The Health Insurance Portability and Accountability Act (HIPAA) has a significant impact on the medical coverage provided by employer-sponsored group health plans. Among other provisions, HIPAA:
Employers who violate HIPAA’s portability, privacy or security provisions may face monetary penalties and/or lawsuits for failing to meet these requirements.
For purposes of HIPAA’s portability, access and renewability requirements, health insurance coverage means benefits for medical care under any hospital or medical service policy or certificate, hospital or medical service plan contract or HMO contract offered by a health insurance issuer. It does not, however, include certain “excepted benefits” such as:
Certain limited scope dental and vision benefits or long-term care benefits are also excepted benefits, if they are provided under a separate policy, certificate or contract of insurance or are otherwise not an integral part of the plan.
HIPAA portability, access and renewability requirements also generally do not apply to governmental plans that elect to opt out of HIPAA’s portability requirements or to a group health plan for any year in which the plan has only one employee-participant on the first day of the plan year.
HIPAA was strengthened in 2009 by the passage of The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act. HITECH was designed to promote the adoption and meaningful use of health information technology. Subtitle D addresses privacy and security concerns unique to the electronic transmission of health information and increases the civil and criminal enforcement of the HIPAA rules.
Health Insurance Portability and Accountability Act (HIPAA) provides protection to individuals who are changing jobs and/or health coverage by restricting the ability of the new group health plan to limit coverage for prior medical conditions or other health status factors.
Many group health plans limit or exclude benefits for expenses incurred as a result of preexisting conditions. Under HIPAA, a group health plan (or a health insurance issuer offering group health insurance coverage) may impose such an exclusion only if the following requirements are met.
First, a preexisting condition exclusion (PCE) may be imposed only for a preexisting condition, which is defined as a medical condition for which medical advice, diagnosis, care or treatment was recommended or received within the six month period prior to the enrollment date.
Medical care or treatment includes taking a prescribed drug during the look-back period, even if prescribed more than six months before the enrollment date.
Second, the group health plan may not limit benefits for a preexisting condition for a period longer than the 12-month period after the enrollment date. There is an exception to this limitation for individuals who do not enroll in the plan when they are first eligible to enroll or during a special enrollment period (as discussed below). These individuals are considered to be “late enrollees” and the plan may impose its PCE for up to 18 months with respect to late enrollees.
Finally, the period of the PCE must be reduced to the extent the individual has prior creditable coverage under another plan. However, prior periods of creditable coverage generally do not count toward reducing the PCE period if the individual experienced a break in coverage of 63 days or more.
A group health plan cannot impose any PCE relating to pregnancy as a preexisting condition. Also, a group health plan’s PCE may not apply to a newborn or adopted child if that child has creditable coverage on at least one day within the 30-day period following his or her birth, adoption or placement for adoption and the child is subsequently enrolled in the group health plan without a significant break in coverage. Also, genetic information alone, without diagnosis of a specific related condition, cannot be treated as a preexisting condition.
The ACA changed aspects of the law as it applies to PCEs under HIPAA. ACA prohibits PCEs from being imposed by group health plans or group health insurance coverage and extends this protection to individual health insurance coverage.
The ACA prohibits both exclusions of coverage of specific benefits and complete exclusions from a plan or coverage based on a pre-existing condition. These PCE rules do not change the HIPAA rule that an exclusion of benefits for a certain condition under a plan is not a PCE if the exclusion is not based on the date the condition arose. For instance, if a group health plan generally provides coverage for medically necessary services but excludes coverage for the treatment of cleft palate, the exclusion of coverage for treatment of cleft palate is not a PCE because it applies regardless of when the condition arose.
In order to impose a PCE, a group health plan must provide, as part of its enrollment materials, a written notice explaining the existence, length and terms of the PCE. The notice must explain that creditable coverage will reduce the length of the PCE, that the individual has the right to demonstrate creditable coverage and that the individual has the right to request a certificate of creditable coverage from his or her prior plan. The notice must also state that the current plan will assist in obtaining the certificate, if necessary. The notice must include a contact person (with telephone number or address) for assistance or additional information in obtaining a certificate.
In general, creditable coverage means health coverage provided to an individual under programs such as:
A period of creditable coverage is not counted if there is a break in coverage of at least 63 days (not counting any applicable waiting period or HMO affiliation period) between the end of the creditable coverage period and the participant’s or beneficiary’s enrollment date under the new creditable coverage.
A group health plan may count periods of creditable coverage without regard to the specific benefits provided under such coverage. Alternatively, the group health plan may count the periods of creditable coverage for certain types of benefits (such as mental health, drugs or dental care).
In general, an individual proves that he or she had prior creditable coverage by presenting to his or her new group health plan a certificate of creditable coverage from the prior plan or insurer.
A group health plan must furnish a plan participant, without charge, with a certificate of creditable coverage (see page 402, Certificate of group health plan coverage) on each of the following occasions:
The certificate of creditable coverage must generally be in written form and contain specific information. A copy of the model certificate published by the Department of Labor is attached at the end of this chapter.
If the accuracy of a certificate is in question or a certificate of creditable coverage is not available, an individual may demonstrate creditable coverage (and any waiting or affiliation periods) through the presentation of documents or other means. The plan may not consider an individual’s inability to obtain a certificate to be evidence of the absence of creditable coverage. Documents that may establish creditable coverage in the absence of a certificate include:
The plan must take into account all information that it receives on behalf of an individual. The plan must make a determination, based upon the relevant facts and circumstances, whether the individual has creditable coverage and is entitled to offset all or a portion of any PCE period.
A plan shall treat the individual as having furnished a certificate if he does all of the following:
A plan seeking to impose a PCE is required to disclose to the individual, in writing, its determination of any PCE period that applies to the individual as well as the basis for such determination (including the source and substance of any information on which the plan relied). In addition, the plan is required to provide the individual with a written explanation of any appeal procedures established by the plan and with a reasonable opportunity to submit additional evidence of creditable coverage.
As a general rule, a group health plan can limit the times when an individual can enroll in the plan. However, HIPAA requires group health plans to establish special enrollment periods in certain circumstances. As noted above, an individual who enrolls for coverage in a group health plan after the first period in which he or she is eligible to enroll generally can be subject to an 18-month PCE as a “late enrollee.” However, any individual who enrolls in a group health plan during one of the special enrollment periods set forth below is not considered a “late enrollee” and is, therefore, subject only to a 12-month PCE period.
A group health plan must permit an eligible employee and/or dependent to enroll for coverage under the plan if all of the following conditions are met:
HIPAA also requires a group health plan to permit a special enrollment period when an employee acquires a new dependent through marriage, birth, adoption or placement for adoption. In general, if an eligible individual gains a dependent through marriage, birth, adoption or placement for adoption, the group health plan must permit the individual, the new spouse and any new dependent, to enroll in the plan. The individual must notify the plan of the special enrollment event within 30 days in order to be eligible for special enrollment. Coverage shall become effective on the following dates:
On or before the time an employee is offered the opportunity to enroll in a group health plan, the plan is required to provide the employee with a description of the HIPAA special enrollment rules. Language for a sample notice has been provided by the Department of Labor.
Notice of Special Enrollment Rights – Sample
If you are declining enrollment for yourself or your dependents (including your spouse) because of other health insurance or group health plan coverage, you may be able to enroll yourself and your dependents in this plan if you or your dependents lose eligibility for that other coverage (or if the employer stops contributing towards your or your dependents’ other coverage). However, you must request enrollment within [insert “30 days” or any longer period that applies under the plan] after your or your dependents’ other coverage ends (or after the employer stops contributing toward the other coverage).
In addition, if you have a new dependent as a result of marriage, birth, adoption or placement for adoption, you may be able to enroll yourself and your dependents. However, you must request enrollment within [insert “30 days” or any longer period that applies under the plan] after the marriage, birth, adoption or placement for adoption.
To request special enrollment or obtain more information, contact [insert the name, title, telephone number and any additional contact information of the appropriate plan representative].
A group health plan cannot establish eligibility rules that discriminate against any individual with respect to coverage or continued coverage based on any of the following health-related factors:
These requirements, however, do not prevent a group health plan from limiting the amount, level, extent or nature of the benefits provided as long as such limitations do not discriminate among similarly situated individuals. Thus, for instance, a group health plan could choose not to cover experimental medical procedures or choose to limit the benefits for experimental medical procedures, provided this limitation applies equally to all similarly situated individuals.
A group health plan cannot require an individual to pay a higher premium on the basis of any health-related factor (listed below) that may apply to the individual. However, the plan may charge different premiums for different classes of employees (such as full- and part-time employees), as long as the different classes are based on bona-fide distinctions not related to health factors.
A group health plan may offer premium discounts, rebates and adjustments to deductibles or co-payments in exchange for adherence to health promotion and disease prevention programs such as weight loss or smoking cessation programs. However, if these incentives are contingent on particular results (such as specified blood pressure levels, refraining from smoking), then restrictions apply.
In addition to possible exposure to a participant lawsuit or a Department of Labor enforcement action, HIPAA imposes a tax on group health plans that fail to meet the requirements of the law.
An employer whose group health plan fails to meet the requirements (or the plan, in the case of a multiple employer plan) faces a penalty tax of $119 for each day of the noncompliance period for each affected individual and up to $59,522 per person per violation of a single standard per calendar year. The noncompliance period begins on the date the failure occurs and ends on the date of correction.
In addition to the regulation of health insurance portability and non-discrimination rules, HIPAA provides for the protection of participants’ medical records and other individually identifiable health information that is created, received or maintained by the group health plan. The privacy regulations under HIPAA (Privacy Rule) require the following:
The Privacy Rule sets limits on how a group health plan may use personal health information (PHI). To ensure that the group health plan’s activities are not unduly hampered, activities for treatment, payment and healthcare operations (TPO Activities) are exempted from certain aspects of the Privacy Rule. For instance, a group health plan does not need to obtain the participant’s authorization prior to the use of his or her PHI for TPO Activities, but may use or share only the minimum amount of protected information needed for a particular purpose. In most other situations, the plan cannot use or disclose the PHI unless the plan participant signs a specific authorization permitting the use or disclosure.
Plan participants generally have the right to see and obtain copies of their medical and claim records and request corrections if they identify errors and mistakes. Access to these records must generally be provided within 30 days and the group health plan may charge plan participants for the cost of copying and sending the records. If the participant identifies errors and requests the records be changed, the plan must comply.
A group health plan must record certain disclosures of PHI and maintain this record for at least six years from the date of the disclosure. A group health plan must provide a list (known as an accounting) of these disclosures to health plan participants upon request. Disclosures made for TPO Activities, to the plan participant or according to an authorization do not have to be recorded. A group health plan must record the following information about each accountable disclosure:
A group health plan must provide a notice to its plan participants explaining how the plan intends to use their private health information as well as the participants’ rights under the Privacy Rule. At least once every three years, a group health plan must notify plan participants of the availability of the notice and how to obtain a copy.
Plan participants have the right to ask their group health plan to restrict the use or disclosure of their PHI beyond the practices described in the notice of privacy practices. The group health plan is not required to grant such requests. However, if a group health plan agrees to honor a restriction request, the group health plan must abide by the terms of the agreed upon restriction.
Under the Privacy Rule, a plan participant must be permitted to request to receive confidential communications of his PHI by alternative means or at alternative locations, if the individual states that the disclosure of the information could endanger the individual. A group health plan is required to comply with such a request if the group health plan can reasonably accommodate such a request.
In limited circumstances, the Privacy Rule permits (but does not require) a group health plan to disclose limited amounts of PHI for specific public responsibilities. These permitted disclosures include:
For instance, a group health plan may disclose PHI in compliance with the terms of a subpoena, but only if the plan has received satisfactory assurances as required by the Privacy Rule that the individual has been notified and there are no pending objections to the subpoena or that a qualified protective order has been agreed upon or requested.
Plan participants may file formal complaints regarding the privacy practices of a group health plan. Such complaints can be made directly to the group health plan or to the HHS Office for Civil Rights (OCR), which is charged with investigating complaints and enforcing the Privacy Rule.
The Privacy Rule requires that a group health plan have written privacy procedures, including a description of the members of the group health plan’s workforce that have access to protected information, how it will be used and when it may be disclosed. A group health plan must implement policies and procedures with respect to PHI that are designed to comply with the Privacy Rule. The group health plan’s policies and procedures must take into account the size of the group health plan and the types of activities in which the group health plan engages. The group health plan must also ensure that its policies and procedures are revised regularly to reflect changes in the law and in the plan’s privacy practices.
A group health plan is required to designate an individual as the privacy official who will be responsible for developing the privacy policies and procedures for the group health plan. The privacy official is also responsible for receiving complaints from plan participants and beneficiaries as well as providing further information regarding the group health plan’s notice of privacy practices. In addition to designating a privacy official, a group health plan must provide adequate training of their employees in the plan’s privacy policies and procedures. For newly hired members of the plan’s workforce, training must be completed with a reasonable time period after their hiring.
With limited exceptions, a group health plan may not disclose PHI (or permit a health insurance issuer or HMO to disclose PHI) to the group health plan sponsor unless the group health plan has received a certification from the plan sponsor that the plan documents have been amended to restrict how the plan sponsor may use or disclose the PHI. Among other things, the plan sponsor must agree to use and disclose PHI only as permitted by the Privacy Rules, ensure that its agents and subcontractors that receive PHI agree to the same restrictions, not use or disclose PHI for any employment-related purpose or in connection with any other benefit of the plan sponsor and notify the group health plan of any security incidents or non-permitted uses or disclosures. A group health plan must ensure that its plan documents provide for adequate separation between the group health plan and the plan sponsor. Specifically, the plan documents must identify the members of the group health plan’s workforce (either by name or class) that can receive access to PHI, including the workforce members who receive PHI for TPO Activities or for other matters relating to the group health plan in the ordinary course of business be included in the description. Additionally, the workforce members’ access to PHI must be restricted to the plan administration functions performed for the plans by their plan sponsors. The plan documents must provide for the means to resolve any issues arising from workforce members’ (who have access to PHI) noncompliance with the plan’s policies and procedures or with the Privacy Rule.
A group health plan is required to enter into business associate contracts establishing the permitted and required uses and disclosures of such information by the business associate, including not permitting the business associate to use or disclose PHI in a manner that would violate the Privacy Rule.
A group health plan must maintain all documentation required by the Privacy Rule for a period of six years from the date of its creation or the date when it last was in effect, if later. Such documentation must be made available to the workforce members responsible for implementing the group health plan’s policies and procedures.
A group health plan is not subject to most of the requirements of the privacy standards if benefits are provided under the plan solely through an insurance contract with a health insurance issuer or an HMO and the group health plan does not create or receive PHI with the exception of summary health information or enrollment information. A group health plan that meets this exception is only required to refrain from retaliatory or intimidating acts against individuals who exercise their privacy rights and is prohibited from requiring or requesting waivers of individual rights.
A group health plan that fails to comply with the Privacy Rule is subject to a number of penalties. Civil penalties are $119 - $59,522 per violation, up to $1,785,651 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
The Health Insurance Portability and Accountability Act‘s (HIPAA’s) security regulations require a group health plan to protect the confidentiality, integrity, and availability of PHI when it is stored, maintained or transmitted electronically. A group health plan must maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of individually identifiable health information that is created, received or maintained by the health plan electronically (Electronic PHI) against any reasonably anticipated risks. Most group health plans were required to become compliant with these regulations as of 2005.
Small group health plans must become compliant with the regulations no later than 2006. A small group health plan is defined as a group health plan with annual receipts of less than five million dollars.
The security regulations provide a number of implementation specifications, which are further divided into two types:
The required specifications are critical and must be implemented. The addressable specifications may be implemented after the group health plan has performed the following analysis:
Additionally, the plan must implement and document the alternative security measure that will satisfy the addressable specification.
The regulations’ administrative safeguards require a group health plan to have documented policies and procedures for managing day-to-day operations, the conduct and access of workforce members to Electronic PHI and the selection, development and use of security controls.
The specific standards are as follows:
The physical safeguards are a series of requirements meant to protect a group health plan’s electronic information systems and Electronic PHI from unauthorized physical access.
A group health plan must limit physical access while permitting properly-authorized access.
The specific standards are:
The technical safeguards include several requirements for using technology to protect Electronic PHI, particularly controlling access to it.
A significant change to the way HIPAA applies is found in the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). In the event of a breach of unsecured protected health information (PHI), a covered entity must notify each individual whose unsecured PHI has been breached. The covered entity must also notify each individual when it reasonably believes that PHI has been accessed, acquired, used or disclosed from the breach.
A breach is defined as “the acquisition, access, use or disclosure” of PHI that violates the Privacy Rule or Security Rule and that “compromises the security or privacy” of the protected information. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.
The breach reporting obligation also requires that covered entities provide notice of the breach to the Secretary of the Department of Health and Human Services in the event of a breach of unsecured PHI involving 500 or more individuals. A covered entity must notify the media in the event of a breach of unsecured PHI involving more than 500 residents of a state or jurisdiction. The breach reporting obligations also apply to business associates who are required to report breaches to covered entities.
All policies and procedures must be written and documented. A group health plan must maintain all documentation (including policies and procedures) required by the security regulations for a period of six years from the date of its creation or the date when it last was in effect, whichever is later.
Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, a group health plan must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity and availability of Electronic PHI.
The penalties for failing to comply with the security regulations are similar to the penalties for failing to comply with the Privacy Rule. Specifically, civil penalties are $119 - $59,522 per violation, up to $1,785,651 per year for each requirement violated, while criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Where to go for more information
Phone: (866) 444-3272
Policies and Forms
Chapter 27: Health insurance portability and privacy