Health Advisor

Health Plan Identifier (HPID) under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires the Department of Health and Human Services (HHS) to adopt standards for certain transactions to promote the efficient and uniform transmission of health information. One of the standards is a unique identifier for health plans.

HHS released a final rule adopting the health plan identifier (HPID) standard on Sept. 5, 2012.

Purpose of HPID

The primary purpose of the HPID is for use in standard transactions. In standard transactions, the HPID replaces proprietary health plan identifiers that vary in lengths and formats. The HPID is a 10-digit, all numeric code similar to a credit card number. In addition, information about health plans and their HPIDs will be available in a public database to facilitate the routing of transactions.

Also, the HPID will likely be used for future administrative simplification initiatives under HIPAA. For example, HHS may use the HPID to track whether controlling health plans (or CHPs) comply with the health plan certification for HIPAA compliance. The initial health plan certification deadline is Dec. 31, 2015.

Affected health plans

Health Plans

The HPID requirement applies to group health plans subject to HIPAA’s administrative simplification provisions, including insured and self-insured plans. For example, major medical plans, dental plans, vision plans, health reimbursement arrangements (HRAs) and health flexible spending accounts (FSAs) are generally subject to the HPID requirement.

However, health plans with less than 50 participants that are administered by the employer that maintains the plan are NOT subject to the HPID requirement.

CHPs and SHPs

For purposes of the HPID, there are two classifications of health plans—controlling health plans (CHPs) and subhealth plans (SHPs). All CHPs must obtain an HPID.

  • A CHP is a health plan that: (1) controls its own business activities, actions or policies; or (2) is controlled by an entity that is not a health plan and, if it has SHPs, exercises sufficient control over the SHPs to direct their business activities, actions or policies.

A SHP is a health plan whose business activities, actions or policies are directed by a CHP. 

Self-insured plans generally qualify as CHPs, and are required to obtain their own HPIDs. For insured health plans, the health insurance issuer, not the employer sponsoring the plan, is generally required to obtain the HPID.




A SHP is eligible, but not required, to obtain an identifier. To determine whether a SHP should get an HPID, the CHP or the SHP should consider whether the SHP needs to be identified in the standard transactions. A CHP may get an HPID for its SHP or may direct a SHP to get an HPID.




Controlling health plans (CHPs)

Must get an HPID for itself

  • May get HPID for its SHPs
  • May direct its SHPs to get HPIDs
    • May get an HPID at the direction of its CHP
    • May get an HPID on its own initiative
      • Needs to be identified in standard transactions;
      • Is not eligible to obtain an HPID;
      • Is not eligible to obtain a National Provider Identifier (NPI); and
      • Is not an individual.

Subhealth plans (SHPs)

Not required to get an HPID


Other Entities

The final rule adopted an optional data element that would serve as an identifier for entities that are not health plans or health care providers but that perform health plan functions and need to be identified in standard transactions. This identifier is called an “other entity identifier” (OEID).

An entity is eligible to get an OEID if the entity:

Examples of entities that are eligible to get an OEID include health care clearinghouses, third party administrators (TPAs), and non-HIPAA covered entities, such as auto liability and workers compensation carriers. According to HHS, the OEID will create greater standardization in health care transactions by providing all parties that need to be identified in the transactions with a standard identifier that will be listed in a publicly available searchable database.


The deadline for health plans, except small health plans, to obtain their HPIDs is Nov. 5, 2014. Small health plans (those with annual gross receipts of $5 million or less) have an additional year to comply, until Nov. 5, 2015. By Nov. 7, 2016, all covered entities must use the HPID in standard transactions involving health plans that have an identifier.

Other entities are not required to get or use OEIDs. The OEID is a voluntary identifier.

Entity Type

Compliance Date for Obtaining HPID

Full Implementation Date for Using HPID in Standard Transactions

Health plans, excluding small health plans

Nov. 5, 2014

Nov. 7, 2016

Small health plans

Nov. 5, 2015

Nov. 7, 2016

Covered health care providers


Nov. 7, 2016

Healthcare clearinghouses


Nov. 7, 2016


Application Process

Health plans and other entities submit applications for HPIDs and OEIDs through HHS’ Health Plan and Other Entity Enumeration System (HPOES). HPOES is housed within the Health Insurance Oversight System (HIOS) of the Centers for Medicare & Medicaid Services (CMS).

Users go to the CMS Enterprise Portal at to access HIOS. The application process involves the following steps:


Step 1: To determine if the organization already exists in HIOS, search by the organization’s federal employer identification number (EIN). If the organization does not already exist in HIOS, users must register their organization. All registration requests are reviewed prior to approval. The following information is needed to register a new company: company legal name; EIN; incorporated state; and domiciliary address.

Step 2: Users must determine their user role and identify the company they need access to. Users can only have one user role at a time. There are three different user roles:

  • Guest: A user that is able to view general information (no company association needed)
  • Submitter: A representative of a health plan or other entity that submits an application
  • Authorizing Official: An individual who has the authority to legally bind the entity and holds ultimate responsibility, for example, the chief executive officer (CEO), chief compliance officer or chief financial officer (CFO). An Authorizing Official approves applications submitted by the company’s submitter users. 

Step 3: There are two different types of HPID applications, CHP and SHP. If completing a SHP application, users will be required to select a CHP company. There is also an OEID application for other entities.
Step 4: Users will need to complete their application and provide the necessary information. The company’s Authorizing Official needs to be identified if one has not already been designated. SHP applications will display the CHP’s Authorizing Official information. All Authorizing Official information provided in the application is reviewed prior to the user being assigned the Authorizing Official role. Users will be able to review their application information prior to submission.

Step 5: Once the application has been submitted, the company’s Authorizing Official will be notified that an application is pending approval. The Authorizing Official will need to review each application and will have the option to approve or reject it.

Step 6: Once the application is approved by the Authorizing Official, the system will generate an HPID or OEID. An email notification will be sent to the submitter user with the HPID or OEID.