Several federal laws govern health insurance. The Health Insurance Portability and Accountability Act (HIPAA) happens to be one of them. The Act provides a wide range of protections to millions of workers in the US who have some type of underlying health condition that exposes them to the risk of discrimination, limitation, or exclusion in group health coverage.
More often than not, when people talk about the HIPAA law, they are usually referring to the Privacy Rule provision that was established in 2003. However, this is just one facet of the broader law that Congress initially passed in 1996.
So, what is HIPAA law, and why does it matter? Here’s everything you need to know.
What Does HIPAA Stand For
HIPAA is short for the Health Insurance Portability and Accountability Act. The law mainly applies to employer-based health coverage. It is designed to protect you if you have an underlying health characteristic or preexisting medical condition that an insurance company would deem undesirable when it comes to providing you with health insurance.
Additionally, the law also requires doctors, other healthcare professionals, and service providers to ensure that patient medical records are kept confidential.
Today, many of the provisions of HIPAA are no longer required because of the protections provided by the newer 2010 Affordable Health Care Act. Nonetheless, if you are currently on an older healthcare plan, you and your family can still benefit from the protections HIPAA offers.
How Does HIPAA Treat Preexisting Conditions
HIPAA defines a preexisting medical condition as a health characteristic for which you have received a medical diagnosis, treatment, care, or advice in the six-month period leading up to your enrolment in an existing insurance plan.
The law confines insurance providers to a six-month “look-back” limit as far as identifying preexisting conditions goes. It essentially means that a health insurer cannot exclude coverage for a condition you received a medical diagnosis, treatment, care, or advice longer than six months before enrolling in your current plan.
On the other hand, if the condition occurred within the look-back window, a healthcare provider can exclude it from coverage.
The whole premise of HIPAA is to regulate how health insurance providers operate by placing restrictions on the number of ways available to them to exclude coverage for certain underlying medical conditions. Here are some of the notable protections HIPAA provides to American workers.
Protections for Pregnant Women
Before HIPAA was enacted, pregnancy was considered a preexisting condition if you enrolled in a new healthcare plan. This is no longer the case. Pregnant women can now switch to a different group health plan without running the risk of being excluded from coverage.
Protections for Newborn and Adopted Children
Before the enactment of HIPAA, preexisting exclusions applied to newborn children and minors who were adopted or put up for adoption. The provisions of the Act now allow newborns, adopted children, or children put up for adoption to be entered into the health plan provided that it is done within 30 days of birth, adoption, or adoption placement.
The Act bars health insurance providers from treating genetic information as a preexisting condition if there is no accompanying diagnosis. Additional protections under state law may be available to individuals on a plan provided via a health maintenance organization or private insurance company.
Shorter Exclusion Periods
Individuals with preexisting medical conditions on group coverage can now enjoy shorter exclusion periods. The maximum exclusion duration is typically 12 months from the date of enrolment in your existing plan.
Protections When Changing Jobs
If changing jobs results in switching from one health plan to a different one, the provisions of HIPAA protect you from any new preexisting condition exclusions, provided that the break within your coverage is no more than 63 days.
Protections Against Discrimination
HIPAA prohibits insurance providers from discrimination based on any health-related characteristics a patient may have. Health insurers cannot exclude you from coverage or charge you more because of your existing health status.
HIPAA Privacy Rule
In most cases, when people talk about HIPAA compliance, they are generally referring to the provisions of the Act’s Privacy Rule. This federal law prohibits healthcare providers, businesses, and medical professionals, including health insurers, laboratories, pharmacies, administrative staff, and so forth, from disclosing your information to third parties without your authorization.
Congress enacted the Privacy Rule after the sale of country singer Tammy Wynette’s medical records to the tabloids and the public revelation of tennis star Arthur Ashe’s HIV status. The two incidents raised public concerns about the safety of their genetic information, particularly because the internet made it easier for privacy breaches to occur.
Why Is the Privacy Rule Important
HIPAA’s Privacy Rules give individuals the right to control the way their health information is disclosed to third parties. It’s important to note that HIPAA doesn’t protect all kinds of health data. It applies to medical information held by specific kinds of health care providers.
For instance, the Act doesn’t cover the data stored on your Fitbit or Apple Watch. The same applies to the genetic data entered on DNA match websites like Ancestry.com. While the privacy disclosures required on such apps may be governed by other laws, HIPAA does not protect that information.
What Is Protected Health Information
HIPAA defines protected health information (PHI) as personally identifiable information related to an individual’s present, past, or future health status. This information can only be collected, created, maintained, or transmitted by a HIPAA-covered entity, for use in healthcare operations and the provision or payment of healthcare services.
Examples of protected health information include:
- Demographic information such as gender, ethnicity, and birth dates
- Diagnostic information
- Medical test results
- National identification numbers
- Prescription information
- Treatment information
- Emergency contact information
PHI generally refers to physical records, while ePHI refers to health records created, stored, or transmitted in electronic format.
An important distinction to make here is that protected health information doesn’t relate to data contained in employment or educational repositories, even for HIPAA-covered entities in their capacities as employers. Instead, it only applies to the health information on patients or members of a health plan.
The rule of thumb when determining whether or not a piece of information is considered PHI is if the data in question can be used to identify the individual to whom it belongs. If the health data is stripped of all identifiers, the information is no longer considered protected, and HIPAA’s Privacy Rule no longer applies.
What Is a HIPAA Violation
A HIPAA violation occurs when the access, acquisition, disclosure, or use of PHI results in a substantial personal risk to the patient.
There are two categories of HIPAA violations:
- Criminal, where the individual committed the violation with malicious intent. This attracts stiff penalties, including fines, jail time, or both.
- Civil, where the individual committed the violation without malicious intent, mainly as a result of negligence or ignorance. Penalties consist of fines ranging between $100 and $50,000 for each count of the violation.
Some examples of HIPAA violations include getting hacked, phishing attacks, lack of encryption, loss/theft of company devices, unauthorized access, improper PHI disposal, unsecured access, among others.
What Is Health Insurance Portability
Title I of HIPAA grants individuals certain rights pertaining to how insurance and health plan providers treat preexisting conditions. Title I also contains provisions related to portability rights.
Health insurance portability refers to an individual’s option to retain their health plan benefits when changing employers. HIPAA provisions give an employee the right to be provided with health coverage without exclusions, provided they meet certain enrollment criteria. These portability requirements are detailed below.
- Requires health-plan and insurance providers to provide coverage and limit the restrictions placed on benefits for preexisting conditions. A group health plan can only decline coverage related to preexisting conditions for 12 months after an individual’s enrollment.
- Requires group health plans to take into account the duration of coverage an individual had before enrolling into a new plan, inclusive of any breaks. That way, workers can limit the exclusion period related to their preexisting conditions.
- Requires the application of “creditable coverage” to the exclusion periods related to preexisting conditions. Creditable coverage refers to previous health plans that meet certain criteria. Health-plan and insurance providers can apply it as a day-for-day credit against that of the exclusion period for a preexisting condition when an employee migrates from one health plan to another.
- Requires the application of day-for-day creditable coverage by health plan providers to minimize exclusions on preexisting conditions, provided the individual’s break in coverage is no more than 63 days.
- Allows group health plans to apply the maximum length of exclusion for a preexisting condition if the individual had a “significant break” in coverage during their transition from one group plan to the other. Title I defines a “significant break” as 63 days or more.
- Requires health insurance providers to offer policies with no exclusions to employees exiting from group health plans that had creditable coverage spanning more than 18 months.
HIPAA’s portability requirement as provided by Title I means that insurers are obligated to provide policies without exclusion to individuals transitioning from one job to another, allowing them to retain their right to be enrolled in group health plans.
Who Enforces HIPAA and Who Does It Apply To
There is often a lot of confusion over who HIPAA applies to since the Privacy Rule – which requires healthcare entities to protect personally identifiable health information for every individual – forms a very small section of the entire law.
First, it’s important to understand that the Health Insurance Portability and Accountability Act is a federal law. The Department of Health and Human Services (HHS) is the federal agency responsible for enforcing it.
With that in mind, who does HIPAA apply to? Broadly speaking, the short answer would be – everybody in the United States. Nonetheless, the scope of HIPAA for healthcare providers is a lot smaller. According to the HHS, the rules set out by HIPAA apply to any entity and business associate covered by the Act.
A covered entity is any healthcare provider whose operations consist of electronic transactions. Examples of covered entities include healthcare clearinghouses and health plans.
On the other hand, a business associate, as defined by the Act, is an individual conducting business with covered entities and whose operations include exposure or access to protected health information from the entities in question.
HIPAA and Telehealth
Does HIPAA cover telehealth? Yes, it does.
The HIPAA guidelines for telehealth apply to any healthcare entity or medical professional that offers remote services to patients outside their designated health facility. HIPAA compliant telehealth requires secure channels of communications between patients and their providers that meet the following criteria.
- ePHI should only be accessible to authorized users
- The integrity of ePHI should be protected by secure systems of communication
- A communication monitoring system should be implemented to prevent malicious or accidental ePHI breaches
Is FaceTime HIPAA Compliant for Telehealth
No, it’s not. Using unsecured channels of communication such as FaceTime, Skype, Zoom, email, or SMS goes against the HIPAA guidelines for telehealth. These should not be used for ePHI communications. Here’s why.
When electronic-based protected health information is created by a covered entity (healthcare organization) or healthcare professional, third-party providers store this information. The covered entity and the third-party service need to have a Business Associate Agreement (BAA) in force, detailing the methods used to store and protect the integrity of the data. It also contains provisions for regular security audits.
Copies of communications containing personally identifiable health information sent via FaceTime, Skype, Zoom, email, or SMS are stored on the service provider’s servers. To comply with the HIPAA guidelines for telehealth, a covered entity would need to have BAAs with each of these third-party providers (such as Apple Inc., Skype, etc.).
Since no agreements exist with these providers, the covered entity would be liable for civil action should a breach result in the unauthorized disclosure of ePHI.
Get Help From an Attorney
Knowing whether your HIPAA-guaranteed healthcare rights have been violated can be quite difficult, particularly when switching jobs. It’s always a good idea to consult with an experienced lawyer to ensure your health coverage rights are protected.
Do you have any legal questions for us? Chat online with a Laws101 attorney right now.