Buck Bond Group

HHS Withdraws HIPAA Certification Requirements

Volume 40 | Issue 126

HHS announced that effective October 4, 2017, it was withdrawing the proposed rule requiring controlling health plans to demonstrate compliance with certain standards and operating rules under HIPAA. It also announced it will re-examine the issues raised in public comments and explore alternatives to comply with the statutory requirements.


HHS issued proposed regulations on January 2, 2014 that would have required a controlling health plan (CHP) to demonstrate that it complied with certain HIPAA operating standards. (See our August 26, 2014 For Your Information.) The proposed rule also set forth penalties for failure to comply with the certification requirements.

The operating standards apply to three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice – activities usually conducted by business associates and not the plan sponsor. The proposed rule would have required the CHP to demonstrate compliance by obtaining certifications under rules promulgated by the Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE). Some employers maintain a single self-funded plan for several types of coverage such as medical, dental and vision with separate claims administrators. Others maintain multiple plans (e.g., separate plans for actives and retirees or different classes of active employees). Certifications would have been required for each administrator who conducted any of the three transactions.

Proposed Rule Withdrawn

HHS reported that it had received approximately 72 public comments in response to the proposed rule. Noting the issues raised in those comments, the department announced that it was withdrawing the proposed rule in order to re-examine the issues and explore options and alternatives to comply with the statutory requirements.

In withdrawing the proposed rule, HHS noted that the requirements for covered entities to comply with all other HIPAA privacy and security regulations remain in effect.

In Closing

The proposed rule would have required sponsors of self-funded plans to follow a cumbersome process to certify compliance for standard transactions that would have been done by others, such as their claims administrators. Its withdrawal provides welcome relief, for now.