Administrative Simplification: Certification of Compliance for Health Plans, 297-324 [2013-31318]

Download as PDF Vol. 79 Thursday, No. 1 January 2, 2014 Part IV Department of Health and Human Services mstockstill on DSK4VPTVN1PROD with PROPOSALS2 45 CFR Parts 160 and 162 Administrative Simplification: Certification of Compliance for Health Plans; Proposed Rule VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\02JAP2.SGM 02JAP2 298 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Parts 160 and 162 [CMS–0037–P] RIN 0938–AQ85 Administrative Simplification: Certification of Compliance for Health Plans Office of the Secretary, HHS. Proposed rule. AGENCY: ACTION: This proposed rule would require a controlling health plan (CHP) to submit information and documentation demonstrating that it is compliant with certain standards and operating rules adopted by the Secretary of Health and Human Services (the Secretary) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This proposed rule would also establish penalty fees for a CHP that fails to comply with the certification of compliance requirements. SUMMARY: To be assured consideration, comments must be received at one of the addresses provided, no later than 5 p.m. on March 3, 2014. ADDRESSES: In commenting, please refer to file code CMS–0037–P. Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission. You may submit comments in one of four ways (please choose only one of the ways listed): 1. Electronically. You may submit electronic comments on this regulation to https://www.regulations.gov. Follow the ‘‘Submit a comment’’ instructions. 2. By regular mail. You may mail written comments to the following address only: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS–0037–P, P.O. Box 8013, Baltimore, MD 21244–8013. Please allow sufficient time for mailed comments to be received before the close of the comment period. 3. By express or overnight mail. You may send written comments to the following address only: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS–0037–P, Mail Stop C4–26–05, 7500 Security Boulevard, Baltimore, MD 21244–1850. 4. By hand or courier. Alternatively, you may deliver (by hand or courier) your written comments only to the mstockstill on DSK4VPTVN1PROD with PROPOSALS2 DATES: VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 following addresses prior to the close of the comment period: a. For delivery in Washington, DC— Centers for Medicare & Medicaid Services, Department of Health and Human Services, Room 445–G, Hubert H. Humphrey Building, 200 Independence Avenue SW., Washington, DC 20201 (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal government identification, commenters are encouraged to leave their comments in the CMS drop slots located in the main lobby of the building. A stamp-in clock is available for persons wishing to retain a proof of filing by stamping in and retaining an extra copy of the comments being filed.) b. For delivery in Baltimore, MD— Centers for Medicare & Medicaid Services, Department of Health and Human Services, 7500 Security Boulevard, Baltimore, MD 21244–1850. If you intend to deliver your comments to the Baltimore address, call telephone number (410) 786–1066 in advance to schedule your arrival with one of our staff members. Comments erroneously mailed to the addresses indicated as appropriate for hand or courier delivery may be delayed and received after the comment period. For information on viewing public comments, see the beginning of the SUPPLEMENTARY INFORMATION section. FOR FURTHER INFORMATION CONTACT: Matthew Albright, (410) 786–2546. Terri Deutsch, (410) 786–9462 for questions regarding Collection of Information and the Regulatory Impact Statement. SUPPLEMENTARY INFORMATION: Inspection of Public Comments: All comments received before the close of the comment period are available for viewing by the public, including any personally identifiable or confidential business information that is included in a comment. We post all comments received before the close of the comment period on the following Web site as soon as possible after they have been received: https:// www.regulations.gov. Follow the search instructions on that Web site to view public comments. Comments received timely will also be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, at the headquarters of the Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule an PO 00000 Frm 00002 Fmt 4701 Sfmt 4702 appointment to view public comments, call 1–800–743–3951. I. Background A. Introduction Many factors contribute to the high cost of health care in the United States, but studies find that administrative costs substantially impact spending growth 2 and can likely be reduced.2 Automated processes, through the use of standardized electronic transactions, can lessen health care providers’ administrative burden in interacting with health insurers. Under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Secretary adopts standards and operating rules that facilitate the use of electronic transactions by creating greater uniformity in data exchange and reducing the health care industry’s reliance on paper forms and manual processes to transmit data. Although HIPAA standards and operating rules can reduce administrative burden, the health care industry has experienced difficulty transitioning to them by the regulatory compliance dates. Many in the industry attribute at least some implementation difficulties to the lack of a consistent testing process or framework before implementation of new standards and operating rules. This proposed rule is intended to serve as an initial step toward the development of a consistent testing process that will enable entities to better achieve and demonstrate compliance with HIPAA standards and operating rules. This rule proposes that controlling health plans (CHPs) must submit certain information and documentation that demonstrates compliance with the adopted standards and operating rules for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. Such documentation would be an indication that a CHP has completed some internal and external testing. 2 ‘‘Technological Change and the Growth of Health Care Spending,’’ A CBO Paper, Congressional Budget Office, January 2008, pg. 4, https://www.cbo.gov/ftpdocs/89xx/doc8947/01-31TechHealth.pdf 2 Morra, D., Nicholson, S., Levinson, W., Gans, D. N., Hammons, T., & Casalino, L. P. ‘‘U.S. Physician Practices versus Canadians: Spending Nearly Four Times as Much Money Interacting With Payers,’’ Health Affairs: 30(8):1443–1450, 2011. Blanchfield, Bonnie B., James L. Hefferman, Bradford Osgood, Rosemary R. Sheehan, and Gregg S. Meyer, ‘‘Saving Billions of Dollars—and Physician’s Time—by Streamlining Billing Practices,’’ Health Affairs: 29(6):1248–1254, 2010. E:\FR\FM\02JAP2.SGM 02JAP2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules B. Legislative and Regulatory Background This section summarizes the legislative and regulatory history of standards, operating rules, and the enforcement processes in order to frame the process we refer to in this proposed rule as certification of compliance. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 1. HIPAA Standards and Code Sets Section 1172(a) of the Social Security Act (the Act) provides that any standard adopted under HIPAA shall apply, in whole or in part, to the following persons, known as ‘‘covered entities’’: (1) A health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Covered entities are required to conduct as standard transactions all electronic transactions for which the Secretary has adopted a standard. In the August 17, 2000 Federal Register (65 FR 50312), we published a final rule titled ‘‘Health Insurance Reform: Standards for Electronic Transactions’’ (hereinafter referred to as the Transactions and Code Sets final rule). That rule implemented some of the HIPAA Administrative Simplification requirements by adopting standards developed by standards development organizations (SDOs) for certain electronic health care transactions, and medical data code sets to be used in those transactions. The Transactions and Code Sets final rule adopted the Accredited Standards Committee (ASC) X12 standards Version 4010/4010A1 and the National Council for Prescription Drug Programs (NCPDP) Telecommunication standard Version 5.1. In the January 16, 2009 (74 FR 3296) final rule titled, ‘‘Health Insurance Reform; Modifications to the Health Insurance Portability and Accountability Act (HIPAA) Electronic Transaction Standards’’ (hereinafter referred to as the Modifications final rule), we adopted updated versions of the standards (ASC X12 Version 5010) (hereinafter referred to as Version 5010) and NCPDP Telecommunication Standard Implementation Guide, Version D. Release 0 (hereinafter referred to as Version D.0), and equivalent Standard Batch Implementation Guide, Version 1, Release 2 (hereinafter referred to as Version 1.2) for the electronic health care transactions that were originally adopted in the Transactions and Code Sets final rule. We also adopted a new standard for the Medicaid pharmacy subrogation transaction—the Batch VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 Standard Medicaid Subrogation Implementation Guide, Version 3, Release 0 (hereinafter referred to as Version 3.0), which is specified at 45 CFR 162, subpart S. Covered entities were required to comply with Version 5010 and Version D.0, and Version 3.0 for Medicaid pharmacy subrogation transactions, effective January 1, 2012 (except for small health plans, which were required to comply with Version 3.0 on January 1, 2013). In the January 10, 2012 (77 FR 1556) interim final rule with comment period, titled ‘‘Administrative Simplification: Adoption of Standards for Health Care Electronic Funds Transfers (EFT) and Remittance Advice’’ (hereinafter referred to as the Health Care EFT Standards IFC), we adopted standards for the health care electronic funds transfers (EFT) and remittance advice transaction, defined the transaction, and explained how the adopted standards support and facilitate it. In the September 5, 2012 Federal Register (77 FR 54664), we published a final rule, ‘‘Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD–10–CM and ICD–10– PCS) Medical Data Code Sets’’ (hereinafter referred to as the HPID final rule). That rule, as relevant here, adopted the standard for a national unique health plan identifier (HPID), established requirements for HPID implementation, and adopted a data element to serve as an ‘‘other entity’’ identifier (OEID)—an identifier for entities that are not health plans, health care providers, or individuals, but that need to be identified in standard transactions. 2. HIPAA Operating Rules Section 1173(g) of the Act was added by section 1104 of the Patient Protection and Affordable Care Act (Pub L. 111– 148), enacted on March 23, 2010, as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111–152), enacted on March 30, 2010 (collectively known as and hereinafter referred to as the Affordable Care Act). Section 1173(g) of the Act requires the Secretary to adopt a single set of operating rules for each of the transactions listed in section 1173(a)(1) of the Act. Operating rules are defined by section 1171(9) of the Act as ‘‘the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation PO 00000 Frm 00003 Fmt 4701 Sfmt 4702 299 specifications as adopted for purposes of this part.’’ Additionally, sections 1173(g)(2)(D), (g)(3)(C), and (g)(3)(D) of the Act clarify aspects of the operating rules and the requirements of the operating rules authoring entity. The Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE) was established in 2005 as a national initiative, bringing together over 100 health care industry stakeholders to simplify health care administration through the improvement of electronic health care information exchange. CAQH CORE’s mission is to ‘‘build consensus among healthcare industry stakeholders on a set of operating rules that facilitate administrative interoperability between providers and health plans.’’ 3 With consensus among health care industry stakeholder members, CAQH CORE, in 2008, developed two sets of operating rules for the eligibility for a health plan and health care claim status transactions (hereinafter referred to as Phase I and Phase II CAQH CORE Operating Rules). The operating rules built upon applicable HIPAA standard transaction requirements, and enabled providers to submit transactions from any system, facilitating administrative and clinical data integration. Numerous health care entities voluntarily adopted the Phase I and II CAQH CORE Operating Rules, and CAQH CORE demonstrated that the use of these rules yielded a positive return on investment for health plans and providers.4 In August and September, 2010, the National Committee on Vital and Health Statistics 5 (NCVHS), in furtherance of its statutory mission to advise the Secretary, engaged in a comprehensive review of health care operating rules and their authors. The NCVHS advised the Secretary that CAQH CORE met the requirements of section 1173(g)(2) of the Act to be the operating rules authoring entity for the non-retail pharmacy eligibility for a health plan and health care claim status transactions.6 After assessing its qualifications and the NCVHS’s recommendation, the 3 CAQH CORE Web site: https://www.caqh.org/ pdf/CORE_MASTER_Presentation_4-15-08.pdf. 4 CAQH CORE Web site: https://www.caqh.org/ pdf/CORE_MASTER_Presentation_4-15-08.pdf. https://www.caqh.org/COREIBMstudy.php. 5 Established by the Congress, the NCVHS is a body that advises the Secretary on health data, statistics, and national health information policy and that has a significant role in the Secretary’s adoption of operating rules under section 1173(g)(3) of the Act. 6 September 30, 2010 letter from NCVHS to Secretary Kathleen Sebelius, re: Affordable Care Act, Administrative Simplification: Operating Rules for Eligibility and Claims Status Transactions: https://www.ncvhs.hhs.gov/reptrecs.htm. E:\FR\FM\02JAP2.SGM 02JAP2 300 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules mstockstill on DSK4VPTVN1PROD with PROPOSALS2 Secretary determined that CAQH CORE was qualified to be the operating rule authority entity for the eligibility for a health plan and health care claim status transactions. In the July 8, 2011 (76 FR 40458) interim final rule with comment period (IFC) titled, ‘‘Administrative Simplification: Adoption of Operating Rules for Eligibility for a Health Plan and Health Care Claim Status Transactions’’ (hereinafter referred to as the Operating Rules IFC), we adopted Phase I and II CAQH CORE Operating Rules for the two transactions.7 The Operating Rules IFC also defined the term ‘‘operating rules,’’ revised the definition for ‘‘standard transaction’’ to indicate that a standard transaction is one that complies with both the adopted standards and operating rules, and described the relationship between operating rules and standards. In the Operating Rules IFC, we did not adopt the Phase I and II CAQH CORE Operating Rules requirements regarding acknowledgments, nor did we adopt CORE’s Certification process by which an entity demonstrates compliance with Phase I and II CAQH CORE Operating Rules.8 On March 23, 2011, the NCVHS recommended that CAQH CORE, in collaboration with NACHA—The Electronic Payments Association, be the authoring entity for the health care electronic funds transfers (EFT) and remittance advice transaction operating rules.9 In developing the health care electronic funds transfers (EFT) and remittance advice transaction operating rules, CAQH CORE held more than thirty open conference calls and conducted over 15 straw polls with industry and government representatives between March and August 2011. More than 80 health care entities analyzed, reviewed, and achieved consensus on the operating rules. On December 7, 2011, the NCVHS, in its advisory role, recommended to the Secretary (subject to CAQH CORE making certain revisions) that the Phase III CAQH CORE EFT & ERA Draft Operating Rule Set (or Phase III Operating Rules) be adopted as the 7 CAQH CORE Phases I and II Operating Rules are available online at no charge at https:// www.caqh.org/COREVersion5010.phb. 8 Provisions of the Operating Rule IFC at 76 FR 40461. Information on the CAQH CORE Rules can be found at: https://www.caqh.org/CORE_ phase1.php, https://www.caqh.org/CORE_ phase2.php, and https://www.caqh.org/CORE_ phase3.php. CAQH CORE FAQS can be found at: https://www.caqh.org/pdf/COREFAQsPartA.pdf for general information; https://www.caqh.org/pdf/ COREFAQsPartC.pdf for Phase I and II. 9 March 23, 2011 NCVHS letter to the Secretary: https://ncvhs.hhs.gov/110323lt.pdf. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 operating rules for the health care electronic funds transfers (EFT) and remittance advice transaction. On August 10, 2012, in 77 FR 48008, we adopted these operating rules in a rule titled ‘‘Administrative Simplification: Adoption of Operating Rules for Health Care Electronic Funds Transfers (EFT) and Remittance Advice Transactions; Final Rule’’ (hereinafter EFT & ERA Operating Rule Set IFC). We did not, however, adopt the CAQH CORE operating rule in the EFT & ERA Operating Rule Set that required the use of the Version 5010 999 acknowledgements standard in the Phase III CAQH CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule requirement 4.2 (77 FR 48017).10 The NCVHS recommended in May 2012 that CAQH CORE be the authoring entity for the operating rules for the remaining HIPAA transactions 11— health care claims or equivalent encounter information, health claims attachments, enrollment and disenrollment in a health plan, health plan premium payments, and referral certification and authorization, with respect to which the Secretary agreed.12 3. Current HIPAA Administrative Simplification Enforcement Under sections 1176 and 1177 of the Act, covered entities may be subject to civil money penalties (CMPs) and criminal penalties for violations of HIPAA Administrative Simplification rules. HHS administers the CMPs under section 1176 of the Act and the U.S. Department of Justice administers the criminal penalties under section 1177 of the Act. Section 1176(b) of the Act sets out limitations on the Secretary’s authority and provides the Secretary certain discretion with respect to imposing CMPs. For example, this section provides that no CMPs may be imposed with respect to an act if a penalty has been imposed under section 1177 of the Act with respect to such act. This section also generally precludes the Secretary from imposing a CMP for a violation corrected during the 30-day period beginning when an individual knew or, by exercising reasonable diligence, would have known that the failure to comply occurred. The Secretary promulgated rules pertaining to compliance with, and enforcement of, the HIPAA Administrative 10 CAQH CORE FAQS for Phase III can be found at https://www.caqh.org/pdf/COREFAQsPartD.pdf. 11 May 5, 2012 NCVHS letter to the Secretary: https://www.ncvhs.hhs.gov/120505lt.pdf. 12 September 12, 2012 letter from Secretary to NCVHS: https://www.ncvhs.hhs.gov/120912lt.pdf. PO 00000 Frm 00004 Fmt 4701 Sfmt 4702 Simplification rules that are codified at section 45 part 160, subparts C, D, and E, and collectively referred to as the Enforcement Rule. In the April 17, 2003 Federal Register (68 FR 18895), we issued an interim final rule entitled, ‘‘Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings’’ that established the procedural requirements for the imposition of CMPs for violations of HIPAA Administrative Simplification requirements. We expanded upon that rule with a February 16, 2006 final rule entitled, ‘‘HIPAA Administrative Simplification: Enforcement’’ (71 FR 8390), that made the compliance rules applicable to all HIPAA Administrative Simplification Rules. That rule also amended the rules relating to the imposition of CMPs and clarified the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeal process. These rules’ preambles provide additional information that may be helpful regarding HIPAA’s compliance and enforcement. Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, revised section 1176 of the Act by strengthening enforcement of the HIPAA rules. In the October 30, 2009 Federal Register (74 FR 56123), we published an IFC titled ‘‘HIPAA Administrative Simplification: Enforcement’’ that conformed HIPAA’s enforcement regulations to section 1176 of the Act, as it was modified by section 13410(d) of HITECH. That rule amended HIPAA enforcement regulations as they relate to the imposition of CMPs to incorporate the HITECH categories of violations, tiered ranges of CMP amounts, and revised limitations on the Secretary’s authority to impose CMPs for established violations of HIPAA Administrative Simplification rules. In the January 25, 2013 Federal Register (78 FR 5566), we published a final rule titled ‘‘Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules’’ (hereinafter referred to as the HIPAA Omnibus final rule). Among other modifications to the HIPAA rules, the HIPAA Omnibus final rule modified HIPAA Privacy, Security, and Breach E:\FR\FM\02JAP2.SGM 02JAP2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules Notification Rules as mandated by HITECH, as well as finalized a number of modifications to the HIPAA Enforcement Rule, including incorporating a tiered civil money penalty structure, that were originally published as an interim final rule on October 30, 2009 (74 FR 56123) and proposed in a notice of proposed rulemaking on July 14, 2010 (75 FR 40868). 4. HIPAA Administrative Simplification Enforcement Under the Affordable Care Act Section 1104 of the Affordable Care Act amended the Social Security Act by adding sections 1173(h) and (j). Section 1173(h) of the Act includes certification of compliance requirements for health plans, and requires the Secretary to conduct periodic audits of health plans and entities that have service contracts with health plans. Section 1173(j) of the Act establishes new penalties for health plans that fail to comply with the certification of compliance requirements. 5. Health Plan Certification of Compliance Requirements Section 1173(h)(1)(A) of the Act requires health plans to file a statement with the Secretary, in such form as the Secretary may require, by December 31, 2013, certifying that their data and information systems are in compliance with the standards and operating rules for the following transactions: Eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. In this proposed rule, we refer to the requirements mandated by section 1173(h)(1)(A) of the Act as the ‘‘first certification of compliance requirements.’’ Table 1 displays the specific standards and operating rules to which the requirements for the first certification of compliance apply. In similar fashion, section 1173(h)(1)(B) of the Act mandates, by December 31, 2015, health plan certification of compliance for the following HIPAA transactions: Health care claims or equivalent encounter 301 information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, and referral certification and authorization. Likewise, section 1173(h)(5) of the Act mandates that health plans meet certification of compliance requirements for later versions of the standards and operating rules. The scope of this proposed rule is limited to the first certification of compliance. Because operating rules for the transactions listed in section 1173(h)(1)(B) of the Act have not yet been adopted, nor has a standard been adopted for health claims attachments, we cannot yet determine what documentation will be necessary to demonstrate compliance with those standards and operating rules. We will adopt certification of compliance requirements for the transactions listed in section 1173(h)(1)(B) of the Act, and for later adopted versions of standards and operating rules, in subsequent rulemaking. TABLE 1—STANDARDS AND OPERATING RULES TO WHICH THE FIRST CERTIFICATION OF COMPLIANCE APPLIES Standards Operating rules Eligibility for a Health Plan (request and response)—Dental, Professional, and Institutional. ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Eligibility Benefit Inquiry and Response (270/271), April 2008, ASC X12N/005010X279. The following CAQH CORE Phase I and Phase II operating rules, excluding where such rules reference and/or pertain to acknowledgements and CORE certification): (1) Phase I CORE 152: Eligibility and Benefit Real Time Companion Guide Rule, version 1.1.0, March 2011, and CORE v5010 Master Companion Guide Template. (2) Phase I CORE 153: Eligibility and Benefits Connectivity Rule, version 1.1.0, March 2011. (3) Phase I CORE 154: Eligibility and Benefits 270/271 Data Content Rule, version 1.1.0, March 2011. (4) Phase I CORE 155: Eligibility and Benefits Batch Response Time Rule, version 1.1.0, March 2011. (5) Phase I CORE 156: Eligibility and Benefits Real Time Response Rule, version 1.1.0, March 2011. (6) Phase I CORE 157: Eligibility and Benefits System Availability Rule, version 1.1.0, March 2011. (7) Phase II CORE 258: Eligibility and Benefits 270/271 Normalizing Patient Last Name Rule, version 2.1.0, March 2011. (8) Phase II CORE 259: Eligibility and Benefits 270/271 AAA Error Code Reporting Rule, version 2.1.0. (9) Phase II CORE 260: Eligibility & Benefits Data Content (270/271) Rule, version 2.1.0, March 2011. (10) Phase II CORE 270: Connectivity Rule, version 2.2.0, March 2011. Eligibility for a Health Plan—Retail Pharmacy Drugs. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 Transactions Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0), August 2007, and equivalent Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), National Council for Prescription Drug Programs. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 PO 00000 Frm 00005 Fmt 4701 Sfmt 4702 E:\FR\FM\02JAP2.SGM 02JAP2 302 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules TABLE 1—STANDARDS AND OPERATING RULES TO WHICH THE FIRST CERTIFICATION OF COMPLIANCE APPLIES— Continued Transactions Standards Operating rules Health Care Claim Status ............... ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health claim status Request and Response (276/277), August 2006, ASC X12N/005010X212, and Errata to Health claim status Request and Response (276/277), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, April 2008, ASC X12N/005010X212E1. ERA: ASC X12 Standards for Electronic Data Interchange Technical Report Type 3— Health Care Claim Payment/Advice (835), April 2006, ASC X12N/005010X221. The following CAQH CORE Phase II operating rules (updated for Version 5010), excluding where such rules reference and/or pertain to acknowledgements and CORE certification: (1) Phase II CORE 250: Claim Status Rule, version 2.1.0, March 2011, and CORE v5010 Master Companion Guide, 00510, 1.2, March 2011. (2) Phase II CORE 270: Connectivity Rule, version 2.2.0, March 2011. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 Health Care Electronic Funds Transfers (EFT) and Remittance Advice. The following CAQH CORE Phase III EFT & ERA Operating Rule Set, approved June 2012: (1) Phase III CORE 380 EFT Enrollment Data Rule, version 3.0.0, June 2012. (2) Phase III CORE 382 ERA Enrollment Data Rule, version 3.0.0, June 2012. (3) Phase III 360 CORE Uniform Use of CARCs and RARCs (835) Rule, version 3.0.0, June 2012. (4) CORE-required Code Combinations for CORE-defined Business Scenarios for the Phase III CORE 360 Uniform Use of Claim Adjustment Reason Codes and Remittance Advice Remark Codes (835) Rule, version 3.0.0, June 2012. (5) Phase III CORE 370 EFT & ERA Reassociation (CCD+/835) Rule, version 3.0.0, June 2012. (6) Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012, except Requirement 4.2 titled ‘‘Health Care Claim Payment/Advice Batch Acknowledgement Requirements‘‘. (7) ACME Health Plan, CORE v5010 Master Companion Guide Template, 005010, 1.2, March 2011 (incorporated by reference in § 162.920), as required by the Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012. Stage 1 Payment Initiation: The National Automated Clearing House Association (NACHA) Corporate Credit or Deposit Entry with Addenda Record (CCD+) implementation specifications as contained in the 2011 NACHA Operating Rules & Guidelines: NACHA Operating Rules, Appendix One: ACH File Exchange Specifications; and NACHA Operating Rules, Appendix Three: ACH Record Format Specifications, Subpart 3.1.8 Sequence of Records for CCD Entries. Data content in CCD Addenda Record: Accredited Standards Committee (ASC) X12 Standards for Electronic Data Interchange Technical Report Type 3, ‘‘Health Care Claim Payment/ Advice (835), April 2006: Section 2.4: 835 Segment Detail: ‘‘TRN Reassociation Trace Number,’’ Washington Publishing Company, 005010X221. Section 1173(h)(2) of the Act provides that a health plan will not be considered to have met section 1173(h)(1) of the Act certification requirements unless it VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 provides the Secretary adequate documentation of compliance that— • Demonstrates to the Secretary that it conducts the electronic transactions specified in section 1173(h)(1) of the PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 Act in a manner that fully complies with the regulations of the Secretary; and • Shows that it has completed end-toend testing for such transactions with its E:\FR\FM\02JAP2.SGM 02JAP2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules mstockstill on DSK4VPTVN1PROD with PROPOSALS2 partners, such as hospitals and physicians. Section 1173(h)(3) of the Act extends the certification and submission requirements to entities that have service contracts with health plans, though the compliance onus remains on the health plan. In addition, the Secretary is authorized by section 1173(h)(4) of the Act to designate independent, outside entities to certify that health plans have complied with the certification requirements, so long as the certification standards used by these entities are in accordance with the standards and operating rules adopted by the Secretary. 6. Penalty Fees Section 1173(j) of the Act specifies penalties for health plans that fail to meet section 1173(h) certification and documentation of compliance requirements. Sections 1173(j)(1)(B) through (F) of the Act specify the amount of, and process for assessing, penalty fees against health plans. Section 1173(j)(1)(B) of the Act requires the Secretary to assess a $1 per covered life per day penalty fee, assessed per person covered by the plan for which its data systems for major medical policies are not in compliance for each day the plan is not in compliance, against a health plan until certification is complete. Section 1173(j)(1)(C) of the Act requires the Secretary to double the amount of the penalty fees assessed against a health plan that knowingly provides inaccurate or incomplete information in certifying compliance. Section 1173(j)(1)(F) of the Act directs the Secretary to determine the number of covered lives underlying the calculation of the penalty fee amount based upon a health plan’s most recent statements and filings submitted to the Securities and Exchange Commission. Section 1173(j)(1)(D) of the Act directs that the penalty fees be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the Secretary. Finally, section 1173(j)(1)(E) of the Act caps the penalties that may be annually imposed on a health plan to $20 per covered life under such plan, or, in the event of misrepresentation under section 1173(j)(1)(C) of the Act, $40 per covered life. 7. Notice, Dispute, and Penalty Process Sections 1173(j)(2) through (4) of the Act outline how the penalty fees are to be assessed and collected. Section 1173(j)(2) of the Act requires the Secretary to establish a process to assess penalty fees that provides a health plan with reasonable notice and a dispute VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 resolution procedure prior to the Secretary of the Treasury sending a notice of assessment to a health plan. Section 1173(j)(3) of the Act directs the Secretary, by May 1, 2014, and annually thereafter, to provide the Secretary of the Treasury with a report of health plans that have been assessed penalty fees. Section 1173(j)(4) of the Act directs the Secretary of the Treasury to collect the penalty fees, and by August 1, 2014 and annually thereafter, provide each plan assessed a penalty fee a notice of the amount and due date of the fee. Section 1173(j)(4)(C) of the Act directs health plans assessed penalty fees to make payment to the Secretary of the Treasury by November 1, 2014, and annually thereafter. Section 1173(j)(4)(D) of the Act provides that interest, at a rate as determined pursuant to the underpayment rate established under section 6621 of the Internal Revenue Code of 1986, accrues on any penalty fee not paid by the due date, and that any unpaid penalty fees are to be treated as a past due, legally enforceable debt owed to a federal agency for purposes of section 6402(d) of the Internal Revenue Code of 1986. Finally, section 1173(j)(4)(E) of the Act states that any fee charged or allocated for collection activities conducted by the Department of the Treasury’s Financial Management System will be passed on to the health plan on a prorated basis and added to the penalty fee collected. 8. Audits Section 1173(h)(6) of the Act states that the Secretary shall conduct periodic audits to ensure that health plans, including entities that have service contracts with health plans, are in compliance with the adopted standards and operating rules, as referenced in Table 1. The process and scope of these audits are not addressed in this proposed rule. C. Certification of Compliance and Strategy for a Consistent Testing Processes Beyond the first certification of compliance, section 1173(h)(5) of the Act requires health plan certification for new and revised standards and operating rules adopted by the Secretary. We intend for future rulemakings in which we adopt new or modified standards and operating rules to also include certification of compliance processes for those new or modified standards and operating rules. We believe the benefit of including the certification of compliance requirements in those rulemakings is that it will move covered entities toward a consistent, PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 303 industry-wide testing framework that, we believe, will support a more seamless transition to new and modified standards and operating rules. In recent years, the health care industry has experienced challenges in implementing the HIPAA Administrative Simplification requirements, such as Version 5010, ICD–10, and the operating rules for the eligibility for a health plan and health care claim status transaction, by the regulatory compliance dates. We have responded to industry’s needs for additional time by delaying implementation or relaxing enforcement periods for the requirements, but such practices can be expensive to industry. While many factors may cause a covered entity to have difficulty implementing a new Administrative Simplification requirement, many in industry attribute some implementation issues to the lack of a consistent testing process or framework.13 The health care industry reports that testing is critical to ensure the integrity of internal application systems and confirm a system’s capability to conduct compliant transactions.14 The NCVHS stated that a uniform testing process that included full end-to-end testing well before the compliance dates for Version 5010 would have identified issues that could have been mitigated in advance of the compliance date.15 Ideally, certification of compliance, as mandated by section 1173(h) of the Act, should support a standardized process for demonstrating compliance. Such a standardized process for demonstrating compliance should require a health plan to undergo testing within a consistent, industry-wide framework that results in the ability to generate specific documents that demonstrate compliance. We believe such a process would solve some of the significant implementation issues the industry has experienced. The certification of compliance provisions we propose in this rule are the first step toward a standardized testing framework to 13 Many of the assumptions in this section come from an NCVHS hearing held on June 20, 2012 in which these issues were discussed. The hearing and the NCVHS’ conclusions are summarized in ‘‘Re: Findings from NCVHS Hearings on Administrative Simplification in June 2012—an Update on Health Care Administrative Transactions,’’ September 21, 2012 letter to Secretary Sebelius from the National Committee on Vital and Health Statistics, pg 2. A copy of the letter and testimony from the hearing can be found at: https://www.ncvhs.hhs.gov/. 14 See ‘‘Transaction Compliance and Certification: A White Paper Describing the Recommended Solutions for Compliance Testing and Certification of the HIPAA Transactions,’’ prepared by the Workgroup for Electronic Data Interchange (WEDI) Transactions Workgroup, March 10, 2010. 15 Ibid. E:\FR\FM\02JAP2.SGM 02JAP2 304 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules support a more seamless transition to new and revised standards or operating rules. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 II. Provisions of the Proposed Rule A. Submission Requirements Section 1173(h) of the Act requires health plans to provide the Secretary, in such form as the Secretary may require, adequate documentation of compliance with the standards and operating rules. In accordance with section 1173(h) of the Act, we propose the information and documentation that controlling health plans (CHPs) would be required to submit to the Secretary for the first certification of compliance in the new regulation § 162.926. In the HPID final rule, we created two categories of health plans 16 for purposes of specifying enumeration requirements for the health plan identifier (HPID): CHPs and subhealth plans (SHPs). In this proposed rule, we propose that CHPs, on behalf of themselves and their SHPs, if any, be responsible for submitting the information and documentation for the first certification of compliance under § 162.926. Under proposed § 162.926, a CHP would be required to submit the following information and documentation, in one submission, to the Secretary: • Its number of covered lives on the date it submits the documentation. • Documentation that demonstrates it has obtained either a CAQH CORE— ++ Certification Seal for Phase III CAQH CORE EFT & ERA Operating Rules (hereinafter referred to as a Phase III CORE Seal); or ++ HIPAA Credential for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice operating rules (hereinafter referred to as the HIPAA Credential). Collectively, these constitute the submissions, and we refer to the requirements to submit them to the Secretary as the ‘‘submission requirements.’’ The submission requirements, as proposed in this rule, are a ‘‘snap shot’’ of a CHP’s compliance with the standards and operating rules. Such information and documentation does not reflect continuing compliance, nor do we do intend the information or documentation to be updated or resubmitted on a regular basis. 16 The regulatory definition of health plan at 45 CFR 160.103 was initially adopted in the Transactions and Code Sets final rule. The basis for the additions to, and clarifications of, the statutory definition of health plan is further discussed in the preamble to the December 28, 2000 final rule (65 FR 82478 and 82576) titled ‘‘Standards for Privacy of Individually Identifiable Health Information.’’ VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 We are not, at this time, proposing the specific format for the submission requirements. We will likely require a CHP to submit its number of covered lives through an online form. We may require an electronic version or copy of a Phase III CORE Seal or the HIPAA Credential to be submitted online, or we may ask for a tracking number that links to CAQH CORE records of such. Information about the mechanics for meeting the submission requirements for the first certification of compliance will be forthcoming at or near the time the final rule is published. 1. Responsibilities of a CHP As previously noted, in § 162.926 we propose that a CHP be responsible for submitting the following on behalf of itself and, if it has any, its SHP(s): • The number of covered lives of a CHP: The number of ‘‘covered lives of a CHP,’’ as the term is proposed to be defined in § 162.103, would include the number of covered lives, if any, of a CHP’s SHPs. (We discuss the definition of ‘‘covered lives of a CHP’’ in more detail in section II.B.1 of this proposed rule.) The CHP would be responsible for submitting its total number of covered lives as of the date it meets the submission requirements of § 162.926(a)(1) or (b)(1). • Documentation that demonstrates the CHP has obtained either a Phase III CORE Seal or the HIPAA Credential. In order to obtain the documentation for this submission requirement, a CHP, also representing all of its SHPs, would have to meet the CORE requirements necessary to obtain either a Phase III CORE Seal or the HIPAA Credential. We discuss this documentation requirement in more detail in section II.A.3 of this proposed rule. We believe the proposal that the CHP be responsible for meeting the submission requirements for itself and its SHPs is consistent with the framework of the HPID final rule. A CHP is defined at § 162.103 as exercising sufficient control over its SHPs to direct its/their business activities, actions, or policies. We believe a CHP has sufficient control over its SHPs to require that it be responsible for the § 162.926 requirements for itself and its SHPs. As described in section II.B.1 of this proposed rule, the CHP would also be responsible for the penalty fees that may be assessed if it fails to meet the first certification of compliance’s submission requirements as proposed in § 162.926. We note that a CHP’s proposed obligations under § 162.926 would not necessarily extend to other Administrative Simplification PO 00000 Frm 00008 Fmt 4701 Sfmt 4702 compliance or enforcement activities. Nothing in the provisions of this proposed rule would alter the requirement that all health plans must meet Administrative Simplification requirements per § 160.102. As health plans, SHPs are covered entities and independently responsible for ensuring they are compliant with the standards and operating rules, but, for purposes of this rule, we propose that the responsibility to meet the first certification of compliance submission requirements lies with the CHP. We emphasize that state and federal government entities that meet the definition of a CHP must meet the requirements of this proposed rule and may be assessed penalty fees as described in the statute and in this rule; section 1173(h) of the Act provides no exemptions for state or federal government health plans. 2. Proposed Submission Requirements: Number of Covered Lives of a CHP Section 1173(j)(1) of the Act requires the Secretary to assess a penalty fee against a health plan that fails to meet the certification of compliance requirements of section 1173(h). Section 1173(j)(1) of the Act specifies the penalty fee amount, which is based on the covered lives of a health plan. Because we need to know the number of covered lives of a CHP (including the number of covered lives of its SHPs, if it has any) should circumstances require us to calculate penalty fees, we propose in § 162.926(a)(1) and (b)(1) to require CHPs to submit to the Secretary the number of covered lives of a CHP. We propose that the number of covered lives of a CHP submitted pursuant to § 162.926(a)(1) and (b)(1) would be the number of covered lives as of the date the CHP submits the documentation proposed in § 162.926(a)(2) and (b)(2) to the Secretary. For example, if a CHP submits the documentation required by the first certification of compliance on January 1, 2015, then its submission would reflect its number of covered lives as of that date. In § 162.926 (and discussed in section II.A.7 of this proposed rule), we propose that a CHP would have up to 12 months prior to the certification of compliance deadlines to satisfy the submission requirements. The definition of the ‘‘covered lives of a CHP’’ is best explained in the context of the penalty fees, which we do in section II.B.1 of this proposed rule where we describe the calculation of penalty fees. E:\FR\FM\02JAP2.SGM 02JAP2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules mstockstill on DSK4VPTVN1PROD with PROPOSALS2 3. Proposed Submission Requirements: HIPAA Credential or Phase III CORE Seal We propose to require CHPs to choose among two options, the HIPAA Credential or a Phase III CORE Seal, as described in this section, to demonstrate compliance for the first certification of compliance. There are any number of reasons why a CHP may elect to obtain one of these options over the other. A CHP will find that one or the other better aligns with the implementation process it uses to implement new operating rules. a. Process and Requirements for Obtaining HIPAA Credential We are proposing in § 162.926(a)(2) and (b)(2) that a CHP has the option of selecting the HIPAA Credential as one of two alternatives for meeting the first certification of compliance submission requirements. The HIPAA Credential is administered by CAQH CORE and demonstrates that a CHP has attested to compliance with HIPAA standards and operating rules for the eligibility for a health plan, health care claim status, and electronic funds transfers (EFT) and remittance advice transactions, and that the CHP has conducted a certain level of testing. CAQH CORE is currently developing the HIPAA Credential— which we expect to be finalized prior to the time we finalize this rule—and we describe here the expected process and requirements for obtaining it. Just as CAQH CORE provides explicit details about the CORE Seals on its Web site, we expect it will do the same for the HIPAA Credential. Should the final HIPAA Credential differ in any material way from the way we describe it herein, we would reopen the comment period for this topic to allow for further comment. The scope of the HIPAA Credential would only encompass the HIPAAmandated standards and operating rules. For example, we have not adopted HIPAA standards and operating rules for acknowledgements, therefore the HIPAA Credential would not require attestation or compliance with respect to standards and operating rules regarding acknowledgements. To obtain the HIPAA Credential, a CHP would have to submit to CAQH CORE— • The CAQH CORE HIPAA Attestation Form (similar to the form required for the CORE Certification process,17 discussed in section II.A.3(b) of this proposed rule); 17 https://www.caqh.org/pdf/CLEAN5010/ COREHIPAAForm.pdf, https://www.caqh.org/pdf/ COREPIIHIPAAForm.pdf, and https://caqh.org/Host/ VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 • An application form (similar to the form required to obtain a CORE Seal) with signature verifying that all forms have been submitted to CAQH CORE and indicating that HHS may view the application and associated forms if such a request is made to CAQH CORE; and • An attestation form, with features or requirements that would include the following: ++ Attestation, in which the CHP confirms that it has successfully tested the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions with trading partners. For each of the three transactions, the CHP must confirm that the number of transactions conducted with those trading partners collectively accounts for at least 30 percent of the total number of transactions conducted with providers. For each of the three transactions, the CHP must confirm that it has successfully tested with at least three trading partners, but if the number of transactions conducted with three trading partners does not account for at least 30 percent of the total number of transactions conducted with providers, the CHP could confirm that it has successfully tested with up to 25 trading partners. The CHP would have to list those trading partners. We do not define ‘‘successfully tested’’ in this proposed rule, or prescribe any specific kind or level of testing for the HIPAA Credential. ++ When a CHP attests that it has successfully tested with trading partners that, collectively, conduct at least 30 percent of the total number of transactions conducted with providers, it is representing itself and its SHPs. When calculating 30 percent of the transactions conducted with providers, the total of the CHP’s and SHPs’ transactions would be used. ++ The CHP would have to provide contact information, including, but not limited to, name, phone number, and email address, for each of the listed trading partners. ++ Trading partners may be transaction-specific. For example, a CHP may list the same or different trading partners for each of the three transactions, so a CHP may list three or more trading partners. ++ Trading partner testing would only be required for current HIPAACORE/EFT-ERA/CORE_PIII_HIPAA_Form.pdf, https://www.caqh.org/pdf/CLEAN5010/ COREHIPAAForm.pdf, https://www.caqh.org/pdf/ COREPIIHIPAAForm.pdf, and https://caqh.org/Host/ CORE/EFT-ERA/CORE_PIII_HIPAA_Form.pdf for the Phase I, II, and III CAQH CORE HIPAA Attestation Forms respectively. PO 00000 Frm 00009 Fmt 4701 Sfmt 4702 305 mandated operating rules and standards, so trading partner testing would not be required for the use of acknowledgments, or optional aspects of standards. In reviewing CHPs’ HIPAA Credential application packages, CAQH CORE will likely identify applications containing obvious errors, and not award the HIPAA Credential based on such information. CAQH CORE will also identify when required information, such as trading partner contact information, is missing in the HIPAA Credential application package. While CAQH CORE will likely identify obvious errors or missing information in the HIPAA Credential application package, CAQH CORE will not be responsible for addressing intent on the part of the CHP with regard to such errors or missing information. That is, CAQH CORE will not investigate what a CHP knew or didn’t know when it submitted an inaccurate HIPAA Credential application package to CAQH CORE. Similarly, CAQH CORE will not address any claims that may be submitted to CAQH CORE about a CHP’s intent behind any inaccuracies or incomplete information in a HIPAA Credential application; for example, CAQH CORE will not address claims that a CHP knowingly provided inaccurate or incomplete information in its HIPAA Credential application. Other aspects of the HIPAA Credential include: • Unlike the CORE Seals, it would only be offered to health plans. • The HIPAA Credential would not have a requirement for certification testing, as is required for a Phase III CORE Seal. The HIPAA Credential would not have a requirement to test with a third-party testing vendor. • The HIPAA Credential requires external testing; however, it does not require a specific approach to external testing, and, thus, does not directly support a consistent, industry-wide testing framework to the extent that a Phase III CORE Seal does. Thus, we view the HIPAA Credential as an initial step toward a consistent testing framework for CHPs that decide not to undergo the certification testing for a CORE Phase III Seal. b. Process and Requirements for Obtaining a CORE Seal The three current CAQH CORE Operating Rule sets are referred to as phases: Phase I is the operating rule set for the eligibility for a health plan transaction; Phase II includes operating rules for both the eligibility for a health plan and the health care claim status transaction; and Phase III is the E:\FR\FM\02JAP2.SGM 02JAP2 mstockstill on DSK4VPTVN1PROD with PROPOSALS2 306 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules operating rule set for the health care electronic funds transfers (EFT) and remittance advice transaction. The Secretary has adopted the sets as the operating rules for the respective transactions, with the exceptions we describe in section I.B.2 of this proposed rule. CAQH CORE has developed separate certification testing requirements for each of the three phases of operating rules. Any health care entity that conducts the applicable electronic health care transactions may voluntarily undergo certification testing with an independent CORE-authorized testing vendor and a certification process through CORE to demonstrate compliance with the three phases. An entity that successfully completes the testing and submits the appropriate documentation to CAQH CORE is awarded a CORE Seal for the specific phase for which it tested. In order to be awarded a CORE Seal for all three phases, a CHP would be required to conduct certification testing for compliance with the requirements in Phases I, II, and III, which may be done chronologically or concurrently. We are proposing a Phase III CORE Seal as one of two options a CHP may choose to meet the submission requirements of the first certification of compliance. The preparation required to apply for, and the documentation required in order to be awarded, a CORE Seal for each phase reflects the kind of consistent internal and external testing and documentation of compliance that we believe will ameliorate many of the challenges industry has recently faced during transitioning to new standards and operating rules. Because we propose that CHPs may choose to obtain a CORE Seal to satisfy the requirements of proposed § 162.926(a)(2) or (b)(2), we describe the steps involved for entities to obtain a CORE Seal: 18 (1) Conduct a gap analysis by evaluating, planning, and completing necessary system upgrades; (2) sign and submit the CAQH CORE Pledge to make a commitment to become a COREcertified entity within 180 days; (3) conduct testing through a COREauthorized testing vendor; and (4) apply for a Phase III CORE Seal by submitting the proper documentation and fee to CAQH CORE for consideration. This four-step process is described in more detail as follows: • Step 1: Conduct A Gap Analysis Entities that implement the CAQH CORE Operating Rules conduct a gap 18 Step-by step process for certification for Phase I and Phase II can be found at: https://www.caqh.org/ CORE_step_by_step.php. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 analysis in order to determine what system and business process changes may be necessary to ensure their data and information systems are remediated to address any gaps between existing system requirements and CORE Operating Rule requirements. (Certification testing is described later in this section.) Project managers, business analysts, system analysts, architects, and other key staff conduct the gap analyses, which include an inventory of the systems affected by the specific phase of operating rules and the drafting of a detailed project plan. CORE provides an analysis and planning guide as a gap analysis tool for each of its current phases.19 • Step 2: Sign and Submit the CORE Pledge An authorized, executive-level employee of the entity that is applying for any of the three CORE Seals signs a binding CORE Certification Pledge to adopt, implement, and comply with the CAQH CORE Operating Rules. By signing the pledge, an entity commits to working with a CORE-authorized Testing Vendor to demonstrate that its product(s) or IT system(s) is operating in accordance with a specific phase of the CORE Operating Rules. (We discuss CORE-authorized Testing Vendors in more depth in section II.A.2.d of this proposed rule.) Testing with a COREauthorized Testing Vendor must be completed within 180 days of signing the pledge,20 though extensions may be granted by signing and submitting a new pledge. • Step 3: Testing by a COREauthorized Testing Vendor using CORE Certification Master Test Suites (Certification Testing) CAQH CORE developed documents called CORE Certification Master Test Suites (Test Suites) for each of its three operating rule phases. The phasespecific Test Suites are operating rule and documentation requirements that an entity must meet to be awarded a CORE Seal for that phase. Test Scripts—which include a description of operating rule-byoperating rule requirements, as well as specific documentation or information necessary to demonstrate compliance with each operating rule requirement— are the primary tools in each phasespecific Test Suite. Tables 2 and 3 illustrate two examples of Test Scripts for two different operating rule requirements. Table 2 illustrates a test 19 https://www.caqh.org/Host/CORE/CAQHCORE_ Analysis&PlanningGuide.pdf and https:// www.caqh.org/Host/CORE/CAQHCORE_EFT&ERA_ Analysis&PlanningGuide.pdf. 20 https://www.caqh.org/CORE_certification.php. PO 00000 Frm 00010 Fmt 4701 Sfmt 4702 script from Phase I CORE 152 Companion Guide Rule Certification Testing and Table 3 illustrates a test script from Phase I CORE 154 Eligibility and Benefits (270/271) Data Content Rule Certification Testing. As illustrated by Table 2 and Table 3, each Test Script includes the following five columns: • Column 1—The criteria or description of the requirements of the rule. • Column 2—The expected result of a test of compliance with the rule. Entities upload documents or submit transaction files to CORE-authorized Testing Vendors that demonstrate they have met the requirements of each Test Script. • Column 3—The actual result that the entity found upon testing the rule (that is, whether the expected outcome was achieved). • Column 4—Indicates whether the entity was able to produce the expected result in terms of pass or fail. • Column 5—Indicates which stakeholder would be required to produce the expected result. For operating rules with requirements about data content, an entity would submit a transaction file to be tested in the CORE-authorized Testing Vendor’s testing engine. Using the example of the Test Script illustrated in Table 3, an entity would be required to submit a transaction file, detailed in column 2, and receive a ‘‘pass’’ from the COREauthorized Testing Vendor in column 4 indicating the file met the requirement. In other cases, an entity would submit other types of documents that demonstrate the expected result of the Test Script. Using the example of the Test Script illustrated in Table 2, an entity would be required to submit an electronic version of the table of contents of its ASC X12 v5010 270/271 companion document, including an example of the ASC X12 v5010 270/271 content requirements,’’ to the COREauthorized Testing Vendor in order for the vendor to give a ‘‘pass’’ to that test. The process of submitting documents or uploading files to CORE-authorized Testing Vendors is virtual, and an entity may access the CORE-authorized Testing Vendor’s testing portal from a desktop computer. The certification testing, described here as a key step in obtaining a CORE Seal, would be conducted after an entity has conducted internal and external testing of the operating rules. CORE’s standardized certification testing demonstrates that a consistent and standard IT system testing has been completed. Therefore, certification testing, such as that which is described here, reflects our intent of supporting an E:\FR\FM\02JAP2.SGM 02JAP2 307 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules industry-wide consistent trading partner testing process or framework. TABLE 2—ILLUSTRATION A: SAMPLE TEST SCRIPTS FROM PHASE I CORE CERTIFICATION TEST SUITE SAMPLE TEST SCRIPT FOR PHASE I CORE 152 COMPANION GUIDE RULE CERTIFICATION TESTING Criteria Expected result Actual result Pass/fail Stakeholder Provider Companion Document conforms to the flow and format of the CORE master Companion Document Template. Submission of the Table of Contents of the v5010 270/271 companion document, including a example of the v5010 270/271 content requirements. .................... b Pass b Fail b Health plan b Clearing house b N/A b TABLE 3—ILLUSTRATION B: SAMPLE TEST SCRIPTS FROM PHASE I CORE CERTIFICATION TEST SUITE A TEST SCRIPT FROM PHASE I CORE 154 ELIGIBILITY AND BENEFITS (270/271) DATA CONTENT RULE CERTIFICATION TESTING Criteria Expected result Actual result Pass/Fail Stakeholder Provider mstockstill on DSK4VPTVN1PROD with PROPOSALS2 Create a valid v5010 271 response transaction as defined in the CORE rule indicating the patient financial responsibility for each of the benefits covering the individual (Key Rule Requirement #6 through #18). Output a valid fully enveloped v5010 271 eligibility response transaction set with the correct co-insurance, co-payment, and deductible patient financial responsibilities for both in/ out of network in either EB08-954 or EB07-782 at either the subscriber loop 2110C or dependent loop 2100D levels. • Step 4: Apply for a CORE Seal Once an entity successfully completes the certification testing with a COREauthorized Testing Vendor, it submits an application package to CAQH CORE, and the CAQH CORE staff then reviews the application package prior to granting the appropriate CORE Seal. The application package includes the following: ++ Documentation from a COREauthorized Testing Vendor demonstrating the entity’s compliance with the phase-specific CAQH CORE Operating Rules through successful certification testing. ++ The CAQH CORE HIPAA Attestation Form, signed by a seniorlevel executive, indicating that, to the best of the applicant’s knowledge, the entity is HIPAA compliant for security, privacy, and the transaction standards. This form is addressed in more detail in section II.A.3(c) of this proposed rule. ++ The CAQH CORE Health Plan IT Exemption Form, if applicable. This form and its relationship with the submission requirements of the first certification of compliance is discussed in section II.A.3(e) of this proposed rule. ++ The CAQH CORE Application. This form collects contact information for the individual responsible for the organization’s CORE-certification process. The form also outlines the required materials for a complete CORE Certification Application, the process by VerDate Mar<15>2010 19:50 Dec 31, 2013 Jkt 232001 .................... b Pass b Fail which CAQH CORE will review and approve applications, and terms and conditions for CORE Certification. ++ A fee, as illustrated in Table 4. Upon receipt of this documentation, CAQH CORE will complete a final assessment within 30 business days unless there are extenuating circumstances. CAQH CORE reviews test results and maintains records for each entity that is awarded a CORE Seal. A health plan must be awarded a CORE Seal in a previous phase to be eligible for a subsequent phase’s Seal.21 For example, a health plan must be awarded a CORE Seal for Phase I and II Operating Rules in order to be eligible for a CORE Seal for Phase III Operating Rules. CAQH CORE provides the option of applying for and conducting certification testing for all three phases concurrently. In the context of the requirements for the first certification of compliance, this means that a CHP that chooses the option to submit a CORE Seal for Phase III Operating Rules will need to obtain CORE Seals for Phases I and II first, or concurrently. We believe that the CORE Seal, obtained through the CORE certification process, is a reasonable and appropriate demonstration of compliance with the operating rules because— 21 See question #4, page 9 of 23 at https:// www.caqh.org/pdf/COREFAQsPartA.pdf. PO 00000 Frm 00011 Fmt 4701 Sfmt 4702 b Health plan b Clearing house b N/A b • CAQH CORE develops its CORE Seal certification process through a multi-stakeholder approach. CAQH CORE is an industry-wide collaboration committed to the development and adoption of national operating rules for administrative transactions. The more than 140 CORE Participants represent all key stakeholders including providers, health plans, vendors, clearinghouses, government agencies, Medicaid, banks and standard development organizations. CAQH CORE draws on this representation to develop the requirements for CORE Certification (Test Suites and Test Scripts) through a transparent, consensus-based process. To our knowledge, no other entity currently has an equivalent multi-stakeholder process for developing certification testing for operating rules; • Through the CORE-authorized Testing Vendor framework, CAQH CORE has created a marketplace for multiple commercial testing vendors to compete, while requiring COREauthorized Testing Vendors to utilize standardized Test Scripts and specific submission requirements in testing entities. In its role as the ‘‘certifier,’’ in contrast to a ‘‘tester,’’ CAQH CORE maintains a third party position, independent from both the entity seeking the CORE Seal and the testing vendors with commercial interests. This E:\FR\FM\02JAP2.SGM 02JAP2 308 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules allows CAQH CORE to carry out the certifying process—and enforcement, appeals and exception policies and processes—in a neutral, transparent manner; • CORE Certification is recognized as an Administrative Simplification tool for health plans and states. Currently, over 30 health plans have been awarded or have pledged to seek CORE Seals for Phases I, II, or III, or have pledged to seek the CORE Seal.22 CORE Certification is also a crucial element in state-based health care reform initiatives in Oregon 23 and Colorado. Colorado, for example, requires that, ‘‘[w]hen installing new operating systems after December 31, 2012, all carriers are required to use CORE-certified systems for communications, those systems which meet CORE certification standards, or contract with a vendor who has applied by January 1, 2013 to be CORE-certified.’’ 24 The Colorado regulation also states that ‘‘Phase I CORE certification shall be accepted as evidence of compliance’’ with the CORE operating rules that the regulation also adopted; 25 and • CAQH CORE’s Certification Infrastructure. CAQH CORE’s infrastructure includes: robust on-line and live support for entities during the certification process; a complaint-driven enforcement mechanism that identifies instances of non-compliance; an exemption policy and process; a recertification process; and an appeals process allowing an entity to request a hearing if it disagrees with CAQH CORE’s decision of non-compliance. We request comments on a Phase III CORE Seal as an option for CHPS to meet the documentation requirements for the first certification of compliance. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 c. CAQH CORE HIPAA Attestation Forms as Documentation of Compliance With the HIPAA Standards In order to obtain a CORE Seal for each of the operating rule phases, an entity must sign the CAQH CORE HIPAA Attestation Form by which it 22 For updated information on entities that have CORE-certification or have committed to receive CORE-certification, please refer to https:// www.caqh.org/CORE_organizations.php. 23 O.A.R. 836–100–0115(1): https:// arcweb.sos.state.or.us/pages/rules/oars_800/oar_ 836/836_100.html. 24 3 CCR 702–4–2–32: https://cdn.colorado.gov/cs/ Satellite?blobcol=urldata&blobheadername1= Content-Disposition&blobheadername2=ContentType&blobheadervalue1=inline%3B+ filename%3D%224–2–32+Standardized+ Electronic+Identification+And+Communication+ Systems+Guidelines+For+Health+Benefit+Plans. pdf%22&blobheadervalue2=application%2Fpdf& blobkey=id&blobtable=MungoBlobs&blobwhere= 1251823308663&ssbinary=true. 25 Ibid., Section 5. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 attests to compliance with applicable HIPAA transaction provisions, and the HIPAA privacy and security provisions, of 45 CFR Parts 160, 162, and 164. We anticipate that CAQH CORE’s HIPAA Credential application process will similarly require such an attestation for the HIPAA Credential, and we find such an attestation to be an essential document of compliance for purposes of the first certification of compliance. We note that, attesting to compliance with the HIPAA privacy and security provisions or obtaining a CORE Seal (or the HIPAA Credential) does not prevent or preclude the Office for Civil Rights from conducting HIPAA Privacy or Security Rules investigations, compliance reviews or audits; settling cases; making findings of noncompliance; or imposing civil money penalties for HIPAA violations. The proposed submission requirements of § 162.926(a)(2) and (b)(2) demonstrate a CHP is compliant with applicable standards and operating rules. We considered proposing a framework by which CHPs would demonstrate compliance with applicable standards styled similarly to the proposed framework for demonstrating compliance with operating rules. That is, we considered requiring a CHP to obtain documentation from a third-party demonstrating it has conducted external testing with the standards adopted for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions. At this time, however, we believe CAQH CORE’s HIPAA Attestation Form satisfies the section 1173(h)(2) mandate that health plans submit adequate documentation of compliance with the applicable standards for purposes of the first certification of compliance. We chose this approach because we— • Believe that requiring just the CAQH CORE HIPAA Attestation Form minimizes CHPs’ burdens in complying with the first certification submission requirements, while not altering or undermining the statutory requirements or our objectives in ensuring compliance; and • Are not aware of existing programs that demonstrate consistent testing for compliance with the standards that parallel the proposed process for certifying health plans for compliance with the operating rules. There may be commercial entities that ‘‘certify’’ entities as being compliant with the standards, but we do not know of any that have developed a standards certification process, certification testing, or certification infrastructure PO 00000 Frm 00012 Fmt 4701 Sfmt 4702 with significant participation from industry. We also recognize that, while the HIPAA Credential option relies on entities having successfully conducted testing with trading partners, it does not directly support a consistent, industrywide testing framework of new standards and operating rules. We view the first certification of compliance submission requirements as an initial step in that direction. We solicit comments on our assumptions and proposed approach. d. CAQH CORE Documentation and Policies We are proposing that CHPs may choose between two CAQH CORE documents—a Phase III CORE Seal or the HIPAA Credential—to demonstrate compliance for the first certification of compliance. We believe either of these documents through CAQH CORE is a reasonable approach because CAQH CORE— • Is recognized as a technical expert in the implementation of operating rules and supports the standards for those transactions to which the operating rules apply, adopted by the Secretary (after a vetting process discussed in section I.B.2 of this proposed rule). CAQH CORE is the authoring entity of the operating rules and is, therefore, well-versed in the operating rules and their interpretation and implementation, and how they coordinate with the adopted standards; • Has infrastructure to reach out to, and educate, CHPs that will be required by this proposed rule to obtain either a Phase III CORE Seal or HIPAA Credential; and • Has the ability to convene workgroups with significant and diverse health care industry participation to continually inform, and, where appropriate, improve processes associated with the CORE Seal and HIPAA Credential products. We solicit comments on our proposal to limit CHPs’ options to documents obtained through processes governed by CAQH CORE. e. CAQH CORE’s Exemption and Enforcement Policies as Applied to the Proposed Submission Requirements (1) CAQH CORE Certification Exemption Policies Under proposed § 162.926(a)(2) and (b)(2), we specify that a CHP may not be under the CORE IT Exemption Policy at the time of submission with regard to the CORE Phase I, II, or III CORE Seals E:\FR\FM\02JAP2.SGM 02JAP2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules that the CHP uses to meet the submission requirements.26 CAQH CORE’s Certification Exemption Policy enables a health plan, in certain situations, to be awarded a CORE Seal for a particular phase even if all of its IT systems do not pass the Test Scripts for that phase. So long as the remainder of a health plan’s IT systems are compliant, CAQH CORE may grant a health plan a Health Plan IT System Exemption if it has a scheduled migration, within the upcoming 12 months, of an existing, non-conforming IT system(s).27 Subsequent to the migration(s), CAQH CORE requires the health plan to submit documentation demonstrating the new IT system(s) complies with the operating rules, standards, and other items required by CORE Certification.28 Although a health plan may obtain a CORE Seal under such a CAQH CORE exemption, we make clear in § 162.926(a)(2) and (b)(2) that, on the date a CHP submits documentation to meet the submission requirements of the first certification of compliance, it may not be under such an exemption with respect to the CORE Phase I, II, or III Seals. To be clear, a CHP may receive a CORE Seal under CAQH CORE’s Health Plan IT System Exemption policy. However, a CHP that receives a CORE Seal under CAQH CORE’s Health Plan IT System Exemption must no longer be exempted on the date it provides its submissions to the Secretary in order to meet the first certification of compliance requirements. CAQH CORE’s Health Plan IT System Exemption Policy does not apply to the HIPAA Credential, so a health plan’s systems must be fully compliant with the applicable operating rules to obtain the HIPAA Credential. (2) CORE Enforcement Policy mstockstill on DSK4VPTVN1PROD with PROPOSALS2 CAQH CORE’s Enforcement Policy 29 is a complaint driven process that, 26 For Phases I, II, and III, CORE addresses certification exemptions at: https://www.caqh.org/ pdf/CLEAN5010/103.pdf, https://www.caqh.org/pdf/ CLEAN5010/203.pdf and https://caqh.org/Host/ CORE/EFT-ERA/303_Exemption_Policy.pdf Forms at: https://www.caqh.org/pdf/CLEAN5010/COREPII_ ITExemptionRequestForm.pdf, https:// www.caqh.org/pdf/CLEAN5010/103.pdf, and https:// caqh.org/Host/CORE/EFT-ERA/303_Exemption_ Policy.pdf for Phases I, II and III. 27 These exempted IT systems must serve no more than 30 percent of the health plan’s membership or applicable transactions. 28 For Phases I, II, and III, CORE addresses certification exemptions at: https://www.caqh.org/ pdf/CLEAN5010/103.pdf, https://www.caqh.org/pdf/ CLEAN5010/203.pdf and https://caqh.org/Host/ CORE/EFT-ERA/303_Exemption_Policy.pdf. 29 See https://www.caqh.org/pdf/CLEAN5010/ 105.pdf, https://www.caqh.org/pdf/CLEAN5010/ VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 under the guidance of the CORE Enforcement Committee comprised of CAQH CORE participants, reviews complaints for completeness and timeliness, and verifies or dismisses complaints. CAQH CORE’s Enforcement Policy applies to its CORE Seal product (not the HIPAA Credential), and thus would apply to CHPs that elect to obtain a Phase III CORE Seal to fulfill the submission requirements proposed in this rule. (3) A CHP Is Decertified by CORE CAQH CORE’s policies specify a number of circumstances by which an entity may be ‘‘decertified,’’ could ‘‘lose’’ its CORE Seal, or have its certification ‘‘terminated’’ because of instances of noncompliance with the operating rules for which it is certified. One such policy with this possible consequence is the CAQH CORE IT Exemption Policy, described in section II.A.3 (e) of this proposed rule, whereby a health plan that has obtained a CORE Seal under the policy may be decertified if its new IT system fails to pass the applicable Test Scripts within a prescribed timeframe.30 Similarly, CAQH CORE’s Enforcement Policy specifies that an entity with a CORE Seal may be decertified if it is found to be out of compliance with an operating rule(s) or standard if the violation is not remedied within the allowed grace period.31 As discussed previously, on the date a CHP submits its documentation, none of the CHP’s CORE Seals may be terminated or the CHP decertified by CAQH CORE. In keeping with the ‘‘snap shot’’ approach described in section II.A. of this proposed rule, we will not track the status of a CHP’s CORE Certification (that is, whether it has been terminated or has come under the CAQH CORE IT Exemption Policy) subsequent to the date it meets the proposed submission requirements.32 205.pdf, and https://caqh.org/Host/CORE/EFT-ERA/ 305_Enforcement_Policy.pdf for Phase I, II, and III enforcement policies. 30 https://www.caqh.org/pdf/CLEAN5010/103.pdf, https://caqh.org/Host/CORE/EFT-ERA/303_ Exemption_Policy.pdf, https://www.caqh.org/pdf/ CLEAN5010/103.pdf, and https://www.caqh.org/pdf/ CLEAN5010/203.pdf. 31 https://www.caqh.org/pdf/CLEAN5010/105.pdf, https://www.caqh.org/pdf/CLEAN5010/205.pdf, and https://caqh.org/Host/CORE/EFT-ERA/305_ Enforcement_Policy.pdf. 32 However, to be clear, health plans are covered entities obligated to continually abide by adopted HIPAA standards and operating rules, and the requirements of this proposed rule do not impede our enforcement authority. PO 00000 Frm 00013 Fmt 4701 Sfmt 4702 309 (4) CHP’s Responsibilities With Respect to Entities Conducting Transactions on Its Behalf Section 1173(h)(3) of the Act requires a health plan to ‘‘ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance) under this subsection.’’ Because section 1173(h) of the Act is concerned with certification of compliance with the HIPAA standards and operating rules, we believe ‘‘services pursuant to contract’’ means services provided by business associates (BAs), as that term is defined at § 160.103, that are contracted to conduct all or part of a HIPAA transaction on behalf of a health plan. Although we considered requiring CHPs to require their BAs to comply directly with the requirements of § 162.926, we are not pursuing that option. Rather, when a CHP submits documentation in accordance with the submission requirements of § 162.926, we believe that, by virtue of meeting the requirements of § 162.923(c) (which requires covered entities that use BAs to conduct transactions on their behalf to require those BAs to comply with the requirements of part 162), it will be certifying that its, and its SHP(s)’, BAs that conduct all or part of a HIPAA transactions on its/their behalf are compliant with the HIPAA standards and operating rules. We do not believe section 1173(h)(3) of the Act places any new requirements or burdens on health plans with regard to their BAs that are not already accounted for in § 162.923(c). Under CAQH CORE policy, to obtain a CORE Seal, a health plan must demonstrate that entities or vendor products that conduct all or part of a transaction related to a CAQH CORE are compliant with the operating rules.33 This CAQH CORE policy on non-health plan entities that conduct all or part of a transaction related to a CAQH CORE phase on behalf of a health plan aligns with our approach to BAs that conduct part or all of a transaction on behalf of a CHP or its SHPs. Likewise, as we have described here, if a BA that is not a health plan conducts all or part of a transaction on behalf of the CHP or its SHP(s), then the CHP is responsible for ensuring the entity conducts any HIPAA standard transactions in accord with 33 See CAQH CORE FAQs on CORE Certification & Endorsement: https://www.caqh.org/pdf/ COREFAQsPartF.pdf. E:\FR\FM\02JAP2.SGM 02JAP2 310 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules any applicable HIPAA transactions standards and operating rules. As noted previously, CAQH CORE requires that any health plan wishing to obtain a CORE Seal that is dependent on a BA—for the health plan to meet one or more of the CORE operating rule requirements—must have that BA achieve CORE certification. Similarly, if the health plan is dependent on a software vendor to meet one or more of the CORE rule requirements, then the vendor’s product name and vendor must be CORE-certified. (5) Documentation Demonstrating Endto-End Testing Section 1173(h)(2)(B) of the Act states that a health plan shall not be considered to have provided adequate documentation of compliance unless it ‘‘provides documentation showing that [it] has completed end-to-end testing for such transactions with [its] partners, such as hospitals and physicians.’’ Even outside the context of health plan certification, the meaning of the phrase ‘‘end-to-end testing’’—as well as the types of testing necessary for successful transitions to new or revised standards, code sets, or operating rules—is presently the subject of active discussion in the health care industry. HHS, through the Office of E-Health Standards and Services (OESS), is conducting a pilot that seeks to develop a process and methodology for testing the transaction standards, operating rules, code sets, identifiers, and other Administrative Simplification requirements based on industry feedback and participation. One of the goals of that effort is to establish a definition for end-to-end testing in this context that can be applied industrywide. Although we know of no standard definition for end-to-end testing at this time, we believe the concept of end-toend testing likely requires, at a minimum, external testing with trading partners. We emphasize that in order to obtain either a Phase III CORE Seal or the HIPAA Credential, some external testing is required. Note that certification testing, as is required to obtain a CORE Seal, is not the same as internal or external testing. However, certification testing includes submitting documentation that demonstrates certain levels of internal and external testing have taken place. By contrast, the HIPAA Credential directly requires external testing with trading partners. Thus, we believe CHPs that meet the submission requirements proposed in this rule meet the section 1173(h)(2)(B) of the Act’s requirement. (6) Other Considerations About CORE Certification (a) Cost of CORE Seal and CORE HIPAA Credential CAQH CORE charges entities a fee, on a sliding scale according to net annual revenue, for administering and awarding CORE Seals. Table 4 illustrates the current fees that CAQH CORE charges a health plan. Table 4 reflects the total costs for a CHP to obtain three CORE Seals, one for each CAQH CORE Operating Rule phase.34 The fees to obtain the CORE Seals do not include the cost for certification testing with a CORE-authorized testing vendor.35 Table 4 also illustrates the approximate fees that we expect CAQH CORE will charge CHPs for the HIPAA Credential it is currently developing. CAQH CORE does not charge federal and state government entities for the CORE Seals, but we expect federal or state government entities will be charged $100 to obtain the HIPAA Credential. TABLE 4—CAQH CORE FEES FOR CORE SEAL AND HIPAA CREDENTIAL Fee for CAQH Phase III CORE Seal including Phase I and II Seals Size of health plan Fee for HIPAA credential Federal and State government health plans .......................... CAQH Member Plans ............................................................. Below $5 million in net annual revenue .................................. $5 million to below $25 million net annual revenue ............... $25 million to below $50 million net annual revenue ............. $50 million to below $75 million net annual revenue ............. $75 million and above net annual revenue ............................ $100 ....................................................... No charge .............................................. $100 ....................................................... $1,000. $2,000. $4,000. ................................................................ mstockstill on DSK4VPTVN1PROD with PROPOSALS2 (b) Treatment of Acknowledgements We have previously stated in both the Operating Rules IFC and the EFT & ERA Operating Rules IFC that we do not require covered entities to comply with any CAQH CORE Operating Rule requirements pertaining to acknowledgments in Phases I, II, and III (§ 162.1203, § 162.1403, and § 162.1603). However, each of CORE’s three phase-specific Test Suites require that applicants demonstrate compliance with acknowledgments-related operating rules. CHPs that seek to obtain a Phase III CORE Seal will be bound by CAQH CORE’s requirements; in other words, the fact that HHS does not require compliance with 34 The current CORE fee structure for the CORE Seal can be found at: https://www.caqh.org/CORE_ phase1_fees.php. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 acknowledgments-related operating rules does not relieve the burden of CHPs seeking a CORE seal to abide by CAQH CORE’s requirements. By contrast, the requirements underlying CAQH CORE’s HIPAA Credential will only apply to the operating rules adopted by the Secretary, so CHPs will not have to comply with the acknowledgements operating rules to obtain the HIPAA Credential. No charge. No charge. $12,000 ($4,000 per phase). $18,000 ($6,000 per phase). (7) Compliance Timelines for CHPs To Meet Submission Requirements for the First Certification of Compliance (a) CHPs That Obtain an HPID Before January 1, 2015 (i) Submit Documentation by December 31, 2015 In § 162.926(a), we propose that a CHP that obtains an HPID before January 1, 2015, would be required to meet the submission requirements (proposed in section II.A of this proposed rule) for the first certification of compliance on or before December 31, 2015. See Table 5, Row 1. Per the requirements of § 162.504, all CHPs (except those that are small health 35 As of this writing, the single CORE-authorized testing vendor does not charge a fee for entities to test with it. PO 00000 Frm 00014 Fmt 4701 Sfmt 4702 E:\FR\FM\02JAP2.SGM 02JAP2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules mstockstill on DSK4VPTVN1PROD with PROPOSALS2 plans) must obtain HPIDs on or before November 5, 2014. CHPS that are small health plans must obtain HPIDs on or before November 5, 2015. Based on our analysis, we think very few health plans meet the definition of a small health plan,36 so we anticipate most CHPs will have obtained HPIDs on or before November 5, 2014. We propose a different date (December 31, 2015) than that in section 1173(h)(1) of the Act (December 31, 2013) for most CHPs to meet the first certification of compliance requirements because we believe, for the following reasons, CHPs will likely need until the end of 2015 to meet the requirements for the first certification of compliance: • In section II.A.3(b) of this proposed rule, we discuss the steps a CHP would have to take in order to obtain a CORE Phase III Seal, should it elect to pursue that option. We believe the deadlines proposed in this rule offer CHPs adequate time to complete the gap analysis (planning and evaluation, design and development, and internal and external testing) and subsequent certification testing with a COREauthorized testing vendor necessary to obtain CORE Seals for Phase I, II, and III Operating Rules. CAQH CORE suggests it will take 20 to 60 days of staff time to conduct certification testing with a CORE-authorized testing vendor and complete and submit one CORE Seal Application packet.37 A CHP may also choose to simultaneously pursue CORE Seals for all three phases. Therefore, for CHPs that do not now have, but choose to obtain, a Phase III CORE Seal, it could take up to 180 days to obtain Seals for all three operating rules phases, not including any time that CORE requires to review applications. • In section II.A.3(a) of this proposed rule, we discuss the broad requirements of the HIPAA Credential. Like a Phase III CORE Seal, it will take some time to meet the requirements for the HIPAA Credential, though many CHPs may have already met the testing requirements. • In section II.A.1 of this proposed rule, we propose that a CHP, in meeting the submission requirements for the first certification of compliance requirements, will demonstrate not only 36 In the HPID proposed rule, we concluded there were approximately 138 health maintenance organizations that were small entities by virtue of their nonprofit status though ‘‘few, if any of them are small by SBA size standards’’ (77 FR 23000) and that no other category of health plan could be considered ‘‘small’’ (77 FR 22999). Our conclusions were based on an analysis included in a proposed rule on the establishment of the Medicare Advantage program (69 FR 46866, August 3, 2004). 37 See FAQ #11 at https://www.caqh.org/pdf/ COREFAQsPartA.pdf. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 that it is compliant with operating rules and standards, but that its SHP(s), if it has any, are compliant. This task will also take time. • October 1, 2014 is the compliance date for the International Classification of Diseases, 10th Edition (ICD–10) Medical Data Code Sets. Facilitating the health care industry’s smooth transition to ICD–10 is of paramount importance, and health plans need to prepare and fully test their systems to ensure a smooth and coordinated transition. We expect health plans to be dedicating significant resources towards the ICD– 10 transition prior to, and for a time after, the compliance date, which transition may require participation from the same human and IT resources as will be necessary to meet the first certification of compliance submission requirements. We believe the proposed December 31, 2015 deadline for completing the first certification of compliance requirements would allow sufficient time for health plans to deploy resources to make both initiatives successful. Furthermore, the December 31, 2015 date aligns with the requirement for a CHP to obtain an HPID, as all CHPs must obtain an HPID on or before November 5, 2015. Moreover, by virtue of this alignment of dates, we will have a database of all CHPs that will be required to meet the submission requirements proposed in this rule on or before December 31, 2015, and thus should be able to identify any CHPs that do not meet the submission requirements proposed in this rule. As noted in section I.C of this proposed rule, our goal with the first certification of compliance is to help move the health care industry incrementally toward consistent testing processes in order to transition as seamlessly as possible to new standards or operating rules. We believe a certification of compliance process that penalizes more CHPs than it incentivizes to carry out testing would not accomplish this goal and, for the reasons previously articulated, we believe it would be unreasonable to require CHPs to abide by the statutory date of December 31, 2013. To be clear, however, this does not mean CHPs may delay compliance with the operating rules beyond their respective compliance dates. All covered entities were required to be compliant with the operating rules for the eligibility for a health plan and health care claim status transactions on January 1, 2013,38 and 38 Early in 2013, CMS announced a 90-day enforcement discretion period for compliance with the Operating Rules IFC stating that it would not PO 00000 Frm 00015 Fmt 4701 Sfmt 4702 311 must be compliant with the EFT & ERA Operating Rule Set adopted for health care electronic funds transfers (EFT) and remittance advice transactions on January 1, 2014. Those compliance requirements and dates continue to govern HHS’s separate HIPAA enforcement processes. (2) Date When CHPs Can Begin Submitting Information and Documentation We propose that a CHP that obtains an HPID before January 1, 2015 may begin to meet the submission requirements of proposed § 162.926(a) on January 1, 2015; this is the ‘‘start date’’ by when we will be ready to accept the submission of documents. This does not mean a CHP must obtain a CORE Phase III Seal or HIPAA Credential during the period of January 1, 2015 through December 31, 2015, as the CHP could be awarded either one earlier. For example, a CHP that has been awarded a CORE Phase III Seal prior to January 1, 2015, would already have the documentation required under this proposed rule, which it would then submit on or after January 1, 2015, and on or before December 31, 2015. (b) CHPs That Obtain an HPID On or After January 1, 2015 and On or Before December 31, 2016 We propose in § 162.926(b) that a CHP that obtains an HPID on or after January 1, 2015, and on or before December 31, 2016 would be required to meet the submission requirements for the first certification of compliance within 365 calendar days of obtaining an HPID (see Table 5, Row 2). Under § 162.504, any large or small health plans now extant that meet the definition of a CHP must obtain an HPID on or before November 5, 2015, thus any health plans enumerated as CHPs after November 5, 2015 are likely new CHPs. We propose that such CHPs be allowed one year from the time they obtain an HPID to submit the documentation proposed in § 162.926(b). CHPs that obtain HPIDs on or after January 1, 2015 and on or before December 31, 2016 will have to: Coordinate with their SHP(s), if applicable; gather the appropriate documentation to complete certification testing, and apply for a Phase III CORE Seal or HIPAA Credential; and meet the documentation submission requirements for the first certification of compliance. We believe one year from obtaining an HPID will be adequate for initiate enforcement action until March 31, 2013. See https://www.cms.gov/Outreach-and-Education/ Outreach/OpenDoorForums/Downloads/ 010213Sec1104ofACAAnnouncement.pdf. E:\FR\FM\02JAP2.SGM 02JAP2 312 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules a new CHP to complete that process, but solicit comments on this assumption. We propose that a CHP that obtains an HPID after December 31, 2016 would not be required to meet the requirements proposed in this rule for the first certification of compliance (see Table 5, Row 3). A CHP that obtains an HPID after December 31, 2016, if given the same time to meet the requirements as CHPs that obtain HPIDs on or before December 31, 2016, would be meeting the requirements into 2018. There are too many unknowns that far into the future for us to establish requirements for this category of CHPs. For instance, we may have adopted new or modified versions of the standards and operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions. We may address requirements for a CHP that obtains an HPID after December 31, 2016 for the first certification of compliance in a later rule. We solicit industry and stakeholder comments on our proposed certification of compliance dates. TABLE 5—COMPARISON OF OPERATING RULE SETS COMPLIANCE DATES, THE STATUTORY DEADLINES FOR COMPLETING THE FIRST CERTIFICATION OF COMPLIANCE REQUIREMENTS, AND THE PROPOSED DEADLINES FOR COMPLETING THE FIRST CERTIFICATION OF COMPLIANCE REQUIREMENTS Col 1 Col 2 Col 3 Operating rule sets Compliance date for health plans to comply with the operating rules Deadline for health plans to meet first certification of compliance requirements as mandated by section 1173(h)(1) of the Act Deadlines for health plans* to meet first certification of compliance requirements as proposed in this rule Eligibility for a health plan .......................... Health care claim status January 1, 2013 ............. December 31, 2013 ........... Health care electronic funds transfers (EFT) and remittance advice. January 1, 2014. December 31, 2015 for CHPs that obtain an HPID before January 1, 2015. Within 365 calendar days of obtaining an HPID for CHPs that obtain their HPID on or after January 1, 2015 and on or before December 31, 2016. * Requirements for CHPs that obtain their HPID after December 31, 2016 are not addressed in this proposed rule. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 B. Certification of Compliance Penalty Fees 1. Calculating Penalty Fees: Defining Covered Lives of a CHP and Major Medical Policies Section 1173(j)(1) of the Act specifies that the penalty fee amount assessed when a health plan does not meet the certification of compliance requirements is based on its number of covered lives. So that we may calculate the potential penalty fee amount should we find a violation(s) of the first certification of compliance, we must know the number of covered lives of a CHP. Section 1173(j)(1)(F) of the Act requires the Secretary to determine the number of covered lives under a health plan ‘‘based upon the most recent statements and filings that have been submitted by such plan to the Securities and Exchange Commission’’ (SEC). We have learned, however, that the SEC only collects data from publicly traded health plans (that represent a mere subset of the total number of health plans),39 and, even then, health plans submitting filings to the SEC are not required to include in such filings the number of ‘‘covered lives’’ or any comparable measure. Some health plans may volunteer this information in a descriptive text section of a filing called 39 For information on the SEC’s role, see https:// www.sec.gov/about/whatwedo.shtml. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 the 10–K, used to describe the business and its attributes, but this is not a requirement of the 10–K.40 In fact, according to a 2007 study on enrollment in U.S. health insurance products, ‘‘[t]here is no national databank containing enrollment figures for all the public and private health insurers in the United States, nor is there a single database linking all the federal programs.’’ 41 Therefore, we propose to use the number of covered lives the CHP reports in accordance with the proposed submission requirements under § 160.926(a)(1) and (b)(1) as the primary source for the number of covered lives to calculate penalty fees. Should a CHP fail to include the number of covered lives as part of its § 162.926 submission, or should we have reason to question the CHP’s number of self-reported covered lives, we may undertake an independent investigation through means that may include, but would not 40 10–K filings and other publically available company filings can be viewed through the EDGAR database: https://www.sec.gov/edgar/searchedgar/ companysearch.html. For more information on the 10–K see https://www.sec.gov/answers/form10k.htm. For the 10–K form itself: https://www.sec.gov/about/ forms/form10-k.pdf. 41 ‘‘Health Care Delivery Covered Lives— Summary of Findings,’’ John F. Kennedy School of Government: Harvard University, MossavarRahmani Center for Business & Government (https://www.hks.harvard.edu/m-rcbg/hcdp/ numbers/Covered%20Lives%20Summary.pdf). PO 00000 Frm 00016 Fmt 4701 Sfmt 4702 be limited to: Analyzing recent filings, if any, submitted by the CHP to the SEC; and researching data bases or publicly available documents such as news articles, reports, advertisements, brochures, and Web pages where the number of covered lives of a CHP is referenced or estimated. In § 162.103, we propose to define ‘‘covered lives of a CHP’’ as individuals covered by or enrolled in major medical policies of a CHP and the SHP(s) of that CHP. Individuals may be described in such major medical policies by terms, including, but not limited to the following:— • Individuals. • Spouses. • Dependents. • Employees. • Subscribers. • Policyholders. • Medicaid recipients. • Medicare beneficiaries. • Tricare beneficiaries. • Veterans. • Survivors. In section II.B.1 of this proposed rule, we discuss in more detail how the definition of covered lives of a CHP would be used to calculate penalty fees. We include spouses, partners, and dependents in the proposed definition to make clear that covered lives of a CHP includes more than just the policyholder, and encompasses all individuals covered by major medical E:\FR\FM\02JAP2.SGM 02JAP2 mstockstill on DSK4VPTVN1PROD with PROPOSALS2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules policies, and also include in the definition examples of terms that government payers may use to describe their covered lives. Within the definition, we clarify that covered lives includes only those individuals enrolled in major medical policies. Section 1173(j)(1)(B) of the Act states that penalty fees may only be assessed for persons ‘‘covered by the plan for which its data systems for major medical policies are not in compliance.’’ We only include individuals enrolled in major medical policies in the definition since individuals that are not covered by such policies will not be included in the calculation of the penalty fee. In cases in which an individual is covered by both a major medical policy and another policy/(ies) that does not meet the definition of major medical policy, the definition contemplates that such individual would be considered a covered life of a CHP. In § 160.604, we propose that, for purposes of this proposed rule, ‘‘major medical policy’’ be defined as ‘‘an insurance policy that covers accident and sickness and provides outpatient, hospital, medical, and surgical expense coverage.’’ We developed this definition by surveying how the term major medical policy is defined in various contexts. To be clear, we propose in § 162.926 that all CHPs, irrespective of whether they issue major medical policies, must meet the first certification submission requirements. However, only CHPs with major medical policies may be assessed penalty fees. Moreover, should a CHP be assessed a penalty fee, the basis for the assessment calculation would be using only those covered lives that are covered or enrolled in a major medical policy. We indicate in the definition that covered lives of a CHP includes the covered lives of the CHP, and, if it has any, its SHP(s). We include the covered lives of any SHP(s) of the CHP because, under the provisions discussed in section II.A.1 of this proposed rule, the submission requirements and applicable penalty fees are the CHP’s, not its SHP’s, responsibility. We intend to only include those individuals who are enrolled in or covered by health insurance in the definition of covered lives of a CHP, as opposed to those individuals who are merely eligible, but not enrolled or covered. We propose to use the phrase ‘‘covered by or enrolled in’’ to indicate a distinction that is sometimes made— but that we are not making here— between voluntary enrollment or VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 automatic coverage in a health plan. That is, irrespective of the actions of an individual, we would consider an individual who has major medical coverage under a health plan to be a covered life of a CHP. For example, we would consider an individual who is automatically enrolled in Medicare Part A upon turning 65 years old to be a covered life of Medicare. We solicit comments on the proposed definition of covered lives of a CHP and the definition of major medical policy. 2. Basis for the Assessment of a Penalty Fee and the Amount of the Penalty Fee Section 1173(j)(1)(B) of the Act requires the Secretary to assess a penalty fee against a health plan in the amount of $1 per covered life per day until certification is complete. Section 1173(j)(1)(C) of the Act requires the Secretary to double the amount of the penalty fee assessed against a health plan that knowingly provided inaccurate or incomplete information in certifying compliance. Section 1173(j)(1)(E) of the Act caps the penalties that may be imposed on a health plan, providing that a penalty fee against a health plan shall not exceed, on an annual basis, an amount equal to $20 per covered life under such plan, or an amount equal to $40 per covered life where misrepresentation has occurred under section 1173(j)(1)(C) of the Act. In § 160.612, we propose the bases for assessing penalty fees and, in § 160.614, we propose the amounts of penalty fees that would be assessed. We think the bases for penalty fees that we propose in § 160.612 and the amount of the penalty fee proposed in § 160.614 are sufficiently intertwined so that it is more effective to describe the proposed provisions together. a. Failure To Submit Required Documentation by the Deadlines In § 160.612(a), we propose that the Secretary would assess a penalty fee against a CHP that fails to comply with the submission requirements specified in § 162.926(a)(2) or (b)(2). This means the Secretary would assess a penalty fee when a CHP fails to provide the documentation that demonstrates the CHP has been awarded a Phase III CORE Seal or the HIPAA Credential. The basis for the penalty fee proposed in § 160.612(a) would apply when a CHP does not provide the required documentation at all, or does so after the deadlines specified in § 162.926(a)(2) or (b)(2). A CHP that does not provide the required documentation by the deadlines would be assessed $1 per covered life of the CHP per day until the requirements of PO 00000 Frm 00017 Fmt 4701 Sfmt 4702 313 § 162.926 have been met, and as limited by the cap described by proposed § 160.614(a)(1). For example, if a CHP with 100 covered lives enrolled in major medical policies obtains an HPID before January 1, 2015 and then submits the required documentation in § 162.926 on January 1, 2016—1 day past December 31, 2015 (the deadline that would be required under § 162.926(a))—the CHP would be assessed a penalty fee of $1 per covered life of the CHP, for a penalty fee totaling $100. In § 160.614(a), we propose that a CHP that is assessed a penalty fee under § 160.612(a)—failure to provide the required documentation according to the deadlines in § 162.926(a)(2) or (b)(2)—may not be assessed a penalty fee that exceeds $20 per covered life of the CHP. For example, a CHP that obtains an HPID before January 1, 2015 that fails to make the required submissions on or before December 31, 2015 would, starting January 1, 2016, be assessed a $1 per covered life penalty fee that, per section 1173(j)(1)(E)(i) of the Act as implemented by proposed § 160.614(a)(1), would reach its maximum, and be capped, on January 21, 2016 at $20 per covered life of the CHP. The same maximum penalty cap would apply in instances where a CHP fails to ever provide the required documentation. We will utilize all reasonable means to ensure that CHPs satisfy their obligations under this proposed rule. Because all CHPs are required to obtain an HPID, we will, for example, once this proposed rule is finalized and implemented, compare a roster of the CHPs that have satisfied the requirements of the rule with a roster of CHPs that have obtained HPIDs. Moreover, we note that section 1173(j)(3) of the Act requires us to report unpaid penalty fees to the Secretary of the Treasury and that unpaid penalty fees, per section 1173(j)(4)(D) of the Act, shall be increased by the interest accrued. We solicit comments on our proposal for assessing penalty fees for CHPs. b. Knowingly Providing Inaccurate or Incomplete Information The penalty fee for knowingly providing inaccurate or incomplete information that we propose in § 160.612(b) implements section 1173(j)(1)(C) of the Act, which provides that a ‘‘health plan that knowingly provides inaccurate or incomplete information in a statement of certification or documentation of compliance . . . shall be subject to a penalty fee that is double the amount that would otherwise be imposed.’’ E:\FR\FM\02JAP2.SGM 02JAP2 mstockstill on DSK4VPTVN1PROD with PROPOSALS2 314 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules In § 160.612(b), we propose that a basis for assessment of a penalty fee is providing inaccurate or incomplete information with actual knowledge of the inaccuracy or the incompleteness of the information, or acting in deliberate ignorance or reckless disregard of the accuracy or completeness of the information. We clarify in § 160.612(b) that information may be in the form of statements, in documents, or otherwise. Hereinafter, we refer to the basis for assessment of a penalty fee proposed in § 160.612(b) as ‘‘knowingly providing inaccurate or incomplete information.’’ In § 160.614(a)(2), we propose that a CHP would be assessed a penalty fee of $40 per covered life of the CHP when assessed a penalty fee on the basis of § 160.612(b). To be clear, we do not believe a ‘‘per day’’ calculation (as described in section II.b.2.a) would apply to a situation in which a CHP has knowingly provided inaccurate or incomplete information. Because the first certification of compliance is a ‘‘snap shot’’ of compliance on the date a CHP makes its § 162.926 submission, the CHP either knowingly provided inaccurate or incomplete information on that day or it did not. A CHP does not knowingly provide inaccurate or incomplete information on the date submitted, and, on the next, or succeeding, day(s), discontinue the state of ‘‘knowingly providing inaccurate or incomplete information or documentation.’’ Hence, we would apply only the maximum penalty fee in such a situation. We interpret the statutory language as intending a cap of $40, thus, in § 160.614(b), we propose that a CHP may not be assessed more than $40 per covered life of the CHP, even where a CHP meets the bases for penalty fees under both § 160.614(a)(1) and (2). For instance, a CHP may provide the required documentation to the Secretary past the applicable deadline, and, later, also be found to have knowingly provided inaccurate or incomplete information; such a CHP would be assessed a penalty fee of $40 per covered life. Following are two examples (not meant to be inclusive of all possible scenarios) where we would determine a CHP to have knowingly provided inaccurate or incomplete information as described in § 160.612(b): • To obtain a CORE Seal, a CHP would submit documentation to a CORE-authorized testing vendor during certification testing, and to CAQH CORE in applying for the Seal. We would have a basis for assessing a penalty fee under § 160.612(b) should a CHP knowingly provide inaccurate information in the VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 documentation it submits to the testing vendor or to CAQH CORE as part of the certification process, that, in turn, would then be submitted as part of the § 162.926 submission requirements. • To obtain the HIPAA Credential, a CHP must attest that it has successfully completed testing with at least three of its trading partners. We would have a basis for assessing a penalty fee under § 160.612(b) should a CHP be found to have knowingly provided inaccurate information with respect to the minimum required number of trading partners that would then be submitted as part of the § 162.926 submission requirements. We solicit comment on our proposed penalty fee policy for a CHP that knowingly provides inaccurate or incomplete documentation or information. 3. Annual Fee Increase Section 1173(j)(1)(D) of the Act provides for an annual increase in penalty fees by the annual percentage increase in total national health care expenditures. We are not proposing an annual increase methodology at this time because the first certification of compliance framework we propose here would assess only a one-time penalty fee, not a penalty fee that would be assessed year after year. We may revisit this issue in future rulemaking. 4. Notice of Penalty Fee, CHP’s Response to Notice of Penalty Fee, and Defenses In § 160.616, we propose that the Secretary would provide a CHP notice (sent by certified mail with a return receipt requested) that it meets one or more bases to be assessed a penalty fee under proposed § 160.612. Such a notice would specify: • The penalty fee amount; • Reference to the bases, under proposed § 160.612, for the penalty fee; • A description of the findings of fact regarding the violations upon which the penalty fee is based; and • The reason(s) why the violation(s) subject the CHP to a penalty fee. We believe these notice elements would enable a CHP to understand why it met the criteria to potentially be assessed a penalty fee, and the amount proposed to be assessed. In § 160.618, we propose that a CHP may submit evidence of any of the defenses described in § 160.620 in response to the notice of penalty fee. Under proposed § 160.618(b), a CHP must assert any such defense(s) in writing, and within 30 days of receipt of the notice of penalty fee. We propose in § 162.620 that the Secretary will consider only the following defenses: PO 00000 Frm 00018 Fmt 4701 Sfmt 4702 • The CHP is not subject to the requirements of § 162.926. For a number of reasons, the documentation or deadline requirements of the first certification of compliance may not apply to a particular CHP. For instance, a CHP may not offer any major medical policies, and, therefore, may not be assessed a penalty fee. • The CHP’s failure to meet the requirements of § 162.926 was attributable to a ministerial and nonsubstantive error. We propose to apply this defense narrowly; such a ministerial and non-substantive error might include a typographical mistake made in the process of providing the required documentation to the Secretary. • The failure to meet the requirements of § 162.926 was beyond the control of the CHP. As with the previous defense, we propose to apply this defense narrowly. A failure to meet the documentation or deadline requirements of § 162.926 beyond the control of the CHP conceivably might include an ‘‘act of god’’ (and not an act of the CHP or SHP’s own making) that made it impossible for the CHP to meet the requirements. Given the length of time that we propose CHPs would have to meet the submission requirements, however, we believe successful application of this defense would be extraordinarily rare, and limited only to catastrophic situations. By proposing to limit the scope of the defenses the Secretary will consider in § 160.620, we make clear that that Secretary will not consider any other asserted defense, including, but not limited to, any defense associated with a CHP’s cost considerations in meeting the requirements, or lack of knowledge or confusion about either the requirements of the first certification of compliance or about the operating rules and standards themselves. We propose to allow a CHP to respond to a notice of penalty fee as an opportunity to present the circumstances that prevented it from meeting the first certification of compliance requirements prior to a potential appeal to an administrative law judge (ALJ). This opportunity to present defenses is analogous to, but much narrower than, our complaintdriven process when a covered entity may resolve a complaint brought against it before CMPs are imposed in a notice of determination under § 160.420. We solicit comments on the defenses the Secretary may consider. E:\FR\FM\02JAP2.SGM 02JAP2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules 5. Notice of Determination and a CHP’s Hearing Rights mstockstill on DSK4VPTVN1PROD with PROPOSALS2 In § 160.624, we propose sending a notice of determination (by certified mail with return receipt requested) to a CHP indicating whether a penalty fee is, or is not, being assessed. A notice of determination will be sent irrespective of whether a CHP responds to the proposed § 160.616 notice of penalty fee, and irrespective of whether the Secretary determines to assess, or not to assess, a penalty fee. Should a penalty fee will be assessed, § 160.624 proposes that the notice of determination would specify: • A description of the statutory basis for the assessment of the penalty fee; • The amount of the penalty fee; • The regulatory basis, under § 160.612, for the assessment of the penalty fee; • The findings of fact regarding the violations on which the assessment of the penalty fee is based; • Any defenses described in § 160.620 that were considered in determining whether to assess the penalty fee and the reason(s) why the defenses were rejected; • Instructions for appealing the penalty fee; and • A statement that the failure to request a hearing within 90 days results in the imposition of the penalty fee. We believe the proposed contents of the notice of determination would be sufficient to enable a CHP to understand why it is being assessed a penalty fee, the amount of the penalty fee, and how the CHP could appeal the penalty fee. We solicit comment on the proposed contents of the notice of determination. Should the Secretary determine not to assess a penalty fee, the notice of determination would indicate why any defense(s) raised under § 160.620 was/ were successful, and what, if any, actions the CHP must take. Because the first certification of compliance process does not otherwise envision the application of a corrective action process, the only actions we contemplate would be associated with remedying the situations associated with the exercise of successful defenses asserted under proposed § 1620.620(b) or (c). 6. Administrative Appeals Process In § 160.626, we propose that, upon receiving a notice of determination assessing a penalty fee described in § 160.624(a), a CHP may file a request for a hearing before an administrative law judge (ALJ). Should the CHP fail to request a hearing within 90 days of receiving the notice of determination (or VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 otherwise affirmatively waive its right to a hearing within that 90 days), it would forego its right to a hearing and the Secretary would notify it that the penalty fee assessed in the notice of determination is final and inform it how the penalty fee must be paid. If a CHP timely requests a hearing with an ALJ, the CHP would participate in a process that is already largely codified at § 160.500 through § 160.552. Administrative appeals before ALJs are widely used to adjudicate disputes between government agencies and individuals/entities aggrieved by agency decisions, and such a process is currently used for HIPAA Administrative Simplification violations. We believe that using the ALJs that already have jurisdiction over HIPAA Administrative Simplification violations handled under § 160.300, and using the same appeals process, would support consistency in adjudication of HIPAA Administrative Simplification appeals. Section 160.500 is the Applicability provision for Subpart E—Procedures for Hearings, and provides, ‘‘[t]his subpart applies to hearings conducted relating to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d–5.’’ We propose to revise this provision by adding a reference to 42 U.S.C. 1320d–2(j), to indicate that Subpart E also applies to the assessment of a penalty fee under Subpart F. The term ‘‘respondent’’ is defined in § 160.103 as ‘‘a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a civil money penalty.’’ In order to make clear that the term respondent, when used in Subpart E, includes entities that are assessed a penalty fee pursuant to Subpart F, we propose to revise the definition to state that respondent ‘‘means a covered entity or business associate upon which the Secretary has imposed or proposes to impose, a penalty fee under Subpart F or a civil money penalty.’’ Section 160.506 specifies the rights of the parties. The ALJ authority is delineated in § 160.508. Sections 160.510 through 160.544 describe the ALJ hearing process. The right to appeal the ALJ decision to the Departmental Appeals Board is addressed in § 160.548. As noted, we propose applying most of § 160.500 through § 160.552, as already promulgated, as the procedure for CHPs to use in appealing a notice of determination. Because it is not always clear from those provisions that the process may apply to penalty fee assessments under Subpart F, in the following sections we propose to revise the regulation text to explicitly PO 00000 Frm 00019 Fmt 4701 Sfmt 4702 315 account for the specific health plan certification of compliance penalty fees and notice procedures: § 160.500, § 160.504, § 160.534, § 160.540, § 160.546, § 160.548, and § 160.550. 7. Other Issues a. Relationship of Certification of Compliance Process to ComplaintDriven Process In section I.B.3 of this proposed rule, we describe the current HIPAA complaint-driven enforcement procedure through which an entity may bring a complaint against any entity it believes is not in compliance with adopted HIPAA transaction standards, operating rules, or code sets. Such a complaint would generate a fact-finding and resolution process, which could result in a corrective action plan, the imposition of CMPs, or a hearing before an ALJ. The complaint-driven and first certification of compliance enforcement processes are markedly different, even though both may result in a determination that may be appealed to an ALJ. The complaint-driven enforcement process is initiated as a result of a complaint, uses an informal fact-finding process, employs a corrective action plan if the complaint is valid, and imposes CMPs if the corrective action plan is not followed. Conversely, the first certification of compliance requires certain submissions by specific dates, and provides for an enforcement process with respect to a CHP that fails in various ways to abide by these requirements. Notably, the first certification of compliance, as proposed in this rule, does not employ a corrective action plan should a CHP fail to meet the certification of compliance requirements. These two distinct enforcement processes assess CMPs (in the case of the complaint-driven process) or penalty fees (in the case of the first certification of compliance) for different reasons. The complaint-driven process addresses complaints regarding a covered entity’s failure to comply with any Administrative Simplification requirement, with the exception of a failure to comply with the first certification requirements proposed in this rule (as we describe in this section). The first certification of compliance process assesses penalty fees for CHPs that fail to meet the submission requirements or that knowingly provide inaccurate or incomplete documentation associated with such submissions, as proposed in this rule. E:\FR\FM\02JAP2.SGM 02JAP2 316 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules Nothing in this proposed rule prohibits the Secretary from pursuing both processes at the same time against a CHP—through CMPs, in the case of the complaint-driven process for failure to comply with Administrative Simplification requirements, and through penalty fees for failure to meet the first certification of compliance requirements. Further, an investigation through the complaint-driven process could lead to the assessment of a penalty fee for a first certification of compliance violation if it revealed through that investigation that the CHP failed to meet the first certification of compliance requirements or knowingly provided inaccurate or incomplete information required for the first certification of compliance. For instance, if an investigation based on a complaint revealed that a CHP never submitted documentation or knowingly submitted inaccurate or incomplete documentation in order to be awarded a CORE Phase III Seal or HIPAA Credential under § 162.926, it is possible both CMPs and penalty fees may be imposed/assessed. Section 160.300 is the Applicability provision under Subpart C— Compliance and Investigations—which is the complaint-driven enforcement process for Administrative Simplification violations. We propose to amend this section, that now states ‘‘[t]his subpart applies to actions by the Secretary, covered entities, business associates, and others with respect to ascertaining the compliance by covered entities and business associates with, and the enforcement of, the applicable provisions of this part 160 and parts 162 and 164 of this subchapter,’’ to clarify that the complaint-driven process does not apply to the requirements in § 162.926. That is, we propose that a complaint-may not be filed against a health plan alleging that it fails to meet the certification of compliance submission requirements in § 162.926. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 III. Collection of Information Requirements Under the Paperwork Reduction Act of 1995 (PRA), we are required to provide 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(a) of the PRA requires that we solicit comment on the following issues: VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 • The need for the information collection and its usefulness in carrying out the proper functions of our agency. • The accuracy of our estimate of the information collection burden. • The quality, utility, and clarity of the information to be collected. • Recommendations to minimize the information collection burden on the affected public, including automated collection techniques. We are soliciting public comment on the information collection requirements (ICRs) regarding the first certification of compliance documentation requirements. Among other requirements, the Affordable Care Act requires health plans to file statements with the Secretary certifying that they are compliant with standards and operating rules for specific transactions. The Affordable Care Act also mandates that the Secretary assess a penalty fee against a health plan that fails to file a statement with the Secretary certifying that it is compliant and/or fails to submit adequate documentation of compliance. In section II. of this proposed rule, we discuss the proposed requirements for the first certification of compliance. In section II.A.7 of this proposed rule, we discuss our proposal that a CHP must comply with the first certification of compliance requirements based on when it obtains its HPID. Submission requirements are explained in section II.A.2 and .3 of this proposed rule. We discuss the penalty fees that may be assessed on a CHP that does not meet the submission requirements or knowingly provides inaccurate or incomplete information in section II.B. of this proposed rule. The provisions in this proposed rule align with existing statutory and regulatory mandates. In previous regulations, specified in section I.B.1 and 2 of this proposed rule, we have mandated compliance with the adopted standards and operating rules for the HIPAA transactions for which documentation of compliance is proposed in this rule. Other existing regulations that are complimented through this proposed rule include § 160.310 which requires covered entities to maintain records and compliance reports and provide these to the Secretary if requested, and § 162.923, that requires covered entities to require their BAs to comply with applicable HIPAA standards and operating rules. In this proposed rule and in this ICR, we are focused on the one-time requirement that CHPs, as defined by § 162.103, must provide the Secretary the following information and PO 00000 Frm 00020 Fmt 4701 Sfmt 4702 documentation for the first certification of compliance: (1) the number of covered lives of a CHP; and (2) documentation that demonstrates that the CHP has obtained a Phase III CORE Seal or the HIPAA Credential. We do not know at this time how many health plans would meet the definition of a CHP as defined in § 162.103. In the HPID final rule (77 FR 54696), we identified 12,000 selfinsured group health plans, 1,827 health insurance issuers, and 60 government health plans that might meet the definition of health plan. We believe there will be considerably less than the approximately 15,000 health plans that would meet the definition of a CHP, but we will not know the actual number of CHPs until after the deadline for CHPs to obtain an HPID has passed; that is, November 5, 2015. While we do not have objective data that identifies which or how many health plans would be CHPs, for the purpose of the ICRs, we assume that 3,000 to 5,000 health plans may meet the definition of a CHP. Health plans have been increasingly consolidating into larger organizations whereby a single CHP exercises sufficient control over an increasing number of SHPs to direct their business activities, actions, or policies. Thus, we do not believe that more than one-third (5,000) of health plans meet the definition of a CHP and, in fact, believe the number may be significantly less. We solicit comments on our assumption of the number of CHPs. A. ICRs Regarding Submission of the Number of Covered Lives (§ 162.926(a)(1) and (b)(1)) Proposed § 162.926(a)(2) would require that a CHP that obtains an HPID before January 1, 2015 must provide to the Secretary documents demonstrating compliance as explained in section II.A.3. of this proposed rule. Proposed § 162.926(b)(2) would require that a CHP that obtains an HPID on or after January 1, 2015 and on or before December 31, 2016, must, within 365 days of obtaining an HPID, provide to the Secretary documents demonstrating compliance as explained in section II.A.7. of this proposed rule. Proposed § 162.926(a)(1) and (b)(1) require a CHP to submit the number of covered lives of a CHP (as defined in § 162.103) on the date that the documentation required in § 162.926(a)(2) and (b)(2) is submitted. In section II.A.1. of this proposed rule, we indicate that the number of covered lives must include the number of covered lives of a CHP’s SHPs, if it has any. We explain the submission requirements of covered lives in section II.A.2. of this proposed rule, including E:\FR\FM\02JAP2.SGM 02JAP2 mstockstill on DSK4VPTVN1PROD with PROPOSALS2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules the reason for including the number of covered lives of the SHPs of the CHP. The one-time burden associated with this requirement is the time and effort associated with the CHP to: (1) Obtain the number of covered lives of the CHP (including those of its SHPs); (2) calculate the total number of covered lives of the CHP and its SHPs that would meet the definition of major medical policy as defined in proposed § 160.604; (3) have the information reviewed by a CHP executive; and (4) submit the number of covered lives to the Secretary. We believe that a CHP would have accurate records of the number of covered lives of the CHP and each of its SHPs and would be able to access this easily. Therefore, we assume that the CHPs would not need to contact each SHP to obtain the required information. We also believe that CHPs would have easily accessible data on the total number of covered lives of the CHP and its SHPs that have major medical policies. We make these assumptions on the basis that a CHP’s data on the number of covered lives and policies— used to determine, for example, risk, costs of care, human resource needs, and other factors—is essential information to have in order to for a CHP to conduct business. We estimate this burden for proposed § 162.926(a)(1) and (b)(1) would be 2 hours for each CHP to obtain the number of covered lives for the CHP and each of its SHPs, 2 hours to calculate the total number of covered lives that have major medical policies, one hour for an executive to review the number of covered lives with major medical policies, and, 30 minutes to submit the number of covered lives of the CHP and its SHPs to HHS. We used the median hourly labor rate of $38.31 for a computer information system analyst; $58.15 for a computer and information system manager; and $80.84 for a chief executive as reported by the Department of Labor, Bureau of Labor Statistics, May 2012, found at: https://www.bls.gov/oes/current/oes_ nat.htm#13-0000. We believe that a computer analyst would be an appropriate position to obtain the number of covered lives and submit the number to the Secretary, a computer and systems manager to do the calculation, and a chief executive would verify the accuracy of the information to be submitted. All CHPs must comply with these requirements. We estimate that proposed § 162.926(a)(1) and (b)(1) would impose a one-time, 5.5 hour burden on each CHP. The total burden associated with this task for each of the estimated 3,000 to 5,000 CHPs would be: (1) $76.62 VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 ($38.31 × 2 hours) to obtain the number of covered lives; (2) $116.30 ($58.15 × 2 hours) to calculate the number of covered lives in major medical plans; (3) $80.84 ($80.84 × 1 hour) for an executive to review the number of covered lives; and (4) $19.16 ($38.31 × 0.5 hours) to submit the number of covered lives to the secretary. We estimate that the total cost for each CHP would be $292.92. The estimated annual burden for this requirement would be 16,500 (3,000 CHPs × 5.5 hours) to 27,500 hours (5000 CHPs × 5.5 hours). The total estimated one-time cost associated with all of the requirements in proposed § 162.926(a)(1) and (b)(1) would be approximately $878,760 ($292.92 × 3000 CHPs) to $1,464,600 ($292.92 × 5000 CHPs). B. ICRs Regarding Submission of a Phase III CORE Seal (§ 162.926(a)(2)(i) and (b)(2)) Section 162.926(a)(2)(i) and (b)(2) would require that a CHP provide documentation demonstrating it obtained a Phase III CORE Seal or the HIPAA Credential. Should a CHP choose to obtain a Phase III CORE Seal, proposed § 162.926(a)(2)(i) and (b)(2) would require that it provide documentation demonstrating it had obtained a Phase III CORE Seal. We explain in section II.A.3.(b). of this proposed rule that a CHP electing to obtain a Phase III CORE Seal must obtain the seal for each of the three CAQH CORE operating rules phases, or, in other words, a CHP must obtain a CORE Seal for Phases I and II to obtain a Phase III CORE Seal. However, as proposed in § 162.926(a)(2), we require only the submission of a Phase III CORE Seal to comply with the certification compliance documentation requirements. Consequently, for the ICR in this proposed rule, we considered the time and effort for submitting documentation that the CHP has obtained the Phase III CORE Seal and not the time and effort for a CHP to obtain the CORE Phase I and II Seals. In sections II.A.3.(b). and II.A.3.(d). of this proposed rule, we discuss CORE certification testing, CORE-authorized Testing Vendors, and the CORE certification process. We describe the four-step process required to be awarded any of the CORE Seals: (1) Conduct a gap analysis by evaluating, planning, and completing necessary upgrades; (2) sign the CAQH CORE Pledge committing to become CORE certified; (3) conduct testing through a CORE-authorized Testing Vendor (certification testing); and (4) apply for a Phase III CORE Seal. In section II.A.3. PO 00000 Frm 00021 Fmt 4701 Sfmt 4702 317 of this proposed rule, we explain that the documentation that demonstrates that the CHP has obtained a Phase III CORE Seal is considered adequate documentation of compliance by the CHP and its SHPs with the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions. For the purposes of the ICR, we do not include the time and effort for a CHP to obtain a CORE Phase III Seal because we believe that the process of obtaining a Phase III CORE Seal is inherent in the cost of doing business and we accounted for the time and effort as well as the cost for complying with the operating rules in previous rulemaking. As we indicated, we have mandated compliance with the adopted standards and operating rules for HIPAA transactions in previous regulations. The costs associated with compliance includes for example, analyzing existing data capability and infrastructure, development or enhancement of existing infrastructure, and testing of the CHPs systems both internally and externally. We believe that, because CHPs are expected to be compliant with the operating rules, they have undertaken the steps necessary to ensure that they are compliant and are able to perform transactions with their trading partners according to the adopted standards and operating rules. In this rule, we are proposing submission documentation requirements; therefore, in this analysis, we are only analyzing the cost of submitting this documentation. We have proposed two options for documentation that demonstrates compliance with the operating rules and standards. We expect that the decision to obtain the CORE Phase I and II Seals and provide documentation of the CORE Phase III Seal would be a business decision based on a health plan’s strategy for implementing new standards or operating rules. Therefore, because the time and effort for compliance with standards and operating rules have been addressed in previous rule making and, because a CHP determines if it wishes to obtain the CORE Phase I and II Seal and submit the Phase III CORE Seal to comply with the documentation requirements, we do not include any costs for the time and effort associated with infrastructure development or enhancement or testing of systems to ensure compliance. We also do not include the time and effort costs in the ICR to comply with any of CORE’s specific requirements to obtain the CORE Seals. Finally, we do not account for the variability in time, E:\FR\FM\02JAP2.SGM 02JAP2 mstockstill on DSK4VPTVN1PROD with PROPOSALS2 318 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules readiness and success that may or may exist for a CHP to meet CORE’s requirements for the CORE Seals. There may be CHPs that have undergone extensive testing and will be able to undergo the CORE process efficiently and in a relatively short time. Other CHPs may require assistance and guidance and a more extensive time period to meet CORE’s requirements. Included in the CORE fee paid by each CHP is assistance and guidance for CHPs. We account for the fee to CORE in the regulatory Impact Statement in this proposed rule. For the purposes of the ICR in this proposed rule, we considered the time and effort for a CHP to obtain documentation of the Phase III CORE Seal awarded by CORE, and the time and effort for the CHP to submit the documentation of that Seal to the Secretary. As we discussed previously, in this proposed rule, we only consider the time and effort to comply with the certification of compliance requirements described in this proposed rule. At the current time, we do not know how many CHPs will elect to obtain a Phase III CORE Seal. According to CAQH CORE’s Web site at https:// www.caqh.org/CORE_ organizations.php, 30 health plans have voluntarily obtained CORE Seals for Phases I and II, and it reports at https://www.caqh.org/ben_ participating.php that 25 health plans and 16 government agencies are CORE participating organizations. Ten CORE participating health plans have obtained Phase I and Phase II CORE Seals. We assume that any health plan that has obtained the CORE Seal for Phases I and II will obtain a Phase III CORE Seal and therefore meet the requirements of § 162.926(a)(2)(i) or (b)(2). We also assume that there may be CORE participating health plans that will obtain a Phase III CORE Seal. Because we are unable to quantify the number of CHPs that will obtain a Phase III CORE Seal, we are unable to estimate the total cost with any certainty. Therefore, for the purposes of the ICR, we estimate that 40 percent of health plans that would meet the definition of a CHP (that is, 1,200 to 2,000 CHPS) will obtain a Phase III CORE Seal and submit documentation of a Phase III CORE Seal to comply with § 162.926(a)(2) and (b)(2)(i). We solicit comment on our assumption of the number of CHPs that would obtain a Phase III CORE Seal. The one-time burden associated with § 162.926(a)(2)(i) or (b)(2) is the time and effort for the estimated 1,200 to 2,000 CHPs to (1) obtain a Phase III CORE Seal from CAQH CORE; and (2) submit the documentation of a Phase III CORE Seal to the Secretary. We estimate VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 this burden to be 1 hour to obtain the Phase III CORE Seal from CAQH CORE and 30 minutes to submit documentation of the CORE Seal to the Secretary. We used the median hourly labor rate of $38.31 for a computer information system analyst as reported by the Department of Labor, Bureau of Labor Statistics, May 2012, found at: https://www.bls.gov/oes/current/oes_ nat.htm#13-0000 because we believe that a computer analyst would be required to obtain the Phase III CORE Seal and submit documentation to the Secretary. We estimate that proposed § 162.926(a)(2)(i) and (b)(2) would impose an estimated one-time, one and one half hour burden on each CHP. The total estimated burden associated with this task for each CHP would be: (1) $38.31 ($38.31 × 1 hour) to obtain the Phase III CORE Seal from CAQH CORE; and (2) $19.16 ($38.31 × 0.50 hours) to submit documentation of the CORE Seal to the Secretary. The estimated one-time burden in proposed § 162.926(a)(2)(i) and (b)(2) would be 1,800 (1,200 CHPs × 1.5 hours) to 3,000 hours (2,000 CHPs × 1.5 hours). The total estimated onetime cost associated with the requirement § 162.926(a)(2)(i) and (b)(2) would be approximately $68,958 ($38.31 × 1,800 hours) to $114,930 ($38.31 × 3,000 hours). C. ICRs Regarding Submission of the HIPAA Credential (§ 162.926(a)(2)(ii) and (b)(2)) In section II.A.3(a) of this proposed rule, we explain that the HIPAA Credential indicates that the CHP has confirmed that it has successfully tested the operating rules for the eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice transactions with trading partners. For each of the three transactions, the CHP must confirm that the number of transactions conducted with those trading partners collectively accounts for at least 30 percent of the total number of transactions conducted with providers. For each of the three transactions, the CHP must confirm that it has successfully tested with at least three trading partners, but if the number of transactions conducted with three trading partners does not account for at least 30 percent of the total number of transactions conducted with providers, the CHP could confirm that it has successfully tested with up to 25 trading partners. The CHP would be required to provide a list of the names of the trading partners and their contact information to CORE. A CHP would be representing PO 00000 Frm 00022 Fmt 4701 Sfmt 4702 itself as well as all of its SHPs with the attestation. Should a CHP choose to obtain the HIPAA Credential, proposed § 162.926(a)(2)(ii) and (b)(2) would require the CHP to provide documentation that it has obtained the CORE HIPAA Credential. In section II.A.3 of this proposed rule, we explain that the documentation that demonstrates that the CHP has obtained the HIPAA Credential is considered adequate documentation of compliance by the CHP and its SHPs with the operating rules for the applicable transactions. For the purpose of the ICR, we are not considering the time and effort for a CHP to perform testing with its trading partners because, as we have discussed previously, we addressed the time and effort to comply with the operating rules in previous rule making, which includes testing with the CHPs trading partners. The CORE HIPAA Credential will require testing before being obtained, and we assume that every health plan’s implementation preparation plan requires internal and external testing prior to implementing new standards or operating rules. However, in previous rule making, we did not account for the time and effort for a CHP to identify at least three trading partners with which it or its SHPs have successfully tested the operating rules for each of the three transactions (eligibility for a health plan, health care claim status, and electronic funds transfers (EFT) and remittance advice transactions). The estimated one-time burden associated with § 162.926(a)(2)(ii) and (b)(2) for the HIPAA Credential is the time and effort to: (1) Confirm that testing has been conducted for each of the three transactions with trading partners that collectively conduct no less than 30 percent of the total number of transactions conducted with providers; (2) list the names of the trading partners and their contact information; (3) verify the accuracy of the trading partner list; (4) obtain the HIPAA Credential from CORE; and (5) submit documentation of the HIPAA Credential to the Secretary. The tasks associated with the application for and submission of the HIPAA Credential— and, therefore, the estimated burden to a CHP—may change if warranted by any changes in the draft requirements for the HIPAA Credential. As mentioned, we are unable to determine how many CHPs will choose to obtain the HIPAA Credential to fulfill the requirements of § 162.926(a)(2)(ii) and (b)(2)(ii), but we believe that most CHPs will choose the least costly E:\FR\FM\02JAP2.SGM 02JAP2 319 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules certification option. Because we are unable to quantify the number of health plans that will obtain the HIPAA Credential, we cannot estimate the total cost with any certainty. We estimate that 60 percent of CHPs (that is 1,800 to 3,000 CHPS) will obtain the HIPAA Credential and submit documentation of such the HIPAA Credential to comply with § 162.926(a)(2)(ii) and (b)(2). We solicit comment on our assumption of the number of CHPs likely to obtain the HIPAA Credential. As mentioned, CAQH CORE is currently developing the HIPAA Credential—which we expect to be finalized prior to the time we finalize this proposed rule—and we described in section II.3.(a) the expected process and requirements for obtaining it. Should the requirements for the final HIPAA Credential differ in any way from the way we described it in section II.3.(a), we would reopen the comment period to permit additional comment on the HIPAA Credential, including on the topic of the estimated number of health plans that would obtain the HIPAA Credential. We estimate that the burden associated with proposed § 162.926(a)(2)(ii) and (b)(2) for each of the estimated 1,800 to 3,000 CHPs would be 2 hours to obtain documentation of the three testing partners; one hour to prepare the trading partner list; one hour to verify accuracy of the list; one hour to obtain the HIPAA credential form CORE; and 30 minutes to submit the CORE HIPAA Credential to the secretary. We used the median salaries as reported by the Department of Labor, Bureau of Labor Statistics, May 2012, found at: https://www.bls.gov/oes/ current/oes_nat.htm#13-0000. We used the median hourly labor rate of $38.31 for a computer information system analyst to prepare the trading partner list, obtain the HIPAA credential from CORE and submit the documentation; $58.15 for a computer and information system manager to confirm that testing has been conducted with trading partners that collectively conduct no less than 30 percent of the total transactions conducted with providers for each of the three transactions (eligibility of a health plan, health care claim status, and the electronic funds transfers (EFT) and remittance advice transactions); and $80.84 for an executive to verify the trading partner list. We estimate that proposed § 162.926(a)(2)(ii) and (b)(2) will impose a one-time, 5.5 hours burden on each CHP. The total time and effort burden associated with this task for each CHP would be: (1) $116.30 ($58.15 × 2) to obtain the trading partner documentation; (2) $38.31 ($38.31 × 1) to compile the trading partner list; (3) $80.84 ($80.84 × 1) to verify the trading partner list; (4) $38.31 ($38.31 × 1) to obtain the HIPAA Credential from CORE; and (5) $19.16 ($38.31 × 0.5) to submit documentation of the HIPAA Credential to the Secretary. We estimate the total burden for each CHP would be $292.92. The total estimated one-time burden associated with all of the requirements in proposed § 162.926(a)(2)(ii) and (b)(2) would be 9,900 (1,800 CHPs × 5.5 hours) to 16,500 hours (3,000 CHPs × 5.5 hours) and approximately $527,256 ($292.92 × 1,800 CHPs) to $878,760 ($292.92 × 3,000 CHPs). Calculations are illustrated in Table 6. For simplicity, Table 6 demonstrates burdens and costs based on the high estimate of CHPs (5,000) that are expected to certify compliance. TABLE 6—ESTIMATED ANNUAL BURDEN FOR REPORTING, RECORDKEEPING AND THIRD-PARTY DISCLOSURE REQUIREMENTS Regulation section 162.926(a)(1) and (b)(1) .................... 162.926(a)(1) and (b)(1) .................... 162.926(a)(1) and (b)(1) .................... 162.926(a)(2)(i) and (b)(2) ................ 162.926(a)(2)(ii) and (b)(2) ................ 162.926(a)(2)(ii) and (b)(2) ................ 162.926(a)(2)(ii) and (b)(2) ................ Total ........................................... OMB Control No. Burden per response (hours) Hourly labor cost of reporting ($) Annual burden (hours) Total labor cost of reporting ($) Total costs ($) Respondents Responses .......... .......... .......... .......... .......... .......... .......... 5,000 5,000 5,000 2,000 3,000 3,000 3,000 15,000 5,000 5,000 5,000 7,500 3,000 3,000 2.5 1 2 1.5 2.5 1 2 * 12,500 5,000 10,000 ** 3,000 ** 7,500 3,000 6,000 38.31 80.84 58.15 38.31 38.31 80.84 58.15 478,875 404,200 581,500 114,930 287,325 242,520 348,900 478,875 404,200 581,500 114,930 287,325 242,520 348,900 .............................. 10,000 27,000 ...................... ** 37,500 .................... .................... 2,458,250 0938—New 0938—New 0938—New 0938—New 0938—New 0938—New 0938—New * There are no capital or maintenance costs associated with the information collection requirements contained in this notice of proposed rulemaking. Therefore, we have removed the designated column from Table 6. ** Even though the information collection requirements are comprised of one-time burdens, all burden estimates have been annualized over the standard 3-year OMB approval period. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 IV. Regulatory Impact Statement We have examined the impact of this proposed rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96–354), section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 1995; Pub. L. 104–4), Executive Order 13132 on Federalism (August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)). VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributives, and equity). A regulatory analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). We believe this proposed rule does not reach the economic threshold for being considered economically significant, and thus, is not considered a major rule. PO 00000 Frm 00023 Fmt 4701 Sfmt 4702 We solicit comment on, and data regarding, the assumptions and findings presented in this initial regulatory analysis. The proposed rule would require a CHP to submit documentation to the Secretary that demonstrates compliance with the standards and operating rules adopted by the Secretary under HIPAA, establish the first certification of compliance process, and establish penalty fees for CHPs that fail to comply with the first certification of compliance requirements. This proposed rule would implement elements of the certification of compliance mandate in the Affordable Care Act. We expect that the E:\FR\FM\02JAP2.SGM 02JAP2 mstockstill on DSK4VPTVN1PROD with PROPOSALS2 320 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules first certification of compliance provision is an initial step toward a consistent, industry-wide testing framework. As discussed in more detail earlier in this proposed rule, many of the requirements of this proposed rule build on already existing statutory and regulatory mandates. In the ICRs, we estimate a total one-time burden of approximately $1,475,000 to $2,458,000 for 3,000 to 5,000 CHPs to comply with the submission requirements of proposed § 162.926. In sections II.A.3.(a) and A.3.(b). of this proposed rule, we discuss the two options for meeting the submission requirements: a Phase III CORE Seal and the HIPAA Credential, respectively. A CHP may choose either option. In section II.A.3.(a) and (b) of this proposed rule, we describe the process for obtaining either a Phase III CORE Seal or the HIPAA Credential. We expect that certification testing, such as that required for CHPs obtaining the CORE Phase III Seal, would become more widespread as a result of this proposed rule, and thus the rule would generate costs associated with credentialing activities and greater compliance with operating rules (which requires updating infrastructure). We are unable to quantify either the current rate of non-compliance with HIPAA requirements, the number of CHPs that would become newly compliant as a result of this proposed rule, or the cost, per CHP becoming newly compliant, of infrastructure updates and requisite testing. A category of impacts for which we have been able to make estimates is the CAQH CORE fees.42 In section II.A.6.(a) of this proposed rule, we discuss the cost of a Phase III CORE Seal and HIPAA Credential based on current fees that CAQH CORE charges for a Phase III CORE Seal and the fees that CAQH CORE believes that it will charge for the HIPAA Credential. Federal and state government entities are currently not charged for a Phase III CORE Seal, nor are CAQH member plans. However, CAQH CORE will charge government entities a $100 fee for obtaining the HIPAA Credential. We assumed the same number of CHPs that we use in the ICRs (that is 1,200 to 2,000 CHPs would obtain a Phase III CORE Seal and 1,800 to 3,000 CHPs would obtain the HIPAA Credential). For the purpose of this analysis, we considered the cost to 42 We believe that, in general, these fees represent real costs to society, in the form of labor and other resources used by CAQH CORE for conducting certification. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 obtain either the CORE Seals (Phase I, II, and III) or the HIPAA Credential for all of the estimated 3,000 to 5,000 CHPs and did not account for the CHPs that currently have obtained the CORE Seal for Phase I and II or CAQH member plans. That means we did not deduct the number of health plans with current Phase I and Phase II CORE Seals or CAQH member plans that are not assessed a fee by CAQH CORE to obtain a Phase III CORE Seal. For the purpose of the impact analysis, we did not account for any penalty fees that could be assessed for CHPs that fail to comply with the certification of compliance submission requirements. We believe that we have structured the provisions of this proposed rule such that most CHPs will be able to meet the submission requirements. They will have had significant time to implement the applicable standards and operating rules, conduct the transactions in a compliant manner, and conduct certification testing or testing with their trading partners. Further, because the penalty fees are substantial, we believe they serve as a strong disincentive for noncompliance. We therefore believe few CHPs will fail to certify compliance, and the total amount of assessed penalty fees will be insignificant. For the 1,200 to 3,000 CHPs we estimate would obtain a Phase III CORE Seal, we assumed that 50 percent would have net annual revenues less than $75 million with a CAQH CORE fee of $12,000 each ($4,000 for each of the three CAQH CORE Operating Rule Phases). We assumed that 50 percent of the CHPs would have net annual revenues equal or greater than $75 million with a CAQH CORE fee of $18,000 each ($6,000 for each of the three CAQH CORE Operating Rule Phases). We estimate that the total cost for all CHPs that would obtain a CORE Seal would be approximately $18 million [($12,000 × 600 CHPs) + ($18,000 × 600 CHPs)] to $30 million [($12,000 × 1000 CHPs) + ($18,000 × 1000 CHPs)]. For the 1,800 to 2,000 CHPs that we estimate would obtain a HIPAA Credential, we assumed that 5 percent would have net annual revenues less than $5 million with a CAQH CORE fee of $100 each; 20 percent would have net annual revenues of $5 million to below $25 million with a fee of $1,000 each; 20 percent would have net annual revenues $25 million to less than $50 million with a fee of $2,000 each; and 55 percent would have net annual revenues of greater than $50 million with a fee of $4,000 each. The estimated total cost for all CHPs that would obtain PO 00000 Frm 00024 Fmt 4701 Sfmt 4702 the HIPAA Credential is approximately $5,049,000 [($100 × 90 CHPs) + ($1,000 × 360 CHPs) + ($2,000 × 360 CHPs) + ($4,000 × 990 CHPs)] to $8,415,000 [($100 × 150 CHPs) + ($1,000 × 600 CHPs) + ($2,000 × 600 CHPs) + ($4,000 × 1,650 CHPs)]. We note, because government entities do not generate net annual revenues, they have been included in the 5 percent computation of CHPs with net annual revenues less than $5 million. Consequently, we estimate the total cost to comply with § 162.926 (that is, for the estimated 3,000 to 5,000 CHPs to provide the documentation of obtaining the CORE Seal or the HIPAA Credential) would be approximately $25 million to $41 million. This total cost includes the time and effort discussed in the ICR. The calculation is as follows: [Time and effort in ICR: $1,475,000 to $2,458,000] + [total fee for CORE Seals: $18,000,000 to $30,000,000] + [total fee for the HIPAA credential: $5,049,000 to $8,415,000] = $24,524,000 to $40,873,000. We are proposing in § 162.926 that a CHP that obtains an HPID before January 1, 2015 must meet the submission requirements proposed in this rule on or before December 31, 2015. We explained in section II.A.7.(a)(1) of this proposed rule that this date is different than that in section 1173(h)(1) of the Act: December 13, 2013. We describe here the impact in benefits and penalty fees of the 2 year difference between the date in section 1173(h)(1) of the Act and the date proposed in this rule. In the Modifications final rule, Operating Rules IFC, Health Care EFT Standards IFC, and the EFT & ERA Operating Rule Set IFC, described in the background of this proposed rule, we described the financial and qualitative benefits to implementing the standards and operating rules for the eligibility for a health plan, health claim status, and health care electronic funds transfers (EFT) and remittance advice transactions. Those rules measured the financial benefits of the standards and operating rules from the compliance dates of those particular standards and operating rules: January 1, 2012 is the compliance date for Version 5010 standards for the three transactions; January 1, 2013 is the compliance date for operating rules for the eligibility for a health plan and claim status transactions; and January 1, 2014 is the compliance date for the standards and operating rules for the health care electronic funds transfers (EFT) and remittance advice transaction. The cost and savings of implementing those standards and operating rules on E:\FR\FM\02JAP2.SGM 02JAP2 mstockstill on DSK4VPTVN1PROD with PROPOSALS2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules their compliance dates are not addressed in this proposed rule as they are accounted for in the previously mentioned rules, and the first certification of compliance requirements, as proposed in this rule, do not affect the costs and benefits of implementing these standards and operating rules. It is possible that some CHPs may view the first certification of compliance deadline, December 31, 2015, as proposed in this rule, as an opportunity to implement the required standards and operating rules later than the compliance dates of those standards and operating rules as required in the applicable regulations. However, we assume that the number of CHPs that would slow or delay implementation based on the first certification of compliance deadline is quite small. As we noted before, thirty health plans have already obtained a Phase I CORE Seal, and many of those have obtained or are pursuing a Phase II CORE Seal. This growing group of CORE Certified entities represents many major health plans with extensive reach in terms of commercially covered lives.43 Further, the complaint-driven process for enforcing compliance with these standards and operating rules applies as of their respective compliance dates. We assume that the CORE-certified health plans include the process of obtaining CORE Seals for each phase of operating rules as part of their process to successfully implement new standards or operating rules. We assume these CORE-certified health plans make CORE Certification part of their implementation strategy regardless of the first certification of compliance submission requirements as proposed in this rule. As discussed in section II.A.7(a)(1) of this proposed rule, the December 31, 2015 deadline for submission of information and documentation, proposed in this rule, gives these CORE Certified entities time to obtain the Phase III CORE Seal. It also gives CHPs that would not otherwise use the CORE Certification process time to obtain either the CORE Phase I, II, and III Seals or the HIPAA Credential. Because we believe that a negligible number of CHPs will use the December 31, 2015 deadline proposed in this rule as a reason to slow implementation of the standards or operating rules required by previous rules, and because the financial benefits for those standards and operating rules were calculated over 43 See map with data on commercially insured lives that have policies with a CORE Certified health plan on CAQH CORE Web site: https:// www.caqh.org/pdf/COREPIwebmap.pdf. VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 10-year periods, we believe the impact of the December 31, 2015 deadline on the overall financial and qualitative benefits to using these standards and operating rules to be negligible. The amount in penalty fees that would have been assessed with a December 31, 2013 deadline cannot be determined under the proposed certification of compliance requirements because the December 31, 2015 date and other requirements proposed in this rule were developed to align chronologically with other regulatory and commercial sector initiatives. For instance, CAQH CORE began offering a Phase III CORE Seal in 2013; 44 the first entity to receive a Phase III CORE Seal did so in August 2013.45 Given this timeframe, it is unlikely that many CHPs could have obtained a Phase III CORE Seal earlier than December 31, 2015. Likewise, CHPs have until November 2015 to obtain an HPID, and the first certification of compliance requirements apply only to CHPs. Therefore, due to the vast difference in requirements associated with the December 31, 2013 and the December 31, 2015 deadlines, we are unable to perform an analysis of the amount of penalty fees that would have been assessed with the December 31, 2013 deadline as it would entail assuming a completely different set of requirements. The Regulatory Flexibility Analysis (RFA), as amended, requires agencies to analyze options for regulatory relief of small businesses, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The health insurance industry was examined in depth in the RIA prepared for the proposed rule on establishment of the Medicare Advantage program (69 FR 46866, August 3, 2004). It was determined, in that analysis, that there were few, if any, ‘‘insurance firms,’’ including HMOs that fell below the size thresholds for ‘‘small’’ business established by the SBA Health. We assume that the ‘‘insurance firms’’ are synonymous, for the most part, with health plans that conduct standard transactions with other covered entities and are, therefore, the entities that will have costs associated with meeting the first certification of compliance requirements. In fact, at the time the analysis for the Medicare Advantage 44 CORE Web page: https://www.caqh.org/ ORMandate_EFT.php. 45 https://www.instamed.com/news-and-events/ industry-first-instamed-achieves-phase-iii-caqhcore-certification/. PO 00000 Frm 00025 Fmt 4701 Sfmt 4702 321 program was done, and even more so now, the market for health insurance is dominated by a relative handful of firms with substantial market shares. However, there are a number of health maintenance organizations (HMOs) that are small entities by virtue of their nonprofit status even though few if any of them are small by SBA size standards. There are approximately 100 such HMOs which may meet the definition of, and therefore define themselves, as CHPs. These HMOs and the Blue Cross and Blue Shield plans that are non-profit organizations, like the other CHPs affected by this proposed rule, will be required to meet the first certification of compliance requirements. Accordingly, this proposed rule may affect a number of small entities. We estimate, however, that the costs of this proposed rule on ‘‘small’’ health plans do not remotely approach the amounts necessary to be a ‘‘significant economic impact’’ on firms with revenues of tens of millions of dollars. Therefore, the Secretary proposes to certify that this proposed rule would not have a significant economic impact on a substantial number of small entities. We welcome industry and stakeholder input on our assumption in this regard. In addition, section 1102(b) of the Act requires us to prepare a regulatory analysis for ‘‘any rule or regulation proposed under title XVIII, title XIX, or part B of [the Act] that may have significant impact on the operations of a substantial number of small rural hospitals.’’ This proposed rule, however, is being proposed under title XI, part C, ‘‘Administration Simplification,’’ of the Act, and, therefore, does not apply. Regardless, this requirement of this proposed rule is only applicable to CHPs and will not have a significant impact on the operations of small rural hospitals. Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of $100 million in 1995 dollars, updated annually for inflation. In 2013, that threshold is approximately $141 million. This proposed rule would impose a minimal effect on state, local, or tribal governments or on the private sector because the requirements for all CHPs regardless of ownership, to comply with the certification of compliance documentation requirements. The related costs for all 5,000 estimated CHPs is approximately $40 million, which is less than $141 million. E:\FR\FM\02JAP2.SGM 02JAP2 322 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. Since this regulation does not impose any substantial costs on state or local governments, the requirements of Executive Order 13132 are not applicable. In accordance with the provisions of Executive Order 12866, this rule was reviewed by the Office of Management and Budget. List of Subjects 45 CFR Part 160 Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and recordkeeping requirements, Security. 45 CFR Part 162 Administrative practice and procedures, Electronic transactions, Health facilities, Health insurance, Hospitals, Incorporation by reference, Medicaid, Medicare, Reporting and recordkeeping requirements. For the reasons set forth in this preamble, the Department of Health and Human Services proposes to amend 45 CFR parts 160 and 162 to read as follows: PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS 1. The authority citation for part 160 continues to read as follows: ■ Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); 5 U.S.C. 552; secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279; and sec. 1104 of Pub. L. 111–148, 124 Stat. 146–154. 2. Section 160.103 is amended by— A. Adding the definition of ‘‘Penalty fee’’ in alphabetical order. ■ B. Revising the definition of ‘‘Respondent’’. The addition and revision read as follows: mstockstill on DSK4VPTVN1PROD with PROPOSALS2 ■ ■ § 160.103 Definitions. * * * * * Penalty fee means the amount determined under § 160.614. * * * * * VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 Respondent means a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a penalty fee under subpart F or a civil money penalty. * * * * * § 160.300 [Amended] 3. Section 160.300 is amended by removing the phrase ‘‘parts 162 and’’ and adding in its place the phrase ‘‘parts 162 (excluding § 162.926) and’’. ■ 4. Section 160.500 is revised to read as follows: ■ § 160.500 Applicability. This subpart applies to hearings conducted relating to the following: (a) The imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d–5. (b) The assessment of a penalty fee by the Secretary under 42 U.S.C. 1320d– 2(j). ■ 5. Section 160.504 is amended by revising paragraph (c) to read as follows: § 160.504 Hearing before an ALJ. * * * * * (c) The request for a hearing must do the following: (1) Clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination under § 160.420 or in the notice of determination under § 160.624 with regard to which the respondent has any knowledge. If the respondent has no knowledge of a particular finding of fact and so states, the finding shall be deemed denied. (2) State the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty or penalty fee, except that a respondent may raise an affirmative defense under § 160.410(b)(1) or § 160.620(a) at any time. * * * * * ■ 6. Section 160.534 is amended by revising paragraphs (b)(1) and (d)(1) to read as follows: § 160.534 The hearing. * Frm 00026 Fmt 4701 Sfmt 4702 § 160.540 [Amended] 7. In § 160.540, paragraph (g) is amended by removing the phrase’’ notice of proposed determination under § 160.420 of this part ’’ and adding in its place the phrase ‘‘notice of proposed determination under § 160.420 or in the Secretary’s notice of determination under § 160.624.’’ ■ 8. Section 160.546 is amended by revising paragraph (b) to read as follows: ■ § 160.546 * * * * (b)(1) The respondent has the burden of going forward and the burden of persuasion with respect to any of the following: (i) Affirmative defense under § 160.410 or defense under§ 160.620 of this part. (ii) Challenge to the amount of a proposed penalty pursuant to § 160.404 through § 160.408, including any factors raised as mitigating factors, or to the amount of the penalty fee pursuant to § 160.624. PO 00000 (iii) Claim that a proposed penalty should be reduced or waived pursuant to § 160.412. (iv) Compliance with subpart D of part 164, as provided under § 164.414(b). * * * * * (d)(1) Subject to the 15-day rule under § 160.518(a) and the admissibility of evidence under § 160.540, either party may introduce, during its case in chief, items or information that arose or became known after the date of the issuance of the notice of proposed determination under § 160.420, the notice of determination under § 160.624, or the request for hearing under § 160.504, as applicable. Such items and information may not be admitted into evidence, if introduced— (i) By the Secretary, unless they are material and relevant to the acts or omissions with respect to which the penalty is proposed in the notice of proposed determination under § 160.420 or in the notice of determination under § 160.624, including circumstances that may increase penalties or penalty fees; or (ii) By the respondent, unless they are material and relevant to an admission, denial or explanation of a finding of fact in the notice of proposed determination under § 160.420 or in the notice of determination under § 160.624, or to a specific circumstance or argument expressly stated in the request for hearing under § 160.504, including circumstances that may reduce penalties or penalty fees. * * * * * ALJ’s decision. * * * * * (b) The ALJ may affirm, increase, or reduce the penalties or penalty fees imposed by the Secretary. * * * * * § 160.548 [Amended] 9. Section 160.548 is amended by: A. In paragraph (e), removing the phrase ‘‘of this part’’ and adding in its place the phrase ‘‘or a defense under § 160.620(a)’’. ■ B. In paragraph (g), removing the phrase ‘‘any penalty determined by the ■ ■ E:\FR\FM\02JAP2.SGM 02JAP2 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules ALJ’’ and adding in its place the phrase ‘‘any penalty or penalty fee determined by the ALJ.’’ § 160.550 [Amended] 10. In § 160.550, paragraphs (a) and (b) are amended by removing the phrase ‘‘penalty’’ and by adding in its place the phrase ‘‘penalty or penalty fee’’ each time it appears. ■ 11. Subpart F is added to part 160 to read as follows: ■ Subpart F—Imposition of Penalty Fees Sec. 160.602 Applicability. 160.604 Definitions. 160.612 Basis for the assessment of a penalty fee. 160.614 Amount of the penalty fee for failure to comply with submission requirements or knowingly providing inaccurate or incomplete information. 160.616 Notice of penalty fee. 160.618 CHP’s response to notice of penalty fee. 160.620 Defenses that may be raised in response to notice of penalty fee. 160.624 Notice of determination. 160.626 Right to a hearing. Subpart F—Imposition of Penalty Fees § 160.602 Applicability. This subpart applies to the imposition of penalty fees by the Secretary under 42 U.S.C. 1320d–2. § 160.604 Definitions. As used in this subpart, the following definitions apply: Controlling health plan (CHP) means a health plan as defined at § 162.103 of this subchapter. Major medical policy means an insurance policy that covers accident and sickness and provides outpatient, hospital, medical and surgical expense coverage. mstockstill on DSK4VPTVN1PROD with PROPOSALS2 § 160.612 Basis for the assessment of a penalty fee. The Secretary assesses a penalty fee against a CHP with major medical policies if the Secretary determines the CHP did either of the following: (a) Failed to provide the documentation in accordance with § 162.926(a)(2) or (b)(2) of this subchapter. (b) With respect to information submitted to the Secretary under to § 162.926 of this subchapter—made by statements, in documents, or otherwise—upon which either a CORE Seal (under § 162.926(a)(2) or (b)(2) of this subchapter) or the HIPAA Credential (under § 162.926(a)(2) or (b)(2) of this subchapter) is based, provides inaccurate or incomplete information— VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 323 (1) With actual knowledge of the inaccuracy or incompleteness of the information; or (2) Acting in deliberate ignorance or reckless disregard of the accuracy or completeness of the information. subchapter was attributable to a ministerial and non-substantive error. (c) The failure to meet the requirements of § 162.926 of this subchapter was beyond the CHP’s control. § 160.614 Amount of the penalty fee for failure to comply with submission requirements or knowingly providing inaccurate or incomplete information. § 160.624 (a) The penalty fee amounts are as follows: (1) For the basis specified at § 160.612(a), $1 per covered life of the CHP per day until the requirements of § 162.926(a)(2) or (b)(2) of this subchapter, as applicable, have been met, not to exceed $20 per covered life. (2) For the basis specified at § 160.612(b), $40 per covered life of the CHP. (b) A CHP is not assessed more than $40 per covered life of the CHP under the basis specified at § 160.612. § 160.616 Notice of penalty fee. The Secretary provides notice, by certified mail with return receipt requested, to a CHP that meets any of the bases for a penalty fee in § 160.612. A notice of penalty fee includes all of the following: (a) The penalty fee amount. (b) Reference to the regulatory basis, under § 160.612, for the penalty fee. (c) A description of the findings of fact regarding the violations upon which the penalty fee is based. (d) The reasons(s) why the violation(s) subject the CHP to a penalty fee. § 160.618 CHP’s response to notice of penalty fee. (a) In response to a notice of penalty fee under § 160.616, a CHP may submit to the Secretary evidence of any of the defenses described in § 160.620. (b)(1) A CHP that chooses to assert a defense(s) under paragraph (a) of this section must do so in writing within 30 calendar days of receipt of the notice under § 160.616. (2) For purposes of this section, the CHP’s date of receipt of the notice of penalty fee is presumed to be 5 days after the date of the notice unless the CHP makes a reasonable showing to the contrary to the Secretary. § 160.620 Defenses that may be raised in response to notice of penalty fee. The Secretary will consider no defenses aside from the following in response to a notice of penalty fee under § 160.616: (a) The CHP is not subject to the requirements of § 162.926 of this subchapter. (b) The CHP’s failure to meet the requirements of § 162.926 of this PO 00000 Frm 00027 Fmt 4701 Sfmt 4702 Notice of determination. The Secretary sends the CHP, by certified mail with return receipt requested, a notice of determination as to whether a penalty fee is assessed. (a) A notice of determination to assess a penalty fee includes all of the following: (1) A description of the statutory basis for the assessment of the penalty fee. (2) The amount of the penalty fee. (3) Reference to the regulatory basis, under § 160.612, for the assessment of the penalty fee. (4) The findings of fact regarding the violations on which assessment of the penalty fee is based. (5) Any defenses described in § 160.620 that were considered in determining whether to assess the penalty fee and the reason(s) why the defenses were rejected. (6) Instructions for requesting a hearing under § 160.626. (7) A statement that the failure to request a hearing within 90 days results in the imposition of the penalty fee specified in the notice of determination. (b) A notice of determination to not assess a penalty fee includes the following: (1) Any defenses described in § 160.620 that were considered in determining whether to assess the penalty fee and the reason(s) why the defenses were accepted; and (2) Actions the CHP must take. § 160.626 Right to a hearing. (a) Upon receipt of a notice of determination under § 160.624(a), a CHP may request a hearing before an ALJ by filing a request in accordance with § 160.504. (b) If a CHP does not request a hearing within the time prescribed by § 160.504, the Secretary notifies the CHP that the penalty fee in the notice of determination is final and the means by which the CHP must pay the penalty fee. PART 162—ADMINISTRATIVE REQUIREMENTS 12. The authority citation for part 162 continues to read as follows: ■ Authority: Secs. 1171 through 1180 of the Social Security Act (42 U.S.C. 1320d–1320d– 9), as added by sec. 262 of Pub. L. 104–191, 110 Stat. 2021–2031, sec. 105 of Pub. L. 110– 233, 122 Stat. 881–922, and sec. 264 of Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. E:\FR\FM\02JAP2.SGM 02JAP2 324 Federal Register / Vol. 79, No. 1 / Thursday, January 2, 2014 / Proposed Rules 1320d–2 (note), and secs. 1104 and 10109 of Pub. L. 111–148, 124 Stat. 146–154 and 915– 917. 13. Section 162.103 is amended by adding the definitions of ‘‘Covered lives of a CHP’’ and ‘‘EFT’’ in alphabetical order to read as follows: ■ § 162.103 Definitions. * * * * Covered lives of a CHP means individuals covered by or enrolled in major medical policies of a CHP and the SHP(s) of that CHP. Individuals may be described in such major medical policies by terms, including, but not limited to, the following: (1) Individuals. (2) Spouses. (3) Dependents. (4) Employees. (5) Subscribers. (6) Policyholders. (7) Medicaid recipients. (8) Medicare beneficiaries. (9) Tricare beneficiaries. (10) Veterans. (11) Survivors. * * * * * EFT stands for electronic funds transfers. * * * * * ■ 14. Section 162.926 is added to read as follows: mstockstill on DSK4VPTVN1PROD with PROPOSALS2 * VerDate Mar<15>2010 17:36 Dec 31, 2013 Jkt 232001 § 162.926 Certification of Compliance— submission requirements (a) Submission requirements for a CHP that obtains an HPID before January 1, 2015. For the health care electronic funds transfers (EFT) and remittance advice, eligibility for a health plan, and health care claim status transactions, a CHP that obtains an HPID before January 1, 2015 must, on or after January 1, 2015 and on or before December 31, 2015, provide the following to the Secretary in one submission: (1) The number of covered lives of a CHP (as that term is defined in § 162.103 of this subpart) on the date that the documentation required under paragraph (a) of this section is submitted. (2) Documentation that demonstrates the CHP has obtained a Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE)— (i) Certification Seal for Phase III CAQH CORE EFT & ERA Operating Rules. The CHP must not be under the CORE IT Exemption Policy at the time of submission with regard to the CORE Phase I, II, and III Seals; or PO 00000 Frm 00028 Fmt 4701 Sfmt 9990 (ii) HIPAA Credential for the operating rules for the transactions listed in paragraph (a) of this section. (b) Submission requirements for a CHP that obtains an HPID on or after January 1, 2015 and on or before December 31, 2016. A CHP that obtains an HPID on or after January 1, 2015 and on or before December 31, 2016, must, within 365 calendar days of obtaining an HPID, provide the following to the Secretary in one submission: (1) The number of covered lives of a CHP (as that term is defined in § 162.103) on the date the documentation required under paragraph (b) of this section is submitted. (2) The documentation required under paragraph (a)(2) of this section. Dated: December 20, 2013. Marilyn Tavenner, Administrator, Centers for Medicare & Medicaid Services. Dated: December 20, 2013. Kathleen Sebelius, Secretary, Department of Health and Human Services. [FR Doc. 2013–31318 Filed 12–31–13; 8:45 am] BILLING CODE 4120–01–P E:\FR\FM\02JAP2.SGM 02JAP2

Agencies

[Federal Register Volume 79, Number 1 (Thursday, January 2, 2014)]
[Proposed Rules]
[Pages 297-324]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-31318]



[[Page 297]]

Vol. 79

Thursday,

No. 1

January 2, 2014

Part IV





Department of Health and Human Services





-----------------------------------------------------------------------





45 CFR Parts 160 and 162





 Administrative Simplification: Certification of Compliance for Health 
Plans; Proposed Rule

Federal Register / Vol. 79 , No. 1 / Thursday, January 2, 2014 / 
Proposed Rules

[[Page 298]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 162

[CMS-0037-P]
RIN 0938-AQ85


Administrative Simplification: Certification of Compliance for 
Health Plans

AGENCY: Office of the Secretary, HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule would require a controlling health plan 
(CHP) to submit information and documentation demonstrating that it is 
compliant with certain standards and operating rules adopted by the 
Secretary of Health and Human Services (the Secretary) under the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA). This 
proposed rule would also establish penalty fees for a CHP that fails to 
comply with the certification of compliance requirements.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided, no later than 5 p.m. on March 3, 2014.

ADDRESSES: In commenting, please refer to file code CMS-0037-P. Because 
of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of four ways (please choose only one 
of the ways listed):
    1. Electronically. You may submit electronic comments on this 
regulation to https://www.regulations.gov. Follow the ``Submit a 
comment'' instructions.
    2. By regular mail. You may mail written comments to the following 
address only: Centers for Medicare & Medicaid Services, Department of 
Health and Human Services, Attention: CMS-0037-P, P.O. Box 8013, 
Baltimore, MD 21244-8013.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By express or overnight mail. You may send written comments to 
the following address only: Centers for Medicare & Medicaid Services, 
Department of Health and Human Services, Attention: CMS-0037-P, Mail 
Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
    4. By hand or courier. Alternatively, you may deliver (by hand or 
courier) your written comments only to the following addresses prior to 
the close of the comment period:
    a. For delivery in Washington, DC-- Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, Room 445-G, Hubert 
H. Humphrey Building, 200 Independence Avenue SW., Washington, DC 20201 
(Because access to the interior of the Hubert H. Humphrey Building is 
not readily available to persons without Federal government 
identification, commenters are encouraged to leave their comments in 
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing 
by stamping in and retaining an extra copy of the comments being 
filed.)
    b. For delivery in Baltimore, MD-- Centers for Medicare & Medicaid 
Services,
    Department of Health and Human Services, 7500 Security Boulevard, 
Baltimore, MD 21244-1850.
    If you intend to deliver your comments to the Baltimore address, 
call telephone number (410) 786-1066 in advance to schedule your 
arrival with one of our staff members.
    Comments erroneously mailed to the addresses indicated as 
appropriate for hand or courier delivery may be delayed and received 
after the comment period.
    For information on viewing public comments, see the beginning of 
the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Matthew Albright, (410) 786-2546. 
Terri Deutsch, (410) 786-9462 for questions regarding Collection of 
Information and the Regulatory Impact Statement.

SUPPLEMENTARY INFORMATION:
    Inspection of Public Comments: All comments received before the 
close of the comment period are available for viewing by the public, 
including any personally identifiable or confidential business 
information that is included in a comment. We post all comments 
received before the close of the comment period on the following Web 
site as soon as possible after they have been received: https://www.regulations.gov. Follow the search instructions on that Web site to 
view public comments.
    Comments received timely will also be available for public 
inspection as they are received, generally beginning approximately 3 
weeks after publication of a document, at the headquarters of the 
Centers for Medicare & Medicaid Services, 7500 Security Boulevard, 
Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 
a.m. to 4 p.m. To schedule an appointment to view public comments, call 
1-800-743-3951.

I. Background

A. Introduction

    Many factors contribute to the high cost of health care in the 
United States, but studies find that administrative costs substantially 
impact spending growth \2\ and can likely be reduced.\2\ Automated 
processes, through the use of standardized electronic transactions, can 
lessen health care providers' administrative burden in interacting with 
health insurers. Under the authority of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA), the Secretary 
adopts standards and operating rules that facilitate the use of 
electronic transactions by creating greater uniformity in data exchange 
and reducing the health care industry's reliance on paper forms and 
manual processes to transmit data.
---------------------------------------------------------------------------

    \2\ ``Technological Change and the Growth of Health Care 
Spending,'' A CBO Paper, Congressional Budget Office, January 2008, 
pg. 4, https://www.cbo.gov/ftpdocs/89xx/doc8947/01-31-TechHealth.pdf
    \2\ Morra, D., Nicholson, S., Levinson, W., Gans, D. N., 
Hammons, T., & Casalino, L. P. ``U.S. Physician Practices versus 
Canadians: Spending Nearly Four Times as Much Money Interacting With 
Payers,'' Health Affairs: 30(8):1443-1450, 2011.
    Blanchfield, Bonnie B., James L. Hefferman, Bradford Osgood, 
Rosemary R. Sheehan, and Gregg S. Meyer, ``Saving Billions of 
Dollars--and Physician's Time--by Streamlining Billing Practices,'' 
Health Affairs: 29(6):1248-1254, 2010.
---------------------------------------------------------------------------

    Although HIPAA standards and operating rules can reduce 
administrative burden, the health care industry has experienced 
difficulty transitioning to them by the regulatory compliance dates. 
Many in the industry attribute at least some implementation 
difficulties to the lack of a consistent testing process or framework 
before implementation of new standards and operating rules. This 
proposed rule is intended to serve as an initial step toward the 
development of a consistent testing process that will enable entities 
to better achieve and demonstrate compliance with HIPAA standards and 
operating rules.
    This rule proposes that controlling health plans (CHPs) must submit 
certain information and documentation that demonstrates compliance with 
the adopted standards and operating rules for three electronic 
transactions: eligibility for a health plan, health care claim status, 
and health care electronic funds transfers (EFT) and remittance advice. 
Such documentation would be an indication that a CHP has completed some 
internal and external testing.

[[Page 299]]

B. Legislative and Regulatory Background

    This section summarizes the legislative and regulatory history of 
standards, operating rules, and the enforcement processes in order to 
frame the process we refer to in this proposed rule as certification of 
compliance.
1. HIPAA Standards and Code Sets
    Section 1172(a) of the Social Security Act (the Act) provides that 
any standard adopted under HIPAA shall apply, in whole or in part, to 
the following persons, known as ``covered entities'': (1) A health 
plan; (2) a health care clearinghouse; and (3) a health care provider 
who transmits any health information in electronic form in connection 
with a HIPAA transaction. Covered entities are required to conduct as 
standard transactions all electronic transactions for which the 
Secretary has adopted a standard.
    In the August 17, 2000 Federal Register (65 FR 50312), we published 
a final rule titled ``Health Insurance Reform: Standards for Electronic 
Transactions'' (hereinafter referred to as the Transactions and Code 
Sets final rule). That rule implemented some of the HIPAA 
Administrative Simplification requirements by adopting standards 
developed by standards development organizations (SDOs) for certain 
electronic health care transactions, and medical data code sets to be 
used in those transactions. The Transactions and Code Sets final rule 
adopted the Accredited Standards Committee (ASC) X12 standards Version 
4010/4010A1 and the National Council for Prescription Drug Programs 
(NCPDP) Telecommunication standard Version 5.1.
    In the January 16, 2009 (74 FR 3296) final rule titled, ``Health 
Insurance Reform; Modifications to the Health Insurance Portability and 
Accountability Act (HIPAA) Electronic Transaction Standards'' 
(hereinafter referred to as the Modifications final rule), we adopted 
updated versions of the standards (ASC X12 Version 5010) (hereinafter 
referred to as Version 5010) and NCPDP Telecommunication Standard 
Implementation Guide, Version D. Release 0 (hereinafter referred to as 
Version D.0), and equivalent Standard Batch Implementation Guide, 
Version 1, Release 2 (hereinafter referred to as Version 1.2) for the 
electronic health care transactions that were originally adopted in the 
Transactions and Code Sets final rule. We also adopted a new standard 
for the Medicaid pharmacy subrogation transaction--the Batch Standard 
Medicaid Subrogation Implementation Guide, Version 3, Release 0 
(hereinafter referred to as Version 3.0), which is specified at 45 CFR 
162, subpart S. Covered entities were required to comply with Version 
5010 and Version D.0, and Version 3.0 for Medicaid pharmacy subrogation 
transactions, effective January 1, 2012 (except for small health plans, 
which were required to comply with Version 3.0 on January 1, 2013).
    In the January 10, 2012 (77 FR 1556) interim final rule with 
comment period, titled ``Administrative Simplification: Adoption of 
Standards for Health Care Electronic Funds Transfers (EFT) and 
Remittance Advice'' (hereinafter referred to as the Health Care EFT 
Standards IFC), we adopted standards for the health care electronic 
funds transfers (EFT) and remittance advice transaction, defined the 
transaction, and explained how the adopted standards support and 
facilitate it.
    In the September 5, 2012 Federal Register (77 FR 54664), we 
published a final rule, ``Administrative Simplification: Adoption of a 
Standard for a Unique Health Plan Identifier; Addition to the National 
Provider Identifier Requirements; and a Change to the Compliance Date 
for the International Classification of Diseases, 10th Edition (ICD-10-
CM and ICD-10-PCS) Medical Data Code Sets'' (hereinafter referred to as 
the HPID final rule). That rule, as relevant here, adopted the standard 
for a national unique health plan identifier (HPID), established 
requirements for HPID implementation, and adopted a data element to 
serve as an ``other entity'' identifier (OEID)--an identifier for 
entities that are not health plans, health care providers, or 
individuals, but that need to be identified in standard transactions.
2. HIPAA Operating Rules
    Section 1173(g) of the Act was added by section 1104 of the Patient 
Protection and Affordable Care Act (Pub L. 111-148), enacted on March 
23, 2010, as amended by the Health Care and Education Reconciliation 
Act of 2010 (Pub. L. 111-152), enacted on March 30, 2010 (collectively 
known as and hereinafter referred to as the Affordable Care Act). 
Section 1173(g) of the Act requires the Secretary to adopt a single set 
of operating rules for each of the transactions listed in section 
1173(a)(1) of the Act. Operating rules are defined by section 1171(9) 
of the Act as ``the necessary business rules and guidelines for the 
electronic exchange of information that are not defined by a standard 
or its implementation specifications as adopted for purposes of this 
part.'' Additionally, sections 1173(g)(2)(D), (g)(3)(C), and (g)(3)(D) 
of the Act clarify aspects of the operating rules and the requirements 
of the operating rules authoring entity.
    The Council for Affordable Quality Healthcare (CAQH) Committee on 
Operating Rules for Information Exchange (CORE) was established in 2005 
as a national initiative, bringing together over 100 health care 
industry stakeholders to simplify health care administration through 
the improvement of electronic health care information exchange. CAQH 
CORE's mission is to ``build consensus among healthcare industry 
stakeholders on a set of operating rules that facilitate administrative 
interoperability between providers and health plans.'' \3\
---------------------------------------------------------------------------

    \3\ CAQH CORE Web site: https://www.caqh.org/pdf/CORE_MASTER_Presentation_4-15-08.pdf.
---------------------------------------------------------------------------

    With consensus among health care industry stakeholder members, CAQH 
CORE, in 2008, developed two sets of operating rules for the 
eligibility for a health plan and health care claim status transactions 
(hereinafter referred to as Phase I and Phase II CAQH CORE Operating 
Rules). The operating rules built upon applicable HIPAA standard 
transaction requirements, and enabled providers to submit transactions 
from any system, facilitating administrative and clinical data 
integration. Numerous health care entities voluntarily adopted the 
Phase I and II CAQH CORE Operating Rules, and CAQH CORE demonstrated 
that the use of these rules yielded a positive return on investment for 
health plans and providers.\4\
---------------------------------------------------------------------------

    \4\ CAQH CORE Web site: https://www.caqh.org/pdf/CORE_MASTER_Presentation_4-15-08.pdf. https://www.caqh.org/COREIBMstudy.php.
---------------------------------------------------------------------------

    In August and September, 2010, the National Committee on Vital and 
Health Statistics \5\ (NCVHS), in furtherance of its statutory mission 
to advise the Secretary, engaged in a comprehensive review of health 
care operating rules and their authors. The NCVHS advised the Secretary 
that CAQH CORE met the requirements of section 1173(g)(2) of the Act to 
be the operating rules authoring entity for the non-retail pharmacy 
eligibility for a health plan and health care claim status 
transactions.\6\
---------------------------------------------------------------------------

    \5\ Established by the Congress, the NCVHS is a body that 
advises the Secretary on health data, statistics, and national 
health information policy and that has a significant role in the 
Secretary's adoption of operating rules under section 1173(g)(3) of 
the Act.
    \6\ September 30, 2010 letter from NCVHS to Secretary Kathleen 
Sebelius, re: Affordable Care Act, Administrative Simplification: 
Operating Rules for Eligibility and Claims Status Transactions: 
https://www.ncvhs.hhs.gov/reptrecs.htm.
---------------------------------------------------------------------------

    After assessing its qualifications and the NCVHS's recommendation, 
the

[[Page 300]]

Secretary determined that CAQH CORE was qualified to be the operating 
rule authority entity for the eligibility for a health plan and health 
care claim status transactions. In the July 8, 2011 (76 FR 40458) 
interim final rule with comment period (IFC) titled, ``Administrative 
Simplification: Adoption of Operating Rules for Eligibility for a 
Health Plan and Health Care Claim Status Transactions'' (hereinafter 
referred to as the Operating Rules IFC), we adopted Phase I and II CAQH 
CORE Operating Rules for the two transactions.\7\ The Operating Rules 
IFC also defined the term ``operating rules,'' revised the definition 
for ``standard transaction'' to indicate that a standard transaction is 
one that complies with both the adopted standards and operating rules, 
and described the relationship between operating rules and standards. 
In the Operating Rules IFC, we did not adopt the Phase I and II CAQH 
CORE Operating Rules requirements regarding acknowledgments, nor did we 
adopt CORE's Certification process by which an entity demonstrates 
compliance with Phase I and II CAQH CORE Operating Rules.\8\
---------------------------------------------------------------------------

    \7\ CAQH CORE Phases I and II Operating Rules are available 
online at no charge at https://www.caqh.org/COREVersion5010.phb.
    \8\ Provisions of the Operating Rule IFC at 76 FR 40461. 
Information on the CAQH CORE Rules can be found at: https://www.caqh.org/CORE_phase1.php, https://www.caqh.org/CORE_phase2.php, 
and https://www.caqh.org/CORE_phase3.php. CAQH CORE FAQS can be 
found at: https://www.caqh.org/pdf/COREFAQsPartA.pdf for general 
information; https://www.caqh.org/pdf/COREFAQsPartC.pdf for Phase I 
and II.
---------------------------------------------------------------------------

    On March 23, 2011, the NCVHS recommended that CAQH CORE, in 
collaboration with NACHA--The Electronic Payments Association, be the 
authoring entity for the health care electronic funds transfers (EFT) 
and remittance advice transaction operating rules.\9\ In developing the 
health care electronic funds transfers (EFT) and remittance advice 
transaction operating rules, CAQH CORE held more than thirty open 
conference calls and conducted over 15 straw polls with industry and 
government representatives between March and August 2011. More than 80 
health care entities analyzed, reviewed, and achieved consensus on the 
operating rules.
---------------------------------------------------------------------------

    \9\ March 23, 2011 NCVHS letter to the Secretary: https://ncvhs.hhs.gov/110323lt.pdf.
---------------------------------------------------------------------------

    On December 7, 2011, the NCVHS, in its advisory role, recommended 
to the Secretary (subject to CAQH CORE making certain revisions) that 
the Phase III CAQH CORE EFT & ERA Draft Operating Rule Set (or Phase 
III Operating Rules) be adopted as the operating rules for the health 
care electronic funds transfers (EFT) and remittance advice 
transaction. On August 10, 2012, in 77 FR 48008, we adopted these 
operating rules in a rule titled ``Administrative Simplification: 
Adoption of Operating Rules for Health Care Electronic Funds Transfers 
(EFT) and Remittance Advice Transactions; Final Rule'' (hereinafter EFT 
& ERA Operating Rule Set IFC). We did not, however, adopt the CAQH CORE 
operating rule in the EFT & ERA Operating Rule Set that required the 
use of the Version 5010 999 acknowledgements standard in the Phase III 
CAQH CORE 350 Health Care Claim Payment/Advice (835) Infrastructure 
Rule requirement 4.2 (77 FR 48017).\10\
---------------------------------------------------------------------------

    \10\ CAQH CORE FAQS for Phase III can be found at https://www.caqh.org/pdf/COREFAQsPartD.pdf.
---------------------------------------------------------------------------

    The NCVHS recommended in May 2012 that CAQH CORE be the authoring 
entity for the operating rules for the remaining HIPAA transactions 
\11\--health care claims or equivalent encounter information, health 
claims attachments, enrollment and disenrollment in a health plan, 
health plan premium payments, and referral certification and 
authorization, with respect to which the Secretary agreed.\12\
---------------------------------------------------------------------------

    \11\ May 5, 2012 NCVHS letter to the Secretary: https://www.ncvhs.hhs.gov/120505lt.pdf.
    \12\ September 12, 2012 letter from Secretary to NCVHS: https://www.ncvhs.hhs.gov/120912lt.pdf.
---------------------------------------------------------------------------

3. Current HIPAA Administrative Simplification Enforcement
    Under sections 1176 and 1177 of the Act, covered entities may be 
subject to civil money penalties (CMPs) and criminal penalties for 
violations of HIPAA Administrative Simplification rules. HHS 
administers the CMPs under section 1176 of the Act and the U.S. 
Department of Justice administers the criminal penalties under section 
1177 of the Act.
    Section 1176(b) of the Act sets out limitations on the Secretary's 
authority and provides the Secretary certain discretion with respect to 
imposing CMPs. For example, this section provides that no CMPs may be 
imposed with respect to an act if a penalty has been imposed under 
section 1177 of the Act with respect to such act. This section also 
generally precludes the Secretary from imposing a CMP for a violation 
corrected during the 30-day period beginning when an individual knew 
or, by exercising reasonable diligence, would have known that the 
failure to comply occurred. The Secretary promulgated rules pertaining 
to compliance with, and enforcement of, the HIPAA Administrative 
Simplification rules that are codified at section 45 part 160, subparts 
C, D, and E, and collectively referred to as the Enforcement Rule.
    In the April 17, 2003 Federal Register (68 FR 18895), we issued an 
interim final rule entitled, ``Civil Money Penalties: Procedures for 
Investigations, Imposition of Penalties, and Hearings'' that 
established the procedural requirements for the imposition of CMPs for 
violations of HIPAA Administrative Simplification requirements. We 
expanded upon that rule with a February 16, 2006 final rule entitled, 
``HIPAA Administrative Simplification: Enforcement'' (71 FR 8390), that 
made the compliance rules applicable to all HIPAA Administrative 
Simplification Rules. That rule also amended the rules relating to the 
imposition of CMPs and clarified the investigation process, bases for 
liability, determination of the penalty amount, grounds for waiver, 
conduct of the hearing, and the appeal process. These rules' preambles 
provide additional information that may be helpful regarding HIPAA's 
compliance and enforcement.
    Section 13410(d) of the Health Information Technology for Economic 
and Clinical Health Act (HITECH), enacted on February 17, 2009 as part 
of the American Recovery and Reinvestment Act of 2009, revised section 
1176 of the Act by strengthening enforcement of the HIPAA rules.
    In the October 30, 2009 Federal Register (74 FR 56123), we 
published an IFC titled ``HIPAA Administrative Simplification: 
Enforcement'' that conformed HIPAA's enforcement regulations to section 
1176 of the Act, as it was modified by section 13410(d) of HITECH. That 
rule amended HIPAA enforcement regulations as they relate to the 
imposition of CMPs to incorporate the HITECH categories of violations, 
tiered ranges of CMP amounts, and revised limitations on the 
Secretary's authority to impose CMPs for established violations of 
HIPAA Administrative Simplification rules.
    In the January 25, 2013 Federal Register (78 FR 5566), we published 
a final rule titled ``Modifications to the HIPAA Privacy, Security, 
Enforcement, and Breach Notification Rules Under the Health Information 
Technology for Economic and Clinical Health Act and the Genetic 
Information Nondiscrimination Act; Other Modifications to the HIPAA 
Rules'' (hereinafter referred to as the HIPAA Omnibus final rule). 
Among other modifications to the HIPAA rules, the HIPAA Omnibus final 
rule modified HIPAA Privacy, Security, and Breach

[[Page 301]]

Notification Rules as mandated by HITECH, as well as finalized a number 
of modifications to the HIPAA Enforcement Rule, including incorporating 
a tiered civil money penalty structure, that were originally published 
as an interim final rule on October 30, 2009 (74 FR 56123) and proposed 
in a notice of proposed rulemaking on July 14, 2010 (75 FR 40868).
4. HIPAA Administrative Simplification Enforcement Under the Affordable 
Care Act
    Section 1104 of the Affordable Care Act amended the Social Security 
Act by adding sections 1173(h) and (j). Section 1173(h) of the Act 
includes certification of compliance requirements for health plans, and 
requires the Secretary to conduct periodic audits of health plans and 
entities that have service contracts with health plans. Section 1173(j) 
of the Act establishes new penalties for health plans that fail to 
comply with the certification of compliance requirements.
5. Health Plan Certification of Compliance Requirements
    Section 1173(h)(1)(A) of the Act requires health plans to file a 
statement with the Secretary, in such form as the Secretary may 
require, by December 31, 2013, certifying that their data and 
information systems are in compliance with the standards and operating 
rules for the following transactions: Eligibility for a health plan, 
health care claim status, and health care electronic funds transfers 
(EFT) and remittance advice. In this proposed rule, we refer to the 
requirements mandated by section 1173(h)(1)(A) of the Act as the 
``first certification of compliance requirements.'' Table 1 displays 
the specific standards and operating rules to which the requirements 
for the first certification of compliance apply.
    In similar fashion, section 1173(h)(1)(B) of the Act mandates, by 
December 31, 2015, health plan certification of compliance for the 
following HIPAA transactions: Health care claims or equivalent 
encounter information, enrollment and disenrollment in a health plan, 
health plan premium payments, health claims attachments, and referral 
certification and authorization. Likewise, section 1173(h)(5) of the 
Act mandates that health plans meet certification of compliance 
requirements for later versions of the standards and operating rules.
    The scope of this proposed rule is limited to the first 
certification of compliance. Because operating rules for the 
transactions listed in section 1173(h)(1)(B) of the Act have not yet 
been adopted, nor has a standard been adopted for health claims 
attachments, we cannot yet determine what documentation will be 
necessary to demonstrate compliance with those standards and operating 
rules. We will adopt certification of compliance requirements for the 
transactions listed in section 1173(h)(1)(B) of the Act, and for later 
adopted versions of standards and operating rules, in subsequent 
rulemaking.

 Table 1--Standards and Operating Rules to Which the First Certification
                          of Compliance Applies
------------------------------------------------------------------------
         Transactions               Standards         Operating rules
------------------------------------------------------------------------
Eligibility for a Health Plan   ASC X12 Standards  The following CAQH
 (request and response)--        for Electronic     CORE Phase I and
 Dental, Professional, and       Data Interchange   Phase II operating
 Institutional.                  Technical Report   rules, excluding
                                 Type 3--Health     where such rules
                                 Care Eligibility   reference and/or
                                 Benefit Inquiry    pertain to
                                 and Response       acknowledgements and
                                 (270/271), April   CORE certification):
                                 2008, ASC X12N/   (1) Phase I CORE 152:
                                 005010X279.        Eligibility and
                                                    Benefit Real Time
                                                    Companion Guide
                                                    Rule, version 1.1.0,
                                                    March 2011, and CORE
                                                    v5010 Master
                                                    Companion Guide
                                                    Template.
                                                   (2) Phase I CORE 153:
                                                    Eligibility and
                                                    Benefits
                                                    Connectivity Rule,
                                                    version 1.1.0, March
                                                    2011.
                                                   (3) Phase I CORE 154:
                                                    Eligibility and
                                                    Benefits 270/271
                                                    Data Content Rule,
                                                    version 1.1.0, March
                                                    2011.
                                                   (4) Phase I CORE 155:
                                                    Eligibility and
                                                    Benefits Batch
                                                    Response Time Rule,
                                                    version 1.1.0, March
                                                    2011.
                                                   (5) Phase I CORE 156:
                                                    Eligibility and
                                                    Benefits Real Time
                                                    Response Rule,
                                                    version 1.1.0, March
                                                    2011.
                                                   (6) Phase I CORE 157:
                                                    Eligibility and
                                                    Benefits System
                                                    Availability Rule,
                                                    version 1.1.0, March
                                                    2011.
                                                   (7) Phase II CORE
                                                    258: Eligibility and
                                                    Benefits 270/271
                                                    Normalizing Patient
                                                    Last Name Rule,
                                                    version 2.1.0, March
                                                    2011.
                                                   (8) Phase II CORE
                                                    259: Eligibility and
                                                    Benefits 270/271 AAA
                                                    Error Code Reporting
                                                    Rule, version 2.1.0.
                                                   (9) Phase II CORE
                                                    260: Eligibility &
                                                    Benefits Data
                                                    Content (270/271)
                                                    Rule, version 2.1.0,
                                                    March 2011.
                                                   (10) Phase II CORE
                                                    270: Connectivity
                                                    Rule, version 2.2.0,
                                                    March 2011.
Eligibility for a Health Plan-- Telecommunication  .....................
 Retail Pharmacy Drugs.          Standard
                                 Implementation
                                 Guide, Version
                                 D, Release 0
                                 (Version D.0),
                                 August 2007, and
                                 equivalent Batch
                                 Standard
                                 Implementation
                                 Guide, Version
                                 1, Release 2
                                 (Version 1.2),
                                 National Council
                                 for Prescription
                                 Drug Programs.

[[Page 302]]

 
Health Care Claim Status......  ASC X12 Standards  The following CAQH
                                 for Electronic     CORE Phase II
                                 Data Interchange   operating rules
                                 Technical Report   (updated for Version
                                 Type 3--Health     5010), excluding
                                 claim status       where such rules
                                 Request and        reference and/or
                                 Response (276/     pertain to
                                 277), August       acknowledgements and
                                 2006, ASC X12N/    CORE certification:
                                 005010X212, and   (1) Phase II CORE
                                 Errata to Health   250: Claim Status
                                 claim status       Rule, version 2.1.0,
                                 Request and        March 2011, and CORE
                                 Response (276/     v5010 Master
                                 277), ASC X12      Companion Guide,
                                 Standards for      00510, 1.2, March
                                 Electronic Data    2011.
                                 Interchange       (2) Phase II CORE
                                 Technical Report   270: Connectivity
                                 Type 3, April      Rule, version 2.2.0,
                                 2008, ASC X12N/    March 2011.
                                 005010X212E1.
Health Care Electronic Funds    ERA: ASC X12       The following CAQH
 Transfers (EFT) and             Standards for      CORE Phase III EFT &
 Remittance Advice.              Electronic Data    ERA Operating Rule
                                 Interchange        Set, approved June
                                 Technical Report   2012:
                                 Type 3--Health    (1) Phase III CORE
                                 Care Claim         380 EFT Enrollment
                                 Payment/Advice     Data Rule, version
                                 (835), April       3.0.0, June 2012.
                                 2006, ASC X12N/   (2) Phase III CORE
                                 005010X221.        382 ERA Enrollment
                                                    Data Rule, version
                                                    3.0.0, June 2012.
                                                   (3) Phase III 360
                                                    CORE Uniform Use of
                                                    CARCs and RARCs
                                                    (835) Rule, version
                                                    3.0.0, June 2012.
                                                   (4)
                                                    CORE[dash]required
                                                    Code Combinations
                                                    for
                                                    CORE[dash]defined
                                                    Business Scenarios
                                                    for the Phase III
                                                    CORE 360 Uniform Use
                                                    of Claim Adjustment
                                                    Reason Codes and
                                                    Remittance Advice
                                                    Remark Codes (835)
                                                    Rule, version 3.0.0,
                                                    June 2012.
                                                   (5) Phase III CORE
                                                    370 EFT & ERA
                                                    Reassociation (CCD+/
                                                    835) Rule, version
                                                    3.0.0, June 2012.
                                                   (6) Phase III CORE
                                                    350 Health Care
                                                    Claim Payment/Advice
                                                    (835) Infrastructure
                                                    Rule, version 3.0.0,
                                                    June 2012, except
                                                    Requirement 4.2
                                                    titled ``Health Care
                                                    Claim Payment/Advice
                                                    Batch
                                                    Acknowledgement
                                                    Requirements``.
                                                   (7) ACME Health Plan,
                                                    CORE v5010 Master
                                                    Companion Guide
                                                    Template, 005010,
                                                    1.2, March 2011
                                                    (incorporated by
                                                    reference in Sec.
                                                    162.920), as
                                                    required by the
                                                    Phase III CORE 350
                                                    Health Care Claim
                                                    Payment/Advice (835)
                                                    Infrastructure Rule,
                                                    version 3.0.0, June
                                                    2012.
                                Stage 1 Payment
                                 Initiation: The
                                 National
                                 Automated
                                 Clearing House
                                 Association
                                 (NACHA)
                                 Corporate Credit
                                 or Deposit Entry
                                 with Addenda
                                 Record (CCD+)
                                 implementation
                                 specifications
                                 as contained in
                                 the 2011 NACHA
                                 Operating Rules
                                 & Guidelines:
                                 NACHA Operating
                                 Rules, Appendix
                                 One: ACH File
                                 Exchange
                                 Specifications;
                                 and NACHA
                                 Operating Rules,
                                 Appendix Three:
                                 ACH Record
                                 Format
                                 Specifications,
                                 Subpart 3.1.8
                                 Sequence of
                                 Records for CCD
                                 Entries.
                                Data content in
                                 CCD Addenda
                                 Record:
                                 Accredited
                                 Standards
                                 Committee (ASC)
                                 X12 Standards
                                 for Electronic
                                 Data Interchange
                                 Technical Report
                                 Type 3, ``Health
                                 Care Claim
                                 Payment/Advice
                                 (835), April
                                 2006: Section
                                 2.4: 835 Segment
                                 Detail: ``TRN
                                 Reassociation
                                 Trace Number,''
                                 Washington
                                 Publishing
                                 Company,
                                 005010X221.
------------------------------------------------------------------------

    Section 1173(h)(2) of the Act provides that a health plan will not 
be considered to have met section 1173(h)(1) of the Act certification 
requirements unless it provides the Secretary adequate documentation of 
compliance that--
     Demonstrates to the Secretary that it conducts the 
electronic transactions specified in section 1173(h)(1) of the Act in a 
manner that fully complies with the regulations of the Secretary; and
     Shows that it has completed end-to-end testing for such 
transactions with its

[[Page 303]]

partners, such as hospitals and physicians.
    Section 1173(h)(3) of the Act extends the certification and 
submission requirements to entities that have service contracts with 
health plans, though the compliance onus remains on the health plan. In 
addition, the Secretary is authorized by section 1173(h)(4) of the Act 
to designate independent, outside entities to certify that health plans 
have complied with the certification requirements, so long as the 
certification standards used by these entities are in accordance with 
the standards and operating rules adopted by the Secretary.
6. Penalty Fees
    Section 1173(j) of the Act specifies penalties for health plans 
that fail to meet section 1173(h) certification and documentation of 
compliance requirements. Sections 1173(j)(1)(B) through (F) of the Act 
specify the amount of, and process for assessing, penalty fees against 
health plans. Section 1173(j)(1)(B) of the Act requires the Secretary 
to assess a $1 per covered life per day penalty fee, assessed per 
person covered by the plan for which its data systems for major medical 
policies are not in compliance for each day the plan is not in 
compliance, against a health plan until certification is complete. 
Section 1173(j)(1)(C) of the Act requires the Secretary to double the 
amount of the penalty fees assessed against a health plan that 
knowingly provides inaccurate or incomplete information in certifying 
compliance. Section 1173(j)(1)(F) of the Act directs the Secretary to 
determine the number of covered lives underlying the calculation of the 
penalty fee amount based upon a health plan's most recent statements 
and filings submitted to the Securities and Exchange Commission.
    Section 1173(j)(1)(D) of the Act directs that the penalty fees be 
increased on an annual basis by the annual percentage increase in total 
national health care expenditures, as determined by the Secretary. 
Finally, section 1173(j)(1)(E) of the Act caps the penalties that may 
be annually imposed on a health plan to $20 per covered life under such 
plan, or, in the event of misrepresentation under section 1173(j)(1)(C) 
of the Act, $40 per covered life.
7. Notice, Dispute, and Penalty Process
    Sections 1173(j)(2) through (4) of the Act outline how the penalty 
fees are to be assessed and collected. Section 1173(j)(2) of the Act 
requires the Secretary to establish a process to assess penalty fees 
that provides a health plan with reasonable notice and a dispute 
resolution procedure prior to the Secretary of the Treasury sending a 
notice of assessment to a health plan.
    Section 1173(j)(3) of the Act directs the Secretary, by May 1, 
2014, and annually thereafter, to provide the Secretary of the Treasury 
with a report of health plans that have been assessed penalty fees. 
Section 1173(j)(4) of the Act directs the Secretary of the Treasury to 
collect the penalty fees, and by August 1, 2014 and annually 
thereafter, provide each plan assessed a penalty fee a notice of the 
amount and due date of the fee. Section 1173(j)(4)(C) of the Act 
directs health plans assessed penalty fees to make payment to the 
Secretary of the Treasury by November 1, 2014, and annually thereafter. 
Section 1173(j)(4)(D) of the Act provides that interest, at a rate as 
determined pursuant to the underpayment rate established under section 
6621 of the Internal Revenue Code of 1986, accrues on any penalty fee 
not paid by the due date, and that any unpaid penalty fees are to be 
treated as a past due, legally enforceable debt owed to a federal 
agency for purposes of section 6402(d) of the Internal Revenue Code of 
1986. Finally, section 1173(j)(4)(E) of the Act states that any fee 
charged or allocated for collection activities conducted by the 
Department of the Treasury's Financial Management System will be passed 
on to the health plan on a pro-rated basis and added to the penalty fee 
collected.
8. Audits
    Section 1173(h)(6) of the Act states that the Secretary shall 
conduct periodic audits to ensure that health plans, including entities 
that have service contracts with health plans, are in compliance with 
the adopted standards and operating rules, as referenced in Table 1. 
The process and scope of these audits are not addressed in this 
proposed rule.

C. Certification of Compliance and Strategy for a Consistent Testing 
Processes

    Beyond the first certification of compliance, section 1173(h)(5) of 
the Act requires health plan certification for new and revised 
standards and operating rules adopted by the Secretary. We intend for 
future rulemakings in which we adopt new or modified standards and 
operating rules to also include certification of compliance processes 
for those new or modified standards and operating rules. We believe the 
benefit of including the certification of compliance requirements in 
those rulemakings is that it will move covered entities toward a 
consistent, industry-wide testing framework that, we believe, will 
support a more seamless transition to new and modified standards and 
operating rules.
    In recent years, the health care industry has experienced 
challenges in implementing the HIPAA Administrative Simplification 
requirements, such as Version 5010, ICD-10, and the operating rules for 
the eligibility for a health plan and health care claim status 
transaction, by the regulatory compliance dates. We have responded to 
industry's needs for additional time by delaying implementation or 
relaxing enforcement periods for the requirements, but such practices 
can be expensive to industry.
    While many factors may cause a covered entity to have difficulty 
implementing a new Administrative Simplification requirement, many in 
industry attribute some implementation issues to the lack of a 
consistent testing process or framework.\13\ The health care industry 
reports that testing is critical to ensure the integrity of internal 
application systems and confirm a system's capability to conduct 
compliant transactions.\14\ The NCVHS stated that a uniform testing 
process that included full end-to-end testing well before the 
compliance dates for Version 5010 would have identified issues that 
could have been mitigated in advance of the compliance date.\15\
---------------------------------------------------------------------------

    \13\ Many of the assumptions in this section come from an NCVHS 
hearing held on June 20, 2012 in which these issues were discussed. 
The hearing and the NCVHS' conclusions are summarized in ``Re: 
Findings from NCVHS Hearings on Administrative Simplification in 
June 2012--an Update on Health Care Administrative Transactions,'' 
September 21, 2012 letter to Secretary Sebelius from the National 
Committee on Vital and Health Statistics, pg 2. A copy of the letter 
and testimony from the hearing can be found at: https://www.ncvhs.hhs.gov/.
    \14\ See ``Transaction Compliance and Certification: A White 
Paper Describing the Recommended Solutions for Compliance Testing 
and Certification of the HIPAA Transactions,'' prepared by the 
Workgroup for Electronic Data Interchange (WEDI) Transactions 
Workgroup, March 10, 2010.
    \15\ Ibid.
---------------------------------------------------------------------------

    Ideally, certification of compliance, as mandated by section 
1173(h) of the Act, should support a standardized process for 
demonstrating compliance. Such a standardized process for demonstrating 
compliance should require a health plan to undergo testing within a 
consistent, industry-wide framework that results in the ability to 
generate specific documents that demonstrate compliance. We believe 
such a process would solve some of the significant implementation 
issues the industry has experienced. The certification of compliance 
provisions we propose in this rule are the first step toward a 
standardized testing framework to

[[Page 304]]

support a more seamless transition to new and revised standards or 
operating rules.

II. Provisions of the Proposed Rule

A. Submission Requirements

    Section 1173(h) of the Act requires health plans to provide the 
Secretary, in such form as the Secretary may require, adequate 
documentation of compliance with the standards and operating rules. In 
accordance with section 1173(h) of the Act, we propose the information 
and documentation that controlling health plans (CHPs) would be 
required to submit to the Secretary for the first certification of 
compliance in the new regulation Sec.  162.926.
    In the HPID final rule, we created two categories of health plans 
\16\ for purposes of specifying enumeration requirements for the health 
plan identifier (HPID): CHPs and subhealth plans (SHPs). In this 
proposed rule, we propose that CHPs, on behalf of themselves and their 
SHPs, if any, be responsible for submitting the information and 
documentation for the first certification of compliance under Sec.  
162.926.
---------------------------------------------------------------------------

    \16\ The regulatory definition of health plan at 45 CFR 160.103 
was initially adopted in the Transactions and Code Sets final rule. 
The basis for the additions to, and clarifications of, the statutory 
definition of health plan is further discussed in the preamble to 
the December 28, 2000 final rule (65 FR 82478 and 82576) titled 
``Standards for Privacy of Individually Identifiable Health 
Information.''
---------------------------------------------------------------------------

    Under proposed Sec.  162.926, a CHP would be required to submit the 
following information and documentation, in one submission, to the 
Secretary:
     Its number of covered lives on the date it submits the 
documentation.
     Documentation that demonstrates it has obtained either a 
CAQH CORE--
    ++ Certification Seal for Phase III CAQH CORE EFT & ERA Operating 
Rules (hereinafter referred to as a Phase III CORE Seal); or
    ++ HIPAA Credential for the eligibility for a health plan, health 
care claim status, and health care electronic funds transfers (EFT) and 
remittance advice operating rules (hereinafter referred to as the HIPAA 
Credential).
    Collectively, these constitute the submissions, and we refer to the 
requirements to submit them to the Secretary as the ``submission 
requirements.'' The submission requirements, as proposed in this rule, 
are a ``snap shot'' of a CHP's compliance with the standards and 
operating rules. Such information and documentation does not reflect 
continuing compliance, nor do we do intend the information or 
documentation to be updated or resubmitted on a regular basis.
    We are not, at this time, proposing the specific format for the 
submission requirements. We will likely require a CHP to submit its 
number of covered lives through an online form. We may require an 
electronic version or copy of a Phase III CORE Seal or the HIPAA 
Credential to be submitted online, or we may ask for a tracking number 
that links to CAQH CORE records of such. Information about the 
mechanics for meeting the submission requirements for the first 
certification of compliance will be forthcoming at or near the time the 
final rule is published.
1. Responsibilities of a CHP
    As previously noted, in Sec.  162.926 we propose that a CHP be 
responsible for submitting the following on behalf of itself and, if it 
has any, its SHP(s):
     The number of covered lives of a CHP: The number of 
``covered lives of a CHP,'' as the term is proposed to be defined in 
Sec.  162.103, would include the number of covered lives, if any, of a 
CHP's SHPs. (We discuss the definition of ``covered lives of a CHP'' in 
more detail in section II.B.1 of this proposed rule.) The CHP would be 
responsible for submitting its total number of covered lives as of the 
date it meets the submission requirements of Sec.  162.926(a)(1) or 
(b)(1).
     Documentation that demonstrates the CHP has obtained 
either a Phase III CORE Seal or the HIPAA Credential.
    In order to obtain the documentation for this submission 
requirement, a CHP, also representing all of its SHPs, would have to 
meet the CORE requirements necessary to obtain either a Phase III CORE 
Seal or the HIPAA Credential. We discuss this documentation requirement 
in more detail in section II.A.3 of this proposed rule.
    We believe the proposal that the CHP be responsible for meeting the 
submission requirements for itself and its SHPs is consistent with the 
framework of the HPID final rule. A CHP is defined at Sec.  162.103 as 
exercising sufficient control over its SHPs to direct its/their 
business activities, actions, or policies. We believe a CHP has 
sufficient control over its SHPs to require that it be responsible for 
the Sec.  162.926 requirements for itself and its SHPs. As described in 
section II.B.1 of this proposed rule, the CHP would also be responsible 
for the penalty fees that may be assessed if it fails to meet the first 
certification of compliance's submission requirements as proposed in 
Sec.  162.926.
    We note that a CHP's proposed obligations under Sec.  162.926 would 
not necessarily extend to other Administrative Simplification 
compliance or enforcement activities. Nothing in the provisions of this 
proposed rule would alter the requirement that all health plans must 
meet Administrative Simplification requirements per Sec.  160.102. As 
health plans, SHPs are covered entities and independently responsible 
for ensuring they are compliant with the standards and operating rules, 
but, for purposes of this rule, we propose that the responsibility to 
meet the first certification of compliance submission requirements lies 
with the CHP.
    We emphasize that state and federal government entities that meet 
the definition of a CHP must meet the requirements of this proposed 
rule and may be assessed penalty fees as described in the statute and 
in this rule; section 1173(h) of the Act provides no exemptions for 
state or federal government health plans.
2. Proposed Submission Requirements: Number of Covered Lives of a CHP
    Section 1173(j)(1) of the Act requires the Secretary to assess a 
penalty fee against a health plan that fails to meet the certification 
of compliance requirements of section 1173(h). Section 1173(j)(1) of 
the Act specifies the penalty fee amount, which is based on the covered 
lives of a health plan. Because we need to know the number of covered 
lives of a CHP (including the number of covered lives of its SHPs, if 
it has any) should circumstances require us to calculate penalty fees, 
we propose in Sec.  162.926(a)(1) and (b)(1) to require CHPs to submit 
to the Secretary the number of covered lives of a CHP.
    We propose that the number of covered lives of a CHP submitted 
pursuant to Sec.  162.926(a)(1) and (b)(1) would be the number of 
covered lives as of the date the CHP submits the documentation proposed 
in Sec.  162.926(a)(2) and (b)(2) to the Secretary. For example, if a 
CHP submits the documentation required by the first certification of 
compliance on January 1, 2015, then its submission would reflect its 
number of covered lives as of that date. In Sec.  162.926 (and 
discussed in section II.A.7 of this proposed rule), we propose that a 
CHP would have up to 12 months prior to the certification of compliance 
deadlines to satisfy the submission requirements. The definition of the 
``covered lives of a CHP'' is best explained in the context of the 
penalty fees, which we do in section II.B.1 of this proposed rule where 
we describe the calculation of penalty fees.

[[Page 305]]

3. Proposed Submission Requirements: HIPAA Credential or Phase III CORE 
Seal
    We propose to require CHPs to choose among two options, the HIPAA 
Credential or a Phase III CORE Seal, as described in this section, to 
demonstrate compliance for the first certification of compliance.
    There are any number of reasons why a CHP may elect to obtain one 
of these options over the other. A CHP will find that one or the other 
better aligns with the implementation process it uses to implement new 
operating rules.
a. Process and Requirements for Obtaining HIPAA Credential
    We are proposing in Sec.  162.926(a)(2) and (b)(2) that a CHP has 
the option of selecting the HIPAA Credential as one of two alternatives 
for meeting the first certification of compliance submission 
requirements. The HIPAA Credential is administered by CAQH CORE and 
demonstrates that a CHP has attested to compliance with HIPAA standards 
and operating rules for the eligibility for a health plan, health care 
claim status, and electronic funds transfers (EFT) and remittance 
advice transactions, and that the CHP has conducted a certain level of 
testing. CAQH CORE is currently developing the HIPAA Credential--which 
we expect to be finalized prior to the time we finalize this rule--and 
we describe here the expected process and requirements for obtaining 
it. Just as CAQH CORE provides explicit details about the CORE Seals on 
its Web site, we expect it will do the same for the HIPAA Credential. 
Should the final HIPAA Credential differ in any material way from the 
way we describe it herein, we would reopen the comment period for this 
topic to allow for further comment.
    The scope of the HIPAA Credential would only encompass the HIPAA-
mandated standards and operating rules. For example, we have not 
adopted HIPAA standards and operating rules for acknowledgements, 
therefore the HIPAA Credential would not require attestation or 
compliance with respect to standards and operating rules regarding 
acknowledgements.
    To obtain the HIPAA Credential, a CHP would have to submit to CAQH 
CORE--
     The CAQH CORE HIPAA Attestation Form (similar to the form 
required for the CORE Certification process,\17\ discussed in section 
II.A.3(b) of this proposed rule);
---------------------------------------------------------------------------

    \17\ https://www.caqh.org/pdf/CLEAN5010/COREHIPAAForm.pdf, https://www.caqh.org/pdf/COREPIIHIPAAForm.pdf, and https://caqh.org/Host/CORE/EFT-ERA/CORE_PIII_HIPAA_Form.pdf, https://www.caqh.org/pdf/CLEAN5010/COREHIPAAForm.pdf, https://www.caqh.org/pdf/COREPIIHIPAAForm.pdf, and https://caqh.org/Host/CORE/EFT-ERA/CORE_PIII_HIPAA_Form.pdf for the Phase I, II, and III CAQH CORE HIPAA 
Attestation Forms respectively.
---------------------------------------------------------------------------

     An application form (similar to the form required to 
obtain a CORE Seal) with signature verifying that all forms have been 
submitted to CAQH CORE and indicating that HHS may view the application 
and associated forms if such a request is made to CAQH CORE; and
     An attestation form, with features or requirements that 
would include the following:
    ++ Attestation, in which the CHP confirms that it has successfully 
tested the operating rules for the eligibility for a health plan, 
health care claim status, and health care electronic funds transfers 
(EFT) and remittance advice transactions with trading partners. For 
each of the three transactions, the CHP must confirm that the number of 
transactions conducted with those trading partners collectively 
accounts for at least 30 percent of the total number of transactions 
conducted with providers. For each of the three transactions, the CHP 
must confirm that it has successfully tested with at least three 
trading partners, but if the number of transactions conducted with 
three trading partners does not account for at least 30 percent of the 
total number of transactions conducted with providers, the CHP could 
confirm that it has successfully tested with up to 25 trading partners. 
The CHP would have to list those trading partners.
    We do not define ``successfully tested'' in this proposed rule, or 
prescribe any specific kind or level of testing for the HIPAA 
Credential.
    ++ When a CHP attests that it has successfully tested with trading 
partners that, collectively, conduct at least 30 percent of the total 
number of transactions conducted with providers, it is representing 
itself and its SHPs. When calculating 30 percent of the transactions 
conducted with providers, the total of the CHP's and SHPs' transactions 
would be used.
    ++ The CHP would have to provide contact information, including, 
but not limited to, name, phone number, and email address, for each of 
the listed trading partners.
    ++ Trading partners may be transaction-specific. For example, a CHP 
may list the same or different trading partners for each of the three 
transactions, so a CHP may list three or more trading partners.
    ++ Trading partner testing would only be required for current 
HIPAA-mandated operating rules and standards, so trading partner 
testing would not be required for the use of acknowledgments, or 
optional aspects of standards.
    In reviewing CHPs' HIPAA Credential application packages, CAQH CORE 
will likely identify applications containing obvious errors, and not 
award the HIPAA Credential based on such information. CAQH CORE will 
also identify when required information, such as trading partner 
contact information, is missing in the HIPAA Credential application 
package.
    While CAQH CORE will likely identify obvious errors or missing 
information in the HIPAA Credential application package, CAQH CORE will 
not be responsible for addressing intent on the part of the CHP with 
regard to such errors or missing information. That is, CAQH CORE will 
not investigate what a CHP knew or didn't know when it submitted an 
inaccurate HIPAA Credential application package to CAQH CORE. 
Similarly, CAQH CORE will not address any claims that may be submitted 
to CAQH CORE about a CHP's intent behind any inaccuracies or incomplete 
information in a HIPAA Credential application; for example, CAQH CORE 
will not address claims that a CHP knowingly provided inaccurate or 
incomplete information in its HIPAA Credential application.
    Other aspects of the HIPAA Credential include:
     Unlike the CORE Seals, it would only be offered to health 
plans.
     The HIPAA Credential would not have a requirement for 
certification testing, as is required for a Phase III CORE Seal. The 
HIPAA Credential would not have a requirement to test with a third-
party testing vendor.
     The HIPAA Credential requires external testing; however, 
it does not require a specific approach to external testing, and, thus, 
does not directly support a consistent, industry-wide testing framework 
to the extent that a Phase III CORE Seal does. Thus, we view the HIPAA 
Credential as an initial step toward a consistent testing framework for 
CHPs that decide not to undergo the certification testing for a CORE 
Phase III Seal.
b. Process and Requirements for Obtaining a CORE Seal
    The three current CAQH CORE Operating Rule sets are referred to as 
phases: Phase I is the operating rule set for the eligibility for a 
health plan transaction; Phase II includes operating rules for both the 
eligibility for a health plan and the health care claim status 
transaction; and Phase III is the

[[Page 306]]

operating rule set for the health care electronic funds transfers (EFT) 
and remittance advice transaction. The Secretary has adopted the sets 
as the operating rules for the respective transactions, with the 
exceptions we describe in section I.B.2 of this proposed rule.
    CAQH CORE has developed separate certification testing requirements 
for each of the three phases of operating rules. Any health care entity 
that conducts the applicable electronic health care transactions may 
voluntarily undergo certification testing with an independent CORE-
authorized testing vendor and a certification process through CORE to 
demonstrate compliance with the three phases. An entity that 
successfully completes the testing and submits the appropriate 
documentation to CAQH CORE is awarded a CORE Seal for the specific 
phase for which it tested. In order to be awarded a CORE Seal for all 
three phases, a CHP would be required to conduct certification testing 
for compliance with the requirements in Phases I, II, and III, which 
may be done chronologically or concurrently.
    We are proposing a Phase III CORE Seal as one of two options a CHP 
may choose to meet the submission requirements of the first 
certification of compliance. The preparation required to apply for, and 
the documentation required in order to be awarded, a CORE Seal for each 
phase reflects the kind of consistent internal and external testing and 
documentation of compliance that we believe will ameliorate many of the 
challenges industry has recently faced during transitioning to new 
standards and operating rules.
    Because we propose that CHPs may choose to obtain a CORE Seal to 
satisfy the requirements of proposed Sec.  162.926(a)(2) or (b)(2), we 
describe the steps involved for entities to obtain a CORE Seal: \18\ 
(1) Conduct a gap analysis by evaluating, planning, and completing 
necessary system upgrades; (2) sign and submit the CAQH CORE Pledge to 
make a commitment to become a CORE-certified entity within 180 days; 
(3) conduct testing through a CORE-authorized testing vendor; and (4) 
apply for a Phase III CORE Seal by submitting the proper documentation 
and fee to CAQH CORE for consideration. This four-step process is 
described in more detail as follows:
---------------------------------------------------------------------------

    \18\ Step-by step process for certification for Phase I and 
Phase II can be found at: https://www.caqh.org/CORE_step_by_step.php.
---------------------------------------------------------------------------

     Step 1: Conduct A Gap Analysis
    Entities that implement the CAQH CORE Operating Rules conduct a gap 
analysis in order to determine what system and business process changes 
may be necessary to ensure their data and information systems are 
remediated to address any gaps between existing system requirements and 
CORE Operating Rule requirements. (Certification testing is described 
later in this section.) Project managers, business analysts, system 
analysts, architects, and other key staff conduct the gap analyses, 
which include an inventory of the systems affected by the specific 
phase of operating rules and the drafting of a detailed project plan. 
CORE provides an analysis and planning guide as a gap analysis tool for 
each of its current phases.\19\
---------------------------------------------------------------------------

    \19\ https://www.caqh.org/Host/CORE/CAQHCORE_Analysis&PlanningGuide.pdf and https://www.caqh.org/Host/CORE/CAQHCORE_EFT&ERA_Analysis&PlanningGuide.pdf.
---------------------------------------------------------------------------

     Step 2: Sign and Submit the CORE Pledge
    An authorized, executive-level employee of the entity that is 
applying for any of the three CORE Seals signs a binding CORE 
Certification Pledge to adopt, implement, and comply with the CAQH CORE 
Operating Rules. By signing the pledge, an entity commits to working 
with a CORE-authorized Testing Vendor to demonstrate that its 
product(s) or IT system(s) is operating in accordance with a specific 
phase of the CORE Operating Rules. (We discuss CORE-authorized Testing 
Vendors in more depth in section II.A.2.d of this proposed rule.) 
Testing with a CORE-authorized Testing Vendor must be completed within 
180 days of signing the pledge,\20\ though extensions may be granted by 
signing and submitting a new pledge.
---------------------------------------------------------------------------

    \20\ https://www.caqh.org/CORE_certification.php.
---------------------------------------------------------------------------

     Step 3: Testing by a CORE-authorized Testing Vendor using 
CORE Certification Master Test Suites (Certification Testing)
    CAQH CORE developed documents called CORE Certification Master Test 
Suites (Test Suites) for each of its three operating rule phases. The 
phase-specific Test Suites are operating rule and documentation 
requirements that an entity must meet to be awarded a CORE Seal for 
that phase.
    Test Scripts--which include a description of operating rule-by-
operating rule requirements, as well as specific documentation or 
information necessary to demonstrate compliance with each operating 
rule requirement--are the primary tools in each phase-specific Test 
Suite. Tables 2 and 3 illustrate two examples of Test Scripts for two 
different operating rule requirements. Table 2 illustrates a test 
script from Phase I CORE 152 Companion Guide Rule Certification Testing 
and Table 3 illustrates a test script from Phase I CORE 154 Eligibility 
and Benefits (270/271) Data Content Rule Certification Testing. As 
illustrated by Table 2 and Table 3, each Test Script includes the 
following five columns:
     Column 1--The criteria or description of the requirements 
of the rule.
     Column 2--The expected result of a test of compliance with 
the rule. Entities upload documents or submit transaction files to 
CORE-authorized Testing Vendors that demonstrate they have met the 
requirements of each Test Script.
     Column 3--The actual result that the entity found upon 
testing the rule (that is, whether the expected outcome was achieved).
     Column 4--Indicates whether the entity was able to produce 
the expected result in terms of pass or fail.
     Column 5--Indicates which stakeholder would be required to 
produce the expected result.
    For operating rules with requirements about data content, an entity 
would submit a transaction file to be tested in the CORE-authorized 
Testing Vendor's testing engine. Using the example of the Test Script 
illustrated in Table 3, an entity would be required to submit a 
transaction file, detailed in column 2, and receive a ``pass'' from the 
CORE-authorized Testing Vendor in column 4 indicating the file met the 
requirement.
    In other cases, an entity would submit other types of documents 
that demonstrate the expected result of the Test Script. Using the 
example of the Test Script illustrated in Table 2, an entity would be 
required to submit an electronic version of the table of contents of 
its ASC X12 v5010 270/271 companion document, including an example of 
the ASC X12 v5010 270/271 content requirements,'' to the CORE-
authorized Testing Vendor in order for the vendor to give a ``pass'' to 
that test.
    The process of submitting documents or uploading files to CORE-
authorized Testing Vendors is virtual, and an entity may access the 
CORE-authorized Testing Vendor's testing portal from a desktop 
computer.
    The certification testing, described here as a key step in 
obtaining a CORE Seal, would be conducted after an entity has conducted 
internal and external testing of the operating rules. CORE's 
standardized certification testing demonstrates that a consistent and 
standard IT system testing has been completed. Therefore, certification 
testing, such as that which is described here, reflects our intent of 
supporting an

[[Page 307]]

industry-wide consistent trading partner testing process or framework.

  Table 2--Illustration A: Sample Test Scripts From Phase I Core Certification Test Suite Sample Test Script for Phase I Core 152 Companion Guide Rule
                                                                  Certification Testing
--------------------------------------------------------------------------------------------------------------------------------------------------------
 
--------------------------------------------------------------------------------------------------------------------------------------------------------
            Criteria               Expected result      Actual              Pass/fail
                                                        result
                                                          Stakeholder
                                                                                               ---------------------------------------------------------
                                                                                                   Provider     Health plan     Clearing         N/A
                                                                                                                                  house
--------------------------------------------------------------------------------------------------------------------------------------------------------
Companion Document conforms to   Submission of the   ...........  [square] Pass  [square] Fail  [square]       [square]       [square]      [square]
 the flow and format of the       Table of Contents
 CORE master Companion Document   of the v5010 270/
 Template.                        271 companion
                                  document,
                                  including a
                                  example of the
                                  v5010 270/271
                                  content
                                  requirements.
--------------------------------------------------------------------------------------------------------------------------------------------------------


  Table 3--Illustration B: Sample Test Scripts From Phase I Core Certification Test Suite A Test Script From Phase I Core 154 Eligibility and Benefits
                                                    (270/271) Data Content Rule Certification Testing
--------------------------------------------------------------------------------------------------------------------------------------------------------
 
--------------------------------------------------------------------------------------------------------------------------------------------------------
            Criteria               Expected result      Actual              Pass/Fail
                                                        result
                                                          Stakeholder
                                                                                               ---------------------------------------------------------
                                                                                                   Provider     Health plan     Clearing         N/A
                                                                                                                                  house
--------------------------------------------------------------------------------------------------------------------------------------------------------
Create a valid v5010 271         Output a valid      ...........  [square] Pass  [square] Fail  [square]       [square]       [square]      [square]
 response transaction as          fully enveloped
 defined in the CORE rule         v5010 271
 indicating the patient           eligibility
 financial responsibility for     response
 each of the benefits covering    transaction set
 the individual (Key Rule         with the correct
 Requirement 6 through   co[dash]insurance
 18).                    ,
                                  co[dash]payment,
                                  and deductible
                                  patient financial
                                  responsibilities
                                  for both in/out
                                  of network in
                                  either
                                  EB08[dash]954 or
                                  EB07[dash]782 at
                                  either the
                                  subscriber loop
                                  2110C or
                                  dependent loop
                                  2100D levels.
--------------------------------------------------------------------------------------------------------------------------------------------------------

     Step 4: Apply for a CORE Seal
    Once an entity successfully completes the certification testing 
with a CORE-authorized Testing Vendor, it submits an application 
package to CAQH CORE, and the CAQH CORE staff then reviews the 
application package prior to granting the appropriate CORE Seal. The 
application package includes the following:
    ++ Documentation from a CORE-authorized Testing Vendor 
demonstrating the entity's compliance with the phase-specific CAQH CORE 
Operating Rules through successful certification testing.
    ++ The CAQH CORE HIPAA Attestation Form, signed by a senior-level 
executive, indicating that, to the best of the applicant's knowledge, 
the entity is HIPAA compliant for security, privacy, and the 
transaction standards. This form is addressed in more detail in section 
II.A.3(c) of this proposed rule.
    ++ The CAQH CORE Health Plan IT Exemption Form, if applicable. This 
form and its relationship with the submission requirements of the first 
certification of compliance is discussed in section II.A.3(e) of this 
proposed rule.
    ++ The CAQH CORE Application. This form collects contact 
information for the individual responsible for the organization's CORE-
certification process. The form also outlines the required materials 
for a complete CORE Certification Application, the process by which 
CAQH CORE will review and approve applications, and terms and 
conditions for CORE Certification.
    ++ A fee, as illustrated in Table 4.
    Upon receipt of this documentation, CAQH CORE will complete a final 
assessment within 30 business days unless there are extenuating 
circumstances. CAQH CORE reviews test results and maintains records for 
each entity that is awarded a CORE Seal.
    A health plan must be awarded a CORE Seal in a previous phase to be 
eligible for a subsequent phase's Seal.\21\ For example, a health plan 
must be awarded a CORE Seal for Phase I and II Operating Rules in order 
to be eligible for a CORE Seal for Phase III Operating Rules. CAQH CORE 
provides the option of applying for and conducting certification 
testing for all three phases concurrently. In the context of the 
requirements for the first certification of compliance, this means that 
a CHP that chooses the option to submit a CORE Seal for Phase III 
Operating Rules will need to obtain CORE Seals for Phases I and II 
first, or concurrently.
---------------------------------------------------------------------------

    \21\ See question 4, page 9 of 23 at https://www.caqh.org/pdf/COREFAQsPartA.pdf.
---------------------------------------------------------------------------

    We believe that the CORE Seal, obtained through the CORE 
certification process, is a reasonable and appropriate demonstration of 
compliance with the operating rules because--
     CAQH CORE develops its CORE Seal certification process 
through a multi-stakeholder approach. CAQH CORE is an industry-wide 
collaboration committed to the development and adoption of national 
operating rules for administrative transactions. The more than 140 CORE 
Participants represent all key stakeholders including providers, health 
plans, vendors, clearinghouses, government agencies, Medicaid, banks 
and standard development organizations. CAQH CORE draws on this 
representation to develop the requirements for CORE Certification (Test 
Suites and Test Scripts) through a transparent, consensus-based 
process. To our knowledge, no other entity currently has an equivalent 
multi-stakeholder process for developing certification testing for 
operating rules;
     Through the CORE-authorized Testing Vendor framework, CAQH 
CORE has created a marketplace for multiple commercial testing vendors 
to compete, while requiring CORE-authorized Testing Vendors to utilize 
standardized Test Scripts and specific submission requirements in 
testing entities. In its role as the ``certifier,'' in contrast to a 
``tester,'' CAQH CORE maintains a third party position, independent 
from both the entity seeking the CORE Seal and the testing vendors with 
commercial interests. This

[[Page 308]]

allows CAQH CORE to carry out the certifying process--and enforcement, 
appeals and exception policies and processes--in a neutral, transparent 
manner;
     CORE Certification is recognized as an Administrative 
Simplification tool for health plans and states. Currently, over 30 
health plans have been awarded or have pledged to seek CORE Seals for 
Phases I, II, or III, or have pledged to seek the CORE Seal.\22\ CORE 
Certification is also a crucial element in state-based health care 
reform initiatives in Oregon \23\ and Colorado. Colorado, for example, 
requires that, ``[w]hen installing new operating systems after December 
31, 2012, all carriers are required to use CORE-certified systems for 
communications, those systems which meet CORE certification standards, 
or contract with a vendor who has applied by January 1, 2013 to be 
CORE-certified.'' \24\ The Colorado regulation also states that ``Phase 
I CORE certification shall be accepted as evidence of compliance'' with 
the CORE operating rules that the regulation also adopted; \25\ and
---------------------------------------------------------------------------

    \22\ For updated information on entities that have CORE-
certification or have committed to receive CORE-certification, 
please refer to https://www.caqh.org/CORE_organizations.php.
    \23\ O.A.R. 836-100-0115(1): https://arcweb.sos.state.or.us/pages/rules/oars_800/oar_836/836_100.html.
    \24\ 3 CCR 702-4-2-32: https://cdn.colorado.gov/cs/Satellite?blobcol=urldata&blobheadername1=Content-Disposition&blobheadername2=Content-Type&blobheadervalue1=inline%3B+filename%3D%224-2-32+Standardized+Electronic+Identification+And+Communication+Systems+Guidelines+For+Health+Benefit+Plans.pdf%22&blobheadervalue2=application%2Fpdf&blobkey=id&blobtable=MungoBlobs&blobwhere=1251823308663&ssbinary=true.
    \25\ Ibid., Section 5.
---------------------------------------------------------------------------

     CAQH CORE's Certification Infrastructure. CAQH CORE's 
infrastructure includes: robust on-line and live support for entities 
during the certification process; a complaint-driven enforcement 
mechanism that identifies instances of non-compliance; an exemption 
policy and process; a re-certification process; and an appeals process 
allowing an entity to request a hearing if it disagrees with CAQH 
CORE's decision of non-compliance.
    We request comments on a Phase III CORE Seal as an option for CHPS 
to meet the documentation requirements for the first certification of 
compliance.
c. CAQH CORE HIPAA Attestation Forms as Documentation of Compliance 
With the HIPAA Standards
    In order to obtain a CORE Seal for each of the operating rule 
phases, an entity must sign the CAQH CORE HIPAA Attestation Form by 
which it attests to compliance with applicable HIPAA transaction 
provisions, and the HIPAA privacy and security provisions, of 45 CFR 
Parts 160, 162, and 164. We anticipate that CAQH CORE's HIPAA 
Credential application process will similarly require such an 
attestation for the HIPAA Credential, and we find such an attestation 
to be an essential document of compliance for purposes of the first 
certification of compliance. We note that, attesting to compliance with 
the HIPAA privacy and security provisions or obtaining a CORE Seal (or 
the HIPAA Credential) does not prevent or preclude the Office for Civil 
Rights from conducting HIPAA Privacy or Security Rules investigations, 
compliance reviews or audits; settling cases; making findings of non-
compliance; or imposing civil money penalties for HIPAA violations.
    The proposed submission requirements of Sec.  162.926(a)(2) and 
(b)(2) demonstrate a CHP is compliant with applicable standards and 
operating rules. We considered proposing a framework by which CHPs 
would demonstrate compliance with applicable standards styled similarly 
to the proposed framework for demonstrating compliance with operating 
rules. That is, we considered requiring a CHP to obtain documentation 
from a third-party demonstrating it has conducted external testing with 
the standards adopted for the eligibility for a health plan, health 
care claim status, and health care electronic funds transfers (EFT) and 
remittance advice transactions. At this time, however, we believe CAQH 
CORE's HIPAA Attestation Form satisfies the section 1173(h)(2) mandate 
that health plans submit adequate documentation of compliance with the 
applicable standards for purposes of the first certification of 
compliance. We chose this approach because we--
     Believe that requiring just the CAQH CORE HIPAA 
Attestation Form minimizes CHPs' burdens in complying with the first 
certification submission requirements, while not altering or 
undermining the statutory requirements or our objectives in ensuring 
compliance; and
     Are not aware of existing programs that demonstrate 
consistent testing for compliance with the standards that parallel the 
proposed process for certifying health plans for compliance with the 
operating rules. There may be commercial entities that ``certify'' 
entities as being compliant with the standards, but we do not know of 
any that have developed a standards certification process, 
certification testing, or certification infrastructure with significant 
participation from industry.
    We also recognize that, while the HIPAA Credential option relies on 
entities having successfully conducted testing with trading partners, 
it does not directly support a consistent, industry-wide testing 
framework of new standards and operating rules. We view the first 
certification of compliance submission requirements as an initial step 
in that direction. We solicit comments on our assumptions and proposed 
approach.
d. CAQH CORE Documentation and Policies
    We are proposing that CHPs may choose between two CAQH CORE 
documents--a Phase III CORE Seal or the HIPAA Credential--to 
demonstrate compliance for the first certification of compliance. We 
believe either of these documents through CAQH CORE is a reasonable 
approach because CAQH CORE--
     Is recognized as a technical expert in the implementation 
of operating rules and supports the standards for those transactions to 
which the operating rules apply, adopted by the Secretary (after a 
vetting process discussed in section I.B.2 of this proposed rule). CAQH 
CORE is the authoring entity of the operating rules and is, therefore, 
well-versed in the operating rules and their interpretation and 
implementation, and how they coordinate with the adopted standards;
     Has infrastructure to reach out to, and educate, CHPs that 
will be required by this proposed rule to obtain either a Phase III 
CORE Seal or HIPAA Credential; and
     Has the ability to convene workgroups with significant and 
diverse health care industry participation to continually inform, and, 
where appropriate, improve processes associated with the CORE Seal and 
HIPAA Credential products.
    We solicit comments on our proposal to limit CHPs' options to 
documents obtained through processes governed by CAQH CORE.
e. CAQH CORE's Exemption and Enforcement Policies as Applied to the 
Proposed Submission Requirements
(1) CAQH CORE Certification Exemption Policies
    Under proposed Sec.  162.926(a)(2) and (b)(2), we specify that a 
CHP may not be under the CORE IT Exemption Policy at the time of 
submission with regard to the CORE Phase I, II, or III CORE Seals

[[Page 309]]

that the CHP uses to meet the submission requirements.\26\
---------------------------------------------------------------------------

    \26\ For Phases I, II, and III, CORE addresses certification 
exemptions at: https://www.caqh.org/pdf/CLEAN5010/103.pdf, https://www.caqh.org/pdf/CLEAN5010/203.pdf and https://caqh.org/Host/CORE/EFT-ERA/303_Exemption_Policy.pdf Forms at: https://www.caqh.org/pdf/CLEAN5010/COREPII_ITExemptionRequestForm.pdf, https://www.caqh.org/pdf/CLEAN5010/103.pdf, and https://caqh.org/Host/CORE/EFT-ERA/303_Exemption_Policy.pdf for Phases I, II and III.
---------------------------------------------------------------------------

    CAQH CORE's Certification Exemption Policy enables a health plan, 
in certain situations, to be awarded a CORE Seal for a particular phase 
even if all of its IT systems do not pass the Test Scripts for that 
phase. So long as the remainder of a health plan's IT systems are 
compliant, CAQH CORE may grant a health plan a Health Plan IT System 
Exemption if it has a scheduled migration, within the upcoming 12 
months, of an existing, non-conforming IT system(s).\27\ Subsequent to 
the migration(s), CAQH CORE requires the health plan to submit 
documentation demonstrating the new IT system(s) complies with the 
operating rules, standards, and other items required by CORE 
Certification.\28\
---------------------------------------------------------------------------

    \27\ These exempted IT systems must serve no more than 30 
percent of the health plan's membership or applicable transactions.
    \28\ For Phases I, II, and III, CORE addresses certification 
exemptions at: https://www.caqh.org/pdf/CLEAN5010/103.pdf, https://www.caqh.org/pdf/CLEAN5010/203.pdf and https://caqh.org/Host/CORE/EFT-ERA/303_Exemption_Policy.pdf.
---------------------------------------------------------------------------

    Although a health plan may obtain a CORE Seal under such a CAQH 
CORE exemption, we make clear in Sec.  162.926(a)(2) and (b)(2) that, 
on the date a CHP submits documentation to meet the submission 
requirements of the first certification of compliance, it may not be 
under such an exemption with respect to the CORE Phase I, II, or III 
Seals. To be clear, a CHP may receive a CORE Seal under CAQH CORE's 
Health Plan IT System Exemption policy. However, a CHP that receives a 
CORE Seal under CAQH CORE's Health Plan IT System Exemption must no 
longer be exempted on the date it provides its submissions to the 
Secretary in order to meet the first certification of compliance 
requirements.
    CAQH CORE's Health Plan IT System Exemption Policy does not apply 
to the HIPAA Credential, so a health plan's systems must be fully 
compliant with the applicable operating rules to obtain the HIPAA 
Credential.
(2) CORE Enforcement Policy
    CAQH CORE's Enforcement Policy \29\ is a complaint driven process 
that, under the guidance of the CORE Enforcement Committee comprised of 
CAQH CORE participants, reviews complaints for completeness and 
timeliness, and verifies or dismisses complaints.
---------------------------------------------------------------------------

    \29\ See https://www.caqh.org/pdf/CLEAN5010/105.pdf, https://www.caqh.org/pdf/CLEAN5010/205.pdf, and https://caqh.org/Host/CORE/EFT-ERA/305_Enforcement_Policy.pdf for Phase I, II, and III 
enforcement policies.
---------------------------------------------------------------------------

    CAQH CORE's Enforcement Policy applies to its CORE Seal product 
(not the HIPAA Credential), and thus would apply to CHPs that elect to 
obtain a Phase III CORE Seal to fulfill the submission requirements 
proposed in this rule.
(3) A CHP Is Decertified by CORE
    CAQH CORE's policies specify a number of circumstances by which an 
entity may be ``decertified,'' could ``lose'' its CORE Seal, or have 
its certification ``terminated'' because of instances of noncompliance 
with the operating rules for which it is certified. One such policy 
with this possible consequence is the CAQH CORE IT Exemption Policy, 
described in section II.A.3 (e) of this proposed rule, whereby a health 
plan that has obtained a CORE Seal under the policy may be decertified 
if its new IT system fails to pass the applicable Test Scripts within a 
prescribed timeframe.\30\ Similarly, CAQH CORE's Enforcement Policy 
specifies that an entity with a CORE Seal may be decertified if it is 
found to be out of compliance with an operating rule(s) or standard if 
the violation is not remedied within the allowed grace period.\31\
---------------------------------------------------------------------------

    \30\ https://www.caqh.org/pdf/CLEAN5010/103.pdf, https://caqh.org/Host/CORE/EFT-ERA/303_Exemption_Policy.pdf, https://www.caqh.org/pdf/CLEAN5010/103.pdf, and https://www.caqh.org/pdf/CLEAN5010/203.pdf.
    \31\ https://www.caqh.org/pdf/CLEAN5010/105.pdf, https://www.caqh.org/pdf/CLEAN5010/205.pdf, and https://caqh.org/Host/CORE/EFT-ERA/305_Enforcement_Policy.pdf.
---------------------------------------------------------------------------

    As discussed previously, on the date a CHP submits its 
documentation, none of the CHP's CORE Seals may be terminated or the 
CHP decertified by CAQH CORE.
    In keeping with the ``snap shot'' approach described in section 
II.A. of this proposed rule, we will not track the status of a CHP's 
CORE Certification (that is, whether it has been terminated or has come 
under the CAQH CORE IT Exemption Policy) subsequent to the date it 
meets the proposed submission requirements.\32\
---------------------------------------------------------------------------

    \32\ However, to be clear, health plans are covered entities 
obligated to continually abide by adopted HIPAA standards and 
operating rules, and the requirements of this proposed rule do not 
impede our enforcement authority.
---------------------------------------------------------------------------

(4) CHP's Responsibilities With Respect to Entities Conducting 
Transactions on Its Behalf
    Section 1173(h)(3) of the Act requires a health plan to ``ensure 
that any entities that provide services pursuant to a contract with 
such health plan shall comply with any applicable certification and 
compliance requirements (and provide the Secretary with adequate 
documentation of such compliance) under this subsection.'' Because 
section 1173(h) of the Act is concerned with certification of 
compliance with the HIPAA standards and operating rules, we believe 
``services pursuant to contract'' means services provided by business 
associates (BAs), as that term is defined at Sec.  160.103, that are 
contracted to conduct all or part of a HIPAA transaction on behalf of a 
health plan.
    Although we considered requiring CHPs to require their BAs to 
comply directly with the requirements of Sec.  162.926, we are not 
pursuing that option. Rather, when a CHP submits documentation in 
accordance with the submission requirements of Sec.  162.926, we 
believe that, by virtue of meeting the requirements of Sec.  162.923(c) 
(which requires covered entities that use BAs to conduct transactions 
on their behalf to require those BAs to comply with the requirements of 
part 162), it will be certifying that its, and its SHP(s)', BAs that 
conduct all or part of a HIPAA transactions on its/their behalf are 
compliant with the HIPAA standards and operating rules. We do not 
believe section 1173(h)(3) of the Act places any new requirements or 
burdens on health plans with regard to their BAs that are not already 
accounted for in Sec.  162.923(c).
    Under CAQH CORE policy, to obtain a CORE Seal, a health plan must 
demonstrate that entities or vendor products that conduct all or part 
of a transaction related to a CAQH CORE are compliant with the 
operating rules.\33\ This CAQH CORE policy on non-health plan entities 
that conduct all or part of a transaction related to a CAQH CORE phase 
on behalf of a health plan aligns with our approach to BAs that conduct 
part or all of a transaction on behalf of a CHP or its SHPs. Likewise, 
as we have described here, if a BA that is not a health plan conducts 
all or part of a transaction on behalf of the CHP or its SHP(s), then 
the CHP is responsible for ensuring the entity conducts any HIPAA 
standard transactions in accord with

[[Page 310]]

any applicable HIPAA transactions standards and operating rules.
---------------------------------------------------------------------------

    \33\ See CAQH CORE FAQs on CORE Certification & Endorsement: 
https://www.caqh.org/pdf/COREFAQsPartF.pdf.
---------------------------------------------------------------------------

    As noted previously, CAQH CORE requires that any health plan 
wishing to obtain a CORE Seal that is dependent on a BA--for the health 
plan to meet one or more of the CORE operating rule requirements--must 
have that BA achieve CORE certification. Similarly, if the health plan 
is dependent on a software vendor to meet one or more of the CORE rule 
requirements, then the vendor's product name and vendor must be CORE-
certified.
(5) Documentation Demonstrating End-to-End Testing
    Section 1173(h)(2)(B) of the Act states that a health plan shall 
not be considered to have provided adequate documentation of compliance 
unless it ``provides documentation showing that [it] has completed end-
to-end testing for such transactions with [its] partners, such as 
hospitals and physicians.''
    Even outside the context of health plan certification, the meaning 
of the phrase ``end-to-end testing''--as well as the types of testing 
necessary for successful transitions to new or revised standards, code 
sets, or operating rules--is presently the subject of active discussion 
in the health care industry. HHS, through the Office of E-Health 
Standards and Services (OESS), is conducting a pilot that seeks to 
develop a process and methodology for testing the transaction 
standards, operating rules, code sets, identifiers, and other 
Administrative Simplification requirements based on industry feedback 
and participation. One of the goals of that effort is to establish a 
definition for end-to-end testing in this context that can be applied 
industry-wide.
    Although we know of no standard definition for end-to-end testing 
at this time, we believe the concept of end-to-end testing likely 
requires, at a minimum, external testing with trading partners. We 
emphasize that in order to obtain either a Phase III CORE Seal or the 
HIPAA Credential, some external testing is required. Note that 
certification testing, as is required to obtain a CORE Seal, is not the 
same as internal or external testing. However, certification testing 
includes submitting documentation that demonstrates certain levels of 
internal and external testing have taken place. By contrast, the HIPAA 
Credential directly requires external testing with trading partners. 
Thus, we believe CHPs that meet the submission requirements proposed in 
this rule meet the section 1173(h)(2)(B) of the Act's requirement.
(6) Other Considerations About CORE Certification
(a) Cost of CORE Seal and CORE HIPAA Credential
    CAQH CORE charges entities a fee, on a sliding scale according to 
net annual revenue, for administering and awarding CORE Seals. Table 4 
illustrates the current fees that CAQH CORE charges a health plan. 
Table 4 reflects the total costs for a CHP to obtain three CORE Seals, 
one for each CAQH CORE Operating Rule phase.\34\ The fees to obtain the 
CORE Seals do not include the cost for certification testing with a 
CORE-authorized testing vendor.\35\
---------------------------------------------------------------------------

    \34\ The current CORE fee structure for the CORE Seal can be 
found at: https://www.caqh.org/CORE_phase1_fees.php.
    \35\ As of this writing, the single CORE-authorized testing 
vendor does not charge a fee for entities to test with it.
---------------------------------------------------------------------------

    Table 4 also illustrates the approximate fees that we expect CAQH 
CORE will charge CHPs for the HIPAA Credential it is currently 
developing.
    CAQH CORE does not charge federal and state government entities for 
the CORE Seals, but we expect federal or state government entities will 
be charged $100 to obtain the HIPAA Credential.

       TABLE 4--CAQH Core Fees for Core Seal and HIPAA Credential
------------------------------------------------------------------------
                                                      Fee for CAQH Phase
                                     Fee for HIPAA       III CORE Seal
       Size of health plan            credential       including Phase I
                                                         and II Seals
------------------------------------------------------------------------
Federal and State government      $100..............  No charge.
 health plans.
CAQH Member Plans...............  No charge.........  No charge.
Below $5 million in net annual    $100..............  $12,000 ($4,000
 revenue.                                              per phase).
$5 million to below $25 million   $1,000............
 net annual revenue.
$25 million to below $50 million  $2,000............
 net annual revenue.
$50 million to below $75 million  $4,000............
 net annual revenue.
$75 million and above net annual  ..................  $18,000 ($6,000
 revenue.                                              per phase).
------------------------------------------------------------------------

(b) Treatment of Acknowledgements
    We have previously stated in both the Operating Rules IFC and the 
EFT & ERA Operating Rules IFC that we do not require covered entities 
to comply with any CAQH CORE Operating Rule requirements pertaining to 
acknowledgments in Phases I, II, and III (Sec.  162.1203, Sec.  
162.1403, and Sec.  162.1603). However, each of CORE's three phase-
specific Test Suites require that applicants demonstrate compliance 
with acknowledgments-related operating rules. CHPs that seek to obtain 
a Phase III CORE Seal will be bound by CAQH CORE's requirements; in 
other words, the fact that HHS does not require compliance with 
acknowledgments-related operating rules does not relieve the burden of 
CHPs seeking a CORE seal to abide by CAQH CORE's requirements.
    By contrast, the requirements underlying CAQH CORE's HIPAA 
Credential will only apply to the operating rules adopted by the 
Secretary, so CHPs will not have to comply with the acknowledgements 
operating rules to obtain the HIPAA Credential.
(7) Compliance Timelines for CHPs To Meet Submission Requirements for 
the First Certification of Compliance
(a) CHPs That Obtain an HPID Before January 1, 2015
(i) Submit Documentation by December 31, 2015
    In Sec.  162.926(a), we propose that a CHP that obtains an HPID 
before January 1, 2015, would be required to meet the submission 
requirements (proposed in section II.A of this proposed rule) for the 
first certification of compliance on or before December 31, 2015. See 
Table 5, Row 1. Per the requirements of Sec.  162.504, all CHPs (except 
those that are small health

[[Page 311]]

plans) must obtain HPIDs on or before November 5, 2014. CHPS that are 
small health plans must obtain HPIDs on or before November 5, 2015. 
Based on our analysis, we think very few health plans meet the 
definition of a small health plan,\36\ so we anticipate most CHPs will 
have obtained HPIDs on or before November 5, 2014.
---------------------------------------------------------------------------

    \36\ In the HPID proposed rule, we concluded there were 
approximately 138 health maintenance organizations that were small 
entities by virtue of their nonprofit status though ``few, if any of 
them are small by SBA size standards'' (77 FR 23000) and that no 
other category of health plan could be considered ``small'' (77 FR 
22999). Our conclusions were based on an analysis included in a 
proposed rule on the establishment of the Medicare Advantage program 
(69 FR 46866, August 3, 2004).
---------------------------------------------------------------------------

    We propose a different date (December 31, 2015) than that in 
section 1173(h)(1) of the Act (December 31, 2013) for most CHPs to meet 
the first certification of compliance requirements because we believe, 
for the following reasons, CHPs will likely need until the end of 2015 
to meet the requirements for the first certification of compliance:
     In section II.A.3(b) of this proposed rule, we discuss the 
steps a CHP would have to take in order to obtain a CORE Phase III 
Seal, should it elect to pursue that option. We believe the deadlines 
proposed in this rule offer CHPs adequate time to complete the gap 
analysis (planning and evaluation, design and development, and internal 
and external testing) and subsequent certification testing with a CORE-
authorized testing vendor necessary to obtain CORE Seals for Phase I, 
II, and III Operating Rules. CAQH CORE suggests it will take 20 to 60 
days of staff time to conduct certification testing with a CORE-
authorized testing vendor and complete and submit one CORE Seal 
Application packet.\37\ A CHP may also choose to simultaneously pursue 
CORE Seals for all three phases. Therefore, for CHPs that do not now 
have, but choose to obtain, a Phase III CORE Seal, it could take up to 
180 days to obtain Seals for all three operating rules phases, not 
including any time that CORE requires to review applications.
---------------------------------------------------------------------------

    \37\ See FAQ 11 at https://www.caqh.org/pdf/COREFAQsPartA.pdf.
---------------------------------------------------------------------------

     In section II.A.3(a) of this proposed rule, we discuss the 
broad requirements of the HIPAA Credential. Like a Phase III CORE Seal, 
it will take some time to meet the requirements for the HIPAA 
Credential, though many CHPs may have already met the testing 
requirements.
     In section II.A.1 of this proposed rule, we propose that a 
CHP, in meeting the submission requirements for the first certification 
of compliance requirements, will demonstrate not only that it is 
compliant with operating rules and standards, but that its SHP(s), if 
it has any, are compliant. This task will also take time.
     October 1, 2014 is the compliance date for the 
International Classification of Diseases, 10th Edition (ICD-10) Medical 
Data Code Sets. Facilitating the health care industry's smooth 
transition to ICD-10 is of paramount importance, and health plans need 
to prepare and fully test their systems to ensure a smooth and 
coordinated transition. We expect health plans to be dedicating 
significant resources towards the ICD-10 transition prior to, and for a 
time after, the compliance date, which transition may require 
participation from the same human and IT resources as will be necessary 
to meet the first certification of compliance submission requirements. 
We believe the proposed December 31, 2015 deadline for completing the 
first certification of compliance requirements would allow sufficient 
time for health plans to deploy resources to make both initiatives 
successful.
    Furthermore, the December 31, 2015 date aligns with the requirement 
for a CHP to obtain an HPID, as all CHPs must obtain an HPID on or 
before November 5, 2015. Moreover, by virtue of this alignment of 
dates, we will have a database of all CHPs that will be required to 
meet the submission requirements proposed in this rule on or before 
December 31, 2015, and thus should be able to identify any CHPs that do 
not meet the submission requirements proposed in this rule.
    As noted in section I.C of this proposed rule, our goal with the 
first certification of compliance is to help move the health care 
industry incrementally toward consistent testing processes in order to 
transition as seamlessly as possible to new standards or operating 
rules. We believe a certification of compliance process that penalizes 
more CHPs than it incentivizes to carry out testing would not 
accomplish this goal and, for the reasons previously articulated, we 
believe it would be unreasonable to require CHPs to abide by the 
statutory date of December 31, 2013. To be clear, however, this does 
not mean CHPs may delay compliance with the operating rules beyond 
their respective compliance dates. All covered entities were required 
to be compliant with the operating rules for the eligibility for a 
health plan and health care claim status transactions on January 1, 
2013,\38\ and must be compliant with the EFT & ERA Operating Rule Set 
adopted for health care electronic funds transfers (EFT) and remittance 
advice transactions on January 1, 2014. Those compliance requirements 
and dates continue to govern HHS's separate HIPAA enforcement 
processes.
---------------------------------------------------------------------------

    \38\ Early in 2013, CMS announced a 90-day enforcement 
discretion period for compliance with the Operating Rules IFC 
stating that it would not initiate enforcement action until March 
31, 2013. See https://www.cms.gov/Outreach-and-Education/Outreach/OpenDoorForums/Downloads/010213Sec1104ofACAAnnouncement.pdf.
---------------------------------------------------------------------------

(2) Date When CHPs Can Begin Submitting Information and Documentation
    We propose that a CHP that obtains an HPID before January 1, 2015 
may begin to meet the submission requirements of proposed Sec.  
162.926(a) on January 1, 2015; this is the ``start date'' by when we 
will be ready to accept the submission of documents. This does not mean 
a CHP must obtain a CORE Phase III Seal or HIPAA Credential during the 
period of January 1, 2015 through December 31, 2015, as the CHP could 
be awarded either one earlier. For example, a CHP that has been awarded 
a CORE Phase III Seal prior to January 1, 2015, would already have the 
documentation required under this proposed rule, which it would then 
submit on or after January 1, 2015, and on or before December 31, 2015.
(b) CHPs That Obtain an HPID On or After January 1, 2015 and On or 
Before December 31, 2016
    We propose in Sec.  162.926(b) that a CHP that obtains an HPID on 
or after January 1, 2015, and on or before December 31, 2016 would be 
required to meet the submission requirements for the first 
certification of compliance within 365 calendar days of obtaining an 
HPID (see Table 5, Row 2).
    Under Sec.  162.504, any large or small health plans now extant 
that meet the definition of a CHP must obtain an HPID on or before 
November 5, 2015, thus any health plans enumerated as CHPs after 
November 5, 2015 are likely new CHPs. We propose that such CHPs be 
allowed one year from the time they obtain an HPID to submit the 
documentation proposed in Sec.  162.926(b). CHPs that obtain HPIDs on 
or after January 1, 2015 and on or before December 31, 2016 will have 
to: Coordinate with their SHP(s), if applicable; gather the appropriate 
documentation to complete certification testing, and apply for a Phase 
III CORE Seal or HIPAA Credential; and meet the documentation 
submission requirements for the first certification of compliance. We 
believe one year from obtaining an HPID will be adequate for

[[Page 312]]

a new CHP to complete that process, but solicit comments on this 
assumption.
    We propose that a CHP that obtains an HPID after December 31, 2016 
would not be required to meet the requirements proposed in this rule 
for the first certification of compliance (see Table 5, Row 3). A CHP 
that obtains an HPID after December 31, 2016, if given the same time to 
meet the requirements as CHPs that obtain HPIDs on or before December 
31, 2016, would be meeting the requirements into 2018. There are too 
many unknowns that far into the future for us to establish requirements 
for this category of CHPs. For instance, we may have adopted new or 
modified versions of the standards and operating rules for the 
eligibility for a health plan, health care claim status, and health 
care electronic funds transfers (EFT) and remittance advice 
transactions. We may address requirements for a CHP that obtains an 
HPID after December 31, 2016 for the first certification of compliance 
in a later rule.
    We solicit industry and stakeholder comments on our proposed 
certification of compliance dates.

  Table 5--Comparison of Operating Rule Sets Compliance Dates, the Statutory Deadlines for Completing the First
 Certification of Compliance Requirements, and the Proposed Deadlines for Completing the First Certification of
                                             Compliance Requirements
----------------------------------------------------------------------------------------------------------------
                                                Col 1                    Col 2                    Col 3
                                      --------------------------------------------------------------------------
                                                                  Deadline for health      Deadlines for health
                                         Compliance date for      plans to meet first     plans\*\ to meet first
         Operating rule sets            health plans to comply      certification of         certification of
                                          with the operating    compliance requirements  compliance requirements
                                                rules            as mandated by section    as proposed in this
                                                                 1173(h)(1) of the Act             rule
----------------------------------------------------------------------------------------------------------------
Eligibility for a health plan........  January 1, 2013........  December 31, 2013......  December 31, 2015 for
Health care claim status.............                                                     CHPs that obtain an
                                                                                          HPID before January 1,
                                                                                          2015. Within 365
                                                                                          calendar days of
                                                                                          obtaining an HPID for
                                                                                          CHPs that obtain their
                                                                                          HPID on or after
                                                                                          January 1, 2015 and on
                                                                                          or before December 31,
                                                                                          2016.
Health care electronic funds           January 1, 2014........
 transfers (EFT) and remittance
 advice.
----------------------------------------------------------------------------------------------------------------
* Requirements for CHPs that obtain their HPID after December 31, 2016 are not addressed in this proposed rule.

B. Certification of Compliance Penalty Fees

1. Calculating Penalty Fees: Defining Covered Lives of a CHP and Major 
Medical Policies
    Section 1173(j)(1) of the Act specifies that the penalty fee amount 
assessed when a health plan does not meet the certification of 
compliance requirements is based on its number of covered lives. So 
that we may calculate the potential penalty fee amount should we find a 
violation(s) of the first certification of compliance, we must know the 
number of covered lives of a CHP.
    Section 1173(j)(1)(F) of the Act requires the Secretary to 
determine the number of covered lives under a health plan ``based upon 
the most recent statements and filings that have been submitted by such 
plan to the Securities and Exchange Commission'' (SEC). We have 
learned, however, that the SEC only collects data from publicly traded 
health plans (that represent a mere subset of the total number of 
health plans),\39\ and, even then, health plans submitting filings to 
the SEC are not required to include in such filings the number of 
``covered lives'' or any comparable measure. Some health plans may 
volunteer this information in a descriptive text section of a filing 
called the 10-K, used to describe the business and its attributes, but 
this is not a requirement of the 10-K.\40\ In fact, according to a 2007 
study on enrollment in U.S. health insurance products, ``[t]here is no 
national databank containing enrollment figures for all the public and 
private health insurers in the United States, nor is there a single 
database linking all the federal programs.'' \41\
---------------------------------------------------------------------------

    \39\ For information on the SEC's role, see https://www.sec.gov/about/whatwedo.shtml.
    \40\ 10-K filings and other publically available company filings 
can be viewed through the EDGAR database: https://www.sec.gov/edgar/searchedgar/companysearch.html. For more information on the 10-K see 
https://www.sec.gov/answers/form10k.htm. For the 10-K form itself: 
https://www.sec.gov/about/forms/form10-k.pdf.
    \41\ ``Health Care Delivery Covered Lives--Summary of 
Findings,'' John F. Kennedy School of Government: Harvard 
University, Mossavar-Rahmani Center for Business & Government 
(https://www.hks.harvard.edu/m-rcbg/hcdp/numbers/Covered%20Lives%20Summary.pdf).
---------------------------------------------------------------------------

    Therefore, we propose to use the number of covered lives the CHP 
reports in accordance with the proposed submission requirements under 
Sec.  160.926(a)(1) and (b)(1) as the primary source for the number of 
covered lives to calculate penalty fees. Should a CHP fail to include 
the number of covered lives as part of its Sec.  162.926 submission, or 
should we have reason to question the CHP's number of self-reported 
covered lives, we may undertake an independent investigation through 
means that may include, but would not be limited to: Analyzing recent 
filings, if any, submitted by the CHP to the SEC; and researching data 
bases or publicly available documents such as news articles, reports, 
advertisements, brochures, and Web pages where the number of covered 
lives of a CHP is referenced or estimated.
    In Sec.  162.103, we propose to define ``covered lives of a CHP'' 
as individuals covered by or enrolled in major medical policies of a 
CHP and the SHP(s) of that CHP. Individuals may be described in such 
major medical policies by terms, including, but not limited to the 
following:--
     Individuals.
     Spouses.
     Dependents.
     Employees.
     Subscribers.
     Policyholders.
     Medicaid recipients.
     Medicare beneficiaries.
     Tricare beneficiaries.
     Veterans.
     Survivors.
    In section II.B.1 of this proposed rule, we discuss in more detail 
how the definition of covered lives of a CHP would be used to calculate 
penalty fees. We include spouses, partners, and dependents in the 
proposed definition to make clear that covered lives of a CHP includes 
more than just the policyholder, and encompasses all individuals 
covered by major medical

[[Page 313]]

policies, and also include in the definition examples of terms that 
government payers may use to describe their covered lives.
    Within the definition, we clarify that covered lives includes only 
those individuals enrolled in major medical policies. Section 
1173(j)(1)(B) of the Act states that penalty fees may only be assessed 
for persons ``covered by the plan for which its data systems for major 
medical policies are not in compliance.'' We only include individuals 
enrolled in major medical policies in the definition since individuals 
that are not covered by such policies will not be included in the 
calculation of the penalty fee. In cases in which an individual is 
covered by both a major medical policy and another policy/(ies) that 
does not meet the definition of major medical policy, the definition 
contemplates that such individual would be considered a covered life of 
a CHP.
    In Sec.  160.604, we propose that, for purposes of this proposed 
rule, ``major medical policy'' be defined as ``an insurance policy that 
covers accident and sickness and provides outpatient, hospital, 
medical, and surgical expense coverage.'' We developed this definition 
by surveying how the term major medical policy is defined in various 
contexts.
    To be clear, we propose in Sec.  162.926 that all CHPs, 
irrespective of whether they issue major medical policies, must meet 
the first certification submission requirements. However, only CHPs 
with major medical policies may be assessed penalty fees. Moreover, 
should a CHP be assessed a penalty fee, the basis for the assessment 
calculation would be using only those covered lives that are covered or 
enrolled in a major medical policy.
    We indicate in the definition that covered lives of a CHP includes 
the covered lives of the CHP, and, if it has any, its SHP(s). We 
include the covered lives of any SHP(s) of the CHP because, under the 
provisions discussed in section II.A.1 of this proposed rule, the 
submission requirements and applicable penalty fees are the CHP's, not 
its SHP's, responsibility.
    We intend to only include those individuals who are enrolled in or 
covered by health insurance in the definition of covered lives of a 
CHP, as opposed to those individuals who are merely eligible, but not 
enrolled or covered.
    We propose to use the phrase ``covered by or enrolled in'' to 
indicate a distinction that is sometimes made--but that we are not 
making here--between voluntary enrollment or automatic coverage in a 
health plan. That is, irrespective of the actions of an individual, we 
would consider an individual who has major medical coverage under a 
health plan to be a covered life of a CHP. For example, we would 
consider an individual who is automatically enrolled in Medicare Part A 
upon turning 65 years old to be a covered life of Medicare.
    We solicit comments on the proposed definition of covered lives of 
a CHP and the definition of major medical policy.
2. Basis for the Assessment of a Penalty Fee and the Amount of the 
Penalty Fee
    Section 1173(j)(1)(B) of the Act requires the Secretary to assess a 
penalty fee against a health plan in the amount of $1 per covered life 
per day until certification is complete. Section 1173(j)(1)(C) of the 
Act requires the Secretary to double the amount of the penalty fee 
assessed against a health plan that knowingly provided inaccurate or 
incomplete information in certifying compliance. Section 1173(j)(1)(E) 
of the Act caps the penalties that may be imposed on a health plan, 
providing that a penalty fee against a health plan shall not exceed, on 
an annual basis, an amount equal to $20 per covered life under such 
plan, or an amount equal to $40 per covered life where 
misrepresentation has occurred under section 1173(j)(1)(C) of the Act.
    In Sec.  160.612, we propose the bases for assessing penalty fees 
and, in Sec.  160.614, we propose the amounts of penalty fees that 
would be assessed. We think the bases for penalty fees that we propose 
in Sec.  160.612 and the amount of the penalty fee proposed in Sec.  
160.614 are sufficiently intertwined so that it is more effective to 
describe the proposed provisions together.
a. Failure To Submit Required Documentation by the Deadlines
    In Sec.  160.612(a), we propose that the Secretary would assess a 
penalty fee against a CHP that fails to comply with the submission 
requirements specified in Sec.  162.926(a)(2) or (b)(2). This means the 
Secretary would assess a penalty fee when a CHP fails to provide the 
documentation that demonstrates the CHP has been awarded a Phase III 
CORE Seal or the HIPAA Credential.
    The basis for the penalty fee proposed in Sec.  160.612(a) would 
apply when a CHP does not provide the required documentation at all, or 
does so after the deadlines specified in Sec.  162.926(a)(2) or (b)(2). 
A CHP that does not provide the required documentation by the deadlines 
would be assessed $1 per covered life of the CHP per day until the 
requirements of Sec.  162.926 have been met, and as limited by the cap 
described by proposed Sec.  160.614(a)(1). For example, if a CHP with 
100 covered lives enrolled in major medical policies obtains an HPID 
before January 1, 2015 and then submits the required documentation in 
Sec.  162.926 on January 1, 2016--1 day past December 31, 2015 (the 
deadline that would be required under Sec.  162.926(a))--the CHP would 
be assessed a penalty fee of $1 per covered life of the CHP, for a 
penalty fee totaling $100.
    In Sec.  160.614(a), we propose that a CHP that is assessed a 
penalty fee under Sec.  160.612(a)--failure to provide the required 
documentation according to the deadlines in Sec.  162.926(a)(2) or 
(b)(2)--may not be assessed a penalty fee that exceeds $20 per covered 
life of the CHP. For example, a CHP that obtains an HPID before January 
1, 2015 that fails to make the required submissions on or before 
December 31, 2015 would, starting January 1, 2016, be assessed a $1 per 
covered life penalty fee that, per section 1173(j)(1)(E)(i) of the Act 
as implemented by proposed Sec.  160.614(a)(1), would reach its 
maximum, and be capped, on January 21, 2016 at $20 per covered life of 
the CHP. The same maximum penalty cap would apply in instances where a 
CHP fails to ever provide the required documentation.
    We will utilize all reasonable means to ensure that CHPs satisfy 
their obligations under this proposed rule. Because all CHPs are 
required to obtain an HPID, we will, for example, once this proposed 
rule is finalized and implemented, compare a roster of the CHPs that 
have satisfied the requirements of the rule with a roster of CHPs that 
have obtained HPIDs. Moreover, we note that section 1173(j)(3) of the 
Act requires us to report unpaid penalty fees to the Secretary of the 
Treasury and that unpaid penalty fees, per section 1173(j)(4)(D) of the 
Act, shall be increased by the interest accrued.
    We solicit comments on our proposal for assessing penalty fees for 
CHPs.
b. Knowingly Providing Inaccurate or Incomplete Information
    The penalty fee for knowingly providing inaccurate or incomplete 
information that we propose in Sec.  160.612(b) implements section 
1173(j)(1)(C) of the Act, which provides that a ``health plan that 
knowingly provides inaccurate or incomplete information in a statement 
of certification or documentation of compliance . . . shall be subject 
to a penalty fee that is double the amount that would otherwise be 
imposed.''

[[Page 314]]

    In Sec.  160.612(b), we propose that a basis for assessment of a 
penalty fee is providing inaccurate or incomplete information with 
actual knowledge of the inaccuracy or the incompleteness of the 
information, or acting in deliberate ignorance or reckless disregard of 
the accuracy or completeness of the information. We clarify in Sec.  
160.612(b) that information may be in the form of statements, in 
documents, or otherwise. Hereinafter, we refer to the basis for 
assessment of a penalty fee proposed in Sec.  160.612(b) as ``knowingly 
providing inaccurate or incomplete information.''
    In Sec.  160.614(a)(2), we propose that a CHP would be assessed a 
penalty fee of $40 per covered life of the CHP when assessed a penalty 
fee on the basis of Sec.  160.612(b). To be clear, we do not believe a 
``per day'' calculation (as described in section II.b.2.a) would apply 
to a situation in which a CHP has knowingly provided inaccurate or 
incomplete information. Because the first certification of compliance 
is a ``snap shot'' of compliance on the date a CHP makes its Sec.  
162.926 submission, the CHP either knowingly provided inaccurate or 
incomplete information on that day or it did not. A CHP does not 
knowingly provide inaccurate or incomplete information on the date 
submitted, and, on the next, or succeeding, day(s), discontinue the 
state of ``knowingly providing inaccurate or incomplete information or 
documentation.'' Hence, we would apply only the maximum penalty fee in 
such a situation.
    We interpret the statutory language as intending a cap of $40, 
thus, in Sec.  160.614(b), we propose that a CHP may not be assessed 
more than $40 per covered life of the CHP, even where a CHP meets the 
bases for penalty fees under both Sec.  160.614(a)(1) and (2). For 
instance, a CHP may provide the required documentation to the Secretary 
past the applicable deadline, and, later, also be found to have 
knowingly provided inaccurate or incomplete information; such a CHP 
would be assessed a penalty fee of $40 per covered life. Following are 
two examples (not meant to be inclusive of all possible scenarios) 
where we would determine a CHP to have knowingly provided inaccurate or 
incomplete information as described in Sec.  160.612(b):
     To obtain a CORE Seal, a CHP would submit documentation to 
a CORE-authorized testing vendor during certification testing, and to 
CAQH CORE in applying for the Seal. We would have a basis for assessing 
a penalty fee under Sec.  160.612(b) should a CHP knowingly provide 
inaccurate information in the documentation it submits to the testing 
vendor or to CAQH CORE as part of the certification process, that, in 
turn, would then be submitted as part of the Sec.  162.926 submission 
requirements.
     To obtain the HIPAA Credential, a CHP must attest that it 
has successfully completed testing with at least three of its trading 
partners. We would have a basis for assessing a penalty fee under Sec.  
160.612(b) should a CHP be found to have knowingly provided inaccurate 
information with respect to the minimum required number of trading 
partners that would then be submitted as part of the Sec.  162.926 
submission requirements. We solicit comment on our proposed penalty fee 
policy for a CHP that knowingly provides inaccurate or incomplete 
documentation or information.
3. Annual Fee Increase
    Section 1173(j)(1)(D) of the Act provides for an annual increase in 
penalty fees by the annual percentage increase in total national health 
care expenditures. We are not proposing an annual increase methodology 
at this time because the first certification of compliance framework we 
propose here would assess only a one-time penalty fee, not a penalty 
fee that would be assessed year after year. We may revisit this issue 
in future rulemaking.
4. Notice of Penalty Fee, CHP's Response to Notice of Penalty Fee, and 
Defenses
    In Sec.  160.616, we propose that the Secretary would provide a CHP 
notice (sent by certified mail with a return receipt requested) that it 
meets one or more bases to be assessed a penalty fee under proposed 
Sec.  160.612. Such a notice would specify:
     The penalty fee amount;
     Reference to the bases, under proposed Sec.  160.612, for 
the penalty fee;
     A description of the findings of fact regarding the 
violations upon which the penalty fee is based; and
     The reason(s) why the violation(s) subject the CHP to a 
penalty fee.
    We believe these notice elements would enable a CHP to understand 
why it met the criteria to potentially be assessed a penalty fee, and 
the amount proposed to be assessed.
    In Sec.  160.618, we propose that a CHP may submit evidence of any 
of the defenses described in Sec.  160.620 in response to the notice of 
penalty fee. Under proposed Sec.  160.618(b), a CHP must assert any 
such defense(s) in writing, and within 30 days of receipt of the notice 
of penalty fee. We propose in Sec.  162.620 that the Secretary will 
consider only the following defenses:
     The CHP is not subject to the requirements of Sec.  
162.926. For a number of reasons, the documentation or deadline 
requirements of the first certification of compliance may not apply to 
a particular CHP. For instance, a CHP may not offer any major medical 
policies, and, therefore, may not be assessed a penalty fee.
     The CHP's failure to meet the requirements of Sec.  
162.926 was attributable to a ministerial and non-substantive error. We 
propose to apply this defense narrowly; such a ministerial and non-
substantive error might include a typographical mistake made in the 
process of providing the required documentation to the Secretary.
     The failure to meet the requirements of Sec.  
162.926 was beyond the control of the CHP. As with the previous 
defense, we propose to apply this defense narrowly. A failure to meet 
the documentation or deadline requirements of Sec.  162.926 beyond the 
control of the CHP conceivably might include an ``act of god'' (and not 
an act of the CHP or SHP's own making) that made it impossible for the 
CHP to meet the requirements. Given the length of time that we propose 
CHPs would have to meet the submission requirements, however, we 
believe successful application of this defense would be extraordinarily 
rare, and limited only to catastrophic situations.
    By proposing to limit the scope of the defenses the Secretary will 
consider in Sec.  160.620, we make clear that that Secretary will not 
consider any other asserted defense, including, but not limited to, any 
defense associated with a CHP's cost considerations in meeting the 
requirements, or lack of knowledge or confusion about either the 
requirements of the first certification of compliance or about the 
operating rules and standards themselves.
    We propose to allow a CHP to respond to a notice of penalty fee as 
an opportunity to present the circumstances that prevented it from 
meeting the first certification of compliance requirements prior to a 
potential appeal to an administrative law judge (ALJ). This opportunity 
to present defenses is analogous to, but much narrower than, our 
complaint-driven process when a covered entity may resolve a complaint 
brought against it before CMPs are imposed in a notice of determination 
under Sec.  160.420.
    We solicit comments on the defenses the Secretary may consider.

[[Page 315]]

5. Notice of Determination and a CHP's Hearing Rights
    In Sec.  160.624, we propose sending a notice of determination (by 
certified mail with return receipt requested) to a CHP indicating 
whether a penalty fee is, or is not, being assessed. A notice of 
determination will be sent irrespective of whether a CHP responds to 
the proposed Sec.  160.616 notice of penalty fee, and irrespective of 
whether the Secretary determines to assess, or not to assess, a penalty 
fee.
    Should a penalty fee will be assessed, Sec.  160.624 proposes that 
the notice of determination would specify:
     A description of the statutory basis for the assessment of 
the penalty fee;
     The amount of the penalty fee;
     The regulatory basis, under Sec.  160.612, for the 
assessment of the penalty fee;
     The findings of fact regarding the violations on which the 
assessment of the penalty fee is based;
     Any defenses described in Sec.  160.620 that were 
considered in determining whether to assess the penalty fee and the 
reason(s) why the defenses were rejected;
     Instructions for appealing the penalty fee; and
     A statement that the failure to request a hearing within 
90 days results in the imposition of the penalty fee.
    We believe the proposed contents of the notice of determination 
would be sufficient to enable a CHP to understand why it is being 
assessed a penalty fee, the amount of the penalty fee, and how the CHP 
could appeal the penalty fee. We solicit comment on the proposed 
contents of the notice of determination.
    Should the Secretary determine not to assess a penalty fee, the 
notice of determination would indicate why any defense(s) raised under 
Sec.  160.620 was/were successful, and what, if any, actions the CHP 
must take. Because the first certification of compliance process does 
not otherwise envision the application of a corrective action process, 
the only actions we contemplate would be associated with remedying the 
situations associated with the exercise of successful defenses asserted 
under proposed Sec.  1620.620(b) or (c).
6. Administrative Appeals Process
    In Sec.  160.626, we propose that, upon receiving a notice of 
determination assessing a penalty fee described in Sec.  160.624(a), a 
CHP may file a request for a hearing before an administrative law judge 
(ALJ). Should the CHP fail to request a hearing within 90 days of 
receiving the notice of determination (or otherwise affirmatively waive 
its right to a hearing within that 90 days), it would forego its right 
to a hearing and the Secretary would notify it that the penalty fee 
assessed in the notice of determination is final and inform it how the 
penalty fee must be paid.
    If a CHP timely requests a hearing with an ALJ, the CHP would 
participate in a process that is already largely codified at Sec.  
160.500 through Sec.  160.552. Administrative appeals before ALJs are 
widely used to adjudicate disputes between government agencies and 
individuals/entities aggrieved by agency decisions, and such a process 
is currently used for HIPAA Administrative Simplification violations. 
We believe that using the ALJs that already have jurisdiction over 
HIPAA Administrative Simplification violations handled under Sec.  
160.300, and using the same appeals process, would support consistency 
in adjudication of HIPAA Administrative Simplification appeals.
    Section 160.500 is the Applicability provision for Subpart E--
Procedures for Hearings, and provides, ``[t]his subpart applies to 
hearings conducted relating to the imposition of a civil money penalty 
by the Secretary under 42 U.S.C. 1320d-5.'' We propose to revise this 
provision by adding a reference to 42 U.S.C. 1320d-2(j), to indicate 
that Subpart E also applies to the assessment of a penalty fee under 
Subpart F.
    The term ``respondent'' is defined in Sec.  160.103 as ``a covered 
entity or business associate upon which the Secretary has imposed, or 
proposes to impose, a civil money penalty.'' In order to make clear 
that the term respondent, when used in Subpart E, includes entities 
that are assessed a penalty fee pursuant to Subpart F, we propose to 
revise the definition to state that respondent ``means a covered entity 
or business associate upon which the Secretary has imposed or proposes 
to impose, a penalty fee under Subpart F or a civil money penalty.''
    Section 160.506 specifies the rights of the parties. The ALJ 
authority is delineated in Sec.  160.508. Sections 160.510 through 
160.544 describe the ALJ hearing process. The right to appeal the ALJ 
decision to the Departmental Appeals Board is addressed in Sec.  
160.548. As noted, we propose applying most of Sec.  160.500 through 
Sec.  160.552, as already promulgated, as the procedure for CHPs to use 
in appealing a notice of determination. Because it is not always clear 
from those provisions that the process may apply to penalty fee 
assessments under Subpart F, in the following sections we propose to 
revise the regulation text to explicitly account for the specific 
health plan certification of compliance penalty fees and notice 
procedures: Sec.  160.500, Sec.  160.504, Sec.  160.534, Sec.  160.540, 
Sec.  160.546, Sec.  160.548, and Sec.  160.550.
7. Other Issues
a. Relationship of Certification of Compliance Process to Complaint-
Driven Process
    In section I.B.3 of this proposed rule, we describe the current 
HIPAA complaint-driven enforcement procedure through which an entity 
may bring a complaint against any entity it believes is not in 
compliance with adopted HIPAA transaction standards, operating rules, 
or code sets. Such a complaint would generate a fact-finding and 
resolution process, which could result in a corrective action plan, the 
imposition of CMPs, or a hearing before an ALJ.
    The complaint-driven and first certification of compliance 
enforcement processes are markedly different, even though both may 
result in a determination that may be appealed to an ALJ. The 
complaint-driven enforcement process is initiated as a result of a 
complaint, uses an informal fact-finding process, employs a corrective 
action plan if the complaint is valid, and imposes CMPs if the 
corrective action plan is not followed. Conversely, the first 
certification of compliance requires certain submissions by specific 
dates, and provides for an enforcement process with respect to a CHP 
that fails in various ways to abide by these requirements. Notably, the 
first certification of compliance, as proposed in this rule, does not 
employ a corrective action plan should a CHP fail to meet the 
certification of compliance requirements.
    These two distinct enforcement processes assess CMPs (in the case 
of the complaint-driven process) or penalty fees (in the case of the 
first certification of compliance) for different reasons. The 
complaint-driven process addresses complaints regarding a covered 
entity's failure to comply with any Administrative Simplification 
requirement, with the exception of a failure to comply with the first 
certification requirements proposed in this rule (as we describe in 
this section). The first certification of compliance process assesses 
penalty fees for CHPs that fail to meet the submission requirements or 
that knowingly provide inaccurate or incomplete documentation 
associated with such submissions, as proposed in this rule.

[[Page 316]]

    Nothing in this proposed rule prohibits the Secretary from pursuing 
both processes at the same time against a CHP--through CMPs, in the 
case of the complaint-driven process for failure to comply with 
Administrative Simplification requirements, and through penalty fees 
for failure to meet the first certification of compliance requirements. 
Further, an investigation through the complaint-driven process could 
lead to the assessment of a penalty fee for a first certification of 
compliance violation if it revealed through that investigation that the 
CHP failed to meet the first certification of compliance requirements 
or knowingly provided inaccurate or incomplete information required for 
the first certification of compliance. For instance, if an 
investigation based on a complaint revealed that a CHP never submitted 
documentation or knowingly submitted inaccurate or incomplete 
documentation in order to be awarded a CORE Phase III Seal or HIPAA 
Credential under Sec.  162.926, it is possible both CMPs and penalty 
fees may be imposed/assessed.
    Section 160.300 is the Applicability provision under Subpart C--
Compliance and Investigations--which is the complaint-driven 
enforcement process for Administrative Simplification violations. We 
propose to amend this section, that now states ``[t]his subpart applies 
to actions by the Secretary, covered entities, business associates, and 
others with respect to ascertaining the compliance by covered entities 
and business associates with, and the enforcement of, the applicable 
provisions of this part 160 and parts 162 and 164 of this subchapter,'' 
to clarify that the complaint-driven process does not apply to the 
requirements in Sec.  162.926. That is, we propose that a complaint-may 
not be filed against a health plan alleging that it fails to meet the 
certification of compliance submission requirements in Sec.  162.926.

III. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995 (PRA), we are required to 
provide 60-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(a) of the PRA requires that we 
solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    We are soliciting public comment on the information collection 
requirements (ICRs) regarding the first certification of compliance 
documentation requirements. Among other requirements, the Affordable 
Care Act requires health plans to file statements with the Secretary 
certifying that they are compliant with standards and operating rules 
for specific transactions. The Affordable Care Act also mandates that 
the Secretary assess a penalty fee against a health plan that fails to 
file a statement with the Secretary certifying that it is compliant 
and/or fails to submit adequate documentation of compliance.
    In section II. of this proposed rule, we discuss the proposed 
requirements for the first certification of compliance. In section 
II.A.7 of this proposed rule, we discuss our proposal that a CHP must 
comply with the first certification of compliance requirements based on 
when it obtains its HPID. Submission requirements are explained in 
section II.A.2 and .3 of this proposed rule. We discuss the penalty 
fees that may be assessed on a CHP that does not meet the submission 
requirements or knowingly provides inaccurate or incomplete information 
in section II.B. of this proposed rule.
    The provisions in this proposed rule align with existing statutory 
and regulatory mandates. In previous regulations, specified in section 
I.B.1 and 2 of this proposed rule, we have mandated compliance with the 
adopted standards and operating rules for the HIPAA transactions for 
which documentation of compliance is proposed in this rule. Other 
existing regulations that are complimented through this proposed rule 
include Sec.  160.310 which requires covered entities to maintain 
records and compliance reports and provide these to the Secretary if 
requested, and Sec.  162.923, that requires covered entities to require 
their BAs to comply with applicable HIPAA standards and operating 
rules.
    In this proposed rule and in this ICR, we are focused on the one-
time requirement that CHPs, as defined by Sec.  162.103, must provide 
the Secretary the following information and documentation for the first 
certification of compliance: (1) the number of covered lives of a CHP; 
and (2) documentation that demonstrates that the CHP has obtained a 
Phase III CORE Seal or the HIPAA Credential.
    We do not know at this time how many health plans would meet the 
definition of a CHP as defined in Sec.  162.103. In the HPID final rule 
(77 FR 54696), we identified 12,000 self-insured group health plans, 
1,827 health insurance issuers, and 60 government health plans that 
might meet the definition of health plan. We believe there will be 
considerably less than the approximately 15,000 health plans that would 
meet the definition of a CHP, but we will not know the actual number of 
CHPs until after the deadline for CHPs to obtain an HPID has passed; 
that is, November 5, 2015. While we do not have objective data that 
identifies which or how many health plans would be CHPs, for the 
purpose of the ICRs, we assume that 3,000 to 5,000 health plans may 
meet the definition of a CHP. Health plans have been increasingly 
consolidating into larger organizations whereby a single CHP exercises 
sufficient control over an increasing number of SHPs to direct their 
business activities, actions, or policies. Thus, we do not believe that 
more than one-third (5,000) of health plans meet the definition of a 
CHP and, in fact, believe the number may be significantly less. We 
solicit comments on our assumption of the number of CHPs.

A. ICRs Regarding Submission of the Number of Covered Lives (Sec.  
162.926(a)(1) and (b)(1))

    Proposed Sec.  162.926(a)(2) would require that a CHP that obtains 
an HPID before January 1, 2015 must provide to the Secretary documents 
demonstrating compliance as explained in section II.A.3. of this 
proposed rule. Proposed Sec.  162.926(b)(2) would require that a CHP 
that obtains an HPID on or after January 1, 2015 and on or before 
December 31, 2016, must, within 365 days of obtaining an HPID, provide 
to the Secretary documents demonstrating compliance as explained in 
section II.A.7. of this proposed rule. Proposed Sec.  162.926(a)(1) and 
(b)(1) require a CHP to submit the number of covered lives of a CHP (as 
defined in Sec.  162.103) on the date that the documentation required 
in Sec.  162.926(a)(2) and (b)(2) is submitted. In section II.A.1. of 
this proposed rule, we indicate that the number of covered lives must 
include the number of covered lives of a CHP's SHPs, if it has any. We 
explain the submission requirements of covered lives in section II.A.2. 
of this proposed rule, including

[[Page 317]]

the reason for including the number of covered lives of the SHPs of the 
CHP.
    The one-time burden associated with this requirement is the time 
and effort associated with the CHP to: (1) Obtain the number of covered 
lives of the CHP (including those of its SHPs); (2) calculate the total 
number of covered lives of the CHP and its SHPs that would meet the 
definition of major medical policy as defined in proposed Sec.  
160.604; (3) have the information reviewed by a CHP executive; and (4) 
submit the number of covered lives to the Secretary. We believe that a 
CHP would have accurate records of the number of covered lives of the 
CHP and each of its SHPs and would be able to access this easily. 
Therefore, we assume that the CHPs would not need to contact each SHP 
to obtain the required information. We also believe that CHPs would 
have easily accessible data on the total number of covered lives of the 
CHP and its SHPs that have major medical policies. We make these 
assumptions on the basis that a CHP's data on the number of covered 
lives and policies--used to determine, for example, risk, costs of 
care, human resource needs, and other factors--is essential information 
to have in order to for a CHP to conduct business.
    We estimate this burden for proposed Sec.  162.926(a)(1) and (b)(1) 
would be 2 hours for each CHP to obtain the number of covered lives for 
the CHP and each of its SHPs, 2 hours to calculate the total number of 
covered lives that have major medical policies, one hour for an 
executive to review the number of covered lives with major medical 
policies, and, 30 minutes to submit the number of covered lives of the 
CHP and its SHPs to HHS.
    We used the median hourly labor rate of $38.31 for a computer 
information system analyst; $58.15 for a computer and information 
system manager; and $80.84 for a chief executive as reported by the 
Department of Labor, Bureau of Labor Statistics, May 2012, found at: 
https://www.bls.gov/oes/current/oes_nat.htm#13-0000. We believe that a 
computer analyst would be an appropriate position to obtain the number 
of covered lives and submit the number to the Secretary, a computer and 
systems manager to do the calculation, and a chief executive would 
verify the accuracy of the information to be submitted. All CHPs must 
comply with these requirements.
    We estimate that proposed Sec.  162.926(a)(1) and (b)(1) would 
impose a one-time, 5.5 hour burden on each CHP. The total burden 
associated with this task for each of the estimated 3,000 to 5,000 CHPs 
would be: (1) $76.62 ($38.31 x 2 hours) to obtain the number of covered 
lives; (2) $116.30 ($58.15 x 2 hours) to calculate the number of 
covered lives in major medical plans; (3) $80.84 ($80.84 x 1 hour) for 
an executive to review the number of covered lives; and (4) $19.16 
($38.31 x 0.5 hours) to submit the number of covered lives to the 
secretary. We estimate that the total cost for each CHP would be 
$292.92.
    The estimated annual burden for this requirement would be 16,500 
(3,000 CHPs x 5.5 hours) to 27,500 hours (5000 CHPs x 5.5 hours). The 
total estimated one-time cost associated with all of the requirements 
in proposed Sec.  162.926(a)(1) and (b)(1) would be approximately 
$878,760 ($292.92 x 3000 CHPs) to $1,464,600 ($292.92 x 5000 CHPs).

B. ICRs Regarding Submission of a Phase III CORE Seal (Sec.  
162.926(a)(2)(i) and (b)(2))

    Section 162.926(a)(2)(i) and (b)(2) would require that a CHP 
provide documentation demonstrating it obtained a Phase III CORE Seal 
or the HIPAA Credential. Should a CHP choose to obtain a Phase III CORE 
Seal, proposed Sec.  162.926(a)(2)(i) and (b)(2) would require that it 
provide documentation demonstrating it had obtained a Phase III CORE 
Seal. We explain in section II.A.3.(b). of this proposed rule that a 
CHP electing to obtain a Phase III CORE Seal must obtain the seal for 
each of the three CAQH CORE operating rules phases, or, in other words, 
a CHP must obtain a CORE Seal for Phases I and II to obtain a Phase III 
CORE Seal. However, as proposed in Sec.  162.926(a)(2), we require only 
the submission of a Phase III CORE Seal to comply with the 
certification compliance documentation requirements. Consequently, for 
the ICR in this proposed rule, we considered the time and effort for 
submitting documentation that the CHP has obtained the Phase III CORE 
Seal and not the time and effort for a CHP to obtain the CORE Phase I 
and II Seals.
    In sections II.A.3.(b). and II.A.3.(d). of this proposed rule, we 
discuss CORE certification testing, CORE-authorized Testing Vendors, 
and the CORE certification process. We describe the four-step process 
required to be awarded any of the CORE Seals: (1) Conduct a gap 
analysis by evaluating, planning, and completing necessary upgrades; 
(2) sign the CAQH CORE Pledge committing to become CORE certified; (3) 
conduct testing through a CORE-authorized Testing Vendor (certification 
testing); and (4) apply for a Phase III CORE Seal. In section II.A.3. 
of this proposed rule, we explain that the documentation that 
demonstrates that the CHP has obtained a Phase III CORE Seal is 
considered adequate documentation of compliance by the CHP and its SHPs 
with the operating rules for the eligibility for a health plan, health 
care claim status, and health care electronic funds transfers (EFT) and 
remittance advice transactions.
    For the purposes of the ICR, we do not include the time and effort 
for a CHP to obtain a CORE Phase III Seal because we believe that the 
process of obtaining a Phase III CORE Seal is inherent in the cost of 
doing business and we accounted for the time and effort as well as the 
cost for complying with the operating rules in previous rulemaking. As 
we indicated, we have mandated compliance with the adopted standards 
and operating rules for HIPAA transactions in previous regulations. The 
costs associated with compliance includes for example, analyzing 
existing data capability and infrastructure, development or enhancement 
of existing infrastructure, and testing of the CHPs systems both 
internally and externally. We believe that, because CHPs are expected 
to be compliant with the operating rules, they have undertaken the 
steps necessary to ensure that they are compliant and are able to 
perform transactions with their trading partners according to the 
adopted standards and operating rules. In this rule, we are proposing 
submission documentation requirements; therefore, in this analysis, we 
are only analyzing the cost of submitting this documentation.
    We have proposed two options for documentation that demonstrates 
compliance with the operating rules and standards. We expect that the 
decision to obtain the CORE Phase I and II Seals and provide 
documentation of the CORE Phase III Seal would be a business decision 
based on a health plan's strategy for implementing new standards or 
operating rules. Therefore, because the time and effort for compliance 
with standards and operating rules have been addressed in previous rule 
making and, because a CHP determines if it wishes to obtain the CORE 
Phase I and II Seal and submit the Phase III CORE Seal to comply with 
the documentation requirements, we do not include any costs for the 
time and effort associated with infrastructure development or 
enhancement or testing of systems to ensure compliance. We also do not 
include the time and effort costs in the ICR to comply with any of 
CORE's specific requirements to obtain the CORE Seals. Finally, we do 
not account for the variability in time,

[[Page 318]]

readiness and success that may or may exist for a CHP to meet CORE's 
requirements for the CORE Seals. There may be CHPs that have undergone 
extensive testing and will be able to undergo the CORE process 
efficiently and in a relatively short time. Other CHPs may require 
assistance and guidance and a more extensive time period to meet CORE's 
requirements.
    Included in the CORE fee paid by each CHP is assistance and 
guidance for CHPs. We account for the fee to CORE in the regulatory 
Impact Statement in this proposed rule. For the purposes of the ICR in 
this proposed rule, we considered the time and effort for a CHP to 
obtain documentation of the Phase III CORE Seal awarded by CORE, and 
the time and effort for the CHP to submit the documentation of that 
Seal to the Secretary. As we discussed previously, in this proposed 
rule, we only consider the time and effort to comply with the 
certification of compliance requirements described in this proposed 
rule.
    At the current time, we do not know how many CHPs will elect to 
obtain a Phase III CORE Seal. According to CAQH CORE's Web site at 
https://www.caqh.org/CORE_organizations.php, 30 health plans have 
voluntarily obtained CORE Seals for Phases I and II, and it reports at 
https://www.caqh.org/ben_participating.php that 25 health plans and 16 
government agencies are CORE participating organizations. Ten CORE 
participating health plans have obtained Phase I and Phase II CORE 
Seals. We assume that any health plan that has obtained the CORE Seal 
for Phases I and II will obtain a Phase III CORE Seal and therefore 
meet the requirements of Sec.  162.926(a)(2)(i) or (b)(2). We also 
assume that there may be CORE participating health plans that will 
obtain a Phase III CORE Seal.
    Because we are unable to quantify the number of CHPs that will 
obtain a Phase III CORE Seal, we are unable to estimate the total cost 
with any certainty. Therefore, for the purposes of the ICR, we estimate 
that 40 percent of health plans that would meet the definition of a CHP 
(that is, 1,200 to 2,000 CHPS) will obtain a Phase III CORE Seal and 
submit documentation of a Phase III CORE Seal to comply with Sec.  
162.926(a)(2) and (b)(2)(i). We solicit comment on our assumption of 
the number of CHPs that would obtain a Phase III CORE Seal.
    The one-time burden associated with Sec.  162.926(a)(2)(i) or 
(b)(2) is the time and effort for the estimated 1,200 to 2,000 CHPs to 
(1) obtain a Phase III CORE Seal from CAQH CORE; and (2) submit the 
documentation of a Phase III CORE Seal to the Secretary. We estimate 
this burden to be 1 hour to obtain the Phase III CORE Seal from CAQH 
CORE and 30 minutes to submit documentation of the CORE Seal to the 
Secretary. We used the median hourly labor rate of $38.31 for a 
computer information system analyst as reported by the Department of 
Labor, Bureau of Labor Statistics, May 2012, found at: https://www.bls.gov/oes/current/oes_nat.htm#13-0000 because we believe that a 
computer analyst would be required to obtain the Phase III CORE Seal 
and submit documentation to the Secretary.
    We estimate that proposed Sec.  162.926(a)(2)(i) and (b)(2) would 
impose an estimated one-time, one and one half hour burden on each CHP. 
The total estimated burden associated with this task for each CHP would 
be: (1) $38.31 ($38.31 x 1 hour) to obtain the Phase III CORE Seal from 
CAQH CORE; and (2) $19.16 ($38.31 x 0.50 hours) to submit documentation 
of the CORE Seal to the Secretary. The estimated one-time burden in 
proposed Sec.  162.926(a)(2)(i) and (b)(2) would be 1,800 (1,200 CHPs x 
1.5 hours) to 3,000 hours (2,000 CHPs x 1.5 hours). The total estimated 
one-time cost associated with the requirement Sec.  162.926(a)(2)(i) 
and (b)(2) would be approximately $68,958 ($38.31 x 1,800 hours) to 
$114,930 ($38.31 x 3,000 hours).

C. ICRs Regarding Submission of the HIPAA Credential (Sec.  
162.926(a)(2)(ii) and (b)(2))

    In section II.A.3(a) of this proposed rule, we explain that the 
HIPAA Credential indicates that the CHP has confirmed that it has 
successfully tested the operating rules for the eligibility for a 
health plan, health care claim status, and health care electronic funds 
transfers (EFT) and remittance advice transactions with trading 
partners. For each of the three transactions, the CHP must confirm that 
the number of transactions conducted with those trading partners 
collectively accounts for at least 30 percent of the total number of 
transactions conducted with providers. For each of the three 
transactions, the CHP must confirm that it has successfully tested with 
at least three trading partners, but if the number of transactions 
conducted with three trading partners does not account for at least 30 
percent of the total number of transactions conducted with providers, 
the CHP could confirm that it has successfully tested with up to 25 
trading partners. The CHP would be required to provide a list of the 
names of the trading partners and their contact information to CORE. A 
CHP would be representing itself as well as all of its SHPs with the 
attestation.
    Should a CHP choose to obtain the HIPAA Credential, proposed Sec.  
162.926(a)(2)(ii) and (b)(2) would require the CHP to provide 
documentation that it has obtained the CORE HIPAA Credential. In 
section II.A.3 of this proposed rule, we explain that the documentation 
that demonstrates that the CHP has obtained the HIPAA Credential is 
considered adequate documentation of compliance by the CHP and its SHPs 
with the operating rules for the applicable transactions.
    For the purpose of the ICR, we are not considering the time and 
effort for a CHP to perform testing with its trading partners because, 
as we have discussed previously, we addressed the time and effort to 
comply with the operating rules in previous rule making, which includes 
testing with the CHPs trading partners. The CORE HIPAA Credential will 
require testing before being obtained, and we assume that every health 
plan's implementation preparation plan requires internal and external 
testing prior to implementing new standards or operating rules.
    However, in previous rule making, we did not account for the time 
and effort for a CHP to identify at least three trading partners with 
which it or its SHPs have successfully tested the operating rules for 
each of the three transactions (eligibility for a health plan, health 
care claim status, and electronic funds transfers (EFT) and remittance 
advice transactions).
    The estimated one-time burden associated with Sec.  
162.926(a)(2)(ii) and (b)(2) for the HIPAA Credential is the time and 
effort to: (1) Confirm that testing has been conducted for each of the 
three transactions with trading partners that collectively conduct no 
less than 30 percent of the total number of transactions conducted with 
providers; (2) list the names of the trading partners and their contact 
information; (3) verify the accuracy of the trading partner list; (4) 
obtain the HIPAA Credential from CORE; and (5) submit documentation of 
the HIPAA Credential to the Secretary. The tasks associated with the 
application for and submission of the HIPAA Credential--and, therefore, 
the estimated burden to a CHP--may change if warranted by any changes 
in the draft requirements for the HIPAA Credential.
    As mentioned, we are unable to determine how many CHPs will choose 
to obtain the HIPAA Credential to fulfill the requirements of Sec.  
162.926(a)(2)(ii) and (b)(2)(ii), but we believe that most CHPs will 
choose the least costly

[[Page 319]]

certification option. Because we are unable to quantify the number of 
health plans that will obtain the HIPAA Credential, we cannot estimate 
the total cost with any certainty. We estimate that 60 percent of CHPs 
(that is 1,800 to 3,000 CHPS) will obtain the HIPAA Credential and 
submit documentation of such the HIPAA Credential to comply with Sec.  
162.926(a)(2)(ii) and (b)(2). We solicit comment on our assumption of 
the number of CHPs likely to obtain the HIPAA Credential.
    As mentioned, CAQH CORE is currently developing the HIPAA 
Credential--which we expect to be finalized prior to the time we 
finalize this proposed rule--and we described in section II.3.(a) the 
expected process and requirements for obtaining it. Should the 
requirements for the final HIPAA Credential differ in any way from the 
way we described it in section II.3.(a), we would reopen the comment 
period to permit additional comment on the HIPAA Credential, including 
on the topic of the estimated number of health plans that would obtain 
the HIPAA Credential.
    We estimate that the burden associated with proposed Sec.  
162.926(a)(2)(ii) and (b)(2) for each of the estimated 1,800 to 3,000 
CHPs would be 2 hours to obtain documentation of the three testing 
partners; one hour to prepare the trading partner list; one hour to 
verify accuracy of the list; one hour to obtain the HIPAA credential 
form CORE; and 30 minutes to submit the CORE HIPAA Credential to the 
secretary. We used the median salaries as reported by the Department of 
Labor, Bureau of Labor Statistics, May 2012, found at: https://www.bls.gov/oes/current/oes_nat.htm#13-0000. We used the median hourly 
labor rate of $38.31 for a computer information system analyst to 
prepare the trading partner list, obtain the HIPAA credential from CORE 
and submit the documentation; $58.15 for a computer and information 
system manager to confirm that testing has been conducted with trading 
partners that collectively conduct no less than 30 percent of the total 
transactions conducted with providers for each of the three 
transactions (eligibility of a health plan, health care claim status, 
and the electronic funds transfers (EFT) and remittance advice 
transactions); and $80.84 for an executive to verify the trading 
partner list.
    We estimate that proposed Sec.  162.926(a)(2)(ii) and (b)(2) will 
impose a one-time, 5.5 hours burden on each CHP. The total time and 
effort burden associated with this task for each CHP would be: (1) 
$116.30 ($58.15 x 2) to obtain the trading partner documentation; (2) 
$38.31 ($38.31 x 1) to compile the trading partner list; (3) $80.84 
($80.84 x 1) to verify the trading partner list; (4) $38.31 ($38.31 x 
1) to obtain the HIPAA Credential from CORE; and (5) $19.16 ($38.31 x 
0.5) to submit documentation of the HIPAA Credential to the Secretary. 
We estimate the total burden for each CHP would be $292.92.
    The total estimated one-time burden associated with all of the 
requirements in proposed Sec.  162.926(a)(2)(ii) and (b)(2) would be 
9,900 (1,800 CHPs x 5.5 hours) to 16,500 hours (3,000 CHPs x 5.5 hours) 
and approximately $527,256 ($292.92 x 1,800 CHPs) to $878,760 ($292.92 
x 3,000 CHPs).
    Calculations are illustrated in Table 6. For simplicity, Table 6 
demonstrates burdens and costs based on the high estimate of CHPs 
(5,000) that are expected to certify compliance.

                          Table 6--Estimated Annual Burden for Reporting, Recordkeeping and Third-Party Disclosure Requirements
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                      Hourly
                                                                                         Burden per      Annual     labor cost  Total labor
        Regulation section             OMB Control No.       Respondents    Responses     response       burden         of        cost of    Total costs
                                                                                           (hours)      (hours)     reporting    reporting        ($)
                                                                                                                       ($)          ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
162.926(a)(1) and (b)(1)..........  0938--New............           5,000       15,000           2.5     * 12,500        38.31      478,875      478,875
162.926(a)(1) and (b)(1)..........  0938--New............           5,000        5,000           1          5,000        80.84      404,200      404,200
162.926(a)(1) and (b)(1)..........  0938--New............           5,000        5,000           2         10,000        58.15      581,500      581,500
162.926(a)(2)(i) and (b)(2).......  0938--New............           2,000        5,000           1.5     ** 3,000        38.31      114,930      114,930
162.926(a)(2)(ii) and (b)(2)......  0938--New............           3,000        7,500           2.5     ** 7,500        38.31      287,325      287,325
162.926(a)(2)(ii) and (b)(2)......  0938--New............           3,000        3,000           1          3,000        80.84      242,520      242,520
162.926(a)(2)(ii) and (b)(2)......  0938--New............           3,000        3,000           2          6,000        58.15      348,900      348,900
                                                          ----------------------------------------------------------------------------------------------
    Total.........................  .....................          10,000       27,000  ............    ** 37,500  ...........  ...........    2,458,250
--------------------------------------------------------------------------------------------------------------------------------------------------------
* There are no capital or maintenance costs associated with the information collection requirements contained in this notice of proposed rulemaking.
  Therefore, we have removed the designated column from Table 6.
** Even though the information collection requirements are comprised of one-time burdens, all burden estimates have been annualized over the standard 3-
  year OMB approval period.

IV. Regulatory Impact Statement

    We have examined the impact of this proposed rule as required by 
Executive Order 12866 on Regulatory Planning and Review (September 30, 
1993), Executive Order 13563 on Improving Regulation and Regulatory 
Review (January 18, 2011), the Regulatory Flexibility Act (RFA) 
(September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social 
Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 
(March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism 
(August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)).
    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributives, and equity). A regulatory 
analysis (RIA) must be prepared for major rules with economically 
significant effects ($100 million or more in any 1 year). We believe 
this proposed rule does not reach the economic threshold for being 
considered economically significant, and thus, is not considered a 
major rule. We solicit comment on, and data regarding, the assumptions 
and findings presented in this initial regulatory analysis.
    The proposed rule would require a CHP to submit documentation to 
the Secretary that demonstrates compliance with the standards and 
operating rules adopted by the Secretary under HIPAA, establish the 
first certification of compliance process, and establish penalty fees 
for CHPs that fail to comply with the first certification of compliance 
requirements. This proposed rule would implement elements of the 
certification of compliance mandate in the Affordable Care Act. We 
expect that the

[[Page 320]]

first certification of compliance provision is an initial step toward a 
consistent, industry-wide testing framework.
    As discussed in more detail earlier in this proposed rule, many of 
the requirements of this proposed rule build on already existing 
statutory and regulatory mandates. In the ICRs, we estimate a total 
one-time burden of approximately $1,475,000 to $2,458,000 for 3,000 to 
5,000 CHPs to comply with the submission requirements of proposed Sec.  
162.926.
    In sections II.A.3.(a) and A.3.(b). of this proposed rule, we 
discuss the two options for meeting the submission requirements: a 
Phase III CORE Seal and the HIPAA Credential, respectively. A CHP may 
choose either option. In section II.A.3.(a) and (b) of this proposed 
rule, we describe the process for obtaining either a Phase III CORE 
Seal or the HIPAA Credential.
    We expect that certification testing, such as that required for 
CHPs obtaining the CORE Phase III Seal, would become more widespread as 
a result of this proposed rule, and thus the rule would generate costs 
associated with credentialing activities and greater compliance with 
operating rules (which requires updating infrastructure). We are unable 
to quantify either the current rate of non-compliance with HIPAA 
requirements, the number of CHPs that would become newly compliant as a 
result of this proposed rule, or the cost, per CHP becoming newly 
compliant, of infrastructure updates and requisite testing.
    A category of impacts for which we have been able to make estimates 
is the CAQH CORE fees.\42\ In section II.A.6.(a) of this proposed rule, 
we discuss the cost of a Phase III CORE Seal and HIPAA Credential based 
on current fees that CAQH CORE charges for a Phase III CORE Seal and 
the fees that CAQH CORE believes that it will charge for the HIPAA 
Credential. Federal and state government entities are currently not 
charged for a Phase III CORE Seal, nor are CAQH member plans. However, 
CAQH CORE will charge government entities a $100 fee for obtaining the 
HIPAA Credential.
---------------------------------------------------------------------------

    \42\ We believe that, in general, these fees represent real 
costs to society, in the form of labor and other resources used by 
CAQH CORE for conducting certification.
---------------------------------------------------------------------------

    We assumed the same number of CHPs that we use in the ICRs (that is 
1,200 to 2,000 CHPs would obtain a Phase III CORE Seal and 1,800 to 
3,000 CHPs would obtain the HIPAA Credential). For the purpose of this 
analysis, we considered the cost to obtain either the CORE Seals (Phase 
I, II, and III) or the HIPAA Credential for all of the estimated 3,000 
to 5,000 CHPs and did not account for the CHPs that currently have 
obtained the CORE Seal for Phase I and II or CAQH member plans. That 
means we did not deduct the number of health plans with current Phase I 
and Phase II CORE Seals or CAQH member plans that are not assessed a 
fee by CAQH CORE to obtain a Phase III CORE Seal.
    For the purpose of the impact analysis, we did not account for any 
penalty fees that could be assessed for CHPs that fail to comply with 
the certification of compliance submission requirements. We believe 
that we have structured the provisions of this proposed rule such that 
most CHPs will be able to meet the submission requirements. They will 
have had significant time to implement the applicable standards and 
operating rules, conduct the transactions in a compliant manner, and 
conduct certification testing or testing with their trading partners. 
Further, because the penalty fees are substantial, we believe they 
serve as a strong disincentive for noncompliance. We therefore believe 
few CHPs will fail to certify compliance, and the total amount of 
assessed penalty fees will be insignificant.
    For the 1,200 to 3,000 CHPs we estimate would obtain a Phase III 
CORE Seal, we assumed that 50 percent would have net annual revenues 
less than $75 million with a CAQH CORE fee of $12,000 each ($4,000 for 
each of the three CAQH CORE Operating Rule Phases). We assumed that 50 
percent of the CHPs would have net annual revenues equal or greater 
than $75 million with a CAQH CORE fee of $18,000 each ($6,000 for each 
of the three CAQH CORE Operating Rule Phases). We estimate that the 
total cost for all CHPs that would obtain a CORE Seal would be 
approximately $18 million [($12,000 x 600 CHPs) + ($18,000 x 600 CHPs)] 
to $30 million [($12,000 x 1000 CHPs) + ($18,000 x 1000 CHPs)].
    For the 1,800 to 2,000 CHPs that we estimate would obtain a HIPAA 
Credential, we assumed that 5 percent would have net annual revenues 
less than $5 million with a CAQH CORE fee of $100 each; 20 percent 
would have net annual revenues of $5 million to below $25 million with 
a fee of $1,000 each; 20 percent would have net annual revenues $25 
million to less than $50 million with a fee of $2,000 each; and 55 
percent would have net annual revenues of greater than $50 million with 
a fee of $4,000 each. The estimated total cost for all CHPs that would 
obtain the HIPAA Credential is approximately $5,049,000 [($100 x 90 
CHPs) + ($1,000 x 360 CHPs) + ($2,000 x 360 CHPs) + ($4,000 x 990 
CHPs)] to $8,415,000 [($100 x 150 CHPs) + ($1,000 x 600 CHPs) + ($2,000 
x 600 CHPs) + ($4,000 x 1,650 CHPs)]. We note, because government 
entities do not generate net annual revenues, they have been included 
in the 5 percent computation of CHPs with net annual revenues less than 
$5 million.
    Consequently, we estimate the total cost to comply with Sec.  
162.926 (that is, for the estimated 3,000 to 5,000 CHPs to provide the 
documentation of obtaining the CORE Seal or the HIPAA Credential) would 
be approximately $25 million to $41 million. This total cost includes 
the time and effort discussed in the ICR. The calculation is as 
follows: [Time and effort in ICR: $1,475,000 to $2,458,000] + [total 
fee for CORE Seals: $18,000,000 to $30,000,000] + [total fee for the 
HIPAA credential: $5,049,000 to $8,415,000] = $24,524,000 to 
$40,873,000.
    We are proposing in Sec.  162.926 that a CHP that obtains an HPID 
before January 1, 2015 must meet the submission requirements proposed 
in this rule on or before December 31, 2015. We explained in section 
II.A.7.(a)(1) of this proposed rule that this date is different than 
that in section 1173(h)(1) of the Act: December 13, 2013. We describe 
here the impact in benefits and penalty fees of the 2 year difference 
between the date in section 1173(h)(1) of the Act and the date proposed 
in this rule.
    In the Modifications final rule, Operating Rules IFC, Health Care 
EFT Standards IFC, and the EFT & ERA Operating Rule Set IFC, described 
in the background of this proposed rule, we described the financial and 
qualitative benefits to implementing the standards and operating rules 
for the eligibility for a health plan, health claim status, and health 
care electronic funds transfers (EFT) and remittance advice 
transactions. Those rules measured the financial benefits of the 
standards and operating rules from the compliance dates of those 
particular standards and operating rules: January 1, 2012 is the 
compliance date for Version 5010 standards for the three transactions; 
January 1, 2013 is the compliance date for operating rules for the 
eligibility for a health plan and claim status transactions; and 
January 1, 2014 is the compliance date for the standards and operating 
rules for the health care electronic funds transfers (EFT) and 
remittance advice transaction.
    The cost and savings of implementing those standards and operating 
rules on

[[Page 321]]

their compliance dates are not addressed in this proposed rule as they 
are accounted for in the previously mentioned rules, and the first 
certification of compliance requirements, as proposed in this rule, do 
not affect the costs and benefits of implementing these standards and 
operating rules.
    It is possible that some CHPs may view the first certification of 
compliance deadline, December 31, 2015, as proposed in this rule, as an 
opportunity to implement the required standards and operating rules 
later than the compliance dates of those standards and operating rules 
as required in the applicable regulations. However, we assume that the 
number of CHPs that would slow or delay implementation based on the 
first certification of compliance deadline is quite small. As we noted 
before, thirty health plans have already obtained a Phase I CORE Seal, 
and many of those have obtained or are pursuing a Phase II CORE Seal. 
This growing group of CORE Certified entities represents many major 
health plans with extensive reach in terms of commercially covered 
lives.\43\ Further, the complaint-driven process for enforcing 
compliance with these standards and operating rules applies as of their 
respective compliance dates.
---------------------------------------------------------------------------

    \43\ See map with data on commercially insured lives that have 
policies with a CORE Certified health plan on CAQH CORE Web site: 
https://www.caqh.org/pdf/COREPIwebmap.pdf.
---------------------------------------------------------------------------

    We assume that the CORE-certified health plans include the process 
of obtaining CORE Seals for each phase of operating rules as part of 
their process to successfully implement new standards or operating 
rules. We assume these CORE-certified health plans make CORE 
Certification part of their implementation strategy regardless of the 
first certification of compliance submission requirements as proposed 
in this rule. As discussed in section II.A.7(a)(1) of this proposed 
rule, the December 31, 2015 deadline for submission of information and 
documentation, proposed in this rule, gives these CORE Certified 
entities time to obtain the Phase III CORE Seal. It also gives CHPs 
that would not otherwise use the CORE Certification process time to 
obtain either the CORE Phase I, II, and III Seals or the HIPAA 
Credential.
    Because we believe that a negligible number of CHPs will use the 
December 31, 2015 deadline proposed in this rule as a reason to slow 
implementation of the standards or operating rules required by previous 
rules, and because the financial benefits for those standards and 
operating rules were calculated over 10-year periods, we believe the 
impact of the December 31, 2015 deadline on the overall financial and 
qualitative benefits to using these standards and operating rules to be 
negligible.
    The amount in penalty fees that would have been assessed with a 
December 31, 2013 deadline cannot be determined under the proposed 
certification of compliance requirements because the December 31, 2015 
date and other requirements proposed in this rule were developed to 
align chronologically with other regulatory and commercial sector 
initiatives. For instance, CAQH CORE began offering a Phase III CORE 
Seal in 2013; \44\ the first entity to receive a Phase III CORE Seal 
did so in August 2013.\45\ Given this timeframe, it is unlikely that 
many CHPs could have obtained a Phase III CORE Seal earlier than 
December 31, 2015. Likewise, CHPs have until November 2015 to obtain an 
HPID, and the first certification of compliance requirements apply only 
to CHPs.
---------------------------------------------------------------------------

    \44\ CORE Web page: https://www.caqh.org/ORMandate_EFT.php.
    \45\ https://www.instamed.com/news-and-events/industry-first-instamed-achieves-phase-iii-caqh-core-certification/.
---------------------------------------------------------------------------

    Therefore, due to the vast difference in requirements associated 
with the December 31, 2013 and the December 31, 2015 deadlines, we are 
unable to perform an analysis of the amount of penalty fees that would 
have been assessed with the December 31, 2013 deadline as it would 
entail assuming a completely different set of requirements.
    The Regulatory Flexibility Analysis (RFA), as amended, requires 
agencies to analyze options for regulatory relief of small businesses, 
if a rule has a significant impact on a substantial number of small 
entities. For purposes of the RFA, small entities include small 
businesses, nonprofit organizations, and small governmental 
jurisdictions.
    The health insurance industry was examined in depth in the RIA 
prepared for the proposed rule on establishment of the Medicare 
Advantage program (69 FR 46866, August 3, 2004). It was determined, in 
that analysis, that there were few, if any, ``insurance firms,'' 
including HMOs that fell below the size thresholds for ``small'' 
business established by the SBA Health. We assume that the ``insurance 
firms'' are synonymous, for the most part, with health plans that 
conduct standard transactions with other covered entities and are, 
therefore, the entities that will have costs associated with meeting 
the first certification of compliance requirements. In fact, at the 
time the analysis for the Medicare Advantage program was done, and even 
more so now, the market for health insurance is dominated by a relative 
handful of firms with substantial market shares.
    However, there are a number of health maintenance organizations 
(HMOs) that are small entities by virtue of their nonprofit status even 
though few if any of them are small by SBA size standards. There are 
approximately 100 such HMOs which may meet the definition of, and 
therefore define themselves, as CHPs. These HMOs and the Blue Cross and 
Blue Shield plans that are non-profit organizations, like the other 
CHPs affected by this proposed rule, will be required to meet the first 
certification of compliance requirements.
    Accordingly, this proposed rule may affect a number of small 
entities. We estimate, however, that the costs of this proposed rule on 
``small'' health plans do not remotely approach the amounts necessary 
to be a ``significant economic impact'' on firms with revenues of tens 
of millions of dollars. Therefore, the Secretary proposes to certify 
that this proposed rule would not have a significant economic impact on 
a substantial number of small entities. We welcome industry and 
stakeholder input on our assumption in this regard.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory analysis for ``any rule or regulation proposed under title 
XVIII, title XIX, or part B of [the Act] that may have significant 
impact on the operations of a substantial number of small rural 
hospitals.'' This proposed rule, however, is being proposed under title 
XI, part C, ``Administration Simplification,'' of the Act, and, 
therefore, does not apply. Regardless, this requirement of this 
proposed rule is only applicable to CHPs and will not have a 
significant impact on the operations of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any 1 year of $100 
million in 1995 dollars, updated annually for inflation. In 2013, that 
threshold is approximately $141 million. This proposed rule would 
impose a minimal effect on state, local, or tribal governments or on 
the private sector because the requirements for all CHPs regardless of 
ownership, to comply with the certification of compliance documentation 
requirements. The related costs for all 5,000 estimated CHPs is 
approximately $40 million, which is less than $141 million.

[[Page 322]]

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on state 
and local governments, preempts state law, or otherwise has federalism 
implications. Since this regulation does not impose any substantial 
costs on state or local governments, the requirements of Executive 
Order 13132 are not applicable.
    In accordance with the provisions of Executive Order 12866, this 
rule was reviewed by the Office of Management and Budget.

List of Subjects

45 CFR Part 160

    Administrative practice and procedure, Computer technology, 
Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health records, Hospitals, Investigations, Medicaid, Medical research, 
Medicare, Penalties, Privacy, Reporting and recordkeeping requirements, 
Security.

45 CFR Part 162

    Administrative practice and procedures, Electronic transactions, 
Health facilities, Health insurance, Hospitals, Incorporation by 
reference, Medicaid, Medicare, Reporting and recordkeeping 
requirements.

    For the reasons set forth in this preamble, the Department of 
Health and Human Services proposes to amend 45 CFR parts 160 and 162 to 
read as follows:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 160 continues to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 
U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279; and 
sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.

0
2. Section 160.103 is amended by--
0
A. Adding the definition of ``Penalty fee'' in alphabetical order.
0
B. Revising the definition of ``Respondent''.
    The addition and revision read as follows:


Sec.  160.103  Definitions.

* * * * *
    Penalty fee means the amount determined under Sec.  160.614.
* * * * *
    Respondent means a covered entity or business associate upon which 
the Secretary has imposed, or proposes to impose, a penalty fee under 
subpart F or a civil money penalty.
* * * * *


Sec.  160.300  [Amended]

0
3. Section 160.300 is amended by removing the phrase ``parts 162 and'' 
and adding in its place the phrase ``parts 162 (excluding Sec.  
162.926) and''.
0
4. Section 160.500 is revised to read as follows:


Sec.  160.500  Applicability.

    This subpart applies to hearings conducted relating to the 
following:
    (a) The imposition of a civil money penalty by the Secretary under 
42 U.S.C. 1320d-5.
    (b) The assessment of a penalty fee by the Secretary under 42 
U.S.C. 1320d-2(j).
0
5. Section 160.504 is amended by revising paragraph (c) to read as 
follows:


Sec.  160.504  Hearing before an ALJ.

* * * * *
    (c) The request for a hearing must do the following:
    (1) Clearly and directly admit, deny, or explain each of the 
findings of fact contained in the notice of proposed determination 
under Sec.  160.420 or in the notice of determination under Sec.  
160.624 with regard to which the respondent has any knowledge. If the 
respondent has no knowledge of a particular finding of fact and so 
states, the finding shall be deemed denied.
    (2) State the circumstances or arguments that the respondent 
alleges constitute the grounds for any defense and the factual and 
legal basis for opposing the penalty or penalty fee, except that a 
respondent may raise an affirmative defense under Sec.  160.410(b)(1) 
or Sec.  160.620(a) at any time.
* * * * *
0
6. Section 160.534 is amended by revising paragraphs (b)(1) and (d)(1) 
to read as follows:


Sec.  160.534  The hearing.

* * * * *
    (b)(1) The respondent has the burden of going forward and the 
burden of persuasion with respect to any of the following:
    (i) Affirmative defense under Sec.  160.410 or defense underSec.  
160.620 of this part.
    (ii) Challenge to the amount of a proposed penalty pursuant to 
Sec.  160.404 through Sec.  160.408, including any factors raised as 
mitigating factors, or to the amount of the penalty fee pursuant to 
Sec.  160.624.
    (iii) Claim that a proposed penalty should be reduced or waived 
pursuant to Sec.  160.412.
    (iv) Compliance with subpart D of part 164, as provided under Sec.  
164.414(b).
* * * * *
    (d)(1) Subject to the 15-day rule under Sec.  160.518(a) and the 
admissibility of evidence under Sec.  160.540, either party may 
introduce, during its case in chief, items or information that arose or 
became known after the date of the issuance of the notice of proposed 
determination under Sec.  160.420, the notice of determination under 
Sec.  160.624, or the request for hearing under Sec.  160.504, as 
applicable. Such items and information may not be admitted into 
evidence, if introduced--
    (i) By the Secretary, unless they are material and relevant to the 
acts or omissions with respect to which the penalty is proposed in the 
notice of proposed determination under Sec.  160.420 or in the notice 
of determination under Sec.  160.624, including circumstances that may 
increase penalties or penalty fees; or
    (ii) By the respondent, unless they are material and relevant to an 
admission, denial or explanation of a finding of fact in the notice of 
proposed determination under Sec.  160.420 or in the notice of 
determination under Sec.  160.624, or to a specific circumstance or 
argument expressly stated in the request for hearing under Sec.  
160.504, including circumstances that may reduce penalties or penalty 
fees.
* * * * *


Sec.  160.540  [Amended]

0
7. In Sec.  160.540, paragraph (g) is amended by removing the phrase'' 
notice of proposed determination under Sec.  160.420 of this part '' 
and adding in its place the phrase ``notice of proposed determination 
under Sec.  160.420 or in the Secretary's notice of determination under 
Sec.  160.624.''
0
8. Section 160.546 is amended by revising paragraph (b) to read as 
follows:


Sec.  160.546  ALJ's decision.

* * * * *
    (b) The ALJ may affirm, increase, or reduce the penalties or 
penalty fees imposed by the Secretary.
* * * * *


Sec.  160.548  [Amended]

0
9. Section 160.548 is amended by:
0
A. In paragraph (e), removing the phrase ``of this part'' and adding in 
its place the phrase ``or a defense under Sec.  160.620(a)''.
0
B. In paragraph (g), removing the phrase ``any penalty determined by 
the

[[Page 323]]

ALJ'' and adding in its place the phrase ``any penalty or penalty fee 
determined by the ALJ.''


Sec.  160.550  [Amended]

0
10. In Sec.  160.550, paragraphs (a) and (b) are amended by removing 
the phrase ``penalty'' and by adding in its place the phrase ``penalty 
or penalty fee'' each time it appears.
0
11. Subpart F is added to part 160 to read as follows:
Subpart F--Imposition of Penalty Fees
Sec.
160.602 Applicability.
160.604 Definitions.
160.612 Basis for the assessment of a penalty fee.
160.614 Amount of the penalty fee for failure to comply with 
submission requirements or knowingly providing inaccurate or 
incomplete information.
160.616 Notice of penalty fee.
160.618 CHP's response to notice of penalty fee.
160.620 Defenses that may be raised in response to notice of penalty 
fee.
160.624 Notice of determination.
160.626 Right to a hearing.

Subpart F--Imposition of Penalty Fees


Sec.  160.602  Applicability.

    This subpart applies to the imposition of penalty fees by the 
Secretary under 42 U.S.C. 1320d-2.


Sec.  160.604  Definitions.

    As used in this subpart, the following definitions apply:
    Controlling health plan (CHP) means a health plan as defined at 
Sec.  162.103 of this subchapter.
    Major medical policy means an insurance policy that covers accident 
and sickness and provides outpatient, hospital, medical and surgical 
expense coverage.


Sec.  160.612  Basis for the assessment of a penalty fee.

    The Secretary assesses a penalty fee against a CHP with major 
medical policies if the Secretary determines the CHP did either of the 
following:
    (a) Failed to provide the documentation in accordance with Sec.  
162.926(a)(2) or (b)(2) of this subchapter.
    (b) With respect to information submitted to the Secretary under to 
Sec.  162.926 of this subchapter--made by statements, in documents, or 
otherwise--upon which either a CORE Seal (under Sec.  162.926(a)(2) or 
(b)(2) of this subchapter) or the HIPAA Credential (under Sec.  
162.926(a)(2) or (b)(2) of this subchapter) is based, provides 
inaccurate or incomplete information--
    (1) With actual knowledge of the inaccuracy or incompleteness of 
the information; or
    (2) Acting in deliberate ignorance or reckless disregard of the 
accuracy or completeness of the information.


Sec.  160.614  Amount of the penalty fee for failure to comply with 
submission requirements or knowingly providing inaccurate or incomplete 
information.

    (a) The penalty fee amounts are as follows:
    (1) For the basis specified at Sec.  160.612(a), $1 per covered 
life of the CHP per day until the requirements of Sec.  162.926(a)(2) 
or (b)(2) of this subchapter, as applicable, have been met, not to 
exceed $20 per covered life.
    (2) For the basis specified at Sec.  160.612(b), $40 per covered 
life of the CHP.
    (b) A CHP is not assessed more than $40 per covered life of the CHP 
under the basis specified at Sec.  160.612.


Sec.  160.616  Notice of penalty fee.

    The Secretary provides notice, by certified mail with return 
receipt requested, to a CHP that meets any of the bases for a penalty 
fee in Sec.  160.612. A notice of penalty fee includes all of the 
following:
    (a) The penalty fee amount.
    (b) Reference to the regulatory basis, under Sec.  160.612, for the 
penalty fee.
    (c) A description of the findings of fact regarding the violations 
upon which the penalty fee is based.
    (d) The reasons(s) why the violation(s) subject the CHP to a 
penalty fee.


Sec.  160.618  CHP's response to notice of penalty fee.

    (a) In response to a notice of penalty fee under Sec.  160.616, a 
CHP may submit to the Secretary evidence of any of the defenses 
described in Sec.  160.620.
    (b)(1) A CHP that chooses to assert a defense(s) under paragraph 
(a) of this section must do so in writing within 30 calendar days of 
receipt of the notice under Sec.  160.616.
    (2) For purposes of this section, the CHP's date of receipt of the 
notice of penalty fee is presumed to be 5 days after the date of the 
notice unless the CHP makes a reasonable showing to the contrary to the 
Secretary.


Sec.  160.620  Defenses that may be raised in response to notice of 
penalty fee.

    The Secretary will consider no defenses aside from the following in 
response to a notice of penalty fee under Sec.  160.616:
    (a) The CHP is not subject to the requirements of Sec.  162.926 of 
this subchapter.
    (b) The CHP's failure to meet the requirements of Sec.  162.926 of 
this subchapter was attributable to a ministerial and non-substantive 
error.
    (c) The failure to meet the requirements of Sec.  162.926 of this 
subchapter was beyond the CHP's control.


Sec.  160.624  Notice of determination.

    The Secretary sends the CHP, by certified mail with return receipt 
requested, a notice of determination as to whether a penalty fee is 
assessed.
    (a) A notice of determination to assess a penalty fee includes all 
of the following:
    (1) A description of the statutory basis for the assessment of the 
penalty fee.
    (2) The amount of the penalty fee.
    (3) Reference to the regulatory basis, under Sec.  160.612, for the 
assessment of the penalty fee.
    (4) The findings of fact regarding the violations on which 
assessment of the penalty fee is based.
    (5) Any defenses described in Sec.  160.620 that were considered in 
determining whether to assess the penalty fee and the reason(s) why the 
defenses were rejected.
    (6) Instructions for requesting a hearing under Sec.  160.626.
    (7) A statement that the failure to request a hearing within 90 
days results in the imposition of the penalty fee specified in the 
notice of determination.
    (b) A notice of determination to not assess a penalty fee includes 
the following:
    (1) Any defenses described in Sec.  160.620 that were considered in 
determining whether to assess the penalty fee and the reason(s) why the 
defenses were accepted; and
    (2) Actions the CHP must take.


Sec.  160.626  Right to a hearing.

    (a) Upon receipt of a notice of determination under Sec.  
160.624(a), a CHP may request a hearing before an ALJ by filing a 
request in accordance with Sec.  160.504.
    (b) If a CHP does not request a hearing within the time prescribed 
by Sec.  160.504, the Secretary notifies the CHP that the penalty fee 
in the notice of determination is final and the means by which the CHP 
must pay the penalty fee.

PART 162--ADMINISTRATIVE REQUIREMENTS

0
12. The authority citation for part 162 continues to read as follows:

    Authority: Secs. 1171 through 1180 of the Social Security Act 
(42 U.S.C. 1320d-1320d-9), as added by sec. 262 of Pub. L. 104-191, 
110 Stat. 2021-2031, sec. 105 of Pub. L. 110-233, 122 Stat. 881-922, 
and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C.

[[Page 324]]

1320d-2 (note), and secs. 1104 and 10109 of Pub. L. 111-148, 124 
Stat. 146-154 and 915-917.

0
13. Section 162.103 is amended by adding the definitions of ``Covered 
lives of a CHP'' and ``EFT'' in alphabetical order to read as follows:


Sec.  162.103  Definitions.

* * * * *
    Covered lives of a CHP means individuals covered by or enrolled in 
major medical policies of a CHP and the SHP(s) of that CHP. Individuals 
may be described in such major medical policies by terms, including, 
but not limited to, the following:
    (1) Individuals.
    (2) Spouses.
    (3) Dependents.
    (4) Employees.
    (5) Subscribers.
    (6) Policyholders.
    (7) Medicaid recipients.
    (8) Medicare beneficiaries.
    (9) Tricare beneficiaries.
    (10) Veterans.
    (11) Survivors.
* * * * *
    EFT stands for electronic funds transfers.
* * * * *
0
14. Section 162.926 is added to read as follows:


Sec.  162.926  Certification of Compliance--submission requirements

    (a) Submission requirements for a CHP that obtains an HPID before 
January 1, 2015. For the health care electronic funds transfers (EFT) 
and remittance advice, eligibility for a health plan, and health care 
claim status transactions, a CHP that obtains an HPID before January 1, 
2015 must, on or after January 1, 2015 and on or before December 31, 
2015, provide the following to the Secretary in one submission:
    (1) The number of covered lives of a CHP (as that term is defined 
in Sec.  162.103 of this subpart) on the date that the documentation 
required under paragraph (a) of this section is submitted.
    (2) Documentation that demonstrates the CHP has obtained a Council 
for Affordable Quality Healthcare (CAQH) Committee on Operating Rules 
for Information Exchange (CORE)--
    (i) Certification Seal for Phase III CAQH CORE EFT & ERA Operating 
Rules. The CHP must not be under the CORE IT Exemption Policy at the 
time of submission with regard to the CORE Phase I, II, and III Seals; 
or
    (ii) HIPAA Credential for the operating rules for the transactions 
listed in paragraph (a) of this section.
    (b) Submission requirements for a CHP that obtains an HPID on or 
after January 1, 2015 and on or before December 31, 2016. A CHP that 
obtains an HPID on or after January 1, 2015 and on or before December 
31, 2016, must, within 365 calendar days of obtaining an HPID, provide 
the following to the Secretary in one submission:
    (1) The number of covered lives of a CHP (as that term is defined 
in Sec.  162.103) on the date the documentation required under 
paragraph (b) of this section is submitted.
    (2) The documentation required under paragraph (a)(2) of this 
section.

    Dated: December 20, 2013.
Marilyn Tavenner,
Administrator, Centers for Medicare & Medicaid Services.
    Dated: December 20, 2013.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.
[FR Doc. 2013-31318 Filed 12-31-13; 8:45 am]
BILLING CODE 4120-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.