The Health Insurance Portability and Accountability Act of 1996
(“HIPAA”) is a federal law that imposes many requirements on
health care providers and employer-sponsored benefit plans. The
most significant of those requirements relate to:
- restrictions on preexisting condition exclusions, and
the related “certificate of creditable coverage”;
- special enrollment rules allowing participants to enroll
in plans at times other than open enrollment;
- private insurance market rules that allow individuals
losing group health coverage to purchase private health
insurance (see Guaranteed Issue);
- rules governing nondiscrimination based on health
conditions; and
- the privacy and security of protected health
information.
This section discusses the rules relating to the privacy and
security of protected health information.
Every employer that
sponsors a health benefit plan should ensure that it is
complying with these HIPAA requirements. The compliance task
grows more complicated as the size of the employer and of the
health plan increases. Nonetheless, even the very smallest
employer that maintains a health plan should take reasonable
steps to comply. In practice, smaller employers often rely
heavily on their group benefits broker or consultant to inform
them of their compliance responsibilities, whereas larger
employers may receive advice from several sources, such as
in-house personnel, brokers and benefits attorneys. Failing to
comply with these rules can result in government enforcement
actions, civil and criminal penalties and lawsuits.
Overview of Privacy Rules
Employer-sponsored health plans must
comply with HIPAA’s privacy rule, which governs who may access
protected health information (PHI) and gives individuals rights
over how that information is used or disclosed. HIPAA’s related
security rule addresses PHI that is stored or transmitted
electronically: who may access it, and how it must be protected
against accidental or intentional disclosure, alteration or
destruction. As of April 20, 2006, all health plans, large and
small, are required to comply with both the privacy and the
security rules.
Subject to some exceptions, “protected health
information” is any individually identifiable information about
a plan participant’s or beneficiary’s health, health care or
payment for health care that is created or received by the plan.
Although HIPAA does
not apply directly to employers, it does apply directly to
employer health plans. Accordingly, employers will need to take
action to ensure that their plans are in compliance. As a
practical matter, an employer may avoid many of HIPAA’s privacy
requirements if the plan is fully insured and the employer
receives no PHI other than the summary health information and
enrollment information described below.
Generally, HIPAA prohibits a group health plan
(which is an entity that is distinct from the employer) from
sharing PHI with the employer, except in the following
circumstances:
- Summary health information may be shared with
the employer in order to obtain premium bids or to modify, amend
or terminate the plan. Summary health information summarizes the
plan’s claims history, claims expenses or types of claims, with
the information that would identify individual participants
removed.
- Participant enrollment and disenrollment
information may be disclosed to the employer without complying
with the requirements that would otherwise apply.
- A group health
plan may disclose PHI to the employer for plan administration
functions (such as claims processing, auditing and monitoring),
but only if the employer has agreed in the plan document to
specific limitations on how it may use and disclose the PHI. In
addition, the employer must agree to a number of other
requirements, including identifying the employees who will have
access to PHI, restricting their use of it to plan administration
functions, and maintaining adequate separation (“firewalls”)
between the plan and the rest of the employer, including
safeguards for PHI stored on the employer’s computer systems.
Group health plans often
use other parties called “business associates” to assist with
plan administration. Insurance brokers, third party
administrators, attorneys, consultants and accountants are
typical examples of business associates. A plan may disclose PHI
to a business associate only for specified purposes and subject
to specific conditions. HIPAA requires the plan to enter into a
written agreement (a “business associate agreement”) in which
the business associate agrees to those conditions.
How Echelon Can Help
Echelon can advise large and small
employers (and the plans they sponsor) about their compliance
responsibilities under the HIPAA privacy rules, and can provide
the documents and forms needed for compliance. Echelon can also
help with HIPAA requirements other than the privacy rules,
including the preexisting condition, special enrollment and
nondiscrimination rules.