What is the Health Insurance Portability and Accountability Act of 1996?
The Health Insurance Portability and Accountability Act of 1996 (commonly shortened to the acronym HIPAA) was enacted on August 21, 1996 under President Bill Clinton for the purpose of improving various processes in healthcare administration. Specifically, the law outlined security measures to safeguard patients’ protected health information (PHI), limited discriminatory practices in enrollment and claims coverage, and simplified medical coding.
The law was broken down into five parts that outline the broad scope of the plan and can serve as an overview of the law’s effects, though Titles I and II contain the most extensive and impactful measures of the law:
- Title I – Health Care Access, Portability, and Renewability
- Title II – Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Title III – Tax-related health provisions governing medical savings accounts
- Title IV – Application and enforcement of group health insurance requirements
- Title V – Revenue offset governing tax deductions for employers
HIPAA improved protections for the insured by mandating coverage offers for certain groups and placing new protections for those seeking coverage.
Under the new law, insurers were not allowed to refuse an offer of small-group coverage to employers with two to fifty employees. Also, barring fraud or misrepresentation, insurers were required to allow renewals of past plans. Furthermore, they were required to offer plans to those who had been covered under a group plan for eighteen months, had exhausted COBRA benefits, and did not qualify for other employment-based insurance.
These mandates protected workers with medical needs who had been in good standing but had fallen upon hard times. The law also extended the same protections of group insurance plans to those who acquired health insurance while self-employed.
HIPAA created special enrollment periods for those who undergo a qualifying life event, such as the loss of coverage, a marriage, or the birth or adoption of a new dependent. This measure ensured that those who experienced an unexpected life change or who fell outside of normal processes would be guaranteed coverage for themselves and dependents.
HIPAA also instituted new protections that prevented insurers from denying coverage for discriminatory reasons, including genetic information, dependents, medical history, health status, or disabilities.
Pre-existing Conditions and HIPAA
The law also placed restrictions on what claims could be denied based on preexisting conditions, but it is important to note that pre-existing conditions as a whole were required to be covered under the later Affordable Care Act of 2010, impacting all plans as of January 1, 2014.
However, before the passage of the ACA, health insurance was made more portable between plans through the “creditable coverage” provision of HIPAA. This provision prevented insurers from denying claims based on preexisting conditions as a result of the insured switching plans, either because the insured party switched jobs or the insured party’s employer switched plans.
Pre-existing conditions would typically be covered after twelve months of coverage (or eighteen months in the case of late enrollment), but HIPAA allowed time accumulated towards those twelve months to be maintained or shared across several different insurance providers, provided that there was not a gap in coverage exceeding 63 days.
Thus, even if a person were to switch providers, they could transfer over whatever time (or creditable coverage) they had accumulated towards the preexisting condition clause into the new plan rather than having to restart the clock, so to speak, each time they switched plans.
Taken together with the other enrollment protections, these provisions offered much more robust security for consumers who were growing increasingly frustrated with trends in the health insurance market, offering stability and reliability regardless of their status or changing conditions. Consumers can also rest assured that regardless of which plan they purchase, there will be certain protections that are universal across plans and do not contain hidden language in the fine print.
HIPAA and Privacy Protections
HIPAA also instituted broad protections for patients’ protected health information (PHI). PHI includes the medical history, billing information, and health status of any patient and often contains sensitive personal or financial information that requires protection.
Covered entities, including medical and insurance providers, are required to maintain the privacy and security of patients’ PHI under penalty of heavy fines or other punishments according to the law. The severity of punishment depends on the severity of the breach and the intention, or lack thereof, in disclosing the private information.
Prior to the 2013 Omnibus Rule, breaches of the privacy laws were required to be disclosed if it was proven that “significant harm” had resulted from the breach, whereas now covered entities must disclose a breach unless it can be definitively shown that harm had NOT occurred as a result of it. This change places a far more stringent requirement on covered entities and promotes greater transparency for the consumer.
Conversely, covered entities are also required to disclose PHI to the patients themselves within 30 days, ensuring access for patients to their own medical and billing information.
One important provision of this privacy is that providers are not permitted to share patients’ information with relatives of the patient over the phone, which has led to some issues in isolated cases, but which showcases the importance the law places on security.
PHI can also be shared between providers to facilitate the payment or treatment of a patient without express written consent when a legitimate cause exists, though the covered entities are required to disclose to individuals when this occurs and document the transfer of information appropriately.
When disclosing in this manner, covered entities are expected to share only the minimum of information required for their purpose.
Under other rare circumstances, such as when covered entities are reporting possible abuse to child welfare agencies or otherwise assisting a law enforcement agency, PHI can be disclosed to outside parties without the patient or caregiver’s consent.
Although medical history is often sought by health researchers, any patient’s information must undergo a process of de-identification before it can be utilized as a public data set. Any health or billing data is stripped of any information that could be used to link it back to the original patient before being provided to outside agencies, including:
- Geographic data
- All elements of dates
- Telephone numbers
- FAX numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers (e.g., retinal scan, fingerprints)
- Full face photos and comparable images
- Any unique identifying number, characteristic, or code
Other Aspects of HIPAA
It’s important to note that HIPAA was not intended to radically alter the landscape of the health insurance industry. Although many of the reforms applied to the country as a whole, HIPAA legislation did not impose a federal system of health insurance, allowing for differences in individual programs between states and experimentation in different areas of the country.
States were still free to enact additional protections or laws in addition to the national laws, such as extended enrollment periods.
The most significant additional change made by HIPAA was the simplification of health care coding, which made the use of ICD, CPT, and HCPCS codes for medical claims as well as NPI (National Provider Identifier) codes mandatory and uniform across the healthcare landscape. This resulted in fewer miscommunications, a reduced chance of fraud by providers or members, and a streamlined and simplified process that cut down on costs.
Title II also included language which required all electronic transactions to be performed as an Electronic Data Interchange (EDI), a specific type of secured transaction that ensured security and uniformity across systems.
Other parts of HIPAA, including Titles III, IV, and V, deal with minor issues, such as the standardization of medical savings accounts (which allow for pre-tax income to be stored and used on medical expenses), clarification of COBRA coverage language, life insurance tax deductions, and laws regarding expatriated citizens.
At the time of its inception, HIPAA represented the most wide-ranging overhaul of health insurance standards in decades, and its legacy still stands as one of the most significant laws governing our health insurance markets today.
By understanding the laws that protect you and your family, you can be secure in the knowledge that your rights and privacy are well protected under the scope of this law regardless of the plan or provider you choose.