Regulation of Group Health Plans

January 19th, 2021
Ellisa H. Culp, Eric D. Penkert, Grace H. Ristuccia, Thomas M. Christina
Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

Most group health plans sponsored by employers in the private sector - other than certain health savings accounts (HSAs) - are considered employee welfare benefit plans under the Employee Retirement Income Security Act (ERISA). If a group health plan (or any other welfare benefit plan) is governed by ERISA, a number of ERISA’s provisions relating to plan adoption and other procedural requirements apply. Some of the more significant of these requirements are discussed in the first section of this chapter, as well as in Chapter 12: Employee communications and Chapter 13: Fiduciary duties.

When originally adopted, ERISA did not contain many requirements as to specific benefits that group health plans would be required to provide, nor did it contain prohibitions against particular terms and conditions that might be included in such plans. State laws regulating the business of insurance were immunized from ERISA preemption, and Congress evidently believed that the vast majority of employees would have ample protection as the result of state insurance law and the dynamics of the market for insured indemnity plans. However, beginning in 1985 with the adoption of continuation coverage requirements under the Consolidated Omnibus Budget Reconciliation Act (COBRA), Congress has amended ERISA many times to add substantive requirements applicable to many if not all group health plans. These substantive requirements are discussed in later sections of this chapter. This Guide reflects the ACA and its underlying guidance as of March 12, 2017.

COVID-19’s impact on timeframes

In response to the coronavirus pandemic, various deadlines and timeframes normally applicable to group health plans have been temporarily altered. These altered timeframes impact many of the statutory and regulatory schemes discussed below.

The Presidential Proclamation on March 13, 2020, declaring a National Emergency in response to the COVID-19 outbreak also resulted in regulatory changes extending various timeframes applicable to all group health plans subject to ERISA or the Internal Revenue Code. For the purposes listed below, these plans must disregard the period from March 1, 2020, until 60 days after the announced end of the National Emergency or such other date announced by the Department of Labor (the “outbreak period”). The dates may ultimately be extended for up to one year from the following normal time limits:

  • the 30-day period (or 60-day period, if applicable) to request special enrollment under ERISA
  • the 60-day election period for COBRA continuation coverage under ERISA
  • the date for making COBRA premium payments pursuant to ERISA
  • the date for individuals to notify the plan of a qualifying event or determination of disability under ERISA
  • the date within which individuals may file a benefit claim under the plan's claims procedure
  • the date within which claimants may file an appeal of an adverse benefit determination under the plan's claims procedure
  • the date within which claimants may file a request for an external review after receipt of an adverse benefit determination or final internal adverse benefit determination
  • the date within which a claimant may file information to perfect a request for external review upon a finding that the request was not complete.

With respect to group health plans and their sponsors and administrators, the outbreak period shall be disregarded when determining the date for providing a COBRA election notice.

Regulatory requirements 

Group health plans governed by ERISA are subject to several regulatory requirements that apply to all ERISA-governed plans, regardless of the types of benefits they provide.

Written plan document

A group health plan must be established and maintained according to a written instrument. The written instrument must provide for one or more named fiduciaries who have the authority to control and manage the operation and administration of the plan. The plan document also must provide procedures for establishing and carrying out a funding policy and method, and for amending the plan. The written plan document also must identify the persons who have the authority to amend the plan, the basis on which payments are to be made to and from the plan, and provide a reasonable procedure for participants to assert a claim for a benefit from the plan.

Reporting and disclosure requirements

ERISA’s reporting requirements establish rules for providing information about the plan to the U.S. Department of Labor (DOL) and other federal entities. Most group health plans must file a Form 5500 Annual Report with the DOL within seven months of the end of the plan year, although they may apply for an automatic extension that gives them an additional 2 ½ months to file.

The disclosure requirements are concerned with providing plan participants with information about the plan. For instance, participants must be provided copies of the group health plan summary plan description (SPD) within 90 days after they first become covered under the plan (or if the plan is new, within 120 days after the plan first becomes subject to ERISA). In addition, plan participants must be provided copies of summaries of any material modification to a group health plan that significantly reduces benefits within 60 days of the adoption of any change. Updated SPDs must be furnished to participants at least every five years if there have been any material changes made within that five-year period. If a plan does not have any material changes, a copy of the most recently distributed SPD must be furnished to participants within 210 days following the last day of the 10th plan year after a material change would have been reflected in the most recently distributed SPD.

Summary of benefits and coverage

Under the Patient Protection and Affordable Care Act (ACA), in addition to an SPD, employers must provide much more succinct summaries of their health plan benefits (no more than four double-sided pages) much more quickly (often within seven days after request) and in a much more standardized form. The summary is referred to as a summary of benefits and coverage (SBC). Employers must see to it that updated summaries reflecting “material” changes in health plans are distributed at least 60 days prior to the date any change takes effect, if changes are made mid-plan year.

There are a number of standards for the SBC including:

  • A plan or insurer (not both) is required to provide an SBC to participants or beneficiaries upon request as soon as practicable but in no event later than seven days following a request.
  • A plan or insurer (not both) must provide an SBC for each “benefit package” for which a participant or beneficiary is eligible. However, upon renewal, an SBC need only be provided for the specific benefit package in which a participant is enrolled, unless a participant or beneficiary requests SBCs for other options.
  • The SBC must be distributed as part of any written open enrollment materials and if there is any change to the SBC after the open enrollment period an updated version would have to be provided by the start of the plan year. If the plan does not distribute written application materials for enrollment, the SBC must be distributed no later than the first day an individual can enroll.
  • Individuals who enter the plan under a Health Insurance Portability and Accountability Act (HIPAA) special enrollment right – such as children and a spouse following a marriage – must be provided with an SBC when they request special enrollment.
  • SBCs can be provided in paper or electronically and can be electronically delivered to any participant or beneficiary who enrolls in or renews coverage online, or who requests an SBC online, provided they satisfy the ERISA rules for electronic disclosure. ERISA generally requires plan administrators to take appropriate and necessary means to ensure that the system for furnishing documents results in actual receipt of the transmitted information. A DOL electronic delivery safe harbor that applies to SPDs and other documents also may be relied on in providing the SBCs.
  • SBCs must be provided as standalone documents in the form authorized by the regulatory agencies and completed according to the instructions written by the agencies. The revised SBC cannot exceed four double-sided pages in length and cannot include print smaller than 12 points. Use of the Arial and Garamond fonts is encouraged.
  • SBCs must be provided in a “culturally and linguistically appropriate manner” in a county where the U.S. Census Bureau has determined that 10% or more of the population is literate only in one of the following languages: Chinese, Spanish, Tagalog or Navaho.

Drawing primarily upon the text of ACA itself, there are numerous content requirements for the SBCs, including:

  • Uniform definitions of standard insurance and medical terms to enable consumers to compare the terms of coverage as well as exceptions. The proposed rules include a list of 44 terms (from “allowed amount” through “urgent care”) and provide for additional terms to be added by the regulators.
  • The cost of coverage and a description of the coverage, including cost-sharing, for each category of benefits.
  • Exceptions, reductions and limitations of the coverage, along with cost-sharing provisions including deductibles, co-payments and co-insurance.
  • “Coverage examples,” which are hypothetical summaries of how the plan would pay benefits in certain common medical situations such as the birth of a child, treatment for cancer, managing diabetes, or a fractured foot with an emergency room visit.
  • A statement that the SBC is only a summary and that the plan document, policy, or certificate of insurance should be consulted to determine the governing provisions.
  • Internet addresses for obtaining the uniform glossary and for obtaining any formulary or provider network that a plan uses.
  • A statement as to whether the coverage option provides “minimum essential coverage,” and whether the plan meets the “minimum value” requirements.

Fiduciary duties

ERISA sets out a number of fiduciary responsibility provisions, which are broad in scope. They require a written plan document and set forth broad standards of conduct for plan fiduciaries. For more information, see Chapter 13: Fiduciary duties.


Title I of ERISA provides for enforcement, both through criminal penalties and civil lawsuits. ERISA generally does not permit jury trials for civil suits and does not permit an award of punitive damages. ERISA lawsuits (other than lawsuits seeking a court’s determination regarding entitlement to a benefit) must be brought in federal court rather than state court. Lawsuits seeking a benefit entitlement decision that are brought in a state court originally may be “removed” (that is, transferred) to a federal court by the defendants, provided the defendants file for removal on a timely basis.

Increased penalties

The Setting Every Community Up for Retirement Enhancement Act (SECURE Act) raised the penalty for failure to file a Form 5500 from $25 to $250 per day of the failure and increased the maximum from $15,000 to $150,000. The SECURE Act also increased penalties for failures relating to annual deferred vested participant registration statements, change of status notifications and withholding notices. The penalty increases apply to returns and notices due after December 31, 2019.

Requirements for coverage continuation

Federal and state law generally require employers to give employees and their dependents who lose coverage under a group health plan for various specified eligibility-related reasons an opportunity to continue group health coverage that would otherwise be terminated. The federal law that mandates continuation coverage is COBRA. COBRA also establishes a duty to provide an initial or “general” notice to covered employees, their spouses, and their adult dependents within a short period following their initial date of coverage under the plan. The initial notice must provide specified information regarding COBRA continuation coverage.

COBRA generally applies to group health plans maintained by private employers that normally employ an average of 20 or more full-time equivalent persons on 50% or more of the typical business days in the previous calendar year. Under COBRA, continuation coverage is available to “qualified beneficiaries” who would otherwise lose coverage under a group health plan because of the occurrence of a “qualifying event.”

Qualified beneficiary

The term “qualified beneficiary” usually refers only to a person who is covered under a group health plan on the day before a qualifying event occurs. For certain purposes, a child born, adopted, or placed for adoption during a COBRA continuation period is treated as a “qualified beneficiary.” In addition, if a person who had retiree coverage (including the spouse of a retiree) loses coverage within a year before the employer’s bankruptcy, or if a person was deprived of coverage unlawfully or in an effort to prevent the person from being entitled to continuation coverage, they may be treated as a qualified beneficiary.

Qualifying event

A qualifying event includes any one of the following:

  • death of the covered employee
  • the covered employee's termination or reduction in hours
  • the divorce or legal separation of the covered employee
  • the covered employee's becoming entitled to Medicare
  • the dependent child's loss of dependency status
  • the occurrence of a Chapter 11 bankruptcy proceeding with respect to an employer from whose employment a covered employee retired.

However, if a participant is terminated for gross misconduct, the qualified beneficiaries can be denied COBRA coverage.

Notification of a qualifying event and election period

An employer has 30 days to notify the plan administrator of an employee’s reduction in hours or termination, and the plan administrator has 14 days to send the qualified beneficiaries a notice of their COBRA qualifying event and their election rights. If the employer serves as the plan administrator, the employer has 44 days to send the qualified beneficiaries the qualifying event and election rights notice. If the qualified beneficiary wants to elect COBRA continuation coverage, they ordinarily must respond within 60 days of receipt of the notice. (A more generous rule applies to qualified beneficiaries whose coverage was lost because of certain job losses caused by the consequences of certain types of foreign economic competition.) Once the COBRA election is made, the qualified beneficiary has 45 days to pay the applicable premium payments. Qualified beneficiaries must notify the plan administrator of all other qualifying events (death of the employee, divorce, loss of dependency status, and the like) within 60 days of the date of the qualifying event. However, the 60-day deadline applies only when the general COBRA notice describes the qualified beneficiaries’ duty to notify the plan administrator and the procedures on how to do so; and the COBRA notice has been provided to the covered employee and spouse.

The deadlines applicable to qualified beneficiaries have been temporarily suspended in response to the COVID-19 pandemic. More details are provided above in the section titled COVID-19’s impact on timeframes.

Coverage period

Continuation coverage must be provided for up to 18 months after the date of the qualifying event when a covered employee is terminated or has a reduction in hours. For other qualifying events, the maximum COBRA continuation period is 36 months from the date of the qualifying event. If a second qualifying event occurs during the 18-month period that follows the covered employee’s termination or reduction in hours, the period over which continuation coverage must be provided is extended to 36 months following the date of the initial qualifying event. If a qualified beneficiary is determined to be disabled by the Social Security Administration (SSA) at the time of the qualifying event or within the first 60 days of COBRA coverage, such determination is made within the initial 18-month period, and the qualified beneficiary notifies the plan administrator within 60 days of such determination, the qualified beneficiary and his/her family members who are also qualified beneficiaries are eligible for an additional 11 months of COBRA continuation coverage. (The timeframe during which a qualified beneficiary is required to notify the plan administrator of a disability determination by the SSA has been temporarily suspended in response to the COVID-19 pandemic.)

Cutting short the coverage period

COBRA continuation coverage may be cut short under any of the following circumstances:

  • the employer ceases to provide coverage under any group health plan to any employee
  • the qualified beneficiary fails to pay premiums within the applicable grace period
  • after making the COBRA election, the qualified beneficiary becomes covered under another group health plan that does not contain any exclusion or limitation with respect to any preexisting condition of the beneficiary
  • after making the COBRA election, the qualified beneficiary becomes entitled to Medicare.


Persons who elect continuation coverage ordinarily are required to pay for the coverage. However, the maximum amount they can be required to pay is based on what COBRA refers to as the “applicable premium,” which is a historically based amount determined by the group health plan’s own claims experience and/or insurance premium amounts. A group health plan generally may charge no more than 102% of the applicable premium to qualified beneficiaries. However, if a qualified beneficiary is entitled to the 11-month disability extension and elects the extension, the plan may charge up to 150% of the applicable premium for any month during the 11-month extension. The initial COBRA premium payment must be made within 45 days of the date COBRA benefits are elected. Subsequent premium payments must be made within 30 days of the date they are due. If payment is made, but it is not for the full amount, a shortfall less than or equal to $50 or 10% of the amount required may not be automatically treated as a failure to make timely payments. Instead, the plan administrator must notify the participant or qualified beneficiary of the insignificant shortfall and give the participant 30 days in which to make the additional payment.

The timeframes for making COBRA premium payments have been temporarily suspended in response to the COVID-19 pandemic.


Group health plans must provide four types of written notice to plan participants. These notices include:

  1. General notice - At the commencement of coverage, the plan must provide written notice to each covered employee and his/her spouse of the rights and obligations provided by COBRA within 90 days of the commencement of coverage. The DOL provided a model notice that plans may use for this purpose. The model notice is available at:
  2. Election notice - As mentioned earlier, the employer must notify the plan administrator within 30 days of the date an employee is terminated or has a reduction in hours and the plan administrator must provide a copy of the election notice to the qualified beneficiaries within 14 days of such notification. The DOL has issued regulations describing the content requirements of the election notice. A model election notice is available at:
  3. Notice of ineligibility - The employer must provide a notice of ineligibility within 14 days of request from an ineligible person for COBRA coverage. The notice of ineligibility should explain why the individual is not eligible for COBRA coverage.
  4. Notice of termination - The plan administrator must provide a notice of termination of COBRA coverage as soon as reasonably practicable following the termination of COBRA coverage to the qualified beneficiary if the COBRA continuation coverage is cut short.

Requirements under the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) mandates that plans provide a number of protections for employees who obtain health benefits through group health plans sponsored by employers. HIPAA applies to a plan (including a self-insured plan) of, or contributed to by, an employer or employee organization to provide healthcare to the employees, former employees, others associated or formerly associated with the employer in a business relationship, or their families. Due to the extensive nature of the mandated “portability” protections required under HIPAA, the following is a particularly condensed account of the protections provided.

Limitations on preexisting conditions

A preexisting condition limitation is a provision of a group health plan that causes coverage under the plan to be eliminated or curtailed if the medical treatment or care to be provided under the plan involves a medical condition the participant had before they became covered under the plan. Effective for plan years beginning on or after January 1, 2014, the healthcare reform provisions under the ACA prohibit group health plans from applying preexisting condition exclusions to any plan enrollees. Previously, for plan years beginning on or after September 23, 2010, the healthcare reform provisions under the ACA prohibited group health plans and healthcare insurers from applying preexisting condition exclusions to individuals enrolled in the plan who were under 19 years of age. Prior to the enactment of the ACA, HIPAA placed limits on a group health plan’s ability to impose preexisting condition limitations. Under HIPAA, preexisting condition limitations could be applied only when all of the following criteria were met:

  • the limitation related to a condition for which medical advice, diagnosis, care, or treatment was recommended or received within the six-month period ending on the enrollment date
  • the limitation extended for a period of not more than 12 months (or 18 months in the case of a late enrollee) after the enrollment date
  • the period during which the exclusion operated was reduced by the length of the aggregate of the periods of “creditable coverage” applicable to the participant or beneficiary as of the enrollment date.

Additionally, HIPAA bans the application of preexisting condition exclusions to pregnancy or to any medical condition of a newborn or a child adopted before the age of 18 if the newborn or child is enrolled for coverage in the plan within 30 days of the birth or adoption.

Creditable coverage

Before the ACA prohibited group health plans from imposing a preexisting condition exclusion, a group health plan was required to give a plan participant credit towards meeting a preexisting condition exclusion for prior creditable coverage. Prior periods of creditable coverage can be counted towards meeting preexisting condition limitations as long as the participant has not experienced a break in coverage of more than 63 days. Creditable coverage includes, but is not limited to, the following examples:

  • coverage under another group health plan
  • health insurance coverage
  • Medicare
  • Medicaid
  • medical care programs of the Indian Health Service or of a tribal organization
  • state high risk health benefits pools
  • public health plans
  • health plans sponsored by foreign countries or any of their political subdivisions.

Group health plans also were required to provide written certification of creditable coverage to qualified participants at the time they lose coverage under the plan or if the individual is covered by COBRA continuation coverage, at the time the individual ceases to be covered by COBRA coverage. In addition, the plan was required to provide written certification of creditable coverage upon written request of the individual for up to 24 months after the termination of coverage under the group health plan or COBRA continuation coverage, whichever is later.

Special enrollment periods

The term “enrollment date” means the date of enrollment of the individual in the plan or, if earlier, the first day of the waiting period for such enrollment. Under most group health plans, an eligible employee is given an opportunity to enroll shortly after the individual first becomes eligible, and all eligible employees are given subsequent opportunities to enroll (usually during an annual “open enrollment period”). A group health plan also must provide an individual with a special enrollment period in either one of the following two situations:

  1. An employee or dependent who previously declined coverage because the individual was covered under the spouse’s coverage and who now is losing that coverage must generally be offered an opportunity to enroll in the group health plan if the employee requests enrollment within 30 days after the date of the exhaustion or termination of the other coverage.
  2. An employee who is either covered under the plan or is eligible to be covered under the plan acquires a new dependent through marriage, birth, or adoption and requests enrollment for the new dependent(s) (and for himself/herself if not already covered under the plan) within 30 days of the birth, adoption, or marriage.

Additional special enrollment periods

The Children’s Health Insurance Program Reauthorization Act (CHIPRA) provides two additional special enrollment periods for certain qualified individuals effective April 1, 2009. As a result of CHIPRA, all group health plans must provide special enrollment rights for employees and their dependents upon either of the following:

  • the termination of coverage under Medicaid or state children’s health insurance program due to loss of eligibility
  • becoming eligible for premium assistance from a state under a Medicaid or children’s health insurance program (CHIP).

To be eligible for either additional special enrollment right, the employee must notify the plan administrator of the special enrollment event within 60 days of the event.

CHIPRA also imposes notice requirements on group health plans to inform participants of state premium assistance programs. The U.S. Departments of Labor, Treasury, and Health and Human Services jointly developed a model CHIPRA notice to assist employers in complying with notice requirements.

Following the initial distribution of this notice, group health plans are required to distribute the notice to all employees of their potential eligibility for state subsidies when they become eligible for enrollment under the plan along with open enrollment materials free of charge. This notice should also be included in the SPD. In addition, upon request, group health plans will have to provide states with sufficient plan information to allow the state to determine whether employees and/or their dependents are eligible for assistance and/or whether the CHIP program will provide supplemental coverage. The penalty for failure to provide the required notices and disclosures is $100 per day per participant or beneficiary.

Privacy and security requirements

HIPAA’s administrative simplification provisions impose privacy and security requirements on covered entities that are designed to protect the privacy and security of certain health information.

Under HIPAA, a covered entity is defined as a healthcare provider, healthcare clearinghouse, or group health plan. “Protected health information” (PHI) refers generally to individually identifiable health information that meets any one or more of the following criteria:

  • transmitted by electronic media
  • maintained in any such medium
  • transmitted or maintained in any other form or medium.

Frequently, covered entities retain the services of business associates to perform or assist in the performance of functions that use or disclose individually identifiable health information (such as claims processing administration, legal services, consulting services, and the like).

Privacy rules

HIPAA’s privacy rules restrict covered entities from using or disclosing certain types of health information except where permitted by HIPAA’s privacy rules or where required by law. The HIPAA privacy rules also provide individuals certain rights with respect to their own PHI including the right to all of the following:

  • inspect and obtain a copy of their own PHI
  • amend or correct protected health information that is inaccurate or incomplete
  • obtain an accounting of certain disclosures of their PHI that were made by covered entities (with some exceptions, including disclosures made for purposes of treatment, payment or healthcare operations and disclosures made to the individual or pursuant to the individual’s authorization)
  • receive the notice of privacy practices required under the privacy standards
  • request additional restrictions on the use or disclosure of their own PHI (although the covered entity may deny this type of request)
  • receive communications by alternative means or at a different location than where previously received.

The HIPAA privacy rules also set specific time limits within which covered entities must respond to an individual’s request to inspect, copy or amend protected health information or for an accounting.

HIPAA’s privacy rules require covered entities to comply with a number of other administrative requirements to protect the privacy of protected health information, including, but not limited to:

  • designating a privacy official who is responsible for the development and implementation of privacy policies and procedures and a contact person (the privacy official or another person) or office for receiving complaints and providing additional information concerning the privacy notice
  • training workforces on privacy policies and procedures
  • establishing appropriate safeguards for protecting the privacy of PHI from accidental or intentional use or disclosure in violation of the privacy standards (such as limiting access to information by creating computer firewalls and locking doors or filing cabinets)
  • creating a process for individuals to lodge complaints and a system for handling such complaints, and keeping a record of the complaints and any resolution
  • designing a system of written disciplinary policies and sanctions for workforce members who violate the covered entity’s privacy policies and procedures
  • mitigating, to the extent practicable, any harmful effect that is known to the covered entity resulting from an improper use or disclosure of PHI
  • refraining from intimidation or retaliation against individuals or others for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under the privacy standards
  • implementing policies and procedures designed to comply with the privacy standards.

The HIPAA privacy rules also prohibit a covered entity from requiring individuals to waive their rights under those rules.

Security rules

HIPAA’s security rules impose certain requirements on covered entities that electronically maintain or transmit PHI to control access to electronic PHI and to protect such information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss. In particular, they must implement reasonable and appropriate safeguards in order to ensure all of the following:

  • the availability, integrity, and confidentiality of electronic PHI
  • protections against reasonably anticipated threats to security and reasonably anticipated uses or disclosures of information that are not permitted by the privacy rule
  • compliance with the security standards by their workforce.

The HIPAA security rule establishes specific security standards that covered entities are required to implement to guard data integrity, confidentiality, and availability. These standards include administrative safeguards, physical safeguards, and technical safeguards.

Covered entities are required to evaluate their operations in light of each of the HIPAA security standards to determine whether and to what extent their systems and operations comply with the standards and, where weaknesses are found, to either implement the specification established under the HIPAA security rules or develop and implement an equivalent alternative.

The HIPAA security rule also requires that a plan amendment be in place if the plan sponsor will create, receive, maintain, or transmit electronic PHI on behalf of the plan.

Notice of security breaches

In February 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH), a part of the American Recovery and Reinvestment Act (ARRA), was signed into law. A key provision of HITECH imposes a new duty on covered entities (including group health plans) to notify affected individuals and, in some cases, the media and the U.S. Department of Health and Human Services (HHS), of a breach of unsecured PHI. HHS issued regulations under HITECH, which went into effect on September 23, 2009, with additional regulations going into effect on September 23, 2013.

Under the regulations, covered entities must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed following a breach of unsecured PHI. The covered entity is also required to notify the media and HHS in certain breaches involving large numbers of individuals. In addition, business associates of group health plans are required to notify the plan of a breach of unsecured PHI.

Unsecured PHI is generally defined as PHI maintained in any form or medium, including paper or electronic, that is not encrypted or destroyed.

The regulations establish a three-step process for covered entities and their business associates to follow in determining whether a breach has occurred for which notification must be given:

  1. Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI under the HIPAA privacy rules.
  2. Determine and document whether the impermissible acquisition, access, use, or disclosure has a low probability of compromising the PHI based on a risk assessment of at least the following factors:
    • the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
    • the unauthorized person who used the PHI or to whom the disclosure was made
    • whether the PHI was actually acquired or viewed
    • the extent to which the risk to the PHI has been mitigated.
  3. Determine whether the incident is excluded from the definition of "breach" because it is:
    • an unintentional use of PHI by a workforce member acting in good faith and within the scope of his/her authority, and the PHI is not further used or disclosed improperly
    • an inadvertent disclosure of PHI by an authorized person to another authorized person, and the PHI is not further used or disclosed improperly
    • a disclosure of PHI to an unauthorized person where there is a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.

If the covered entity determines that a breach has occurred, it must notify the affected individuals without unreasonable delay but not later than 60 calendar days after discovery of the breach. The notice must meet both of the following criteria:

  1. be "in plain language"
  2. include all of the following:
    • a brief description of what happened
    • the dates of the breach and discovery (if known)
    • a description of the types of unsecured PHI involved in the breach
    • steps the individuals should take to protect themselves from potential harm resulting from the breach
    • a brief description of the steps the entity is taking to investigate the breach, mitigate harm and protect against future breaches
    • contact procedures for individuals to ask questions or obtain additional information, including a toll-free number, email address, website or postal address.

The notices should be sent to the affected individual’s last known address via first-class mail, or email if the individual has agreed to email and has not withdrawn such agreement. If a covered entity determines that the contact information on the affected individuals is out of date, the regulations provide alternate means of notification, depending on the number of individuals with outdated contact information. If there are fewer than 10 individuals with outdated contact information, substitute notice may be provided by an alternative written notice, telephone, or other means. If, however, there are 10 or more individuals with outdated contact information, the covered entity must use one of the following alternative forms to notify the individuals:

  • if the covered entity has a website, it may conspicuously post the notice on the website for a period of not less than 90 days
  • post the notice in major print or broadcast media in geographic areas where the affected individuals likely reside.

Both of the alternative notice methods must include a toll-free telephone number that will remain active for at least 90 days where individuals can learn whether their unsecured PHI was included in the breach.

If a breach affects more than 500 residents in a particular state, the covered entity must also notify prominent media outlets serving the state of the breach without unreasonable delay, but not later than 60 calendar days after discovery of the breach. In addition, if a breach affects 500 or more individuals, the covered entity must also notify HHS within the same time period.

Covered entities must maintain a log of all breaches that affect fewer than 500 individuals and submit the log annually to HHS no later than 60 days following the end of the calendar year.

Business associates must provide breach notification to covered entities without unreasonable delay but not later than 60 calendar days after discovery of the breach. Business associates must also, to the extent possible, identify each individual whose PHI was breached and provide any other available information the covered entity will need to notify the affected individuals.

Discriminatory group health plans

Under HIPAA, a group health plan may not discriminate on the basis of certain health factors against participants and beneficiaries with respect to eligibility to enroll, waiting periods, or contribution levels.

Health factors

Health factors that may not be used as a basis for discrimination include health status, medical conditions (including both physical and mental illnesses), claims experience, receipt of healthcare, medical history, genetic information, evidence of insurability (including conditions arising out of acts of domestic violence, or the fact that a participant/beneficiary engages in high-risk sports such as skiing and parachuting), and disability.

Similarly situated employees

Participants belonging to different categories of employees are not considered similarly situated employees for purposes of the HIPAA non-discrimination rule, if the distinction between or among the categories is based on a bona fide employment-based classification, consistent with the employer’s customary business practice. The determination of whether a particular classification is bona fide is based on all of the relevant facts and circumstances, such as whether the employer uses the classification for other employment related purposes. Examples of permissible classifications include, but are not limited to:

  • full-time vs. part-time employees
  • different geographic locations
  • different plant facilities
  • membership in a collective bargaining unit
  • date of hire
  • length of service.

More favorable treatment for adverse health factors

While HIPAA’s non-discrimination rules prohibit discrimination based on health factors, they do permit plans to establish more favorable eligibility rules for individuals with adverse health factors than for individuals without the adverse health factors. Plans also may charge individuals with adverse health factors a higher premium if these individuals would not be eligible for coverage were it not for the adverse health factor.

Example - A plan that offers extended health coverage apart from COBRA for disabled employees following separation from service by reason of their disability may charge a higher co-pay or premium during the extended period of coverage.

Preexisting condition exclusions

While preexisting condition exclusions discriminate against individuals on the basis of health-related factors, HIPAA’s non-discrimination rules previously permitted them as long as they met all of the following criteria:

  • complied with HIPAA’s portability requirements
  • applied to all similarly situated participants and beneficiaries
  • were not directed at any one individual based on his/her health status.

Plan amendments incorporating such exclusions were not permitted to become effective before the first day of the first year after the amendment was adopted. However, effective for plan years beginning on or after September 23, 2010, the healthcare reform provisions of ACA prohibit any group health plan from imposing preexisting condition exclusions against any individual enrolled in a plan who is under 19 years of age. This prohibition on preexisting condition exclusions is extended to all individuals enrolled in a plan for plan years beginning on or after January 1, 2014.

Source of injury claims

Under the HIPAA non-discrimination regulations, a plan may not deny eligibility to individuals who engage in high-risk sports. However, the plan may exclude coverage relating to injuries arising out of such activities. Nevertheless, source-of-injury clauses that deny benefits for treatment of injuries arising from acts of domestic violence or from a medical condition are not permitted.

Example - A group health plan may not exclude coverage for self-inflicted injuries if the injuries are the result of a medical condition such as depression.

Actively at work clauses

Under an actively at work clause, plan eligibility or the participant’s contribution rate is based on whether the individual is actively at work. HIPAA’s non-discrimination rules generally prohibit such requirements unless employees who are absent due to health conditions are treated as if they are actively at work.

Non-confinement clauses

A non-confinement clause generally states that an individual who is confined to a hospital may not enroll in a health plan until the confinement ends. HIPAA’s non-discrimination rules also prohibit these provisions. However, HIPAA does permit a plan to require the employee to begin work for the employer sponsoring the plan before coverage becomes effective, provided that the rule applies regardless of the reason for the absence.

Restricting hospital stays for new mothers

Under the Newborns’ and Mothers’ Health Protection Act (NMHPA), a group health plan cannot restrict benefits for a hospital stay in connection with childbirth for the mother or newborn to less than 48 hours following a normal vaginal delivery or less than 96 hours following a Caesarian section. The mother and newborn may be discharged sooner if the decision is made by an attending healthcare provider in consultation with the mother. The plan may not offer incentives to stay less than the required time, or deny or restrict plan coverage or benefits of any portion of the required minimum hospital stay to circumvent the minimum hospital stay requirements. In addition, the NMHPA amended ERISA’s rules on the contents of SPDs for group health plans by adding the requirement that if a plan provides maternity or newborn infant coverage, its SPD must include a statement describing any requirements under federal or state law applicable to the plan, and any health insurance coverage offered under the plan, relating to hospital length of stay in connection with childbirth for the mother or newborn child. As with most of the other federal mandates discussed in this section, any comparable state laws that provide more favorable benefits to the mother or newborn child take precedence over the NMHPA. In cases where a state law takes precedence over the NMHPA, the SPD must describe the applicable state law as well.

Mental health and substance abuse benefits

The Mental Health Parity and Addiction Equity Act was signed into law on October 3, 2008, and extends the parity provisions that were created under the Mental Health Parity Act to substance abuse disorder benefits and places additional limitations on the restrictions group health plans place on mental health and/or substance abuse disorder benefits. In particular, if a group health plan provides mental health and/or substance abuse disorder benefits it may not set limitations, restrictions, or cost sharing arrangements that are different from benefit restrictions and/or cost sharing arrangements on medical and surgical benefits. For instance, group health plans that cover mental health/substance abuse disorder benefits may not apply higher co-payments, deductibles, and/or co-insurance amounts to such benefits than are applied to medical/surgical benefits. If plans cover medical/surgical benefits provided within or without a network of preferred providers, and if they also provide mental health/substance abuse disorder benefits, they must also provide mental health/substance abuse disorder benefits whether the benefits are provided within or without a network of preferred providers. However, the Mental Health Parity and Addiction Equity Act does not require group health plans to cover mental health and/or substance abuse disorder benefits.

The Mental Health Parity and Addiction Equity Act is generally effective for plan years beginning on or after October 3, 2009 (for instance, for calendar year plans, the effective date is January 1, 2010). However, certain employers and groups are exempt from compliance. These include small employers with an average of at least two but not more than 50 employees during the preceding calendar year and union plans whose collective bargaining agreements have not terminated as of the enactment of the Mental Health Parity and Addiction Equity Act or January 1, 2009, discounting any bargaining agreement extension. An exemption also exists for employers with claim cost increases of 2% in the first year of adoption of the Mental Health Parity and Addiction Equity Act, provided that the cost calculation is based on six months of actual claims data with parity in place. The cost exemption for those employers who qualify is effective in the following plan year and it is a one-year exemption. Employers must apply each year for future exemptions. In addition, employers must notify participants, beneficiaries, and the government of the election to use the exemption.

The U.S. Department of Labor's Employee Benefits Security Administration has prepared a self-compliance tool to assist employers. For a copy of this resource, visit:

Group health plans and cancer treatment

Under the Women’s Health and Cancer Rights Act (WHCRA), plans that provide coverage for mastectomies must also cover reconstructive surgery following the mastectomy. The coverage may be subject to annual deductibles and co-insurance provisions that are consistent with other benefits under the plan. Reconstructive surgery is defined under the WHCRA to include the reconstruction of the breast on which the mastectomy was performed, surgery and reconstruction of the other breast to produce a symmetrical appearance, and prostheses. The WHCRA also mandates that group health plans provide a written notice of the availability of this coverage to each participant and beneficiary upon enrollment and each year thereafter. The notice must be prominently positioned in any literature or correspondence distributed by the plan.

Military leave and health coverage

Under the Uniformed Services Employment and Reemployment Rights Act (USERRA), persons who serve in the Armed Forces of the United States are generally entitled to the seniority and all rights and benefits based on seniority that they would have attained with reasonable certainty had they remained continuously employed. To be eligible for the rights granted under USERRA, employees must meet all of the following requirements:

  • the employee must provide advance notice of the leave when practical
  • the cumulative length of an employee’s absences from a position cannot exceed five years
  • the employee cannot have been dishonorably discharged from the military
  • the employee must report back to the employer or apply for reemployment within the following timeframes, depending on the length of military service:
    • if the period of service is 0-30 days, the employee must reapply by the beginning of the first regularly scheduled period eight hours after safe travel home after service
    • if the period of service is 31-180 days, the reapplication period is 14 days after service
    • if the period of service is 181 days or more, the reapplication period is 90 days after service.

The types of uniformed service that are covered under USERRA include:

  • full-time and reserve components of the Army, Navy, Marine Corps, Air Force, and Coast Guard
  • National Guard
  • commissioned corps of the Public Health Service
  • certain types of service in the National Disaster Medical System (NDMS)
  • any other category of persons designated as a "uniformed service" by the President of the United States in time of war or national emergency.

The term "service" is broadly defined under USERRA to include:

  • active duty
  • active and inactive duty for training
  • initial duty for training
  • full time National Guard
  • examination to determine fitness for duty
  • funeral honors duty by National Guard or Reserve members
  • certain duties performed by NDMS employees.

Employers that sponsor health plans must provide COBRA-like health benefit continuation coverage for persons who are absent from work to serve in the military, even when the employer, due to size, is not subject to COBRA. If a person’s health plan coverage would terminate because of an absence due to military service, the employee may elect to continue the health plan coverage for up to 24 months after the absence begins, or for the period of service, whichever period is shorter. During the first 30 days that the employee is on military leave, the employer may not charge the employee any more for the group health coverage than what similarly situated active employees pay for the coverage. However, after the first 30 days, the employer may charge the employee up to 102% of the full premium for the coverage. Employers cannot discontinue continuation coverage merely because the employee and family members become eligible to receive coverage under TRICARE.

If a person’s coverage under a health plan is terminated because of service in the uniformed services, the plan may not impose an exclusion or waiting period in connection with the reinstatement of coverage if health coverage would have been provided to the employee had the employee not been absent for military service. This protection applies to the person who is reemployed and to his or her family members who have their coverage reinstated. However, this protection does not apply to the coverage of any illness or injury determined by the Veterans’ Administration to be service-connected.

Student eligibility status

Michelle’s Law prohibits group health plans from ending a dependent child’s eligibility for coverage based on loss of status as a student or full time student because of a “medically necessary leave of absence.” A “medically necessary leave of absence” includes not only a complete leave of absence, but also a reduced course load or other schedule change that would otherwise cause the dependent child not to be a “full time” student. Michelle’s Law applies only if the group health plan or issuer of the child’s insurance coverage has received written certification by the child's treating physician stating that the child is suffering from a serious illness or injury, and that the leave of absence is medically necessary. Under those circumstances, the group health plan may not terminate coverage of the child before the earlier of the following:

  • one year after the leave of absence began
  • the date on which coverage otherwise would have ended for reasons unrelated to the leave of absence (such as reaching a maximum age or the parent’s termination of employment).

Michelle’s Law also includes a special notice provision. If a plan distributes any notice relating to certification of student status or full time student status for children over a certain age to continue to be eligible for coverage as a dependent, the plan must include a description of the rules under Michelle’s Law that require continued coverage during medically necessary leaves of absence. Congress adopted Michelle’s Law on September 25, 2008, but delayed its effective date until the first day of the group health plan’s fiscal year that begins on or after September 25, 2009. For most plans, this means that Michelle’s Law first became effective on January 1, 2010. 

Under the ACA’s adult child coverage requirement, Michelle’s Law will no longer apply to group health plans that only cover children until age 26. The adult coverage requirement under the ACA is more specifically discussed in Chapter 05: Health insurance reform. However, for group health plans with dependent definitions that include expanded categories of dependents such as grandchildren, Michelle’s Law will continue to apply to the plan.

Discrimination based on genetic information

The Genetic Information Nondiscrimination Act (GINA), which went into effect for group health plans in plan years beginning after May 21, 2009, prevents discrimination in health insurance based on genetic information. Under GINA, group health plans and group health insurance issuers may not do any of the following:

  • use genetic information to discriminate with respect to premium or contribution amounts
  • request or require that individuals or their family members undergo genetic testing (with limited exceptions)
  • collect (by requesting, requiring or purchasing) genetic information for underwriting purposes, and collect genetic information with respect to any individual prior to enrollment or coverage under the health plan
  • use genetic information to determine eligibility for coverage or to impose preexisting condition exclusions.

Genetic information includes any information about an individual’s own genetic tests, the genetic tests of an individual’s family members, and the manifestation of a disease or disorder in the individual’s family members. Genetic information also includes information on the health histories of family members. In addition, a genetic test is any analysis of human DNA, RNA, chromosomes, proteins or metabolites that detects genotypes, mutations or chromosomal changes that could be used to predict whether an individual has a predisposition to a disease, disorder, or pathological condition.

As stated previously, GINA prohibits the use of genetic information for underwriting purposes. Underwriting purposes include determinations of eligibility (including enrollment and continued eligibility), computation of premium or contribution amounts, and application of preexisting condition exclusions. Under GINA, the definition of underwriting is broader than merely activities relating to rating and pricing a group policy. Underwriting purposes include all of the following:

  • changing deductibles or other cost-sharing mechanisms
  • providing discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment (HRA) or participating in a wellness program.

Example - A group health plan provides a premium reduction to enrollees who complete an HRA. The HRA is requested to be completed after enrollment. Whether or not it is completed or what responses are given on it has no effect on an individual’s enrollment status, or on the enrollment status of members of the individual’s family. The HRA includes questions about the individual’s family medical history. Therefore, the HRA includes a request for genetic information (that is, the individual’s family medical history). Because completing the HRA results in a premium reduction, the request for genetic information is for underwriting purposes and the request violates GINA.

Reporting requirements

The ACA imposes reporting requirements on insurers and employers. The specific form or forms that are required depend on whether the employer is an “applicable large employer” (ALE) and how health benefits are funded. If the employer is an ALE, the employer must provide each full time employee with a Form 1095-C regardless of whether the employer provides fully insured or self-funded coverage to those employees. Furthermore, if the employer is an ALE that sponsors a self-funded plan, that employer also will provide Form 1095-C to any part-time employees who are enrolled in the plan.

If the employer is not an ALE and sponsors a self-funded plan, the employer will report that coverage on Form 1095-B to any employees covered by that plan. Regardless of whether the employer is an ALE, if the employer sponsors a fully insured plan, the insurance carrier will report that coverage to the employer’s covered employees on a Form 1095-B.

Note: An employer is an ALE if the employer employed 50 or more full time equivalent employees on average during the preceding plan year. 

The employer uses the Form 1094-B and Form 1094-C to transmit the health insurance information to the Internal Revenue Service (IRS). 

Due dates

The due date for furnishing the Form 1095-B and Form 1095-C to employees (and former employees if applicable) is January 31 for all years after 2015. The due date for filing the Form 1094-B, Form 1095-B, Form 1094-C and Form 1095-C with the IRS is February 28. If filing electronically, the due date is March 31. In October of 2020, the IRS extended the due date for furnishing the Form 1095-B and Form 1095-C to employees (and former employees if applicable) to March 2, 2021.