HHS Withdraws HIPAA Certification Requirements


Volume 40 | Issue 126

HHS announced that effective October 4, 2017, it was withdrawing the proposed rule requiring controlling health plans to demonstrate compliance with certain standards and operating rules under HIPAA. It also announced it will re-examine the issues raised in public comments and explore alternatives to comply with the statutory requirements.


HHS issued proposed regulations on January 2, 2014 that would have required a controlling health plan (CHP) to demonstrate that it complied with certain HIPAA operating standards. (See our August 26, 2014 For Your Information.) The proposed rule also set forth penalties for failure to comply with the certification requirements.

The operating standards apply to three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice – activities usually conducted by business associates and not the plan sponsor. The proposed rule would have required the CHP to demonstrate compliance by obtaining certifications under rules promulgated by the Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE). Some employers maintain a single self-funded plan for several types of coverage such as medical, dental and vision with separate claims administrators. Others maintain multiple plans (e.g., separate plans for actives and retirees or different classes of active employees). Certifications would have been required for each administrator who conducted any of the three transactions.

Proposed Rule Withdrawn

HHS reported that it had received approximately 72 public comments in response to the proposed rule. Noting the issues raised in those comments, the department announced that it was withdrawing the proposed rule in order to re-examine the issues and explore options and alternatives to comply with the statutory requirements.

In withdrawing the proposed rule, HHS noted that the requirements for covered entities to comply with all other HIPAA privacy and security regulations remain in effect.

In Closing

The proposed rule would have required sponsors of self-funded plans to follow a cumbersome process to certify compliance for standard transactions that would have been done by others, such as their claims administrators. Its withdrawal provides welcome relief, for now.

Produced by the Knowledge Resource Center of Conduent Human Resource Services

The Knowledge Resource Center is responsible for national multi-practice compliance consulting, analysis and publications, government relations, research, surveys, training and knowledge management. For more information, please contact your account executive or email fyi@conduent.com.

You are welcome to distribute FYI® publications in their entireties. To manage your subscriptions, or to sign up to receive our mailings, visit our Subscription Center.

This publication is for information only and does not constitute legal advice; consult with legal, tax and other advisors before applying this information to your specific situation.