HIPAA Law and Guidelines for Employers
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that imposes portability, non-discrimination, and certain other requirements on employer-sponsored health plans. HIPAA also includes regulations covering how employers must protect employees’ medical privacy rights as well as the electronic disclosure of employees’ medical information, and it requires employers to cover employees’ and their dependents’ preexisting health conditions under certain circumstances.
HIPAA changes in the 2009 economic stimulus package
On February 17, 2009, President Barack Obama signed a stimulus bill called the American Recovery and Reinvestment Act of 2009 (ARRA) into law. The stimulus package significantly expands HIPAA’s privacy and security regulations. Some of the changes to HIPAA under the stimulus package include the following:
- Business associates. Business associates are companies and consultants that perform services for “covered entities” such as health care providers (doctors, hospitals, etc.), health plans, and health care clearinghouses. A debt collection agency that collects payments for a hospital would be an example of a business associate. Business associates were previously subject to security and privacy requirements through their contracts with covered entities, but they will now be directly subject to HIPAA under the ARRA and be governed by the same requirements under HIPAA as covered entities.
- Security breach notification requirements. The stimulus package also establishes more stringent security breach notification requirements and gives increased notification to patients. Under the ARRA, covered entities and business associates must provide notification to any person whose protected health information has been breached. The ARRA also provides requirements for such notifications.
- Increased rights of individuals. The ARRA expands the rights of individuals regarding the privacy and security of their protected health information (PHI). For example, under the stimulus package, individuals may request an accounting of any PHI disclosures made through an electronic health record and may request copies of their record in electronic format.
- Enforcement and penalties. The ARRA also provides for increased enforcement and penalties for HIPAA violations. For instance, both civil and criminal penalties for violations are increased based on the level of intent, and state attorneys general are given the power to prosecute and seek civil penalties for violations.
After the government provides guidelines on future proposed regulations of this new law, employers will need to take action to comply with many of the changes to HIPAA under the ARRA.
HIPAA privacy regulations for employers
HIPAA's regulations prescribe the permitted uses and disclosures of individually identifiable health information by certain entities, including employers that have access to employee health information. In addition, the Americans with Disabilities Act (ADA) requires employers to keep confidential medical information in a file separate from all other employment or personnel files.
HIPAA non-discrimination rules
HIPAA prohibits discrimination in group health plans in two areas: (1) eligibility to enroll in the plan and (2) premium rates. In general, HIPAA prohibits a plan from establishing eligibility rules or imposing a higher premium rate than the premium for similarly situated individuals based on a “health status-related” factor.
Such factors include health status, medical condition, claims experience, receipt of health care, medical history, genetic information, evidence of insurability (including conditions arising out of acts of domestic violence), and disability.
Related articles on HIPAA law and regulations featured in HR Hero Line, HR Hero White Papers, and Employment Law Post
- Wellness Programs and the Health Care Reform Debate
(Maine Employment Law Letter, December 2009)
- What to Do When Contagious Illnesses Comes to Work
(Mississippi Employment Law Letter, September 2009)
- Using Wellness Programs to Reduce Health Care Costs
(Mississippi Employment Law Letter, August 2009)
- New Requirements on Group Health Plans Starting April 1
(West Virginia Employment Law Letter, April 2009)
- What the Obama Stimulus Plan Means for Employers: COBRA, Benefits, and More
(HR Hero White Papers, March 2009)
- Employer Wellness Programs Need a HIPAA Checkup
(Oklahoma Employment Law Letter, July 2008)
- Employees Hold the Key to Employers' Data Security
(Colorado Employment Law Letter, February 2008)
- HIPAA Security Rule Compliance Deadline Approaches
(Georgia Employment Law Letter, March 2006)