This Massachusetts Human Resources Manual is offered to you for free. Find state specific laws and regulations below.

Health insurance portability and privacy — Massachusetts


The Health Insurance Portability and Accountability Act (HIPAA) regulates the medical coverage of employer-sponsored group health plans by:

  • requiring a group health plan to limit exclusions based upon preexisting conditions
  • prohibiting plans from denying coverage to individuals or charging higher premiums based on health status, medical history, or certain other factors
  • guaranteeing renewability of coverage to certain individuals
  • requiring a group health plan to provide for the privacy and security of plan participants’ individually identifiable health information.

Employers who violate HIPAA’s provisions may face fines and lawsuits.


For the purpose of HIPAA’s requirements, health insurance coverage means benefits for medical care under any hospital or medical service policy or certificate, hospital or medical service plan contract, or HMO contract offered by a health insurance issuer. It does not cover:

  • accident-only coverage
  • disability income insurance
  • liability insurance, including general liability insurance and automobile liability insurance
  • workers' compensation or similar insurance
  • automobile medical payment insurance
  • credit-only insurance (such as mortgage insurance)
  • coverage for on-site medical clinics.

HIPAA also excludes from its coverage certain dental and vision benefits and long-term care benefits when they are provided under a separate policy, certificate, or contract of insurance, or are otherwise not an integral part of the plan. Also, HIPAA does not cover flexible spending accounts or health savings accounts.

HIPAA requirements also generally do not apply to government plans or to a group health plan for any year in which the plan has only one employee-participant on the first day of the plan year.

Protections for individuals changing coverage

HIPAA provides protection to individuals who are changing jobs or health coverage by restricting the ability of the new group health plan to limit coverage for prior medical conditions or other health status factors.

Limitations on imposing preexisting condition exclusions

Many group health plans limit or exclude benefits for expenses incurred as a result of conditions that exist before an individual joins the plan. Under HIPAA, a group health plan (or a health insurance issuer offering group health insurance coverage) may only impose this type of exclusion when it meets these requirements:

  • Six-month look-back rule - A preexisting condition exclusion (PCE) may be imposed only for a preexisting condition, which is defined as a medical condition for which medical advice, diagnosis, care or treatment was recommended or received within the six-month period prior to the enrollment date. Medical care or treatment includes taking a prescribed drug during the look-back period, even if prescribed more than six months before the enrollment date. A group health plan may not exclude or limit benefits based on genetic information alone, without diagnosis of a specific related condition.
  • Twelve-month look-forward rule - The group health plan may not limit benefits for a preexisting condition for a period longer than the 12-month period after the enrollment date. However, this rule does not apply to individuals who do not enroll in the plan when they are first eligible to enroll or during a special enrollment period (as discussed below). These individuals are considered to be “late enrollees,” and the plan may impose its PCE for up to 18 months on these enrollees.
  • Reduction of exclusion period by creditable coverage - The group health plan must reduce the PCE period by the length of the individual’s prior creditable coverage under another plan. However, prior periods of creditable coverage generally do not count toward reducing the PCE period if the individual experienced a break in coverage of 63 days or more. A group health plan cannot impose any PCE for pregnancy. Also, a group health plan’s PCE may not apply to a newborn or adopted child if that child has creditable coverage by the 30th day following his or her birth, adoption or placement for adoption, and the child is subsequently enrolled in the group health plan without a significant break in coverage.

Notice requirements

To impose a PCE, a group health plan must provide, as part of its enrollment materials, a written notice explaining the existence, length and terms of the PCE. The notice must explain that creditable coverage reduces the length of the PCE, that the individual has the right to demonstrate creditable coverage, and that the individual has the right to request a certificate of creditable coverage from his or her prior plan. The notice must include a contact person (with telephone number or address) for assistance or additional information in obtaining a certificate.

Creditable coverage

In general, creditable coverage means health coverage provided to an individual under programs such as:

  • a group health plan
  • another group or individual health insurance policy
  • Medicare or Medicaid
  • Chapter 55 of Title 10 of the U.S. Code (medical coverage for members of the uniformed services)
  • a public health plan (as defined in regulations)
  • State Children's Health Insurance Program.

A group health plan will not count a period of creditable coverage when there is a break in coverage of at least 63 days (other than any applicable waiting period) between the end of the creditable coverage period and the participant’s or beneficiary’s enrollment date under the new group health plan. Under the American Recovery and Reinvestment Act of 2009 (ARRA), an individual who elects COBRA coverage during the extended election period created by that law is treated differently: the days between the loss of coverage and the first day of that extended election period are disregarded when counting the 63-day break (as discussed in Health insurance continuation coverage).

Calculation of periods of creditable coverage

A group health plan may count periods of creditable coverage without regard to the specific benefits provided under such coverage. Alternatively, the group health plan may count the periods of creditable coverage based on the type of benefits (such as mental health, prescription drugs or dental care).

Certificates of creditable coverage

In general, an individual proves that he or she had prior creditable coverage by presenting a certificate of creditable coverage from the old group health plan to the new group health plan. 

A group health plan must provide a plan participant with a certificate of coverage without charge, on each of the following occasions:

  • At the time a plan ceases to cover a plan participant (or when the plan would cease to cover the individual were it not for continuation of coverage under COBRA or state law). The participant should receive this certificate at a time consistent with notices required under COBRA. For a participant not entitled to elect COBRA coverage, the certificate must be provided within a reasonable period of time after coverage ends. The group health plan must also provide a certificate automatically to any qualified beneficiary at the end of his or her COBRA coverage period.
  • Upon request by a plan participant within 24 months of the loss of coverage.

The summary plan description provided to plan participants and beneficiaries must include an explanation of the procedures a participant must follow to obtain a certificate.

Self-insured group health plans bear the responsibility of providing the certificates. If the plan is a fully insured group health plan, the health insurer will normally fulfill these obligations. However, the plan sponsor must verify with the health insurer that the certificates are being provided as required.

Rules related to certification

  • A plan may provide a single certificate for a participant and his or her dependents if the period of coverage is identical for each individual. However, if plan coverage information is different for each family member, each individual’s information must be separate and clear on the certificate.
  • The certificate should be sent by first-class mail to the participant’s last known address. If a dependent’s last known address is different from the participant’s last known address, a separate certificate must be mailed to the dependent’s last known address.
  • If the participant designates another individual or entity to receive the certificate, the certificate may be provided to that individual or entity.

Demonstrating creditable coverage through other means

If the accuracy of a certificate is in question or a certificate of creditable coverage is not available, an individual may demonstrate creditable coverage (and any waiting periods) with other documentation. The plan may not consider an individual’s inability to obtain a certificate to be evidence of the absence of creditable coverage. Documents that may establish creditable coverage in the absence of a certificate include:

  • explanations of benefit forms
  • pay stubs showing payroll deduction for health coverage
  • verification by a doctor or former health plan
  • copies of premium payments or other documents showing health care coverage.

The plan must take into account all information that it receives on behalf of an individual to determine whether the individual has creditable coverage to offset a portion of the PCE period.

A plan shall treat the individual as having furnished a certificate if he or she:

  • attests to the period of creditable coverage
  • presents relevant supporting evidence of some creditable coverage during the period
  • cooperates with the plan’s efforts to verify the individual’s coverage. (Cooperating with the plan includes, among other things, providing a written authorization for the plan to request a certificate on the individual’s behalf.)

Notification of preexisting condition exclusion periods

A plan seeking to impose a PCE is required to disclose to the individual, in writing, its determination of any PCE period that applies to the individual as well as the basis for the determination (including the source and substance of any information on which the plan relied). In addition, the plan is required to provide the individual with a written explanation of any appeal procedures established by the plan and with a reasonable opportunity to submit additional evidence of creditable coverage.

Acquiring new dependents

HIPAA also requires a group health plan to permit a special enrollment period when an employee acquires a new dependent through marriage, birth or adoption. In general, if an eligible individual gains a dependent through marriage, birth, adoption or placement for adoption, the group health plan must permit the individual, the new spouse and any new dependent, to enroll in the plan. The individual generally must notify the plan of the special enrollment event within 30 days to be eligible for special enrollment. Coverage shall become effective on the following dates:

  • in the case of marriage, not later than the first day of the first month beginning after the date the completed request for enrollment is received
  • in the case of a dependent’s birth, as of the date of such birth
  • in the case of a dependent’s adoption or placement for adoption, the date of such adoption or placement for adoption.

Special enrollment periods

Generally, a group health plan may limit the times when an individual may enroll in the plan. However, HIPAA requires group health plans to establish special enrollment periods in certain circumstances. As noted above, an individual who enrolls for coverage in a group health plan after the first period in which he or she is eligible to enroll generally can be subject to an 18-month PCE as a “late enrollee.” However, any individual who enrolls in a group health plan during one of the special enrollment periods set forth herein is not considered a “late enrollee” and is, therefore, subject only to a 12-month PCE period.

Notice of special enrollment rights

On or before an employee enrolls in a group health plan, the plan must provide the employee with a description of the HIPAA special enrollment rules. The Department of Labor provides sample notice language that plans may use for this purpose.

Prohibition against discrimination based on health status

Eligibility for coverage

A group health plan cannot discriminate against any individual with respect to coverage or continued coverage or premium amounts based on any of the following factors:

  • health status
  • medical condition (including both physical and mental illness)
  • claims experience
  • receipt of health care
  • medical history
  • genetic information
  • evidence of insurability
  • disability.

These requirements, however, do not prevent a group health plan from limiting the amount, level, extent, or nature of the benefits provided as long as such limitations do not discriminate among similarly-situated individuals. Thus, a group health plan could choose not to cover experimental medical procedures or choose to limit the benefits for experimental medical procedures, provided this limitation applies equally to all similarly situated individuals.


A group health plan cannot require an individual to pay a higher premium based on a health-related factor. However, the plan may charge different premiums for different classes of employees (such as full-time and part-time employees), as long as the different classes are based on bona-fide distinctions unrelated to health factors.

A group health plan may offer premium discounts, rebates, and adjustments to deductibles or copayments in exchange for adherence to health promotion and disease prevention programs such as weight loss or non-smoking programs. If these incentives are contingent on particular results (such as specified blood pressure levels or not smoking), then a number of restrictions apply.

Penalties for noncompliance

Failure to meet the requirements of HIPAA may expose an employer to lawsuits brought by group health plan participants or cause an employer to incur tax liability.

Amount of the tax

An employer whose group health plan fails to meet the HIPAA requirements incurs a tax penalty of $100 for each day of the non-compliance period for each affected individual. The noncompliance period begins on the date the failure occurs and ends on the date the plan is corrected.

Limitations on amount of the tax

  • No tax is imposed during any period if the IRS determines that the employer or insurer was not aware that the health plan was not in compliance, and could not have discovered the non-compliance by the exercise of reasonable diligence.
  • No tax is imposed if the failure is due to reasonable cause and is corrected within 30 days of the date it is (or should have been) discovered.
  • For unintentional failures, the tax is capped at the lesser of $500,000 or 10% of the amount paid or incurred by the employer during the preceding tax year for group health plans (or for multiple employer plans, the lesser of $500,000 or 10% of the amount paid by the trust to provide medical care during such taxable year).
  • For small employers (generally, an employer that employs an average of two to 50 employees) that provide health insurance coverage solely through a contract with a health insurance issuer, no tax shall be imposed on the employer for any failure that is solely because of the health insurance coverage offered by such insurer.
  • The IRS has the discretion to reduce the amount of a tax penalty if it finds the penalty to be excessive in relation to the failure and if the failure is due to reasonable cause, and not willful neglect.

Privacy of health information

HIPAA also includes provisions to protect participants’ medical records and other individually identifiable health information when the information is created, received, or maintained by a group health plan. Such information is called protected health information (commonly abbreviated PHI).

Limits on use of personal medical information

HIPAA limits how a group health plan may use PHI. The law permits a group health plan to use or disclose an individual’s health information for treatment, payment, and health care operations without the individual’s authorization; however, it may only use or share the minimum amount of information necessary for the purpose and, generally, may only disclose the information to entities that are also subject to HIPAA’s privacy requirements.

Generally, a group health plan may not otherwise use or disclose PHI without a plan participant’s written authorization.

Access to medical records

A plan participant generally may see and obtain copies of his or her medical and claim records, and may request corrections of any identified errors and mistakes. The group health plan may charge plan participants a reasonable, cost-based fee for copying and sending the records, but it must provide access to the records within 30 days of the request. If the participant identifies errors and requests that the records be amended, the plan must act on the request: it must either make the amendment or give the participant a written denial that states the basis for the denial and explains the participant’s right to submit a written statement of disagreement.

Notice of privacy practices

A group health plan must provide notice to its plan participants concerning the participants’ privacy rights, as well as how the plan intends to use participants’ private health information. While plan participants have the right to ask the group health plan to restrict the use or disclosure of information beyond the practices included in plan’s notice, group health plans are not required to comply with these requests.

Confidential communications

A group health plan must allow a plan participant to receive confidential communications concerning his or her PHI by alternative means or at alternative locations if the individual states that the standard disclosure could endanger the individual. The group health plan must comply with such requests when it can reasonably do so.

Public responsibilities

In limited circumstances, HIPAA permits a group health plan to disclose limited amounts of PHI to satisfy specific public needs.

These permitted disclosures include:

  • those required by law
  • emergency circumstances
  • identification of the body of a deceased person or the cause of death
  • public health needs
  • judicial and administrative proceedings
  • limited law enforcement activities
  • activities related to national defense and security.


Plan participants may file formal complaints regarding the privacy practices of a group health plan. Such complaints may be made directly to the group health plan or to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, which is the agency that investigates and enforces HIPAA privacy law.

Written privacy procedures

HIPAA privacy regulations require that a group health plan have written privacy procedures, including a description of those individuals who have access to protected information, how the information will be used, and when it may be disclosed. A group health plan must implement policies and procedures with respect to PHI that are designed to comply with HIPAA. The group health plan’s policies and procedures must take into account the size of the group health plan and the types of activities in which the group health plan engages. The group health plan must also regularly revise its policies and procedures to reflect changes in the law and in the plan’s privacy practices.

Employee training and privacy officer

A group health plan is required to designate an individual to be responsible for developing the privacy policies and procedures. This individual must also receive complaints from plan participants and beneficiaries, as well as provide information regarding the group health plan’s notice of privacy practices. The group health plan must also provide adequate training to employees in the plan’s privacy policies and procedures.

Adequate separation

A group health plan must ensure that its plan documents provide for adequate separation between the group health plan and the plan sponsor. Specifically, the plan documents must identify the employees (or classes of employees) of the plan sponsor who may access PHI, and must restrict that access to plan administration functions performed on behalf of the plan. The plan documents further must provide for the means to resolve any issues arising from those employees’ non-compliance with the plan’s policies and procedures or with the privacy rules.

Business associates

Before a group health plan discloses PHI to a business associate, it must enter into a contract with the entity to establish the permitted and required uses and disclosures of information by the business associate. Specifically, the group health plan must include language to prohibit the business associate from using or disclosing PHI in a manner that would violate HIPAA privacy rules.

A business associate is any entity that, on behalf of a group health plan, performs functions that involve the use of PHI, such as claims processing or administration, data analysis or transmission, billing, benefit management, utilization reviews or quality assurance. Furthermore, if an entity provides legal, accounting, consulting, management, administrative or financial services for a group health plan in any capacity other than as an employee of the group health plan, such entity is considered a business associate subject to the requirements of the HIPAA privacy rules.

The contract must also provide that the business associate agrees, among other things, to:

  • not use or further disclose information other than as permitted or required by the contract or as required by law
  • use appropriate safeguards to prevent use or disclosure of information other than as provided for by its contract
  • report to the group health plan any use or disclosure of information not provided for by its contract of which it becomes aware
  • ensure that any agents to whom it provides PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information
  • at the termination of the contract, if feasible, return or destroy all PHI that the business associate maintains in any form or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further use and disclosure of PHI.


A group health plan must maintain all documentation (including policies, procedures, and required notices) required by HIPAA for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Such documentation must be made available to the workforce members responsible for implementing the group health plan’s policies and procedures.

Exemption from the privacy rules

An employer that sponsors a group health plan is not subject to the requirements of the privacy standards if benefits are provided under the plan solely through an insurance contract with a health insurance issuer or an HMO and the employer does not create or receive PHI (except for summary health information or enrollment information). The only requirement for an employer that meets the above requirements is to refrain from retaliatory or intimidating acts against individuals who exercise their privacy rights. A group health plan may not require or request waivers of individual rights.


A group health plan that fails to comply with HIPAA privacy rules is subject to a number of penalties. Civil penalties are based on a tiered system keyed to the plan’s level of culpability, with an annual cap for all violations of the same requirement; the dollar amounts are adjusted for inflation each year, so the figures below are current only as of the adjustment they reflect:

  • For violations the plan did not know of (and, exercising reasonable diligence, would not have known of), at least $120 per violation, not to exceed $60,226 in a calendar year.
  • For violations due to reasonable cause and not willful neglect, at least $1,205 per violation, not to exceed $60,226 in a calendar year.
  • For violations due to willful neglect that are corrected within 30 days of the first date the plan knew or should have known that the violation occurred, at least $12,045 per violation, not to exceed $60,226 in a calendar year.
  • For violations due to willful neglect that are not corrected within that 30-day period, at least $60,226 per violation, not to exceed $1,806,757 in a calendar year.
  • Criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA range from up to $50,000 in fines and one year in prison, to up to $250,000 in fines and 10 years in prison where the offense is committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm.

Security of health information

HIPAA’s security regulations require a group health plan to protect the confidentiality, integrity, and availability of PHI when it is stored, maintained, or transmitted electronically. A group health plan must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI against any reasonably anticipated risks.

Requirements of the security regulations

The security regulations provide 36 implementation specifications, which fall into two categories:

  1. 14 required specifications
  2. 22 addressable specifications.

The group health plan must implement the 14 required specifications. By contrast, the group health plan decides whether and how to implement each of the 22 addressable specifications after performing the following analysis (“addressable” does not mean optional; the analysis and its outcome must be documented):

  • If the group health plan determines that an addressable specification is reasonable and appropriate, the specification must be implemented.
  • If the group health plan determines that an addressable specification is not reasonable and appropriate, but the overall security standard may be met without implementing the specification, it must document the decision not to implement the addressable specification, the reasons why implementing the specification is not reasonable and appropriate, and how the plan intends to meet the security standard.
  • If the group health plan determines that the addressable specification is not reasonable and appropriate, but the overall standard may be met with the adoption of an alternative security measure, the plan must document the reasons why implementing the specification is not reasonable and appropriate. In addition, the plan must implement and document the alternative security measure that satisfies the standard the addressable specification was meant to serve.

Administrative safeguards

The regulations’ administrative safeguards require a group health plan to have written policies and procedures concerning its security controls. The policies and procedures must address the following standards:

  • Security management process - The group health plan must implement policies to prevent, detect, contain and correct security violations.
  • Assigned security responsibility - The group health plan must designate an individual to have responsibility for the security of a group health plan’s electronic PHI.
  • Workforce security - The group health plan must implement policies to ensure that only properly authorized employees have access to electronic PHI.
  • Information access management - The group health plan must implement policies for authorizing, establishing, and modifying access to electronic PHI.
  • Security awareness and training - The group health plan must implement a security awareness and training program for its entire workforce.
  • Security incident procedures - The group health plan must implement policies for reporting, responding to, and managing security incidents.
  • Contingency plan - The group health plan must implement policies for responding to a disaster or emergency that damages information systems containing electronic PHI.
  • Evaluation - The group health plan must perform periodic technical and non-technical evaluations to determine the extent to which its security policies meet the ongoing requirements of the security regulations.
  • Business associate contracts and other arrangements - Group health plans, as well as plan sponsors/employers, must enter into contracts with business associates to protect PHI.

Physical safeguards

HIPAA also has a series of requirements to protect a group health plan’s electronic information system from unauthorized physical access.

The specific standards are listed herein:

  • Facility access controls - The group health plan must implement policies that limit physical access to electronic information systems, while ensuring that it permits properly authorized access.
  • Workstation use - The group health plan must implement policies concerning appropriate use of workstations and the specific characteristics of the physical workspace where employees may access electronic PHI.
  • Workstation security - The group health plan must implement physical safeguards for all workstations that may access electronic PHI in order to limit access to only authorized users.
  • Device and media controls - The group health plan must implement policies for the receipt and removal of hardware and electronic media that contain electronic PHI.

Technical safeguards

Group health plans must meet technical requirements to safeguard electronic PHI. 

The specific standards are:

  • Access control - The group health plan must implement policies for electronic information systems that contain PHI to only allow access to persons or software programs that have appropriate access rights.
  • Audit controls - The group health plan must implement mechanisms to record activity in information systems that contain electronic PHI.
  • Integrity - The group health plan must implement policies that protect electronic PHI from improper modification or destruction.
  • Person or entity authentication - The group health plan must implement policies that verify the identity of persons or entities seeking access to electronic PHI.
  • Transmission security - The group health plan must implement policies to prevent unauthorized access to electronic PHI that it transmits over an electronic communications network (such as the Internet).


The group health plan must maintain all of its policies and procedures in writing. Documentation required by the HIPAA security regulations (including risk assessments, policies and procedures) must be retained for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. The group health plan must make this documentation available to its employees who implement the policies. In addition, the plan must periodically review its documentation and update it as needed to ensure the confidentiality, integrity and availability of electronic PHI.


The penalties for failing to comply with the security regulations are the same as the penalties for failing to comply with HIPAA privacy rules. Specifically, civil penalties are based on the tiered system that ranges from $120 per violation up to an annual cap of $1,806,757 for each requirement violated, with the dollar amounts adjusted for inflation each year. Criminal penalties range from up to $50,000 in fines and one year in prison to up to $250,000 in fines and 10 years in prison.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, greatly expands the privacy and security provisions of HIPAA (including extending the security rules directly to business associates and adding breach notification requirements) and mandates extensive new regulations concerning electronic medical records. Most of these changes became effective as of February 17, 2010 and are not discussed in this chapter.

Where to go for more information

This chapter is intended as a brief overview of the HIPAA requirements under federal law. It is by no means exhaustive. Employers should consider consulting an attorney for more information, or contacting the following sources:

Employee Benefits Security Administration (EBSA), Department of Labor

Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C., 20201
Toll-free: (877) 696-6775