Delay announced in enforcement of HIPAA HPID

The Health Plan Identifier and Certification requirements were added by the Affordable Care Act to regulate certain electronic transactions. And while applicable to all Group Health Plans, these requirements were specifically aimed at those covered entities (e.g., healthcare providers, health plans, and healthcare clearinghouses) that transmit electronic Group Health Plan data which is subject to the HIPAA Electronic Data Interchange (EDI) rules. The deadline for obtaining an HPID was originally set at November 5, 2014 for large Plans and November 5, 2015 for small Plans.

On October 31, 2014 the Centers for Medicare and Medicaid Services (CMS) announced a delay in enforcement of HIPD enumeration and use of the HIPD in HIPAA transactions. This delay remains in place until further notice from CMS. A copy of the CMS notice is presented below.

Statement of Enforcement Discretion regarding 45 CFR 162 Subpart E – Standard Unique Health Identifier for Health Plans

Effective October 31, 2014, the Centers for Medicare & Medicaid Services (CMS) Office of e-Health Standards and Services (OESS), the division of the Department of Health & Human Services (HHS) that is responsible for enforcement of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standard transactions, code sets, unique identifiers and operating rules, announces a delay, until further notice, in enforcement of 45 CFR 162, Subpart E, the regulations pertaining to health plan enumeration and use of the Health Plan Identifier (HPID) in HIPAA transactions adopted in the HPID final rule (CMS-0040-F).

This enforcement delay applies to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses.

On September 23, 2014, the National Committee on Vital and Health Statistics (NCVHS), an advisory body to HHS, recommended that HHS rectify in rulemaking that all covered entities (health plans, healthcare providers and clearinghouses, and their business associates) not use the HPID in the HIPAA transactions (see This enforcement discretion will allow HHS to review the NCVHS’s recommendation and consider any appropriate next steps.

What does this mean for your Clients’ Group Health Plans?

Under the regulations, insurance carriers would have obtained HPIDs, while employers with fully-insured group health plans would need to take no action in this regard. Employers with self-insured group health plans were to obtain an HPID by the applicable large or small plan deadline.

Per the delayed enforcement, employers with self-insured group health plans need not obtain an HIPD until further guidance is provided by CMS. If you have already obtained an HPID for your self-insured group health plan or plans, please retain that information for your records. TASC will continue to monitor this situation and will inform you of any further guidance provided by CMS.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s