- 1 Health Insurance Portability and Accountability Act of 1996
- 2 Scope
- 3 Substantive Requirements
- 3.1 Health Factors
- 3.2 Wellness programs
- 3.3 Preexisting Conditions and Creditable Coverage
- 3.4 Special Enrollment Periods
- 3.5 Notice of Benefit Reductions
- 3.6 Privacy
- 3.7 Security
- 3.8 Transaction Standards
- 4 Penalties
- 5 Correction of Violations
- 6 ARRA
- 7 Guidance
Health Insurance Portability and Accountability Act of 1996
The Health Insurance Portability and Accountability Act of 1996 added provisions to ERISA and the Code intended to increase access to group health plan coverage for individuals changing jobs. The chief HIPAA requirements mandate that group health plans:
- Not discriminate on the basis of specified health status factors.
- Obey a maximum "look back" period for preexisting condition limitations.
- Provide special enrollment periods for those who lose coverage, and for new dependents (e.g., newborns).
- Notify participants of benefit reductions within 60 days.
HIPAA applies to any ERISA welfare plan that provides medical care (directly or through reimbursements) to employees or their dependents. It applies to both self-funded and insured plans. Importantly, "medical care" is a HIPAA term of art that includes payments for: the diagnosis, treatment, or prevention of disease; transportation to receive such care; and insurance coverage for both care and transportation. HIPAA also applies to insurance coverage associated with a group health plan.
HIPAA does not apply to governmental plans, plans with only one employee, individual insurance policies (though state law classification is not determinative), and plans or portions of plans that provide exempted benefits. Exempted benefits include (among other things) insurance such as accident insurance, disability insurance, and workers' compensation; limited scope insurance such as optional dental, vision, and long-term care insurance; independent fixed indemnity insurance and insurance for specific illnesses (e.g., cancer); and certain supplemental insurance coverage. See FAB 2007-4 for more guidance as to the circumstances under which supplemental health insurance coverage satisfies the requirements for excepted benefits under HIPAA. See also Notice 2008-23.
HIPAA generally preempts any provision of state law that establishes any standard or requirement solely relating to health insurance issuers in connection with group health insurance coverage if the requirement prevents the application of a HIPAA requirement. HIPAA does not preempt more stringent state requirements.
HIPAA forbids discrimination in eligibility or charges (i.e., premiums and contributions) based on a health factor.
Health factors include:
- Health status;
- Medical condition (including both physical and mental illnesses), as defined in § 2590.701-2;
- Claims experience;
- Receipt of health care;
- Medical history;
- Genetic information, as defined in § 2590.701-2;
- Evidence of insurability; or
Common Health Factor Violations
- Defective wellness programs
- Requiring a satisfactory exam prior to enrollment;
- Increasing the general deductible for those with certain conditions.
A wellness program is any program designed to promote health or prevent disease. Wellness programs often violate HIPAA's health factor discrimination provisions unless they are carefully designed. See Wellness Program.
Preexisting Conditions and Creditable Coverage
HIPAA restricts the use of preexisting condition exclusions by group health plans. Group health plans may not impose any preexisting condition exclusion for:
- Adopted children; or
- On the basis of genetic information.
Other preexisting conditions may be excluded if they existed within a "look-back" period of no more than six months prior to enrollment. This period is reduced by the individual's "creditable coverage." Computing creditable coverage can be complex, but generally it is the time spent actually enrolled in group or individual health insurance plans (or government insurance programs such as Medicare. B) after excluding any time before the individual's last break in coverage of 63 days or more.
The exclusion may not last more than 12 months after enrollment (or 18 months after late enrollment). Enrollment in this context is a term of art: It usually means the date coverage or a waiting period first starts.
Special Enrollment Periods
See 29 CFR 2590.701-6.
For Loss of Coverage
A current employee and any dependents (including the employee's spouse) each are eligible for special enrollment in any benefit package under the plan (subject to plan eligibility rules conditioning dependent enrollment on enrollment of the employee) if:
- The employee and the dependents are otherwise eligible to enroll in the benefit package;
- When coverage under the plan was previously offered, the employee (or dependent) had coverage under any group health plan or health insurance coverage;
- The employee declined the employer coverage because of the existing coverage and, if the employer provided a statement explaining the consequences of the statement, stated in writing that this was the reason for declining coverage; and
- The existing coverage was lost because of COBRA coverage exhaustion or the loss of eligibility for coverage, or was terminated by the individual because the employer ceased to make contributions.
The special enrollment must be made within 30 days after the existing coverage is lost.
For A New Dependent or Spouse
If a plan offers dependent coverage, it must provide a special enrollment period of at least 30 days when any new dependent is created by marriage, birth, or adoption. The participant must be otherwise eligible for coverage (e.g., the employee must have satisfied any waiting period). This right extends to employees and spouses, as well as to their dependents. (E.g., an employee may enroll himself because his wife just gave birth.)
Notice of Benefit Reductions
Plans must notify participants of any change to a benefit plan that causes "a material reduction in covered services or benefits" not later than 60 days after the date of the adoption of the modification or change.
A "material reduction in covered services or benefits" means any modification to the plan or change in the information required to be included in the summary plan description that, independently or in conjunction with other contemporaneous modifications or changes, would be considered by the average plan participant to be an important reduction in covered services or benefits under the plan.
A "reduction in covered services or benefits" generally would include any plan modification or change that:
- eliminates benefits payable under the plan;
- reduces benefits payable under the plan, including a reduction that occurs as a result of a change in formulas, methodologies or schedules that serve as the basis for making benefit determinations;
- increases premiums, deductibles, coinsurance, copayments, or other amounts to be paid by a participant or beneficiary;
- reduces the service area covered by a health maintenance organization; or
- establishes new conditions or requirements (e.g., preauthorization requirements) to obtaining services or benefits under the plan.
See 29 CFR 2520.104b-3.
See HIPAA privacy.
See HIPAA security.
There is no private right of action under HIPAA; therefore, the threat of penalties is the chief HIPAA enforcement mechanism.
Code Section 4980D imposes a $100 per day excise tax (typically on the employer) for each violation of HIPAA. Employers who are notified of a liability by the IRS are subject to mandatory minimum penalties. The IRS may waive or reduce the excise tax for reasonable cause.
ARRA increases civil penalties for HIPAA violations to $1,000 per violation due to reasonable cause and $10,000 per violation due to willful neglect.
Correction of Violations
HIPAA violations that are corrected (meaning retroactively remedied, to the extent possible) within 30 days of the date on which the violation is (or should be) discovered are not subject to the excise tax.
ARRA expanded HIPAA in a number of ways. Most changes are effective February 17, 2010.
ARRA expanded the reach of HIPAA security provisions to apply to business associates as well as covered entities. ARRA also provides that covered entities must notify affected individuals of any breach in the security of their PHI.
ARRA extends the HIPAA privacy rule to provide that covered entities must honor requests to restrict certain information related to health care for which the provider has been paid in full out-of-pocket.
ARRA introduces the concept of the “electronic health record,” and provides that an individual may request an account of such records for up to three years.
Finally, ARRA increases civil penalties for HIPAA violations to $1,000 per violation due to reasonable cause and $10,000 per violation due to willful neglect.
- HIPAA Regulations (includes preamble and model certificates of creditable coverage) (PDF)
- 2590.701-1 Basis and scope.
- 2590.701-2 Definitions.
- 2590.701-3 Limitations on preexisting condition exclusion period.
- 2590.701-4 Rules relating to creditable coverage.
- 2590.701-5 Evidence of creditable coverage.
- 2590.701-6 Special enrollment periods.
- 2590.701-7 HMO affiliation period as an alternative to a preexisting condition exclusion.
- 2590.702 Prohibiting discrimination against participants and beneficiaries based on a health factor.
- 2590.711 Standards relating to benefits for mothers and newborns.
- 2590.712 Parity in the application of certain limits to mental health benefits.
- 2590.731 Preemption; State flexibility; construction.
- 2590.732 Special rules relating to group health plans.
- 2590.736 Applicability dates.
- Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Requirements
- Interim Final Regulations on HIPAA Violation Enforcement and Penalties
- HIPAA Opt-Out for Governmental Plans
- Interim Final Rule on Operating Rules for Eligibility for a Health Plan and Health Care Claim Status Transactions (effective January 1, 2013)
- Notice 2008-23 (safe harbor for supplemental group health insurance to be excepted from HIPAA)