HR Compliance Information Specialists - LegalWorkplace.com
Brought to you by the Alexander Hamilton Institute
HIPAA - Health Insurance Portability and Accountability Act

HIPAA, effective July 1, 1997, offers protection for workers in danger of losing health insurance coverage, such as those who had illnesses before starting new coverage and are denied for that reason; or those who lose coverage for existing conditions when they change jobs.  HIPAA offers protection by allowing employees to buy insurance on their own as long as they had insurance through their jobs for at least 18 months and exhausted coverage under COBRA.  The Act also establishes requirements for insured and self-insured health plans and modifies existing COBRA requirements.

 

Key Definitions


Certification of prior coverage: A group health plan or health insurance issuer offering group health insurance is required to provide certification of the period of creditable coverage under the plan, the coverage under any applicable COBRA continuation provision, and the waiting period or affiliation period.


Continuation of coverage: The health care continuation rights that become available when employees lose or resign their jobs.


Creditable coverage: Includes coverage of the individual under a group health plan or individual insurance, Medicare, Medicaid, military-sponsored health care, a program of the Indian Health Service, a state health benefits risk pool, the federal Employee Health Benefits Program, a public health plan, a state children’s health insurance plan, or a foreign national health plan.


Dependents: Includes individuals who become dependents of an employee through marriage, birth, or adoption.  The special enrollment period for dependents must last for at least 30 days from the date of marriage, birth, or adoption.  Coverage must be effective retroactively for newborns or newly-placed children to the date of birth or adoption.


Disclosure of material modifications: The amount of time in which employers that sponsor group health plans must notify plan participants of any material reductions in covered health benefits.


Guaranteed availability: Coverage under a self-funded group health plan cannot be denied to an individual on the basis of health-related factors.


Health factors: Includes health status, medical condition (including both physical and mental illnesses), claims experience, receipt of health care, medical history, genetic information, evidence of insurability (including conditions arising out of acts of domestic violence), and disability.


Portability: Limits an employer’s ability to deny coverage under a group health plan on the basis of a preexisting condition and requires employers to reduce a preexisting condition exclusion period for a new employee by any periods of creditable coverage under a previous health plan.


Premiums: HIPAA non-discrimination provisions generally prohibit group health plans from charging similarly-situated individuals different premiums or contributions, or imposing different deductible, co-payment, or other cost-sharing requirements based on a health factor.


Restrictions on limitation period: A group health plan and a health insurance issuer may impose a preexisting condition exclusion where medical advice, diagnosis, care, or treatment were received within the six-month period ending on the enrollment date.  The exclusion cannot extend to more than 12 months ending after the anniversary of the enrollment date, or the 12-month anniversary of a waiting period, whichever is earlier.


Special enrollment periods: Plans must have two 30-day special enrollment periods, one for employees and dependents who had other health coverage but lost it either because their COBRA coverage was exhausted or because they ceased to be eligible for the other coverage; a second for individuals who become dependents of a covered employee.  Eligible employees or dependents must have:

  • been covered under another health plan when coverage was offered under the employer’s group health plan;

  • been receiving coverage under COBRA, which is exhausted;

  • become ineligible for coverage under another plan due to legal separation, divorce, death, termination of employment, or reduction in hours of employment;

  • stated in writing at the time of enrollment in the employer group health plan that another source of coverage was the reason for declining enrollment, if that was a requirement; or

  • requested enrollment in the employer group health plan within 30 days after the loss of coverage under the other health plan.

The final portability rules broadened the circumstances (e.g., marriage, birth, adoption) in which an employee is entitled to request special enrollment for health coverage after he/she has lost coverage in another plan.  The rules further clarify employees’ special enrollment rights in several areas.

  • An employee refused coverage offered by his/her employer, and then did not have any other coverage.  Subsequently, the employee obtained other coverage (e.g., spouse’s plan), but then lost that coverage.  The employee becomes eligible for special enrollment because, even though he/she initially refused it, at some point he/she had coverage that was lost.

  • An employee exhausted benefits under his/her other coverage due to reaching the lifetime limit for all benefits in that other plan.  Special enrollment runs for 30 days from the earliest date that the employee’s last claim was denied in that other plan.

  • An employee moved out of an HMO’s service area and has no access to other coverage from the HMO.

  • An employee, who is already enrolled in a benefits package, may enroll in a different benefits package under the plan if a dependent has acquired a special enrollment right due to losing other coverage.

Treatment of long-term care insurance and services: HIPAA requires long-term care insurance contracts to be treated as an accident or health insurance policy and to be excludable from the income of the employee, subject to a cap in per diem payments ($175 per day).  Employer-provided coverage under a long-term care insurance contract is not excludable from income if provided through a cafeteria plan or flexible spending account.  In addition, long-term care insurance premiums that do not exceed specified dollar amounts will be treated as medical expenses for purposes of the itemized deduction for medical expenses.

 

Coverage


HIPAA’s requirements apply to group health plans, insurers, and HMOs that offer health insurance in connection with group health plans. It applies to any group health plan with two or more participants who are active employees on the first day of the plan year.  A group health plan is defined as an employee welfare benefits plan that provides medical care to employees or their dependents either directly or through insurance.


Requirements


Key provisions for employer-sponsored health care plans include the following.

  1. Guaranteed availability.  Coverage cannot be denied to an individual on the basis of health factors, such as health status; medical condition, including both physical and mental illness; claims experience; receipt of health care; medical history; genetic information; disability; and evidence of insurability.

  2. Preexisting conditions.  Limits preexisting condition exclusions to 12 months for most individuals.  Requires employers to reduce the 12-month cap by one day for each day an individual had prior continuous coverage.  If an individual has had continuous coverage for 12 months, the employer may not assert any preexisting condition exclusions.  There are exceptions and/or limitations to this rule.

    1. Employers can impose an 18-month preexisting condition exclusion for individuals who do not enroll as soon as they become eligible.  But employees and dependents who exercise special enrollment rights can only have a 12-month preexisting exclusion imposed on them.

    2. No preexisting condition limits can be applied in cases involving pregnancy or newborns or newly-adopted children who become covered by the plan within 30 days of birth or adoption.

    3. Employers need not consider an individual’s prior coverage if there was a break in coverage under a group health plan which lasted more than 63 continuous days, excluding waiting periods and affiliation periods.

  3. Portability.  It’s not specific insurance coverage that is “portable.”  It’s the eligibility for continued coverage that is guaranteed.   The individual must accept the insurance offered by the employer, but can’t be denied coverage.

  4. Premiums.  HIPAA prohibits employers from varying health plan premiums based on health factors.  Employers are allowed to establish premium discounts or rebates based on an individual’s adherence to wellness and disease prevention programs.

Privacy Provisions


Final privacy regulations strengthened patients’ protection and control over their health information by extending coverage to personal medical records in all forms.  This includes paper records and oral communications, in addition to electronic records.  The final privacy regs cover health plans, health care clearinghouses, and health care providers that conduct certain financial and administrative transactions — such as electronic billing — electronically.  These covered entities were required to be in complete compliance with the reg by April 14, 2003 (April 14, 2004 for small health plans).


There are five important principles outlined by the privacy provisions.

  1. Consumers have the right to control the release of their medical information, including the right to: give advance consent for most disclosures of health information; view copies of their medical records; request corrections to their medical records; obtain documentation of disclosures of their health information; and receive an explanation of their privacy rights and how their information may be used or disclosed.

  2. Although there are a few exceptions, in general, a person’s health care information should be used for health purposes only, including treatment and payment.  Of particular importance to employers: Employers that sponsor health plans are not allowed to obtain health information for employment-related purposes — such as hiring, firing, or determining promotions — without getting permission from the individuals first.  Disclosure is also to be kept to the minimum information needed for the purpose of the disclosure.

  3. Under HIPAA, there are specific federal penalties if a patient’s privacy rights are violated.  For non-criminal violations, such as disclosures made in error, civil monetary penalties of $100 per violation — up to $25,000 per year, per standard — will be assessed.  As for violations that are committed knowingly, HIPAA provides for the following criminal penalties:

    1. up to $50,000 and up to one year in prison for obtaining or disclosing protected health information;

    2. up to $100,000 and up to five years in prison for obtaining or disclosing protected health information under “false pretenses”; and

    3. up to $250,000 and up to 10 years in prison for obtaining protected health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

  4. The privacy regulations provide standards for how information should be released in order to balance individual privacy rights with such public health needs as protecting public health, conducting medical research, improving the quality of health care, and fighting health care fraud and abuse.

  5. The privacy provisions state that it’s the responsibility of organizations that are entrusted with health information to protect that information from deliberate or inadvertent misuse or disclosure.  Covered entities must establish clear procedures for protecting patients’ privacy, including designating an official to establish and monitor the entities’ privacy practices and training.

Note: Some employers mistakenly believe that HIPAA’s privacy regs apply to any and all medical information that makes its way into the workplace.  That’s simply not true.  HIPAA applies to information received through the group health plan; it does not apply where an employer collects health information for employment purposes, including:

  • pre-employment physicals, drug tests, and fitness-for-duty exams;

  • medical information used to carry out obligations under the FMLA, the ADA, and similar laws; and

  • employment files or records, such as sick leave requests and workplace medical or safety records.

Employers that most need to concern themselves with HIPAA’s privacy rules are those that offer a self-funded health plan.  That’s because a fully insured group health plan only has access to limited medical information about participants and beneficiaries and can rely on insurance issuers to comply with HIPAA’s privacy regs.  Employers with self-funded plans, on the other hand, have access to a variety of non-employment-related medical information, including types of health claims filed, medical diagnoses, treatment codes, medical costs, physicians visited, lab work, etc.  It’s this information that HIPAA privacy regs work to protect.


The HHS recently released guidance explaining under what conditions a health plan or other covered entity can disclose protected health information (PHI) to an individual who calls the plan on a beneficiary’s behalf.


According to the HHS, a covered entity is permitted to disclose to a family member, relative, or close personal friend of the beneficiary PHI that is directly relevant to that person’s involvement with the beneficiary’s care or payment for care.


Example: A health plan may disclose relevant PHI to a beneficiary’s daughter who has called to assist her hospitalized, elderly mother in resolving a claim or other payment issue.


Disclosures may also be made to persons who aren’t a family member, relative, or close personal friend, as long as the entity has reasonable assurance that the person has been identified by the beneficiary as being involved in his/her care or payment.


Example: A health plan may disclose relevant PHI to an HR rep who has called the plan with the beneficiary also on the line, or who could turn the phone over to the beneficiary, who could then confirm for the plan that the rep calling is assisting the beneficiary.


The HHS stressed that disclosures of relevant PHI may be made only if the beneficiary doesn’t explicitly object.  Exception to the rule: if the entity can reasonably infer from the circumstances that the beneficiary wouldn’t object to the disclosure.  In other words, in instances where it isn’t possible to speak with the beneficiary because he/she is not present or is incapacitated, the health plan can still make a disclosure if, in the exercise of professional judgment, it believes the disclosure is in the best interests of the beneficiary.


Example: A Medicare Part D plan may disclose relevant PHI to an individual at the Centers for Medicare & Medicaid Services (CMS) who contacts the plan to assist a beneficiary regarding the Part D benefit, if the information offered by this individual about the beneficiary and the beneficiary’s concerns is sufficient to reasonably satisfy the plan that the beneficiary has requested the CMS staff person’s assistance.


Security Provisions


As of April 20, 2005, self-insured plans (including flexible spending accounts) and fully insured health plans that receive protected health information must comply with HIPAA’s security rule.  The compliance deadline for small health plans was April 20, 2006.


The security rule requires that covered entities (those that are covered by HIPAA’s privacy rule) take steps to protect electronic protected health information (ePHI).  Such information is defined as any individually identifiable health information stored on hard drives, laptops, memory sticks, and personal digital assistants; contained in e-mail; or transmitted from or to the covered entity.


Here are some suggestions to ensure that you stay in step with HIPAA’s security rule.

  1. Update business associate agreements, since they are required to contain specific provisions relating to the security rule.

  2. Have experts from your benefits department and your IT department get together and assess ePHI security needs and risks.

  3. Name a security officer to facilitate assessment efforts.

  4. Evaluate ePHI security risks and document all compliance activities.

  5. Inventory existing policies applicable to HIPAA security and develop new policies/procedures to address any gaps in compliance with the rule’s “standards” and “specifications.” 

    Note: The security rule sets forth safeguards to ensure that the confidentiality, integrity, and availability of ePHI are maintained.  Each safeguard is composed of a series of standards, which can be used as a to-do list when developing policies/procedures.  And some standards contain specifications, which are more detailed items to address.

  6. Institute training to alert appropriate personnel about security awareness and any new policies/procedures.

  7. Amend your group health plan documents to ensure that your plan sponsor adopts reasonable and appropriate safeguards.

Enforcement Provisions


On February 16, 2006, HHS published a final rule detailing the bases and procedures for imposing civil money penalties on covered entities (e.g., group health plans) that violate any of the administrative simplification rules under HIPAA, which includes the security rule.


As explained in the final enforcement regulations, HHS enforcement procedures will focus on working with the covered entity to achieve compliance with the applicable provisions, which may include providing technical assistance to the covered entity.  Note: These enforcement rules do not apply to the privacy provisions, which are enforced by the Centers for Medicare and Medicaid Services Office of Civil Rights (OCR).


During an enforcement action, a covered entity has the following responsibilities.

  • Provide records and compliance reports to the Secretary of the HHS as necessary in order to determine whether the covered entity has complied or is complying with the applicable administrative simplification provisions.

  • Cooperate with complaint investigations and compliance reviews of policies, practices, and procedures.

  • Permit the Secretary to have access to information during normal business hours.  The covered entity must have available and ready for review its facilities, books, records, accounts, and other sources of pertinent information.

If non-compliance is found, the Secretary will attempt to resolve the matter through informal means, which may include demonstrated compliance, a completed corrective action plan, or other agreement.


The law gives the Secretary the authority to impose monetary penalties for failure to comply with a standard.  The Secretary is required by statute to impose penalties of not more than $100 per violation on any person or entity that fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement.


Wellness Programs


In December 2006, the Department of Labor, Department of Treasury, and HHS issued final regulations addressing the non-discrimination provisions of HIPAA and the exception for certain wellness programs.  The regulations became effective February 12, 2007, and apply for plan years beginning on or after July 1, 2007.  Calendar-year plans must begin complying by January 1, 2008.


Wellness programs are subject to HIPAA’s non-discrimination provisions, unless participation in the program is made available to all similarly-situated individuals; and none of the conditions for obtaining a reward under a wellness program are based on an individual satisfying a standard related to a health factor, or no reward is offered.


Here are some examples of wellness programs that are excepted from the non-discrimination provisions.

  • A program that reimburses all or part of the cost for memberships in a fitness center.

  • A diagnostic testing program that provides a reward for participation rather than outcome.

  • A program that encourages preventive care by waiving the co-payment or deductible requirement for the costs of, for example, prenatal care or well-baby visits.

  • A program that reimburses employees for the costs of smoking cessation programs without regard to whether the employee quits smoking.

  • A program that provides a reward to employees for attending a monthly health education seminar.

Wellness programs that condition a reward on an individual satisfying a standard related to a health factor (e.g., smoking status) must meet five requirements in order to comply with the non-discrimination rules.

  1. The total reward for all the plan’s wellness programs is limited to 20% of the cost of plan coverage, which is determined based on the total amount of employer and employee contributions.

    Rewards can be in the form of: a discount or rebate of a premium or contribution; a waiver of all or part of a cost-sharing mechanism (e.g., deductibles, co-payments, co-insurance); the absence of a surcharge; or the value of a benefit that would otherwise not be provided under the plan.

    Example: The annual premium for employee-only coverage is $3,600; for family coverage, the premium is $9,000.  If the wellness program is available to employees only, the reward cannot exceed $720 ($3,600 x 20%).  If the program is available to any class of dependents, the reward cannot exceed $1,800 ($9,000 x 20%).

  2. The program is reasonably designed to promote health and prevent disease.  There does not need to be a scientific record that the method promotes wellness, but the program: 1) must have a reasonable chance of improving the health of, or preventing disease in, participants and must not be overly burdensome; 2) must not be a subterfuge for discriminating based on a health factor; and 3) must not be highly suspect in the method chosen to promote health or prevent disease.

  3. The program gives individuals eligible to participate the opportunity to qualify for the reward at least once per year.

  4. The reward is available to all similarly-situated individuals.  The program must allow a reasonable alternative standard (or waiver of the initial standard) for obtaining the reward to anyone for whom it is unreasonably difficult due to a medical condition, or medically inadvisable, to satisfy the initial standard.  A specific alternative standard does not have to be established beforehand; it is sufficient to determine one once a participant informs you of the need.

    It is legal to seek verification (e.g., doctor’s statement) that a health factor makes it unreasonably difficult or medically inadvisable for an individual to achieve the initial standard.

    Example: A wellness program consists solely of an annual cholesterol test, with a 20% discount on the annual premium for those who achieve a count of under 200.  An employee for whom it is unreasonably difficult due to a medical condition to achieve a 200 or lower cholesterol count may be allowed to follow his doctor’s advice regarding prescription medication and periodic blood tests as a reasonable alternative.

  5. Plan materials describing the terms of the program disclose the availability of a reasonable alternative standard (or the possibility of a waiver of the initial standard).  Note: In plan materials that merely mention that a program is available, without describing its terms, this disclosure is not required.

    The final regs provide the following language for satisfying the disclosure requirement.  (You can use substantially similar language.)

    “If it is unreasonably difficult due to a medical condition for you to achieve the standards for the reward under this program, or if it is medically inadvisable for you to attempt to achieve the standards for this reward, call us at [phone number] and we will work with you to develop another way to qualify for the reward.”

Note: With regard to wellness programs, complying with the HIPAA non-discrimination rules does not guarantee compliance with the Employee Retirement Income Security Act (ERISA), Consolidated Omnibus Budget Reconciliation Act (COBRA), the Americans with Disabilities Act (ADA), and other federal and state laws.  Contact legal counsel or government agencies, such as the Equal Employment Opportunity Commission (EEOC) or state insurance departments, if you have any questions under those laws.

 

Record-Keeping Requirements


Such requirements include the following:

  1. Certificate Of Coverage.

    Before a plan can impose any preexisting condition exclusion period, it must count employees’ creditable coverage, which employees substantiate by presenting certificates of prior coverage.

    In general, both a group plan and an insurer must furnish certificates of creditable coverage.  However, duplicate certificates aren’t required.  So, for example, a group plan will be considered to have satisfied this requirement if any other entity provides a complete certificate.  A plan meets this burden if it and its insurer agree that the insurer will issue the certificates.

    Employees and their dependents are entitled to certificates.  One certificate may contain information on employees and dependents, if the information is identical for everyone.  If information isn’t identical, information may still be combined (but separately stated) in one form.  If a plan does not know who employees’ dependents are, or dependents’ coverage information, it must use reasonable efforts to determine the information needed for dependents’ certificates.

    Note: Certificates don’t have to be issued until a plan knows (or, after making a reasonable effort, should know) that dependents no longer have health coverage.

    In general, individuals must receive certificates automatically (i.e., automatic certificates) when they lose coverage under a plan, and when they can elect COBRA continuation coverage.  For automatic certificates, the period of health care coverage which must be shown on the certificate is the last period of continuous coverage ending on the date the individual’s coverage ended.  Automatic certificates must be furnished within the following time frames.

    -- For employees who are qualified beneficiaries entitled to elect COBRA, certificates must be provided no later than when a notice is required to be provided for a qualifying event under COBRA.

    -- For employees who lose coverage under a group plan, and who aren’t entitled to elect COBRA, certificates must be provided within a reasonable time after coverage ceases.  (Typically, this applies to small employers which aren’t subject to COBRA.)  This requirement is satisfied if certificates are provided by the time a notice must be provided under a state program similar to COBRA.

    -- For individuals who are qualified beneficiaries and have elected COBRA, certificates must be provided within a reasonable time after COBRA ends, or, if applicable, after any grace period for the payment of COBRA premiums expires.

    Employees (and their dependents) may also request certificates (i.e., requested certificates).  Requests must be made within 24 months after employees lose coverage under a plan.  Certificates must be provided at the earliest time that a plan, acting in a reasonable and prompt fashion, can provide them.  Plans must establish a procedure for employees to request and receive certificates.

    Requested certificates must reflect each period of continuous coverage ending within the 24 months prior to the date of an employee’s (or dependent’s) request.  Certificates may be mailed by first-class mail to employees’ last known addresses.  Certificates for employees’ spouses, who have different addresses than employees, must be mailed to the spouses’ homes.

  2. Notice Of Privacy Practices.

    At least once every three years, health plans are required under HIPAA to send a Notice of Privacy Practices to plan participants.

    Whether you administer your company’s plan, or a third-party administrator does the job, make sure your health plan meets its HIPAA obligation.  HHS provided guidance that any size health plan can use in order to satisfy the privacy notice reminder requirement.  You may:

    -- resend a copy of the Notice of Privacy Practices to all plan participants;

    -- send a reminder about the availability of the notice and how participants may obtain it; or

    -- include information on the availability of the notice and information on how to obtain it in a plan-produced newsletter or other publication.

    Note: A plan participant may have one or more dependents, but only one reminder notice needs to be sent to the named insured of the policy.

    Example: An employee and her three dependents are covered under a single health plan policy.  The plan can satisfy the reminder requirement by sending information concerning the availability of the Notice of Privacy Practices to just the employee, rather than to the employee and each of her dependents.

 

Copyright © 2008 Alexander Hamilton Institute