The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996 and is designed to improve the portability of health coverage, to standardize health care transactions, to impose privacy and security requirements, and to make other changes to the health care delivery system. HIPAA contains the following major administrative requirements:

(1) Portability – generally require health plans to issue certificates of creditable coverage that help individuals transfer to a new health plan without the imposition of pre-existing condition exclusions and limitations.

(2) Special Enrollment and Nondiscrimination – HIPAA mandates that plans permit special mid-year enrollments and prohibits discrimination in benefits eligibility and premiums based on health status-related factors.

(3) Insurance Market Rules – prescribes rules for guaranteed availability and renewability of coverage for employers in the group market and improve portability, by requiring that insurers make individual insurance coverage available and renewable to certain individuals who lose employer-provided coverage under a group health plan.

(4) Other HIPAA requirements – special rules for (a) Multiple Employer Welfare Arrangements (MEWA), (b) fraud and abuse rules that apply to health care benefit programs, and (c) strengthening the ability of the Medicare and Medicaid programs to fight health care fraud. HIPAA also established new civil and criminal penalties for fraud and abuse in the public and private sectors.

(5) Administrative simplification – Three parts: (a) Privacy (b) Transaction Standards (Electronic Data Interchange) and (c) Security. The administrative simplification provisions may be the most far-reaching and certainly the most expensive initially for plan sponsors, although they are expected to reduce costs in the long run. The law was enacted to reduce health care administrative costs through standardization of electronic healthcare transactions while protecting security and privacy of information.

HIPAA applies to the following covered entities: (1) health care providers who transmit data electronically, (2) health plans, and (3) health care clearinghouses. By definition, the Concordia Health Plan is the covered entity that must comply with HIPAA.