusing burden for plans, payers, and health providers. According to HHS, these entities (and others) commented favorably on the government's decision to rescind the identifier regulations. Rescission of the HPID rules should also be welcome news to TPAs, who often carry out health care transactions (such as eligibility determinations, claims status, or electronic funds transfers (EFTs) and remittance advice) on behalf of health plans (see Practice Note, HIPAA Electronic Transactions Under the ACA: Electronic Funds Transfers and Remittance Advice).