Employer group health plans are also subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).203
HIPAA Portability Requirements
HIPAA’s portability, special enrollment, pre-existing condition exclusions restrictions, and nondiscrimination requirements apply generally to group health plans. HIPAA prohibits group health plans from discriminating against employees based on their health status and grants certain health plan enrollment rights to employees. The main purpose of HIPAA, however, is to ensure that workers who change jobs will not lose health insurance coverage due to exclusions for pre-existing conditions.
Under HIPAA, group health plans may not exclude coverage for pre-existing conditions for longer than 12 months (18 months for late enrollees).204 In addition, any exclusion period is reduced by an employee’s period of coverage under a prior employer’s group health plan. The pre-existing exclusion period runs from the enrollment date, or if there is a waiting period, from the first day of the waiting period.205
Group health plans must provide “certificates of creditable coverage” to employees who lose coverage, and accept such certificates from other plans.206 Insurance companies will often take responsibility for complying with HIPAA’s notice and administrative requirements, but employers with insured plans should verify that their insurer is complying with HIPAA. Employers that maintain self-funded health plans are on their own, and should seek assistance from legal counsel to develop the appropriate notices and forms (or contract with a third party administrator for HIPAA compliance services).
The final HIPAA portability regulations contain a new model certificate of creditable coverage containing a new required educational statement.207 The final regulations apply to plan years beginning on or after July 1, 2005. The model certificate for group health plans can be found at http://www.dol.gov/ebsa/hipaamodelnotice.doc. Employers and Plan Administrators are cautioned that this Notice will require tailoring to the particular group health plan, and therefore, they should consult with legal counsel for revisions prior to use.
HIPAA Privacy Standards
When HIPAA was originally enacted, it did not contain detailed privacy standards, but required further regulations to be promulgated. The HIPAA final privacy regulations were published on August 14, 2002, and impose rules surrounding the use and disclosure of individuals’ protected health information. The recently passed stimulus bill, the American Recovery and Reinvestment Act of 2009 (“ARRA”), includes provisions that will significantly change the HIPAA privacy regulations for both “covered entities” and “business associates” (defined below). Consult with legal counsel to determine the extent to which the HIPAA privacy regulations apply and the steps required to comply.
HIPAA’s privacy standards only apply to “covered entities.” Group health plans, health care providers, and health care clearinghouses are considered “covered entities” required to comply with the HIPAA privacy rules.208 While employers are technically not covered under the privacy rules, they will essentially have to comply if they sponsor a group health plan and perform administrative functions which involve handling protected health information on behalf of the plan.
Group health plans with fewer than 50 participants and that are administered by the employer are specifically excluded from the definition of a group health plan, and are therefore not subject to HIPAA’s privacy standards.209
Deadlines to Comply
Covered entities were required to comply with the privacy rules by April 14, 2003. Small health plans (those with annual gross receipts of less than $5 million in claims or premiums) had until April 14, 2004 to comply.
Protected Health Information
Protected Health Information, otherwise known as “PHI,” is defined under HIPAA’s privacy regulations to be individually identifiable information that is maintained or transmitted by a covered entity, and is subject to the following specific exclusions:
- individually identifiable health information contained in education records covered by the Family Educational Rights and Privacy Act (FERPA):
- health care records of students in post-secondary degree programs; and employment records held by a covered entity in its role as an employer.210
Use and Disclosure
Covered entities are only permitted to use or disclose PHI as set forth under the privacy standards. Under these rules, covered entities may use or disclose PHI for treatment, payment or health care operations purposes, which are specifically defined.211 A signed authorization is usually required for further use or disclosure,212 although there are exceptions, such as to avoid a serious threat to health or safety, for public policy purposes, for public health activities, or as required by law, among others.213
HIPAA’s privacy rules guarantee individuals specific rights with respect to their health information, including the right to:
- receive a copy of the covered entity’s Notice of Privacy Practices;
- inspect and copy protected health information contained in their designated record set;
- receive an accounting of disclosures made by the covered entity;
- amend or correct inaccurate or incomplete PHI; and
- request additional restrictions on the use and disclosure of their own PHI.214
Covered entities are required to develop and provide a copy of their privacy practices to each individual that is the subject of the PHI. The regulations specify specific information that the notice must contain, including the types of uses and disclosures that the covered entity is permitted to make.215 A fully insured group health plan’s insurer will generally have the obligation to provide the notice to the insured. Self-funded plans must provide their own notice.
HIPAA’s privacy standards require covered entities to take specific actions designed to protect the privacy of an individual’s PHI, including, but not limited to:
- designating a privacy official who is responsible for developing and implementing privacy policies and procedures;
- designating a contact person responsible for receiving complaints;
- providing training to all members of the covered entity’s workforce on policies and procedures with respect to PHI;
- establishing safeguards to protect the privacy of the PHI (physical and technical);
- developing a complaint procedure;
- developing appropriate sanction/disciplinary procedures for employees who violate the privacy rules; and implementing policies and procedures to comply with the privacy rules.216
Business associates are outside entities or individuals that assist covered entities in performing their functions. HIPAA’s privacy rule requires that a covered entity enter into a written contract or other arrangement with the business associate in order to disclose PHI to the business associate, and in order to allow the business associate to create or receive PHI on behalf of the covered entity.217 For example, business associates can be providers of legal, actuarial, accounting, consulting, management or financial services.218
Fully Insured Group Health Plans
Employers who sponsor fully insured group health plans and do not create, maintain or receive PHI (i.e., are “hands-off”) will have vastly reduced obligations under HIPAA’s privacy standards. In this situation, the requirements to comply with the use and disclosure rules, provide the HIPAA privacy notice, comply with the various individual rights, and comply with HIPAA’s administrative safeguards are imposed upon the insurer.219
HIPAA’s Privacy Standards Enforcement
Individuals do not have a private cause of action when their HIPAA privacy rights have been violated. However, such individuals may file a complaint with the federal Health and Human Services’ (“HHS”) Office of Civil Rights, which will accept and investigate complaints. The HHS has the authority to impose civil penalties of up to $100 per violation (maximum of $25,000 per calendar year) for violation of HIPAA’s privacy rules against the offending covered entity.220 In addition, criminal penalties may apply if a person knowingly misuses a unique health identifier or improperly discloses or obtains individually identifiable health information.221 The criminal penalties can be fines of up to $50,000 or imprisonment for up to a year, or both, for knowing violations, or fines of up to $250,000 or imprisonment for up to ten years, or both, where the offense is with the intent to sell, transfer or use the individually identifiable health information for commercial advantage, personal gain or malicious harm.
The U.S. Department of Justice has the authority to enforce HIPAA’s criminal penalties.
For More Information
The U.S. Department of Health and Human Services’ website is located at www.hhs.gov and provides answers to frequently asked questions regarding HIPAA privacy compliance.
However, because HIPAA’s privacy standards are so complex and detailed, plan sponsors should consult with legal counsel to ensure proper and complete HIPAA compliance.