
HIPAA: Health Insurance Portability and Accountability Act Explained

Abstract

This paper provides a thorough overview of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), enacted by the 104th Congress to improve the efficiency and equity of the U.S. health care system. The paper examines HIPAA's key provisions, including protections against discrimination based on pre-existing conditions, guarantees of health coverage portability, and the establishment of national standards for electronic health data transmission. It also explores the HIPAA Privacy Rule and Security Rule, discussing their implications for physicians, employers, health plans, and patients. Enforcement mechanisms, state-level variations, and compliance requirements for covered entities are addressed throughout.

How to Write This Type of Paper

What makes this paper effective

  • It systematically walks through multiple dimensions of a complex federal law — legislative intent, patient protections, privacy standards, and security compliance — without losing coherence or becoming repetitive.
  • The paper draws on a range of primary and secondary sources, including the original public law, federal agency guidance, and practitioner-oriented publications, lending both authority and practical grounding to its analysis.
  • Concrete examples — such as the 12-month exclusion period, the 63-day coverage gap rule, and the distinction between "required" and "addressable" security specifications — give abstract regulatory language real-world clarity.

Key academic technique demonstrated

The paper demonstrates effective synthesis of regulatory and secondary sources. Rather than summarizing the law in isolation, it weaves together the statutory text (Public Law 104-191), agency rules (DHHS Privacy Rule), and expert commentary (practitioner interviews cited in American Medical News) to construct a layered, multi-perspective account. This technique shows readers how a single law operates differently across contexts — for patients, physicians, employers, and states.

Structure breakdown

The paper opens with HIPAA's legislative origins and stated objectives, then moves through its major substantive provisions in roughly chronological order of implementation. The middle sections shift from patient-facing protections (pre-existing conditions, privacy) to provider-facing obligations (security rule compliance). The paper closes with enforcement mechanisms and individual rights, completing a full regulatory picture. Each section builds on the last, making the structure easy to follow despite the law's complexity.

Introduction to HIPAA and Its Legislative Origins

The 104th Congress of the United States Senate and House of Representatives enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to improve the Medicare program under the Social Security Act, the Medicaid program, and the overall efficiency and effectiveness of the health care system (Public Law 104-191). The establishment of standards and other requirements for the electronic transmission of health information was the perceived means of attaining these objectives. The Act amended the Internal Revenue Code of 1986, aiming to improve the portability and continuity of health insurance coverage in group and individual markets, control waste, fraud, and abuse in the delivery of health insurance and health care, encourage the use of medical savings accounts, improve access to long-term care services and coverage, and simplify the administration of health insurance. It was signed into law on August 21, 1996.

HIPAA contains new and important protection provisions for the millions of working Americans and their families already suffering from medical conditions before its enactment, or who might encounter discriminatory practices in their health coverage (Employee Benefits Security Administration). HIPAA's provisions changed the requirements imposed on employer-sponsored group health plans, insurance companies, and health maintenance organizations. It limited exclusions for pre-existing medical conditions; prohibited discrimination against employees and their dependents based on health status; assured that health coverage would be available and renewable; and offered workers better access to health coverage.

Pre-Existing Condition Protections and Coverage Portability

HIPAA now obliges group health plans and health insurance issuers to apply exclusions of pre-existing medical conditions only under specific conditions: the pre-existing exclusion must be related to the condition for which the individual received medical advice, diagnosis, care, or treatment within the six-month period before the enrollment date; the pre-existing condition exclusion period may not last more than 12 months after the enrollment date; and the 12-month period must be reduced by the number of days of the individual's prior creditable coverage (EBSA).

The health plans of some employers do not cover pre-existing medical conditions, but HIPAA limits their restrictions so that most plans must cover an employee's pre-existing condition after 12 months (EBSA). The law requires the employer to credit the employee for the duration of any prior health coverage, which reduces this 12-month period. A change of job allows for continuous health coverage if the employee already has 12 months of coverage, so the employee does not need to restart the 12-month exclusion requirement for any pre-existing conditions.

HIPAA defines a "pre-existing" condition as one present before the enrollment date of a new health plan, excluded only if medical advice, diagnosis, care, or treatment was rendered for it within the six-month period ending on the enrollment date. Other pre-existing condition exclusion exceptions include pregnancy — with or without previous coverage — and coverage of newborn or adopted children under 18 years old, unless the child is enrolled in the health plan within 30 days of birth, adoption, or placement for adoption, provided that any interruption of coverage does not exceed 63 days (EBSA).

States may impose more stringent obligations on health insurers under certain circumstances (EBSA). These include: reducing the six-month "looking back" period before the enrollment date for determining pre-existing conditions; reducing the 12-month and 18-month maximum pre-existing condition exclusion periods; increasing the 63-day significant break in the coverage period; increasing the 30-day period for newborn and adopted children; expanding the prohibitions to additional cases; requiring additional and special enrollment periods; and reducing the maximum HMO enrollment period to less than two months.

This means that an employee should check with his or her state for local provisions and to determine whether health coverage is offered through an HMO or an insurance policy. If the employee has changed jobs, he or she must also review the health plan's provisions on pre-existing condition exclusions and the duration of the exclusion period. The plan must reflect the employee's right to prior creditable coverage to reduce the exclusion period and must provide relevant information within a reasonable period after a certificate is issued or creditable coverage information is provided. If there is no job change, the health plan may not exclude coverage for any pre-existing conditions for more than 12 months from the date the plan first becomes subject to HIPAA provisions (EBSA).

HIPAA has been widely recognized for its response to the urgent call for medical privacy in the electronic age (Gellman 2003). Previously, confidential medical and mental health information was stored in filing cabinets and on the dusty shelves of clinics or hospital medical records departments. Today, the same information has become widely available as electronic data files accessible to researchers, often strangers, engaged in the health care business or in other industries seeking to profit from patients' personal data. HIPAA established a national standard to regulate the electronic transfer of such data, addressing the growing need to secure the privacy of patient information.

HIPAA Privacy Rule and Medical Data in the Electronic Age

The U.S. Department of Health and Human Services issued the HIPAA Privacy Rule on April 14, 2003, for compliance by most health care providers, health plans, and health care clearinghouses. It balances the interests of the health industry, the government, and the public against the patient's interest in privacy and confidentiality in his or her relationship with a physician.

The HIPAA Privacy Rule not only establishes a national standard for accessing and handling confidential medical and mental health information, but also aligns with state regulations and provisions that may not eliminate or undermine the basic rights established by HIPAA (Gellman 2003). HIPAA guarantees everyone the right to view, copy, or request changes to their own medical records — a right not previously granted by federal law. However, individuals have no right to sue under HIPAA for privacy violations; only the Department of Health and Human Services or the Department of Labor may file enforcement actions. An individual may only file a complaint against the violator or with the DHHS.

Businesses may access or acquire an individual's medical or mental health information directly, or they may obtain it from the person's doctor or share it with business associates — including billing personnel, lawyers, accountants, data processors, and software vendors. The physician may sign a written agreement authorizing the release of such information but is not required to verify that it is being handled correctly (Gellman).

The National Association of Health Underwriters strongly endorsed HIPAA for advancing the Association's long-standing legislative objectives and for furthering health reform (Legislative and Government Affairs 2003). It specifically supported HIPAA's provisions for small-group and individual market reforms, long-term care insurance tax incentives, the medical savings account demonstration project, and standards for the electronic transmission of health information.

Cite This Paper
PaperDue. (2026). HIPAA: Health Insurance Portability and Accountability Act Explained. PaperDue. https://www.paperdue.com/study-guide/hipaa-health-insurance-portability-accountability-act-60754
