Employers who sponsor group health plans and wellness programs must comply with certain provisions of the Health Insurance Portability and Accountability Act (HIPAA). To ensure compliance, all employers should familiarize themselves with the law’s group health plan, wellness program, and general privacy protection requirements.

GROUP HEALTH PLAN REQUIREMENTS – Overview
Under HIPAA, group health plans are subject to certain nondiscrimination, special enrollment, and preexisting condition requirements. These requirements are explained in detail below.
Nondiscrimination Requirements
Under HIPAA, an individual cannot be denied eligibility for benefits or charged more for coverage because of any health factor. However, distinctions among groups of similarly situated participants in a health plan may be permitted if they are based on bona fide employment-based classifications consistent with the employer’s usual business practice.
Health Factors
As stated above, under HIPAA, an individual cannot be denied eligibility for benefits or charged more for coverage because of any health factor. “Health factors” include:

  • Health status;
  • Medical condition, including both physical and mental illnesses;
  • Claims experience;
  • Receipt of health care;
  • Medical history;
  • Genetic information;
  • Evidence of insurability; and
  • Disability.

Bona-Fide Classifications May Be Permitted
According to federal regulations, distinctions among groups of similarly situated participants in a health plan based on bona fide employment-based classifications consistent with the employer’s usual business practice may be permissible. For example, part-time and full-time employees, employees working in different geographic locations, and employees with different dates of hire or lengths of service can be treated as distinct groups of similarly situated individuals, with different eligibility provisions, different benefit restrictions, or different costs, provided the distinction is consistent with the employer’s usual business practice. Please note, however, that such distinctions must still comply with other federal and state nondiscrimination laws.

Special Enrollment Rights Provisions
Under HIPAA, certain events that happen to employees or their dependents trigger a right to “special enroll” in an employer-sponsored group health plan. Special enrollment allows individuals who previously declined health coverage to enroll for coverage outside of a plan’s open enrollment period. Group health plans must inform all employees who are eligible to enroll in the employer’s group health plan of their special enrollment rights by distributing a Notice of Special Enrollment Rights at or before the time an employee is initially offered the opportunity to enroll in the plan.

What Triggers Special Enrollment Rights?
The following events trigger special enrollment rights in a group health plan:

  • Loss of eligibility for other coverage;
  • Termination of employer contributions toward health coverage;
  • Certain life events, including marriage, birth, adoption, or placement for adoption;
  • Loss of coverage under a state Children’s Health Insurance Program (CHIP) or Medicaid; or
  • Determination of eligibility for premium assistance under CHIP or Medicaid.

Loss of Eligibility for Other Health Coverage
Employees and dependents who decline coverage due to other health coverage and then lose eligibility or employer contributions have special enrollment rights. For example, an employee who turns down health benefits for herself and her family because the family already has coverage through her spouse’s plan can request special enrollment for her family in her own company’s plan.

To have a special enrollment opportunity as a result of losing other health coverage:

  • The employee or dependent must have had other health coverage when he or she previously declined coverage under the group health plan.
  • If the other coverage was COBRA continuation coverage, special enrollment can be requested only after the COBRA continuation coverage is exhausted.
  • If the other coverage was not COBRA continuation coverage, special enrollment can be requested when the individual loses eligibility for the other coverage. Loss of eligibility does not include a loss due to the failure of the employee or dependent to pay premiums on a timely basis or termination of coverage for cause (such as making a fraudulent claim or an intentional misrepresentation of a material fact in connection with the plan).

If special enrollment rights are claimed as a result of a loss of eligibility for other coverage, the employee or dependent must be given at least 30 days after the loss of eligibility for other coverage to request coverage.

Termination of Employer Contributions Toward Health Coverage
Employees and dependents who decline coverage due to other health coverage and then lose employer contributions toward that other coverage have special enrollment rights. For example, an employee who turns down health benefits for herself and her family because the family already has coverage through her spouse’s plan can request special enrollment for her family in her own company’s plan.

If special enrollment rights are claimed as a result of a termination of employer contributions toward health coverage, the employee or dependent must be given at least 30 days after the termination of employer contributions to request coverage.

Life Events
Employees, spouses, and new dependents are permitted to special enroll in a group health plan as a result of the following life events:

  • Marriage;
  • Birth;
  • Adoption; or
  • Placement for adoption.

A plan or issuer must allow an individual at least 30 days after the triggering life event to request special enrollment based on that event.

Loss of Coverage under CHIP or Medicaid
A special enrollment right arises for employees and their dependents who lose coverage under a state Children’s Health Insurance Program (CHIP) or Medicaid. The employee or dependent must request enrollment within 60 days of the loss of this coverage.

Determination of Eligibility for Premium Assistance under CHIP or Medicaid
A special enrollment right arises for employees and their dependents who become eligible to receive premium assistance under a state Children’s Health Insurance Program (CHIP) or Medicaid. The employee must request enrollment within 60 days of the determination of eligibility for premium assistance.

Notice of Special Enrollment Rights Requirement
A notice of special enrollment rights must be provided to employees at or before the time they are offered the opportunity to enroll in the group health plan. This notice may be provided in the summary plan description (SPD) if the SPD is provided to the employee at or before the time the employee is initially offered the opportunity to enroll in the plan. If the SPD is provided at a later time, the notice should be provided separately (for example, as part of the application for coverage).

Preexisting Condition Exclusion Prohibition
The Affordable Care Act (ACA) prohibits plans from imposing preexisting condition exclusions. Previously, HIPAA limited these exclusions and required plans to offset preexisting condition exclusion periods if the individual had prior health coverage.

WELLNESS PROGRAM REQUIREMENTS
Wellness programs offered as part of a group health plan must generally comply with nondiscrimination, notice, and privacy protection requirements under HIPAA, as amended by the Affordable Care Act (ACA).

Nondiscrimination Requirements
If a wellness program is part of a group health plan, it must comply with rules created by HIPAA that prevent the employee from being impermissibly discriminated against based on a health factor. “Health factors” include:

  • Health status;
  • Medical condition, including both physical and mental illnesses;
  • Claims experience;
  • Receipt of health care;
  • Medical history;
  • Genetic information;
  • Evidence of insurability; or
  • Disability.

Participatory wellness programs are deemed nondiscriminatory under HIPAA as long as they are made available to all “similarly situated individuals.” HIPAA states that plans may distinguish among employees only on “bona fide employment-based classifications” consistent with the employer’s usual business practice. For example, the following employees can be treated as different groups of similarly situated individuals:

  • Part-time and full-time employees;
  • Employees working in different geographic locations; and
  • Employees with different dates of hire or lengths of service.

In addition, a plan may draw a distinction between employees and their dependents, and can also make distinctions between beneficiaries themselves if the distinction is not based on a health factor (e.g., a plan can distinguish between spouses and dependent children, or between dependent children age 26 and older based on their age or student status).
Health-contingent wellness programs are generally deemed nondiscriminatory under HIPAA if they meet the following requirements:

1. Individuals must be able to qualify for a reward at least once each year.
2. The total reward for all of the plan’s wellness programs that require satisfaction of a standard related to a health factor is limited – generally, it must not exceed 30% (or 50% for programs designed to prevent or reduce tobacco use) of an employee’s cost of coverage for the employee and any covered dependents. If dependents (such as spouses and/or dependent children) may participate in the wellness program, the reward must not exceed 30% (or 50% for programs designed to prevent or reduce tobacco use) of the cost of the coverage in which an employee and any dependents are enrolled.
3. The program must be reasonably designed to promote health and prevent disease.*
4. The full reward must be made available to all “similarly situated individuals.” This means the program must allow a reasonable alternative standard to gain a reward (or waiver of the otherwise applicable standard) to individuals for whom gaining a reward is medically unreasonable.*
5. Any materials describing the program must notify individuals about an alternative standard to gaining a reward (or the possibility of a waiver of the otherwise applicable standard).*
* Note that different requirements apply for activity-only and outcome-based programs in these areas.

Notice Requirement
Group health plan participants and beneficiaries eligible to participate in a health-contingent wellness program must receive a Wellness Program Disclosure in all plan materials that describe the terms of the health-contingent wellness program (both activity-only and outcome-based). For outcome-based wellness programs, this notice must also be included in any disclosure of an individual’s failure to satisfy an initial outcome-based standard (e.g., a notice that an individual did not meet the BMI target range to qualify for the reward).
If the plan materials merely mention that a program is available, without describing its terms, this disclosure is not required.

Privacy Protection Requirements
Where a wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is protected health information (PHI) protected by HIPAA. While the HIPAA Privacy Rule does not directly apply to the employer, a group health plan sponsored by the employer is generally a covered entity under HIPAA (an exception exists for self-administered plans with fewer than 50 participants), and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates). HIPAA also protects PHI that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan. Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by HIPAA. However, other federal or state laws may apply and regulate the collection and/or use of the information.
Additional privacy protection rules apply to wellness programs.

GENERAL PRIVACY PROTECTION REQUIREMENTS – Overview
The Health Insurance Portability and Accountability Act (HIPAA) generally does not apply to employers. Instead, the law most commonly covers health plans, health care providers, health care clearinghouses, and so-called “business associates.” Please note that for purposes of HIPAA compliance, an employer and its group health plan are considered separate entities.
Under HIPAA, a group health plan is defined as an employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:

  • Has 50 or more participants; or
  • Is administered by an entity other than the employer that established and maintains the plan.

Notice of Privacy Practices Requirement
Fully insured group plans that create or receive protected health information (PHI) in addition to summary health information and enrollment information must maintain a Notice of Privacy Practices and provide it to any person upon request. However, fully insured group health plans that do not create or receive PHI—other than summary health and enrollment information—are not required to develop this notice.
Other health plans generally must provide the notice as follows:

  • To new enrollees at the time of enrollment; and
  • To individuals covered by the plan within 60 days of a material revision to the policy.

A health plan also must notify individuals covered by the plan of the availability of, and how to obtain, the notice at least once every 3 years, and must make it available to any person who asks for it.

FMLA Privacy Requirements
The federal Family and Medical Leave Act (FMLA) entitles eligible employees of covered employers to take unpaid, job-protected leave for specified family and medical reasons with continuation of group health insurance coverage under the same terms and conditions as if the employee had not taken leave. When an employee requests FMLA leave due to his or her own serious health condition or a covered family member’s serious health condition, the employer may require certification in support of the leave request from a health care provider. To obtain this certification, the U.S. Department of Labor recommends employers use Form WH-380-E.

When held by the employer, records and documents relating to medical certifications, recertifications, or medical histories of employees created for FMLA purposes are not PHI under HIPAA. Nonetheless, FMLA rules generally require employers to handle these records and documents as confidential medical records, separately from the usual personnel files.

Wellness Program Privacy Requirements
Where a wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is protected health information (PHI) protected by HIPAA. While the HIPAA Privacy Rule does not directly apply to the employer, a group health plan sponsored by the employer is generally a covered entity under HIPAA (an exception exists for self-administered plans with fewer than 50 participants), and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates). HIPAA also protects PHI that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan. Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by HIPAA. However, other federal or state laws may apply and regulate the collection and/or use of the information.