Click here for a printer-friendly version.


HPIDs Generally Required by November 5, 2014

A health plan identifier (“HPID”) is a numeric code that will be used to identify a health plan1 in HIPAA electronic transactions. Per final HHS regulations,2 health plans that qualify as “controlling health plans” (CHPs) must obtain an HPID by November 5, 2014-small plans3 have an additional year. Plans that qualify as “subhealth plans” (SHPs) may, but are not required to, obtain their own HPIDs.

CHP is a health plan that:

  • controls its own business activities, actions, or policies; or
  • (i) is controlled by an entity that is not a health plan, and (ii) if it has a SHP, exercises sufficient control over the SHP to direct its business activities, actions, or policies.

SHP is a health plan whose business activities, actions, or policies are directed by a CHP.

In the preamble to the final regulations, HHS explained why it distinguishes between CHPs and SHPs for purposes of the HPID requirement:

Health plans today have many different business structures and arrangements that affect how health plans are identified in standard transactions. There is often a ”parent” corporation that meets the definition of health plan, which may be controlled by entities, such as holding companies, that do not meet the definition of health plan. This ”parent” health plan may own and operate several other entities and organizations, which may also meet the definition of a health plan. While these individual health plans that are owned by the same ”parent” corporation may have their own EIN or NAIC number, they may all use a single identifier in covered transactions because of data processing arrangements. In these situations, some health plans may not need to be identified separately in covered transactions, and may not need their own health plan identifier. To differentiate between health plan entities that would be required to obtain an HPID, and those that would be eligible, but not required, to obtain an HPID, we proposed and are adopting in this final rule, to categorize health plans as controlling health plans (CHPs) and subhealth plans (SHPs).4  Beginning November 7, 2016, HPIDs must be used in all electronic transactions where identification of a health plan is required and the plan has an HPID. HHS anticipates that use of HPIDs will help streamline claims processing and other electronic transactions.

The final regulations also allow (but do not require) third-party administrators and other non-covered entities to obtain their own identifier, called an “other entity identifier” (OEID).

HHS has an online system for applying for HPIDs and OEIDs. For details on the application process, see:
. As November 5th is the deadline for obtaining (versus applying for) an HPID, CHPs should begin the application process well in advance.

Proposed Regulations Issued Regarding First HIPAA Certification

The Affordable Care Act requires health plans obtain two separate certifications that they comply with the HIPAA electronic transaction standards and operating rules. The first certification will cover the following standard transactions: (1) eligibility, (2) claim status, and (3) electronic funds transfers and electronic remittance advice. The second certification will cover: (1) claims and encounter information, (2) enrollment and disenrollment, (3) premium payments, (4) claims attachments, and (5) referrals and authorizations.

In January 2014, HHS issued proposed regulations regarding the first certification.5  If the proposed regulations are finalized without change, most CHPs (on behalf of themselves and their SHPs, if any) would have to obtain and submit their first certification to HHS by December 31, 2015.6  The certification process is through a third party-the Council for Affordable Quality Healthcare (CAQH)-and involves a fee and electronic transaction testing. HHS proposed penalties of $1 per covered life per day (capped at $20 per covered life) for CHPs that do not timely submit a certification. Higher penalties would apply if the CHP knowingly provided inaccurate or incomplete information.

According to the preamble to the proposed regulations, a CHP is responsible for submitting the certification even if most or all of its electronic transactions are performed by business associates. Therefore, these plans should confirm that their business associates are contractually required to comply with the electronic transaction rules, and may also want to require business associates timely perform any testing needed to obtain the certification.

HHS has not yet issued guidance regarding the second certification.

ICD-10 Compliance Delayed Until October 1, 2015

The ICD-107 contains procedures and diagnoses that were not included in its predecessor (the ICD-9), and should allow for greater specificity in electronic transactions with respect to diagnoses and preventive care. The ICD-10 was set to go into effect October 1, 2014, but recent legislation required HHS delay a year. HHS announced that it will be issuing regulations reflecting the October 1, 2015 compliance date and requiring covered entities continue using the ICD-9 through September 30, 2015.8

Not intended as legal advice.

  1. For purposes of the HIPAA electronic transaction rules, “health plan” is broadly defined and includes insurers as well as employer-sponsored group health plans. See 45 CFR § 160.103.
  2. The final regulations are available at: <a href=” href=” mce_href=”>
  3. For this purpose, a “small health plan” is one with annual receipts of $5 million or less. 45 CFR § 160.103.
  4. 77 Fed. Reg. 54664, 54667 (Sept. 5, 2012).
  5. The proposed regulations are available at:
  6. However, a CHP that obtained its HPID in 2015 (e.g., a small health plan) or 2016 (e.g., a new health plan) would have to submit its first certification within a year of obtaining the HPID.
  7. The International Classification of Diseases, 10th Ed. diagnosis and procedure codes.
  8. HHS’ brief announcement is available at: