The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places certain requirements on group health plan sponsors and insurers in the areas of Portability and Privacy/Security.
Portability
HIPAA's portability provisions provide protections for employees who are changing health plans. The provisions include limiting exclusions for pre-existing medical conditions, prohibiting discrimination based on health status, and permitting enrollment for individuals experiencing qualifying events.
Pre-existing Conditions
A group health plan may not exclude coverage for an individual's pre-existing condition for longer than 12 months (18 months for a late enrollee). A pre-existing condition is defined as one in which medical advice, a diagnosis, care, or treatment was received or recommended within the 6 months prior to enrollment.
If a plan includes a pre-existing condition exclusion, the plan's enrollment material must notify the eligible participant of the exclusion, their right to request and provide proof of creditable coverage, and a statement that the current plan or issuer will assist the individual in obtaining the Certificate of Creditable Coverage from the prior plan. This is referred to as the General Notice of Pre-existing Condition Exclusion.
A group health plan or insurance carrier is required to provide a Certificate of Creditable Coverage to a participant upon loss of coverage and upon request.
Discrimination Based on Health-Status
A group health plan is prohibited from discriminating against an employee or dependent based on that individual's health status, physical/mental condition, claims experience, receipt of health care, medical history, genetic information, evidence of insurability, and disability. A plan must not vary its eligibility, premiums, or contributions based on these factors.
A wellness plan that bases a reward on satisfaction of a health standard must meet certain criteria to comply with the nondiscrimination rules. Those criteria are:
- The reward must not be greater than 20% of the cost of employee only coverage.
- The program must be designed to promote health and prevent disease.
- The program must offer the opportunity to qualify for the reward at least once per year.
- The program must be available to all similarly situated employees. If a physician determines that it is unreasonably difficult for an individual to satisfy the health standard due to a medical condition, the individual must be offered a reasonable alternative standard to satisfying the health standard.
- The program, including the availability of a reasonable alternative standard, must be communicated to employees in written materials.
Special Enrollment Rights
An individual who experiences one of the following events must be given the right to enroll in the plan within 30 days of the event.
- Loss of other group coverage due to loss of eligibility for coverage, termination of employer contributions, and exhaustion of COBRA coverage.
- A dependent is newly acquired due to marriage, birth, or adoption.
In its enrollment material, a plan must notify eligible participants of their Special Enrollment Rights (Notice of Special Enrollment Rights).
Privacy/Security
The HIPAA privacy and security rules can be very complex. The purpose of the rules is to limit the uses and disclosures of group health plan participants' Protected Health Information (PHI). The plan sponsor should put procedures and policies in place to safeguard that information. This section only provides a basic overview of what a plan sponsor must do to be in compliance with these rules.
- Designate a Privacy Official and a Privacy Contact Person.
- Conduct a written risk assessment detailing what PHI is received by the plan sponsor (employer). This means any personally-identifiable health information, which could include claims information, utilization reports, claims appeals, etc. The document should detail who has access to the information, how it is received, and for what purpose the information is used.
- Put safeguards in place to protect PHI, which include filing PHI in locked file cabinets, maintaining PHI separate from personnel files, password-protected electronic files, password-protected computers, and not allowing unauthorized persons access to PHI.
- Implement written policies and procedures to include:
  - Definition of PHI
  - Permitted Uses and Disclosures
  - Authorization Requirement for Other Uses and Disclosures
  - Sanctions for Violations
  - Privacy Safeguards
  - Complaints Procedure
  - Prohibition of Retaliation and Waiver of Rights
  - Record Retention
  - Data Backup Plan
  - Disaster Recovery Plan
- Establish Business Associate Agreements with those entities or persons who perform a service for the plan and have access to participant PHI.
- Conduct training for workforce members that handle PHI.
- Distribute a Notice of Privacy Practices to participants. At least once every three years, the participants must receive the Notice or a notice indicating that one is available and how to obtain one.
Resources are available to assist you with your HIPAA Compliance efforts. Please contact your advisor for information.
FAQs
Our plan is fully insured. What obligations do we have under the privacy rules?
If a fully insured plan provides benefits solely through an insurance contract and it does not receive or create PHI except for summary health information and enrollment/disenrollment information, then the plan sponsor is exempt from most of the obligations under the privacy rule. The insurer will be fulfilling the obligations for the group health plan, including the distribution of the Notice of Privacy Practices.
However, the plan sponsor should still conduct a written risk assessment. Additionally, the plan sponsor should implement a written policy prohibiting intimidating or retaliatory acts against an individual for exercising their privacy rights, and a policy prohibiting any requirement that an individual waive their right to file a complaint.