Issue Brief- Self-funded Employers and the HIPAA Health Plan Identifier Number (HPID)

Self-funded Employers and the HIPAA Health Plan Identifier Number (HPID)

Issue Date: May 2014

View as MS Word .doc    View as .pdf

The Department of Health and Human Services (HHS) has issued guidance regarding HIPAA electronic transactions related to the HIPAA privacy and security rules. According to the guidance, employers who sponsor self-funded health plans will be required to take certain administrative steps, including applying for a health plan identifier number (HPID) and getting certification from certain vendors that they are in compliance with HIPAA transaction rules.


Most employer sponsored group health plans are considered Covered Entities and are subject to the HIPAA privacy and security rules to varying degrees, depending on such factors as whether the plan is fully insured or self-funded and the level of access to Protected Health Information (PHI).

HIPAA privacy and security rules require Covered Entities to conduct certain transactions electronically using standards set by HHS. These rules apply only to electronic transactions between two covered entities, such as a health insurance company and a medical provider. Importantly, a transaction between the employer’s plan and a member or employee is not a transaction subject to HIPAA transaction rules because the individual is not a Covered Entity.

Even though employer sponsored health plans are HIPAA Covered Entities, rarely does an employer actually process electronic transactions subject to these rules. Generally an employer health plan contracts with another entity to process HIPAA transactions. For example:

  • Most self-funded employer plans contract with a third-party administrator who handles claims, eligibility, and reimbursement transactions for the plan.
  • Employers may use a software vendor or an administrators system to handle online enrollment transactions between the plan and an insurance company.

A small number of employers who internally administer their own benefit plans may be more involved in HIPAA-related transactions and have additional responsibilities. This issue brief does not address these situations. However, recently released regulations require employers who sponsor self-funded health plans to be part of this process in two ways, even though they do not actually process their own electronic transactions:

  1. All employer with self-funded health plans will be required to obtain an HPID from HHS.
  2. Employers will need to get assurance from plan administrators and vendors who process transactions for the plan that the vendor has gone through a required testing process and has received the necessary certification from HHS.

Note that in the case of a fully insured health plan, it is the health insurance company, not the employer/plan sponsor, who is responsible for compliance with these rules. Both of these new employer responsibilities are described in detail below.

Effective Dates

The timing of employer compliance with these requirements depends on whether the plan is considered a large or a small health plan. HHS regulations require large health plans to obtain an HPID by November 5, 2014. Small health plans (with annual receipts of $5 million or less) have until November 5, 2015 to register for an HPID. All health plans, large and small, must then certify compliance with certain standard transaction rules by December 31, 2015.

Determining Small Health Plan Status
When determining small plan status, an employer must consider a number of factors. HHS provided informal guidance on this issue in 2002, but formal regulations were never issued.

According to HHS, to determine total receipts for a plan:

  • “Fully insured health plans should use the amount of total premiums which they paid for health insurance benefits during the plan’s last fiscal (i.e. plan) year”; and
  • “Self-insured plans…should use the total amount paid for health care claims by the employer, plan sponsor or benefit fund…on behalf of the plan during the plan’s last full fiscal (i.e. plan) year.” A separate HHS Q&A noted that “the premiums or amounts paid for stop-loss insurance by an employer or sponsor of a self-insured plan should not be included…”

Employers must also consider which health plans to count when determining small health plan status. HIPAA privacy rules apply to other types of “health plans” such as dental, vision, and Rx plans. Again, no formal guidance has ever been released defining how to address multiple plans offered by a single employer; however, a reasonable approach may be to align the plan size determination with how the plans are identified in the employer’s 5500 filing. If an employer wraps all plans subject to HIPAA into a single “wrap” plan and files a 5500 under a single plan number, the employer should probably consider the claims in all health-related benefits (e.g. medical, dental, vision, etc.) in determining the $5 million threshold.

An employer whose plans are close to $5 million in receipts may simply decide to acquire the number by the November 5, 2014 large plan deadline.

Health Plan Identifier Number (HPID)

All self-funded health plans must obtain an HPID from HHS, even when the employer’s plan is not directly handling HIPAA transactions. Interestingly, TPAs or claims administrators are not required to use each individual employer’s HPID to process transactions on behalf of the plan at this point. It is unclear whether administrators and vendors will require the employer to provide the HPID for use in future transactions. Employers should enter into a conversation with vendors to ascertain whether and when the number will be required by the vendor.

Controlling Health Plan vs. Subhealth Plan
The HPID rules introduce a new concept related to health plans when applying for an HPID that also applies to the new certification rules.

  • A Controlling Health Plan (CHP) is defined as a health plan that controls its own business activities, actions, or policies.
  • A Subhealth Plan (SHP) is defined as a health plan whose business activities, actions, or policies are directed by a Controlling Health Plan.

Each Covered Entity health plan must obtain an HPID. A Controlling Health Plan must obtain its own HPID, but can also apply on behalf of any Subhealth Plans, or the Subhealth Plans may obtain their own numbers. The regulations do not effectively spell out how an employer should apply these rules; therefore, until further guidance is issued, the employer may want to apply for the number in a manner consistent with their ERISA plan structure (if applicable).

For example, consider a situation in which the employer has a wrap plan that is a single legal entity (i.e., a single ERISA plan) comprising several health plans. If those health plans are all self-funded, they could each be considered an SHP (allowing each to have its own unique HPID), but the ERISA plan would be able to apply as a CHP for a single HPID that would cover all of them, together. However, if an employer sponsors several health benefits that are not organized as a single ERISA entity via a wrap plan structure, then each separate health plan is probably a CHP. The situation is similar to whether a single Form 5500 can be filed or if multiple Form 5500s must be filed by the employer. (In either case, since the obligation to apply for the HPID falls on a “covered entity,” the insurer will still be responsible to apply for a HPID for a fully insured benefit, so the employer would not include the fully insured benefit under the HPID of the CHP in the wrap plan situation. Obviously, some of the details require more guidance. The failure of HHS regulations to coordinate well with ERISA in these areas continues to be a problem.)

HHS has established a website where health plans can register and obtain their HPID. The site lists steps the employer must take to provide information about the plan sponsor and plan. The HHS site can be found at:

Health Plan Certification of Compliance with HIPAA Transaction Rules

In a separate set of requirements, all covered entity health plans are required to file a certification with HHS attesting that the plan is in compliance with certain HIPAA transaction requirements by December 31, 2015. The certification process involves going through a specific technical systems testing process defined in the regulations. The rules regarding the certification process are clearly designed to apply to health insurance companies, and employers who sponsor fully insured plans will not need to file a certification directly with HHS. However, due to the fact that employer sponsored health plans are also considered Covered Entities, the rules will directly affect employers who sponsor self-funded plans.

Employer/plan sponsors with self-funded plans that actually process HIPAA transactions would be responsible for the certification, but as previously mentioned, most employer/plan sponsors do not actually process the relevant HIPAA transactions themselves. Rather, they outsource this function to an administrator or outside vendor. Consequently, most employers will work with existing vendors to make sure that the vendors receive the necessary certification on behalf of the employer’s plan. Additional guidance from HHS on the certification process specific to the employer’s responsibility may be forthcoming.

The ACA imposes a penalty on plans that fail to certify compliance of $1 per covered life per day until certification is complete, with a maximum penalty of $20 per covered life.


To acquire their HPID, employers who sponsor self-funded health plans must plan to take the following steps:

  • Determine whether the employer sponsored plans meet the definition of a small health plan.
  • Apply for HPIDs for the appropriate Controlling Health Plan (CHP) and/or Subhealth Plans (SHPs) by November 5, 2014 for large health plans and by November 5, 2015 for small health plans.

Employers should also begin a conversation with any vendor who processes HIPAA transactions on behalf of the plan to make sure that the vendor completes the required testing and receives the necessary certification prior to December 31, 2015.


 While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.