Guidance on Business Associates' HIPAA Requirements Compliance and on Virtual Credit Cards for EFT and ERA Transactions

Guidance on HIPAA Covered Entities’ responsibility for ensuring Business Associates’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations, GL-2022-03. Guidance on health plans’ payment of health care claims using Virtual Credit Cards (VCCs) and adopted HIPAA standards for Health Care Electronic Funds Transfers (EFT) and Remittance Advice (ERA) transactions; 45 Code of Federal Regulations (C.F.R.) §§ 162.1601 and 162.1602(d), GL-2022-04. The National Standards Group (NSG), on behalf of the Department of Health and Human Services (HHS), has issued two guidance letters: one on Business Associates of Health Insurance Portability Accountability Act (HIPAA) Covered Entities and the other on payment of health care claims using Electronic Funds Transfers (EFT). The Business Associates guidance letter, GL-2022-03, clarifies covered entities’ obligation to ensure their business associates comply with HIPAA regulations, as specified by 45 C.F.R. § 162.923(c).   NSG frequently receives complaints alleging noncompliance with HIPAA Administrative Simplification requirements that are filed against entities that do not meet the regulatory definition of a “covered entity.” Such entities often function as business associates to HIPAA covered entities, and conduct transactions on behalf of the covered entities. In such cases, the HIPAA covered entity is responsible for the compliance of its business associates. The Health Plans’ Payment of Health Care Claims Using Virtual Credit Cards (VCCs) and Adopted HIPAA Standards for Health Care Electronic Funds Transfers (EFT) and Remittance Advice (ERA) Transactions guidance letter, GL-2022-04, clarifies requirements for covered entities in conducting electronic transactions using the EFT and ERA standards adopted at 45 C.F.R. § 162.1601 and 162.1602(d).   In lieu of sending paper checks or paying health care claims using adopted EFT and ERA standards, some health plans pay health care claims by sending health care providers a single use credit card number. The adopted HIPAA EFT and ERA standards permit health plans to pay claims by virtual card credit (VCC). However, if a provider requests that a health plan pay the provider’s claims using the adopted HIPAA health care EFT and ERA transaction standards, the health plan must comply. See the full guidance letters for Business Associates and Electronic Fund Transfer (EFT) on the CMS Website. Should you have questions about these guidances, send inquiries to AdministrativeSimplification@cms.hhs.gov with the subject line: “Business Associates” and/or “EFT Question.” Get the latest news about Administrative Simplification. Sign up for Administrative Simplification Email Updates.