Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Pub. L. No. 104-191, 110 Stat. 1936 (1996)
Codified at 42 U.S.C. § 300gg and 29 U.S.C § 1181 et seq.
- 45 CFR 162 Transaction Standards and Security Regulations
This law is intended to improve health insurance availability for those persons who lose coverage as a result of job change or loss, and also imposes certain privacy and efficiency standards on covered entities.
45 CFR § 160.103 contains definitions, including Business Associate and Workforce.
CMS Clarifies Compliance with the HIPAA Security Obligations for Sponsors of Group Health Plans
Jackson Lewis Newsletter on HIPAA and security rules dated November 22, 2005. This newsletter is helpful in that it summarizes informal guidance for employers sponsoring group health plans. CMS officials have shed some light on the contours of the compliance obligation by stating as follows:
The employer must go through the risk analysis required by the HIPAA security rules to determine if any of their computer systems contain [any protected health information to which the security rules apply, i.e., electronic protected health information (e-PHI)]. Assuming no e-PHI was discovered during the analysis, based on the flexible standards of the HIPAA security rules there would not be much more for the employer to do.
For HIPAA security educational materials see the CMS web page on same.
June 1st, 2005 Memorandum on the criminal enforcement provisions of HIPAA
This memorandum by the General Counsel for the Department of Health and Human Services interprets 42 USC 1320d-6, the criminal enforcement provision of HIPAA, narrowly. Only covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted under the criminal section of the statute. In addition, the memo states that the term "knowingly" requires only proof of knowledge of the facts that constitute the offense. For more see DOJ Opinion Limits HIPAA Criminal Enforcement, an article by Kirk J. Nahra of Wiley Rein and Fielding, LLP.
Final Regulations for Health Coverage Portability, 69 Fed. Reg. 78720 (Dec. 30, 2004)
This document contains final regulations governing portability requirements for group health plans and issuers of health insurance coverage offered in connection with a group health plan. The rules contained in this document implement changes made to the Internal Revenue Code, the Employee Retirement Income Security Act, and the Public Health Service Act enacted as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These final regulations are effective February 28, 2005 and apply for plan years beginning on or after July 1, 2005. These final regulations do not significantly modify the framework established in the April 1997 interim rules. The final rules define a dependent as someone who, according to the terms of the plan, is eligible for coverage because of a relationship with a participant. The proposed FMLA provisions (see below) would prohibit taking coverage gaps during FMLA leave into account when determining whether there has been a significant break in coverage.
See also 69 Fed. Reg. 78800 (Dec. 30, 2004) Notice of Proposed Rulemaking for Health Coverage Portability: Tolling Certain Time Periods and Interaction With the Family and Medical Leave Act Under HIPAA Titles I and IV and 69 Fed. Reg. 78825 (Dec. 30, 2004) Request for Information on Benefit-Specific Waiting Periods Under HIPAA Titles I & IV. See also the Jackson Lewis Jan. 5, 2005 article entitled Final Regulations for HIPAA Portability on Group Health Plans Contain Few Changes.
HIPAA: Standard Unique Health Identifier for Health Care Providers, 69 Fed. Reg. 3433, Jan. 23, 2004
This final rule issued by HHS establishes the standard for a unique health identifier for health care providers for use in the health care system and announces the adoption of the National Provider Identifier (NPI) as that standard. It also establishes the implementation specifications for obtaining and using the standard unique health identifier for health care providers. The purpose of the National Provider Identifier (NPI) is to uniquely identify a health care provider in standard transactions, such as health care claims. NPIs may also be used to identify health care providers on prescriptions, in internal files to link proprietary provider identification numbers and other information, in coordination of benefits between health plans, in patient medical record systems, in program integrity files, and in other ways. HIPAA requires that covered entities (i.e., health plans, health care clearinghouses, and those health care providers who transmit any health information in electronic form in connection with a transaction for which the Secretary of Health and Human Services has adopted a standard) use NPIs in standard transactions by the compliance dates.
Covered entities must use the identifier in connection with standard transactions. The final rule is effective May 23, 2005, except for Sec. 162.210 governing employer identification numbers. The effective date of this final rule marks the beginning of the implementation period for the NPI, which is distinct from the compliance dates of the NPI. For the compliance date, HHS adopts the requirement that covered entities (except small health plans) must obtain an NPI and must use the NPI in standard transactions no later than May 23, 2007. Small health plans must do so no later than May 23, 2008. See the CMS website for FAQs on NPIs. Simply enter "NPI" into the search text box.
New HIPAA documents
Guidance on Compliance with HIPAA Transactions and Code Sets
This document issued by the Centers for Medicaid and Medicare Services reminds covered entities of the Oct. 16, 2003 compliance deadline for the Transaction and Code Set rules, and offers information on the enforcement approach. Enforcement will focus on voluntary compliance and use a complaint-driven approach.
Interim Final Rule setting forth civil money penalties for violation of HIPAA's Administration Simplification Provisions. 68 Fed. Reg. 18895, April 17, 2003, corrected expiration date of Sept. 16, 2004 (not 2003) at 68 Fed. Reg. 22453, April 28, 2003. This interim final rule establishes rules of procedure for the imposition, by the Secretary of Health and Human Services, of civil money penalties on entities that violate standards adopted by the Secretary under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). This will be the first installment of a rule that will be termed the "Enforcement Rule." The Enforcement Rule, when issued in complete form, will set forth procedural and substantive requirements for imposition of civil money penalties.
HIPAA Privacy Rule and Public Health: April 11, 2003 MMWR Report from the CDC and HHS.
Protecting Personal Health Information in Research: A booklet discussing how the Privacy Rule may affect research posted on the NIH web site.
HIPAA Privacy Rule and IRBs: April 15, 2003 Guidance Letter from OCR stating that the Privacy Rule does not require IRBs to review HIPAA authorizations for compliance with the Rule's requirements.
Summary of the HIPAA Privacy Rule: OCR Privacy Brief:
Title I of HIPAA is the Health Insurance Reform section and does the following:
- Restricts an employer’s or insurer’s ability to use pre-existing condition exclusions or limitations. Pre-existing condition limitations may not exceed 12 months, except for late enrollments, in which case the limitation may not exceed 18 months. No pre-existing condition limitation may be applied to an individual who was continuously covered for 12 months or more under the prior employer’s health plan. In addition, no pre-existing condition limitation can be applied to children who become covered under "creditable coverage" within 30 days of birth, adoption or placement for adoption. Pre-existing condition limitation periods have to be reduced by the length of the aggregate period of the employee’s prior creditable coverage. "Creditable coverage" is coverage of the individual under a group health plan, health insurance coverage (either group or individual), Medicare, Medicaid, military sponsored health care, or certain other government sponsored medical plans. A break in coverage that extends beyond 63 days disqualifies the opportunity to have the prior coverage count towards limiting the pre-existing condition limitation period. Pre-existing condition is defined as "a condition, mental or physical, present on the enrollment date, for which any medical advice, diagnosis, care or treatment was recommended or received within six months before the enrollment date." Pregnancy may not be identified as a pre-existing condition under any pre-existing condition exclusion. An employer or the employer’s insurer must provide notification to each individual about any pre-existing condition limitations. The notice must include the basis of the determination, the source and substance of any information on which the plan relied in making the determination, an explanation of the plan’s appeal procedures, and notification of the individual’s right to present additional evidence.
- Requires almost all employers and insurers to comply with certification requirements. Insurers and health plan sponsors are required to maintain coverage records and to issue certifications of coverage for periods of coverage occurring after July 1, 1996. Written certification of the participant’s period of creditable coverage must be provided by the employer or their insurer: a) at the time the individual ceases to be covered under COBRA continuation coverage; b) at the time a qualified beneficiary under COBRA ceases that coverage; or c) upon a covered individual's request if such a request is made within 24 months after termination of coverage. The employer or its insurer should retain coverage information for 24 months after individuals lose group health coverage, and maintain data and issue certificates based on categories of coverage, such as prescription drugs, mental health, or substance abuse. For copies of the model notice, model certificate, and model form, see 62 Fed. Reg. 16,894 (Apr. 8, 1997).
- Imposes special enrollment period rules on group health plans. In general, group health plans and health insurance issuers offering group health insurance coverage are required to permit late enrollment for individuals who originally declined coverage due to alternative coverage if they lose such other coverage and request enrollment within 30 days.
- Restricts group health plans from discrimination on the basis of health status. Limitations on conditions covered by the plan can last no longer than 12 months. All medical plans will be guaranteed renewable. Group plans cannot use health status to deny or drop coverage.
Title II contains The Administration Simplification Provisions of HIPAA
Title II addresses the security and privacy of health data. When Congress adopted HIPAA in 1996, the law included a provision mandating the Department of Health and Human Services to promulgate standards to ensure the privacy of personally identifiable health information if Congress had failed to act by 1999. Congress did not act, and thus HHS issued proposed rules on privacy and several other standards. While much of the focus has been on the privacy standards, there are actually four sets of standards:
- Privacy
- Electronic Transactions
- Security
- Unique Identifiers
What entities are covered by these standards?
Before getting involved in all of the deadlines imposed by the HIPAA Standards, the first question is whether the university is covered by the standards at all; in other words, are you a covered entity? In general, the standards apply to all health care providers that conduct certain transactions in electronic form, health care clearinghouses, and health care plans. Unfortunately, there is no quick and easy way to determine if you are indeed a covered entity. This decision requires either some heavy reading, or consultation with an outside attorney. However, the key questions are: 1. Are there health care services provided? and 2. Do you engage in standard electronic transactions with third party payors? See also the decision flow chart on the HHS web page.
If a student health center posts a bill to a student's online account, which will ultimately be paid by the student or his/her parent, this is not a standard electronic transaction with a third party payor.
Once you have determined you are a covered entity, or a hybrid entity (this is a special designation for those whose primary business is not health care, see 45 CFR § 164.504(a)), then you must decide what your obligations are under the law. Final regulations have been issued for the privacy and transaction standard sections of the law. The final privacy regulations can be found at 67 Fed. Reg. 53181, Aug. 14, 2002. Compliance with the privacy regulations must occur by April 14, 2003.
The final transaction standards are online at 65 Fed. Reg. 50312, Aug. 17, 2000, and final modifications to the Electronic Data Transaction Standards and Code Sets are published at 68 Fed. Reg. 8381 (Feb. 20, 2003). Compliance with the transaction standards was set for Oct. 16, 2002, but covered entities may delay compliance until Oct. 16, 2003 if they have filed for an extension by Oct. 16, 2002 (Public Law 107-105). See 67 Fed. Reg. 18216 (April 15, 2002) for further information on filing for an extension, and a sample model compliance plan.
Security Regs
Final rules for the Security Standards are published at 68 Fed. Reg. 8333 (Feb. 20, 2003). The FERPA exception to the definition of protected health information was added to this rule. Page 8342 of the rule states the following:
1. Scope of Health Information Covered by the Rule (Sec. 164.306(a)) We proposed to cover health information maintained or transmitted by a covered entity in electronic form. We have modified, by narrowing, the scope of health information to be safeguarded under this rule from that which was proposed. The statute requires the privacy standards to cover individually identifiable health information. The Privacy Rule covers all individually identifiable information except for: (1) Education records covered by the Family and Educational Rights and Privacy Act (FERPA); (2) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (3) employment records. (see the Privacy Rule at 65 FR 82496. See also 67 FR 53191 through 53193). The scope of information covered in the Privacy Rule is referred to as "protected health information." Based upon the comments we received, we align the requirements of the Security and Privacy Rules with regard to the scope of information covered, in order to eliminate confusion and ease implementation. Thus, this final rule requires protection of the same scope of information as that covered by the Privacy Rule, except that it only covers that information if it is in electronic form. We note that standards for the security of all health information or protected health information in nonelectronic form may be proposed at a later date.
The final security rule states that covered entities, with the exception of small health plans, must comply with the requirements of this final rule by April 21, 2005. Small health plans must comply with the requirements of the final rule by April 21, 2006.
The security regs provide for certain required implementation specifications and otherwise set forth implementation specifications and standards to be addressed by each covered entity, allowing flexibility in the means and methods by which covered entities address that latter category of specifications. The State of New York HIPAA Security Matrix is an incredible resource in this regard.
The security rule applies to electronic PHI, i.e., PHI that is transmitted by or maintained in electronic media. This definition includes storage media such as hard drives, magnetic tape or disks, and digital memory cards, and it also includes transmission media such as the Internet, extranets, leased lines, dial-up lines, private networks, and the physical movement of electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
Electronic PHI may be shared with a business associate only if a business associate contract exists that specifically addresses the security rule. This can be done by a new contract or amending an existing contract.
The general requirements of the security rule require covered entities to do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of the rule.
(4) Ensure compliance with this subpart by its workforce.
Electronic PHI may only be disclosed to the Plan Sponsor when the electronic protected health information disclosed to a plan sponsor is summary health information or enrollment or disenrollment information as provided for by Sec. 164.504(f). If more than the above is disclosed, then the plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to--
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
(ii) Ensure that the adequate separation required by Sec. 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
(iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
(iv) Report to the group health plan any security incident of which it becomes aware.
Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Implementation of the rule at colleges and universities
Universities with hospitals and academic medical centers are subject to the rules as health care providers. Research institutions are allowed to disclose protected health information to researchers without patient authorization if an Institutional Review Board approves a waiver or alteration of authorization. Universities, if they are self-insured employers, must amend plan documents to limit the employer’s ability to obtain health information, must appoint a privacy official, set up firewalls within the institution, and comply with other requirements under the rule.
What about schools that simply operate a student health center? Whether or not the HIPAA privacy rules will apply to the school may hinge on whether or not the university health center engages in electronic transmission of personally identifiable health information. Under the regulations, a health care provider is a covered entity if it transmits health information in electronic form in connection with transactions listed in 45 CFR § 160.103. For example, if the student health center bills a student’s health insurer electronically, then the rule comes into play. If the health center does not engage in electronic transmission of personally identifiable health information in a covered "HIPAA transaction", then the HIPAA privacy law will most likely be inapplicable.
If the university receives federal funds, students already have privacy protection under the Family Educational Rights and Privacy Act (FERPA). Under FERPA, medical records are defined as records:
- of students who are 18 years or older or are attending post-secondary educational institutions,
- maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity,
- that are made, maintained, or used only in connection with the provision of treatment to the student, and
- that are not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student.
FERPA excludes the above records from its protections only to the extent they are not available to anyone other than persons providing treatment to students. Any use or disclosure of the record for other purposes, including providing access to the individual student who is the subject of the information, would turn the record into an education record protected by FERPA. The Department of Health and Human Services decided there was no need for another layer of federal privacy protection for these records, and thus student medical records as described above are excluded from the definition of protected health information under the HIPAA. It is important to remember that HIPAA does not preempt FERPA.
Additional Resources
HIPAA Security Rule: NACUANOTES June 13, 2007
HR's role in HIPAA Security Compliance by Philip L. Gordon, Littler Mendelson
This is an excellent summary of the steps Human Resources departments need to take to work with IT professionals to ensure that PHI stored or transmitted electronically is protected.
For more on HIPAA see the publications and resources sections of our employment law page.
See http://hipaablog.blogspot.com for an ongoing commentary on HIPAA.
updated 2/5/05 to add security rule information
updated 2/6/05 to add portability final rules
updated 4/30/05 to add HR and HIPAA article
updated 7/14/05 to add HIPAA criminal enforcement letter
updated 12/7/05 to add Jackson Lewis Newsletter
updated 7/5/07 to add NACUANOTE
Last Revised 05-Jul-07 02:22 PM.