RSS | Print | PDF | Email Page

New HIPAA Rules for Group Health Plans and Health Insurers

February 2005

The Department of Health and Human Services has issued two sets of final regulations under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA") that will soon become effective and that apply to group health plans and health insurance issuers. The first set of regulations implements previously established health insurance portability rules. The second set of regulations imposes new security standards on group health plans and health insurance that use electronic protected health information. This Jones Day Commentary will describe the compliance obligations for group health plans and health insurance issuers created by these new HIPAA regulations.

Access to Group Health Coverage Rules

On December 30, 2004, the Department of Health and Human Services issued final regulations under HIPAA in connection with health insurance portability that give workers greater access to group health plan coverage. Identical regulations were issued simultaneously by the Department of Labor and the Department of Treasury.

Specifically, the new access regulations finalize portions of an interim final regulation published on April 8, 1997 that give individuals greater access to group health plan coverage by limiting the use and duration of preexisting condition exclusions imposed. In addition, the regulations require group health plans and health insurance issuers to offer "special enrollment" options for certain life events that cause individuals (and other eligible new dependents) to lose eligibility for other group health coverage or health insurance.

The final regulations become effective February 28, 2005 but apply to plan years starting on or after July 1, 2005. Notably, the final regulations do not significantly change the framework of the 1997 interim regulations, but in response to comments received during the public comment period, the final regulations increase plan participant protections even further.

Although some of the 1997 interim final regulations still remain in their non-final form, the parts that have been finalized include those that:
  • Limit exclusions for preexisting medical conditions;
  • Provide credit for prior health coverage that satisfies preexisting medical conditions, as well as a process for providing medical certificates concerning prior coverage to a new group health plan or health insurance issuer; and
  • Provide new rights that allow individuals who lose coverage or have a new dependent to enroll immediately in health coverage.

Preexisting Condition Exclusions. One of HIPAA’s central provisions prevents group health plans and health insurance issuers from excluding preexisting conditions from coverage for certain periods of time and under certain conditions. Specifically, the final rule confirms the interim rules posture that any preexisting condition exclusions:
  • Must relate to a condition for which medical advice, diagnosis, care, or treatment was recommended or received during the six-month period before an individual’s enrollment date;
  • May not last for more than 12 months (18 months for late enrollees) after an individual’s enrollment date;
  • Must be reduced by the number of days of the individual’s "prior creditable coverage" that occurred without a break in coverage for 63 days or more;
  • May not include pregnancy—pregnancy must be covered no matter whether a woman had previous coverage; and
  • Cannot be applied to a newborn or adopted child under age 18 so long as the child became covered within 30 days of birth or adoption, provided there is not a subsequent 63-day or longer break in coverage.

A group health plan or health insurance issuer must provide a general notice of preexisting condition exclusions as part of any written application materials distributed by the group health plan or health insurance issuer for enrollment. If such application materials do not exist, then the general notice must be provided by the earliest date following a request for enrollment that the group health plan or health insurance issuer, acting in a reasonable and prompt fashion, can provide such a notice.

Group health plans or health insurance issuers that have preexisting condition exclusions will need to follow certain final rule requirements, including:
  • The group health plan or health insurance issuer must notify individuals of their rights to show prior creditable coverage to reduce the preexisting exclusion period;
  • The group health plan or health insurance issuer must decide whether creditable coverage exists; and
  • If the group health plan or health insurance issuer notifies an individual that it is imposing an exclusion period, then the notice also must tell the individual the basis of the determination, including the source and substance of any information on which it relied, an explanation of the individual’s right to submit additional evidence of creditable coverage, a description of any appeals procedures established, as well as a person to contact for obtaining additional information or assistance regarding the preexisting condition exclusion.

Waiting Periods. HIPAA does not prohibit a group health plan or health insurance issuer from establishing a waiting period. Nevertheless, established waiting periods must run concurrently with any preexisting condition exclusion period. With respect to group health plans, a waiting period is the period that must pass before an employee or a dependent is eligible to enroll under the terms of a group health plan. Note that if the employee or dependent is a late enrollee (or a special enrollee), any time period prior to the late (or special) enrollment will not be considered part of the waiting period.

Creditable Coverage and Certificates of Coverage. Creditable coverage is a concept that individuals should be given credit for previous health coverage when moving from one employer group health plan to another, from an employer group health plan to an individual policy, or from certain kinds of individual coverage to an employer group health plan. Creditable coverage includes coverage under a group health plan (including a governmental or church plan), HMO, COBRA, Medicare, Medicaid, CHAMPUS, S-CHIP, Indian Health Service program, Federal Employees Health Benefit Program, a public health plan, a Peace Corps health benefit plan, or any individual health insurance policy. With respect to limited scope benefits such as dental, vision, or long-term care, coverage for such benefits does not count as creditable coverage, and days in a waiting period are generally not creditable coverage under such a plan, nor are these days taken into account when determining a significant break in coverage.

Employers must provide a "certificate of coverage" to any employee who has coverage and loses it (typically, these employees leave their place of work and lose coverage or go on COBRA continuation coverage).

Model Certificate of Creditable Coverage and Educational Statement. The final regulations published by the trio of federal agencies also contain a model form certificate of creditable coverage that group health plans or health insurance issuers may use. Group health plans or health insurance issuers who are not using the model certificate should know that any certificate of creditable coverage issued must identify the group health plan or the health insurance issuer that provided the coverage, provide any insurance identification number, and state how long the individual was covered. Coverage for longer than 18 months can be stated as such, but shorter lengths of time must specify the dates of coverage. Certificates of creditable coverage may also be issued to individuals via electronic communication such as e-mail.

The final regulations add that group health plans and health insurance issuers are required to include, concurrently with the certificate of creditable coverage provided to individuals when they lose coverage under the plan, an educational statement on their HIPAA rights. The final regulations contain model language that group health plans and health insurance issuers can use for such an educational statement.

Alternatives to Certificate of Creditable Coverage. Group health plans and health insurance issuers should be aware that individuals will be allowed to use other evidence that proves prior coverage. Such evidence may include, among other things:
  • pay stubs showing premium payments,
  • a health insurance identification card,
  • explanation of benefits forms, or
  • medical documents, such as verification by a treating health practitioner.

Timing of Certificate Issuance and Time Covered by Certificate. Group health plans and health insurance issuers must furnish the certificate of creditable coverage automatically:
  • To an individual who is entitled to COBRA continuation coverage, no later than when a notice is required to be provided for a qualifying event under COBRA;
  • To an individual who loses coverage under a group health plan and who is not entitled to a COBRA election, within a "reasonable time" after coverage is stopped;
  • To an individual who has been on COBRA coverage, either within a "reasonable time" after the plan learns that COBRA continuation coverage ended, or, if applicable, within a "reasonable time" after the individual’s grace period for the payment of COBRA premiums ends; and
  • When an individual, or a person acting on the individual’s behalf and with his or her permission, requests one while the individual is covered under a plan and after 24 months after coverage ceases, at the earliest time that the certificate can be provided in a "reasonable and prompt fashion."

The time of coverage issued in a certificate of creditable coverage depends upon the method of issuance.

Automatic Issue: The certificate should cover the most recent period of continuous coverage.

Issue on Request: The certificate should show each period of continuous coverage ending within 24 months of the request.

Special Enrollment. There are several provisions with respect to special enrollees in the final regulations. In general, a group health plan and a health insurance issuer is required to provide for special enrollment periods during which certain individuals who previously declined coverage are allowed to enroll without having to wait until the group health plan’s next open enrollment period. For a more complete explanation and analysis of special enrollment rights, contact a Jones Day lawyer listed at the end of this Jones Day Commentary.

Security Rules

A completely new set of HIPAA standards, this time covering security for electronic protected health information ("ePHI"), will, in the near future, take effect and apply to HIPAA-covered entities, including employer group health plans that are creating, receiving, maintaining, or transmitting ePHI. These rules are different from, and are in addition to, the HIPAA privacy rules that became applicable to group health plans in 2003 (or 2004 for small group health plans). While the HIPAA privacy rules govern the use and disclosure of protected health information, the new security rules apply to the physical, technical, and administrative safeguards that are to be put in place to protect electronic healthcare data that is ePHI.

Security Rule Application. The new HIPAA security rules (the "Security Rules") only apply to group health plans that electronically create, receive, maintain, or transmit protected health information. Group health plans must comply with the new rules if the group health plan or any service provider to the group health plan (such as, for example, a third-party administrator) creates, receives, maintains, or transmits ePHI in connection with the administration or operation of the group health plan.

Security Rule Effective Date and Administrative Burdens. The new Security Rules generally become effective April 21, 2005 and are intended to implement national standards for safeguards to protect the confidentiality, integrity, and availability of ePHI. Types of group health plans subject to the Security Rules include medical plans, health care flexible spending accounts, and dental plans, to name a few. The type of group health plan arrangements a plan sponsor has will determine the level of compliance required by the Security Rules. For example, the burdens on a self-funded plan will be greater than on a fully insured plan. Certain smaller plans (i.e., those with less than $5 million in annual receipts) are entitled to an additional year to comply with the Security Rules (April 21, 2006).

Security Rule Compliance Requirements. Group health plans subject to the Security Rules must have certain documentation in place by the April 21, 2005 (April 21, 2006 for small group health plans) effective date. For example, for a self-funded group health plan subject to the Security Rules, required documents will include written health security policies and procedures, and amendments to plan documents and any service provider (business associate) contracts, even those already containing HIPAA privacy language. In addition to these documentary requirements, group health plans, through, for example, the plan sponsor’s technology support staff, will be required to assess and implement a number of security measures relating to administrative, physical, and technical safeguards with respect to any plan ePHI that is created, received, maintained, or transmitted as part of its or the plan sponsor’s electronic systems. Each group health plan should analyze its situation in light of the Security Rules in order to determine accurately the requirements that will apply to the plan.

Because the new Security Rules are complex, if readers need any assistance in determining whether the rules apply to their group health plans or in implementing the rules if they do, they should call a Jones Day lawyer as soon as possible to discuss their legal obligations and to begin a timely determination and preparation of required written documents that will need to be in place by April 21, 2005 (April 21, 2006 for small group health plans).

Further Information

For further information, readers are encouraged to contact their regular Jones Day attorney or the principal authors of this Commentary, Ned Milenkovich (nmmilenkovich, in the Chicago Office, 77 West Wacker Drive, Suite 3500, Chicago, Illinois 60605, telephone 312.269.1583, and Kevin D. Lyles (kdlyles in the Columbus Office, 325 John H. McConnell Boulevard, Suite 600, Columbus, Ohio 43215, telephone 614.281.3821. General e-mail messages may be sent using our web site feedback form, which can be found at

Jones Day Commentaries are a publication of Jones Day and should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of Jones Day, to be given or withheld at its discretion. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship.