Implementation of HIPAA: Progress Slow in Enforcing Federal Standards in
Nonconforming States (Letter Report, 03/31/2000, GAO/HEHS-00-85).

Pursuant to a congressional request, GAO reviewed the Health Care
Financing Administration's (HCFA) enforcement of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), focusing on: (1)
HCFA's progress in enforcing HIPAA and related laws in states lacking
conforming statutes; (2) HCFA's role in enforcing HIPAA for state and
local government health plans; and (3) the status of pending federal
regulations regarding HIPAA's nondiscrimination provisions that restrict
health plans from excluding employees, or varying benefits, premiums, or
employer contributions, on the basis of health status.

GAO noted that: (1) HCFA has overcome some barriers it had previously
identified as contributing to its minimalist approach to enforcing HIPAA
and the related laws, including clarifying its regulatory authority and
having sufficient staff resources for HIPAA oversight and enforcement;
(2) however, nearly 4 years after HIPAA's enactment, HCFA continues to
be in the early stages of fully identifying where federal enforcement
will be required; (3) to varying degrees, HCFA has assumed regulatory
activities, such as reviewing carrier policies and marketing practices,
in the three states that had voluntarily notified HCFA of their failure
to enforce HIPAA; (4) beyond these activities, HCFA has identified more
than 20 states where it questions whether they have conforming laws, but
it is still in the process of determining whether these states are
enforcing the standards through other regulatory means or whether other
states' laws are fully in conformance with the federal standards; (5)
agency officials did not provide explicit time periods for completing
these reviews, and until they are complete, HCFA is largely reacting to
consumers' complaints as a means of fulfilling its statutory mandate;
(6) although nearly 600 self-funded state and local government plans
have opted out of at least one of the federal standards, HCFA has yet to
fully determine its enforcement responsibilities among the remaining
nonfederal government plans and is instead relying on complaints from
enrollees to identify compliance problems; (7) the final regulations
regarding HIPAA's nondiscrimination provisions remain pending and are
under review by HCFA, the Department of Labor, and the Department of the
Treasury; and (8) anticipated issuance is sometime in the summer of
2000.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  HEHS-00-85
     TITLE:  Implementation of HIPAA: Progress Slow in Enforcing
	     Federal Standards in Nonconforming States
      DATE:  03/31/2000
   SUBJECT:  Administrative law
	     Health insurance
	     Insurance regulation
	     Employee medical benefits
	     Federal/state relations
	     Health care services
	     Noncompliance
	     State law
IDENTIFIER:  California
	     Missouri
	     Rhode Island
	     Massachusetts
	     Michigan

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************

GAO/HEHS-00-85

Health, Education, and
Human Services Division

B-284986

March 31, 2000

The Honorable James M. Jeffords
Chairman
Committee on Health, Education, Labor, and Pensions
United States Senate

Dear Mr. Chairman:

About 160 million Americans younger than 65 rely on the private
employer-sponsored or individual health insurance markets for health
coverage. The Health Insurance Portability and Accountability Act of 1996
(HIPAA) established minimum federal standards regarding access to and the
portability and renewability of private health insurance, including
provisions that assist individuals who change or lose their jobs in
maintaining health coverage. These standards apply to nearly all health
coverage available in all states. Subsequently, the Congress enacted
additional minimum standards that, within certain limits, require dollar
limits for mental health services to be no more restrictive than those for
medical and surgical services, establish minimums for the length of allowed
postnatal hospital stays, and provide for coverage for reconstructive
surgery following mastectomies. The Congress continues to consider and
debate additional private health insurance standards as part of patient
protection legislation.

Recognizing that states have traditionally regulated health insurance
carriers while the federal government has authority for employer-sponsored
benefit plans, HIPAA divided oversight and enforcement authority among state
insurance regulators and three federal agencies--the Department of Health
and Human Services (HHS), the Department of Labor, and the Department of the
Treasury. State insurance regulators assume primary regulatory authority
over carriers (including traditional insurers and managed care
organizations) in states that have laws comparable to or more comprehensive
than the federal health insurance standards or that otherwise enforce the
federal standards. In states that fail to enact or enforce standards for
carriers that conform to the federal law, HHS--through the Health Care
Financing Administration (HCFA)--is required to enforce the standards. HHS
is also responsible for enforcing

these federal standards for state and local government plans, which HIPAA
refers to as nonfederal government plans. However, these government plans
that are self-funded are statutorily allowed to elect an exemption from most
of the federal standards. HIPAA expanded Labor's oversight responsibilities
for employer-sponsored health coverage and provided Treasury with authority
to impose an excise tax on noncompliant group health plans.1

We have previously reported that HCFA has taken a cautious approach by
assuming a minimal role in enforcing HIPAA in states that do not conform to
all provisions of the federal law, in part because regulating private health
insurance plans was a new and initially unanticipated responsibility.2 HCFA
previously attributed its limited enforcement activities to several factors,
such as uncertainty surrounding its regulatory authority and insufficient
staff resources. To obtain information for considering how best to enforce
any future federal health insurance standards, you asked us to assess the
current status of HCFA's enforcement of HIPAA. Specifically, we examined (1)
HCFA's progress in enforcing HIPAA and related laws in states lacking
conforming statutes, (2) HCFA's role in enforcing HIPAA for state and local
government health plans, and (3) the status of pending federal regulations
regarding HIPAA's nondiscrimination provisions that restrict health plans
from excluding employees, or varying benefits, premiums, or employer
contributions, on the basis of health status. To address these objectives,
we interviewed headquarters and regional representatives of HCFA, officials
from Labor and Treasury, and insurance regulators in several states. We
conducted our work in March 2000 in accordance with generally accepted
government auditing standards.

HCFA has overcome some barriers it had previously identified as contributing
to its minimalist approach to enforcing HIPAA and the related laws,
including clarifying its regulatory authority and having sufficient staff
resources for HIPAA oversight and enforcement. However, nearly 4 years after
HIPAA's enactment, HCFA continues to be in the early stages of fully
identifying where federal enforcement will be required. To varying degrees,
HCFA has assumed regulatory activities, such as reviewing carrier policies
and marketing practices, in the three states that had voluntarily notified
HCFA of their failure to enforce HIPAA. Beyond these activities, HCFA has
identified more than 20 states where it questions whether they have
conforming laws, but it is still in the process of determining whether these
states are enforcing the standards through other regulatory means or whether
other states' laws are fully in conformance with the federal standards.
Agency officials did not provide explicit time periods for completing these
reviews, and until they are complete, HCFA is largely reacting to consumers'
complaints as a means of fulfilling its statutory mandate.

Although nearly 600 self-funded state and local government plans have opted
out of at least one of the federal standards, HCFA has yet to fully
determine its enforcement responsibilities among the remaining nonfederal
government plans and is instead relying on complaints from enrollees to
identify compliance problems. Finally, the final regulations regarding
HIPAA's nondiscrimination provisions remain pending and are currently under
review by HCFA, Labor, and Treasury. Anticipated issuance is sometime in the
summer of 2000. This report makes recommendations aimed at improving HCFA's
enforcement efforts.

HIPAA includes minimum standards that seek to improve the access,
portability, and renewability of health insurance coverage in
employer-sponsored group and individual insurance markets. Among other
standards, HIPAA

ï¿½ requires carriers to offer coverage to all small employers (defined as
those with 2 to 50 employees) that apply (guaranteed issue),

ï¿½ restricts excluding an employee from health plans, or varying benefits,
premiums, or employer contributions, on the basis of health status
(nondiscrimination),

ï¿½ requires carriers to offer individual market coverage to eligible
individuals losing group coverage (group-to-individual portability),3 and

ï¿½ requires all health coverage to be renewable upon expiration of the policy
(guaranteed renewal).

The Congress also enacted a number of additional federal standards--the
Mental Health Parity Act of 1996, the Newborns' and Mothers' Health
Protection Act of 1996, and the Women's Health and Cancer Rights Act of
1998--that address private insurance coverage of mental health, maternity
and newborn, and post-mastectomy reconstructive surgical benefits.4 In
general, these standards require that

ï¿½ plans cannot impose annual and lifetime dollar limits that are more
restrictive for mental health benefits than for medical and surgical
benefits,5

ï¿½ plans cannot restrict benefits for a hospital stay in connection with
childbirth to less than 48 hours following a vaginal delivery or 96 hours
following a delivery by cesarean section, and

ï¿½ plans that provide mastectomy coverage must also provide coverage for
reconstructive surgery.

The responsibility for ensuring that consumers receive these protections is
shared by multiple federal agencies and the states. HIPAA expanded Labor's
oversight responsibilities for employer-sponsored health coverage and
provided Treasury with authority to impose an excise tax on noncompliant
employer-sponsored health plans. In states that have standards that conform
to or exceed these federal standards or that otherwise enforce the federal
standards, state insurance regulators have primary enforcement authority for
insurance carriers. HCFA is responsible for directly enforcing HIPAA and
related standards for carriers in states that do not. In this role, HCFA
must assume many of the responsibilities undertaken by state insurance
regulators, such as responding to consumers' inquiries and complaints,
reviewing carriers' policy forms and practices, and imposing civil penalties
on noncomplying carriers.6 HIPAA provides for the imposition of a civil
monetary penalty of up to $100 per day per violation for each individual
affected by a carrier's failure to comply.

We previously reported that HCFA was cautious in enforcing the federal
standards and had undertaken limited enforcement action in the three
states--California, Missouri, and Rhode Island--known to have not adopted
statutes or regulations that fully meet the HIPAA standards. HCFA's
enforcement activities ranged from responding to consumers' inquiries and
complaints in all three states to initiating the review of carriers'
policies in Missouri to ensure compliance. In our July 1998 report, we found
that HCFA had not undertaken any comprehensive efforts to review the
insurance laws of the remaining states to determine compliance with HIPAA or
the related laws. The agency attributed its limited regulatory efforts to
uncertainty surrounding the manner in which it could exercise its
enforcement authority and insufficient staff resources--particularly those
with experience regulating private health insurance.

States That Do Not Conform to HIPAA and Related Laws

HCFA has addressed some factors it previously identified as contributing to
its limited enforcement efforts, such as clarifying its regulatory authority
and having sufficient staff resources dedicated to HIPAA oversight and
enforcement. However, HCFA has assumed direct regulatory functions, such as
policy reviews, in only the three states that voluntarily notified HCFA of
their failure to pass HIPAA-conforming legislation more than 2 years ago.
HCFA continues to be in the early stages of identifying the full scope of
its enforcement responsibilities in other states. For example, although HCFA
has reasonable questions about whether conforming laws exist in more than 20
states for one or more of the federal standards, it is still in the process
of determining whether these states are enforcing the laws through other
regulatory means and whether other states' laws are fully in conformance
with the federal laws.

Previously, HCFA officials attributed their limited efforts primarily to
uncertainty surrounding their enforcement authority and insufficient staff
capacity. Uncertainty surrounding HCFA's regulatory authority was largely
removed with the agency's publication of enforcement regulations in August
1999. These regulations authorize HCFA to undertake more proactive
enforcement activities in states. The regulations also clarified the
applicability of the Paperwork Reduction Act of 1995 on the agency's
enforcement efforts. Previously, some HCFA officials raised concerns that
the act would require the agency to obtain approval from the Office of
Management and Budget (OMB) before requiring carriers to submit policies for
review. According to agency officials, the regulations clarify that HCFA's
efforts to collect information and documents from carriers in the event of a
complaint or any number of other triggering events are not subject to the
Paperwork Reduction Act.7

In addition, HCFA officials now believe that the agency has sufficient staff
to handle their HIPAA enforcement responsibilities, even though the number
of full-time-equivalent (FTE) staff dedicated to HIPAA activities has
declined from 39 in July 1998 to about 31.5.8 Previously, the agency was
concerned that it would not have the resources to move ahead with the full
range of enforcement activities. The Congress did not initially provide
additional resources for HCFA to implement the provisions of the law. Thus,
HCFA originally reassigned a relatively small number of staff to address
direct enforcement issues. When the scope of its enforcement activities
became clearer, HCFA received a supplemental appropriation of $2.2 million
in May 1998 that allowed it to hire and train additional staff. Although its
satisfaction with current staffing levels is attributable to more certainty
about the extent of its involvement and a better understanding of its
insurance regulatory functions, it is still in the process of determining
state conformance with all the federal standards, and it is possible that
the agency's staffing needs could change. Further, the number of inquiries
and complaints that HCFA receives from nondirect enforcement states has
decreased, resulting in a need for fewer staff resources for this duty.

Table 1: HCFA FTE HIPAA Enforcement Staff, July 1998 and March 2000

 HCFA office locationa July 1998  March 2000
 Central office        17         18
 Boston                3          3
 Chicagob              5          1
 Kansas City           6          3.5
 San Francisco         8          6
 Total                 39         31.5

Note: Actual rather than authorized FTEs. FTEs in our July 1998 report
include the additional hiring resulting from the May 1998 supplemental
appropriations HCFA received for HIPAA enforcement.

a Regional offices specifically allocated FTEs for HIPAA enforcement.
Regional offices not listed have persons available to work on HIPAA
functions, if required, but represent less than 1 FTE.

b The anticipated need for HCFA staff dedicated to HIPAA enforcement was
reduced after Michigan enacted an acceptable alternative mechanism in 1999,
according to an agency official.

Source: HCFA.

Although HCFA has made progress in its enforcement efforts since our
previous reports, when its enforcement consisted largely of responding to
consumers' inquiries and complaints, progress remains slow and varies among
the three HCFA regions that have direct enforcement responsibilities. HCFA
has assumed enforcement responsibilities for certain HIPAA provisions in
California, Missouri, and Rhode Island--the three states that voluntarily
notified the agency of their nonconforming status more than 2 years ago.9
The extent of the agency's enforcement responsibilities in these states
varies, however, depending on whether a state had laws that conformed to at
least some of the standards HIPAA mandated. For example, with the exception
of group-to-individual portability, California law conforms to or exceeds
virtually all HIPAA's provisions. In contrast, HCFA's involvement is greater
in Missouri and Rhode Island, which lack conforming legislation for a number
of HIPAA provisions in both the individual and small group markets.

HCFA continues to receive inquiries and complaints from the public, although
the overall number has decreased. In April 1999, HCFA developed a tracking
system to collect consistent data from across all regions. Through this
tracking system, the agency plans to capture information such as the source
of and reasons for inquiries and complaints and their disposition. The
documented number of inquiries and complaints, however, has decreased
considerably. From April 1999 through February 2000, the agency documented a
total of about 1,000 inquiries and complaints about HIPAA or one of the
related laws--a significant decrease from the combined 1,700 inquiries and
complaints the San Francisco regional office alone received in the first 4
months of 1998.10 Of the more recent total, 97 were classified as
complaints, two-thirds of which dealt with issues related to the individual
market. The most common complaint involved allegations that carriers did not
guarantee issue products to individuals eligible for HIPAA.

In addition to continuing to respond to consumers' questions and complaints,
the regional offices with direct enforcement responsibilities are in various
stages of reviewing carrier policies for compliance with HIPAA. HCFA's
Kansas City regional office has undertaken the most extensive enforcement
activities for Missouri, where it began reviewing policies in 1998. Regional
officials said they have now reviewed policies representing 88 percent of
the state's small group market and virtually all the individual and health
maintenance organization markets. Similarly, officials in HCFA's Boston and
San Francisco offices told us they are also reviewing policies, although
they did not begin their reviews until 1999.11 In these reviews, HCFA
officials have found instances of preexisting condition exclusions imposed
illegally on enrollees and carriers that delayed guaranteeing coverage to
individuals eligible for HIPAA.

Through an external contractor, HCFA also began on-site market conduct
examinations at selected carriers in Missouri in June 1999 and in California
in January 2000. HCFA informed us that it is initiating a similar study of
one carrier in Rhode Island. In a market conduct examination, HCFA monitors
carriers' business practices for compliance with HIPAA standards. HCFA
typically selected carriers on the basis of their market share, complaints
received, or the results of the policy review. HCFA identified several
potential HIPAA violations in Missouri through these market reviews,
including a carrier that excluded information about HIPAA in its
Internet-based advertising and a carrier that eliminated its maternity
benefit for individuals eligible for HIPAA.

HIPAA also provides for the imposition of a civil monetary penalty on
noncomplying carriers, and the final enforcement regulations include
detailed standards to follow in imposing penalties. Officials in two of the
regional offices told us they have begun notifying a few carriers of the
potential for pursuing civil monetary penalties. In addition, in lieu of
civil monetary penalties, officials at one of these offices said they are in
the process of negotiating settlements with two carriers that agreed to pay
consumers for claims that were wrongly denied in the amount of about
$113,000.

HCFA has given its regional offices considerable discretion in how they can
enforce HIPAA. For example, HCFA's central office has not provided regions
with specific guidance in terms of criteria and time periods for performing
policy reviews or market conduct examinations. HCFA attributes the varying
extent of enforcement activities among regions to its efforts to work
collaboratively with states and not pursue an approach that could disrupt a
market that states had traditionally regulated. Further, the statute and
regulations were written in a way such that states would be provided every
possible opportunity to conform their regulatory authority to the federal
laws.

We previously reported that Massachusetts and Michigan were known not to
have conforming HIPAA legislation and therefore could require HCFA to pursue
a determination of whether federal enforcement would be required. While
Michigan passed legislation implementing an acceptable alternative mechanism
in March 1999, HCFA officials acknowledged that Massachusetts is still not
fully in conformance with HIPAA. However, HCFA has not begun to assume
enforcement responsibilities in the state. Instead, because the state
enacted insurance reforms immediately before HIPAA, including provisions
that in some areas, according to HCFA officials, exceed HIPAA's
requirements, HCFA has continued to work on bringing the state into
conformance without undermining state provisions that afford consumers more
extensive protections than HIPAA requires. Officials from HCFA and the
Massachusetts' insurance department currently meet every 2 weeks to discuss
issues related to HIPAA.

HCFA is currently in the process of identifying the scope of its enforcement
responsibilities by conducting legislative analyses to determine states'
conformance with each of the federal standards. HCFA officials said they
began a state-by-state comparison of existing state laws with HIPAA
provisions in April 1999. HCFA has nearly completed this review and is in
the process of clearing outstanding issues with a small number of states.
The agency also assessed states' conformance with the Mental Health Parity
Act and the Women's Health and Cancer Rights Act, while it relied largely on
Labor's analysis of state laws to determine conformance with the Newborns'
and Mothers' Health Protection Act. Through these analyses, the agency
placed states in one of three categories: (1) those that appear to have
acceptable laws, (2) those with questionable laws, and (3) those that appear
not to have applicable laws. HCFA identified at least 21 states that
appeared not to have any laws conforming to one or more of the federal
standards.12 (See table 2.)

Table 2: States HCFA Identified as Not Having Any Legislation Conforming to
Certain HIPAA Requirements

                                            Women's Health
 State              Newborns' and Mothers'  and Cancer       Mental Health
                    Health Protection Act                    Parity Act
                                            Rights Act
 Alabama                                    X                X
 Alaska                                     X
 Colorado                                   X
 Delaware                                   X
 District of
 Columbia                                   X
 Georgia                                    X
 Hawaii             X                       X
 Idaho                                      X                X
 Iowa                                       X
 Massachusetts                              X
 Michigan           X                                        X
 Mississippi        X                       X
 Nebraska           X                       X
 New Mexico                                 X
 New York                                                    X
 North Dakota                               X
 Ohio                                       X                X
 South Dakota                               X
 Utah               X                       X                X
 Wisconsin          X
 Wyoming            X                       X                X
 Total              7                       18               7

Source: HCFA.

In December 1999, HCFA sent letters to these states, indicating that it had
a reasonable question about whether a state's standards substantially met
the specified federal requirements. HCFA is currently in the process of
determining whether these states meet the federal standards through other
means, such as regulations or advisory bulletins. HCFA officials said they
would accept that states meet the federal standards if such alternative
means exist and have some statutory basis. HCFA officials said they have
already received from several states clarifications of statutes,
regulations, or advisory bulletins that demonstrate that they are enforcing
these federal insurance standards. In states that do not meet these
standards through other regulatory means, HCFA will begin its formal
determination process in which it could ultimately assume direct enforcement
responsibilities.13

HCFA officials said the agency would not undertake any enforcement
activities in states it has identified as appearing to have acceptable laws,
regulation, bulletins, or other guidance, and it assumes states are
enforcing the provisions unless it has reason to believe otherwise. For
states it has identified as having questionable laws for any of the federal
standards, HCFA is still further reviewing state laws to determine
conformance. HCFA officials did not provide a specific time period for the
completion of this review. However, a HCFA official said that further review
of state conformance with the Women's Health and Cancer Rights Act is
awaiting clarification of the scope of the law's preemption language in
future regulations.

for State and Local Government Health Plans

HCFA is also responsible for enforcing federal insurance standards on state
and local government plans, such as health plans for public universities and
city, county, and state governments. Nonfederal government plans that are
self-funded, however, are allowed by the federal laws to elect exemption
from one or more requirements, provided that they comply with provisions
related to certification and disclosure of creditable coverage.14 Plans must
file or renew their exemptions with HCFA annually, and as of March 1, 2000,
568 plans had done so. A fully insured nonfederal government plan that buys
insurance coverage from a carrier does not have this option and must comply
with all HIPAA group market requirements.

Thus, in addition to states without conforming legislation, HCFA must
enforce HIPAA and the related laws for state and local government plans that
do not claim an exemption from one or more of the provisions. However, the
agency has undertaken virtually no enforcement efforts related to these
plans. For example, the agency has not determined the scope of its
responsibilities because it has never identified the universe of these
plans, although an official estimates their number to be in the thousands.
Instead, the agency has relied on complaints to identify areas of
nonconformance. An agency official said that HCFA has received a small
number of complaints from participants of these plans and, in virtually all
these cases, the issue was resolved through dialogue between HCFA and the
plan. The official said that in one case, a participant in one of these
plans contacted HCFA because his mental health claims were being denied.
When HCFA investigated, it found that the plan had lower dollar limits on
mental health benefits than on medical benefits, a violation of the Mental
Health Parity Act.

Been Made Final

Nearly 4 years have passed since the enactment of HIPAA, and final
regulations for its nondiscrimination provisions have not yet been issued.
Without final regulations, issuers have had to rely on the April 1997
interim regulations, which provide for "good faith compliance"--that is, the
federal agencies agree not to take action against employers who attempt in
good faith to comply with the law, pending the issuance of final
regulations.15 The enforcement of this provisions, and thus the development
of the final regulations, is shared by HCFA, Labor, and Treasury.

Under HIPAA's nondiscrimination provisions, group plan issuers may not
exclude a member within the group from coverage on the basis of the member's
health status or medical history. Similarly, the benefits provided, premiums
charged, and contributions to the plan may not vary for similarly situated
group plan enrollees on the basis of health status or medical history.
Without final regulations, however, questions remain about the meaning of
statutory language that could affect health plans' design or eligibility
requirements, such as the definition of bona fide wellness programs and
"source of injury."16 Until these and similar terms are more clearly
defined, employers may hesitate to make certain changes to their health
plans or wellness programs, according to a representative from an employer
benefits consulting firm. This representative said that most employers are
waiting for the final regulations before changing their health plans.

While there is not an established deadline, federal officials anticipate
issuing the final regulations this summer and attribute the delay to the
protracted nature of developing policy and rules when multiple federal
agencies are involved and the complexity of the statutory provisions.
However, in the past 2 years, a Labor official testified and regulatory
agendas have indicated that these regulations were forthcoming, but they
still have not been issued. Nonetheless, agency officials said they were not
aware of significant complaints or inquiries regarding the nondiscrimination
provision, and they believe that employers generally have followed good
faith compliance.

HCFA has been responsive to several of our previous findings and
recommendations by issuing enforcement regulations in August 1999, beginning
to catalog the extent to which states have conforming laws meeting the
federal minimum standards, and developing staff with insurance regulation
expertise dedicated to overseeing HIPAA, the Mental Health Parity Act, the
Newborns' and Mothers' Health Protection Act, and the Women's Health and
Cancer Rights Act. While HCFA currently reports having the regulatory
authority and staff resources it needs to accomplish its responsibilities,
its role could further expand if it determines that it must assume insurance
regulation functions in more than the three states in which it currently
plays this role. HCFA is still proceeding slowly in its enforcement role and
generally affords states every opportunity to demonstrate that they will
assume primary enforcement responsibilities. Nearly 4 years after the
Congress enacted new federal health insurance standards, HCFA still does not
fully know the level of many states' conformance with these federal
standards and has not developed specific time periods for completing its
evaluation of states' conformance. In several states and for state and local
government health plans, HCFA has largely relied on complaints to guide its
enforcement efforts. HCFA has also given its regions considerable discretion
in enforcing the federal standards in states lacking their own enforcement
authority and has not established a consistent strategy or time periods for
fulfilling these enforcement responsibilities. However, to the extent that
consumers do not understand or are unaware of HIPAA and the related laws,
consumers' complaints alone may be insufficient to identify problems.
Further, HCFA, Labor, and Treasury have encountered repeated delays in
issuing final regulations regarding HIPAA's nondiscrimination provisions.

We recommend that the HCFA Administrator complete the established federal
process for determining whether federal enforcement will be required in
additional states as quickly as possible, to include developing a consistent
strategy and time period for enforcing HIPAA and the related laws'
provisions in the states that lack conforming enforcement authority.

We further recommend that HCFA, Labor, and Treasury promptly complete
regulations related to HIPAA's nondiscrimination provisions.

We provided a draft of this report to HCFA, Labor, and Treasury for
comments. HCFA generally concurred with our findings and recommendations.
HCFA listed a number of actions planned or under way to complete its
assessment of state enforcement regulations and other laws as well as to
assume enforcement itself where necessary. HCFA emphasized the need for a
deliberative approach in establishing new federal enforcement roles for
health insurance standards given the tradition of state regulation of
private health insurance. HCFA also noted that since it received additional
funds for oversight in May 1998, it has made progress in establishing
collaborative federal-state enforcement of HIPAA and related laws. Further,
HCFA noted that the laws require "substantial" rather than "absolute"
compliance with the federal standards and, thus, the agency has provided
states every opportunity to come into conformance. HCFA and Labor officials
also noted that, while final nondiscrimination regulations have not yet been
issued, they have provided some interim guidance related to this provision.

Regarding state and local government plans, HCFA said that it is almost
impossible to identify the universe of these plans. HCFA also said that it
does not believe that identifying the universe is critical to enforcing
federal standards for these plans because (1) self-funded state and local
government plans may elect exemption from certain HIPAA-related
requirements; (2) fully insured plans are subject to state or HCFA
oversight, regardless of whether they are purchased by private or government
employers; and (3) HCFA continues to respond to complaints related to these
government plans. Recognizing the data limitations associated with
identifying these plans, we agree that this is a reasonable approach.

HCFA, Labor, and Treasury also provided technical comments that we
incorporated as appropriate. Appendix I contains the comment letter from
HCFA.

As we agreed with your office, unless you publicly announce this report's
contents earlier, we plan no further distribution of it until 30 days after
its issue date. We will then send copies to the Honorable Nancy Ann Min
DeParle, Administrator of the Health Care Financing Administration; the
Honorable Alexis M. Herman, Secretary of Labor; the Honorable Lawrence H.
Summers, Secretary of the Treasury; and other interested congressional
committees and members and agency officials. We will also make copies
available to others on request.

The information presented in this report was developed by Susan Anthony and
John Dicken. Please call me at (202) 512-7114 if you have any questions.

Sincerely yours,
Kathryn G. Allen
Associate Director, Health Financing
and Public Health Issues

Comments From the Health Care Financing Administration

(201037)

  

1. The federal government is solely responsible for enforcing HIPAA for
self-insured private employer group plans, which represent about 40 percent
of all group coverage and are exempt from state insurance laws under the
Employee Retirement Income Security Act of 1974.

2. See Private Health Insurance: HCFA Cautious in Enforcing Federal HIPAA
Standards in States Lacking Conforming Laws (GAO/HEHS-98-217R , July 22,
1998) and Private Health Insurance: Progress and Challenges in Implementing
1996 Federal Standards (GAO/HEHS-99-100 , May 12, 1999).

3. An eligible individual has had at least 18 months of creditable coverage
with no break of more than 63 consecutive days; has exhausted any federal or
state mandated continuation coverage; is not eligible for any other group
coverage, Medicare, or Medicaid; and did not lose group coverage because of
nonpayment of premiums by the individual or fraud.

4. The Mental Health Parity Act applies only to groups with more than 50
employees while the Newborns' and Mothers' Health Protection Act and Women's
Health and Cancer Rights Act apply to the individual and all group markets.

5. In a forthcoming report, we will examine the implementation of the Mental
Health Parity Act, including how employers have changed other mental health
benefit design features in response to the required parity in dollar limits.

6. A health insurance policy is the legal document or contract issued by an
issuer to a group plan sponsor or an individual that contains the conditions
and terms of the insurance.

7. The Paperwork Reduction Act established standards for how most federal
agencies may collect, maintain, and use collected information and sets
governmentwide goals for reducing paperwork. It requires federal agencies to
evaluate the need for information as well as identify any burdens that
responding to agency requests may impose on respondents. It also sets a
process for approving any collection of information, defined as collections
from ten or more persons. With regard to implementing the federal insurance
standards, HCFA would need to obtain approval from OMB before requiring
carriers to submit policies for review. Although the act could still apply
to the agency's monitoring efforts (for example, proactive policy reviews),
it does not restrict HCFA's enforcement efforts in response to consumers'
complaints and a number of other activities.

8. HCFA officials emphasized that they feel they have sufficient staff,
provided funding for the agency's external contracts with private firms to
perform market conduct examinations and actuarial analyses continues.

9. State officials provided some reasons why conforming legislation was
never passed: political differences between the legislature and the
administration, industry lobbying efforts, and concerns that HIPAA was an
unfunded federal mandate.

10. One HCFA official attributes this decrease to the strong economy because
the law is particularly relevant to individuals who lose their jobs or
employer-sponsored health insurance.

11. According to HCFA regional officials, the regions also varied in
selecting carriers' policies to review. Whereas the Kansas City office asked
the nine largest Missouri carriers to submit product literature for their
health plans, the San Francisco office selected carriers representing about
90 percent of California's individual market, based on complaints it had
received. The Boston office is reviewing the policies of four carriers,
which represent about 90 percent of Rhode Island's individual and small
group markets.

12. The agency is still analyzing certain states' compliance with HIPAA and
has not yet formally decided whether or not it will pursue an enforcement
role in additional states.

13. If a state does not voluntarily notify HCFA of its nonconformance, HCFA
must undertake a determination process in which it establishes the state's
nonconformance, thus providing the agency with the authority to become
involved. This determination process is set forth in the federal regulation
and provides for several iterative steps before HCFA formally assumes
enforcement responsibility.

14. A plan may elect exemption from any number of the following federal
requirements: limitations on preexisting condition exclusion periods,
special enrollment periods, nondiscrimination, newborns' and mothers' health
protection, mental health parity, and coverage for reconstructive breast
surgery. Regulations require plans making this election to notify
participants at enrollment and annually that they have made the election and
what the effect the election has. Failure to do so invalidates the election.

15. The April 1997 interim regulations clarified a number of issues related
to HIPAA's nondiscrimination provisions. For example, the effective
regulations included a prohibition on imposing a physical examination as a
condition for eligibility in a group health plan, a common feature with
respect to late enrollees before HIPAA. Since the interim final rules were
published in April 1997, the agencies have published two additional pieces
of guidance. In December 1997, the departments issued a technical bulletin
in the Federal Register addressing the treatment of individuals who had been
discriminated against before HIPAA's effective date. In March 2000, a HCFA
insurance standards bulletin addressed nonconfinement clauses.

16. The proposed regulations clarify the definition of "source of injury"
with regard to the extent to which HIPAA permits benefit limitations to be
based on the source of an injury. For example, this would clarify whether
HIPAA allows plans to exclude coverage for injuries sustained in a
motorcycle accident when the rider does not have a helmet or injuries
sustained in committing a felony.
*** End of document. ***