The Health Insurance Portability and Accountability Act (HIPAA) has a significant impact on medical coverage provided by employer-sponsored group health plans. Among other provisions, HIPAA:
Employers that violate HIPAA’s portability, privacy, or security provisions may face fines and/or lawsuits for failing to meet these requirements. Additionally, HIPAA imposes notification requirements should a plan sponsor become aware that certain health information has been improperly disclosed or accessed.
The original HIPAA Privacy and Security Rules focused on health care providers, health plans, and other entities that process health insurance claims. In January 2013, the Department of Health and Human Services (HHS) published new regulations extending many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Potential penalties for noncompliance are tiered by the level of culpability, with a cap of nearly $1.8 million per calendar year for all violations of an identical provision. The revised regulations also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
For purposes of HIPAA’s requirements, health insurance coverage means benefits for medical care under any hospital or medical service policy or certificate, hospital or medical service plan contract, or HMO contract offered by a health insurance issuer. It does not, however, include certain “excepted benefits” such as:
Certain limited scope dental and vision benefits or long-term care benefits are also excepted benefits if they are provided under a separate policy, certificate, or contract of insurance, or are otherwise not an integral part of the plan.
HIPAA requirements also generally do not apply to governmental plans that elect to opt out of HIPAA’s portability requirements or to a group health plan for any year in which the plan has only one employee-participant on the first day of the plan year. There is no opting out, however, under HIPAA’s medical privacy and electronic security rules.
HIPAA provides protection to individuals who are changing jobs and/or health coverage by restricting the ability of the new group health plan to limit coverage for prior medical conditions or other health status factors.
Under the Affordable Care Act, signed into law in 2010, preexisting condition exclusions (PCEs) for individuals of all ages are prohibited beginning January 1, 2014. However, some older group plans may be considered “grandfathered” into the old rules and may be permitted to exclude preexisting conditions according to HIPAA for at least one additional year. Under HIPAA, a group health plan (or a health insurance issuer offering group health insurance coverage) may impose such an exclusion only if the following requirements are met:
In order to impose a PCE, a group health plan must provide, as part of its enrollment materials, a written notice explaining the existence, length, and terms of the PCE. The notice must explain that creditable coverage will reduce the length of the PCE, that the individual has the right to demonstrate creditable coverage, and that the individual has the right to request a certificate of creditable coverage from the prior plan. The notice must also state that the current plan will assist in obtaining the certificate, if necessary. The notice must include a contact person (with telephone number or address) for assistance or additional information in obtaining a certificate.
In general, creditable coverage means health coverage provided to an individual under programs such as:
A period of creditable coverage is not counted if there is a break in coverage of at least 63 days (other than any applicable waiting period) between the end of the creditable coverage period and the participant’s or beneficiary’s enrollment date under the new creditable coverage.
A group health plan may count periods of creditable coverage without regard to the specific benefits provided under such coverage. Alternatively, the group health plan may count the periods of creditable coverage for certain types of benefits (such as mental health, prescription drugs, or dental care).
In general, an individual proves prior creditable coverage by presenting to a new group health plan a certificate of creditable coverage from the old plan.
A group health plan must furnish a plan participant, without charge, with a certificate of creditable coverage on each of the following occasions:
The summary plan description provided to plan participants and beneficiaries must include an explanation of the procedures to be followed to obtain a certificate.
Self-insured group health plans bear the responsibility for providing the certificates. If the plan is a fully-insured group health plan, the health insurer will normally fulfill these obligations. However, the plan sponsor must verify with the health insurer that the certificates are being provided as required.
The certificate of creditable coverage must be in written form and contain specific information. A copy of the model certificate published by the Department of Labor is attached at the top of this chapter, available for download.
No written certificate is required if:
If the accuracy of a certificate is in question or a certificate of creditable coverage is not available, an individual may demonstrate creditable coverage (and any waiting periods) through the presentation of documents or other means. The plan may not consider an individual’s inability to obtain a certificate to be evidence of the absence of creditable coverage. Documents that may establish creditable coverage in the absence of a certificate include:
The plan must take into account all information that it receives on behalf of an individual. The plan must make a determination, based upon the relevant facts and circumstances, whether the individual has creditable coverage and is entitled to offset all or a portion of any PCE period.
A plan shall treat the individual as having furnished a certificate if the individual:
A plan seeking to impose a PCE is required to disclose to the individual, in writing, its determination of any PCE period that applies to the individual as well as the basis for such determination (including the source and substance of any information on which the plan relied). In addition, the plan is required to provide the individual with a written explanation of any appeal procedures established by the plan and with a reasonable opportunity to submit additional evidence of creditable coverage.
As a general rule, a group health plan can limit the times when an individual can enroll in the plan. However, HIPAA requires group health plans to establish special enrollment periods in certain circumstances. As noted previously, an individual who enrolls for coverage in a group health plan after the first period in which the individual is eligible to enroll generally can be subject to an 18-month PCE as a “late enrollee.” However, any individual who enrolls in a group health plan during one of the special enrollment periods set forth herein is not considered a “late enrollee” and is, therefore, subject only to a 12-month PCE period.
A group health plan must permit an eligible employee and/or dependent to enroll for coverage under the plan if each of the following conditions is met:
HIPAA also requires a group health plan to permit a special enrollment period when an employee acquires a new dependent through marriage, birth, or adoption. In general, if an eligible individual gains a dependent through marriage, birth, adoption, or placement for adoption, the group health plan must permit the individual, the new spouse, and any new dependent to enroll in the plan. The individual must notify the plan of the special enrollment event within 30 days in order to be eligible for special enrollment. Coverage becomes effective on the following dates:
On or before the time an employee is offered the opportunity to enroll in a group health plan, the plan is required to provide the employee with a description of the HIPAA special enrollment rules. Language for a sample notice has been provided by the Department of Labor and can be seen in the files tab at the top of the page.
A group health plan cannot establish eligibility rules that discriminate against any individual with respect to coverage or continued coverage or premium amounts based on any of the following factors:
These requirements, however, do not prevent a group health plan from limiting the amount, level, extent, or nature of the benefits provided as long as such limitations do not discriminate among similarly situated individuals. Thus, for example, a group health plan could choose not to cover experimental medical procedures or choose to limit the benefits for experimental medical procedures, provided this limitation applies equally to all similarly situated individuals.
A group health plan cannot require an individual to pay a higher premium on the basis of any health-related factor that may apply to the individual. However, the plan may charge different premiums for different classes of employees (such as full-time and part-time employees), as long as the different classes are based on bona fide distinctions not related to health factors.
A group health plan may offer premium discounts, rebates, and adjustments to deductibles or co-payments in exchange for adherence to bona fide wellness programs, including health promotion and disease prevention programs such as weight loss or smoking cessation programs. If these incentives are contingent on particular results (such as specified blood pressure levels, refraining from smoking, etc.), then a number of restrictions apply.
In addition to possible exposure to a participant lawsuit, HIPAA imposes a tax on group health plans that fail to meet the requirements of the law.
An employer whose group health plan fails to meet the requirements (or the plan, in the case of a multiple employer plan) faces an excise tax of $100 for each day of the non-compliance period for each affected individual. The non-compliance period begins on the date the failure occurs and ends on the date of correction.
In addition to the regulation of health insurance portability and non-discrimination rules, HIPAA also provides for the protection of participants’ medical records and other individually identifiable health information that is created, received, or maintained by the group health plan or certain other entities (PHI). In general, the rules below will apply only to records held in connection with a group health benefits plan or some on-site medical clinics, and not to records held by the employer itself (for example, for absence management policies). However, because such information can be sensitive regardless of where it is held, appropriate safeguards should be applied to all medical information.
The privacy regulations under HIPAA (Privacy Rule), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, including the final regulations which took effect on March 23, 2013, impose the following requirements.
The Privacy Rule is a federal provision that requires a comprehensive approach to ensuring that the privacy of PHI is balanced with the public’s responsibility to support medical research, public health and quality of care. The Privacy Rule sets limits on how a group health plan may use PHI. Under the Privacy Rule, a group health plan is generally prohibited from using and disclosing PHI without first obtaining the authorization of the participant. However, to ensure that the group health plan’s activities are not unduly hampered, activities for treatment, payment and healthcare operations (TPO Activities) are exempted from certain aspects of the Privacy Rule. For purposes of the Privacy Rule, TPO Activities are defined as the following:
A group health plan does not need to obtain the participant’s authorization prior to the use of PHI for TPO Activities, but may use or share only the minimum amount of PHI necessary for a particular purpose. In most other situations, the plan cannot use or disclose PHI unless the plan participant signs a specific authorization permitting the use or disclosure.
Plan participants generally have the right to see and obtain copies of their medical and claim records and to request corrections if they identify errors. However, participants may be denied access to certain types of information in limited circumstances. Where the participant has the right to obtain copies, access must generally be provided within 30 days, and the group health plan may charge a reasonable, cost-based fee for copying and sending the records. If the participant identifies errors and requests that the records be amended, the plan must act on the request (accepting or denying it in writing) within 60 days.
A group health plan must provide a notice to its plan participants at the times of their enrollment and then at least every three years thereafter explaining how the plan intends to use their PHI, as well as explaining the participants’ rights under the Privacy Rule. Plan participants also have the right to ask their group health plan to restrict the use or disclosure of their PHI beyond the practices included in the notice, but the group health plan is not required to comply with such requests.
Under the Privacy Rule, a plan participant must be permitted to request receipt of confidential communications of the participant's PHI by alternative means or at alternative locations if the individual states that the disclosure of the information could endanger the individual. A group health plan must accommodate all reasonable requests for confidentiality.
In limited circumstances, the Privacy Rule permits (but does not require) a group health plan to disclose limited amounts of PHI for specific public responsibilities.
Some of the permitted disclosures include:
Plan participants may file formal complaints regarding the privacy practices of a group health plan. Such complaints can be submitted to the health plan’s Privacy Officer or filed with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which has the authority to receive and investigate complaints and to enforce the Privacy Rule. Complaints to OCR must be filed in writing within 180 days of when the complainant knew or should have known that the act or omission complained of occurred. The group health plan may not retaliate against a plan participant for submitting a complaint or exercising any rights provided by the Privacy Rule.
The Privacy Rule requires that a group health plan maintain written privacy procedures, including a description of the members of the group health plan’s workforce that have access to PHI, how PHI will be used, and when PHI may be disclosed. A group health plan must implement policies and procedures with respect to PHI that are designed to comply with the Privacy Rule. The group health plan’s policies and procedures must take into account the size of the group health plan and the types of activities in which the group health plan engages. The group health plan must also ensure that its policies and procedures are revised regularly to reflect changes in the law and in the plan’s privacy practices.
A group health plan is required to designate an individual as the privacy official who will be responsible for developing and implementing the privacy policies and procedures for the group health plan. The privacy officer, or some other designated contact person, is also responsible for receiving complaints from plan participants and beneficiaries, as well as providing further information regarding the group health plan’s notice of privacy practices. In addition to designating a privacy officer, a group health plan must provide adequate training of its employees in the plan’s privacy policies and procedures. For newly hired members of the plan’s workforce, training must be completed within a reasonable time period after hiring.
A group health plan must ensure that its plan documents provide for adequate separation between the group health plan and the plan sponsor. Specifically, the plan documents must identify the members of the group health plan’s workforce (either by name or class) who may receive access to PHI, including the workforce members who receive PHI for TPO Activities, or for other matters relating to the group health plan in the ordinary course of business included in the description of the plan. Additionally, the workforce members’ access to PHI must be restricted to the plan administration functions performed for the plans by their plan sponsors. Finally, the plan documents must provide for the means to resolve any issues arising from workforce members’ (who have access to PHI) non-compliance with the plan’s policies and procedures or non-compliance with the Privacy Rule.
“Unsecured PHI” is protected health information in any medium that has not been protected by a technology or methodology that has met government approval (for example, encryption). A covered entity (including a health plan and, by extension, the plan sponsor) is required to notify affected parties in the event of a “breach” of unsecured PHI, which includes most unauthorized access, disclosure, release, or use of such information. Certain good-faith disclosures are excepted from this rule (for example, an inadvertent disclosure to another individual within the “HIPAA firewall” of the health plan). Additionally, disclosures where the unauthorized recipient would have no reasonable means of retaining or recording the PHI are excepted from these requirements.
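Whether a lost or exposed record counts as “unsecured PHI” turns on whether it was encrypted in a way consistent with the HHS guidance. The following Go program is an added illustration written for this page, not code from the page’s author or from any regulator, of what that looks like for a single ePHI record: AES-256-GCM gives both confidentiality and integrity, and the record identifier is bound as associated data so a ciphertext cannot be quietly moved onto another member’s row. The record content and the identifier “row-42” are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample ePHI record (not real data): one claim line of the kind
// a plan sponsor's benefits system might hold.
const sampleRecord = `{"member_id":"A1000","dob":"1980-01-01","diagnosis":"J45.20"}`

// EncryptRecord seals one ePHI record with AES-256-GCM. The record identifier
// is authenticated as associated data, so the ciphertext is tied to its row.
// Output layout: nonce (12 bytes) || ciphertext || 16-byte tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the nonce, ciphertext,
// tag or recordID makes Open fail: the integrity half of the Security Rule's
// confidentiality/integrity requirement, not just secrecy.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := make([]byte, 32) // in practice: from a KMS/HSM, never stored beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := EncryptRecord(key, "row-42", []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(key, "row-42", blob)
	fmt.Printf("round trip ok: %v (err=%v)\n", string(pt) == sampleRecord, err)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = DecryptRecord(key, "row-42", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Two caveats matter for the breach analysis. First, encryption only takes the data outside the definition of unsecured PHI if the key was not also exposed, so the key must live in a separate system (a KMS or HSM) with its own access controls and audit trail, never on the same laptop or in the same database dump. Second, the random 96-bit nonce used here is appropriate for a modest number of records per key; a plan encrypting very large volumes under one key should rotate keys or use a counter-based nonce scheme, since nonce reuse under GCM destroys both confidentiality and integrity.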
In the event of a breach of unsecured PHI, the health plan must notify each affected individual without unreasonable delay and in no case later than 60 days after the breach is discovered (the first day on which the breach is known, or reasonably should have been known, to the plan). Notice is generally provided by first-class mail. If the breach involves more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified. HHS must be notified at the same time as individuals for breaches affecting 500 or more individuals, and smaller breaches must be reported to HHS in an annual log within 60 days after the end of the calendar year in which they were discovered. The individual notice must include the following items:
In addition, and to the extent applicable, the group health plan should also comply with state breach notification requirements applicable to a breach involving personal information, such as Social Security numbers or driver’s license numbers, that could be used to identify a plan participant.
A group health plan must maintain all documentation (that is, policies, procedures, etc.) required by the Privacy Rule for a period of six years from the later of the date of its creation or the date when it last was in effect. Such documentation must be made available to the workforce members responsible for implementing the group health plan’s policies and procedures.
A group health plan is not subject to the standards and implementation specifications of the Privacy Rule if health benefits are provided under the plan solely through an insurance contract with a health insurance issuer or an HMO and the group health plan does not create or receive PHI other than summary health information or enrollment information. A group health plan that meets this exception is still required to refrain from retaliatory, intimidating, or discriminating acts against individuals who exercise their privacy rights according to the Privacy Rule, and it is further prohibited from requiring or requesting waivers of an individual’s right to lodge a complaint with the Secretary of the HHS.
A group health plan that fails to comply with the Privacy Rule is subject to a number of penalties. Civil penalties were greatly increased by HITECH and the 2013 regulations implementing it; the amounts shown below are the inflation-adjusted figures published in 2020 and are adjusted annually.
A person who knowingly obtains or discloses PHI in violation of the Privacy Rule also faces a fine of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to up to five years of imprisonment and $100,000 if the wrongful conduct involves false pretenses, and up to 10 years of imprisonment and $250,000 if the wrongful conduct involves the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. Criminal sanctions are enforced by the Department of Justice. State Attorneys General may bring civil actions in federal district court on behalf of their residents for violations of the Privacy Rule.
Categories of Violations and Respective Penalties

Type of violation                                                    Penalty per violation     Cap for all violations of an identical provision in a calendar year
Did not know and by the exercise of reasonable diligence             $119 to $59,522           $1,785,651
  would not have known
Reasonable cause                                                     $1,191 to $59,522         $1,785,651
Willful neglect, timely corrected                                    $11,904 to $59,522        $1,785,651
Willful neglect, not timely corrected                                $59,522 to $1,785,651     $1,785,651
HIPAA’s security regulations (Security Rule) require a group health plan to protect the confidentiality, integrity, and availability of PHI when it is stored, maintained, or transmitted electronically. A group health plan must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of individually-identifiable health information that is created, received, or maintained by the health plan electronically (Electronic PHI) against any reasonably anticipated risks.
HIPAA requires the HHS to establish national standards for the security of Electronic PHI. The Security Rule specifies a series of administrative, technical, and physical security procedures for group health plans to utilize to assure the confidentiality of Electronic PHI. The Security Rule specifies standards that are delineated into either required or addressable implementation specifications.
The required specifications are critical and must be implemented. With respect to the addressable specifications, a group health plan must assess whether each implementation specification is a reasonable and appropriate safeguard by analyzing such specification’s likelihood of protecting Electronic PHI.
If a group health plan decides that an addressable specification is applicable, it must:
The Security Rule’s administrative safeguards require a group health plan to have documented policies and procedures for managing day-to-day operations, the conduct and access of workforce members to Electronic PHI, and the selection, development, and use of security controls.
The specific standards are as follows:
The physical safeguards are a series of requirements meant to establish the minimum physical protections acceptable for ensuring data integrity, confidentiality, and availability, and to guard physical computer systems from fires, other natural and environmental disasters, and unauthorized access. A group health plan must limit and control physical access while permitting properly-authorized access. The specific standards are:
The technical safeguards focus on verifying the identity of the user accessing an electronic network, files or applications, controlling the data the user has access to, and using measures to protect data in the event that it is intercepted during transmission. The specific standards are:
Most group health plans rely on assistance from a variety of businesses, vendors, contractors, and outsourcers that must have access to PHI to perform their jobs properly. A group health plan is required to enter into business associate contracts with such business associates establishing the permitted and required uses and disclosures of such information by the business associate, including prohibitions that preclude the business associate from using or disclosing PHI in a manner that would violate the Privacy and Security Rules.
A business associate is defined as any entity which, on behalf of a group health plan, performs or assists in the performance of functions that involve the use of PHI, such as claims processing or administration, data analysis, billing, benefit management, utilization reviews, or quality assurance. Furthermore, if an entity provides legal, accounting, consulting, management, administrative, or financial services for a group health plan in any other capacity other than as an employee of the group health plan, and the provision of such services involve the use of PHI, such entity is treated as a business associate.
A business associate contract must provide that the business associate agrees, among other things, to:
Certain other provisions, including business associate compliance with the breach notification requirements and flow-down of the same obligations to any subcontractors that handle PHI, are now required as a result of the regulations published in 2013 to implement HITECH. Indemnification is not a regulatory requirement, but many business associate agreements now contain indemnification or other provisions requiring the business associate to cover the costs of a breach by the business associate or any of its subcontractors.
In addition, HITECH required that business associates must comply with the Security Rule and the use and disclosure provisions of the Privacy Rule, and would be subject to HIPAA’s penalties for violations or non-compliance with these provisions. Such compliance steps would, at a minimum, include items such as:
All policies and procedures must be written and documented. A group health plan must maintain all documentation (that is, policies, procedures, and records of actions, activities, or assessments) required by the Security Rule for a period of six years from the later of the date of its creation or the date when it last was in effect. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, a group health plan must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of Electronic PHI.
The penalties for failing to comply with the Security and Privacy Rules have become tougher as a result of HITECH. There are now four tiers of civil penalties. At the lowest tier, where the group health plan did not know of the violation and would not have known with reasonable diligence, penalties are not less than $119 and no more than $59,522 per violation, with an annual cap of $1,785,651 for violations of an identical provision. At the fourth tier, which involves willful neglect that was not corrected within 30 days, the penalties are no less than $59,522 per violation, with the same annual cap of $1,785,651 for violations of an identical provision. As a result of HITECH, state attorneys general may bring civil actions in federal district court on behalf of their residents for violations of the Privacy and Security Rules.
Employee Benefits Security Administration (EBSA), Department of Labor