Deanna H. Niño is a senior associate with the law firm Greenberg Traurig, LLP. She focuses her practice in the areas of ERISA, employee benefits law and executive compensation. Prior to her private practice, Niño was a pension investigator with the U.S. Department of Labor in Boston.
This article will address the recent privacy rules required by the Health Insurance Portability and Accountability Act ("HIPAA") with respect to group health plans and group health plan compliance with the health care laws that comprise Part 7 of Title I of the Employee Retirement Income Security Act of 1974 ("ERISA").
Privacy rules with respect to group health plans
Effective April 14, 2003, "covered entities" are required to comply with the privacy rules of HIPAA, with the exception of small group health plans. Small group health plans are those plans with less than $5 million in total health care premiums or benefits payable to participants and beneficiaries during a plan year. These plans do not have to comply with HIPAA's privacy rules until April 14, 2004. Since "covered entities" are required to comply with HIPAA's privacy rules, it is important to know what is included in the definition of a "covered entity." A "covered entity" includes a health plan, a health care provider who transmits any health information in electronic form and a health care clearinghouse.1 Entities that are not included in the definition of a "covered entity" are employer/plan sponsors, third party administrators, disability plans, workers' compensation programs, leave of absence arrangements, sick pay and life insurance plans.
The privacy requirements of HIPAA were enacted to limit the use and disclosure of health care information that is identifiable to an individual. This information, which is identifiable and must be treated confidentially, is known as "protected health information" ("PHI"). PHI is individually identifiable information that relates to that individual's health condition, including past, present or future conditions.2 HIPAA provides stringent guidelines and rules to limit the use and disclosure of PHI. Under HIPAA, one permissible disclosure of PHI that a group health plan may make without the prior authorization of the individual is a disclosure for the purposes of "treatment, payment or health care operations."3 If the information is being disclosed for those purposes, the disclosed information must be limited to the "minimum necessary" for such purposes. Otherwise, this information may be disclosed only with the approval of the individual whose information is being disclosed, or under other specific exceptions listed in the regulations, such as disclosures for law enforcement purposes or for public health activities. In addition, group health plans must, upon request, provide the individual with the information that is being disclosed. Overall, the group health plan must establish, and be able to document, administrative, technical and physical safeguards to protect the privacy of PHI.4
With respect to administrative safeguards, group health plans must have policies, procedures and guidelines in place that enable a designated HIPAA privacy official to readily identify PHI. They must also provide training to ensure that the people who will be working with PHI maintain that information in accordance with HIPAA. They must also evaluate the above processes and establish contingency plans to further ensure HIPAA compliance.5 With respect to technical safeguards, standards must be met for access control, audit controls and transmission security of PHI.6 Lastly, with respect to physical safeguards, a covered entity should implement computer passwords, workstation security measures, firewalls, etc. to ensure that the PHI itself is protected and remains private in accordance with HIPAA.7 Although the security provisions of HIPAA were only recently finalized and will not become effective until April 21, 2005, covered entities should begin thinking now about how they are going to secure PHI from unauthorized disclosure.
In addition, it is important to note that there are state privacy laws that are more liberal than HIPAA. These state privacy laws may also apply to the group health plan and increase its compliance responsibilities if the plan has operations in various states.
Lastly, it is important to note that both civil and criminal penalties may be imposed under HIPAA with respect to the privacy rules. The U.S. Department of Health and Human Services ("HHS") is the agency with enforcement jurisdiction over civil compliance with HIPAA's privacy rules. The civil penalty that may be assessed against a covered entity for noncompliance with HIPAA is $100 per violation per year (up to a maximum of $25,000 per person).8 The following criminal penalties may also be assessed by the Department of Justice in situations where the covered entity knowingly obtained or disclosed PHI in violation of HIPAA:
• Up to $50,000 and one year in prison for obtaining or disclosing PHI.
• Up to $100,000 and up to five years in prison for obtaining or disclosing PHI under false pretenses.
• Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.9
As such, it is important for group health plans and other covered entities to review and evaluate their HIPAA compliance efforts and to discuss their processes and procedures with counsel, in order to ensure compliance with HIPAA and avoid the penalties listed above.
Group health plan compliance with the health care laws that amended ERISA
Part 7 of Title I of ERISA was amended by HIPAA in 1996 and by its related acts, which are the Mental Health Parity Act of 1996 ("MHPA"), the Newborns' and Mothers' Health Protection Act of 1996 ("Newborns' Act") and the Women's Health and Cancer Rights Act of 1998 ("WHCRA"). Briefly, HIPAA provided special enrollment rights for certain individuals, placed limitations on a group health plan's ability to impose preexisting condition exclusions and imposed nondiscrimination requirements on group health plans based on health status.10 The MHPA provided for equality in the application of dollar limitations on mental health benefits and on medical and surgical benefits.11 The Newborns' Act requires group health plans that offer maternity hospital benefits to pay for the mother's and newborn's hospital stay for a statutory period of time.12 The WHCRA provides various protections for patients who elect breast reconstruction or mastectomy follow-up care.13 In general, compliance with HIPAA and its related acts requires that group health plans be amended to conform with these laws and that the various HIPAA notices be furnished. The U.S. Department of Labor's Employee Benefits Security Administration ("EBSA") (formerly the Pension and Welfare Benefits Administration) has enforcement jurisdiction over the health care laws that comprise Part 7 of Title I of ERISA.
As such, EBSA targets group health plans to determine compliance with ERISA (most specifically the reporting and disclosure requirements) and HIPAA. These HIPAA audits have been, and will undoubtedly remain, at the forefront of the agency's initiatives within the next year due to the recent focus on HIPAA by group health plans. In fact, EBSA announced a new HIPAA Compliance Assistance Program ("H-CAP") on Feb. 26, 2003, to help group health plans meet their responsibilities under HIPAA and its related acts.14 H-CAP is a three-pronged program that includes new publications aimed at assisting group health plans with compliance with HIPAA and its related acts, a new section of the agency's Web site dedicated solely to health law material, and the agency's sponsorship of compliance assistance workshops.15 The H-CAP program highlights the agency's desire to ensure that group health plans are focusing on, and ensuring compliance with, HIPAA and its related acts. The audits that EBSA is conducting may be targeted HIPAA compliance audits, or a HIPAA audit may be triggered as part of another audit.16 In any event, a HIPAA audit requires the plan sponsor to produce voluminous records to evidence compliance with HIPAA and its related acts. Some of the documents requested during a HIPAA audit are the following:
• Evidence of the issuance of certificates of creditable coverage;
• Documentation provided to individuals that sets forth the procedure by which they may request and receive certificates of creditable coverage;
• Documentation evidencing the issuance of preexisting condition exclusion period notices;
• Evidence of claims that were denied due to the imposition of a preexisting condition exclusion;
• Documentation evidencing the issuance of notices of special enrollment rights provided to participants, if applicable;
• The plan's or insurance issuer's compensation agreement with physicians or physician groups that provide obstetric services for the plan; and
• Documentation evidencing that the one-time WHCRA notice is and has been provided, and evidence of the annual furnishing of WHCRA notices to participants.17
This increased enforcement activity requires that plan sponsors review their plans for compliance with the HIPAA disclosure requirements relating to certificates of creditable coverage, preexisting condition exclusions, special enrollment rights, etc. Generally, procedural prudence for reporting and disclosure requirements means written procedures for ensuring that disclosures are made to participants as required by ERISA and HIPAA.
Since EBSA focuses on the notices furnished to participants to ensure that all employer communications with plan participants and beneficiaries regarding the group health plan comply with ERISA, it is important that all plan sponsors have their HIPAA notices and related health plan documentation reviewed by counsel to ensure plan compliance with ERISA and HIPAA. During the document review process, plan sponsors can be advised of any necessary changes in order to avoid the civil penalties (and, in some cases, the criminal penalties) for HIPAA noncompliance that could be discovered during a governmental audit, should one occur.
1. 45 CFR Sec. 160.103(3).
2. 45 CFR Sec. 164.103 and 164.501.
3. 45 CFR Sec. 164.502(a)(1).
4. 45 CFR Sec. 164.530.
5. 45 CFR Sec. 142.308.
6. 45 CFR Sec. 142.312.
7. 45 CFR Sec. 164.310.
8. 42 USC 1320d-5.
9. 42 USC 1320d-6.
10. DOL Publication, "Compliance Assistance for Group Health Plans HIPAA and Other Recent Health Care Laws," October 2002.
14. DOL Media Release, "Labor Department Announces Compliance Assistance Program for ERISA Health Laws," Release Number 03-10, Feb. 26, 2003.
16. "DOL Audits on HIPAA Compliance Require Detailed Employer Records," excerpt from Employer's Guide to the Health Insurance Portability and Accountability Act, Terry Humo, Esq., Thompson Publishing Group Inc., Washington, D.C., Dec. 7, 2000.
17. List of documents obtained from a DOL request letter of September 1999 during a HIPAA audit of a welfare benefit plan; see also DOL Checklist of HIPAA Compliance Investigation Inquiries, BenefitsLink Q&A, Nicholas W. Ferrigno, Jr. and Frank J. Bitzer, 2002.