HIPAA first limits the rights of health insurers to exclude new employees of an insured employer based on pre-existing conditions. For an employee to be denied coverage based on a pre-existing health problem, the employee must have actually received medical attention, including medical advice, diagnosis, or treatment, for the condition within the six-month period immediately preceding his new employment start date.
Moreover, HIPAA prevents insurers from excluding a new employee from coverage based on pregnancy. The law also provides that after 12 months of status as a pre-existing condition, no particular health condition can continue to be the basis of exclusion from the new employer’s health insurance plan. This means, for example, that if an employee has had a heart condition for 12 months after being employed by a new employer, the employer’s health insurer must accept the employee for coverage at that point in time notwithstanding the likelihood of continued heart problems that may require medical treatment in the future.
Finally, HIPAA provides that health insurance plans offered by employers cannot exclude employees from coverage based on past, current, or future expected health status; the degree to which employees utilized medical insurance or made claims in the past; or even high-risk activities that the employees may engage in, like motorcycling, skiing, or horseback riding.
Recently, employers have been exploring ways to increase costs for employees not managing their health by providing incentives to employees who certify that they engage in regular physical activity or do not smoke.
In addition to the portability requirements, HIPAA also governs how employers and medical providers safeguard health care information and conduct standard transactions.
The HIPAA Privacy rule requires employers to protect some personal health information. Employers, plans, and providers may only disclose protected health information for purposes of treatment, payment, or health care operations. Furthermore, entities are required to provide individuals with detailed notice of their privacy rights and any uses of health information. Though most states had previously required that health care organizations obtain a signed release from individuals before releasing any health care information to a third party, HIPAA details content requirements for the authorization and requires that entities also track any such disclosures of information.
Finally, the privacy rule of HIPAA provides that entities designate a Privacy Officer to oversee HIPAA implementation and ongoing training activities and investigate alleged violations of the rule. The Security rule, effective April 2006, establishes national standards for the security of electronic information. It includes a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information.
The requirements of COBRA and HIPAA are detailed and complicated. Some employers find them to be so complicated and time-consuming that they actually subcontract the tasks of notifying employees and their dependents of COBRA rights following qualifying events to outside companies whose entire business is providing COBRA-consulting services to employers.
Employers can also face significant liability for violation of COBRA or HIPAA. If an employer does not offer continuation coverage to an eligible person, or refuses to allow a new employee to participate in a health insurance plan contrary to HIPAA requirements, and the person or employee is forced to incur costs for medical treatments, the employer may be forced to pay those costs itself.