The Act consists of five Titles. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies. Title I of HIPAA regulates the availability and breadth of group health plans and certain individual health insurance policies. It amended the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code. Title I requires coverage of preexisting conditions and also limits the restrictions that a group health plan can place on benefits for them.
Group health plans may refuse to provide benefits relating to preexisting conditions for a period of 12 months after enrollment in the plan or 18 months in the case of late enrollment. Title I allows individuals to reduce the exclusion period by the amount of time that they had “creditable coverage” prior to enrolling in the plan and after any “significant breaks” in coverage. “Creditable coverage” is defined quite broadly and includes nearly all group and individual health plans, Medicare, and Medicaid. A “significant break” in coverage is defined as any 63-day period without any creditable coverage.
Along with an exception, allowing employers to tie premiums or co-payments to tobacco use, or body mass index. Some health care plans are exempted from Title I requirements, such as long-term health plans and limited-scope plans such as dental or vision plans that are offered separately from the general health plan. However, if such benefits are part of the general health plan, then HIPAA still applies to such benefits. For example, if the new plan offers dental benefits, then it must count creditable continuous coverage under the old health plan towards any of its exclusion periods for dental benefits.
An alternate method of calculating creditable continuous coverage is available to the health plan under Title I. That is, 5 categories of health coverage can be considered separately, including dental and vision coverage. Since limited-coverage plans are exempt from HIPAA requirements, the odd case exists in which the applicant to a general group health plan cannot obtain certificates of creditable continuous coverage for independent limited-scope plans such as dental to apply towards exclusion periods of the new plan that does include those coverages. Such clauses must not be acted upon by the health plan and also must be re-written so that they comply with HIPAA.
Title II of HIPAA establishes policies and procedures for maintaining the privacy and the security of individually identifiable health information, outlines numerous offenses relating to health care, and establishes civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the health-care system. However, the most significant provisions of Title II are its Administrative Simplification rules. These rules apply to “covered entities” as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. The effective compliance date of the Privacy Rule was April 14, 2003, with a one-year extension for certain “small plans”.
By regulation, the Department of Health and Human Services extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of “business associates”. Protected health information (PHI) is any information held by a covered entity that concerns health status, provision of health care, or payment for health care that can be linked to an individual. Covered entities must disclose PHI to the individual within 30 days upon request. A covered entity may disclose PHI to certain parties to facilitate treatment, payment, or health care operations without a patient’s express written authorization. Any other disclosures of PHI require the covered entity to obtain written authorization from the individual for the disclosure.