Health Benefits: A Look at Recent HIPAA Developments

If you have an employer-sponsored health plan, it is important to stay up-to-date on the latest information about the Health Insurance Portability & Accountability Act, or HIPAA—which imposes requirements regarding the security of medical information, nondiscrimination in health plans, and much more. We’ll take a look at HIPAA developments that are new for 2007.

New Security Guidance

In January 2007 the Centers for Medicare and Medicaid Services issued new guidance addressing the remote use of and access to electronic protected health information (EPHI). EPHI includes any electronic data related to an individual’s health or health care that could identify the individual, such as name, address, medical record or account number, or e-mail address. The guidance outlines strategies covered entities (that is, health plans, including employer-sponsored health plans, and providers) can use to prevent security incidents involving EPHI that is accessed, stored, or transported offsite, such as through laptops, home computers, PDAs, flash drives, smart phones, CDs or DVDs, or e-mail.

The guidance advises that offsite use or access of EPHI should only be permitted when necessary for business reasons—and then, the organization should analyze potential risks stemming from accessing, storing, and transmitting this information. The results of this analysis should form the basis of policies and procedures needed to protect the information, including:

  • Data access policies and procedures, ensuring that users can reach only the data they are authorized for and that remote access is granted solely on the basis of a user’s role in the organization and their need for the EPHI.
  • Storage policies and procedures for portable media and devices containing EPHI, such as laptops, hard drives, backup media, USB flash drives, and any other data storage item that could potentially be removed from the organization’s facilities.
  • Transmission policies to ensure the safety of EPHI sent over networks.
  • Security incident procedures, including notifying affected parties and steps to manage the harmful effects of improper use or disclosure.
  • A sanction policy informing the workforce of the consequences of not complying with the EPHI policies and procedures.
  • Workforce awareness and training regarding the organization’s EPHI security policies and procedures.

The new guidance contains detailed examples of these possible risks and appropriate security measures. You can link to the guidance from this article’s online version.

Nondiscrimination in Wellness Programs

In other HIPAA news, final rules were recently published regarding how the law’s nondiscrimination provisions apply to wellness programs. The rules will be effective on the first day of the plan year beginning on or after July 1, 2007. For calendar year plans, the new rules typically apply beginning January 1, 2008.

HIPAA’s nondiscrimination provisions generally prohibit group health plans from charging similarly situated individuals different premiums or contributions or imposing different deductible, copay, or other cost-sharing requirements based on a health factor.

Health factors include:

  • Health status;
  • Medical condition;
  • Claims experience;
  • Receipt of health care;
  • Medical history;
  • Genetic information;
  • Evidence of insurability; and
  • Disability.

The new rules clarify that wellness programs meeting certain criteria are exempt from the nondiscrimination requirements. A wellness program that doesn’t require an individual to meet a health factor or doesn’t offer a reward is consistent with HIPAA’s nondiscrimination requirements. Examples include a program that reimburses the cost for fitness center memberships or a diagnostic testing program that provides a reward for participation rather than outcomes.

However, a wellness program that conditions a reward on an individual satisfying a standard related to a health factor must meet these five requirements to comply with the nondiscrimination provisions:

  1. The total reward must be limited—generally, it must not exceed 20 percent of the cost of employee-only coverage under the plan.

  2. The program must be reasonably designed to promote health and prevent disease.

  3. The program must give individuals the opportunity to qualify for the reward at least once a year.

  4. The reward must be available to all similarly situated individuals. The program must allow a reasonable alternative standard (or waiver of the initial standard) for obtaining the reward to any individual for whom it is unreasonably difficult due to a medical condition, or medically inadvisable, to satisfy the initial standard.

  5. The plan must disclose in all materials that describe the program’s terms the availability of a reasonable alternative standard (or the possibility of a waiver of the initial standard).

Additional Resource

Review the new nondiscrimination regulations on the U.S. Department of Labor Employee Benefits Security Administration’s website.