Health Insurance Portability and Accountability Act (HIPAA) of 1996

The Health Insurance Portability and Accountability Act (HIPAA) offers protections for millions of American workers that improve portability and continuity of health insurance coverage.

HIPAA Protects Workers And Their Families By

  • Limiting exclusions for preexisting medical conditions (known as preexisting conditions)
  • Providing credit against maximum preexisting condition exclusion periods for prior health coverage and a process for providing certificates showing periods of prior coverage to a new group health plan or health insurance issuer
  • Providing new rights that allow individuals to enroll for health coverage when they lose other health coverage, get married or add a new dependent
  • Prohibiting discrimination in enrollment and in premiums charged to employees and their dependents based on health status-related factors
  • Guaranteeing availability of health insurance coverage for small employers and renewability of health insurance coverage for both small and large employers
  • Preserving the states’ role in regulating health insurance, including the states’ authority to provide greater protections than those available under federal law

Preexisting Condition Exclusions

  • The law defines a preexisting condition as one for which medical advice, diagnosis, care, or treatment was recommended or received during the 6-month period prior to an individual’s enrollment date (which is the earlier of the first day of health coverage or the first day of any waiting period for coverage)
  • Group health plans and issuers may not exclude an individual’s preexisting medical condition from coverage for more than 12 months (18 months for late enrollees) after an individual’s enrollment date
  • Under HIPAA, a new employer’s plan must give individuals credit for the length of time they had prior continuous health coverage, without a break in coverage of 63 days or more, thereby reducing or eliminating the 12-month exclusion period (18 months for late enrollees)

Creditable Coverage

  • Includes prior coverage under another group health plan, an individual health insurance policy, COBRA, Medicaid, Medicare, CHAMPUS, the Indian Health Service, a state health benefits risk pool, FEHBP, the Peace Corps Act, or a public health plan

Certificates Of Creditable Coverage

  • Certificates of creditable coverage must be provided automatically and free of charge by the plan or issuer when an individual loses coverage under the plan, becomes entitled to elect COBRA continuation coverage or exhausts COBRA continuation coverage. A certificate must also be provided free of charge upon request while you have health coverage or anytime within 24 months after your coverage ends
  • Certificates of creditable coverage should contain information about the length of time you or your dependents had coverage as well as the length of any waiting period for coverage that applied to you or your dependents
  • For plan years beginning on or after July 1, 2005, certificates of creditable coverage should also include an educational statement that describes individuals' HIPAA portability rights. A new model certificate is available on EBSA's Web site.
  • If a certificate is not received, or the information on the certificate is wrong, you should contact your prior plan or issuer. You have a right to show prior creditable coverage with other evidence — like pay stubs, explanation of benefits, letters from a doctor — if you cannot get a certificate

Special Enrollment Rights

  • Are provided for individuals who lose their coverage in certain situations, including on separation, divorce, death, termination of employment and reduction in hours. Special enrollment rights also are provided if employer contributions toward the other coverage terminate
  • Are provided for employees, their spouses and new dependents upon marriage, birth, adoption or placement for adoption

Discrimination Prohibitions

Ensure that individuals are not excluded from coverage, denied benefits, or charged more for coverage offered by a plan or issuer, based on health status-related factors

The Medical Privacy Rule at a Glance

The medical privacy rule implements certain privacy protections required by the Health Insurance Portability and Accountability Act of 1996. The standards appear at 45 CFR parts 160 and 164.

Covered entities. Public and private sector entities including health plans, health care clearinghouses, and health care providers who conduct administrative or financial transactions electronically are subject to the rules. Certain business associates who serve the health care industry are also affected.

Information protected. Covered information includes medical records or other data that contain individually identifiable health information that may be used or disclosed in any form such as electronically, on paper, or orally.

New patient rights. Patients must be given a clear written explanation of how health information will be used or disclosed, with such use or disclosure generally occurring only upon the patients’ written consent. Prior consents which provide equal or better protection may be relied upon. In addition, patients will generally have a right of access to their own medical information and may request an amendment to records and restrictions in use. A complaint procedure must be provided to resolve privacy violations.

Limits on use and release. Disclosures of health information should be limited to the minimum amount necessary for specified purposes, and nonmedical disclosures are permitted only upon a patient’s written authorization. Disclosures for public health or law enforcement purposes are permitted when required or permitted by law.

Organizational responsibilities. Covered organizations must adopt written privacy policies, designate a privacy officer, and conduct training for employees on the privacy policies.

Enforcement. The privacy rule is enforced by the Office of Civil Rights of the U.S. Health and Human Services Department. Civil and criminal penalties may be used when violations are found. Criminal penalties can go as high as $250,000.00 and 10 years in prison.

Enhanced standards improve privacy protections and security safeguards for consumer health data

Effective March 26, 2013, the U.S. Department of Health and Human Services (HHS) issued privacy rules to strengthen the privacy and security protections for health information established under HIPAA.

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced expanded many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights have also been expanded in the following ways:

  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
  • The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA), which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.


Source: US Department of Labor. Updated 01/28/2013
