The Requirement. The Health Plan Identifier (HPID) is a standard, unique health plan identifier required under the Health Insurance Portability & Accountability Act of 1996 (HIPAA). The rule applies to Controlling Health Plans, or CHPs (health plans that control their own business activities, actions, or policies, or that are controlled by entities that are not health plans), and required CHPs to obtain an HPID by November 5, 2014. Small health plans had until November 5, 2015 to comply. Sponsors of self-funded plans were responsible for obtaining the HPID on behalf of the plan. For fully insured plans, the insurer was responsible for obtaining the HPID on behalf of the plan.
The Delay. Effective October 31, 2014, the Department of Health and Human Services (HHS) announced a delay, until further notice, in enforcement of the HPID requirement. This enforcement delay applies to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses. This means that if you have not yet applied for and received an HPID, the November 5, 2014 deadline is suspended until further notice.
This delay will come as a welcome reprieve to many plan sponsors during this busy time of year.
Over the last several years, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has significantly increased its HIPAA healthcare data breach enforcement posture, resulting in aggregate fines exceeding $10 million since June 2013. In addition to these increased OCR enforcement efforts, the Federal Trade Commission (“FTC”) has now entered the fray as a further federal enforcer of healthcare data breaches.
In August 2013, the FTC filed an administrative complaint against LabMD, a Georgia cancer detection services laboratory, for failing to provide reasonable and appropriate security for protected health information (“PHI”) on its computer networks, resulting in a breach affecting over 9,000 consumers’ billing information. The FTC claimed that this alleged security failure and consumer harm represented an unfair act or practice under Section 5 of the FTC Act. In the course of rejecting LabMD’s motion to dismiss, the FTC asserted its jurisdiction by stating that nothing in HIPAA indicated an intent of Congress to restrict the FTC’s authority over alleged unfair data security practices such as those at issue in the LabMD case, and that nothing in HIPAA or HHS’ rules negated the FTC’s authority to enforce the FTC Act. On May 12, 2014, a federal district court dismissed LabMD’s motion for a preliminary injunction to stop the FTC’s administrative proceeding. Regardless of the outcome of the FTC administrative proceeding, businesses should take note that on January 28, 2014, LabMD announced it would be winding down its operations, citing the debilitating effects of the FTC’s investigative practices and litigation.
Businesses subject to the HIPAA Privacy, Security and Data Breach Notification rules now need to be concerned with more than the OCR and state Attorneys General, who are given direct enforcement power under HIPAA: the FTC has clearly asserted itself as an additional regulator of healthcare data breaches. Businesses should remain diligent in their HIPAA compliance efforts, as a single breach of PHI may result in multiple enforcement actions. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.