The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, was signed into law primarily to improve the efficiency and security of the health care system and to help employees and their families keep their medical insurance coverage when employment ends. Although many of HIPAA's regulations primarily concern health care organizations, HIPAA also impacts employers who offer health insurance benefits. Understanding HIPAA is important even for the small employer, because the law applies to employers of two or more.
FAIR HIRING
HIPAA ensures that hiring decisions are made fairly, not based on the health status of employees, said Jeff Davis, vice president and general manager of Premera Blue Cross Blue Shield of Alaska.
For example, an employer could have discriminated against an employee whose poor health and/or health risk factors could raise their group rates.
'If employers currently receive protected health information from their health benefits carriers,' Davis said, 'this practice may be eliminated.
'If it is not eliminated, employers may have to change the way they use and maintain protected health information.'
By keeping health information private, HIPAA protects employees from unfair hiring practices.
FAIR COVERAGE
HIPPA ensures that all employees can get coverage, except in some rare circumstances.
'The most important thing to know about HIPAA is that it's a guaranteed buyer environment,' said Katie Campbell, life/health actuary at the Alaska Division of Insurance. 'You can't deny because of an employee's condition.'
In general, an employer cannot say that an employee with ongoing health problems may not enroll in the health insurance plan.
PORTABILITY
The portability aspect of HIPAA eliminates concern over most pre-existing health conditions that used to disqualify employees from coverage.
'If the employee can show continuous coverage, they are not subject to waiting periods,' said Tom Harwick, marketing director for Benefits Inc. in Anchorage.
Prior to HIPAA, employees would have to wait months before enrolling.
'HIPAA gives employees who would otherwise be handcuffed to an employer more freedom to shop the job market,' Harwick said.
Employees with certain ongoing health concerns, such as needing maintenance drugs or treating a long-term condition, used to be forced to stay with their employers for fear of losing their insurance benefits. If they allowed their coverage to lapse, they may not have passed medical underwriting because of their health conditions.
Insurance provided through the Consolidated Omnibus Budget Reconciliation Act (COBRA) can help out; however, its dubious affordability and limited coverage (18 months) make it a short-term fix for a bigger problem.
'COBRA is usually far too expensive for people who no longer have jobs,' Harwick said.
HIPAA's portability element helps employees make the best employment decisions not only for their health care but also for their career advancement.
Although that isn't necessarily good news for employers, it does help ensure that employees are working jobs that they enjoy, which would probably increase long-term job satisfaction and productivity.
To prove creditable coverage, new employees must show that they have had previous coverage such as group health insurance through prior employment, Federal Employee Health Benefits, Indian Health Service, individual health insurance, Medicaid, Medicare, military health coverage (such as CHAMPUS or TRICARE) or state health insurance high risk pools.
Employees can prove prior coverage by presenting a certificate of creditable coverage that is issued by the previous employer or the health insurance company or broker the previous employer is using. Self-insuring employers are required by law to issue certificates of creditable coverage to terminating employees.
Self-insured group plans define continuous coverage differently. As a general rule, if the coverage is not broken for 63 or more continuous days, it counts as continuous coverage, unlike fully insured group plans, which HIPAA limits to 90 days.
The second employer's insurance may also exclude some provisions if the first employer's insurance shows a gap for that piece of the insurance package. For example, if at his previous job, an employee's hours decreased so that he was ineligible for dental benefits for 95 days but he still qualified for health benefits, the next employer may exclude him for the required waiting period.
Differences in coverage should not be a surprise to new employees.
'Employers must know they have a responsibility to treat their employees with the understanding that they will be coming on with a different type of arrangement if they have prior coverage than if they didn't,' Harwick said.
'They need to tell future employees what to expect,' he added.
GREATER SECURITY
The security of health information was one of HIPAA's purposes, although 'many state public health and privacy laws already limited the amount of health information that a health plan is permitted to provide to an employer,' Davis said.
The amount of security procedures necessary depends on how the employer is providing coverage. Fully insured employers do not handle protected data, so 'even though they are sponsors of the plan, they will need to do no more than make sure the carrier is compliant with the plan,' said Dahlie Plumber, assistant account manager with Willis of Alaska in Anchorage.
If an employer self-funds employees' benefits, the employer must shoulder the responsibility of complying with HIPAA.
'They will need to implement rules on protecting and securing the data,' Plumber said. 'The data needs to have its own area. They will have to find a way to secure it. They will have to transmit the data in a confidential manner.'
The sensitive data available to employers can include health plan eligibility, enrollment and health plan premiums. This information should be shared on a need-to-know basis only. By processing health care information with the Electronic Data Interchange (EDI), fewer people see the information so by nature it is more secure.
Employers should not rely on EDI to guarantee security, however, because not all data may be transmitted electronically and the data that goes through EDI may be inadvertently viewed by unintended parties.
Personal health information should be kept secure, said Darrell Duty, senior software engineer for Mercury Data Group in Anchorage.
Sensitive information may be viewable for curious eyes when employees overseeing the data transmission step away from their terminals.
'They should have a screensaver and/or a blank screen accessible only by a password,' Duty said.
Employees can set their screensaver to come up automatically after a few seconds' inactivity.
INCREASED ACCURACY
EDI has increased accuracy because it relies less upon error-prone humans to move information. Employers who self-insure should realize that compliance with HIPAA in general still depends upon people.
'You need to recognize the difference between a process that must be documented and the common practices of the employees,' Duty said.
The reason of 'that's the way we've always done it' should not have precedence over HIPAA regulations.
INCREASED EFFICIENCY, INCREASED BURDEN
There's no such thing as a free lunch, and the health care industry is no different. One of the downsides of HIPAA is the increased cost, which after seven years has not diminished.
'HIPAA is a good thing, but it hurts small offices because they haven't had to have this burden in the past,' Duty said.
One of the reasons for enacting HIPAA into law was to reduce overhead by decreasing administrative time; however, the opposite is proving to be true. Right from the start, HIPAA has required employers to prove that new employees enrolling in their health care plans have previous creditable coverage.
'Companies will spend more time and internal resources to keep up with complex new legal rules that may potentially impact their health benefit plans,' Davis said.
EDI uses computers to transmit administrative and financial data between health care providers and payers, which seems as though it would be much more cost-effective than using humans to move the information. However, increased technology support is offsetting the efficiency of using electronic data transfer. Buying software patches or hiring computer experts takes a bite out of company coffers.
Duty believes that this misconception stems from the idea that the computer will take care of all their HIPAA responsibilities.
'People hope that software will solve their problems, but it is a combination of business processes, practices and software.'
Another issue is the compatibility of computer systems.
'HIPAA is costly for health plans, providers and ultimately, employers and consumers,' Davis said. 'One example is the myriad of system changes required to support electronic communications between health plans and providers.
'It is hoped that over time, standard electronic transactions will improve efficiency in the industry and eventually, possibly reduce administrative costs.'
KEEPING UP WITH HIPAA
One of the important reasons to comply with HIPAA is that noncompliance could mean that the company's health insurance would not be tax-deductible.
'It would kill most employers if they found out that the plan they have is no longer deductible,' Harwick said.
Maintaining compliance, however, is an ever-changing task.
'Stay tuned,' said Davis, 'Implementing this federal law will create changes for years to come.'
Harwick agrees.
'They continue to promulgate new responsibilities to keep these qualified benefits tax deductible,' he said. 'Employers have to stay on top of it. It all started with ERISA (Employee Retirement Income Security Act) in 1974 and it's been alphabet soup ever since.'
Outsourcing the responsibility of tracking changes in HIPAA is the easiest option.
'Employers should have people who specialize in this,' Harwick said. 'That's what brokers do; navigate the troubled waters of the regulations.
'If not, you need someone on staff who is up to speed on this. That's an additional paid position. Employers should have people who specialize in this. The government will continue to clarify gray areas and make it more consistent.'
Plumber recommends a three-fold approach for training in-house HIPAA personnel.
'Give an introduction to HIPAA, train for in-house policies that you implement, and then give training on HIPAA rules. It's a fairly involved process,' she said. 'Ongoing training is needed to learn the new rules and regulations.'
Insurance company Web sites often include HIPAA information, as does the Department of Labor's Web site, www.dol.gov.
Duty suggests that employers regularly visit www.HIPAA.org or www.MHA.org, and Plumber favors http://cms.hhs.gov/hipaa/.
Davis recommends that employers keep up with HIPAA changes by designating a person to become knowledgeable about HIPAA and track changes, subscribing to employment benefit journals, and attending seminars or talks by an attorney.
Although it is a federal law, 'be aware that if you operate in different states, HIPAA will have different impacts depending upon existing state laws,' Davis advised.
'The forums available online are very good,' he said.
FUTURE OF HIPAA
Some of the upcoming changes include increases in security standards to beef up privacy.
'The HIPAA security standards are expected to be finalized this year,' Davis said. 'That will mean that the health care industry must be more vigilant than ever about maintaining the privacy of personal health information.'
New transaction standards 'will change the way employers electronically enroll their employees for health benefits and pay premiums,' Davis said.
