Workforce.com

Carrying the Weight of the HIPAA-potamus

November 1, 1998
Ask Conrad Meier: Which weighs more a hippo or HIPAA, the Health Insurance Portability and Accountability Act?

"In comparison to HIPAA, a three-ton hippo looks like a piglet," he says. A health-policy adviser for Chicago-based Heartland Institute, Meier believes HIPAA is one of the first lumbering steps toward national health care. But for HR, compliance can be an administrative nightmare. "The devil is in the details," he says.

HIPAA is the major health care reform mandate that went into effect in July 1997. Also known as the Kassebaum-Kennedy Act, it’s nearly 400 pages thick, with five major Titles, 73,840 words and 5,704 lines. It’s no wonder HR managers feel squashed by HIPAA information overload. But in order to comply with the law, human resources managers need to at least understand the concept of guaranteed issue and renewability, know about HIPAA’s impact on COBRA, and follow the privacy debates sparked by the "unique identifier" provision, which calls for a national medical database. Any HR managers attempting to explain employee benefits without knowing what HIPAA is and isn’t create a potential liability for themselves and their employers, Meier warns.

Moreover, the General Accounting Office, which is the investigative arm of the U.S. government, already has moved very aggressively to enforce the law. So at the very least, HR should review HIPAA’s basic intent and provisions. To help your understanding and ensure your company’s compliance, here are the answers to some frequently asked questions.

What is the goal of HIPAA?
The introductory paragraph of the law says its purpose is "To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste and fraud, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes."

What specific areas are covered by the law?
There are five basic sections:

Title I: Health Care Access, Portability and Renewability

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title III: Tax-related Health Provisions

Title IV: Application and Enforcement of Group Health Plan Requirements

Title V: Revenue Offsets

What does HIPAA actually provide?
HIPAA sets minimum standards that are put in place to improve the access, portability and renewability of health insurance coverage in employer-sponsored group and individual insurance markets. Among other standards, HIPAA includes requirements for carriers to guarantee that:

  1. Health coverage in the small-group market (2 to 50 employees) is available to all small-group employers that apply (guaranteed issue).
  2. Eligible individuals leaving group coverage have access to coverage in the individual market (group-to-individual portability).
  3. All health coverage may be renewed upon expiration of the policy (guaranteed renewal).

Why are these requirements significant?
More than two-thirds of Americans under 65 years of age rely on private group or individual health insurance markets for health coverage. Through HIPAA, Congress sought for the first time to provide a uniform set of minimum consumer protections that would apply to all health coverage available in all states.

Although most states had passed laws designed to improve the access, portability and renewability of private health insurance prior to the bill, the scope of reforms varied. Gaps existed among states, and self-insured employer group plans (40 percent of all group coverage) have been exempt from these state insurance reforms.

Wasn’t HIPAA expected to eliminate job lock?
Several years ago, Americans were very concerned about job lock. Many workers, especially during the recession in the early ’90s, felt trapped in their jobs out of fear that switching could mean losing their health coverage. So when HIPAA was being formulated and touted, job lock was one of the reasons for its appeal. Therefore, HIPAA was designed to help ameliorate—not completely eliminate—this issue by requiring insurance portability for individuals with preexisting conditions.

According to Washington, D.C.-based Employee Benefit Research Institute’s 1998 Health Confidence Survey, only 16 percent of respondents said that preexisting conditions were the main reasons for job lock. In other words, HIPAA’s provision is a step forward for some, but not for the majority of the workforce.

What is a preexisting condition?
A preexisting condition is defined as a condition for which medical advice, diagnosis, care or treatment was received or recommended during the six months preceding the date of coverage or the first day of the waiting period for coverage.

What are the employer restrictions?
HIPAA specifically prohibits group health plans from imposing preexisting condition limits for longer than 12 months (or 18 months for late enrollees).

Does HIPAA guarantee total portability for all employees?
No. Managers need to clarify to employees what HIPAA does not promise. It does not ensure a worker who changes jobs will have access to health insurance coverage on the new job, and does not ensure affordability of health insurance on a new job. Moreover, HIPAA doesn’t enable individuals to maintain the same group health plan on job change. Health insurance would be totally portable if a worker didn’t have to change health plans upon job change. Therefore, job lock continues to be an issue Americans will have to bear until policymakers address health insurance affordability—not just portability, according to the Employee Benefit Research Institute (EBRI).

How does HIPAA affect changes in COBRA—the Consolidated Omnibus Budget Reconciliation Act of 1985?
Although HIPAA provides portability of benefits, employers also must be aware of its limitations. For example, employees must not allow a gap in coverage of longer than 62 days in order to be entitled to waive preexisting condition exclusions when joining a new plan, according to National Underwriter Property & Casualty-Risk & Benefits Management. Several changes to COBRA will also impact HR’s administrivia. HIPAA’s principal changes to COBRA include:

  • Expansion of COBRA’s 11-month disability extension. Under previous law, a person applying for a disability extension of COBRA—which allows for an added 11 months of group coverage above the 18 months an employee is permitted to buy after leaving his or her job—must be considered disabled at the time of the qualifying event.
  • Expansion of the definition of "qualified beneficiary." HIPAA extends COBRA coverage to adopted children or newborns of the covered employee after a COBRA event, provided they’re added to the plan within the appropriate time frame.
  • The use of "certificates of coverage" to show proof that employees attempting to waive a preexisting condition clause in a new plan had prior coverage. When an individual joins a new employer’s plan, he or she may reduce or eliminate that plan’s preexisting condition clause by proving he or she had prior coverage. The individual’s previous employer will be required to provide the former employee with a Certificate of Coverage.

Should HR track coverage of employees’ dependents?
Yes. HR benefits managers will need to track coverage of its employees and dependents—and issue the certificates in a timely fashion. "I think that’s still a major thing for employers to worry about," says John Piro, a legal consultant with Hewitt Associates LLC in Roywayton, Connecticut. Otherwise, employees may not be able to reduce or eliminate preexisting conditions.

Negligence in such matters can cause legal nightmares. HR benefits managers should amend the plan documents and summary plan descriptions to include the changes that affect your employees’ health insurance coverage.

What kinds of penalties can employers face?
Hefty legal penalties for HIPAA noncompliance can be as much as $100 per day per participant. Because of the complex nature of HIPAA, employers risk handling the programs sloppily or putting themselves at risk of government-imposed sanctions.

"There are penalties that apply under the tax law," says Mike Langan, an expert on HIPAA at Valhalla, New York-based Towers Perrin.

The requirements that Langan speaks of also are enforceable under ERISA. For example, the IRS is able to levy tax penalties against employers who fail to provide the certificates of coverage that are required when an employee leaves the organization. However, employers can present facts that would mitigate these penalties, such as the failure of a third-party (the insurer or HMO) to perform these tasks on behalf of the employer.

Separately, the ERISA enforcement provisions would also speak to a plan participant who is suing in federal district court for an order compelling the plan sponsor to comply with HIPAA, says Langan.

What is the "National Provider Identifier" (NPI) provision?
If there’s any one provision of HIPAA that’s a center of debate, it’s the NPI—otherwise known as the "unique identifier." Today, health plans assign identification numbers to health care providers—individuals, groups or organizations that provide medical or other health services or supplies. Thus, providers who do business with multiple health plans have multiple identification numbers.

The NPI is a unique ID number for health care providers that will be used by all health plans. They would be given to health care providers who need them to submit claims or conduct other transactions specified by HIPAA.

Why is the NPI of concern?
The scary news is that under HIPAA, the Department of Health and Human Services must develop a system for collecting details on medical history, claims and payments, enrollment and disenrollment, eligibility, premium payments and referral information. HIPAA also requires health professionals to disclose details of every patient encounter, diagnosis, test result, therapy and demographic information.

Backers of the ID number say it could help physicians treat patients—especially in emergencies—and help insurers keep better track of claims. Opponents, however, warn that medical privacy may not be protected and records may be exposed to misuse or unauthorized examination. In a worse-case scenario, an employee’s medical records could get into the wrong hands—and the employer can be liable for releasing inappropriate information. It’s not unlikely that HR could also end up on a witness stand.

Is there any effort opposing the NPI?
Yes. Two of the leading congressional opponents are Senators John Ashcroft (R-Mo.) and Patrick Leahy (D-Vt.). Last July, they introduced the Patient Privacy Rights Act, which would repeal the 1996 mandate. (This provision wasn’t included in the Senate’s version of the portability bill.) The debate has taken on wider significance in light of increasing congressional focus on privacy issues since the growth of the Internet. Privacy experts have warned that a person’s intimate medical history could become available to insurance companies, employers and Internet hackers.

"Without privacy protections in place, people may be discouraged from seeking help or taking advantage of the access to health care," says Ashcroft, chairman of the Senate Constitution Subcommittee.

With regulations still in the making, how serious is HIPAA enforcement?
Never mind that HIPAA is misperceived, too broad or too confusing. Even in the absence of specific regulations, the government is very serious about enforcement.

According to the U.S. General Accounting Office (GAO), responsibility for enforcing HIPAA standards is divided among three federal agencies and the states. The Department of Labor is responsible for making sure that group health plans comply with HIPAA—a duty that is an extension of the current regulatory role under the Employee Retirement Income Security Act of 1974 (ERISA).

The Department of Treasury enforces HIPAA requirements on group health plans by imposing an excise tax under the Internal Revenue Code as a penalty for noncompliance with the HIPAA standards. In states that have standards that conform to HIPAA requirements, state insurance regulators have primary enforcement authority over insurance carriers. In states that don’t adopt and enforce statutes or regulations that meet or exceed the HIPAA standards, the Health Care Financing Administration (HCFA) is responsible for directly enforcing HIPAA’s standards on carriers in the group and individual markets.

"Because HIPAA is such a complex piece of legislation, it’s not surprising that the HCFA has been given the role as regulator," says Randy Dirosa, a health policy analyst with the GAO.

What have been some of the GAO’s recent findings?
In March, the GAO released a report that some insurance companies were charging rates 140 percent to 600 percent of the standard premiums. It also revealed that agents were receiving lower commissions for signing up HIPAA eligibles.

What the media didn’t report—and what insurance-industry experts quickly pointed out—is that group-to-individual portability provisions require that if an employee has 18 months of coverage in the group market and exhausts his or her COBRA benefits, he or she is eligible for some type of coverage in the individual market. States, he adds, are given a wide range of choices of how to go about it.

Is it true that some states’ insurance companies are price gouging?
Reports of price gouging seem to have waned. The 13 states the GAO referred to in its earlier report chose to use what’s called the Federal Fallback Rules. Under that approach, all carriers in those states must offer insurance to all HIPAA eligibles.

The problem is that it’s not clear to insurers how to rate those individuals and establish their premium rates. "So what a lot of carriers do is set up a separate pool for HIPAA eligibles, and that rate is going to be higher," says Dirosa. "This ‘all carriers guaranteeing issue’ only applies to these 13 states." Earlier reported abuses, he believes, have been abated.

How will the GAO continue to monitor HIPAA implementation?
The GAO will focus on three areas:

  • In the Federal Fallback states, it will watch how carriers assess the premiums for high-risk HIPAA eligibles. In states using "high-risk pools," the cap is going to be between 150 to 200 percent of the standard rates.
  • It will promote consumer awareness.
  • It will monitor HCFA’s ability to carry out its function as regulator—coordinating the overlap of federal and state regulations.

How does HIPAA increase employers’ liability?
According to Meier, negligent employers could be charged with misrepresentation if they give employees the wrong information. For example, some states have amended their laws to extend coverage to companies with more than 50 employees. If an employee at a company with 60 employees is told that he or she won’t qualify for preexisting condition exclusions under HIPAA when they leave, that counsel would be wrong.

Another possibility is HR hires a new employee, and the individual is told to wait three months for his or her health benefits, which isn’t uncommon. But at the end of 18 months, the employee is fired and learns that he or she isn’t qualified under HIPAA, though HR said otherwise. What the HR manager failed to compute correctly is the employee only had 15 months of continuous coverage—18 months minus the three-month wait. Under HIPAA, there must be 18 months of continuous coverage to become eligible. Keep up with the latest federal and state provisions. You don’t want to end up in court because of ignorance or negligence.

Where can employers get help?
One option is to outsource your HIPAA administration to actuary and consulting firms such as Chicago-based Arthur Andersen and Seattle-based Milliman & Robertson. Another option is to contact experts, such as COBRA Administrative Services Inc. (CAS), headquarted in Stone Mountain, Georgia. In addition to handling notification requirements, election processing, premium billing and toll free customer services, CAS offers comprehensive reporting and communication to the employer and each insurance plan administrator.

For the Internet savvy, there’s Employease, an Internet-based human resource and benefits administration service that produces certificates of creditable coverage for HIPAA from its Web-based service, the Benefits Management Network. The online guide includes a free HIPAA creditable coverage calculator, examples of letters of notification, requests for certification and certificates of coverage. The site also has links to legal advice, federal information and other HIPAA-related Web sites.

One of the most extensive sites is Health Hippo, with consolidated policy and regulatory materials related to health care. Click to view information about HIPAA. Among the posted items are FAQs (frequently asked questions) pertaining specifically to small employers.

Workforce, November 1998, Vol. 77, No. 11, pp. 58-64.