Health plan sponsors and administrators must now prepare for the effective dates of the various health care reform provisions. The following HIPAA road map provides a comprehensive (although not exhaustive) list of actions that should be considered and/or taken.

New Rules and Regulations

1. Existing Qualified Beneficiaries must be notified of HIPAA'S COBRA related changes by November 1, 1996.

2. Effective for plan years after June 30, 1997, pre-existing condition limitation periods cannot last longer than 12 months (18 due to late enrollment), and must be reduced by prior creditable coverage under another group health plan. Plans must provide proof of creditable coverage through a newly required "Certificate of Coverage."

3. Prior creditable coverage under another plan can be disregarded if an individual goes without coverage for a period of 63 days or more.

4. By October 1, 1996, plans must track coverage for compliance with the new "Certificate of Coverage" requirements, which start June 1, 1997.

5. Special enrollment periods for individuals and dependents have been created .

6. An exercise tax has been created for HIPAA violations.

7. Insurers cannot deny individuals policies as long as the individuals have exhausted all other insurance coverage, including all COBRA coverage. The net result: More people will elect COBRA.

Actions Required Prior to January 1, 1997

• Issue Model COBRA Notice to all qualified beneficiaries as of November 1, 1996;
• Amend all group health plans to take into account HIPAA COBRA modifications -- e.g., relating to disabled individuals, newborn or newly adopted dependents;
• Revise COBRA Notices and SPDs to take into account HIPAA changes

Actions Required on or Before June 1, 1997

HIPAA's certification requirements become effective for all plans beginning June 1, 1997. In addition, in order to take advantage of HIPAA's transitional relief, HIPAA Notices must be distributed on or before June 1, 1997. The following steps should be taken to ensure that these requirements are satisfied:

• Determine which health plans are subject to HIPAA's certification requirements (generally all health coverage -- including health FSAs and EAP plans -- other than limited scope vision or dental benefits, long-term care benefits; accident or disability benefits, specified disease, hospital indemnity and Medicare Supplement benefits.)

• Assign responsibility for satisfying HIPAA's certification requirements -plan sponsor, third party administrator, or insurer/HMO;

• Implement procedures to track and retain participant coverage information back to July 1, 1996 necessary to satisfy HIPAA certification requirements,

• Implement procedures to track and retain dependent coverage information back to July 1, 1996 necessary to satisfy HIPAA certification requirements;

• Ascertain all individuals who lost group health coverage on or after October 1, 1996, prepare a mailing list and mail the HIPAA Notice to such individuals prior to June 1, 1997;

• Automatically issue HIPAA Certificates to anyone who terminates regular or COBRA coverage on or after June 1, 1997 (Consider amending COBRA Notices to include HIPAA information, but keep in mind that some individuals who voluntarily terminate coverage may not be COBRA qualified beneficiaries);

• Respond to written requests for coverage information and issue HIPAA
Certificates to such individuals;

• Implement a procedure to respond to requests for coverage information from other plans -- i.e., plans using the alternative mechanism for determining creditable coverage -- beginning June 1, 1997.

Actions Required Before Plan's HIPAA Effective Date (First Plan Year On or After July 1, 1997)

As discussed above, several plan design and administrative changes must be considered and implemented prior to a plan's HIPAA effective date -- the first plan year on or after July 1, 1997. These include the following:

Plan Design/Administrative Decisions

• Plan sponsors should determine which health plans are subject to HIPAA's portability and pre-existing condition requirements;
• If the plan sponsor is a governmental entity, the costs and benefits associated with opting out of HIPAA's portability requirements should be weighed, and if decision is made to opt-out, necessary steps should be taken;
• All plan sponsors should weigh administrative costs associated with maintaining pre-existing condition exclusions -- notification requirements, administrative burden of determining reduction in pre-existing condition limitation for prior creditable coverage, etc. --- and decide whether additional costs outweigh ongoing benefit of such provision,
• All plan sponsors should consider increased potential for adverse selection due to HIPAA's nondiscrimination requirements and consider potential plan design changes to limit potential risk -- e.g., limit open enrollments, impose or extend waiting period;
• Plan sponsors should confirm that any insurance coverage, HMO, stop loss contracts will be revised to take into account HIPAA's requirements -e.g., in many cases, stop-loss contracts may contain coverage exclusions that are not permitted in health plans under HIPAA,
• Plan sponsors that retain pre-existing condition exclusions should consider whether to use the standard or alternative method for determining creditable coverage (remember the regulations limit the potential benefit of the alternative method, impose additional notice requirements, and impose the costs associated with determining scope of prior coverage on requesting entity).

Plan Amendments

If a plan retains its pre-existing condition exclusion, the plan document and SPD
must be amended as follows:

• Plan definitions must be revised to take into account the HIPAA definitions of pre-existing condition (including the six month look back limitation and prohibition on applying pre-existing condition exclusions to: newborn or newly adopted children who are enrolled within 30 days of the adoption or birth; pregnancy; or genetic information in absence of treatment or diagnosis); enrollment date (necessary to determine look back and look forward rules); waiting period; late enrollee-, and creditable coverage (including the break in coverage rules);

• The pre-existing condition exclusion must comply with HIPAA's duration
limitations (12 months generally or 18 months for late enrollee);

• Provisions must be added to implement reductions in the pre-existing condition exclusion for a plan's waiting period and prior periods of creditable coverage. If the alternative method of determining creditable coverage is utilized, additional provisions must be included specifying how the reduction works;

Regardless of whether a plan retains its pre-existing condition limitation, the following changes must be made:

• Underwriting, evidence of insurability (EOI), actively at work and non-confinement provisions must be examined and (in most cases) deleted -even for late enrollees;

• Wellness incentives and/or penalties should be reviewed and revised to
ensure compliance with HIPAA's nondiscrimination requirements;

• Exclusions (and penalties) relating to dangerous activities should be reviewed to ensure compliance with HIPAA's nondiscrimination requirements;

• If a plan has limited enrollment periods, plan provisions must be added to allow for special enrollments for newly acquired dependents and employees and dependents who waived coverage because they were covered elsewhere, but subsequently lost the other coverage;

New Administration and Disclosure Requirements

If a plan retains its pre-existing condition exclusion, the following additional
administration and disclosure obligations will arise:

• At the time of enrollment the participant must be made aware of the plan's pre-existing condition exclusion limitations, how prior creditable coverage offsets the pre-existing condition period, and the right to demonstrate prior creditable coverage (including notification of the right to obtain a certificate of prior coverage). This notice may be separate, or could possibly be combined with an initial COBRA rights notification or SPD benefits summary. Failure to provide this notice may result in forfeiture by the plan of the pre-existing condition exclusion.

• A mechanism must be put in place to receive prior HIPAA Certificates, reduce any pre-existing condition exclusion period, and notify the participant of the reduction in the pre-existing condition exclusion. If the alternative mechanism is selected, the mechanism must be prominently displayed.

Regardless of whether a plan retains its pre-existing condition limitation, the following administrative and disclosure obligations may arise:

• If a plan has limited enrollment periods, notice must be provided at the time of enrollment describing the special enrollment rights. Presumably this notice can be included as part of the enrollment form.

• The Plan SPD must be modified to include the new required information in the ERISA rights statement and the information relating to insurers or insurance service providers.

Actions Required By First Plan Year Beginning On or After January 1, 1998

The following changes are required as a result of NMHPA and the Mental Health Parity Act:

Plan Design/Administrative Decisions

• Consider redesigning mental health benefits to limit potential exposure -e.g., by placing limits on the number of days of care, imposing managed care limitations, etc.

Plan Amendments

• Review and revise plan language to comply with new maternity stay requirements and verify compliance by third parties -- e.g., utilization review firms;
• Ensure that Mental Health Parity requirements are satisfied -- e.g., by using uniform cap for mental health and comprehensive health benefits (remember substance abuse treatments are not subject to the mental health parity requirements).

Notice/Disclosure Requirement

A memo describing the NMHPA and Mental Health Parity Act changes should be issued on or before 60 days after the effective date of the acts.

The IRS isn't the only federal regulator that business is worried about this spring. Employers must contend with yet another federal requirement on their group health plans: the "Health Insurance Portability and Accountability Act" (HIPAA) privacy rules that take effect in April.In the computer age of easy-access data, the regulations are intended to protect private health information from inappropriate intrusion. They directly regulate group health plans and not employers, but apply to all companies and individuals who provide services to the group health plan.

Under the regulations, employers must develop policies and procedures to protect access and disclosure of their employees' private health information. This involves determining who has access to health records and how they are stored. The next step is to draft written procedures and train employees on the privacy requirements.

HIPAA requires that employers designate a "privacy official." This person is responsible for the development and implementation of the privacy policies. Employers must also designate someone to receive complaints about privacy violations, to document them and their outcome. Surveys show most companies are designating someone in the human resources or benefits department. Employers must develop sanctions against employees who fail to comply with the policies and procedures and they must document any sanctions imposed. In addition, they must show evidence of mitigation of any harm caused by improper use or disclosure of confidential medical information.

If an employer has a self-funded health plan, they are required to give notice, informing employees about their privacy rights and how their medical information is handled. Employers must give individuals the opportunity to agree or object to disclosures to family members. In addition, employees must be given the opportunity to inspect or obtain copies of their medical information, and make changes.

The April 14 compliance deadline is for large employers -- those with annual medical claims in excess of $5 million. Small companies have another year before it is required. HIPAA requires "reasonable and flexible" policies and procedures. That gives companies latitude to determine what standards are reasonable and will work for them. Employers retain the ability to examine employee benefits information to determine trends and make strategic decisions about coverage plans.

To some extent, the health care information culture is changing because of HIPAA. Doctors, pharmacies, insurance providers and human resource employees will still work on computers, and use e-mail and fax machines to transmit information extremely fast and accurately. The new regulations do not prohibit anyone from talking to another or relaying information for the good of a health plan member. But all will work under documented procedures and with heightened sensitivity on the handling of private medical information.