2018 Was a Record Year for HIPAA Enforcement Actions


In 2018, the Office for Civil Rights (OCR) collected $28.7 million in HIPAA enforcement penalties, surpassing the previous record year by 22 percent. Ardent Solutions can help clients avoid a HIPAA breach—and a costly penalty—by complying with all HIPAA requirements, which are briefly outlined in this news brief.

We are here to help. Contact Ardent Solutions today for more information about HIPAA compliance.

© 2019 Zywave, Inc. All rights reserved.


HIPAA Compliance Reviews – Audit Protocol

In connection with its HIPAA audit program, HHS released an updated audit protocol that identifies potential areas of audit inquiry. The updated audit protocol can be used by covered entities and business associates as a guide for self-audits of HIPAA compliance. This Compliance Overview provides a summary of the audit protocol and discusses key HIPAA standards that should be included in a self-audit.



© 2016 Zywave, Inc. All rights reserved.

HHS Launches HIPAA Audit Program

• HHS has announced the start of the second phase of its HIPAA audit program.
• Both covered entities and business associates may be selected for a HIPAA audit.
• If a HIPAA audit reveals a serious compliance issue, HHS may initiate a compliance review to investigate further.

• Entities selected for an audit will be asked to provide information regarding HIPAA compliance.
• Audited entities will have 10 business days to submit the requested information.
• After OCR develops its draft findings, audited entities will have 10 business days to review the findings and respond to OCR.

To learn more, read the full HHS Launches HIPAA Audit Program Compliance Bulletin.

© 2016 Zywave, Inc. All rights reserved.

HIPAA Certificates No Longer Required in 2015

Health Care Reform Legislative Brief

Effective for plan years beginning on or after Jan. 1, 2014, the Affordable Care Act (ACA) prohibits group health plans and issuers from imposing pre-existing condition exclusions (PCEs) on any enrollees. Prior to 2014 plan years, the ACA prohibited PCEs for enrollees under 19 years of age. The ACA’s restrictions on PCEs apply to both grandfathered and non-grandfathered plans.

On Feb. 24, 2014, the Departments of Health and Human Services, Labor and the Treasury (Departments) issued a final rule that addresses how the ACA’s prohibition on PCEs affects the requirement to provide HIPAA Certificates of Creditable Coverage (HIPAA Certificates).

The final rule eliminates the requirement to provide HIPAA Certificates, beginning Dec. 31, 2014.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes rules regarding portability of health coverage, which are designed to help individuals transition from one source of health coverage to another. HIPAA’s portability provisions limit exclusions for preexisting conditions, prohibit discrimination based on health status and provide for special enrollment opportunities.

For plan years beginning before Jan. 1, 2014, HIPAA allowed plans and issuers to exclude pre-existing conditions from coverage, but placed significant limitations on those exclusions. For example, under HIPAA, PCEs could be imposed only for a maximum period of 12 months for regular and special enrollees and 18 months for late enrollees.

In addition, HIPAA required that the plan or issuer reduce any PCE by the amount of creditable coverage the individual had prior to his or her enrollment in the plan.

To allow an individual to establish prior creditable coverage for purposes of reducing or eliminating any PCE imposed by a group health plan, HIPAA’s rules require plans and issuers to provide HIPAA Certificates. Plans and issuers are required to provide HIPAA Certificates to individuals:
• Automatically when they lose coverage under the plan; and
• Upon request for a period of 24 months following termination of coverage.

The ACA’s prohibition on PCEs for plan years beginning on or after Jan. 1, 2014, makes HIPAA Certificates unnecessary. Recognizing this fact, the Departments’ final rule eliminates the requirement to provide HIPAA Certificates, beginning Dec. 31, 2014. Thus, group health plans and issuers are not required to provide HIPAA Certificates during 2015 and later years.

This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2014 Zywave, Inc. All rights reserved. EM 11/14

Self-funded employers likely need health plan identifier

Most employers who sponsor self-funded group health plans will likely need to obtain a health plan identifier (HPID) for their plan by November 5, 2014.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires medical providers, health insurers, group health plans, third party administrators (TPA), and other parties involved in HIPAA “standard transactions” to use standard identifiers to identify themselves, and also to use standard formats and codes for the electronic data being exchanged in a “standard transaction,” such as a medical claim.

The purpose of requiring standard identifiers, formats and codes is to increase the efficiency and accuracy of transactions. Currently, health plans are identified in transactions using various identifiers that differ in length and format. The HPID is a 10-digit identifier that will be unique for each health plan, but all HPIDs will be in the same format.

Although TPAs almost always conduct HIPAA standard transactions on behalf of the self-funded plans they administer, the plans themselves are also now required to obtain HPIDs. Additionally, group health plans must disclose their HPID when requested. (Fully insured employers do not need to obtain an HPID because they do not qualify as a “health plan” under these rules. HHS has stated the insurer must obtain the HPID for the fully insured plan.)

Most employers who sponsor self-funded health plans will need to obtain an HPID by November 5, 2014. Employers should look to their consultant and/or their TPA for help obtaining an HPID.

Qualifying Life Events & Group Insurance Coverage

What is a Qualifying Life Event?

During the plan year, you can change your benefit coverage if a qualified change in status affects your or your dependents’ eligibility under your employer’s plans. If you’re eligible to make coverage changes, your changes must be consistent with the change in status. They must also match any changes your spouse or child makes to his or her coverage under another employer’s plans. Below are the situations that qualify as a change in status.

Your legal marital status changes:

  • Divorce, legal separation, or annulment
  • Death of your spouse

The number of your eligible children changes:

  • Birth or adoption of a child
  • Child gains or loses eligibility for coverage under the plan
  • Death of a child

Your benefits eligibility changes because of:

  • Taking or returning from a leave of absence
  • A change in work schedule or status that causes you to gain or lose eligibility

Your family member’s benefits eligibility changes because of a change in his or her eligibility or coverage under another employer’s plans:

  • A change in work schedule or status that causes him or her to gain or lose eligibility
  • He or she gains a benefit option or loses coverage
  • He or she makes new coverage choices during his or her employer’s annual enrollment
  • Your or your family member’s COBRA coverage from another employer expires
  • You or your family member becomes eligible for or loses Medicare or Medicaid
  • You or your family member loses coverage under a government’s or educational institution’s plan

Election Changes Due to Status Changes
You may change your coverage elections in accordance with the special enrollment rights provided under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Group health plans and health insurance issuers are required to provide special enrollment periods during which individuals who previously declined coverage for themselves and their dependents may be allowed to enroll (without having to wait until the plan’s next open enrollment period). You may change coverage levels mid-year, but you may not change the plans that you are currently enrolled in mid-year.

Source: https://www.humana.com/insurance-through-employer/enrollment-center/life-changing-events

Proposed Expansion of “Excepted Benefits”

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established certain categories of “excepted benefits” that generally are not governed by the HIPAA portability regulations. Employee benefits that qualify as excepted benefits under HIPAA are also not subject to the market reforms under the Affordable Care Act (ACA), including the ACA’s prohibition on annual limits and preventive care coverage requirement.

On Dec. 20, 2013, the Departments of Labor (DOL), Health and Human Services (HHS) and the Treasury (Departments) issued proposed regulations that would expand excepted benefits. Specifically, the proposed regulations would:

  • Allow self-insured plans to cover dental and vision benefits as excepted benefits without an extra premium payment;
  • Permit limited group wraparound coverage of individual coverage as excepted benefits; and
  • Recognize certain employee assistance programs (EAPs) as excepted benefits.

These proposed regulations would be effective with respect to limited wraparound coverage for plan years starting in 2015. Until final regulations are issued, through at least 2014, the Departments will consider dental and vision benefits and EAP benefits that meet the proposed requirements to qualify as excepted benefits.

Read the full Proposed Expansion of Excepted Benefits Legislative Brief to learn more.

© 2014 Zywave, Inc. All rights reserved.

HIPAA Certification: HHS Proposes Rules and Extends Deadline

On Jan. 2, 2014, HHS issued a proposed rule on the ACA requirement that health plans certify to HHS that they comply with certain HIPAA electronic standards and rules.

The proposed rule:

  • Affects controlling health plans (CHPs);
  • Extends the deadline to Dec. 31, 2015; and
  • Addresses penalties for noncompliance.

To learn more, read the HIPAA Certification: HHS Proposes Rules and Extends Deadline Health Care Reform Bulletin.

© 2014 Zywave, Inc. All rights reserved.

Compliance Checklist for HIPAA Wellness Program

Under HIPAA, group health plans and health insurance issuers may not require an individual to pay a premium or contribution that is greater than a premium or contribution for a similarly situated individual enrolled in the plan on the basis of any health factor. However, HIPAA’s nondiscrimination rules do not prohibit a plan from providing a reward based on adherence to a wellness program. The HIPAA rules permit rewards that are contingent on an individual meeting a standard related to a health factor if the wellness program meets certain standards.

Keep in mind that effective for plan years beginning on or after Jan. 1, 2014, the Affordable Care Act (ACA) essentially codifies the existing HIPAA nondiscrimination requirements for health-contingent wellness programs. Also, proposed regulations under the ACA would increase the maximum reward under a health-contingent wellness program from 20 percent to 30 percent of the cost of coverage and would further increase the maximum reward to 50 percent for wellness programs designed to prevent or reduce tobacco use.

The Department of Labor (DOL) issued the following Compliance Checklist for HIPAA Wellness Program to assist plans and issuers in complying with wellness program rules under HIPAA.

© 2013 Zywave, Inc. All rights reserved.

Who is governed by the HIPAA Privacy Rules?

Q&A Legal Compliance

The HIPAA Privacy Rules apply to Covered Entities. Covered Entities include:

  • Health plans
  • Health care clearinghouses
  • Health care providers that conduct certain transactions electronically

The HIPAA Privacy Rules do not directly regulate an employer sponsoring a group health plan. Only the health plan is directly regulated. However, where the plan sponsor has access to Protected Health Information (PHI) related to the administration of the health plan, it must comply with the requirements of the HIPAA Privacy Rules.

Self-administered, self-funded group health plans with fewer than 50 participants are not required to comply with the HIPAA Privacy Rules. In addition, the following benefits are not subject to the HIPAA Privacy Rules:

  • Accident-only
  • Disability income
  • Liability insurance
  • Life insurance
  • Worker’s compensation

Note: The benefits excluded under the Privacy Rules differ from those excluded under the nondiscrimination, pre-existing condition and special enrollment provisions of HIPAA (for example, limited-scope dental and vision plans are subject to the HIPAA Privacy Rules).

Many aspects of the HIPAA Privacy Rules apply directly to Business Associates. A Business Associate is an entity that performs a function or activity for a Covered Entity or provides certain services for a Covered Entity and has access to PHI. The HIPAA Privacy Rules require Covered Entities and Business Associates to enter into an agreement regarding the protection of PHI. The HIPAA Privacy Rules also specify the provisions that must be contained within a Business Associate agreement.

© 2013 Zywave, Inc. All rights reserved.