Who is Responsible for Issuing HIPAA Certificates

Issue: The Health Insurance Portability and Accountability Act (HIPAA) requires group health plans to furnish certificates of creditable coverage to individuals. ERISA and the Public Health Service Act put the burden on both group health plans and health insurance issuers offering coverage; however, a plan complies with the requirement to provide certificates of creditable coverage if the health insurance issuer provides the certificates. All three laws and supporting regulations define the information that must be in the certificate of creditable coverage and the timing for issuing it. Since certificates of creditable coverage may be issued more than once and since there may be liability for failing to issue certificates, how can employers be certain that proper certificates are issued in a timely manner?

Answer: It is not enough for an insured health plan to ask the insurance company to issue certificates.
Regulations require that there be an agreement between the issuer and the health plan spelling out this arrangement. If the issuer sends a certificate that is correct and on time, the plan has no liability. However, only if there is an agreement can the plan hope to avoid responsibility if the issuer fails to provide certificates of creditable coverage.

Having an agreement with an insurance company (issuer) to provide certificates may not end a plan’s duties.
An issuer is only responsible for certificates for periods of coverage provided by it. A change of health coverage (for example, at annual open enrollment, an employee switches from an HMO to an indemnity medical plan) does not require issuing a certificate of creditable coverage, but it may end coverage by a health issuer. The former health issuer must provide adequate information to the plan to prepare a certificate of creditable coverage including this period of coverage. In doing so, the issuer has satisfied its obligations so long as it cooperates with the plan in responding later to inquiries regarding the participant for the period when the issuer provided coverage.

The law is specific about the information to be included in the certificates. In the example above, an issuer may not have information to provide a certificate that contains accurate information for the entire coverage period of the individual without input from the employer. The group health plan bears responsibility for the entire period of coverage.

Multiple certificates may be required.
Certificates of creditable coverage must be issued when a covered employee or dependent has a COBRA qualifying event or otherwise ceases to have coverage under the employer-sponsored health plan, when COBRA coverage ends, and upon request within 24 months after coverage ceases. Sending a certificate of creditable coverage one time, therefore, may not be all that is required for a covered individual.

Certificates must be sent first class within a reasonable time.
Sending certificates using first class mail to the last known address is considered compliance. Thus, an issuer or a health plan must have access to address information and procedures to document that the certificate was mailed first class.

Time limits for certificates vary.
Although regulations specify timing for providing certificates of creditable coverage, the time limit varies depending on the reason for sending the certificate. Within 14 days of notification of the plan administrator of a COBRA qualifying event, the plan must issue a certificate. When COBRA coverage ends, the plan must provide a certificate within a reasonable period of time or after the expiration of a grace period, normally 30 days. However, the requirements are “within a reasonable period of time” for other cessation of coverage and “by the earliest date that the plan can, acting in a reasonable and prompt fashion” when a certificate is provided upon request.

Despite an agreement shifting the burden, health plans may still be legally responsible.
Group health plans, whether insured or self-insured, have a responsibility for issuing certificates of creditable coverage. If a third party issues certificates for the plan with accurate information in a timely manner, the plan has no further liability. However, even if a plan negotiates with a third-party administrator to provide the service for the plan, it may not be fully protected from liability if the third party fails to provide proper certificates in a timely manner with accurate information. If the health plan is insured and the agreement places the burden on the issuer, the plan should not have liability for the issuer’s failure. A self-insured health plan may not be able to negotiate a complete transfer of liability to a third party, however. In any case, vigilance and oversight on the part of the health plan is recommended.

What you should do:
Employers, as administrators of health plans offered to employees, must work closely with insurance companies providing insurance or with third-party administrators to define the responsibility for providing HIPAA certificates of creditable coverage. This includes:

• Determining who will provide the certificates each time a certificate is required

• Agreeing in writing concerning who bears responsibility and legal liability for issuing certificates and their accuracy

• Developing procedures for compliance with all aspects of providing certificates, including mailing, adequacy of information, and cooperation with other employers or issuers concerning prior coverage

• Being specific about time periods so that “reasonable time” and “earliest date” have a number of days associated with them

• Establishing a means to verify that procedures are consistently followed and documented

• Identifying data needed for records concerning employees and dependents and the responsibility for storage of that information

• Developing communication strategies for information-sharing between the employer/plan and all administrators or health insurance issuers, especially following open enrollment, employer selection of new carriers, and employee status changes and events triggering HIPAA certificates

Cites: Code Sec. 9801(e), ERISA Sec. 701(e), and PHSA Sec. 2701(e); IRS Reg. Sec. 54.9801-5T, ERISA Reg. Sec. 2590.701-5, and PHSA Reg. Sec. 146.115.

Source: CCH Incorporated is a leading provider of information and software for human resources, legal, accounting, health-care and small-business professionals. CCH offers human resource management, payroll, employment, benefits, and worker-safety products and publications in print, CD, online and via the Internet. For more information and other updates on the latest HR news, check our Web site at http://hr.cch.com.