This Colorado Human Resources Manual is offered to you for free. Find state specific laws and regulations below.

Health insurance portability and privacy — Colorado

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has a significant impact on the medical coverage provided by employer sponsored group health plans. Among other provisions, HIPAA:

  • requires a group health plan to limit exclusions based upon preexisting conditions
  • prohibits such plans from denying coverage to individuals or charging higher premiums based on health status, medical history or certain other factors
  • guarantees renewability of coverage to certain individuals
  • requires a group health plan to provide for the privacy and security of plan participants’ individually identifiable health information.

Employers who violate HIPAA’s portability, privacy or security provisions may face fines and/or lawsuits for failing to meet these requirements.

For purposes of HIPAA’s requirements, health insurance coverage means benefits for medical care under any hospital or medical service policy or certificate, hospital or medical service plan contract, or HMO contract offered by a health insurance issuer. It does not, however, include certain “excepted benefits” such as:

  • accident-only coverage
  • disability income insurance
  • liability insurance, including general liability insurance and automobile liability insurance
  • workers' compensation or similar insurance
  • automobile medical payment insurance
  • credit-only insurance (for instance, mortgage insurance)
  • coverage for on-site medical clinics.

Certain limited scope dental and vision benefits or long term care benefits are also excepted benefits, if they are provided under a separate policy, certificate, or contract of insurance, or are otherwise not an integral part of the plan. Also, health FSAs ordinarily are exempt from HIPAA, as are health savings accounts (HSAs).

HIPAA requirements also generally do not apply to government plans or to a group health plan for any year in which the plan has only one employee/participant on the first day of the plan year.

Limitations on imposing preexisting condition exclusions

Impact of healthcare reform

Before discussing the HIPAA rules relating to preexisting condition exclusions (PCEs), it is important to note that under the Patient Protection and Affordable Care Act of 2010, better known as the Affordable Care Act (ACA), there are specific rules relating to PCEs that will eventually replace HIPAA’s existing provisions with respect to PCEs. Effective for plan years beginning on or after January 1, 2014, plans are prohibited from imposing any PCEs regardless of age.

HIPAA rules on PCEs 

Many group health plans limit or exclude benefits for expenses incurred as a result of preexisting conditions. Under HIPAA, a group health plan (or a health insurance issuer offering group health insurance coverage) may impose such an exclusion only if all three of the following requirements are met:

  1. Six-month look-back rule

    First, a PCE may be imposed only for a preexisting condition, which is defined as a medical condition for which medical advice, diagnosis, care, or treatment was recommended or received within the six-month period prior to the enrollment date.

    Medical care or treatment includes taking a prescribed drug during the look-back period, even if prescribed more than six months before the enrollment date. Genetic information alone, without diagnosis of a specific related condition, cannot be treated as a preexisting condition.

  2. Twelve-month look-forward rule

    Second, the group health plan may not limit benefits for a preexisting condition for a period longer than the 12-month period after the enrollment date. There is an exception to this limitation for individuals who do not enroll in the plan when they are first eligible to enroll or during a special enrollment period (as discussed in Special enrollment periods). These individuals are considered to be “late enrollees” and the plan may impose its PCE for up to 18 months with respect to late enrollees.

  3. Reduction of exclusion period by creditable coverage

    Finally, the period of the PCE must be reduced to the extent the individual has prior creditable coverage under another plan. However, prior periods of creditable coverage generally do not count toward reducing the PCE period if the individual experienced a break in coverage of 63 days or more.

    A group health plan cannot impose any PCE relating to pregnancy as a preexisting condition. Also, a group health plan’s PCE may not apply to a newborn or adopted child if that child has creditable coverage by the 30th day following his/her birth, adoption, or placement for adoption and the child is subsequently enrolled in the group health plan without a significant break in coverage.

Notice requirements

In order to impose a PCE, a group health plan must provide, as part of its enrollment materials, a written notice explaining the existence, length, and terms of the PCE. The notice must explain that creditable coverage will reduce the length of the PCE, that the individual has the right to demonstrate creditable coverage, and that the individual has the right to request a certificate of creditable coverage from his/her prior plan. The notice must also state that the current plan will assist in obtaining the certificate, if necessary. The notice must include a contact person (with telephone number or address) for assistance or additional information in obtaining a certificate.

Creditable coverage

In general, creditable coverage means health coverage provided to an individual under programs such as:

  • a group health plan
  • another group or individual health insurance policy
  • Medicare or Medicaid
  • Chapter 55 of Title 10 of the U.S. Code (medical coverage for members of the uniformed services)
  • a public health plan (as defined in regulations)
  • a state children's health insurance program (CHIP).

A period of creditable coverage is not counted if there is a break in coverage of at least 63 days (other than any applicable waiting period) between the end of the creditable coverage period and the participant’s or beneficiary’s enrollment date under the new group health plan. There is an exception when there is a break in coverage of at least 63 days with a subsequent COBRA election for certain individuals eligible for subsidized COBRA coverage according to the American Recovery and Reinvestment Act of 2009 (ARRA).

Calculation periods

A group health plan may count periods of creditable coverage without regard to the specific benefits provided under such coverage. Alternatively, the group health plan may count the periods of creditable coverage for certain types of benefits (such as mental health, prescription drugs, or dental care).

Certificates 

In general, an individual proves that he/she had prior creditable coverage by presenting to his/her new group health plan a certificate of creditable coverage from the old plan.

A group health plan must furnish a plan participant, without charge, with a certificate of coverage on each of the following occasions:

  • Automatically, at the time a plan participant ceases to be covered under the plan (or would cease to be covered if not for continuation coverage under COBRA or applicable state law). The certificate generally must be provided to the participant at a time consistent with notices required under COBRA. For a participant not entitled to elect COBRA coverage, the certificate must be provided within a reasonable period of time after coverage ends. The group health plan must also provide a certificate automatically to any qualified beneficiary at the end of his/her COBRA coverage period.
  • Additionally, a certificate must be provided to a plan participant upon request within 24 months of the loss of coverage.

The summary plan description provided to plan participants and beneficiaries must include an explanation of the procedures to be followed to obtain a certificate.

Self-insured group health plans bear the responsibility for providing the certificates. If the plan is a fully insured group health plan, the health insurer will normally fulfill these obligations. However, the plan sponsor must verify with the health insurer that the certificates are being provided as required.

Form and content of the certificate

The certificate of creditable coverage must be in written form and contain specific information. A copy of the model certificate published by the U.S. Department of Labor (DOL) is included at the end of this chapter.

No written certificate is required if any of the following statements are true:

  • the individual requests that the certificate be sent to another plan or issuer instead of the individual
  • the plan or issuer that would otherwise receive the certificate agrees to accept the information through means other than a written certificate (that is, by telephone)
  • the receiving plan or issuer receives such information from the sending plan or issuer in such form within the required time period.

Rules related to certification

  • A plan may provide a single certificate for a participant and the participant’s dependents, if the period of coverage is identical for each individual. However, if plan coverage information is different for each family member, such information must be separated on the certificate with each set of information clearly indicated for the applicable family members.
  • The certificate must be sent by first-class mail to the participant’s last known address. If a dependent’s last known address is different from the participant’s last known address, a separate certificate must be mailed to the dependent’s last known address.
  • If the individual entitled to receive a certificate designates another individual or entity to receive the certificate, the certificate may be provided to that designated individual or entity.

Demonstrating creditable coverage through other means

If the accuracy of a certificate is in question or a certificate of creditable coverage is not available, an individual may demonstrate creditable coverage (and any waiting periods) through the presentation of documents or other means. The plan may not consider an individual’s inability to obtain a certificate to be evidence of the absence of creditable coverage. Documents that may establish creditable coverage in the absence of a certificate include:

  • explanations of benefit claims
  • pay stubs showing payroll deduction for health coverage
  • a health insurance identification card
  • records from medical care providers indicating health coverage.

The plan must take into account all information that it receives on behalf of an individual. The plan must make a determination, based upon the relevant facts and circumstances, whether the individual has creditable coverage and is entitled to offset all or a portion of any PCE period.

A plan shall treat the individual as having furnished a certificate if they do the following:

  • attest to the period of creditable coverage
  • present relevant supporting evidence of some creditable coverage during the period
  • cooperate with the plan’s efforts to verify the individual’s coverage. (Cooperating with the plan includes, among other things, providing a written authorization for the plan to request a certificate on the individual’s behalf.)

Notification of PCE periods

A plan seeking to impose a PCE is required to disclose to the individual, in writing, its determination of any PCE period that applies to the individual as well as the basis for such determination (including the source and substance of any information on which the plan relied). In addition, the plan is required to provide the individual with a written explanation of any appeal procedures established by the plan and with a reasonable opportunity to submit additional evidence of creditable coverage.

Special enrollment periods

As a general rule, a group health plan can limit the times when an individual can enroll in the plan. However, HIPAA requires group health plans to establish special enrollment periods in certain circumstances. As noted previously, an individual who enrolls for coverage in a group health plan after the first period in which he/she is eligible to enroll generally can be subject to an 18-month PCE as a “late enrollee.” However, any individual who enrolls in a group health plan during one of the special enrollment periods set forth below is not considered a “late enrollee” and is, therefore, subject only to a 12-month PCE period.

Individuals losing other coverage

A group health plan must permit an eligible employee and/or dependent to enroll for coverage under the plan if each of the following conditions is met:

  • The employee or dependent was covered by a group health plan or had other health insurance when the coverage was previously offered.
  • The employee stated in writing at such time that enrollment was declined because of coverage under another group health plan or other health insurance coverage (if the plan sponsor required such a statement and provided notice of such requirement).
  • The previous coverage was either of the following:
    1. COBRA coverage that has now been exhausted
    2. terminated as a result of loss of eligibility for such coverage or because employer contributions toward such coverage were terminated.

Loss of eligibility does not include loss of coverage for failure to pay premiums or termination of coverage for cause (for instance, filing fraudulent claims under the plan, intentional misrepresentation of facts related to coverage, etc.). However, an individual reaching a lifetime maximum limit on benefits is a loss of eligibility reason that may trigger special enrollment.

The employee or eligible dependent requests to be enrolled in the new coverage no later than 30 days after the prior coverage ceases (a special enrollment period). Enrollment must become effective not later than the first day of the first calendar month beginning after the date the completed enrollment request is received.

Acquiring new dependents

HIPAA also requires a group health plan to permit a special enrollment period when an employee acquires a new dependent through marriage, birth, or adoption. In general, if an eligible individual gains a dependent through marriage, birth, adoption, or placement for adoption, the group health plan must permit the individual, the new spouse, and any new dependent, to enroll in the plan. The individual generally must notify the plan of the special enrollment event within 30 days in order to be eligible for special enrollment. Coverage shall become effective on the following dates:

  • in the case of marriage, not later than the first day of the first month beginning after the date the completed request for enrollment is received
  • in the case of a dependent’s birth, as of the date of such birth
  • in the case of a dependent’s adoption or placement for adoption, the date of such adoption or placement for adoption.

Notice of special enrollment rights

On or before the time an employee is offered the opportunity to enroll in a group health plan, the plan is required to provide the employee with a description of the HIPAA special enrollment rules. Language for a sample notice has been provided by the DOL.

Prohibition against discrimination based on health status

Eligibility for coverage

A group health plan cannot establish eligibility rules that discriminate against any individual with respect to coverage or continued coverage or premium amounts based on any of the following factors:

  • health status
  • medical condition (including both physical and mental illness)
  • claims experience
  • receipt of healthcare
  • medical history
  • genetic information
  • evidence of insurability
  • disability.

These requirements, however, do not prevent a group health plan from limiting the amount, level, extent, or nature of the benefits provided as long as such limitations do not discriminate among similarly situated individuals. For instance, a group health plan could choose not to cover experimental medical procedures or choose to limit the benefits for experimental medical procedures, provided this limitation applies equally to all similarly situated individuals.

Premiums

A group health plan cannot require an individual to pay a higher premium on the basis of any health-related factor that may apply to the individual. However, the plan may charge different premiums for different classes of employees (such as full time and part time employees), as long as the different classes are based on bona fide distinctions not related to health factors.

A group health plan may offer premium discounts, rebates, and adjustments to deductibles or co-payments in exchange for adherence to health promotion and disease prevention programs such as weight loss or smoking cessation programs as part of a wellness program. If these incentives are contingent on particular results (such as specified blood pressure levels or refraining from smoking), then a number of restrictions apply.

Penalties for noncompliance

In addition to possible exposure to a participant lawsuit, HIPAA imposes a tax on group health plans that fail to meet the requirements of the law.

Amount of the tax

An employer whose group health plan fails to meet the requirements (or the plan, in the case of a multiple employer plan) faces a minimum penalty tax of $120 for each day of the noncompliance period for each affected individual. The noncompliance period begins on the date the failure occurs and ends on the date of correction.

Limitations on amount of the tax

  • No tax is imposed during any period if the IRS determines that the employer or insurer was not aware that the health plan was not in compliance, and could not have discovered the noncompliance by the exercise of reasonable diligence.
  • No tax is imposed if the failure is due to reasonable cause and is corrected within 30 days of the date it is (or should have been) discovered.
  • For unintentional failures, the tax is capped at $60,226 per violation up to a maximum of $1,806,757 per year.
  • In the case of a group health plan of a small employer (generally, an employer that employs an average of more than two but fewer than 50 employees) that provides health insurance coverage solely through a contract with a health insurance issuer, no tax shall be imposed on the employer on any failure that is solely because of the health insurance coverage offered by such insurer.
  • The IRS has the discretion to reduce the amount of a tax penalty if it finds the penalty to be excessive in relation to the failure and if the failure is due to reasonable cause, and not willful neglect.

Privacy of health information

In addition to the regulation of health insurance portability and non-discrimination rules, HIPAA provides for the protection of participants’ medical records and other individually identifiable health information that is created, received, or maintained by the group health plan and is commonly referred to as protected health information (PHI). The privacy regulations under HIPAA (privacy rule) require the following:

Limits on use of personal medical information

The “privacy rule” sets limits on how a group health plan may use PHI. To ensure that the group health plan’s activities are not unduly hampered, activities for treatment, payment, and healthcare operations (TPO activities) are exempted from certain aspects of the privacy rule. For instance, a group health plan does not need to obtain the participant’s authorization prior to the use of his/her PHI for TPO activities, but may use or share only the minimum amount of protected information needed for a particular purpose and generally may only disclose it to entities that are also subject to HIPAA’s privacy requirements, either by law or by regulation. In most other situations, the plan cannot use or disclose the PHI unless the plan participant signs a specific authorization permitting the use or disclosure.

Access to medical records

Plan participants generally have the right to see and obtain copies of their medical and claim records and request corrections if they identify errors and mistakes. Access to these records must generally be provided within 30 days and the group health plan may charge plan participants for the cost of copying and sending the records. If the participant identifies errors and requests the records be changed, the plan must comply.

Notice of privacy practices

A group health plan must provide a notice to its plan participants explaining how the plan intends to use their private health information as well as the participants’ rights under the privacy rule. Plan participants also have the right to ask their group health plan to restrict the use or disclosure of their information beyond the practices included in the notice, but the group health plan is not required to comply with such requests.

Confidential communications

Under the privacy rule, a plan participant must be permitted to request to receive confidential communications of his/her PHI by alternative means or at alternative locations, if the individual states that the disclosure of the information could endanger the individual. A group health plan is required to comply with such a request if it can reasonably accommodate such a request.

Public responsibilities

In limited circumstances, the privacy rule permits (but does not require) a group health plan to disclose limited amounts of PHI for specific public responsibilities. These permitted disclosures include:

  • those required by law
  • emergency circumstances
  • identification of the body of a deceased person or the cause of death
  • public health needs
  • judicial and administrative proceedings
  • limited law enforcement activities
  • activities related to national defense and security.

Complaints

Plan participants may file formal complaints regarding the privacy practices of a group health plan. Such complaints can be made directly to the group health plan or to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which is charged with investigating complaints and enforcing the privacy rule.

Written privacy procedures

The privacy rule requires that a group health plan have written privacy procedures, including a description of the members of the group health plan’s workforce that have access to protected information, how it will be used, and when it may be disclosed. A group health plan must implement policies and procedures with respect to PHI that are designed to comply with the privacy rule. The group health plan’s policies and procedures must take into account the size of the group health plan and the types of activities in which the group health plan engages. The group health plan must also ensure that its policies and procedures are revised regularly to reflect changes in the law and in the plan’s privacy practices.

Employee training and privacy officer

A group health plan is required to designate an individual as the privacy official who will be responsible for developing the privacy policies and procedures for the group health plan. The privacy official is also responsible for receiving complaints from plan participants and beneficiaries as well as providing further information regarding the group health plan’s notice of privacy practices. In addition to designating a privacy official, a group health plan must provide adequate training of its employees in the plan’s privacy policies and procedures. For newly hired members of the plan’s workforce, training must be completed within a reasonable time period after their hiring.

Adequate separation

A group health plan must ensure that its plan documents provide for adequate separation between the group health plan and the plan sponsor. Specifically, the plan documents must identify the members of the group health plan’s workforce (either by name or class) that can receive access to PHI, including the workforce members who receive PHI for TPO activities, or for other matters relating to the group health plan in the ordinary course of business. Additionally, the workforce members’ access to PHI must be restricted to the plan administration functions performed for the plans by their plan sponsors. Finally, the plan documents must provide for the means to resolve any issues arising from workforce members’ (who have access to PHI) noncompliance with the plan’s policies and procedures or with the privacy rule.

Business associates

A group health plan is required to enter into business associate contracts establishing the permitted and required uses and disclosures of PHI by the business associate, including not permitting the business associate to use or disclose PHI in a manner that would violate the privacy rule.

  • A business associate has generally been defined as any entity that, on behalf of a group health plan, performs or assists in the performance of functions that involve the use of PHI such as claims processing or administration, data analysis and/or transmissions, billing, benefit management, utilization reviews, or quality assurance. Furthermore, if an entity provides legal, accounting, consulting, management, administrative, or financial services for a group health plan in any other capacity other than as an employee of the group health plan, where the provision of such service involves the use of PHI, such entity is treated as a business associate subject to the requirements of the privacy rule. Please note that under final regulations issued in 2013, business associate status will be “triggered” where an entity creates, receives, maintains, or transmits PHI, and includes entities performing services such as claims administration, data analysis, utilization review, and other common functions undertaken by covered entities.
  • The contract must also provide that the business associate agrees, among other things, to:
    • not use or further disclose the information other than as permitted or required by the contract or as required by law
    • use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract
    • report to the group health plan any use or disclosure of the information not provided for by its contract of which it becomes aware
    • ensure that any agents, including a subcontractor, to whom it provides PHI received from (or created or received by) the business associate on behalf of the group health plan, agree to the same restrictions and conditions that apply to the business associate with respect to such information (noting that under the final health information technology for clinical health (HITECH) regulations, subcontractors and agents who are retained to help a business associate conduct covered functions will themselves be business associates)
    • at the termination of the contract, if feasible, return or destroy all PHI received from, or created or received by the business associate on behalf of, the group health plan that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Documentation

A group health plan must maintain all documentation (including policies, procedures, and required notices) required by the privacy rule for a period of six years from the date of its creation or the date when it last was in effect, if later. Such documentation must be made available to the workforce members responsible for implementing the group health plan’s policies and procedures.

Breach notification

Employer health plans and other covered entities (or their business associates) will have to make comprehensive and methodical risk assessments following the discovery of an impermissible use or disclosure of unsecured PHI. Upon completing this assessment, a plan or business associate will have to follow all the rules related to a breach of unsecured PHI, including notification to participants and HHS, unless the plan or business associate determines that there is a low probability that PHI has actually been compromised. To demonstrate that there is a low probability that PHI has been compromised, the risk assessment must consider at least the following factors:

  • the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • the unauthorized person who used the PHI or to whom the disclosure was made
  • whether the PHI was actually acquired or viewed
  • the extent to which the risk to PHI has been mitigated.

Exemption from the privacy rule requirements

An employer who sponsors a group health plan is not subject to the requirements of the privacy standards if benefits are provided under the plan solely through an insurance contract with a health insurance issuer or an HMO and the employer does not create or receive PHI with the exception of summary health information or enrollment information. An employer who sponsors a group health plan that meets this exception is only required to refrain from retaliatory or intimidating acts against individuals who exercise their privacy rights. A group health plan is also prohibited from requiring or requesting waivers of individual rights.

Penalties

A group health plan that fails to comply with the privacy rule is subject to a number of penalties. Civil penalties are based on a tiered system detailed below:

  • Unknowing violations - For unknowing violations, civil penalties ranging from $120-$60,226 per violation, not to exceed $1,806,757 in a calendar year.

  • Reasonable cause - For violations due to reasonable cause, civil penalties ranging from $1,205-$60,226 per violation, not to exceed $1,806,757 in a calendar year.

  • Willful neglect - For violations due to willful neglect, penalties of $11,904-$60,226 per violation, not to exceed $1,806,757 in a calendar year. However, if the violation is not corrected within 30 days of the first date and the person liable knew or should have known that the violation occurred, the penalty increases to at least $60,226, not to exceed $1,806,757 in a calendar year.

Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in prison.

Security of electronic information

HIPAA’s security regulations require a group health plan to protect the confidentiality, integrity, and availability of PHI when it is stored, maintained, or transmitted electronically. A group health plan must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of individually identifiable health information that is created, received, or maintained by the health plan electronically against any reasonably anticipated risks.

Requirements of the security regulations

The security regulations are broken down into five categories, each with different standards and implementation specifications. These categories include:

  1. administrative safeguards
  2. physical safeguards
  3. technical safeguards
  4. organizational requirements
  5. policies and procedures and document requirements.

The required specifications are critical and must be implemented. The addressable specifications may be implemented after the group health plan has performed the following analysis:

  • If the group health plan determines that an addressable specification is reasonable and appropriate, the specification must be implemented.
  • If the group health plan determines that the addressable specification is not reasonable and appropriate, but the overall standard can be met without implementing an alternative security measure, the group health plan must document the decision to not implement the addressable specification, the reasons why implementing the specification is not reasonable and appropriate, and how the plan intends to meet the security standard.
  • If the group health plan determines that the addressable specification is not reasonable and appropriate, but the overall standard can be met with the adoption of an additional security measure, the plan must document the reasons why implementing the specification is not reasonable and appropriate. Additionally, the plan must implement and document the alternative security measure that will satisfy the addressable specification.

Administrative safeguards

The regulations' administrative safeguards require a group health plan to have documented policies and procedures for managing day-to-day operations, the conduct and access of workforce members to electronically transmitted PHI, and the selection, development and use of security controls. The specific standards are as follows:

  • Security management process - An overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.

  • Assigned security responsibility - A single individual must be designated as having overall responsibility for the security of a group health plan’s electronically submitted PHI.

  • Workforce security - Policies, procedures, and processes must be developed and implemented that ensure only properly authorized workforce members have access to electronically submitted PHI.

  • Information access management - Policies, procedures, and processes must be developed and implemented for authorizing, establishing, and modifying access to electronically submitted PHI.

  • Security awareness and training - A security awareness and training program for a group health plan’s entire workforce must be developed and implemented.

  • Security incident procedures - Policies, procedures, and processes must be developed and implemented for reporting, responding to, and managing security incidents.

  • Contingency plan - Policies, procedures, and processes must be developed and implemented for responding to a disaster or emergency that damages information systems containing electronically submitted PHI.

  • Evaluation - A group health plan must perform periodic technical and non-technical evaluations that determine the extent to which its security policies, procedures, and processes meet the ongoing requirements of the security regulations.

  • Business associate contracts and other arrangements - Group health plans, as well as plan sponsors/employers, must, when dealing with business associates that create, receive, maintain, or transmit PHI electronically on the group health plan’s behalf, develop and implement contracts that ensure the business associate will appropriately safeguard the information.

Physical safeguards

The physical safeguards are a series of requirements meant to protect a group health plan’s electronic information systems and electronically submitted PHI from unauthorized physical access. A group health plan must limit physical access while permitting properly authorized access. The specific standards are:

  • Facility access controls - An overall requirement to implement policies, procedures, and processes that limit physical access to electronic information systems while ensuring that properly authorized access is allowed.

  • Workstation use - Policies and procedures must be developed and implemented that specify appropriate use of workstations and the characteristics of the physical environment of workstations that can access PHI electronically.

  • Workstation security - A group health plan must implement physical safeguards for all workstations that can access electronically submitted PHI in order to limit access to only authorized users.

  • Device and media controls - Policies, procedures, and processes must be developed and implemented for the receipt and removal of hardware and electronic media that contain electronically submitted PHI into and out of a group health plan, and the movement of those items within a group health plan.

Technical safeguards

The technical safeguards include several requirements for using technology to protect electronically submitted PHI, particularly controlling access to it. The specific standards are:

  • Access control - Policies, procedures, and processes must be developed and implemented for electronic information systems that contain PHI to only allow access to persons or software programs that have appropriate access rights.

  • Audit controls - Mechanisms must be implemented to record and examine activity in information systems that contain or use electronically submitted PHI.

  • Integrity - Policies, procedures, and processes must be developed and implemented that protect electronically submitted PHI from improper modification or destruction.

  • Person or entity authentication - Policies, procedures, and processes must be developed and implemented that verify persons or entities seeking access to electronically submitted PHI are who or what they claim to be.

  • Transmission security - Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to PHI that is being transmitted over an electronic communications network (for instance, the Internet).

Organizational requirements

The organizational requirements include standards on business associates and group health plans relating to the creation, receipt, maintenance, or transmission of electronic PHI. The specific standards are:

  • Business associate contracts or other arrangements - A covered entity must enter into a business associate agreement prior to permitting a business associate to create, receive, maintain, or transmit PHI electronically.

  • Requirements for group health plans - A group health plan must ensure its plan documents provide that the plan sponsor will properly safeguard electronically submitted PHI.

Policies and procedures document requirements

These requirements specify the policies and procedures and document requirements to comply with the security requirements. The specific standards are:

  • Policies and procedures - A covered entity or business associate must create and implement policies and procedures to comply with the security rule.

  • Documentation - All policies and procedures must be written and documented. A group health plan must maintain all documentation (including risk assessments, policies, and procedures) required by the security regulations for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, a group health plan must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of electronic PHI.

Penalties

The penalties for failing to comply with the security regulations are similar to the penalties for failing to comply with the privacy rule. Specifically, civil penalties are based on the tiered system discussed previously and range from $120 per violation, up to $1,806,757 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in prison.

Where to go for more information

This chapter is intended as a brief overview of the COBRA and HIPAA requirements under federal law. It is by no means exhaustive. Additional information may be acquired through consulting with an attorney or by contacting any of the following resources:

U.S. Department of Labor's (DOL)
Employee Benefit Security Administration (EBSA) National Office
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: (800) 368-1019
Toll-free: (877) 696-6775