RESCINDED AND INOPERATIVE

To:           All Companies Writing Health Coverage

From:      Jay Angoff, Director

Re:          The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Date:       June 27, 1997

The Missouri legislature recently adjourned without taking any action relative to several bills pending before it that would have incorporated various requirements of HIPAA into Missouri law. As a result, the Health Care Financing Administration (HCFA) will be enforcing various group and individual market provisions of HIPAA in Missouri when they become effective July 1, 1997. (The requirements for issuance of certifications of creditable coverage became effective June 1, 1997.) Attached to this bulletin is some information we received from HCFA regarding its enforcement of these requirements.

It is important to note, however, that HCFA's enforcement of provisions of HIPAA does not generally affect the applicability and enforcement of Missouri's insurance laws by the Missouri Department of Insurance (the Department). By its terms, HIPAA is not to be construed to supersede any standard or requirement of state law "except to the extent that such standard or requirement prevents the application of a requirement of" HIPAA. Most provisions of Missouri law do not prevent the application of HIPAA requirements, so the Department is working closely with HCFA to coordinate our concurrent regulatory responsibilities under Missouri law and HIPAA. The concurrent responsibilities of the two agencies are distributed as follows:

• To the extent that an insurer's actions comply with Missouri law but fall short of the requirements of HIPAA, such actions could constitute a violation of HIPAA and would be subject to enforcement by HCFA.
• To the extent that an insurer's actions fall short of the requirements of both Missouri law and HIPAA, such actions could constitute a violation of both sets of laws and would be subject to enforcement by both the Department and HCFA.
• To the extent that an insurer's actions fall short of a requirement of Missouri law that is more stringent than HIPAA, such actions could constitute a violation of Missouri law and would be subject to enforcement by the Department.

Outline of Regulatory Responsibilities Under HIPAA

In conjunction with HCFA, the Department has developed the following outline of the relative regulatory responsibilities of the two agencies in both the group and individual markets. Although we have tried to include all of the major points in this outline, it should not be considered to be an exhaustive list.

HCFA: generally enforces the federal requirements to the extent that they exceed Missouri's requirements

Individual Market

• Collect and review documentation regarding policy forms for compliance. Insurers must file required documentation with HCFA by:
  • September 1, 1997, for current policy forms
  • 90 days before the beginning of the year in which used for subsequent policy forms
• Collect and review requests to limit enrollment due to lack of network capacity or financial capacity
• Regulate certificates of prior creditable coverage
  • Prescribe model form for use
  • Monitor compliance with issuance requirements by insurers
• Resolve complaints regarding federal requirements and impose fines for violations
• Monitor marketing of individual policies
• Monitor the procedure and time frames insurers follow in determining whether someone is an eligible individual, and the effective date of the individual's coverage
• Enforce guaranteed renewability
• Determine compliance as to bona fide associations in the Individual Market

Group Market - Large and Small

• Monitor how preexisting condition exclusions are imposed and how an enrollee is notified of their imposition
• Monitor how creditable coverage is to be calculated and applied to reduce preexisting condition exclusion periods
• Same as 3 in Individual Market
• Monitor compliance with special enrollment periods
• Enforce nondiscrimination as to premiums and eligibility of enrollees
• Same as 7 in Individual Market

Small Group Market

• Enforce guaranteed availability of all group products
• Determine compliance as to bona fide associations in the Small Group Market
• Enforce disclosure requirements of coverage terms, including the benefits and premiums available under all health insurance coverage for which the employer is qualified

The Missouri Department of Insurance: generally continues enforcing Missouri insurance laws to the extent that they do not prevent the application of federal requirements

Individual Market

• Review and approve policy forms for compliance with Missouri laws pursuant to Section 376.777, et al.
• Enforce Unfair Practices Act (e.g., advertising, complaints, etc.)
• Enforce Unfair Claims Practices Act
• Collect data via annual statements and other mechanisms
• Publish and disseminate consumer information

Group Market - Large and Small

• Review and approve policy forms for compliance with Missouri laws pursuant to Section 376.405, et al
• Same as 2, 3, 4, and 5 in the Individual Market

Small Group Market - 3 to 25 employees

• Enforce rating requirements
• Enforce availability, nondiscrimination, renewability, and marketing requirements of Missouri to the extent not inconsistent with federal law

Consumer Complaints

As July 1 rapidly approaches, the Department is receiving an ever increasing number of inquiries from consumers regarding their rights under HIPAA and under Missouri law. The Department is working closely with HCFA to coordinate our handling of complaints under both laws so as not to overburden insurers with multiple requests for information in response to such complaints. Given the overlap in regulatory authority between the two agencies, the Department will first attempt to resolve all complaints it receives where HIPAA aspects are involved. Where complaints are ultimately determined to involve violations only of HIPAA and not Missouri law, they will be transmitted to HCFA for enforcement action. Accordingly, we request your cooperation and assistance by quickly and accurately responding to requests from the Department's consumer services representatives for information relative to consumer complaints.

POLICY FORMS

Under Missouri law, the Department is only empowered to review and approve policy forms for compliance with Missouri law. Approval by the Department should not be construed as a determination that the forms are in compliance with HIPAA! As the Department's insurance product analysts review form filings for compliance with Missouri laws, however, they may notice provisions that do not comply with HIPAA requirements. When this happens, the analyst will bring the problem to the attention of both the filing company and HCFA so that the form may be corrected. Consistent with our joint regulatory efforts with HCFA, any failure to comply with HIPAA requirements that comes to our attention will be reported to HCFA for appropriate enforcement.

In its interim final regulations, HCFA has indicated that insurers in the individual market will be required to file documentation (including policy forms) for approval with HIPAA requirements in those states (such as Missouri) where HCFA is enforcing the federal fallback provisions. Please understand that a filing with the Department does not constitute a filing with HCFA for these purposes. HCFA will need much more information than is ordinarily included with a form filing in Missouri, so a separate filing with HCFA will be necessary. Please also understand that any changes to a Missouri approved form requested by HCFA will need to be refiled with the Department.

HCFA has indicated that insurers must begin complying with the guaranteed availability requirements of HIPAA for small employers and individuals beginning July 1, 1997. The Department has already received numerous form filings containing new HIPAA provisions in both the group and individual markets, and we expect that we will be receiving many more. We will try as much as possible to expedite our review and approval of these forms for compliance with Missouri law. Insurers must comply with the guaranteed availability requirements in the group and individual markets, however, regardless of whether they have had new HIPAA-complying forms approved. The Department believes insurers should be able to administratively handle any language in their current policy forms that conflicts with HIPAA requirements until such time as forms with new language are approved. For those insurers that wish to exercise an abundance of caution, however, we have developed the attached standard amendment form that may be used with any existing approved form for the remainder of 1997. Insurers need not file this standard form with the Department in order to use it. Use of this standard form should allow insurers sufficient time to make any necessary filings.

MISSOURI HIPAA AMENDMENT

PLEASE NOTE

To the extent that the provisions of the policy or certificate to which this amendment is attached do not comply with any provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), they are hereby amended to comply.
HIPAA-MDI(6/97)

FOR IMMEDIATE RELEASE

Contact: HCFA Kansas City Regional Office

June 27, 1997

(816) 426-3406

FACT SHEET
Federal Enforcement of HIPAA Insurance Reform Standards in Missouri

• Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides important new protections for the millions of Americans who have pre-existing medical conditions and who move from one job to another or who move to self-employment. The new law includes consumer protections that protect many workers who change jobs or lose jobs by providing better access to health insurance coverage; limit exclusions for pre-existing conditions; prohibit discrimination against employees and dependents based on their health status; and guarantee renewability and availability of health coverage to certain employers and individuals.
• HIPAA requires the implementation of various reforms in both the group and individual health insurance markets. These requirements are effective July 1, 1997 in the individual market and on or after that date for group health plans, depending on when their new plan years (or new bargaining unit agreements) take effect. Provision of certificates of creditable coverage has been required since June 1, l997.
• The Departments of Labor, Treasury, and Health and Human Services published regulations on HIPAA in the Federal Register on April 8, 1997. Copies of these regulations may be obtained from the Government Printing Office through its Internet home page at http://www.access.gpo.gov or by calling (202) 523-5227 or faxing a request to (202) 512-2250. The price for hard copies is $8. Credit card orders are accepted. Requestors should reference the regulations by their stock number (769-004-02866-3). Additional information about HIPAA can be found at HCFA's website at http://www.hcfa.gov under the section entitled "Laws and Regs".
• The HIPAA standards that relate to issuers are under the jurisdiction of HCFA and the States. States have the choice of enacting one of several types of legislation specified in HIPAA or else taking no action and allowing the federal government to enforce minimum standards set out in HIPAA.
• The Missouri legislature adjourned May 16 without enacting any legislation to implement HIPAA. Current Missouri law contains certain standards for a portion of the small group market (3-25 employees) that are similar to HIPAA's, and also establishes rating restrictions for that portion of the market. For the remainder of the small group market (which HIPAA defines as 2-50 employees) and the large group market, however, Missouri law does not contain the HIPAA standards regarding availability, portability and renewability. Missouri also has no existing standards relating to guaranteed availability or renewability in the individual market.
• Because Missouri has not enacted legislation implementing HIPAA, HCFA is preparing to enforce those HIPAA standards that Missouri law does not address. HCFA is allocating staff and resources for this effort, and working closely with state officials Among other things, the two agencies will be jointly developing mechanisms to address consumer concerns.
• HCFA's main effort will be run out of the agency's Kansas City Regional Office. This will afford the best available communication base with affected insurers and employers.
• The group market provisions of HIPAA that relate to pre-existing condition exclusions, the recognition by group health plans of prior creditable coverage, and nondiscrimination are shared in enforcement jurisdiction with the Department of Labor and the Internal Revenue Service. The Department of Labor has jurisdiction over group health plans that are subject to the Employee Retirement Income Security Act (ERISA). IRS has jurisdiction over employers. In the event of noncompliance, it is possible that penalties could be exercised against each of the responsible entities: that is; the employer, the plan, and the insurer or HMO. It is important for insurers and HMOs to understand this, because they may place their customers at risk of penalties under either ERISA or the Internal Revenue Code by marketing products that do not comply with HIPAA. Tax penalties under the Code take the form of excise taxes which are expected to be self-reported on employers' tax forms. Discovery upon audit of a past failure to report taxes due may result in the imposition of additional penalties, late charges, and interest. We anticipate communicating this information to the business community as well as to issuers.
• Issuers should also be aware that a period of good faith compliance extends until January 1, 1998 with respect to the group market provisions. The statute, however, does not provide a similar good faith period for compliance with respect to the individual market requirements.
• Informational meetings for the industry will be held in Missouri in three locations.
  • Thursday, July 10, in Jefferson City, 2:00-4:30 Truman Building, Room 492, 301 West High Street
  • Tuesday, July 22, in Kansas City, 2:00-4:30 Richard Bolling Federal Building, Rm 111, 601 E. 12th Street
  • Wednesday, July 23, in St. Louis, 2:00-4:30 Wainwright Building, 1st floor meeting room, 111 North Seventh Street
• HCFA will issue further directions and guidelines to the insurance industry in Missouri within the next few weeks.