Spring 2005-15 New HIPAA rules for group health plans and health insurers
Access to group health coverage rules
New HIPAA rules for group health plans and health insurers
Among other things, the new regulations give workers greater access to group health plan coverage by limiting the use and duration of preexisting condition exclusions imposed.
The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, was enacted on August 21, 1996. HIPAA amended the Employee Retirement Income Security Act of 1974, the Internal Revenue Code of 1986 and the Public Health Service Act to provide for, among other things, improved portability and continuity of health coverage. Interim final regulations implementing the HIPAA provisions were first made available to the public on April 1, 1997 (published in the Federal Register on April 8, 1997, 62 FR 16894).
On October 25, 1999, the Labor Department published a notice in the Federal Register (64 FR 57520) soliciting additional comments on the portability requirements, based on the experience of plans and issuers operating under the April 1997 interim rules.
More than five years later, on December 30, 2004, the Department promulgated final regulations that give individuals greater access to group health plan coverage. Identical regulations were issued simultaneously by the Treasury Department and the Department of Health and Human Services.
The new access regulations give workers greater access to group health plan coverage by limiting the use and duration of preexisting condition exclusions imposed. In addition, the regulations require group health plans and health insurance issuers to offer “special enrollment” options for certain life events that cause individuals (and other eligible new dependents) to lose eligibility for other group health coverage or health insurance.
The final regulations become effective February 28, 2005, but apply to plan years starting on or after July 1, 2005. Notably, the final regulations do not significantly change the framework of the 1997 interim regulations; but in response to comments received during the public comment period, they increase plan participant protections even further.
Although some of the 1997 interim final regulations still remain in their non-final form, the parts that have been finalized include those that:
limit exclusions for preexisting medical conditions;
provide credit for prior health coverage that satisfies preexisting medical conditions, as well as a process for providing medical certificates concerning prior coverage to a new group health plan or health insurance issuer; and
provide new rights that allow individuals who lose coverage or have a new dependent to enroll immediately in health coverage.
Preexisting condition exclusions
One of HIPAA’s central provisions prevents group health plans and health insurance issuers from excluding preexisting conditions from coverage for certain periods of time and under certain circumstances. The final rules confirm the interim rules posture that any preexisting condition exclusions:
must relate to a condition for which medical advice, diagnosis, care, or treatment was recommended or received during the six-month period before an individual’s enrollment date;
may not last for more than 12 months (18 months for late enrollees) after an individual’s enrollment date;
must be reduced by the number of days of an individual’s “prior creditable coverage” that occurred without a break in coverage for 63 days or more;
may not include pregnancy; and
cannot be applied to a newborn or adopted child under age 18, so long as the child became covered within 30 days of birth or adoption, provided there is not a subsequent 63-day or longer break in coverage.
A group health plan or health insurance issuer must provide a general notice of preexisting condition exclusions as part of any written application materials distributed by the group health plan or health insurance issuer for enrollment. If such application materials do not exist, then the general notice must be provided by the earliest date following a request for enrollment that the group health plan or health insurance issuer, acting in a reasonable and prompt fashion, can provide such a notice.
Group health plans or health insurance issuers that have preexisting condition exclusions will need to follow certain final rule requirements, including:
the group health plan or health insurance issuer must notify individuals of their rights to show prior creditable coverage to reduce the preexisting exclusion period;
the group health plan or health insurance issuer must decide whether creditable coverage exists; and
if the group health plan or health insurance issuer notifies an individual that it is imposing an exclusion period, then the notice also must tell the individual the basis of the determination, including the source and substance of any information on which it relied, an explanation of the individual’s right to submit additional evidence of creditable coverage, a description of any appeals procedures established, as well as a person to contact for obtaining additional information or assistance regarding the preexisting condition exclusion.
The final regulations include a statement that the Uniformed Services Employment and Reemployment Rights Act can affect the application of a preexisting condition exclusion to certain individuals who are reinstated in a group health plan following active military service.
HIPAA does not prohibit a group health plan or health insurance issuer from establishing a waiting period. Nevertheless, established waiting periods must run concurrently with any preexisting condition exclusion period. With respect to group health plans, a waiting period is the period that must elapse before an employee, or a dependent, is eligible to enroll under the terms of a group health plan. Note that if the employee or dependent is a late enrollee (or a special enrollee), any time period prior to the late (or special) enrollment will not be considered to form part of the waiting period.
Creditable coverage is the concept that individuals should be given credit for previous health coverage when moving from one employer group health plan to another, from an employer group health plan to an individual policy, or from certain kinds of individual coverage to an employer group health plan. Creditable coverage includes coverage under a group health plan (including a governmental or church plan), HMO, COBRA, Medicare, Medicaid, CHAMPUS, S-CHIP, Indian Health Service program, Federal Employees Health Benefit Program, a public health plan, a Peace Corps health benefit plan, or any individual health insurance policy. With respect to limited scope benefits such as dental, vision, or long-term care, coverage for such benefits does not count as creditable coverage; and days in a waiting period are generally not creditable coverage under such a plan, nor are these days taken into account when determining a significant break in coverage.
Employers must provide a “certificate of coverage” to any employee who has coverage and loses it (typically, these employees leave their place of work and lose coverage or go on COBRA continuation coverage).
The final regulations published by the trio of federal agencies also contain a model form certificate of creditable coverage that group health plans or health insurance issuers may use. Group health plans or health insurance issuers who are not using the model certificate should know that any certificate of creditable coverage issued must identify the group health plan or the health insurance issuer that provided the coverage, provide any insurance identification number, and state how long the individual was covered. Coverage for longer than 18 months can be stated as such, but shorter lengths of time must specify the dates of coverage. Certificates of creditable coverage may also be issued to individuals via electronic communication such as e-mail.
The final regulations add that group health plans and health insurance issuers are required to include, concurrently with the certificate of creditable coverage provided to individuals when they lose coverage under the plan, an educational statement on their HIPAA rights. The final regulations contain model language that group health plans and health insurance issuers can use for such an educational statement.
Alternatives to certificate
Group health plans and health insurance issuers should be aware that individuals will be allowed to use other evidence to prove prior coverage. Such evidence may consist of, among other things:
payment stubs showing premium payments,
a health insurance identification card,
explanation of benefits forms and
medical documents, such as verification by a treating health practitioner.
Group health plans and health insurance issuers must furnish the certificate of creditable coverage automatically:
to an individual who is entitled to COBRA continuation coverage, no later than when a notice is required to be provided for a qualifying event under COBRA;
to an individual who loses coverage under a group health plan and who is not entitled to a COBRA election, within a “reasonable time” after coverage is stopped;
to an individual who has been on COBRA coverage, either within a “reasonable time” after the plan learns that COBRA continuation coverage ended, or, if applicable, within a “reasonable time” after the individual’s grace period for the payment of COBRA premiums ends; and
when an individual, or a person acting on the individual’s behalf and with his or her permission, requests one while the individual is covered under a plan and after 24 months after coverage ceases, at the earliest time that the certificate can be provided in a “reasonable and prompt fashion.”
The time of coverage issued in a certificate of creditable coverage depends upon the method of issuance.
Automatic Issue: The certificate should cover the most recent period of continuous coverage.
Issue on Request: The certificate should show each period of continuous coverage ending within 24 months of the request.
There are several provisions with respect to special enrollees in the final regulations. In general, a group health plan and a health insurance issuer is required to provide for special enrollment periods during which certain individuals who previously declined coverage are allowed to enroll without having to wait until the group health plan’s next open enrollment period.
A completely new set of HIPAA standards, this time covering security for electronic protected health information (“ePHI”), will, in the near future, take effect and apply to HIPAA-covered entities, including employer group health plans that are creating, receiving, maintaining, or transmitting ePHI. These rules are different from, and are in addition to, the HIPAA privacy rules that became applicable to group health plans in 2003 (or 2004 for small group health plans). While the HIPAA privacy rules govern the use and disclosure of protected health information, the new security rules apply to the physical, technical, and administrative safeguards that are to be put in place to protect electronic healthcare data that is ePHI.
Security rule application
The new HIPAA security rules only apply to group health plans that electronically create, receive, maintain, or transmit protected health information. Group health plans must comply with the new rules if the group health plan or any service provider to the group health plan (such as, for example, a third-party administrator) creates, receives, maintains, or transmits ePHI in connection with the administration or operation of the group health plan.
The new security rules generally become effective April 21, 2005, and are intended to implement national standards for safeguards to protect the confidentiality, integrity, and availability of ePHI. Types of group health plans subject to the security rules include medical plans, health care flexible spending accounts, and dental plans, to name a few. The type of group health plan arrangements a plan sponsor has will determine the level of compliance required by the security rules. For example, the burdens on a self-funded plan will be greater than on a fully insured plan. Certain smaller plans (i.e., those with less than $5 million in annual receipts) are entitled to an additional year to comply with the Security Rules (April 21, 2006).
Group health plans subject to the security rules must have certain documentation in place by the April 21, 2005, (April 21, 2006, for small group health plans) effective date. For example, for a self-funded group health plan subject to the security rules, required documents will include written health security policies and procedures, and amendments to plan documents and any service provider (business associate) contracts, even those already containing HIPAA privacy language. In addition to these documentary requirements, group health plans, through, for example, the plan sponsor’s technology support staff, will be required to assess and implement a number of security measures relating to administrative, physical, and technical safeguards with respect to any plan ePHI that is created, received, maintained, or transmitted as part of its or the plan sponsor’s electronic systems. Each group health plan should analyze its situation in light of the security rules in order to determine accurately the requirements that will apply to the plan.
Because the new security rules are complex, if readers need any assistance in determining whether the rules apply to their group health plans or in implementing the rules if they do, they should call a Jones Day lawyer as soon as possible to discuss their legal obligations and to begin a timely determination and preparation of required written documents that will need to be in place by April 21, 2005, (April 21, 2006, for small group health plans).
© 2005 Goldman Antonetti