Employee Benefits Compliance, HIPAA

Health Plan Identifier (HPID) Requirements and Process

WHO Most self-insured health plans (probably not insured plans)
WHAT Need to obtain a Health Plan Identifier (HPID)
WHEN By Nov. 5 2014 if paid claims of $5 million or more in last fiscal year; otherwise by Nov. 5 2015
WHERE CMS secure portal at: https://portal.cms.gov
WHY HIPAA requires health plans/insurers/medical providers/TPAs and other parties involved in HIPAA “standard transactions” to use standard identifiers to identify themselves and the HPID is the standard identifier for health plans.

This article was written by Lisa Klinger, J.D. and Susan Grassli, J.D. 

Health Plans must Apply for Health Plan ID

Most health plans must obtain a Health Plan Identifier (HPID) to help identify a health plan in certain HIPAA “standard transactions” by November 5th of either 2014 or 2015 (depending on plan size—see below). The HPID is a 10-digit identifier that will be unique for each health plan but will be in the same format. There is no charge for a health plan to obtain a HPID, and it can be obtained through the CMS Enterprise Portal.  Sponsors of self-funded plans are responsible to obtain the HPID on behalf of the plan. For fully insured plans, the insurer is responsible to obtain the HPID on behalf of the plan. It appears employers who sponsor self-funded plans such as Health Reimbursement Arrangements (HRAs) or Health Flexible Spending Accounts (FSAs) will have to obtain the HPID on behalf of the plan, but the compliance date for these is likely to be November 2015 (see effective dates below). 

This article was updated by a more recent article posted Oct. 8, 2014, since CMS issued new FAQs on the HPID soon after this September article was posted.  The new FAQs do not require employers to obtain HPIDs for HFSAs or for HRAs that reimburse only for deductibles and co-pays.

Effective Dates

November 5, 2014 is the deadline by which large plans must obtain an HPID

  • A large plan is defined as a plan with annual receipts of over $5 million dollars for the prior plan year.
  • “Annual receipts” means either total claims paid (not including stop-loss or administrative fees) by a self-funded plan, or total premiums paid by an insured plan.

November 5, 2015 is the deadline by which small plans must obtain an HPID

  • A small plan is a plan with annual receipts of $5 million dollars or less.

November 7, 2016is the full implementation date for actually using the HPID in standard transactions. See below for an explanation of “standard transactions” and the use of the HPID in standard transactions.

Important Practical Tip: Plan sponsors should not wait until the last minute to obtain an HPID, as there may be a time lag between the date of registration and the date an HPID is assigned, and the process to register and apply for an HPID can be complicated.

Controlling Health Plans (CHPs) and Subhealth Plans (SHPs)

Controlling Health Plan (CHP): CHPs are health plans that control their own business activities, actions or policies; or are controlled by entities that are not health plans.  For example, a self-funded plan is controlled by its plan sponsor, so it will be a CHP unless designated as an SHP to another CHP.

Subhealth Plan (SHP):  SHPs are health plans over which a CHP exercises sufficient control by directing its business activities, actions or policies. For example, a self-funded dental plan could be designated as an SHP to a self-funded medical plan.   A CHP can either obtain one HPID for itself and the subhealth plans, or it can direct each of the subhealth plans to obtain their own HPID.

For the following types of plan arrangements, the responsibility to obtain an HPID would likely be:

Plan Description

Responsibility to Obtain HPID

Employer sponsors three self-funded options: High-deductible plan, PPO, and self-funded dental. These three plans are part of one consolidated medical plan and one Form 5500 is filed.Employer would obtain one HPID for the entire consolidated medical plan and designate one of the three as the CHP. The other two plans would be SHPs and would not need separate HPIDs. Alternatively, the Employer could obtain separate HPIDs for all three plans, the CHP and two SHPs.
Employer sponsors one self-funded option and one fully-insured optionEmployer would obtain the HPID for the self-funded option and insurer would obtain the HPID for the fully-insured product, which would be the CHP. The employer’s insured plan would be a SHP to the insurer’s CHP, so the insurer’s HPID would apply.
Employer sponsors two fully-insured options and an insured dental option and no self-funded optionsInsurer(s) would obtain the HPIDs for all three fully-insured products. These insured products would be the CHPs, and the employer’s medical plan would be a SHP so could rely on the insurer’s CHP HPID.
Employer sponsors two fully-insured options, plus a self funded Health Flexible Spending Account (HFSA)Insurer(s) would obtain the HPID(s) for the two fully-insured options. Employer would not obtain HPIDs for the insured options. Update Oct. 8, 2014:  The self funded HFSA does not need an HPID, per CMS FAQs issued in Oct. 2014.  (Original article 9.25.14 said the employer would have to obtain an HPID for the HFSA.)


What are the Steps to Obtain the HPID?

The HPID is obtained through the Health Plan and Other entity Enumeration System (HPOES). It is housed within the Centers for Medicare and Medicaid Services (CMS) Health Insurance Oversight System (HIOS) which is now integrated with the CMS Enterprise portal found at https://portal.cms.gov. After going to this site, look at the right side of the screen, and click on “Login to CMS Secure Portal.” Those who have already been accessing the HIOS system should already have an account and login to the portal. New HIOS users need to register in the portal to obtain a user ID and password. However, all users will need to complete the registration process.

CMS has several videos, presentations and other guidance on its website explaining what an HPID is and how to obtain it. These are at: http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Downloads/HPOESTrainingSlidesMarchSlideDeck.pdf

The CMS presentation explains the procedure to obtain an HPID:

  • Step 1: Register the organization in HIOS
  • Step 2: Access HIOS User Role Management
  • Step 3: Access HPOES and Select an Application Type
  • Step 4: Complete and Submit an Application
  • Step 5: Application Review by the Authorizing Official
  • Step 6: HPID or OEID Number is assigned

Each of these steps has several sub-steps, and some of these steps require individual application review and a response from CMS within 24 hours (this timeframe is not always met).      Obtaining an HPID is not a 10-15 minute process, so don’t wait until November 4th to go online and obtain an HPID! Start this process now, with plenty of time to spare.

Why is an HPID Required?

HIPAA requires medical providers, health insurers, group health plans, TPAs, and other parties involved in HIPAA “standard transactions” to use standard identifiers (same length and format) to identify themselves, and also to use standard formats and code sets for the electronic data being exchanged in a “standard transaction.”  HIPAA standard transactions include: medical and dental claims and encounters, payment and remittance advice, claims status request and response, eligibility and benefit inquiry and response, benefit enrollment and disenrollment, referrals and authorizations, and premium payment.

The purpose of requiring standard identifiers, formats and code sets is to increase the efficiency and accuracy of the transactions.  Currently health plans are identified in these transactions using various identifiers that differ in length and format.  The HPID is a 10-digit identifier that will be unique for each health plan but will be in the same format.

Although TPAs almost always conduct HIPAA standard transactions on behalf of the self-insured plans they administer (and use their own unique standard identifiers in such transactions), the plans themselves are also required to obtain HPIDs if the health plans are identified in the standard transactions (which would likely always be the case).  Additionally, the HPID will be used to help HHS implement various administrative simplification initiatives.  For example, an upcoming major compliance requirement in 2015 will be that health plans must certify to HHS that they are in compliance with HIPAA’s electronic transaction standards. Under this “Certification of Compliance” process, HHS will use the HPID to track CHPs that have met the certification requirements.  Additionally, group health plans must disclose their HPID when requested.

What Penalties Apply if a Health Plan does Not Obtain an HPID?

The HPID regulations do not specify a particular penalty if a health plan fails to obtain an HPID. It appears that the penalty would be the same as the civil monetary penalty that applies for violations of HIPAA’s administrative simplification rules. This means if a plan does not obtain an HPID due to “willful neglect,” HHS could impose a penalty of $50,000, plus an additional penalty of $50,000 each time a standard transaction is made for the plan and should but does not include an HPID. There is an annual cap of $1.5 million for violations of the same requirement.

Additional Background Information

The HPID was initially created in 1996 under HIPAA.  The final rule adopting a 10-digit HPID for health plans was published September 5, 2012.  The final rule was developed by the Office of E-Health Standards and Services (OESS).  OESS is part of the Centers for Medicare & Medicaid Services (CMS).  The Administrative Simplification provision of the Affordable Care Act (ACA) also included requirements for group health plans to obtain HPIDs.

HIPAA also requires other entities to obtain unique identifiers if they are identified in standard transactions:

  • The National Provider Identifier, implemented in 2004, required medical providers to obtain unique, standardized identifiers.
  • Plan sponsors identified in standard transactions must be identified by their federal employer identification numbers (EINs).
  • The Other Entity Identifier (OEID) is a voluntary identifier for third-party administrators, repricers and health care clearinghouses, but is required if the entity is identified in standard transactions.
  • HIPAA also required HHS to develop standard individual identifiers (similar to Social Security numbers), but this might not happen due to public resistance.