HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places certain requirements on group health plan sponsors and insurers in the areas of portability and privacy/security.

Portability

HIPAA's portability provisions provide protections for employees who are changing health plans. The provisions include limiting exclusions for pre-existing medical conditions, prohibiting discrimination based on health status, and permitting enrollment for individuals experiencing qualifying events.

Pre-existing Conditions

A group health plan may not exclude coverage for an individual's pre-existing condition for longer than 12 months (18 months for a late enrollee). A pre-existing condition is defined as one in which medical advice, a diagnosis, care, or treatment was received or recommended within the six months prior to enrollment.

If a plan includes a pre-existing condition exclusion, the plan's enrollment material must notify the eligible participant of the exclusion, their right to request and provide proof of creditable coverage, and a statement that the current employer's plan or health insurance issuer will assist the individual in obtaining the Certificate of Creditable Coverage from the prior plan. This is referred to as the General Notice of Pre-existing Condition Exclusion.

A group health plan or insurance carrier is required to provide a Certificate of Creditable Coverage to a participant upon loss of coverage and upon request.

Discrimination Based on Health Status

A group health plan is prohibited from discriminating against an employee or dependent based on that individual's health status, physical/mental condition, claims experience, receipt of health care, medical history, genetic information, evidence of insurability, and disability. A plan must not vary its eligibility, premiums, or contributions based on these factors.

A wellness plan basing a reward on satisfaction of a health standard must meet certain criteria to be in compliance with the nondiscrimination rules. Those criteria are:

  • The reward must not be greater than 20% of the cost of employee-only coverage.
  • The program must be designed to promote health and prevent disease.
  • The program must offer the opportunity to qualify for the reward at least once per year.
  • The program must be available to all similarly situated employees. If a physician determines that it is unreasonably difficult for an individual to satisfy the health standard due to a medical condition, the individual must be offered a reasonable alternative standard for satisfying the health standard.
  • The program, including the availability of a reasonable alternative standard, must be communicated to employees in written materials.

In February 2008, the Employee Benefits Security Administration issued Field Assistance Bulletin 2008-02 to its agency personnel for their review of employer wellness programs for compliance with the Final HIPAA Regulations, which were effective July 1, 2007. The Bulletin contains a checklist that employers may find helpful when designing their own wellness program.

In addition to the information provided in the checklist, an employer would also want to make sure that they are in compliance with the requirements under the Genetic Information Non-discrimination Act (GINA). Under the rules, if a wellness program rewards participants for completing a health risk assessment (HRA), the HRA must not request any information regarding family medical history because this information is considered genetic information. This applies regardless of the type or amount of the reward offered. The HRA is permitted to request family medical history information if no reward is offered. These rules are effective for plan years beginning on or after Dec. 7, 2009.

Special Enrollment Rights

An individual who experiences one of the following events must be given the right to enroll in the plan within 30 days of the event.

  • Loss of other group coverage or health insurance due to loss of eligibility, termination of employer contributions, or exhaustion of COBRA coverage.
  • A dependent is newly acquired due to marriage, birth, or adoption.
  • The employee's or dependent's Medicaid or CHIP coverage is terminated as a result of loss of eligibility (must notify employer within 60 days of event).
  • The employee or dependent becomes eligible for a premium assistance subsidy under Medicaid or CHIP (must notify employer within 60 days of event).

In its enrollment material, a plan must notify eligible participants of their Special Enrollment Rights (Notice of Special Enrollment Rights).

Privacy/Security

The HIPAA privacy and security rules can be very complex. The purpose of the rules is to limit the uses and disclosures of group health plan participants' Protected Health Information (PHI). The plan sponsor should put procedures and policies in place to safeguard that information. This section only provides a basic overview of what a plan sponsor must do to be in compliance with these rules.

  • Designate a Privacy Official and a Privacy Contact Person.

  • Conduct a written risk assessment detailing what PHI is received by the plan sponsor (employer). This means any personally identifiable health information, which could include claims information, utilization reports, claims appeals, etc. The document should detail who has access to the information, how it is received, and for what purpose the information is used.

  • Put safeguards in place to protect PHI, which include filing PHI in locked file cabinets, maintaining PHI separately from personnel files, password-protecting electronic files and computers, and not allowing unauthorized persons access to PHI.

  • Implement written policies and procedures to include:

    • Definition of PHI
    • Permitted Uses and Disclosures
    • Authorization Requirement for Other Uses and Disclosures
    • Sanctions for Violations
    • Privacy Safeguards
    • Complaints Procedure
    • Prohibition of Retaliation and Waiver of Rights
    • Record Retention
    • Data Backup Plan
    • Disaster Recovery Plan

  • Establish Business Associate Agreements with those entities or persons who perform a service for the plan and have access to participant PHI.

  • Conduct training for workforce members who handle PHI.

  • Distribute a Notice of Privacy Practices to participants. At least once every three years, the participants must receive the Notice or a notice indicating that one is available and how to obtain one.

The American Recovery and Reinvestment Act of 2009 (ARRA) includes amendments to the privacy and security provisions under HIPAA. Most of the changes are effective February 17, 2010. We will provide additional guidance in the coming months as it becomes available from the Department of Health and Human Services (HHS). The highlights of the new provisions include:

  • Under current law, a business associate is not directly responsible for privacy and security requirements under HIPAA. Their obligation is through a signed business associate agreement with the covered entity. ARRA has amended HIPAA to make business associates directly responsible for certain requirements and subject to penalties for noncompliance.
  • The term breach has been defined as: "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information."
  • A covered entity will be required to notify affected individuals of a breach without unreasonable delay and in no case later than 60 calendar days following the discovery of the breach. If the number of affected individuals is greater than 500, the covered entity must also notify HHS and prominent media outlets.

Our preferred vendor HIPAA Solutions Rx, a BridgeFront Company, created a white paper entitled "Impact of the American Recovery and Reinvestment Act of 2009 on HIPAA Privacy & Security."

Resources are available to assist you with your HIPAA Compliance efforts. Please contact your advisor for information.

FAQs

Our plan is fully insured. What obligations do we have under the privacy rules?

If a fully insured plan provides benefits solely through an insurance contract and it does not receive or create PHI except for summary health information and enrollment/disenrollment information, then the plan sponsor is exempt from most of the obligations under the privacy rule. The insurer will be fulfilling the obligations for the group health plan, including the distribution of the Notice of Privacy Practices.

However, the plan sponsor should still conduct a written risk assessment. Additionally, the plan sponsor should implement a written policy prohibiting intimidating or retaliatory acts against an individual for exercising their privacy rights, and a policy prohibiting any requirement that an individual waive their right to file a complaint.

The above links are provided for your information only. NFP does not endorse, nor accept any responsibility for the content, products and/or services provided at non-NFP sites. Some information contained in the NFP site is provided by third parties. We do not independently verify this information, nor do we guarantee its accuracy or completeness. Information provided from governmental agencies is subject to change.

This material was created by NFP, its subsidiaries, or affiliates for distribution by their Registered Representatives, Investment Advisor Representatives, and/or Agents. This material was created to provide accurate and reliable information on the subjects covered. It is not intended to provide specific legal, tax or other professional advice. The services of an appropriate professional should be sought regarding your individual situation. Neither NFP Securities, Inc. nor NFP Benefits offer legal or tax services.

Securities offered through Registered Representatives of NFP Securities, Inc., a Broker/Dealer and Member FINRA/SIPC. Investment Advisory Services offered through Investment Advisory Representatives of NFP Securities, Inc. a Federally Registered Investment Adviser. NFP Benefits Partners is a division of NFP Insurance Services, Inc., which is a subsidiary of National Financial Partners Corp, the parent company of NFP Securities, Inc. NFP Securities, Inc. is not affiliated with any other entities listed on this document.

Not all of the individuals using this material are registered to offer Securities or Investment Advisory services through NFP Securities, Inc.