HIPAA overview

Scope

The Act affects all healthcare organizations, including all health care providers, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities. It is administered by The Employee Benefits Security Administration (EBSA).

Regulatory citations

• None

Key definitions

• None

Summary of requirements

HIPAA:

• Includes protections for coverage under group health plans that limit exclusions for preexisting conditions (preexisting condition exclusions were subsequently eliminated under the Affordable Care Act);
• Prohibits discrimination against employees and dependents based on their health status; and
• Allows a special opportunity to enroll in a new plan to individuals in certain circumstances.

HIPAA may also give employees a right to purchase individual coverage if they have no group health plan coverage available, and have exhausted Consolidated Omnibus Budget Reconciliation Act (COBRA) or other continuation coverage.

HIPAA protects workers and their families by the following:

• Limiting exclusions for preexisting medical conditions (known as preexisting conditions);
• Providing credit against maximum preexisting condition exclusion periods for prior health coverage and a process for providing certificates showing periods of prior coverage to a new group health plan or health insurance issuer;
• Providing new rights that allow individuals to enroll for health coverage when they lose other health coverage, get married, or add a new dependent;
• Prohibiting discrimination in enrollment and in premiums charged to employees and their dependents based on health status-related factors;
• Guaranteeing availability of health insurance coverage for small employers and renewability of health insurance coverage for both small and large employers;
• Preserving the states’ role in regulating health insurance, including the states’ authority to provide greater protections than those available under federal law; and
• Improving disclosure about group health plans

Special enrollment rights are provided for:

• Individuals who lose their coverage in certain situations, including on separation, divorce, death, termination of employment and reduction in hours. Special enrollment rights also are provided if employer contributions toward the other coverage terminates; and
• Employees, their spouses and new dependents upon marriage, birth, adoption or placement for adoption

Discrimination prohibitions. Ensure that individuals are not excluded from coverage, or charged more for coverage offered by a plan or issuer, based on health status-related factors.

Disclosure requirements. Plans are required to:

• Furnish a summary of any “material reduction in covered services or benefits” generally within 60 days after the change has been adopted by the plan.
• If an insurance company is used by the plan, list in the Summary Plan Description (SPD) the name and address of the insurer, the services it provides, and an explanation of whether benefits under the plan are guaranteed under an insurance contract or policy.
• Include in their SPD information about where participants and beneficiaries can get assistance or information from the Department of Labor about their rights under ERISA, including rights under HIPAA.
• The disclosure rules also provide guidance on the use of electronic media (e.g., email) to furnish covered workers with required group health plan disclosures.

Privacy. Title II of the Act includes a section, Administrative Simplification, requiring improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data. Compliance deadline for the privacy requirements was April 14, 2003. Employers are covered by the privacy rule when:

• They self-insure;
• They have entered into an insurance agreement but they receive, manage, or disclose protected health information as a group health plan; or
• They are not self-insured, but perform certain record-keeping functions, such as transmitting individuals’ health records to a group plan.

In general, privacy is about who has the right to access personally identifiable health information. The rule covers all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. Protected health information is that which identifies an individual’s physical or mental health condition, the health care that the individual has received, or payments for such care. In contrast, summary health information, which excludes individuals’ names and identifying information, may be disclosed to, and used by, employers—without consent—for certain functions such as obtaining bids for insurance coverage.

The privacy standards:

• Limit the non-consensual use and release of private health information;
• Give patients new rights to access their medical records and to know who else has accessed them;
• Restrict most disclosure of health information to the minimum needed for the intended purpose;
• Establish new criminal and civil sanctions for improper use or disclosure;
• Establish new requirements for access to records by researchers and others.

Some of the actions that employers may want to take include the following:

• Become aware of the rule and its requirements;
• Share the information with key managers and officers;
• Review any group health plan documents;
• Review vendor (business associate) contracts;
• Develop appropriate policies, with measures taken for violators;
• Appoint a privacy officer;
• Develop procedures for obtaining authorization; and
• Train managers, supervisors, and employees about their rights and responsibilities.

Authorizations allow additional, specific uses of health information beyond treatment, payment and health care operations to be released. Covered employers must provide notice of patient’s privacy rights and the privacy practices.

ERISA. HIPAA amended the Employee Retirement Income Security Act (ERISA) to provide for, among other things, improved portability and continuity of health insurance coverage provided in connection with employment. The HIPAA portability provisions relating to group health plans and health insurance coverage offered in connection with group health plans are set forth under a new Part 7 of Subtitle B of Title I of ERISA . These provisions include rules relating to preexisting conditions exclusions, special enrollment rights, and prohibition of discrimination against individuals based on health status-related factors.

The provisions of Title I of ERISA are administered by the U.S. Department of Labor. ERISA confers substantial law enforcement responsibilities on the Department. Part 5 of ERISA Title I gives the Department authority to bring a civil action to correct violations of the law, gives investigative authority to determine whether any person has violated Title I, and imposes criminal penalties on any person who willfully violates any provision of Part 1 of Title V.