Administrative Simplification: Certification of Compliance for Health Plans
Federal Information & News Dispatch, Inc. |
Proposed rule.
CFR Part: "45 CFR Parts 160 and 162"
RIN Number: "RIN 0938-AQ85"
Citation: "79 FR 298"
Document Number: "CMS-0037-P"
"Proposed Rules"
SUMMARY: This proposed rule would require a controlling health plan (CHP) to submit information and documentation demonstrating that it is compliant with certain standards and operating rules adopted by the Secretary of
   DATES: To be assured consideration, comments must be received at one of the addresses provided, no later than
   ADDRESSES: In commenting, please refer to file code CMS-0037-P. Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission.
   You may submit comments in one of four ways (please choose only one of the ways listed):
   1. Electronically. You may submit electronic comments on this regulation to http://www.regulations.gov. Follow the "Submit a comment" instructions.
   2. By regular mail. You may mail written comments to the following address only:
   Please allow sufficient time for mailed comments to be received before the close of the comment period.
   3. By express or overnight mail. You may send written comments to the following address only:
   4. By hand or courier. Alternatively, you may deliver (by hand or courier) your written comments only to the following addresses prior to the close of the comment period:
   a. For delivery in
   b. For delivery in
   
   If you intend to deliver your comments to the
   Comments erroneously mailed to the addresses indicated as appropriate for hand or courier delivery may be delayed and received after the comment period.
   For information on viewing public comments, see the beginning of the SUPPLEMENTARY INFORMATION section.
   FOR FURTHER INFORMATION CONTACT:
   SUPPLEMENTARY INFORMATION:
   Inspection of Public Comments: All comments received before the close of the comment period are available for viewing by the public, including any personally identifiable or confidential business information that is included in a comment. We post all comments received before the close of the comment period on the following Web site as soon as possible after they have been received: http://www.regulations.gov. Follow the search instructions on that Web site to view public comments.
   Comments received timely will also be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, at the headquarters of the
I. Background
A. Introduction
   Many factors contribute to the high cost of health care in
   FOOTNOTE 2 "Technological Change and the Growth of Health Care Spending," A CBO Paper,
   FOOTNOTE 2 Morra, D., Nicholson, S., Levinson, W., Gans, D. N., Hammons, T., & Casalino, L. P. "U.S. Physician Practices versus Canadians: Spending Nearly Four Times as Much Money Interacting With Payers," Health Affairs: 30(8):1443-1450, 2011.
   Blanchfield, Bonnie B.,
   Although HIPAA standards and operating rules can reduce administrative burden, the health care industry has experienced difficulty transitioning to them by the regulatory compliance dates. Many in the industry attribute at least some implementation difficulties to the lack of a consistent testing process or framework before implementation of new standards and operating rules. This proposed rule is intended to serve as an initial step toward the development of a consistent testing process that will enable entities to better achieve and demonstrate compliance with HIPAA standards and operating rules.
   This rule proposes that controlling health plans (CHPs) must submit certain information and documentation that demonstrates compliance with the adopted standards and operating rules for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. Such documentation would be an indication that a CHP has completed some internal and external testing.
B. Legislative and Regulatory Background
   This section summarizes the legislative and regulatory history of standards, operating rules, and the enforcement processes in order to frame the process we refer to in this proposed rule as certification of compliance.
1. HIPAA Standards and Code Sets
   Section 1172(a) of the Social Security Act (the Act) provides that any standard adopted under HIPAA shall apply, in whole or in part, to the following persons, known as "covered entities": (1) A health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Covered entities are required to conduct as standard transactions all electronic transactions for which the Secretary has adopted a standard.
   In the
   In the
   In the
   In the
2. HIPAA Operating Rules
   Section 1173(g) of the Act was added by section 1104 of the Patient Protection and Affordable Care Act (Pub L. 111-148), enacted on
   The Council for
   FOOTNOTE 3 CAQH CORE Web site: http://www.caqh.org/pdf/CORE_MASTER_Presentation_4-15-08.pdf. END FOOTNOTE
   With consensus among health care industry stakeholder members, CAQH CORE, in 2008, developed two sets of operating rules for the eligibility for a health plan and health care claim status transactions (hereinafter referred to as Phase I and Phase II CAQH CORE Operating Rules). The operating rules built upon applicable HIPAA standard transaction requirements, and enabled providers to submit transactions from any system, facilitating administrative and clinical data integration. Numerous health care entities voluntarily adopted the Phase I and II CAQH CORE Operating Rules, and CAQH CORE demonstrated that the use of these rules yielded a positive return on investment for health plans and providers. /4/
   FOOTNOTE 4 CAQH CORE Web site: http://www.caqh.org/pdf/CORE_MASTER_Presentation_4-15-08.pdf. http://www.caqh.org/COREIBMstudy.php. END FOOTNOTE
   In August and September, 2010, the
   FOOTNOTE 5 Established by the
   FOOTNOTE
   After assessing its qualifications and the NCVHS's recommendation, the Secretary determined that CAQH CORE was qualified to be the operating rule authority entity for the eligibility for a health plan and health care claim status transactions. In the
   FOOTNOTE 7 CAQH CORE Phases I and II Operating Rules are available online at no charge at http://www.caqh.org/COREVersion5010.phb. END FOOTNOTE
   FOOTNOTE 8 Provisions of the Operating Rule IFC at 76 FR 40461. Information on the CAQH CORE Rules can be found at: http://www.caqh.org/CORE_phase1.php, http://www.caqh.org/CORE_phase2.php, and http://www.caqh.org/CORE_phase3.php. CAQH CORE FAQS can be found at: http://www.caqh.org/pdf/COREFAQsPartA.pdf for general information; <a href="http://www.caqh.org/pdf/COREFAQsPartC.pdf">http://www.caqh.org/pdf/COREFAQsPartC.pdf for Phase I and II. END FOOTNOTE
   On
   FOOTNOTE
   On
   FOOTNOTE 10 CAQH CORE FAQS for Phase III can be found at http://www.caqh.org/pdf/COREFAQsPartD.pdf. END FOOTNOTE
   The NCVHS recommended in
   FOOTNOTE 11
   FOOTNOTE
3. Current HIPAA Administrative Simplification Enforcement
   Under sections 1176 and 1177 of the Act, covered entities may be subject to civil money penalties (CMPs) and criminal penalties for violations of HIPAA Administrative Simplification rules. HHS administers the CMPs under section 1176 of the Act and the
   Section 1176(b) of the Act sets out limitations on the Secretary's authority and provides the Secretary certain discretion with respect to imposing CMPs. For example, this section provides that no CMPs may be imposed with respect to an act if a penalty has been imposed under section 1177 of the Act with respect to such act. This section also generally precludes the Secretary from imposing a CMP for a violation corrected during the 30-day period beginning when an individual knew or, by exercising reasonable diligence, would have known that the failure to comply occurred. The Secretary promulgated rules pertaining to compliance with, and enforcement of, the HIPAA Administrative Simplification rules that are codified at section 45 part 160, subparts C, D, and E, and collectively referred to as the Enforcement Rule.
   In the
   Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted on
   In the
   In the
4. HIPAA Administrative Simplification Enforcement Under the Affordable Care Act
   Section 1104 of the Affordable Care Act amended the Social Security Act by adding sections 1173(h) and (j). Section 1173(h) of the Act includes certification of compliance requirements for health plans, and requires the Secretary to conduct periodic audits of health plans and entities that have service contracts with health plans. Section 1173(j) of the Act establishes new penalties for health plans that fail to comply with the certification of compliance requirements.
5. Health Plan Certification of Compliance Requirements
   Section 1173(h)(1)(A) of the Act requires health plans to file a statement with the Secretary, in such form as the Secretary may require, by
   In similar fashion, section 1173(h)(1)(B) of the Act mandates, by
   The scope of this proposed rule is limited to the first certification of compliance. Because operating rules for the transactions listed in section 1173(h)(1)(B) of the Act have not yet been adopted, nor has a standard been adopted for health claims attachments, we cannot yet determine what documentation will be necessary to demonstrate compliance with those standards and operating rules. We will adopt certification of compliance requirements for the transactions listed in section 1173(h)(1)(B) of the Act, and for later adopted versions of standards and operating rules, in subsequent rulemaking.
Table 1--Standards and Operating Rules to Which the First Certification of Compliance Applies Transactions Standards Operating rules Eligibility for a ASC X12 Standards The following CAQH CORE Phase I and Health Plan for Electronic Phase II operating rules, excluding (request and Data Interchange where such rules reference and/or response)--Dental, Technical Report pertain to acknowledgements and CORE Professional, and Type 3--Health certification): Institutional Care Eligibility (1) Phase I CORE 152: Eligibility and Benefit Inquiry Benefit Real Time Companion Guide and Response Rule, version 1.1.0, March 2011, and (270/271), April CORE v5010 Master Companion Guide 2008, ASC Template. X12N/005010X279 (2) Phase I CORE 153: Eligibility and Benefits Connectivity Rule, version 1.1.0, March 2011. (3) Phase I CORE 154: Eligibility and Benefits 270/271 Data Content Rule, version 1.1.0, March 2011. (4) Phase I CORE 155: Eligibility and Benefits Batch Response Time Rule, version 1.1.0, March 2011. (5) Phase I CORE 156: Eligibility and Benefits Real Time Response Rule, version 1.1.0, March 2011. (6) Phase I CORE 157: Eligibility and Benefits System Availability Rule, version 1.1.0, March 2011. (7) Phase II CORE 258: Eligibility and Benefits 270/271 Normalizing Patient Last Name Rule, version 2.1.0, March 2011. (8) Phase II CORE 259: Eligibility and Benefits 270/271 AAA Error Code Reporting Rule, version 2.1.0. (9) Phase II CORE 260: Eligibility & Benefits Data Content (270/271) Rule, version 2.1.0, March 2011. (10) Phase II CORE 270: Connectivity Rule, version 2.2.0, March 2011. Eligibility for a Telecommunication Health Standard Plan--Retail Implementation Pharmacy Drugs Guide, Version D, Release 0 (Version D.0), August 2007, and equivalent Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), National Council for Prescription Drug Programs Health Care Claim ASC X12 Standards The following CAQH CORE Phase II Status for Electronic operating rules (updated for Version Data Interchange 5010), excluding where such rules Technical Report reference and/or pertain to Type 3--Health acknowledgements and CORE claim status certification: Request and (1) Phase II CORE 250: Claim Status Response Rule, version 2.1.0, March 2011, and (276/277), August CORE v5010 Master Companion Guide, 2006, ASC 00510, 1.2, March 2011. X12N/005010X212, (2) Phase II CORE 270: Connectivity and Errata to Rule, version 2.2.0, March 2011. Health claim status Request and Response (276/277), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, April 2008, ASC X12N/005010X212E1 Health Care ERA: ASC X12 The following CAQH CORE Phase III EFT Electronic Funds Standards for & ERA Operating Rule Set, approved Transfers (EFT) Electronic Data June 2012: and Remittance Interchange (1) Phase III CORE 380 EFT Enrollment Advice Technical Report Data Rule, version 3.0.0, June 2012. Type 3--Health (2) Phase III CORE 382 ERA Enrollment Care Claim Data Rule, version 3.0.0, June 2012. Payment/Advice (3) Phase III 360 CORE Uniform Use of (835), April 2006, CARCs and RARCs (835) Rule, version ASC 3.0.0, June 2012. X12N/005010X221 (4) CORE-required Code Combinations for CORE-defined Business Scenarios for the Phase III CORE 360 Uniform Use of Claim Adjustment Reason Codes and Remittance Advice Remark Codes (835) Rule, version 3.0.0, June 2012. (5) Phase III CORE 370 EFT & ERA Reassociation (CCD+/835) Rule, version 3.0.0, June 2012. (6) Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012, except Requirement 4.2 titled "Health Care Claim Payment/Advice Batch Acknowledgement Requirements". (7) ACME Health Plan, CORE v5010 Master Companion Guide Template, 005010, 1.2, March 2011 (incorporated by reference in S. 162.920), as required by the Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012. Stage 1 Payment Initiation: The National Automated Clearing House Association (NACHA) Corporate Credit or Deposit Entry with Addenda Record (CCD+) implementation specifications as contained in the 2011 NACHA Operating Rules & Guidelines: NACHA Operating Rules, Appendix One: ACH File Exchange Specifications; and NACHA Operating Rules, Appendix Three: ACH Record Format Specifications, Subpart 3.1.8 Sequence of Records for CCD Entries Data content in CCD Addenda Record: Accredited Standards Committee (ASC) X12 Standards for Electronic Data Interchange Technical Report Type 3, "Health Care Claim Payment/Advice (835), April 2006: Section 2.4: 835 Segment Detail: "TRN Reassociation Trace Number," Washington Publishing Company, 005010X221
   Section 1173(h)(2) of the Act provides that a health plan will not be considered to have met section 1173(h)(1) of the Act certification requirements unless it provides the Secretary adequate documentation of compliance that--
    * Demonstrates to the Secretary that it conducts the electronic transactions specified in section 1173(h)(1) of the Act in a manner that fully complies with the regulations of the Secretary; and
    * Shows that it has completed end-to-end testing for such transactions with its partners, such as hospitals and physicians.
   Section 1173(h)(3) of the Act extends the certification and submission requirements to entities that have service contracts with health plans, though the compliance onus remains on the health plan. In addition, the Secretary is authorized by section 1173(h)(4) of the Act to designate independent, outside entities to certify that health plans have complied with the certification requirements, so long as the certification standards used by these entities are in accordance with the standards and operating rules adopted by the Secretary.
6. Penalty Fees
   Section 1173(j) of the Act specifies penalties for health plans that fail to meet section 1173(h) certification and documentation of compliance requirements. Sections 1173(j)(1)(B) through (F) of the Act specify the amount of, and process for assessing, penalty fees against health plans. Section 1173(j)(1)(B) of the Act requires the Secretary to assess a
   Section 1173(j)(1)(D) of the Act directs that the penalty fees be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the Secretary. Finally, section 1173(j)(1)(E) of the Act caps the penalties that may be annually imposed on a health plan to
7. Notice, Dispute, and Penalty Process
   Sections 1173(j)(2) through (4) of the Act outline how the penalty fees are to be assessed and collected. Section 1173(j)(2) of the Act requires the Secretary to establish a process to assess penalty fees that provides a health plan with reasonable notice and a dispute resolution procedure prior to the Secretary of the Treasury sending a notice of assessment to a health plan.
   Section 1173(j)(3) of the Act directs the Secretary, by
8. Audits
   Section 1173(h)(6) of the Act states that the Secretary shall conduct periodic audits to ensure that health plans, including entities that have service contracts with health plans, are in compliance with the adopted standards and operating rules, as referenced in Table 1. The process and scope of these audits are not addressed in this proposed rule.
C. Certification of Compliance and Strategy for a Consistent Testing Processes
   Beyond the first certification of compliance, section 1173(h)(5) of the Act requires health plan certification for new and revised standards and operating rules adopted by the Secretary. We intend for future rulemakings in which we adopt new or modified standards and operating rules to also include certification of compliance processes for those new or modified standards and operating rules. We believe the benefit of including the certification of compliance requirements in those rulemakings is that it will move covered entities toward a consistent, industry-wide testing framework that, we believe, will support a more seamless transition to new and modified standards and operating rules.
   In recent years, the health care industry has experienced challenges in implementing the HIPAA Administrative Simplification requirements, such as Version 5010, ICD-10, and the operating rules for the eligibility for a health plan and health care claim status transaction, by the regulatory compliance dates. We have responded to industry's needs for additional time by delaying implementation or relaxing enforcement periods for the requirements, but such practices can be expensive to industry.
   While many factors may cause a covered entity to have difficulty implementing a new Administrative Simplification requirement, many in industry attribute some implementation issues to the lack of a consistent testing process or framework. /13/ The health care industry reports that testing is critical to ensure the integrity of internal application systems and confirm a system's capability to conduct compliant transactions. /14/ The NCVHS stated that a uniform testing process that included full end-to-end testing well before the compliance dates for Version 5010 would have identified issues that could have been mitigated in advance of the compliance date. /15/
   FOOTNOTE 13 Many of the assumptions in this section come from an NCVHS hearing held on
   FOOTNOTE 14 See "Transaction Compliance and Certification: A White Paper Describing the Recommended Solutions for Compliance Testing and Certification of the HIPAA Transactions," prepared by the Workgroup for Electronic Data Interchange (WEDI) Transactions Workgroup,
   FOOTNOTE 15 Ibid. END FOOTNOTE
   Ideally, certification of compliance, as mandated by section 1173(h) of the Act, should support a standardized process for demonstrating compliance. Such a standardized process for demonstrating compliance should require a health plan to undergo testing within a consistent, industry-wide framework that results in the ability to generate specific documents that demonstrate compliance. We believe such a process would solve some of the significant implementation issues the industry has experienced. The certification of compliance provisions we propose in this rule are the first step toward a standardized testing framework to support a more seamless transition to new and revised standards or operating rules.
II. Provisions of the Proposed Rule
A. Submission Requirements
   Section 1173(h) of the Act requires health plans to provide the Secretary, in such form as the Secretary may require, adequate documentation of compliance with the standards and operating rules. In accordance with section 1173(h) of the Act, we propose the information and documentation that controlling health plans (CHPs) would be required to submit to the Secretary for the first certification of compliance in the new regulation
   In the HPID final rule, we created two categories of health plans /16/ for purposes of specifying enumeration requirements for the health plan identifier (HPID): CHPs and subhealth plans (SHPs). In this proposed rule, we propose that CHPs, on behalf of themselves and their SHPs, if any, be responsible for submitting the information and documentation for the first certification of compliance under
   FOOTNOTE 16 The regulatory definition of health plan at 45 CFR 160.103 was initially adopted in the Transactions and Code Sets final rule. The basis for the additions to, and clarifications of, the statutory definition of health plan is further discussed in the preamble to the
   Under proposed
    * Its number of covered lives on the date it submits the documentation.
    * Documentation that demonstrates it has obtained either a CAQH CORE--
   ++ Certification Seal for Phase III CAQH CORE EFT & ERA Operating Rules (hereinafter referred to as a Phase III CORE Seal); or
   ++ HIPAA Credential for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice operating rules (hereinafter referred to as the HIPAA Credential).
   Collectively, these constitute the submissions, and we refer to the requirements to submit them to the Secretary as the "submission requirements." The submission requirements, as proposed in this rule, are a "snap shot" of a CHP's compliance with the standards and operating rules. Such information and documentation does not reflect continuing compliance, nor do we do intend the information or documentation to be updated or resubmitted on a regular basis.
   We are not, at this time, proposing the specific format for the submission requirements. We will likely require a CHP to submit its number of covered lives through an online form. We may require an electronic version or copy of a Phase III CORE Seal or the HIPAA Credential to be submitted online, or we may ask for a tracking number that links to CAQH CORE records of such. Information about the mechanics for meeting the submission requirements for the first certification of compliance will be forthcoming at or near the time the final rule is published.
1. Responsibilities of a CHP
   As previously noted, in
    * The number of covered lives of a CHP: The number of "covered lives of a CHP," as the term is proposed to be defined in
    * Documentation that demonstrates the CHP has obtained either a Phase III CORE Seal or the HIPAA Credential.
   In order to obtain the documentation for this submission requirement, a CHP, also representing all of its SHPs, would have to meet the CORE requirements necessary to obtain either a Phase III CORE Seal or the HIPAA Credential. We discuss this documentation requirement in more detail in section II.A.3 of this proposed rule.
   We believe the proposal that the CHP be responsible for meeting the submission requirements for itself and its SHPs is consistent with the framework of the HPID final rule. A CHP is defined at
   We note that a CHP's proposed obligations under
   We emphasize that state and federal government entities that meet the definition of a CHP must meet the requirements of this proposed rule and may be assessed penalty fees as described in the statute and in this rule; section 1173(h) of the Act provides no exemptions for state or federal government health plans.
2. Proposed Submission Requirements: Number of Covered Lives of a CHP
   Section 1173(j)(1) of the Act requires the Secretary to assess a penalty fee against a health plan that fails to meet the certification of compliance requirements of section 1173(h). Section 1173(j)(1) of the Act specifies the penalty fee amount, which is based on the covered lives of a health plan. Because we need to know the number of covered lives of a CHP (including the number of covered lives of its SHPs, if it has any) should circumstances require us to calculate penalty fees, we propose in
   We propose that the number of covered lives of a CHP submitted pursuant to
3. Proposed Submission Requirements: HIPAA Credential or Phase III CORE Seal
   We propose to require CHPs to choose among two options, the HIPAA Credential or a Phase III CORE Seal, as described in this section, to demonstrate compliance for the first certification of compliance.
   There are any number of reasons why a CHP may elect to obtain one of these options over the other. A CHP will find that one or the other better aligns with the implementation process it uses to implement new operating rules.
a. Process and Requirements for Obtaining HIPAA Credential
   We are proposing in
   The scope of the HIPAA Credential would only encompass the HIPAA-mandated standards and operating rules. For example, we have not adopted HIPAA standards and operating rules for acknowledgements, therefore the HIPAA Credential would not require attestation or compliance with respect to standards and operating rules regarding acknowledgements.
   To obtain the HIPAA Credential, a CHP would have to submit to CAQH CORE--
    * The CAQH CORE HIPAA Attestation Form (similar to the form required for the CORE Certification process, /17/ discussed in section II.A.3(b) of this proposed rule);
   FOOTNOTE 17 http://www.caqh.org/pdf/CLEAN5010/COREHIPAAForm.pdf, http://www.caqh.org/pdf/COREPIIHIPAAForm.pdf, and http://caqh.org/Host/CORE/EFT-ERA/CORE_PIII_HIPAA_Form.pdf, http://www.caqh.org/pdf/CLEAN5010/COREHIPAAForm.pdf, http://www.caqh.org/pdf/COREPIIHIPAAForm.pdf, and http://caqh.org/Host/CORE/EFT-ERA/CORE_PIII_HIPAA_Form.pdf for the Phase I, II, and III CAQH CORE HIPAA Attestation Forms respectively. END FOOTNOTE
    * An application form (similar to the form required to obtain a CORE Seal) with signature verifying that all forms have been submitted to CAQH CORE and indicating that HHS may view the application and associated forms if such a request is made to CAQH CORE; and
    * An attestation form, with features or requirements that would include the following:
   ++ Attestation, in which the CHP confirms that it has successfully tested the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions with trading partners. For each of the three transactions, the CHP must confirm that the number of transactions conducted with those trading partners collectively accounts for at least 30 percent of the total number of transactions conducted with providers. For each of the three transactions, the CHP must confirm that it has successfully tested with at least three trading partners, but if the number of transactions conducted with three trading partners does not account for at least 30 percent of the total number of transactions conducted with providers, the CHP could confirm that it has successfully tested with up to 25 trading partners. The CHP would have to list those trading partners.
   We do not define "successfully tested" in this proposed rule, or prescribe any specific kind or level of testing for the HIPAA Credential.
   ++ When a CHP attests that it has successfully tested with trading partners that, collectively, conduct at least 30 percent of the total number of transactions conducted with providers, it is representing itself and its SHPs. When calculating 30 percent of the transactions conducted with providers, the total of the CHP's and SHPs' transactions would be used.
   ++ The CHP would have to provide contact information, including, but not limited to, name, phone number, and email address, for each of the listed trading partners.
   ++ Trading partners may be transaction-specific. For example, a CHP may list the same or different trading partners for each of the three transactions, so a CHP may list three or more trading partners.
   ++ Trading partner testing would only be required for current HIPAA-mandated operating rules and standards, so trading partner testing would not be required for the use of acknowledgments, or optional aspects of standards.
   In reviewing CHPs' HIPAA Credential application packages, CAQH CORE will likely identify applications containing obvious errors, and not award the HIPAA Credential based on such information. CAQH CORE will also identify when required information, such as trading partner contact information, is missing in the HIPAA Credential application package.
   While CAQH CORE will likely identify obvious errors or missing information in the HIPAA Credential application package, CAQH CORE will not be responsible for addressing intent on the part of the CHP with regard to such errors or missing information. That is, CAQH CORE will not investigate what a CHP knew or didn't know when it submitted an inaccurate HIPAA Credential application package to CAQH CORE. Similarly, CAQH CORE will not address any claims that may be submitted to CAQH CORE about a CHP's intent behind any inaccuracies or incomplete information in a HIPAA Credential application; for example, CAQH CORE will not address claims that a CHP knowingly provided inaccurate or incomplete information in its HIPAA Credential application.
   Other aspects of the HIPAA Credential include:
    * Unlike the CORE Seals, it would only be offered to health plans.
    * The HIPAA Credential would not have a requirement for certification testing, as is required for a Phase III CORE Seal. The HIPAA Credential would not have a requirement to test with a third-party testing vendor.
    * The HIPAA Credential requires external testing; however, it does not require a specific approach to external testing, and, thus, does not directly support a consistent, industry-wide testing framework to the extent that a Phase III CORE Seal does. Thus, we view the HIPAA Credential as an initial step toward a consistent testing framework for CHPs that decide not to undergo the certification testing for a CORE Phase III Seal.
b. Process and Requirements for Obtaining a CORE Seal
   The three current CAQH CORE Operating Rule sets are referred to as phases: Phase I is the operating rule set for the eligibility for a health plan transaction; Phase II includes operating rules for both the eligibility for a health plan and the health care claim status transaction; and Phase III is the operating rule set for the health care electronic funds transfers (EFT) and remittance advice transaction. The Secretary has adopted the sets as the operating rules for the respective transactions, with the exceptions we describe in section I.B.2 of this proposed rule.
   CAQH CORE has developed separate certification testing requirements for each of the three phases of operating rules. Any health care entity that conducts the applicable electronic health care transactions may voluntarily undergo certification testing with an independent CORE-authorized testing vendor and a certification process through CORE to demonstrate compliance with the three phases. An entity that successfully completes the testing and submits the appropriate documentation to CAQH CORE is awarded a CORE Seal for the specific phase for which it tested. In order to be awarded a CORE Seal for all three phases, a CHP would be required to conduct certification testing for compliance with the requirements in Phases I, II, and III, which may be done chronologically or concurrently.
   We are proposing a Phase III CORE Seal as one of two options a CHP may choose to meet the submission requirements of the first certification of compliance. The preparation required to apply for, and the documentation required in order to be awarded, a CORE Seal for each phase reflects the kind of consistent internal and external testing and documentation of compliance that we believe will ameliorate many of the challenges industry has recently faced during transitioning to new standards and operating rules.
   Because we propose that CHPs may choose to obtain a CORE Seal to satisfy the requirements of proposed
   FOOTNOTE 18 Step-by step process for certification for Phase I and Phase II can be found at: http://www.caqh.org/CORE_step_by_step.php. END FOOTNOTE
    * Step 1: Conduct A Gap Analysis
   Entities that implement the CAQH CORE Operating Rules conduct a gap analysis in order to determine what system and business process changes may be necessary to ensure their data and information systems are remediated to address any gaps between existing system requirements and CORE Operating Rule requirements. (Certification testing is described later in this section.) Project managers, business analysts, system analysts, architects, and other key staff conduct the gap analyses, which include an inventory of the systems affected by the specific phase of operating rules and the drafting of a detailed project plan. CORE provides an analysis and planning guide as a gap analysis tool for each of its current phases. /19/
   FOOTNOTE 19 http://www.caqh.org/Host/CORE/CAQHCORE_Analysis&PlanningGuide.pdf and http://www.caqh.org/Host/CORE/CAQHCORE_EFT&ERA_Analysis&PlanningGuide.pdf. END FOOTNOTE
    * Step 2: Sign and Submit the CORE Pledge
   An authorized, executive-level employee of the entity that is applying for any of the three CORE Seals signs a binding CORE Certification Pledge to adopt, implement, and comply with the CAQH CORE Operating Rules. By signing the pledge, an entity commits to working with a CORE-authorized Testing Vendor to demonstrate that its product(s) or IT system(s) is operating in accordance with a specific phase of the CORE Operating Rules. (We discuss CORE-authorized Testing Vendors in more depth in section II.A.2.d of this proposed rule.) Testing with a CORE-authorized Testing Vendor must be completed within 180 days of signing the pledge, /20/ though extensions may be granted by signing and submitting a new pledge.
   FOOTNOTE 20 http://www.caqh.org/CORE_certification.php. END FOOTNOTE
    * Step 3: Testing by a CORE-authorized Testing Vendor using CORE Certification Master Test Suites (Certification Testing)
   CAQH CORE developed documents called CORE Certification Master Test Suites (Test Suites) for each of its three operating rule phases. The phase-specific Test Suites are operating rule and documentation requirements that an entity must meet to be awarded a CORE Seal for that phase.
   Test Scripts--which include a description of operating rule-by-operating rule requirements, as well as specific documentation or information necessary to demonstrate compliance with each operating rule requirement--are the primary tools in each phase-specific Test Suite. Tables 2 and 3 illustrate two examples of Test Scripts for two different operating rule requirements. Table 2 illustrates a test script from Phase I CORE 152 Companion Guide Rule Certification Testing and Table 3 illustrates a test script from Phase I CORE 154 Eligibility and Benefits (270/271) Data Content Rule Certification Testing. As illustrated by Table 2 and Table 3, each Test Script includes the following five columns:
    * Column 1--The criteria or description of the requirements of the rule.
    * Column 2--The expected result of a test of compliance with the rule. Entities upload documents or submit transaction files to CORE-authorized Testing Vendors that demonstrate they have met the requirements of each Test Script.
    * Column 3--The actual result that the entity found upon testing the rule (that is, whether the expected outcome was achieved).
    * Column 4--Indicates whether the entity was able to produce the expected result in terms of pass or fail.
    * Column 5--Indicates which stakeholder would be required to produce the expected result.
   For operating rules with requirements about data content, an entity would submit a transaction file to be tested in the CORE-authorized Testing Vendor's testing engine. Using the example of the Test Script illustrated in Table 3, an entity would be required to submit a transaction file, detailed in column 2, and receive a "pass" from the CORE-authorized Testing Vendor in column 4 indicating the file met the requirement.
   In other cases, an entity would submit other types of documents that demonstrate the expected result of the Test Script. Using the example of the Test Script illustrated in Table 2, an entity would be required to submit an electronic version of the table of contents of its ASC X12 v5010 270/271 companion document, including an example of the ASC X12 v5010 270/271 content requirements," to the CORE-authorized Testing Vendor in order for the vendor to give a "pass" to that test.
   The process of submitting documents or uploading files to CORE-authorized Testing Vendors is virtual, and an entity may access the CORE-authorized Testing Vendor's testing portal from a desktop computer.
   The certification testing, described here as a key step in obtaining a CORE Seal, would be conducted after an entity has conducted internal and external testing of the operating rules. CORE's standardized certification testing demonstrates that a consistent and standard IT system testing has been completed. Therefore, certification testing, such as that which is described here, reflects our intent of supporting an industry-wide consistent trading partner testing process or framework.
Table 2--Illustration A: Sample Test Scripts From Phase I Core Certification Test Suite Sample Test Script for Phase I Core 152 Companion Guide Rule Certification Testing Criteria Expected Actual Pass/fail Stakeholder result result Provid- Health Clear- N/A er plan ing house Companion Submission [ ] [ ] [ ] [ ] [ ] [ ] Document of the Pass Fail conforms Table of to the Contents flow and of the format of v5010 the CORE 270/271 master companion Companion document, Document including Template a example of the v5010 270/271 content require- ments
Table 3--Illustration B: Sample Test Scripts From Phase I Core Certification Test Suite A Test Script From Phase I Core 154 Eligibility and Benefits (270/271) Data Content Rule Certification Testing Criteria Expected Actual Pass/Fail Stakeholder result result Provid- Health Clear- N/A er plan ing house Create a Output a [ ] [ ] [ ] [ ] [ ] [ ] valid v5010 valid fully Pass Fail 271 response enveloped transaction v5010 271 as defined eligibility in the CORE response rule transaction indicating set with the the patient correct co- financial insurance, responsibil- co-payment, ity for each and of the deductible benefits patient covering the financial individual responsibil- (Key Rule ities for Requirement both in/out #6 through of network #18) in either EB08-954 or EB07-782 at either the subscriber loop 2110C or dependent loop 2100D levels
    * Step 4: Apply for a CORE Seal
   Once an entity successfully completes the certification testing with a CORE-authorized Testing Vendor, it submits an application package to CAQH CORE, and the CAQH CORE staff then reviews the application package prior to granting the appropriate CORE Seal. The application package includes the following:
   ++ Documentation from a CORE-authorized Testing Vendor demonstrating the entity's compliance with the phase-specific CAQH CORE Operating Rules through successful certification testing.
   ++ The CAQH CORE HIPAA Attestation Form, signed by a senior-level executive, indicating that, to the best of the applicant's knowledge, the entity is HIPAA compliant for security, privacy, and the transaction standards. This form is addressed in more detail in section II.A.3(c) of this proposed rule.
   ++ The CAQH CORE Health Plan IT Exemption Form, if applicable. This form and its relationship with the submission requirements of the first certification of compliance is discussed in section II.A.3(e) of this proposed rule.
   ++ The CAQH CORE Application. This form collects contact information for the individual responsible for the organization's CORE-certification process. The form also outlines the required materials for a complete CORE Certification Application, the process by which CAQH CORE will review and approve applications, and terms and conditions for CORE Certification.
   ++ A fee, as illustrated in Table 4.
   Upon receipt of this documentation, CAQH CORE will complete a final assessment within 30 business days unless there are extenuating circumstances. CAQH CORE reviews test results and maintains records for each entity that is awarded a CORE Seal.
   A health plan must be awarded a CORE Seal in a previous phase to be eligible for a subsequent phase's Seal. /21/ For example, a health plan must be awarded a CORE Seal for Phase I and II Operating Rules in order to be eligible for a CORE Seal for Phase III Operating Rules. CAQH CORE provides the option of applying for and conducting certification testing for all three phases concurrently. In the context of the requirements for the first certification of compliance, this means that a CHP that chooses the option to submit a CORE Seal for Phase III Operating Rules will need to obtain CORE Seals for Phases I and II first, or concurrently.
   FOOTNOTE 21 See question #4, page 9 of 23 at http://www.caqh.org/pdf/COREFAQsPartA.pdf. END FOOTNOTE
   We believe that the CORE Seal, obtained through the CORE certification process, is a reasonable and appropriate demonstration of compliance with the operating rules because--
    * CAQH CORE develops its CORE Seal certification process through a multi-stakeholder approach. CAQH CORE is an industry-wide collaboration committed to the development and adoption of national operating rules for administrative transactions. The more than 140 CORE Participants represent all key stakeholders including providers, health plans, vendors, clearinghouses, government agencies,
    * Through the CORE-authorized Testing Vendor framework, CAQH CORE has created a marketplace for multiple commercial testing vendors to compete, while requiring CORE-authorized Testing Vendors to utilize standardized Test Scripts and specific submission requirements in testing entities. In its role as the "certifier," in contrast to a "tester," CAQH CORE maintains a third party position, independent from both the entity seeking the CORE Seal and the testing vendors with commercial interests. This allows CAQH CORE to carry out the certifying process--and enforcement, appeals and exception policies and processes--in a neutral, transparent manner;
    * CORE Certification is recognized as an Administrative Simplification tool for health plans and states. Currently, over 30 health plans have been awarded or have pledged to seek CORE Seals for Phases I, II, or III, or have pledged to seek the CORE Seal. /22/ CORE Certification is also a crucial element in state-based health care reform initiatives in
   FOOTNOTE 22 For updated information on entities that have CORE-certification or have committed to receive CORE-certification, please refer to http://www.caqh.org/CORE_organizations.php. END FOOTNOTE
   FOOTNOTE 23 O.A.R. 836-100-0115(1): http://arcweb.sos.state.or.us/pages/rules/oars_800/oar_836/836_100.html. END FOOTNOTE
   FOOTNOTE 24 3 CCR 702-4-2-32: http://cdn.colorado.gov/cs/Satellite?blobcol=urldata&blobheadername1=Content-Disposition&blobheadername2=Content-Type&blobheadervalue1=inline%3B+filename%3D%224-2-32+Standardized+Electronic+Identification+And+Communication+Systems+Guidelines+For+Health+Benefit+Plans.pdf%22&blobheadervalue2=application%2Fpdf&blobkey=id&blobtable=MungoBlobs&blobwhere=1251823308663&ssbinary=true. END FOOTNOTE
   FOOTNOTE 25 Ibid., Section 5. END FOOTNOTE
    * CAQH CORE's Certification Infrastructure. CAQH CORE's infrastructure includes: robust on-line and live support for entities during the certification process; a complaint-driven enforcement mechanism that identifies instances of non-compliance; an exemption policy and process; a re-certification process; and an appeals process allowing an entity to request a hearing if it disagrees with CAQH CORE's decision of non-compliance.
   We request comments on a Phase III CORE Seal as an option for CHPS to meet the documentation requirements for the first certification of compliance.
c. CAQH CORE HIPAA Attestation Forms as Documentation of Compliance With the HIPAA Standards
   In order to obtain a CORE Seal for each of the operating rule phases, an entity must sign the CAQH CORE HIPAA Attestation Form by which it attests to compliance with applicable HIPAA transaction provisions, and the HIPAA privacy and security provisions, of 45 CFR Parts 160, 162, and 164. We anticipate that CAQH CORE's HIPAA Credential application process will similarly require such an attestation for the HIPAA Credential, and we find such an attestation to be an essential document of compliance for purposes of the first certification of compliance. We note that, attesting to compliance with the HIPAA privacy and security provisions or obtaining a CORE Seal (or the HIPAA Credential) does not prevent or preclude the
   The proposed submission requirements of
    * Believe that requiring just the CAQH CORE HIPAA Attestation Form minimizes CHPs' burdens in complying with the first certification submission requirements, while not altering or undermining the statutory requirements or our objectives in ensuring compliance; and
    * Are not aware of existing programs that demonstrate consistent testing for compliance with the standards that parallel the proposed process for certifying health plans for compliance with the operating rules. There may be commercial entities that "certify" entities as being compliant with the standards, but we do not know of any that have developed a standards certification process, certification testing, or certification infrastructure with significant participation from industry.
   We also recognize that, while the HIPAA Credential option relies on entities having successfully conducted testing with trading partners, it does not directly support a consistent, industry-wide testing framework of new standards and operating rules. We view the first certification of compliance submission requirements as an initial step in that direction. We solicit comments on our assumptions and proposed approach.
d. CAQH CORE Documentation and Policies
   We are proposing that CHPs may choose between two CAQH CORE documents--a Phase III CORE Seal or the HIPAA Credential--to demonstrate compliance for the first certification of compliance. We believe either of these documents through CAQH CORE is a reasonable approach because CAQH CORE--
    * Is recognized as a technical expert in the implementation of operating rules and supports the standards for those transactions to which the operating rules apply, adopted by the Secretary (after a vetting process discussed in section I.B.2 of this proposed rule). CAQH CORE is the authoring entity of the operating rules and is, therefore, well-versed in the operating rules and their interpretation and implementation, and how they coordinate with the adopted standards;
    * Has infrastructure to reach out to, and educate, CHPs that will be required by this proposed rule to obtain either a Phase III CORE Seal or HIPAA Credential; and
    * Has the ability to convene workgroups with significant and diverse health care industry participation to continually inform, and, where appropriate, improve processes associated with the CORE Seal and HIPAA Credential products.
   We solicit comments on our proposal to limit CHPs' options to documents obtained through processes governed by CAQH CORE.
e. CAQH CORE's Exemption and Enforcement Policies as Applied to the Proposed Submission Requirements
(1) CAQH CORE Certification Exemption Policies
   Under proposed
   FOOTNOTE 26 For Phases I, II, and III, CORE addresses certification exemptions at: http://www.caqh.org/pdf/CLEAN5010/103.pdf, http://www.caqh.org/pdf/CLEAN5010/203.pdf and http://caqh.org/Host/CORE/EFT-ERA/303_Exemption_Policy.pdf Forms at: http://www.caqh.org/pdf/CLEAN5010/COREPII_ITExemptionRequestForm.pdf, http://www.caqh.org/pdf/CLEAN5010/103.pdf, and http://caqh.org/Host/CORE/EFT-ERA/303_Exemption_Policy.pdf for Phases I, II and III. END FOOTNOTE
   CAQH CORE's Certification Exemption Policy enables a health plan, in certain situations, to be awarded a CORE Seal for a particular phase even if all of its IT systems do not pass the Test Scripts for that phase. So long as the remainder of a health plan's IT systems are compliant, CAQH CORE may grant a health plan a Health Plan IT System Exemption if it has a scheduled migration, within the upcoming 12 months, of an existing, non-conforming IT system(s). /27/ Subsequent to the migration(s), CAQH CORE requires the health plan to submit documentation demonstrating the new IT system(s) complies with the operating rules, standards, and other items required by CORE Certification. /28/
   FOOTNOTE 27 These exempted IT systems must serve no more than 30 percent of the health plan's membership or applicable transactions. END FOOTNOTE
   FOOTNOTE 28 For Phases I, II, and III, CORE addresses certification exemptions at: http://www.caqh.org/pdf/CLEAN5010/103.pdf, http://www.caqh.org/pdf/CLEAN5010/203.pdf and http://caqh.org/Host/CORE/EFT-ERA/303_Exemption_Policy.pdf. END FOOTNOTE
   Although a health plan may obtain a CORE Seal under such a CAQH CORE exemption, we make clear in
   CAQH CORE's Health Plan IT System Exemption Policy does not apply to the HIPAA Credential, so a health plan's systems must be fully compliant with the applicable operating rules to obtain the HIPAA Credential.
(2) CORE Enforcement Policy
   CAQH CORE's Enforcement Policy /29/ is a complaint driven process that, under the guidance of the CORE Enforcement Committee comprised of CAQH CORE participants, reviews complaints for completeness and timeliness, and verifies or dismisses complaints.
   FOOTNOTE 29 See http://www.caqh.org/pdf/CLEAN5010/105.pdf, http://www.caqh.org/pdf/CLEAN5010/205.pdf, and http://caqh.org/Host/CORE/EFT-ERA/305_Enforcement_Policy.pdf for Phase I, II, and III enforcement policies. END FOOTNOTE
   CAQH CORE's Enforcement Policy applies to its CORE Seal product (not the HIPAA Credential), and thus would apply to CHPs that elect to obtain a Phase III CORE Seal to fulfill the submission requirements proposed in this rule.
(3) A CHP Is Decertified by CORE
   CAQH CORE's policies specify a number of circumstances by which an entity may be "decertified," could "lose" its CORE Seal, or have its certification "terminated" because of instances of noncompliance with the operating rules for which it is certified. One such policy with this possible consequence is the CAQH CORE IT Exemption Policy, described in section II.A.3 (e) of this proposed rule, whereby a health plan that has obtained a CORE Seal under the policy may be decertified if its new IT system fails to pass the applicable Test Scripts within a prescribed timeframe. /30/ Similarly, CAQH CORE's Enforcement Policy specifies that an entity with a CORE Seal may be decertified if it is found to be out of compliance with an operating rule(s) or standard if the violation is not remedied within the allowed grace period. /31/
   FOOTNOTE 30 http://www.caqh.org/pdf/CLEAN5010/103.pdf, http://caqh.org/Host/CORE/EFT-ERA/303_Exemption_Policy.pdf, http://www.caqh.org/pdf/CLEAN5010/103.pdf, and http://www.caqh.org/pdf/CLEAN5010/203.pdf. END FOOTNOTE
   FOOTNOTE 31 http://www.caqh.org/pdf/CLEAN5010/105.pdf, http://www.caqh.org/pdf/CLEAN5010/205.pdf, and http://caqh.org/Host/CORE/EFT-ERA/305_Enforcement_Policy.pdf. END FOOTNOTE
   As discussed previously, on the date a CHP submits its documentation, none of the CHP's CORE Seals may be terminated or the CHP decertified by CAQH CORE.
   In keeping with the "snap shot" approach described in section II.A. of this proposed rule, we will not track the status of a CHP's CORE Certification (that is, whether it has been terminated or has come under the CAQH CORE IT Exemption Policy) subsequent to the date it meets the proposed submission requirements. /32/
   FOOTNOTE 32 However, to be clear, health plans are covered entities obligated to continually abide by adopted HIPAA standards and operating rules, and the requirements of this proposed rule do not impede our enforcement authority. END FOOTNOTE
(4) CHP's Responsibilities With Respect to Entities Conducting Transactions on Its Behalf
   Section 1173(h)(3) of the Act requires a health plan to "ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance) under this subsection." Because section 1173(h) of the Act is concerned with certification of compliance with the HIPAA standards and operating rules, we believe "services pursuant to contract" means services provided by business associates (BAs), as that term is defined at
   Although we considered requiring CHPs to require their BAs to comply directly with the requirements of
   Under CAQH CORE policy, to obtain a CORE Seal, a health plan must demonstrate that entities or vendor products that conduct all or part of a transaction related to a CAQH CORE are compliant with the operating rules. /33/ This CAQH CORE policy on non-health plan entities that conduct all or part of a transaction related to a CAQH CORE phase on behalf of a health plan aligns with our approach to BAs that conduct part or all of a transaction on behalf of a CHP or its SHPs. Likewise, as we have described here, if a BA that is not a health plan conducts all or part of a transaction on behalf of the CHP or its SHP(s), then the CHP is responsible for ensuring the entity conducts any HIPAA standard transactions in accord with any applicable HIPAA transactions standards and operating rules.
   FOOTNOTE 33 See CAQH CORE FAQs on CORE Certification & Endorsement: http://www.caqh.org/pdf/COREFAQsPartF.pdf. END FOOTNOTE
   As noted previously, CAQH CORE requires that any health plan wishing to obtain a CORE Seal that is dependent on a BA--for the health plan to meet one or more of the CORE operating rule requirements--must have that BA achieve CORE certification. Similarly, if the health plan is dependent on a software vendor to meet one or more of the CORE rule requirements, then the vendor's product name and vendor must be CORE-certified.
(5) Documentation Demonstrating End-to-End Testing
   Section 1173(h)(2)(B) of the Act states that a health plan shall not be considered to have provided adequate documentation of compliance unless it "provides documentation showing that [it] has completed end-to-end testing for such transactions with [its] partners, such as hospitals and physicians."
   Even outside the context of health plan certification, the meaning of the phrase "end-to-end testing"--as well as the types of testing necessary for successful transitions to new or revised standards, code sets, or operating rules--is presently the subject of active discussion in the health care industry. HHS, through the
   Although we know of no standard definition for end-to-end testing at this time, we believe the concept of end-to-end testing likely requires, at a minimum, external testing with trading partners. We emphasize that in order to obtain either a Phase III CORE Seal or the HIPAA Credential, some external testing is required. Note that certification testing, as is required to obtain a CORE Seal, is not the same as internal or external testing. However, certification testing includes submitting documentation that demonstrates certain levels of internal and external testing have taken place. By contrast, the HIPAA Credential directly requires external testing with trading partners. Thus, we believe CHPs that meet the submission requirements proposed in this rule meet the section 1173(h)(2)(B) of the Act's requirement.
(6) Other Considerations About CORE Certification
(a) Cost of CORE Seal and CORE HIPAA Credential
   CAQH CORE charges entities a fee, on a sliding scale according to net annual revenue, for administering and awarding CORE Seals. Table 4 illustrates the current fees that CAQH CORE charges a health plan. Table 4 reflects the total costs for a CHP to obtain three CORE Seals, one for each CAQH CORE Operating Rule phase. /34/ The fees to obtain the CORE Seals do not include the cost for certification testing with a CORE-authorized testing vendor. /35/
   FOOTNOTE 34 The current CORE fee structure for the CORE Seal can be found at: http://www.caqh.org/CORE_phase1_fees.php. END FOOTNOTE
   FOOTNOTE 35 As of this writing, the single CORE-authorized testing vendor does not charge a fee for entities to test with it. END FOOTNOTE
   Table 4 also illustrates the approximate fees that we expect CAQH CORE will charge CHPs for the HIPAA Credential it is currently developing.
   CAQH CORE does not charge federal and state government entities for the CORE Seals, but we expect federal or state government entities will be charged
TABLE 4--CAQH Core Fees for Core Seal and HIPAA Credential Size of health plan Fee for HIPAA Fee for CAQH Phase credential III CORE Seal including Phase I and II Seals Federal and State government$100 No charge. health plans CAQH Member Plans No charge No charge. Below$5 million in net annual$100 $12,000 ($4,000 revenue per phase).$5 million to below$25 $1,000 million net annual revenue$25 million to below$50 $2,000 million net annual revenue$50 million to below$75 $4,000 million net annual revenue$75 million and above net$18,000 ($6,000 annual revenue per phase).
(b) Treatment of Acknowledgements
   We have previously stated in both the Operating Rules IFC and the EFT & ERA Operating Rules IFC that we do not require covered entities to comply with any CAQH CORE Operating Rule requirements pertaining to acknowledgments in Phases I, II, and III (
   By contrast, the requirements underlying CAQH CORE's HIPAA Credential will only apply to the operating rules adopted by the Secretary, so CHPs will not have to comply with the acknowledgements operating rules to obtain the HIPAA Credential.
(7) Compliance Timelines for CHPs To Meet Submission Requirements for the First Certification of Compliance
(a) CHPs That Obtain an HPID Before
(i) Submit Documentation by
   In SEC 162.926(a), we propose that a CHP that obtains an HPID before
   FOOTNOTE 36 In the HPID proposed rule, we concluded there were approximately 138 health maintenance organizations that were small entities by virtue of their nonprofit status though "few, if any of them are small by SBA size standards" (77 FR 23000) and that no other category of health plan could be considered "small" (77 FR 22999). Our conclusions were based on an analysis included in a proposed rule on the establishment of the
   We propose a different date (
    * In section II.A.3(b) of this proposed rule, we discuss the steps a CHP would have to take in order to obtain a CORE Phase III Seal, should it elect to pursue that option. We believe the deadlines proposed in this rule offer CHPs adequate time to complete the gap analysis (planning and evaluation, design and development, and internal and external testing) and subsequent certification testing with a CORE-authorized testing vendor necessary to obtain CORE Seals for Phase I, II, and III Operating Rules. CAQH CORE suggests it will take 20 to 60 days of staff time to conduct certification testing with a CORE-authorized testing vendor and complete and submit one CORE Seal Application packet. /37/ A CHP may also choose to simultaneously pursue CORE Seals for all three phases. Therefore, for CHPs that do not now have, but choose to obtain, a Phase III CORE Seal, it could take up to 180 days to obtain Seals for all three operating rules phases, not including any time that CORE requires to review applications.
   FOOTNOTE 37 See FAQ #11 at http://www.caqh.org/pdf/COREFAQsPartA.pdf. END FOOTNOTE
    * In section II.A.3(a) of this proposed rule, we discuss the broad requirements of the HIPAA Credential. Like a Phase III CORE Seal, it will take some time to meet the requirements for the HIPAA Credential, though many CHPs may have already met the testing requirements.
    * In section II.A.1 of this proposed rule, we propose that a CHP, in meeting the submission requirements for the first certification of compliance requirements, will demonstrate not only that it is compliant with operating rules and standards, but that its SHP(s), if it has any, are compliant. This task will also take time.
    *
   Furthermore, the
   As noted in section I.C of this proposed rule, our goal with the first certification of compliance is to help move the health care industry incrementally toward consistent testing processes in order to transition as seamlessly as possible to new standards or operating rules. We believe a certification of compliance process that penalizes more CHPs than it incentivizes to carry out testing would not accomplish this goal and, for the reasons previously articulated, we believe it would be unreasonable to require CHPs to abide by the statutory date of
   FOOTNOTE 38 Early in 2013, CMS announced a 90-day enforcement discretion period for compliance with the Operating Rules IFC stating that it would not initiate enforcement action until
(2) Date When CHPs Can Begin Submitting Information and Documentation
   We propose that a CHP that obtains an HPID before
(b) CHPs That Obtain an HPID On or After
   We propose in
   Under SEC 162.504, any large or small health plans now extant that meet the definition of a CHP must obtain an HPID on or before
   We propose that a CHP that obtains an HPID after
   We solicit industry and stakeholder comments on our proposed certification of compliance dates.
Table 5--Comparison of Operating Rule Sets Compliance Dates, the Statutory Deadlines for Completing the First Certification of Compliance Requirements, and the Proposed Deadlines for Completing the First Certification of Compliance Requirements Col 1 Col 2 Col 3 Operating rule sets Compliance Deadline for Deadlines for health date for health plans plans * to meet first health plans to meet first certification of to comply certification compliance requirements with the of compliance as proposed in this operating requirements rule rules as mandated by section 1173(h)(1) of the Act Eligibility for a January 1, December 31, December 31, 2015 for health plan 2013 2013 CHPs that obtain an Health care claim HPID before January 1, status 2015. Within 365 calendar days of obtaining an HPID for CHPs that obtain their HPID on or after January 1, 2015 and on or before December 31, 2016. Health care electronicJanuary 1 , funds transfers (EFT) 2014 and remittance advice * Requirements for CHPs that obtain their HPID afterDecember 31, 2016 are not addressed in this proposed rule.
B. Certification of Compliance Penalty Fees
1. Calculating Penalty Fees: Defining Covered Lives of a CHP and Major Medical Policies
   Section 1173(j)(1) of the Act specifies that the penalty fee amount assessed when a health plan does not meet the certification of compliance requirements is based on its number of covered lives. So that we may calculate the potential penalty fee amount should we find a violation(s) of the first certification of compliance, we must know the number of covered lives of a CHP.
   Section 1173(j)(1)(F) of the Act requires the Secretary to determine the number of covered lives under a health plan "based upon the most recent statements and filings that have been submitted by such plan to the
   FOOTNOTE 39 For information on the
   FOOTNOTE 40 10-K filings and other publically available company filings can be viewed through the EDGAR database: http://www.sec.gov/edgar/searchedgar/companysearch.html. For more information on the 10-K see http://www.sec.gov/answers/form10k.htm. For the 10-K form itself: http://www.sec.gov/about/forms/form10-k.pdf. END FOOTNOTE
   FOOTNOTE 41 "Health Care Delivery Covered Lives--Summary of Findings,"
   Therefore, we propose to use the number of covered lives the CHP reports in accordance with the proposed submission requirements under
   In SEC 162.103, we propose to define "covered lives of a CHP" as individuals covered by or enrolled in major medical policies of a CHP and the SHP(s) of that CHP. Individuals may be described in such major medical policies by terms, including, but not limited to the following:--
    * Individuals.
    * Spouses.
    * Dependents.
    * Employees.
    * Subscribers.
    * Policyholders.
    *
    *
    *
    * Veterans.
    * Survivors.
   In section II.B.1 of this proposed rule, we discuss in more detail how the definition of covered lives of a CHP would be used to calculate penalty fees. We include spouses, partners, and dependents in the proposed definition to make clear that covered lives of a CHP includes more than just the policyholder, and encompasses all individuals covered by major medical policies, and also include in the definition examples of terms that government payers may use to describe their covered lives.
   Within the definition, we clarify that covered lives includes only those individuals enrolled in major medical policies. Section 1173(j)(1)(B) of the Act states that penalty fees may only be assessed for persons "covered by the plan for which its data systems for major medical policies are not in compliance." We only include individuals enrolled in major medical policies in the definition since individuals that are not covered by such policies will not be included in the calculation of the penalty fee. In cases in which an individual is covered by both a major medical policy and another policy/(ies) that does not meet the definition of major medical policy, the definition contemplates that such individual would be considered a covered life of a CHP.
   In SEC 160.604, we propose that, for purposes of this proposed rule, "major medical policy" be defined as "an insurance policy that covers accident and sickness and provides outpatient, hospital, medical, and surgical expense coverage." We developed this definition by surveying how the term major medical policy is defined in various contexts.
   To be clear, we propose in
   We indicate in the definition that covered lives of a CHP includes the covered lives of the CHP, and, if it has any, its SHP(s). We include the covered lives of any SHP(s) of the CHP because, under the provisions discussed in section II.A.1 of this proposed rule, the submission requirements and applicable penalty fees are the CHP's, not its SHP's, responsibility.
   We intend to only include those individuals who are enrolled in or covered by health insurance in the definition of covered lives of a CHP, as opposed to those individuals who are merely eligible, but not enrolled or covered.
   We propose to use the phrase "covered by or enrolled in" to indicate a distinction that is sometimes made--but that we are not making here--between voluntary enrollment or automatic coverage in a health plan. That is, irrespective of the actions of an individual, we would consider an individual who has major medical coverage under a health plan to be a covered life of a CHP. For example, we would consider an individual who is automatically enrolled in Medicare Part A upon turning 65 years old to be a covered life of
   We solicit comments on the proposed definition of covered lives of a CHP and the definition of major medical policy.
2. Basis for the Assessment of a Penalty Fee and the Amount of the Penalty Fee
   Section 1173(j)(1)(B) of the Act requires the Secretary to assess a penalty fee against a health plan in the amount of
   In SEC 160.612, we propose the bases for assessing penalty fees and, in
a. Failure To Submit Required Documentation by the Deadlines
   In SEC 160.612(a), we propose that the Secretary would assess a penalty fee against a CHP that fails to comply with the submission requirements specified in
   The basis for the penalty fee proposed in
   In SEC 160.614(a), we propose that a CHP that is assessed a penalty fee under
   We will utilize all reasonable means to ensure that CHPs satisfy their obligations under this proposed rule. Because all CHPs are required to obtain an HPID, we will, for example, once this proposed rule is finalized and implemented, compare a roster of the CHPs that have satisfied the requirements of the rule with a roster of CHPs that have obtained HPIDs. Moreover, we note that section 1173(j)(3) of the Act requires us to report unpaid penalty fees to the Secretary of the Treasury and that unpaid penalty fees, per section 1173(j)(4)(D) of the Act, shall be increased by the interest accrued.
   licit comments on our proposal for assessing penalty fees for CHPs.
b. Knowingly Providing Inaccurate or Incomplete Information
   The penalty fee for knowingly providing inaccurate or incomplete information that we propose in
   In SEC 160.612(b), we propose that a basis for assessment of a penalty fee is providing inaccurate or incomplete information with actual knowledge of the inaccuracy or the incompleteness of the information, or acting in deliberate ignorance or reckless disregard of the accuracy or completeness of the information. We clarify in
   In SEC 160.614(a)(2), we propose that a CHP would be assessed a penalty fee of
   We interpret the statutory language as intending a cap of
    * To obtain a CORE Seal, a CHP would submit documentation to a CORE-authorized testing vendor during certification testing, and to CAQH CORE in applying for the Seal. We would have a basis for assessing a penalty fee under
    * To obtain the HIPAA Credential, a CHP must attest that it has successfully completed testing with at least three of its trading partners. We would have a basis for assessing a penalty fee under
3. Annual Fee Increase
   Section 1173(j)(1)(D) of the Act provides for an annual increase in penalty fees by the annual percentage increase in total national health care expenditures. We are not proposing an annual increase methodology at this time because the first certification of compliance framework we propose here would assess only a one-time penalty fee, not a penalty fee that would be assessed year after year. We may revisit this issue in future rulemaking.
4. Notice of Penalty Fee, CHP's Response to Notice of Penalty Fee, and Defenses
   In SEC 160.616, we propose that the Secretary would provide a CHP notice (sent by certified mail with a return receipt requested) that it meets one or more bases to be assessed a penalty fee under proposed
    * The penalty fee amount;
    * Reference to the bases, under proposed
    * A description of the findings of fact regarding the violations upon which the penalty fee is based; and
    * The reason(s) why the violation(s) subject the CHP to a penalty fee.
   We believe these notice elements would enable a CHP to understand why it met the criteria to potentially be assessed a penalty fee, and the amount proposed to be assessed.
   In SEC 160.618, we propose that a CHP may submit evidence of any of the defenses described in
    * The CHP is not subject to the requirements of
    * The CHP's failure to meet the requirements of
    . The failure to meet the requirements of
   By proposing to limit the scope of the defenses the Secretary will consider in
   We propose to allow a CHP to respond to a notice of penalty fee as an opportunity to present the circumstances that prevented it from meeting the first certification of compliance requirements prior to a potential appeal to an administrative law judge (ALJ). This opportunity to present defenses is analogous to, but much narrower than, our complaint-driven process when a covered entity may resolve a complaint brought against it before CMPs are imposed in a notice of determination under
   We solicit comments on the defenses the Secretary may consider.
5. Notice of Determination and a CHP's Hearing Rights
   In SEC 160.624, we propose sending a notice of determination (by certified mail with return receipt requested) to a CHP indicating whether a penalty fee is, or is not, being assessed. A notice of determination will be sent irrespective of whether a CHP responds to the proposed
   Should a penalty fee will be assessed,
    * A description of the statutory basis for the assessment of the penalty fee;
    * The amount of the penalty fee;
    * The regulatory basis, under
    * The findings of fact regarding the violations on which the assessment of the penalty fee is based;
    * Any defenses described in
    * Instructions for appealing the penalty fee; and
    * A statement that the failure to request a hearing within 90 days results in the imposition of the penalty fee.
   We believe the proposed contents of the notice of determination would be sufficient to enable a CHP to understand why it is being assessed a penalty fee, the amount of the penalty fee, and how the CHP could appeal the penalty fee. We solicit comment on the proposed contents of the notice of determination.
   Should the Secretary determine not to assess a penalty fee, the notice of determination would indicate why any defense(s) raised under
6. Administrative Appeals Process
   In SEC 160.626, we propose that, upon receiving a notice of determination assessing a penalty fee described in
   If a CHP timely requests a hearing with an ALJ, the CHP would participate in a process that is already largely codified at
   Section 160.500 is the Applicability provision for Subpart E--Procedures for Hearings, and provides, "[t]his subpart applies to hearings conducted relating to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5." We propose to revise this provision by adding a reference to 42 U.S.C. 1320d-2(j), to indicate that Subpart E also applies to the assessment of a penalty fee under Subpart F.
   The term "respondent" is defined in
   Section 160.506 specifies the rights of the parties. The ALJ authority is delineated in
7. Other Issues
a. Relationship of Certification of Compliance Process to Complaint-Driven Process
   In section I.B.3 of this proposed rule, we describe the current HIPAA complaint-driven enforcement procedure through which an entity may bring a complaint against any entity it believes is not in compliance with adopted HIPAA transaction standards, operating rules, or code sets. Such a complaint would generate a fact-finding and resolution process, which could result in a corrective action plan, the imposition of CMPs, or a hearing before an ALJ.
   The complaint-driven and first certification of compliance enforcement processes are markedly different, even though both may result in a determination that may be appealed to an ALJ. The complaint-driven enforcement process is initiated as a result of a complaint, uses an informal fact-finding process, employs a corrective action plan if the complaint is valid, and imposes CMPs if the corrective action plan is not followed. Conversely, the first certification of compliance requires certain submissions by specific dates, and provides for an enforcement process with respect to a CHP that fails in various ways to abide by these requirements. Notably, the first certification of compliance, as proposed in this rule, does not employ a corrective action plan should a CHP fail to meet the certification of compliance requirements.
   These two distinct enforcement processes assess CMPs (in the case of the complaint-driven process) or penalty fees (in the case of the first certification of compliance) for different reasons. The complaint-driven process addresses complaints regarding a covered entity's failure to comply with any Administrative Simplification requirement, with the exception of a failure to comply with the first certification requirements proposed in this rule (as we describe in this section). The first certification of compliance process assesses penalty fees for CHPs that fail to meet the submission requirements or that knowingly provide inaccurate or incomplete documentation associated with such submissions, as proposed in this rule.
   Nothing in this proposed rule prohibits the Secretary from pursuing both processes at the same time against a CHP--through CMPs, in the case of the complaint-driven process for failure to comply with Administrative Simplification requirements, and through penalty fees for failure to meet the first certification of compliance requirements. Further, an investigation through the complaint-driven process could lead to the assessment of a penalty fee for a first certification of compliance violation if it revealed through that investigation that the CHP failed to meet the first certification of compliance requirements or knowingly provided inaccurate or incomplete information required for the first certification of compliance. For instance, if an investigation based on a complaint revealed that a CHP never submitted documentation or knowingly submitted inaccurate or incomplete documentation in order to be awarded a CORE Phase III Seal or HIPAA Credential under
   Section 160.300 is the Applicability provision under Subpart C--Compliance and Investigations--which is the complaint-driven enforcement process for Administrative Simplification violations. We propose to amend this section, that now states "[t]his subpart applies to actions by the Secretary, covered entities, business associates, and others with respect to ascertaining the compliance by covered entities and business associates with, and the enforcement of, the applicable provisions of this part 160 and parts 162 and 164 of this subchapter," to clarify that the complaint-driven process does not apply to the requirements in
III. Collection of Information Requirements
   Under the Paperwork Reduction Act of 1995 (PRA), we are required to provide 60-day notice in the
    * The need for the information collection and its usefulness in carrying out the proper functions of our agency.
    * The accuracy of our estimate of the information collection burden.
    * The quality, utility, and clarity of the information to be collected.
    * Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.
   We are soliciting public comment on the information collection requirements (ICRs) regarding the first certification of compliance documentation requirements. Among other requirements, the Affordable Care Act requires health plans to file statements with the Secretary certifying that they are compliant with standards and operating rules for specific transactions. The Affordable Care Act also mandates that the Secretary assess a penalty fee against a health plan that fails to file a statement with the Secretary certifying that it is compliant and/or fails to submit adequate documentation of compliance.
   In section II. of this proposed rule, we discuss the proposed requirements for the first certification of compliance. In section II.A.7 of this proposed rule, we discuss our proposal that a CHP must comply with the first certification of compliance requirements based on when it obtains its HPID. Submission requirements are explained in section II.A.2 and .3 of this proposed rule. We discuss the penalty fees that may be assessed on a CHP that does not meet the submission requirements or knowingly provides inaccurate or incomplete information in section II.B. of this proposed rule.
   The provisions in this proposed rule align with existing statutory and regulatory mandates. In previous regulations, specified in section I.B.1 and 2 of this proposed rule, we have mandated compliance with the adopted standards and operating rules for the HIPAA transactions for which documentation of compliance is proposed in this rule. Other existing regulations that are complimented through this proposed rule include
   In this proposed rule and in this ICR, we are focused on the one-time requirement that CHPs, as defined by
   We do not know at this time how many health plans would meet the definition of a CHP as defined in
A. ICRs Regarding Submission of the Number of Covered Lives (
   Proposed SEC 162.926(a)(2) would require that a CHP that obtains an HPID before
   The one-time burden associated with this requirement is the time and effort associated with the CHP to: (1) Obtain the number of covered lives of the CHP (including those of its SHPs); (2) calculate the total number of covered lives of the CHP and its SHPs that would meet the definition of major medical policy as defined in proposed
   We estimate this burden for proposed
   We used the median hourly labor rate of
   We estimate that proposed
   The estimated annual burden for this requirement would be 16,500 (3,000 CHPs x 5.5 hours) to 27,500 hours (5000 CHPs x 5.5 hours). The total estimated one-time cost associated with all of the requirements in proposed
B. ICRs Regarding Submission of a Phase III CORE Seal (
   Section 162.926(a)(2)(i) and (b)(2) would require that a CHP provide documentation demonstrating it obtained a Phase III CORE Seal or the HIPAA Credential. Should a CHP choose to obtain a Phase III CORE Seal, proposed
   In sections II.A.3.(b). and II.A.3.(d). of this proposed rule, we discuss CORE certification testing, CORE-authorized Testing Vendors, and the CORE certification process. We describe the four-step process required to be awarded any of the CORE Seals: (1) Conduct a gap analysis by evaluating, planning, and completing necessary upgrades; (2) sign the CAQH CORE Pledge committing to become CORE certified; (3) conduct testing through a CORE-authorized Testing Vendor (certification testing); and (4) apply for a Phase III CORE Seal. In section II.A.3. of this proposed rule, we explain that the documentation that demonstrates that the CHP has obtained a Phase III CORE Seal is considered adequate documentation of compliance by the CHP and its SHPs with the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions.
   For the purposes of the ICR, we do not include the time and effort for a CHP to obtain a CORE Phase III Seal because we believe that the process of obtaining a Phase III CORE Seal is inherent in the cost of doing business and we accounted for the time and effort as well as the cost for complying with the operating rules in previous rulemaking. As we indicated, we have mandated compliance with the adopted standards and operating rules for HIPAA transactions in previous regulations. The costs associated with compliance includes for example, analyzing existing data capability and infrastructure, development or enhancement of existing infrastructure, and testing of the CHPs systems both internally and externally. We believe that, because CHPs are expected to be compliant with the operating rules, they have undertaken the steps necessary to ensure that they are compliant and are able to perform transactions with their trading partners according to the adopted standards and operating rules. In this rule, we are proposing submission documentation requirements; therefore, in this analysis, we are only analyzing the cost of submitting this documentation.
   We have proposed two options for documentation that demonstrates compliance with the operating rules and standards. We expect that the decision to obtain the CORE Phase I and II Seals and provide documentation of the CORE Phase III Seal would be a business decision based on a health plan's strategy for implementing new standards or operating rules. Therefore, because the time and effort for compliance with standards and operating rules have been addressed in previous rule making and, because a CHP determines if it wishes to obtain the CORE Phase I and II Seal and submit the Phase III CORE Seal to comply with the documentation requirements, we do not include any costs for the time and effort associated with infrastructure development or enhancement or testing of systems to ensure compliance. We also do not include the time and effort costs in the ICR to comply with any of CORE's specific requirements to obtain the CORE Seals. Finally, we do not account for the variability in time, readiness and success that may or may exist for a CHP to meet CORE's requirements for the CORE Seals. There may be CHPs that have undergone extensive testing and will be able to undergo the CORE process efficiently and in a relatively short time. Other CHPs may require assistance and guidance and a more extensive time period to meet CORE's requirements.
   Included in the CORE fee paid by each CHP is assistance and guidance for CHPs. We account for the fee to CORE in the regulatory Impact Statement in this proposed rule. For the purposes of the ICR in this proposed rule, we considered the time and effort for a CHP to obtain documentation of the Phase III CORE Seal awarded by CORE, and the time and effort for the CHP to submit the documentation of that Seal to the Secretary. As we discussed previously, in this proposed rule, we only consider the time and effort to comply with the certification of compliance requirements described in this proposed rule.
   At the current time, we do not know how many CHPs will elect to obtain a Phase III CORE Seal. According to CAQH CORE's Web site at http://www.caqh.org/CORE_organizations.php, 30 health plans have voluntarily obtained CORE Seals for Phases I and II, and it reports at http://www.caqh.org/ben_participating.php that 25 health plans and 16 government agencies are CORE participating organizations. Ten CORE participating health plans have obtained Phase I and Phase II CORE Seals. We assume that any health plan that has obtained the CORE Seal for Phases I and II will obtain a Phase III CORE Seal and therefore meet the requirements of
   Because we are unable to quantify the number of CHPs that will obtain a Phase III CORE Seal, we are unable to estimate the total cost with any certainty. Therefore, for the purposes of the ICR, we estimate that 40 percent of health plans that would meet the definition of a CHP (that is, 1,200 to 2,000 CHPS) will obtain a Phase III CORE Seal and submit documentation of a Phase III CORE Seal to comply with
   The one-time burden associated with
   We estimate that proposed
C. ICRs Regarding Submission of the HIPAA Credential (
   In section II.A.3(a) of this proposed rule, we explain that the HIPAA Credential indicates that the CHP has confirmed that it has successfully tested the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions with trading partners. For each of the three transactions, the CHP must confirm that the number of transactions conducted with those trading partners collectively accounts for at least 30 percent of the total number of transactions conducted with providers. For each of the three transactions, the CHP must confirm that it has successfully tested with at least three trading partners, but if the number of transactions conducted with three trading partners does not account for at least 30 percent of the total number of transactions conducted with providers, the CHP could confirm that it has successfully tested with up to 25 trading partners. The CHP would be required to provide a list of the names of the trading partners and their contact information to CORE. A CHP would be representing itself as well as all of its SHPs with the attestation.
   Should a CHP choose to obtain the HIPAA Credential, proposed
   For the purpose of the ICR, we are not considering the time and effort for a CHP to perform testing with its trading partners because, as we have discussed previously, we addressed the time and effort to comply with the operating rules in previous rule making, which includes testing with the CHPs trading partners. The CORE HIPAA Credential will require testing before being obtained, and we assume that every health plan's implementation preparation plan requires internal and external testing prior to implementing new standards or operating rules.
   However, in previous rule making, we did not account for the time and effort for a CHP to identify at least three trading partners with which it or its SHPs have successfully tested the operating rules for each of the three transactions (eligibility for a health plan, health care claim status, and electronic funds transfers (EFT) and remittance advice transactions).
   The estimated one-time burden associated with
   As mentioned, we are unable to determine how many CHPs will choose to obtain the HIPAA Credential to fulfill the requirements of
   As mentioned, CAQH CORE is currently developing the HIPAA Credential--which we expect to be finalized prior to the time we finalize this proposed rule--and we described in section II.3.(a) the expected process and requirements for obtaining it. Should the requirements for the final HIPAA Credential differ in any way from the way we described it in section II.3.(a), we would reopen the comment period to permit additional comment on the HIPAA Credential, including on the topic of the estimated number of health plans that would obtain the HIPAA Credential.
   We estimate that the burden associated with proposed
   We estimate that proposed
   The total estimated one-time burden associated with all of the requirements in proposed
   Calculations are illustrated in Table 6. For simplicity, Table 6 demonstrates burdens and costs based on the high estimate of CHPs (5,000) that are expected to certify compliance.
Table 6--Estimated Annual Burden for Reporting, Recordkeeping and Third-Party Disclosure Requirements Regulation section OMB Control Respondents Responses Burden per No. response (hours) 162.926(a)(1) and 0938--New 5,000 15,000 2.5 (b)(1) 162.926(a)(1) and 0938--New 5,000 5,000 1 (b)(1) 162.926(a)(1) and 0938--New 5,000 5,000 2 (b)(1) 162.926(a)(2)(i) and 0938--New 2,000 5,000 1.5 (b)(2) 162.926(a)(2)(ii) and 0938--New 3,000 7,500 2.5 (b)(2) 162.926(a)(2)(ii) and 0938--New 3,000 3,000 1 (b)(2) 162.926(a)(2)(ii) and 0938--New 3,000 3,000 2 (b)(2) Total 10,000 27,000
Table 6--Estimated Annual Burden for Reporting, Recordkeeping and Third-Party Disclosure Requirements Regulation section Annual Hourly labor Total labor Total costs burden cost of cost of ( ] (hours) reporting reporting ( ] ( ] 162.926(a)(1) and * 12,500 38.31 478,875 478,875 (b)(1) 162.926(a)(1) and 5,000 80.84 404,200 404,200 (b)(1) 162.926(a)(1) and 10,000 58.15 581,500 581,500 (b)(1) 162.926(a)(2)(i) and * * 3,000 38.31 114,930 114,930 (b)(2) 162.926(a)(2)(ii) and * * 7,500 38.31 287,325 287,325 (b)(2) 162.926(a)(2)(ii) and 3,000 80.84 242,520 242,520 (b)(2) 162.926(a)(2)(ii) and 6,000 58.15 348,900 348,900 (b)(2) Total * * 37,500 2,458,250 * There are no capital or maintenance costs associated with the information collection requirements contained in this notice of proposed rulemaking. Therefore, we have removed the designated column from Table 6. * * Even though the information collection requirements are comprised of one-time burdens, all burden estimates have been annualized over the standard 3-year OMB approval period.
IV. Regulatory Impact Statement
   We have examined the impact of this proposed rule as required by Executive Order 12866 on Regulatory Planning and Review (
   Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributives, and equity). A regulatory analysis (RIA) must be prepared for major rules with economically significant effects (
   The proposed rule would require a CHP to submit documentation to the Secretary that demonstrates compliance with the standards and operating rules adopted by the Secretary under HIPAA, establish the first certification of compliance process, and establish penalty fees for CHPs that fail to comply with the first certification of compliance requirements. This proposed rule would implement elements of the certification of compliance mandate in the Affordable Care Act. We expect that the first certification of compliance provision is an initial step toward a consistent, industry-wide testing framework.
   As discussed in more detail earlier in this proposed rule, many of the requirements of this proposed rule build on already existing statutory and regulatory mandates. In the ICRs, we estimate a total one-time burden of approximately
   In sections II.A.3.(a) and A.3.(b). of this proposed rule, we discuss the two options for meeting the submission requirements: a Phase III CORE Seal and the HIPAA Credential, respectively. A CHP may choose either option. In section II.A.3.(a) and (b) of this proposed rule, we describe the process for obtaining either a Phase III CORE Seal or the HIPAA Credential.
   We expect that certification testing, such as that required for CHPs obtaining the CORE Phase III Seal, would become more widespread as a result of this proposed rule, and thus the rule would generate costs associated with credentialing activities and greater compliance with operating rules (which requires updating infrastructure). We are unable to quantify either the current rate of non-compliance with HIPAA requirements, the number of CHPs that would become newly compliant as a result of this proposed rule, or the cost, per CHP becoming newly compliant, of infrastructure updates and requisite testing.
   A category of impacts for which we have been able to make estimates is the CAQH CORE fees. /42/ In section II.A.6.(a) of this proposed rule, we discuss the cost of a Phase III CORE Seal and HIPAA Credential based on current fees that CAQH CORE charges for a Phase III CORE Seal and the fees that CAQH CORE believes that it will charge for the HIPAA Credential. Federal and state government entities are currently not charged for a Phase III CORE Seal, nor are CAQH member plans. However, CAQH CORE will charge government entities a
   FOOTNOTE 42 We believe that, in general, these fees represent real costs to society, in the form of labor and other resources used by CAQH CORE for conducting certification. END FOOTNOTE
   We assumed the same number of CHPs that we use in the ICRs (that is 1,200 to 2,000 CHPs would obtain a Phase III CORE Seal and 1,800 to 3,000 CHPs would obtain the HIPAA Credential). For the purpose of this analysis, we considered the cost to obtain either the CORE Seals (Phase I, II, and III) or the HIPAA Credential for all of the estimated 3,000 to 5,000 CHPs and did not account for the CHPs that currently have obtained the CORE Seal for Phase I and II or CAQH member plans. That means we did not deduct the number of health plans with current Phase I and Phase II CORE Seals or CAQH member plans that are not assessed a fee by CAQH CORE to obtain a Phase III CORE Seal.
   For the purpose of the impact analysis, we did not account for any penalty fees that could be assessed for CHPs that fail to comply with the certification of compliance submission requirements. We believe that we have structured the provisions of this proposed rule such that most CHPs will be able to meet the submission requirements. They will have had significant time to implement the applicable standards and operating rules, conduct the transactions in a compliant manner, and conduct certification testing or testing with their trading partners. Further, because the penalty fees are substantial, we believe they serve as a strong disincentive for noncompliance. We therefore believe few CHPs will fail to certify compliance, and the total amount of assessed penalty fees will be insignificant.
   For the 1,200 to 3,000 CHPs we estimate would obtain a Phase III CORE Seal, we assumed that 50 percent would have net annual revenues less than
   For the 1,800 to 2,000 CHPs that we estimate would obtain a HIPAA Credential, we assumed that 5 percent would have net annual revenues less than
   Consequently, we estimate the total cost to comply with
   We are proposing in
   In the Modifications final rule, Operating Rules IFC, Health Care EFT Standards IFC, and the EFT & ERA Operating Rule Set IFC, described in the background of this proposed rule, we described the financial and qualitative benefits to implementing the standards and operating rules for the eligibility for a health plan, health claim status, and health care electronic funds transfers (EFT) and remittance advice transactions. Those rules measured the financial benefits of the standards and operating rules from the compliance dates of those particular standards and operating rules:
   The cost and savings of implementing those standards and operating rules on their compliance dates are not addressed in this proposed rule as they are accounted for in the previously mentioned rules, and the first certification of compliance requirements, as proposed in this rule, do not affect the costs and benefits of implementing these standards and operating rules.
   It is possible that some CHPs may view the first certification of compliance deadline,
   FOOTNOTE 43 See map with data on commercially insured lives that have policies with a CORE Certified health plan on CAQH CORE Web site: http://www.caqh.org/pdf/COREPIwebmap.pdf. END FOOTNOTE
   We assume that the CORE-certified health plans include the process of obtaining CORE Seals for each phase of operating rules as part of their process to successfully implement new standards or operating rules. We assume these CORE-certified health plans make CORE Certification part of their implementation strategy regardless of the first certification of compliance submission requirements as proposed in this rule. As discussed in section II.A.7(a)(1) of this proposed rule, the
   Because we believe that a negligible number of CHPs will use the
   The amount in penalty fees that would have been assessed with a
   FOOTNOTE 44 CORE Web page: http://www.caqh.org/ORMandate_EFT.php. END FOOTNOTE
   FOOTNOTE 45 http://www.instamed.com/news-and-events/industry-first-instamed-achieves-phase-iii-caqh-core-certification/. END FOOTNOTE
   Therefore, due to the vast difference in requirements associated with the
   The Regulatory Flexibility Analysis (RFA), as amended, requires agencies to analyze options for regulatory relief of small businesses, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions.
   The health insurance industry was examined in depth in the RIA prepared for the proposed rule on establishment of the
   However, there are a number of health maintenance organizations (HMOs) that are small entities by virtue of their nonprofit status even though few if any of them are small by SBA size standards. There are approximately 100 such HMOs which may meet the definition of, and therefore define themselves, as CHPs. These HMOs and the
   Accordingly, this proposed rule may affect a number of small entities. We estimate, however, that the costs of this proposed rule on "small" health plans do not remotely approach the amounts necessary to be a "significant economic impact" on firms with revenues of tens of millions of dollars. Therefore, the Secretary proposes to certify that this proposed rule would not have a significant economic impact on a substantial number of small entities. We welcome industry and stakeholder input on our assumption in this regard.
   In addition, section 1102(b) of the Act requires us to prepare a regulatory analysis for "any rule or regulation proposed under title XVIII, title XIX, or part B of [the Act] that may have significant impact on the operations of a substantial number of small rural hospitals." This proposed rule, however, is being proposed under title XI, part C, "Administration Simplification," of the Act, and, therefore, does not apply. Regardless, this requirement of this proposed rule is only applicable to CHPs and will not have a significant impact on the operations of small rural hospitals.
   Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of
   Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. Since this regulation does not impose any substantial costs on state or local governments, the requirements of Executive Order 13132 are not applicable.
   In accordance with the provisions of Executive Order 12866, this rule was reviewed by the
List of Subjects
   45 CFR Part 160
   Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Investigations,
   45 CFR Part 162
   Administrative practice and procedures, Electronic transactions, Health facilities, Health insurance, Hospitals, Incorporation by reference,
   For the reasons set forth in this preamble, the
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
   1. The authority citation for part 160 continues to read as follows:
   Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110
   2. Section 160.103 is amended by--
   A. Adding the definition of "Penalty fee" in alphabetical order.
   B. Revising the definition of "Respondent".
   The addition and revision read as follows:
* * * * *
   Penalty fee means the amount determined under
* * * * *
   Respondent means a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a penalty fee under subpart F or a civil money penalty.
* * * * *
   3. Section 160.300 is amended by removing the phrase "parts 162 and" and adding in its place the phrase "parts 162 (excluding
   4. Section 160.500 is revised to read as follows:
   This subpart applies to hearings conducted relating to the following:
   (a) The imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5.
   (b) The assessment of a penalty fee by the Secretary under 42 U.S.C. 1320d-2(j).
   5. Section 160.504 is amended by revising paragraph (c) to read as follows:
* * * * *
   (c) The request for a hearing must do the following:
   (1) Clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination under
   (2) State the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty or penalty fee, except that a respondent may raise an affirmative defense under
* * * * *
   6. Section 160.534 is amended by revising paragraphs (b)(1) and (d)(1) to read as follows:
* * * * *
   (b)(1) The respondent has the burden of going forward and the burden of persuasion with respect to any of the following:
   (i) Affirmative defense under
   (ii) Challenge to the amount of a proposed penalty pursuant to
   (iii) Claim that a proposed penalty should be reduced or waived pursuant to
   (iv) Compliance with subpart D of part 164, as provided under
* * * * *
   (d)(1) Subject to the 15-day rule under
   (i) By the Secretary, unless they are material and relevant to the acts or omissions with respect to which the penalty is proposed in the notice of proposed determination under
   (ii) By the respondent, unless they are material and relevant to an admission, denial or explanation of a finding of fact in the notice of proposed determination under
* * * * *
   7. In
   8. Section 160.546 is amended by revising paragraph (b) to read as follows:
* * * * *
   (b) The ALJ may affirm, increase, or reduce the penalties or penalty fees imposed by the Secretary.
* * * * *
   9. Section 160.548 is amended by:
   A. In paragraph (e), removing the phrase "of this part" and adding in its place the phrase "or a defense under
   B. In paragraph (g), removing the phrase "any penalty determined by the ALJ" and adding in its place the phrase "any penalty or penalty fee determined by the ALJ."
   10. In
   11. Subpart F is added to part 160 to read as follows:
Subpart F--Imposition of Penalty Fees
Sec.
160.602 Applicability.
160.604 Definitions.
160.612 Basis for the assessment of a penalty fee.
160.614 Amount of the penalty fee for failure to comply with submission requirements or knowingly providing inaccurate or incomplete information.
160.616 Notice of penalty fee.
160.618 CHP's response to notice of penalty fee.
160.620 Defenses that may be raised in response to notice of penalty fee.
160.624 Notice of determination.
160.626 Right to a hearing.
Subpart F--Imposition of Penalty Fees
   This subpart applies to the imposition of penalty fees by the Secretary under 42 U.S.C. 1320d-2.
   As used in this subpart, the following definitions apply:
   Controlling health plan (CHP) means a health plan as defined at
   Major medical policy means an insurance policy that covers accident and sickness and provides outpatient, hospital, medical and surgical expense coverage.
   The Secretary assesses a penalty fee against a CHP with major medical policies if the Secretary determines the CHP did either of the following:
   (a) Failed to provide the documentation in accordance with
   (b) With respect to information submitted to the Secretary under to
   (1) With actual knowledge of the inaccuracy or incompleteness of the information; or
   (2) Acting in deliberate ignorance or reckless disregard of the accuracy or completeness of the information.
   (a) The penalty fee amounts are as follows:
   (1) For the basis specified at
   (2) For the basis specified at
   (b) A CHP is not assessed more than
   The Secretary provides notice, by certified mail with return receipt requested, to a CHP that meets any of the bases for a penalty fee in
   (a) The penalty fee amount.
   (b) Reference to the regulatory basis, under
   (c) A description of the findings of fact regarding the violations upon which the penalty fee is based.
   (d) The reasons(s) why the violation(s) subject the CHP to a penalty fee.
   (a) In response to a notice of penalty fee under
   (b)(1) A CHP that chooses to assert a defense(s) under paragraph (a) of this section must do so in writing within 30 calendar days of receipt of the notice under
   (2) For purposes of this section, the CHP's date of receipt of the notice of penalty fee is presumed to be 5 days after the date of the notice unless the CHP makes a reasonable showing to the contrary to the Secretary.
   The Secretary will consider no defenses aside from the following in response to a notice of penalty fee under
   (a) The CHP is not subject to the requirements of
   (b) The CHP's failure to meet the requirements of
   (c) The failure to meet the requirements of
   The Secretary sends the CHP, by certified mail with return receipt requested, a notice of determination as to whether a penalty fee is assessed.
   (a) A notice of determination to assess a penalty fee includes all of the following:
   (1) A description of the statutory basis for the assessment of the penalty fee.
   (2) The amount of the penalty fee.
   (3) Reference to the regulatory basis, under
   (4) The findings of fact regarding the violations on which assessment of the penalty fee is based.
   (5) Any defenses described in
   (6) Instructions for requesting a hearing under
   (7) A statement that the failure to request a hearing within 90 days results in the imposition of the penalty fee specified in the notice of determination.
   (b) A notice of determination to not assess a penalty fee includes the following:
   (1) Any defenses described in
   (2) Actions the CHP must take.
   (a) Upon receipt of a notice of determination under
   (b) If a CHP does not request a hearing within the time prescribed by
PART 162--ADMINISTRATIVE REQUIREMENTS
   12. The authority citation for part 162 continues to read as follows:
   Authority: Secs. 1171 through 1180 of the Social Security Act (42 U.S.C. 1320d-1320d-9), as added by sec. 262 of Pub. L. 104-191, 110
   13. Section 162.103 is amended by adding the definitions of "Covered lives of a CHP" and "EFT" in alphabetical order to read as follows:
* * * * *
   Covered lives of a CHP means individuals covered by or enrolled in major medical policies of a CHP and the SHP(s) of that CHP. Individuals may be described in such major medical policies by terms, including, but not limited to, the following:
   (1) Individuals.
   (2) Spouses.
   (3) Dependents.
   (4) Employees.
   (5) Subscribers.
   (6) Policyholders.
   (7)
   (8)
   (9)
   (10) Veterans.
   (11) Survivors.
* * * * *
   EFT stands for electronic funds transfers.
* * * * *
   14. Section 162.926 is added to read as follows:
   (a) Submission requirements for a CHP that obtains an HPID before
   (1) The number of covered lives of a CHP (as that term is defined in
   (2) Documentation that demonstrates the CHP has obtained a
   (i) Certification Seal for Phase III CAQH CORE EFT & ERA Operating Rules. The CHP must not be under the CORE IT Exemption Policy at the time of submission with regard to the CORE Phase I, II, and III Seals; or
   (ii) HIPAA Credential for the operating rules for the transactions listed in paragraph (a) of this section.
   (b) Submission requirements for a CHP that obtains an HPID on or after
   (1) The number of covered lives of a CHP (as that term is defined in
   (2) The documentation required under paragraph (a)(2) of this section.
   Dated:
Administrator,
   Dated:
Secretary,
[FR Doc. 2013-31318 Filed 12-31-13;
BILLING CODE 4120-01-P
Copyright: | (c) 2014 Federal Information & News Dispatch, Inc. |
Wordcount: | 28377 |
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News