Health Plans are One Step Closer to Clarity on HIPAA Credential Application

With the June 3 deadline for industry feedback on drafts of the HIPAA Credential forms now behind us, health plans are one step closer to gaining clarity on what will be expected of them under the Administrative Simplification: Certification of Compliance for Health Plans.

Based on prior industry experience, we know many health plans (and other covered entities and business associates) are already opting to mitigate the risk of HIPAA audits/investigations by the Office for Civil Right (OCR) by bringing in third party organizations to conduct the privacy and security Risk Analysis required by HIPAA. In some cases, the third party vendor then helps develop and implement a compliance Risk Management program (we definitely do this for our Clearwater clients!). The enactment of the proposed HIPAA credentialing process – and content proposed for applications – only underscores the need for health plans to begin planning for (and budgeting for) these services.


Under a congressionally proposed rule, health plans controlling their own business activities (i.e. Controlling Health Plans; CHPs) will be required to submit documentation by December 31, 2015 demonstrating compliance with standards and operating rules for three types of health care electronic transactions under the Health Insurance Portability and Accountability Act (HIPAA). They must also show compliance by their sub-health plans (SHPs). The end result of this process will be HIPAA credentialing for these plans.

As the proposed administrator of the program, The Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE) developed draft credentialing application forms to demonstrate the type of documentation health plans will be required to submit. Then CAQH CORE opened the floor for industry feedback, with a deadline of June 3 to submit comments.

Stay Tuned!

We will be watching closely as the final rule unfolds, and we will keep our readers up to date as more information and insight about HIPAA credentialing requirements becomes available. In the meantime, we strongly urge CHPs to get their house in order in preparation for what will soon be expected when attesting to compliance with the HIPAA Privacy and Security Rules.

We also welcome inquiries from organizations ready to explore the added certainty that comes with conducting a third party readiness assessment to demonstrate HIPAA compliance. Just reach out to

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries.She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.