August 2021 marks the 25th anniversary of the signing of the Health Insurance Portability and Accountability Act (HIPAA). The main goals of the law were improving the portability of health insurance coverage for people who change jobs, preventing health care fraud, assisting with electronic health plan transactions (such as payments) and ensuring that all protected health information (PHI) remained secure.
Now that the law is celebrating its silver anniversary, it seems like a good time to review its impact on the employee benefits world.
HIPAA heightened employers’ concern and awareness about privacy, said John Barlament, who is an attorney with Quarles & Brady LLP and author of the manual HIPAA Portability, Privacy & Security. As an example, before the law was passed it was common for an employer or its benefits committee to review the final appeal of a denied health claim. “After HIPAA, employers became more worried about seeing PHI, so many of them have outsourced appeal reviews to third-party administrators (TPAs) and pharmacy benefit managers (PBMs).”
Concern about protecting sensitive information has extended into other benefit areas such as retirement plans, he added. “In the retirement plan context, plan sponsors have imposed some HIPAA-like requirements on vendors—for example, protections for Social Security numbers and other account numbers.”
HIPAA also has achieved the goal of standardizing terms around PHI among various vendors, which makes it easier for plan sponsors to negotiate vendor agreements, he said.
Have there been any unintended consequences? Sometimes someone claims that information is covered by HIPAA when it is not. “For example, an employer asking about an employee’s COVID-19 vaccination status generally is not subject to HIPAA,” Barlament noted. “But it ‘feels’ to many like it should be. That can unnecessarily stop the flow of information.”
Although Barlament recalls that there was a lot of panic when the HIPAA rules were first introduced because there was so much to absorb, the industry has learned to live with them “with only occasional panic, such as when a breach occurs.”
He forecasted that some updates may be on the horizon for the quarter-century-old law, particularly for the HIPAA Security Rule. The final rule was published in 2003, which is a long time in the electronic security world. For example, encryption of PHI is not necessarily required under the Security Rule because it was a relatively slow, cumbersome and expensive process at the time, he explained. A future rewrite of the rule would probably require PHI to be encrypted since technology has improved.
Kathy Bergstrom, CEBS
Senior Editor, Publications at the International Foundation of Employee Benefit Plans