HHS Withdraws Proposed Health Plan Certification Regulations

HHS’s proposed regulations on certification of HIPAA compliance require health plans to submit to HHS documentation of the number of covered lives in the plan, plus either of two permissible proofs of certification—known as the HIPAA Credential and the Phase III CORE Seal.  The proofs of certification involve external testing and an attestation signed by a senior-level executive indicating that the entity is HIPAA compliant with the Privacy Rule, the Security Standards, and the relevant transaction standards.  The proposed regulations targeted a December 31, 2015 submission deadline for large plans (those with at least $5 million in annual receipts), but in the absence of final regulations, the requirement has not been enforced.

Citing public comments responding to proposed regulations, HHS has decided to withdraw the proposed regulations to reexamine the issues and explore options and alternatives to implement the statutory requirement for health plans to certify compliance.  In its announcement, HHS emphasized that withdrawal of the proposed regulations does not remove the requirement for covered entities to comply with HIPAA’s standards for electronic transactions.

If you have questions about the certification requirement, call ASR Health Benefits at (616) 957-1751 or (800) 968-2449.