HR Matters Blog - Compliance, Employment Law & HR Tips

Employment Law | HR Compliance Tips | Tips for HR Professionals


Health Insurance Portability and Accountability Act (1996),

30 June 2006

29 U.S.C. §§1181 et seq., and §§1320d et seq.

Coverage and Requirements: The Health Insurance Portability and Accountability Act (“HIPAA”) applies to all health plans covered under the Employee Retirement Income Security Act (“ERISA”) (including self-funded and insured plans) and HMOs. HIPAA’s most important features include: (1) insurance “portability” provisions for employees who leave or lose their jobs; (2) antidiscrimination provisions prohibiting denial of health coverage based on an individual’s “health status;” (3) protections for employers that are part of a multi-employer plan or multi-employer welfare arrangement; and (4) creation of a demonstration program for medical savings accounts.

Among HIPAA’s portability provisions is a requirement that group health plans and health insurers furnish to an individual who loses coverage under a group health plan a certificate documenting the length of the individual’s prior coverage. Both the employer (technically, the group health plan) and the insurer (including an HMO) must provide the certificate; however, if one party provides it, the other party is considered to have done so. The recipient may use this information to limit any preexisting condition exclusion or other restriction under another group health plan.

Perhaps of most significance to employers, however, are regulations issued by the Department of Health and Human Services (“HHS”) to implement the Act’s privacy provisions. These regulations require covered entities (including group health plans, health care clearinghouses, and health care providers) to ensure that consumer health information is not misused or improperly disclosed and to establish clear procedures to protect patient privacy. Most employers (even if they are not a covered entity) that offer welfare benefits to employees under ERISA, whether insured or self-insured, are covered in their role as plan sponsor. The extent of the employer’s obligations will depend upon the functions it performs on behalf of the plan.

Enforcement: HHS’s Office for Civil Rights is charged with enforcing the privacy regulations. HHS does not have authority to directly regulate organizations in their role as employers, though it does regulate the group health plans sponsored by employers. The Department of Labor enforces HIPAA’s portability requirements on ERISA-covered group health plans, including self-insured arrangements. Participants and beneficiaries also may sue to enforce these obligations.

Remedies: The Secretary of HHS may impose on persons who violate the privacy regulations a penalty of no more than $100 per violation, not to exceed a total of $25,000 in a calendar year for the same violations. Persons who knowingly and in violation of HIPAA’s privacy requirements disclose individually identifiable health information are subject to fines of up to $50,000, imprisonment for not more than a year, or both. Penalties are more severe for disclosures committed under false pretenses or with the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. In addition, the Treasury Department can impose excise taxes against group health plans that fail to comply with the portability provisions.

Related Regulations:

Department of Labor, Employee Benefits Security Administration: Health Coverage Portability, Nondiscrimination, and Renewability - Evidence of Creditable Coverage, 29 C.F.R. §2590.701-5.

HHS: Privacy of Individually Identifiable Health Information, 45 C.F.R. §§164.500 et seq.

Archived in Federal HR Laws