All posts in HIPAA

Congress approved the Health Insurance Portability and Accountability Act (HIPAA) to guard the privacy of personal medical information, and to give individuals the right to keep their health insurance coverage for pre-existing conditions in place even if they change jobs. The law has done this, providing important safeguards for patients. But it has also increased the red tape involved in medical care.

History

Congress passed HIPAA in August 1996, and the U.S. Department of Health and Human Services finalized standards for the electronic exchange, privacy and security of health information in 2002. The rules apply to health plans, health care clearinghouses, and to any health care provider, such as a doctor, who transmits health information in electronic form.

Significance

Congress intended HIPAA to protect individually identifiable health information. Any entity, including a physician’s office, a hospital or other health care facility, or an insurer, that deals with personal health information must follow strict rules about how to handle that information to avoid disclosing it to someone not authorized to see it. For example, Health and Human Services allows physicians and insurance companies to exchange individually identifiable health information to pay a health claim, but would not allow them to release it publicly. Penalties for violating the regulations include civil fines of up to $50,000 per violation, according to Health and Human Services.

Minimum Necessary

According to Health and Human Services, the privacy rule also requires physicians, hospitals, insurers, and other health care entities to use and disclose only the minimum amount of information needed to complete the transaction or fulfill the request. As a practical matter, for example, that means a physician should not send a patient’s entire medical file to an insurer if just one page from the record will suffice to answer the insurer’s query.

Portability

In addition to protecting patients’ privacy, HIPAA also limits the ability of a new employer plan to exclude coverage for pre-existing conditions. This means a person who has health insurance coverage can change jobs — and therefore health plans — without worrying that a condition they already have, such as diabetes or asthma, would not be covered under the new health plan. This was not always the case, according to the U.S. Department of Labor. “In the past, some employers’ group health plans limited, or even denied, coverage if a new employee had such a condition before enrolling in the plan. Under HIPAA, that is not allowed,” the Department of Labor says. HIPAA also prohibits discrimination against employees and their family members based on health histories, previous claims, and genetic information, according to the Department of Labor.

Pros of HIPAA

HIPAA, for the first time, allowed patients the legal right to see, copy, and correct their personal medical information. It also prevented employers from accessing and using personal health information to make employment decisions. And, it enabled patients with pre-existing conditions to change jobs without worrying that their conditions would not be covered under a new employer’s health plan.

Cons of HIPAA

However, HIPAA’s effects have not all been positive. The regulations increased the paperwork burden for doctors considerably, according to the American Medical Association. HIPAA has spawned a mini-industry of companies and consultants who help medical professionals comply with the law’s lengthy provisions. In addition, some professionals who deal with medical paperwork have become overcautious about releasing protected information. For example, some physician’s offices now refuse to mail test results, saying patients need to pick them up in person. And some hospitals require physicians to submit written requests on their own letterhead for information on a patient’s condition, when the law allows this information to be provided by phone.

Originally published by www.livestrong.com

Cafeteria plans, or plans governed by IRS Code Section 125, allow employers to help employees pay for expenses such as health insurance with pre-tax dollars. Employees are given a choice between a taxable benefit (cash) and two or more specified pre-tax qualified benefits, for example, health insurance. Employees are given the opportunity to select the benefits they want, just like an individual standing in the cafeteria line at lunch.

Only certain benefits can be offered through a cafeteria plan:

  • Coverage under an accident or health plan (which can include traditional health insurance, health maintenance organizations (HMOs), self-insured medical reimbursement plans, dental, vision, and more);
  • Dependent care assistance benefits or DCAPs
  • Group term life insurance
  • Paid time off, which allows employees the opportunity to buy or sell paid time off days
  • 401(k) contributions
  • Adoption assistance benefits
  • Health savings accounts or HSAs under IRS Code Section 223

Some employers want to offer other benefits through a cafeteria plan, but this is prohibited. Benefits that you cannot offer through a cafeteria plan include scholarships, group term life insurance for non-employees, transportation and other fringe benefits, long-term care, and health reimbursement arrangements (unless very specific rules are met by providing one in conjunction with a high deductible health plan). Benefits that defer compensation are also prohibited under cafeteria plan rules.

Cafeteria plans as a whole are not subject to ERISA, but all or some of the underlying benefits or components under the plan can be. The Patient Protection and Affordable Care Act (ACA) has also affected aspects of cafeteria plan administration.

Employees are allowed to choose the benefits they want by making elections. Only the employee can make elections, but they can make choices that cover other individuals such as spouses or dependents. Employees must be considered eligible by the plan to make elections. Elections, with an exception for new hires, must be prospective. Cafeteria plan selections are considered irrevocable and cannot be changed during the plan year, unless a permitted change in status occurs. There is an exception for mandatory two-year elections relating to dental or vision plans that meet certain requirements.

Plans may allow participants to change elections based on the following changes in status:

  • Change in marital status
  • Change in the number of dependents
  • Change in employment status
  • A dependent satisfying or ceasing to satisfy dependent eligibility requirements
  • Change in residence
  • Commencement or termination of adoption proceedings

Plans may also allow participants to change elections based on the following changes that are not a change in status but nonetheless can trigger an election change:

  • Significant cost changes
  • Significant curtailment (or reduction) of coverage
  • Addition or improvement of benefit package option
  • Change in coverage of spouse or dependent under another employer plan
  • Loss of certain other health coverage (such as government provided coverage, such as Medicaid)
  • Changes in 401(k) contributions (employees are free to change their 401(k) contributions whenever they wish, in accordance with the administrator’s change process)
  • HIPAA special enrollment rights (contains requirements for HIPAA subject plans)
  • COBRA qualifying event
  • Judgment, decrees, or orders
  • Entitlement to Medicare or Medicaid
  • Family Medical Leave Act (FMLA) leave
  • Pre-tax health savings account (HSA) contributions (employees are free to change their HSA contributions whenever they wish, in accordance with the their payroll/accounting department process)
  • Reduction of hours (new under the ACA)
  • Exchange/Marketplace enrollment (new under the ACA)

Together, the change in status events and other recognized changes are considered “permitted election change events.”

Common changes that do not constitute a permitted election change event are: a provider leaving a network (unless, based on very narrow circumstances, it resulted in a significant reduction of coverage), a legal separation (unless the separation leads to a loss of eligibility under the plan), commencement of a domestic partner relationship, or a change in financial condition.

There are some events not in the regulations that could allow an individual to make a mid-year election change, such as a mistake by the employer or employee, or needing to change elections in order to pass nondiscrimination tests. To make a change due to a mistake, there must be clear and convincing evidence that the mistake has been made. For instance, an individual might accidentally sign up for family coverage when they are single with no children, or an employer might withhold $100 dollars per pay period for a flexible spending arrangement (FSA) when the individual elected to withhold $50.

Plans are permitted to make automatic payroll election increases or decreases for insignificant amounts in the middle of the plan year, so long as automatic election language is in the plan documents. An “insignificant” amount is considered one percent or less.

Plans should consider which change in status events to allow, how to track change in status requests, and the time limit to impose on employees who wish to make an election.

Cafeteria plans are not required to allow employees to change their elections, but plans that do allow changes must follow IRS requirements. These requirements include consistency, plan document allowance, documentation, and timing of the election change. For complete details on each of these requirements—as well as numerous examples of change in status events, including scenarios involving employees or their spouses or dependents entering into domestic partnerships, ending periods of incarceration, losing or gaining TRICARE coverage, and cost changes to an employer health plan—request UBA’s ACA Advisor, “Cafeteria Plans: Qualifying Events and Changing Employee Elections”.

By Danielle Capilla
Originally published by www.ubabenefits.com

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) began a pilot program in 2012 to assess the procedures implemented by covered entities to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR evaluated the effectiveness of the pilot program and then announced Phase 2 of the program on March 21, 2016. Phase 2 Audits focus on the policies and procedures adopted by both covered entities and business associates to ensure they meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Covered entities include health plans, health care clearinghouses, and health care providers; whereas, business associates include anyone handling health information on behalf of a covered entity.

Phase 2 Audits of business associates focus on risk analysis, risk management, and reporting of HIPAA breaches to covered entities. OCR emphasizes the importance of audits as a compliance improvement activity in order to identify best practices and proactively uncover and address risks and vulnerabilities to protect health information (PHI).

OCR chose entities to audit through random sampling of the audit pool. Communications from OCR were sent via email, so it is important to check spam filters and junk emails for communications from OSOCRAudit@hhs.gov. OCR emailed a notice to verify contact information. Once the contact information was verified, OCR emailed a pre-audit questionnaire to gather data about size, type, and operations of the entity. This data was used with other information to develop pools of potential covered entities for making audit selections.

Phase 2 Audits consist of three sets of audits. The first set of audits will be desk audits of covered entities and the second set of audits will be desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules and covered entities will be notified of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016. OCR will select entities and request they electronically submit documentation within 10 days. The third set of audits will be onsite and examine a broader scope of requirements from HIPAA Rules.

On July 11, 2016, 167 covered entities were notified that they were selected for a desk audit. Desk audits of business associates will begin this fall. Download the complete Compliance Advisor, “HIPPA Phase 2 Audits” for best practices for covered entities facing desk or field audits.

Originally published by www.ubabenefits.com