Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) (Pub. L. 104-191) is designed to improve portability of health coverage by reducing exclusion periods for pre-existing conditions. HIPAA also prohibits group health plans from making eligibility decisions based on an individual's health status.

Other HIPAA provisions address administrative procedures to streamline and standardize the exchange of health care data. In conjunction with these so-called “administrative simplification” provisions, the law requires national standards for protecting the privacy of personal health information.

This summary outlines the law's requirements related to health care coverage and briefly discusses the requirements related to health information privacy.

Businesses Subject to HIPAA

If a plan has two or more participants, the HIPAA requirements related to health coverage apply. HIPAA applies to group health plans, including self-insured plans, employee welfare benefit plans maintained by employers, and plans maintained by self-employed persons. Employees are counted as of the first day of the plan year. HIPAA does not apply to state or local government plans, if the plan's administrator elects to be exempted.

Group Plans Subject to HIPAA

HIPAA's health coverage requirements do not apply to plans that are too limited in scope to be considered group health plans. Benefits provided under a separate plan that are not subject to HIPAA's requirements include:

  • Dental benefits;
  • Vision benefits; and
  • Long-term care insurance.

    Pre-Existing Condition Exclusion

    HIPAA restricts a group health plan's use of pre-existing condition exclusion periods, particularly for employees and other individuals who have a history of uninterrupted health insurance coverage. Under HIPAA, a group health plan cannot impose pre-existing condition limits for periods longer than 12 months, 18 months for late enrollees. The duration of these limits is reduced by one month for each month that an enrollee has previous creditable coverage, as long as the individual didn't experience a lapse in coverage of more than 63 days.

    A group health plan cannot impose a pre-existing condition exclusion for a newborn or adopted child who was enrolled in the plan within 30 days of birth or adoption. However, plans can apply the pre-existing condition exclusion to children who have had a break in coverage longer than 63 days.

    Any waiting periods for new hires to enroll and become covered by the plan must run concurrently with the pre-existing exclusion period. For instance, if an employer plan has an enrollment period that requires quarterly admissions or restricts new hires from enrolling until they have been employed three months, these waiting periods run concurrently with the pre-existing exclusion period.

    Example: An individual has just found a new job, but she has to wait until three months from her date of hire to participate in the company's health plan. She has a medical condition at the time she's hired. According to HIPAA, that pre-existing condition must be covered within nine months of her entry into the plan. This is calculated by reducing the 12-month condition limit period by the three-month waiting period prior to enrollment.

    Certificates of Creditable Coverage

    A certificate of creditable coverage is a document specifying the period that an employee was covered under a previous health plan. Either you or your insurance company must provide a certificate of creditable coverage to your employees when they lose coverage, become covered under COBRA's health care continuation provisions, or end a period of COBRA coverage. Employees also can request a certificate of creditable coverage any time within 24 months of losing coverage with the employer. Certification must be provided for the employee and any covered dependents.

    What Types of Discrimination Based on Health Status are Prohibited by HIPAA?

    Under HIPAA, group health plans cannot establish rules or procedures that effectively discriminate against certain conditions. For example, rules for eligibility or continued eligibility cannot take into account:

  • Medical conditions, including mental illness;
  • Claims experience;
  • Medical history;
  • Genetic information;
  • Evidence of insurability; or
  • Disability.

    What Does HIPAA Not Cover?

    HIPAA does not guarantee that an employee who changes jobs will get health coverage on the new job, and it also does not guarantee any health coverage available on the new job will be affordable.

    Unlike COBRA, HIPAA does not guarantee individuals can maintain the same group health plan for a period of time after a job change.

    What Privacy Protections for Health Information Does HIPAA Require?

    HIPAA's privacy protections are designed to restrict access to and use and disclosure of individually identifiable health information. The privacy requirements do not apply directly to employers, but they do apply to many employer-sponsored group health plans. Other covered entities that must comply with the privacy requirements are health care providers and health care clearinghouses.

    Protected health information under HIPAA includes medical records and any other individually identifiable information maintained or disclosed by covered group health plans, health care providers, and health care clearinghouses.

    Under the privacy requirements, patients and group health plan participants must receive information on how the plan or provider will use, maintain, and disclose their medical records. In addition, patients have the right to review their records, request changes to their records, and receive a list of any disclosures made of their records. Most routine health information exchanges relating to treatment, payment, and certain health care operations do not require special consent from the patient. However, other uses and disclosures of a patient's records require specific authorization, and individuals can request to restrict the use and disclosure of their information.

    Violations of the privacy requirements carry civil penalties and criminal penalties, including up to 10 years in prison.

    How do the Privacy Rules Affect Employers That Sponsor Group Health Plans?

    A plan sponsor's duties depend on whether it receives protected health information, basic summary information—that is, records on the types, history, or costs of claims without any personally identifying information—or no health records. Plan sponsors that receive no protected health information or only summary data used for obtaining insurance bids or modifying, amending, or terminating the group health plan are exempt from many HIPAA privacy rules. However, greater duties apply to employers that are more extensively involved in implementing and carrying out plan functions.

    Compliance

    Basic steps for compliance with the privacy requirements include designating which employees can access protected health records for plan administration purposes and establishing firewalls that prohibit use of these records for employment actions and employment-related decisions. Group health plan documents also must be amended to state the permitted uses and disclosures of health information and the plan sponsor's commitment to adhere to these restrictions for any health information it receives from the plan.

    Additional Requirements

    Employers whose staffs handle substantial plan administrative duties and routinely deal with protected health information must meet additional requirements, such as:

  • Notifying plan participants of their privacy rights and protections;
  • Safeguarding against unauthorized disclosure or use of the information;
  • Training those employees who have access to the information;
  • Establishing oversight and complaint mechanisms; and
  • Taking steps to ensure that business associates—such as third-party administrators and consultants—also maintain appropriate safeguards.

    Health Records Not Affected by the Privacy Rules

    HIPAA's rules do not apply to several types of medical information dealt with by employers. For example, the protections do not apply to employment records gathered solely to implement an employer's business practices or legal duties, such as doctors' notes verifying the need for sick leave, medical condition certifications for purposes of the Family and Medical Leave Act, fitness-for-duty examinations, workers' compensation records, and occupational safety and health records.

    Keep in mind, however, that such records still might have privacy protections under laws other than HIPAA. For example, the Americans with Disabilities Act imposes strict confidentiality requirements on any medical information obtained from employees, regardless of whether they have disabilities. In addition, certain employers that provide health care services to their workers can encounter situations where the same record is protected and exempt under HIPAA's rules. The determining factor in these situations is not the nature of information contained in the record, but the purpose or function for which the record is created or used.

    Example: A health care provider that administers drug screening tests to its own staff initially must treat those tests as health records protected by HIPAA's privacy requirements. However, once the test results are turned over to the provider acting as the employer and placed in an employee's personnel file, they no longer are considered medical records subject to the privacy rule.

    A hospital that provides medical treatment to one of its employees likewise must prevent unauthorized disclosure of these records, but once the employee authorizes release of this information for an employment-related purpose—such as verifying the need for accommodation under ADA—this information becomes an employment record that is subject to ADA record keeping rules, but not the HIPAA privacy requirements.

    Penalties for HIPAA Violations

    If you fail to meet the legal requirements for plan availability and portability under HIPAA, you can receive a penalty of $100 per day for each person affected by the violation, up to a maximum of $500,000. No penalty cap applies to violations caused by willful neglect. On the other hand, penalties will not apply if a failure occurs for reasonable cause and is corrected within 30 days from the date the employer knew or should have known of the failure.

    Enforcement

    The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E).

    How OCR Enforces HIPAA

    One of the ways that OCR carries out this responsibility is to investigate complaints filed with it.

    OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with the Privacy Rule’s requirements.

    OCR May Only Take Action on Certain Complaints

    See What OCR Considers during Intake and Review of a Complaint for a description of the types of cases in which OCR cannot take an enforcement action.

    If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.

    If a complaint contains information about an incident or problem that could also be a violation of the HIPAA Security Rule (45 C.F.R. Parts 160 and 164, Subparts A and C), OCR coordinates its investigation with the Centers for Medicare & Medicaid Services (CMS), which is the agency within HHS that is responsible for enforcing the Security Rule. If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.

    OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.

    Most Privacy Rule investigations are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.

    If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.

    For more information regarding COBRA and how it may affect your company, contact Almond Valley Insurance Services, Inc. or visit the Department of Health and Human Services online.