Health Insurance Portability and Accountability Act of 1996

HIPAA General FAQs

How does HIPAA apply to me?

If you change jobs, HIPAA guarantees that your new employer's health plan must accept you regardless of your health status. HIPAA also protects you if you or an insured family member has a pre-existing condition by limiting the pre-existing condition exclusion-waiting period and crediting prior coverage.

How will HIPAA help people with pre-existing conditions?

Some companies have a pre-existing condition exclusion period* for new employees and their covered dependents. During this exclusion period, certain health benefits are not provided for pre-existing conditions. HIPAA generally limits the time of the exclusion period to no longer than 12 months (18 months for late enrollees). Also, if you previously had health insurance coverage, the exclusion period may be reduced or waived.

Note that under health care reform, pre-existing condition limitations have been eliminated on the individual market products.

*A pre-existing exclusion period cannot be applied to pregnancy or to newborns and adopted children added to the health plan within 30 days.

What if I previously had insurance and my new company has a pre-existing exclusion period?

If you or your dependents have a pre-existing condition and previously had health insurance, you may be able to reduce or waive the pre-existing condition exclusion period at your new company. Your prior coverage (including group health insurance, an individual policy, Medicare or Medicaid) may be "credited" against the exclusion period if certain HIPAA requirements are met.

What if my new company has an employer-imposed waiting period?

If your company has a waiting period before you are covered under the group health plan, it must run concurrently with any pre-existing exclusion waiting period. For example, if your company has a 3-month waiting period and a 12-month pre-existing exclusion-waiting period, you would only have to wait a maximum of 12 months to be covered for pre-existing conditions and less if you have evidence of prior creditable coverage.

How can I show that I had prior coverage?

Under HIPAA, your previous employer or insurance company is required to issue a certificate to you if you change jobs or lose your health coverage. This certificate, called a "certificate of creditable coverage," provides evidence of your prior coverage.

If I cannot obtain a certificate, are there other means by which I can provide evidence of creditable coverage?

Since HIPAA regulations require insurers to be reasonable regarding crediting of prior coverage, the insurer must accept other evidence of coverage. An example would be government entities who are not required to issue certificates. In this case, a letter from the Department of Public Welfare or military discharge papers will be accepted. In addition, other evidence of creditable coverage can include: pay stubs, telephone verification, identification card, etc. (as long as the effective and cancel dates of coverage can be verified).

What should I do if I receive a certificate?

If you receive a certificate, keep it for your files or future use. If you or a family member has a pre-existing medical condition, you may need to present your certificate to your new employer. If you do not have a pre-existing condition or if your new employer does not have a pre-existing exclusion period, you may not need to use your certificate.

What other rights do I have under HIPAA?

Under HIPAA, your health coverage cannot be terminated because of your health status. Employers must notify you of any pre-existing condition exclusion periods and inform you of your right to present evidence of prior coverage.

Does Highmark have a list of the health status-related factors defined under the HIPAA nondiscrimination regulations?

Yes, individuals cannot be treated differently on the basis of the following:

  • Health status
  • Medical condition, including both physical and mental illness
  • Claims experience
  • Receipt of health care
  • Medical history
  • Genetic information
  • Evidence of insurability (including conditions arising out of acts of domestic violence)
  • Disability

How do I determine if I fall into the special enrollment period under HIPAA?

HIPAA provides for special enrollment in two situations:

  1. The employee or their dependent loses their medical or dental insurance coverage.
  2. The employee acquires a new dependent by adoption, placement for adoption, birth or marriage.

Note: In both situations, he/she must request the special enrollment(s) within 30 days of the triggering event.

Does HIPAA affect COBRA continuation coverage?

HIPAA made three changes to COBRA's continuation coverage. These changes took effect January 1, 1997, regardless of an individual's eligibility date for continuation coverage.

  1. Continuation coverage period — Under HIPAA, disabled individuals (as determined under the Social Security Act) are entitled to 29 months of COBRA continuation coverage if they become disabled during the first 60 days of COBRA coverage.
  2. Coverage termination — COBRA continuation coverage generally can be terminated when an individual becomes covered under another group health plan. It cannot be terminated because of other coverage where the plan limits or excludes coverage for any preexisting condition of the individual.
  3. Continuation coverage for children — COBRA rules have been changed so that children born to, adopted by or placed for adoption with the covered employee during the continuation coverage period are treated as qualified beneficiaries.

What is the Newborns' and Mothers' Health Protection Act?

The Newborns' and Mothers' Health Protection Act (NMHPA) provides that coverage for a hospital stay following a normal delivery may generally not be limited to less than 48 hours for both mother and newborn child. The hospital stay following a Caesarian section may generally not be limited to less than 96 hours for both mother and newborn child.

Can my health plan require me to obtain authorization for a 48-hour or 96-hour hospital stay?

A health plan cannot require you to obtain authorization justifying the medical necessity of your 48- or 96-hour stay. However, your health plan may require your physician to submit the necessary documentation for pre-certification of medical necessity for any additional time exceeding the 48- or 96-hour stay, or control your admission to certain facilities.

HIPAA Privacy FAQs

What is a covered entity?

Covered entities are health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with a standard transaction covered by HIPAA.

What does PHI mean?

PHI means Protected Health Information. PHI is defined as any information, including demographic information, that is created or received by a health care provider, health plan, employer or health care clearinghouse. It relates to the past, present or future physical or mental health or condition of an individual, the providing of health care to an individual, or any past, present or future payment for health care to an individual. The information identifies the individual or there may be a reasonable basis to believe the information can be used to identify an individual.

Are individuals entitled to free copies of their medical records?

Individuals are able to request, view and obtain copies of their medical records. The law specifically allows a covered entity to impose a reasonable, cost-based fee for this service.

Can prescriptions be only picked up by the patient?

The regulation states "A covered entity may use professional judgment and its experience with common practice to make responsible inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information."

What does "minimum necessary" mean?

HIPAA's "minimum necessary" component makes reasonable efforts to limit uses, disclosures and requests for protected health information to the minimum necessary to accomplish intended purposes. Basically, protected health information should be limited to: who really needs to know and how much does the person really need to know.

What is a business associate?

A business associate is a person or entity who provides certain functions, activities or services to a covered entity involving the use or disclosure of protected health information.

Can we discolse an individual's zip code information?

Unless the information is being released pursuant to a permitted disclosure, the rules require that ZIP code information cannot be released, except in the following situations:

  • If it is determined that the risk is very small and the information could not be used either by itself or in a combination with other available information to identify an individual, or
  • The first three digits of the ZIP code may be released if the total population within all ZIP codes with these three digits is more than 20,000.

What is a "designated record set"?

Generally, it is a group of records maintained by or for a covered entity that is:

  • The medical records and billing records about individuals maintained by or for a covered health care provider
  • The enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health plan
  • Used in whole or in part by or for the covered entity to make decisions about individuals

Must covered entities establish and maintain policies and procedures to safeguard the confidentiality of PHI?

All covered entities must establish and maintain policies and procedures to include administrative, technical (security services and mechanisms) and physical safeguards to protect PHI.

What are the HIPAA privacy training requirements concerning employees?

All covered entities must train each member of the covered entity's workforce and document that training took place for its workforce prior to the compliance date (April 14, 2003) and must train all new workforce members after the compliance date.

If there is a material change to its privacy policies or procedures, the covered entity must train each member of its workforce whose functions are affected by this change.