HIPAA Law and Guidelines for Employers
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that imposes portability, non-discrimination, and certain other requirements on employer-sponsored health plans. HIPAA also includes regulations covering how employers must protect employees’ medical privacy rights and the electronic disclosure of employees’ medical information. It requires employers to cover employees’ and their dependents’ preexisting health conditions under certain circumstances, and to protect the privacy of health information.
HIPAA changes in the 2009 economic stimulus package
On February 17, 2009, President Barack Obama signed a stimulus bill called the American Recovery and Reinvestment Act of 2009 (ARRA) into law. The stimulus package significantly expands HIPAA’s privacy and security regulations. Some of the changes to HIPAA under the stimulus package include the following:
- Business associates. Business associates are companies and consultants that perform services for “covered entities” such as health care providers (doctors, hospitals, etc.), health plans, and health care clearinghouses. A debt collection agency that collects payments for a hospital would be an example of a business associate. Business associates were previously subject to security and privacy requirements through their contracts with covered entities, but they will now be directly subject to HIPAA under the ARRA and be governed by the same requirements under HIPAA as covered entities.
- Security breach notification requirements. The stimulus package also establishes more stringent security breach notification requirements and expands the notice given to patients. Under the ARRA, covered entities and business associates must notify any person whose protected health information has been breached. The ARRA also sets out requirements governing such notifications.
- Increased rights of individuals. The ARRA expands the rights of individuals regarding the privacy and security of their protected health information (PHI). For example, under the stimulus package, individuals may request an accounting of any PHI disclosures made through an electronic health record and may request copies of their records in electronic format.
- Enforcement and penalties. The ARRA also provides for increased enforcement and penalties for HIPAA violations. For instance, both civil and criminal penalties for violations are increased based on the level of intent, and state attorneys general are given the power to prosecute and seek civil penalties for violations.
HIPAA privacy regulations for employers
HIPAA’s regulations prescribe the permitted uses and disclosures of individually identifiable health information by certain entities, including employers that have access to employee health information. In addition, the Americans with Disabilities Act (ADA) requires employers to keep confidential medical information in a file separate from all other employment or personnel files.
HIPAA non-discrimination rules
HIPAA prohibits discrimination in group health plans in two areas: (1) eligibility to enroll in the plan and (2) premium rates. In general, HIPAA prohibits a plan from establishing eligibility rules or imposing a higher premium rate than the premium for similarly situated individuals based on a “health status-related” factor.
Such factors include health status, medical condition, claims experience, receipt of health care, medical history, genetic information, evidence of insurability (including conditions arising out of acts of domestic violence), and disability.