Health Insurance Standards: New Federal Law Creates Challenges for
Consumers, Insurers, Regulators (Letter Report, 02/25/98,
GAO/HEHS-98-67).

Pursuant to a congressional request, GAO reviewed the implementation of
the Health Insurance Portability and Accountability Act (HIPAA),
focusing on issues affecting: (1) consumers; (2) issuers of health
coverage, including employers and insurance carriers; (3) state
insurance regulators; and (4) federal regulators. GAO also reviewed
efforts undertaken by federal agencies to address some of the concerns
and challenges that have arisen.

GAO noted that: (1) although HIPAA provides people losing group coverage
the right to guaranteed access to coverage in the individual market
regardless of health status, consumers attempting to exercise their
right have been hindered by carrier practices and pricing and by their
own misunderstanding of this complex law; (2) among the 13 states where
this provision first took effect, many consumers who had lost group
coverage experienced difficulty obtaining individual market coverage
with guaranteed access rights, or they paid significantly higher rates
for coverage; (3) some carriers have discouraged individuals from
applying for the coverage or charged them rates 140 to 600 percent of
the standard premium; (4) carriers charge higher rates because they
believe individuals who attempt to exercise HIPAA's individual market
access guarantee will, on average, be in poorer health than others in
the individual market; (5) many consumers do not realize that the access
guarantee applies only to those leaving group coverage who meet other
eligibility criteria; (6) individuals must have previously had at least
18 months of coverage, exhausted any residual employer coverage
available, and applied for individual coverage within 63 days of group
coverage termination; (7) consumers who misunderstand these restrictions
are at risk of losing their right to coverage; (8) issuers of health
coverage believe certain HIPAA regulatory provisions result in: (a) an
excessive administrative burden; (b) unanticipated consequences; and (c)
the potential for consumer abuse; (9) although issuers appear to be
generally complying with the requirement to provide a certificate of
coverage to all individuals terminating coverage, some issuers continue
to suggest that the process is burdensome and costly and that many of
these certificates may not be needed; (10) these issuers, as well as
many state regulators, believe that issuing the certificates only to
consumers who request them would serve the purpose of the law for less
cost; (11) state insurance regulators have encountered difficulties in
their attempts to implement and enforce HIPAA provisions where they
found federal guidance to lack sufficient clarity or detail; (12)
federal regulators face an unexpectedly large regulatory role under
HIPAA that could strain the Department of Health and Human Services'
resources and impair its oversight and effectiveness; and (13) partly in
response to health insurance issuers' and state regulators' concerns,
federal agencies issued further regulatory guidance intended to clarify
current HIPAA regulations.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  HEHS-98-67
     TITLE:  Health Insurance Standards: New Federal Law Creates 
             Challenges for Consumers, Insurers, Regulators
      DATE:  02/25/98
   SUBJECT:  Public health legislation
             Health insurance
             Eligibility criteria
             Insurance regulation
             Health insurance cost control
             Insurance premiums
             Federal/state relations
             Insurance companies
             Employee medical benefits
IDENTIFIER:  Medicaid Program
             Medicare Program
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Report to the Chairman, Committee on Labor and Human Resources, U.S. 
Senate

February 1998

HEALTH INSURANCE STANDARDS - NEW
FEDERAL LAW CREATES CHALLENGES FOR
CONSUMERS, INSURERS, REGULATORS

GAO/HEHS-98-67

First-Year HIPAA Implementation Concerns

(101594)


Abbreviations
=============================================================== ABBREV

  ERISA - Employee Retirement Income Security Act of 1974
  COBRA - Consolidated Omnibus Budget Reconciliation Act of 1985
  HIPAA - Health Insurance Portability and Accountability Act of 1996
  HHS - Department of Health and Human Services
  NAIC - National Association of Insurance Commissioners

Letter
=============================================================== LETTER


B-278643

February 25, 1998

The Honorable James M.  Jeffords
Chairman, Committee on Labor
 and Human Resources
United States Senate

Dear Mr.  Chairman: 

Over two-thirds of Americans under 65 years old--some 160 million
people--rely on the private group or individual health insurance
markets for their health coverage.  During the past decade, most
states have passed laws designed to improve the access, portability,
and renewability of private insurance coverage.  However, the extent
and scope of these reforms vary, and gaps in protections remain
within and among states.  Furthermore, self-funded employer group
plans, which cover about 40 percent of all employees enrolled in a
group health plan, are beyond the purview of state regulation and
thus exempt from these reforms. 

To provide minimum standards of protection for coverage sold in all
states and insurance markets, the Congress passed the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), which
the president signed on August 21, 1996.  HIPAA is considered by some
to be the most significant federal health insurance legislation in
over a decade.  It sets standards for access, portability, and
renewability that apply to group coverage--both fully insured and
self-funded--as well as to individual coverage.  Federal regulatory
jurisdiction for the law is shared among three agencies. 

Because of the scope and complexity of this law, its implementation
has been a complicated undertaking, and various concerns and
challenges emerged during the first year.  To assist your Committee
in its oversight of the implementation process and in its
consideration of possible technical amendments to the statute, you
asked us to monitor the implementation process and keep your
Committee informed of these concerns and challenges as they arise.\1
As requested, we reviewed the implementation of HIPAA, concentrating
on issues affecting

  -- consumers;

  -- issuers of health coverage, including employers and insurance
     carriers;

  -- state insurance regulators; and

  -- federal regulators. 

In addition, we reviewed efforts undertaken by federal agencies to
address some of the concerns and challenges that have arisen. 

To address these objectives, we reviewed the statute and regulations,
and interviewed representatives of the Departments of Health and
Human Services (HHS) and Labor.  With these officials, we discussed
the federal interagency process to develop regulations and the
measures agencies have taken to ensure compliance.  We visited
Arizona, Colorado, Michigan, and Missouri and met with
representatives of insurance departments, health carriers, employers,
and consumer organizations.  We also interviewed representatives of
several national organizations, including the National Association of
Insurance Commissioners (NAIC), the Health Insurance Association of
America, the American Association of Health Plans, and the Blue Cross
Blue Shield Association. 

We conducted our work between May and December 1997 in accordance
with generally accepted government auditing standards.  While we did
not verify in detail all data obtained from carriers, HHS, and NAIC,
we did review the consistency of the data with our own interview
results and the views of experts in the field, cross-checked some
data, and concluded that using the data was reasonable for our
purposes. 


--------------------
\1 We issued a preliminary product, The Health Insurance Portability
and Accountability Act of 1996:  Early Implementation Concerns
(GAO/HEHS-97-200R), on Sept.  2, 1997. 


   RESULTS IN BRIEF
------------------------------------------------------------ Letter :1

Although HIPAA provides people losing group coverage the right to
guaranteed access to coverage in the individual market regardless of
health status, consumers attempting to exercise their right have been
hindered by carrier practices and pricing and by their own
misunderstanding of this complex law.  Among the 13 states where this
provision first took effect, many consumers who had lost group
coverage experienced difficulty obtaining individual market coverage
with guaranteed access rights, or they paid significantly higher
rates for such coverage.  Some carriers have discouraged individuals
from applying for the coverage or charged them rates 140 to 600
percent of the standard premium.  Carriers charge higher rates
because they believe individuals who attempt to exercise HIPAA's
individual market access guarantee will, on average, be in poorer
health than others in the individual market.  In addition, many
consumers do not realize that the access guarantee applies only to
those leaving group coverage who meet other eligibility criteria. 
For example, individuals must have previously had at least 18 months
of coverage, exhausted any residual employer coverage available, and
applied for individual coverage within 63 days of group coverage
termination.  Consumers who misunderstand these restrictions are at
risk of losing their right to coverage. 

Issuers of health coverage believe certain HIPAA regulatory
provisions result in (1) an excessive administrative burden, (2)
unanticipated consequences, and (3) the potential for consumer abuse. 
Although issuers appear to be generally complying with the
requirement to provide a certificate of coverage to all individuals
terminating coverage, some issuers continue to suggest that the
process is burdensome and costly and that many of these certificates
may not be needed.  These issuers, as well as many state regulators,
believe that issuing the certificates only to consumers who request
them would serve the purpose of the law for less cost.  Also, issuers
fear that HIPAA's guaranteed renewal provision may create several
unanticipated consequences for those eligible for Medicare or holding
policies designed for certain targeted populations.  For example,
HIPAA does not permit issuers to cancel coverage of individuals once
they become eligible for Medicare.  Consequently, some individuals
could pay more for redundant coverage.  Likewise, for individuals
enrolled in subsidized insurance programs for low-income persons,
HIPAA may require that such coverage be renewed after these
individuals' income exceeds program eligibility limits.  Finally,
certain protections for group plan enrollees may create the
opportunity for consumer abuse.  HIPAA's establishment of special
enrollment periods may give employees an incentive to forgo coverage
until they become ill, and guarantees of credit for prior coverage in
the group market could provide enrollees an incentive to switch from
low-cost, high-deductible coverage to low-deductible ("first-dollar")
coverage when medical care becomes necessary.  Some issuers fear that
the overall cost of coverage could increase if such abuses became
widespread. 

State insurance regulators have encountered difficulties in their
attempts to implement and enforce HIPAA provisions where they found
federal guidance to lack sufficient clarity or detail.  For example,
regulators say unclear risk-spreading requirements contribute to the
high costs faced by certain eligible individuals attempting to
exercise their right to guaranteed access in the individual market. 
Lacking sufficient detail, for example, was guidance to implement
nondiscrimination and late enrollee requirements in the group market. 

Federal regulators face an unexpectedly large regulatory role under
HIPAA that could strain HHS' resources and impair its oversight
effectiveness.  In five states that reported they had not passed
legislation to implement HIPAA provisions by the end of 1997, HHS, as
required, has begun performing functions similar to a state insurance
regulator, such as approving insurance products and responding to
consumer complaints.  In addition, HHS may be required to play a
regulatory role in some of the other states, the District of
Columbia, and the U.S.  territories that have yet to pass legislation
to implement certain HIPAA provisions.  Consequently, the full extent
of HHS' regulatory role under HIPAA is not yet known. 

Partly in response to health insurance issuers' and state regulators'
concerns, federal agencies issued further regulatory guidance on
December 29, 1997, intended to clarify current HIPAA regulations such
as those related to nondiscrimination and late enrollment in group
health plans.  Agencies expect to continue supplementing and
clarifying the interim regulations in other areas where problems may
arise.  To address its resource constraints, HHS has reprogrammed
resources and requested additional resources as part of its fiscal
year 1999 appropriations. 


   BACKGROUND
------------------------------------------------------------ Letter :2

Title I of HIPAA contains standards for health insurance access,
portability, and renewability, which apply to group (both self-funded
and fully insured) and individual insurance market coverage.\2 While
some of the standards, such as guaranteed renewal of insurance
coverage, apply equally to coverage offered in all markets, other
standards do not.  For example, HIPAA requires all products carriers
offer in the small group market to be sold to any small employer that
applies, but it does not extend the same requirement to the large
group or individual markets.\3 Similarly, HIPAA requires that certain
individuals leaving group coverage be guaranteed access to coverage
in the individual market--"group to individual guaranteed access."
However, no similar guarantees of access exist for people in the
individual market who have coverage today but might lose it in the
future.  (App.  I contains a summary of HIPAA access, portability,
and renewability standards by market segment.)

Three federal agencies--Labor, HHS, and the Treasury--are required to
jointly develop and issue implementing regulations for HIPAA.  Each
agency has somewhat different responsibilities for ensuring
compliance.  Labor is responsible for ensuring that group health
plans comply with HIPAA standards.  This is an extension of its
current regulatory role under the Employee Retirement Income Security
Act of 1974 (ERISA).  Treasury also enforces HIPAA requirements on
group health plans, but does so by imposing an excise tax under the
Internal Revenue Code.  HHS is responsible for enforcing HIPAA
provisions with respect to insurance carriers in the group and
individual markets in states that do not already have similar
protections in place and do not pass appropriate laws and
substantially enforce them.\4 This represents an essentially new role
for that agency.\5

The implementation of HIPAA is ongoing, in part, because the
implementing regulations were on an interim final basis.  Therefore,
further guidance needed to finalize the regulations has not yet been
issued.\6 In addition, specific HIPAA provisions have varying
effective dates.  Although most of the provisions became effective on
July 1, 1997, group-to-individual guaranteed access standards in 36
states and the District of Columbia were allowed to take effect as
late as January 1, 1998.  Finally, although all provisions are now in
effect, individual group plans do not become subject to the law until
the start of their plan year beginning on or after July 1, 1997.  For
some collectively bargained plans, this may not be until 1999 or
later. 

During the first year of implementation, federal agencies, the
states, and issuers have taken various actions in response to HIPAA. 
The federal agencies issued interim final regulations by the April 1,
1997, statutory deadline.  Many considered this task to be a
significant undertaking, and states and the insurance industry were
generally pleased with the open and inclusive nature of the process. 
More regulations and guidance are expected to be issued in 1998.  The
agencies also conducted various educational outreach activities.  For
example, Labor sponsored a series of informational seminars for
employers held in several large cities, created informational
literature, and provided guidance on its Web page.  HHS consulted
with state insurance regulators at quarterly meetings of NAIC, held
informational meetings for insurance industry representatives in at
least two states where it will play an enforcement role, and also
maintains a Web page containing information on HIPAA.  Also during
the first year, state legislatures have enacted laws to enforce HIPAA
provisions locally, and state insurance regulators have written
regulations and prepared to enforce HIPAA provisions.  Issuers of
health coverage have modified products and practices to comply with
HIPAA. 


--------------------
\2 An employer may provide group coverage to its employees either by
purchasing a group policy from an insurance carrier (fully insured
coverage) or by funding its own health plan (self-funded coverage). 
For more information on fully insured and self-funded group coverage,
see The Employee Retirement Income Security Act of 1974:  Issues,
Trends, and Challenges for Employer-Sponsored Health Plans
(GAO/HEHS-95-167, June 21, 1995) and Employment-Based Health
Insurance:  Costs Increase and Family Coverage Decreases
(GAO/HEHS-97-35, Feb.  24, 1997).  Individuals without group coverage
may obtain coverage by purchasing a policy directly from carriers in
the individual insurance market.  For more information on the
individual insurance market, see Private Health Insurance:  Millions
Relying on Individual Market Face Cost and Coverage Tradeoffs
(GAO/HEHS-97-8, Nov.  25, 1996). 

\3 HIPAA defines the "small group" market generally as insurance sold
to employers with 2 to 50 employees. 

\4 HHS is also responsible for enforcing group market provisions of
HIPAA for certain nonfederal government health plans. 

\5 HIPAA provisions applicable to group health plans are under a new
part 7 of subtitle B of title I of ERISA; a new title XXVII, part A,
of the Public Health Service Act; and a new subtitle K of the
Internal Revenue Code.  HIPAA provisions applicable to individual
market health insurance are in the Public Health Service Act,
sections 2741 through 2763 and 2791. 

\6 Normal federal rulemaking procedures require agencies to publish a
Notice of Proposed Rulemaking in the Federal Register and provide for
a comment period before issuing regulations.  Under the interim final
approach, agencies issue regulations prior to a notice and comment
period. 


   HIPAA GUARANTEES ACCESS TO
   COVERAGE FOR INDIVIDUALS
   LEAVING GROUP PLANS, BUT
   CONSUMER ABILITY TO OBTAIN THIS
   COVERAGE IS COMPROMISED
------------------------------------------------------------ Letter :3

To ensure that individuals losing group coverage have guaranteed
access--regardless of health status--to individual market coverage,
HIPAA provides states with two different approaches.  The first,
which HIPAA specifies and which has become known as the "federal
fallback" approach, requires all issuers who operate in the
individual market to offer eligible individuals at least two health
plans.  (This approach became effective on July 1, 1997.) The second
approach, the so-called "alternative mechanism," grants states
considerable latitude to use high-risk pools and other means to
ensure guaranteed access.  (HIPAA requires states that adopt this
approach to have it implemented no later than Jan.  1, 1998.\7 )
Among the 13 states that are using the federal fallback approach,
carrier marketing activities and high premium prices may limit
consumers' ability to take advantage of this guarantee.  Some
carriers initially attempted to discourage consumers from applying
for products with guaranteed access rights, and some are charging
premiums 140 to 600 percent of the standard rate.  In addition,
widespread consumer misunderstanding of HIPAA guarantees of
individual market coverage and the restrictions placed on those
guarantees has also contributed to access problems. 


--------------------
\7 Nineteen states began implementing an alternative mechanism before
January 1, 1998. 


      STATES USE FEDERAL FALLBACK
      APPROACH OR AN ALTERNATIVE
      MECHANISM TO GUARANTEE
      ACCESS
---------------------------------------------------------- Letter :3.1

Under HIPAA, guaranteed access to coverage is restricted to eligible
individuals who, among other criteria, had at least 18 months of
coverage without a break of more than 63 days and with the most
recent coverage obtained under a group health plan.  Recognizing the
controversial nature of this requirement and that many states had
already passed reforms that could be modified to meet or exceed these
requirements, HIPAA gave states the flexibility to implement this
provision by using either the federal fallback or the alternative
mechanism approach. 

Under the federal fallback approach, carriers have three options for
offering eligible individuals guaranteed access to coverage.  A
carrier may offer (1) all of its individual market plans, (2) only
its two most popular plans, or (3) two representative plans--a
lower-level and a higher-level coverage option--which are explicitly
subject to some mechanism for risk spreading or financial
subsidization.\8 Thirteen states use the federal fallback approach. 

In the 36 states and the District of Columbia that use an alternative
mechanism, which was to become effective no later than January 1,
1998, the law allows a wide range of approaches as long as certain
minimum requirements are met.\9 For example, an eligible individual
must have a choice between at least two different coverage options. 
Twenty-two of these states chose a state high-risk insurance pool to
provide group-to-individual guaranteed access rights.  Appendix II
summarizes the different options states have chosen to provide
group-to-individual guaranteed access rights. 


--------------------
\8 Under a risk-spreading requirement, a health insurance carrier
must aggregate the health care costs incurred by one group of
enrollees with the costs incurred by a larger group of enrollees for
purposes of establishing premium rates.  Therefore, if the smaller
group incurred higher costs than the larger group, its premiums under
risk spreading would be lower than they otherwise would have been. 

\9 Because the Kentucky legislature was not in session during 1997,
that state has until July 1, 1998, to implement group-to-individual
guaranteed access. 


      CARRIER MARKETING OF HIPAA
      GUARANTEED ACCESS PRODUCTS
      MAY HAVE DISCOURAGED
      INDIVIDUALS FROM APPLYING
---------------------------------------------------------- Letter :3.2

Some initial carrier marketing practices may have discouraged HIPAA
eligibles from enrolling in products with guaranteed access rights. 
After the federal fallback provisions took effect on July 1, 1997,
many consumers complained to state insurance regulators that carriers
did not disclose the fact that a product with HIPAA guaranteed access
rights existed or, when the consumers specifically requested one,
they were told that the carrier did not have such a product
available.  One state regulator we visited said that some carriers
told consumers HIPAA products were not available because the state
had not yet approved them.  However, the regulator had notified all
carriers that such products were to be issued starting July 1, 1997,
regardless of whether the state had yet approved them. 

Soon after July 1, some carriers had also refused to pay commissions
to insurance agents who referred HIPAA eligibles.  In two of the
three federal fallback states we visited, insurance regulators told
us that some carriers were advising agents against referring
HIPAA-eligible applicants, or paying reduced or no commissions. 
Because consumers often use insurance agents to access the individual
insurance market, an economic incentive to steer individuals away
from guaranteed access products could significantly reduce consumer
access to them.  Several states have challenged this practice under
state fair marketing practice laws.  HHS officials looked into
reports of such practices and learned of about 10 carriers that had
reduced or eliminated agent commissions for HIPAA eligibles. 
Responding to pressure from state insurance regulators, two of these
carriers have resumed paying commissions, and the other eight,
according to the officials, appear to be wavering.  Since finding
these initial 10, HHS officials have not heard of other carriers
refusing to pay agent commissions. 


      CARRIER PRICING OF HIPAA
      GUARANTEED ACCESS PRODUCTS
      CAN RESULT IN SUBSTANTIALLY
      HIGHER RATES
---------------------------------------------------------- Letter :3.3

Premiums for products with guaranteed access rights may be
substantially higher than standard rates.  In several of the 13
federal fallback states, anecdotal reports from insurance regulators
and agents suggest that rates range from 140 to 600 percent of the
standard rate.  Rates charged by several individual market carriers
in the three federal fallback states we visited ranged from 140 to
400 percent of the standard rate, as indicated in table 1.  Carriers
charge higher rates, in part, because they believe HIPAA-eligible
individuals will, on average, be in poorer health and hence would
likely have higher medical costs.  In addition, carriers that do not
charge higher premiums to HIPAA eligibles could be subject to adverse
selection.  That is, once a carrier's low rate for eligible
individuals became known, agents would likely refer unhealthy HIPAA
eligibles to that carrier. 

We also found that these carriers typically evaluate the health
status of applicants and offer healthy individuals access to their
standard products.  Although these products may include a preexisting
condition exclusion period, they may cost considerably less than the
HIPAA product and therefore are likely to draw healthy individuals
away from HIPAA products.  Unhealthy HIPAA-eligible individuals may
have access to only the guaranteed access product, and some of them
may be charged an even higher premium on the basis of their health
status. 



                          Table 1
          
            Premiums as a Percentage of Standard
            Rate Charged for Selected Guaranteed
           Access Products in Arizona, Colorado,
                        and Missouri

                                              Premium as a
                                             percentage of
Carrier                                      standard rate
--------------------------------------  ------------------
A                                                      140
B                                                      150
C                                                      185
D                                                      200
E                                                      200
F                                                      225
G                                                      300
H                                                      300
I                                                      400
----------------------------------------------------------
Carriers permit or even encourage healthy HIPAA-eligible individuals
to enroll in standard plans.  According to one carrier official,
denying these individuals the opportunity to enroll in a less
expensive product for which they are eligible would be contrary to
the consumers' best interests.  Moreover, the practice of encouraging
healthy HIPAA-eligible individuals to enroll in standard products may
lead to further rate increases for HIPAA guaranteed access products
in the future.  According to an official from one large insurance
carrier, a spiral might ensue as higher premiums induce the better
health risks to disenroll from HIPAA products, leaving a pool of
poorer risks and spurring insurers to further raise premiums. 

Finally, HIPAA regulations explicitly impose a risk-spreading
requirement under only one of the three options carriers have to
provide coverage to HIPAA-eligible individuals.  If carriers choose
to develop two new products to be offered to eligible individuals,
they must include some method of risk spreading or a financial
subsidization mechanism.  Under the other two options, the
regulations are silent about rates.  In fact, the preamble to the
regulations expressly acknowledges that HIPAA does not place limits
on the premiums insurers may charge.  This, some state regulators
contend, permits issuers to charge substantially higher rates for
products with guaranteed access in the federal fallback states. 


      WIDESPREAD CONSUMER
      MISUNDERSTANDING OF HIPAA
      GROUP-TO-INDIVIDUAL
      GUARANTEED ACCESS RIGHTS MAY
      FOSTER DISSATISFACTION AND
      DIMINISH ACCESS
---------------------------------------------------------- Letter :3.4

HIPAA's group-to-individual guaranteed access rights are limited to
eligible individuals and are subject to several other restrictions. 
Consumers who do not understand these rights may be disappointed or
even be at risk of losing their group-to-individual portability
rights. 


         HIPAA INDIVIDUAL MARKET
         COVERAGE GUARANTEES ARE
         MORE LIMITED THAN MANY
         CONSUMERS BELIEVE
-------------------------------------------------------- Letter :3.4.1

Some consumers believe HIPAA provides broader access and protections
than it actually does.  After HIPAA was enacted, insurance regulators
in several states received numerous calls from individuals, including
the uninsured, who misunderstood their rights and expected to have
guaranteed access to insurance coverage.  One state reported
receiving consumer calls at the rate of 120 to 150 a month beginning
shortly before most HIPAA provisions became effective on July 1,
1997.  About 90 percent of these calls related to the
group-to-individual guaranteed access provision, about half of which
were complaints about the lack of access to coverage in the
individual market.  Similarly, an official from one large national
insurer told us that many consumers believe the law covers them when
it actually does not.  One insurance agent suggested that perhaps
only 10 percent or fewer of all individuals actually know that HIPAA
exists, much less fully understand the protections it offers.  Some
regulators and others contend that the press has poorly served the
public by not accurately portraying the consumer protections provided
under HIPAA.  They believe that the media reporting of the rhetoric
surrounding the passage of HIPAA may have contributed to
misunderstanding among consumers. 


         CONSUMERS WHO
         MISUNDERSTAND
         RESTRICTIONS MAY LOSE
         THEIR INDIVIDUAL COVERAGE
         GUARANTEE
-------------------------------------------------------- Letter :3.4.2

HIPAA imposes several restrictions on former group enrollees'
guarantee of access to individual market coverage.  Among other
restrictions, eligible individuals must

  -- have had at least 18 months of creditable coverage (the most
     recent of which must have been group coverage) with no break of
     more than 63 consecutive days;

  -- have exhausted any COBRA\10 or other continuation coverage
     available;

  -- not be eligible for any other group coverage, or Medicare or
     Medicaid; and

  -- not have lost group coverage because of nonpayment of premiums
     or fraud. 

In addition to these restrictions, consumers need to be aware of
other factors in order to exercise their rights.  For example, in
states that used the federal fallback approach, eligible individuals
needed to be aware that the provision became effective on July 1,
1997, and that coverage must be offered by all carriers in the state
that operate in the individual insurance market.  In states that
chose an alternative mechanism, eligible individuals needed to know
that the provision had until January 1, 1998, to take effect and also
needed to be aware of which method the state chose to provide
guaranteed access to coverage in order to exercise their
group-to-individual guaranteed access right. 

Consumer misunderstanding of these restrictions can hamper or limit
access to products for eligible individuals.  For example,
individuals who are unaware of the 63-day limit on coverage
interruptions may wait until medical care is necessary before
applying for coverage, only to find that coverage is unavailable,
according to one regulator.  A regulator told us that individuals
coming from group coverage have waited beyond 63 days to apply for
individual coverage and thus have lost their portability rights. 
Another insurance regulator said that some consumers lost their
guarantee to individual coverage because they left group coverage
before January 1, 1998, believing HIPAA guaranteed access rights to
be in place.  However, because the state chose an alternative
mechanism, protections did not exist until January 1, and insurance
department officials in the state were in the unfortunate position of
telling consumers that they had no guaranteed access rights. 


--------------------
\10 Consolidated Omnibus Budget Reconciliation Act of 1985. 


         CONSUMER EDUCATION NEEDED
-------------------------------------------------------- Letter :3.4.3

Some state regulators and consumer advocates support the need for
more consumer education.  HHS also recognizes that the lack of
consumer education is a significant problem.  A well-informed
consumer is better able to take advantage of the protections HIPAA
offers, according to the officials.  The agency is more convinced
than ever that education outreach and assistance are the keys to
improving group-to-individual portability under HIPAA.  However,
because of resource constraints, the agency is unable to put much
effort into consumer education.  HHS officials told us the agency is
attempting to expand the information available on a toll-free
telephone number to include HIPAA particulars, is expanding its Web
site to include more HIPAA information, and is in the very early
stages of developing an education pilot program in two regions. 


   ISSUERS OF HEALTH COVERAGE
   CONCERNED ABOUT HIPAA'S
   ADMINISTRATIVE BURDEN AND
   POSSIBLE UNINTENDED
   CONSEQUENCES
------------------------------------------------------------ Letter :4

Issuers of health coverage have several concerns about the unintended
consequences of certain HIPAA requirements.  An ongoing concern has
been the administrative burden and cost associated with the
requirement to issue certificates of creditable coverage to all
enrollees who terminate coverage.  While issuers generally have
complied with this requirement, some suggest that a more limited
requirement, such as issuing the certificates only to consumers who
request them, would serve the same purpose for less cost.  Issuers
are also concerned that HIPAA's guaranteed renewal requirement may
have negative consequences for certain populations, including
individuals eligible for Medicare.  Finally, issuers are concerned
that certain HIPAA provisions create opportunities for individuals to
abuse protections afforded to group coverage enrollees. 


      ISSUERS COMPLY, BUT STILL
      CITE REQUIREMENT TO PROVIDE
      CERTIFICATES AS BURDENSOME
      AND LARGELY UNNECESSARY TO
      PROVE PRIOR COVERAGE
---------------------------------------------------------- Letter :4.1

HIPAA requires issuers of health coverage to provide certificates of
creditable coverage to enrollees whose coverage terminates.  The
certificates are intended to document an individual's period of
coverage so that a subsequent health issuer can credit this time
against the preexisting condition exclusion period of the new
coverage.  Early indications suggest that issuers generally appear to
be complying with this requirement.  Moreover, none of the health
carrier officials with whom we met were unable to issue the
certificates once systems were put into place to generate them. 
Likewise, state insurance regulators we visited had received few
complaints from consumers who were unable to obtain a certificate of
coverage, and they therefore do not consider issuer compliance with
the certification requirement a significant concern. 

Nevertheless, as we reported in our September 2, 1997,
correspondence,\11

concerns about HIPAA's certification requirement remain: 

  -- Some issuers suggest that information needed for certificates
     can be difficult to obtain.  For example, certificates must
     include information on each dependent covered under the policy,
     such as the date they were first covered and how long the
     coverage was in effect.  Since changes in the number or status
     of dependents in a family--as a result of events such as births,
     deaths, and marriages--are fairly common in a large group plan,
     issuers may have a difficult time keeping abreast of all these
     changes.  They believe that maintaining and updating records
     could be time-consuming and expensive.  To address such
     concerns, federal agencies provided issuers a transition period
     ending June 30, 1998, during which certain dependent information
     need not be included in certificates.  Issuers are also provided
     additional time to issue a certificate when a dependent's
     cessation of coverage is not known to the issuer. 

  -- Some regulators have also raised concerns that the certification
     requirement will create an added administrative burden for state
     Medicaid agencies.  Medicaid recipients tend to enroll and
     disenroll in the Medicaid program frequently as their income and
     employment status change.  This volatility in enrollment will
     increase the volume of certificates issued by the Medicaid
     program.  In addition, Medicaid agencies have had a difficult
     time maintaining accurate addresses for recipients and expect a
     large volume of certificates to be undeliverable, according to
     NAIC.  In the preamble to the interim final regulations, federal
     agencies requested comments on how the certification process
     might be adapted to the special circumstances of Medicaid
     agencies and other entities. 

  -- Finally, issuers contend that certificates may not be necessary
     to prove creditable coverage in all cases and that issuance on
     demand would serve the same purpose at a lower cost.  In fact,
     the Blue Cross Blue Shield Association estimates that consumers
     ultimately will not use as many as 90 percent of all
     certificates issued to prove creditable coverage.  For example,
     several issuers, as well as a state regulator, pointed out that
     portability reforms passed by most states have worked well
     without a similar certification requirement.  Where proof of
     prior coverage was needed, issuers asked for documentation of
     prior coverage from the applicant and, if unavailable, simply
     called the prior issuer to confirm that coverage.  Also, many
     group health policies do not contain clauses with preexisting
     condition exclusions and therefore do not need certificates from
     incoming enrollees. 


--------------------
\11 GAO/HEHS-97-200R. 


      GUARANTEED RENEWAL
      REQUIREMENTS MAY HAVE
      NEGATIVE CONSEQUENCES
---------------------------------------------------------- Letter :4.2

HIPAA regulations explicitly state the circumstances under which an
individual's health coverage may not be renewed or may be canceled,
such as for nonpayment of premiums or fraud.  Issuers are concerned
that the omission of other circumstances, such as the attainment of
Medicare eligibility age and ceasing to meet eligibility criteria for
targeted population insurance programs, may affect both issuers and
consumers adversely. 

Commonly cited as problematic is the renewal of comprehensive
coverage for individual market enrollees who become eligible for
Medicare.  When individuals reach the age of Medicare eligibility,
issuers have typically terminated individuals' comprehensive coverage
and offered Medicare supplemental coverage instead.  HIPAA's
requirement to automatically renew this comprehensive coverage may
have a number of drawbacks.  First, individuals risk losing their
6-month open enrollment window for Medicare supplemental coverage. 
If individuals choose to retain comprehensive coverage rather than
obtain Medicare supplemental coverage, they may permanently lose
their right to enroll in a supplemental policy without preexisting
condition exclusions in the future.  This could have a significant
impact on some consumers, since individual market coverage is often
more expensive than Medicare supplemental coverage.  In addition,
many states do not permit issuers to coordinate their coverage with
that provided by Medicare.  Thus, some consumers may pay for
duplicate coverage.  Finally, NAIC is concerned that renewing
coverage for Medicare eligibles could have a deleterious effect on
the individual insurance market.  Premiums for all individuals could
increase if large numbers of older and less healthy individuals
remain in that market.  Because of these consequences, several state
insurance regulators require issuers to notify enrollees of the
implications of renewing their coverage once they become eligible for
Medicare. 

HIPAA's guaranteed renewal requirements may also preclude issuers
from canceling the coverage of individuals enrolled in insurance
programs targeted for low-income populations once these individuals
exceed eligibility criteria.  Since carriers might be prohibited from
canceling coverage once an enrollee's income exceeds the eligibility
threshold, a program's limited slots could be filled by otherwise
ineligible individuals.  Similarly, under children-only insurance
products, issuers could be required to renew coverage for those who
have reached adulthood.  Several issuers and their representative
organizations have expressed concern about such implications of the
guaranteed renewal requirement and have asked the federal agencies to
revise regulations to provide appropriate exceptions. 


      ISSUERS CONCERNED THAT HIPAA
      CREATES OPPORTUNITIES FOR
      INDIVIDUALS TO ABUSE CERTAIN
      CONSUMER PROTECTIONS
---------------------------------------------------------- Letter :4.3

Issuers cite two provisions in HIPAA that consumers could potentially
abuse.  First, HIPAA requires group health plans to give new
enrollees or enrollees switching plans during an open enrollment
period full credit for a broad range of prior health coverage,
regardless of the deductible level of that coverage.  Since the law
does not recognize differences in the deductible levels, issuers and
regulators are concerned that where given a choice of health coverage
options, individuals may enroll in inexpensive, high-deductible plans
that may have limited benefits while healthy and then switch to plans
with comprehensive, first-dollar coverage when they become ill. 
Likewise, a small employer could move all its employees from a high-
to a low-deductible plan once a single employee becomes ill. 

Second, issuers are concerned that certain enrollment rights under
HIPAA create the opportunity for abuse.  Under certain circumstances,
HIPAA permits an individual who initially declines coverage under the
employer's group plan to later obtain coverage under the plan without
waiting for the specified open enrollment period or being penalized
as a late enrollee.  The circumstances under which this special
enrollment period is allowed include the loss of other health
coverage as well as family changes that affect the status of
dependents, such as marriage, birth, and adoption.  Issuers suggest
that since individuals essentially control some of the circumstances
that create these special enrollment periods, some may forgo coverage
until medical care is needed and then create the circumstances that
trigger an open enrollment period.  For example, an unmarried couple
could avoid the expense of health coverage, knowing they could obtain
access to their employers' group coverage if necessary later by
marrying.  Citing a related example, a Health Insurance Association
of America official noted that individuals could also misuse HIPAA's
prohibition against including pregnancy as a preexisting condition. 
For example, nothing would prevent an employee from avoiding the
expense of health coverage until medical care for pregnancy became
necessary.  The employee need merely enroll as a late enrollee to
immediately obtain full coverage for maternity benefits. 


   STATE INSURANCE REGULATORS CITE
   LACK OF SUFFICIENT CLARITY OR
   DETAIL IN SOME HIPAA
   REGULATIONS AS HINDERING
   IMPLEMENTATION EFFORTS
------------------------------------------------------------ Letter :5

State regulators have encountered difficulties implementing HIPAA
provisions in instances where federal regulations lacked sufficient
clarity or detail.  Where federal regulations have been viewed as
unclear, the resulting confusion has affected state regulators and
issuers in carrying out their roles under HIPAA.  Federal agency
officials suggest that statutory deadlines, competing demands, and
their desire to provide states the flexibility to implement the
regulations in a manner best suited to each state may have
contributed to the perceived lack of clarity. 


      SOME REGULATORS CALL FOR
      MORE CLARITY AND GUIDANCE IN
      CERTAIN HIPAA REGULATIONS
---------------------------------------------------------- Letter :5.1

The unclear or ambiguous nature of some of HIPAA's implementing
regulations have presented several challenges to state regulators. 
Specifically, some regulators are concerned that the lack of clarity
may result in varying interpretations and confusion among the
multiple entities involved in implementation.  For example, Colorado
insurance regulators surveyed carriers in that state to determine how
they interpreted regulations pertaining to group-to-individual
guaranteed access.  The survey results indicated that issuers had a
difficult time interpreting the regulations and were applying the
regulations differently. 

Such regulatory ambiguities can have critical consequences for
consumers and have created some situations in which the intent of the
statute may have been thwarted, according to NAIC.  For example, as
discussed earlier, partly because of the inconsistency in the
risk-spreading requirement for products available to HIPAA-eligible
individuals in the individual markets of federal fallback states,
rates for these products in some states range from 140 to 600 percent
of standard rates.  As a result, many regulators believe this outcome
raises a question about whether those leaving group coverage are
provided with meaningful access under HIPAA to coverage in the
individual insurance market. 

The following are examples of other regulatory provisions for which
state insurance regulators have sought further federal guidance or
clarification. 

  -- Plan design as preexisting condition exclusion period.  One of
     HIPAA's key goals is to provide portability of coverage to those
     who change jobs or lose group coverage.  To achieve this
     objective, the regulations limit the extent to which issuers can
     exclude preexisting conditions from coverage.  However, the
     regulations do not contain guidance about whether an issuer may
     structure the benefits of a plan in a way that effectively
     excludes certain preexisting conditions.  For example, according
     to NAIC, some health plans have established waiting periods of
     up to a year during which certain conditions or procedures, such
     as organ transplants, are excluded from all enrollees' coverage. 
     Requiring such waiting periods effectively excludes such
     preexisting conditions from coverage and, according to
     regulators, is contrary to the statutory intent to provide
     portability of coverage. 

  -- Treatment of late enrollees.  State regulators believe HIPAA is
     unclear about whether late enrollees are eligible for coverage. 
     Although the regulations explicitly define "late enrollees" as
     individuals who enroll for group coverage any time after the
     date on which they were initially eligible (or subsequently
     eligible under a special enrollment period), the preamble to the
     regulations indicates that issuers are not required to accept
     late enrollees.  Regulators believe that certain distinctions,
     such as an 18-month preexisting waiting period for late
     enrollees versus 12 months for on-time enrollees, would not have
     been made if late enrollees were not intended to be covered. 
     Accordingly, NAIC has asked that HHS interpret the statute to
     explicitly require the acceptance of late enrollees. 

  -- Market withdrawal as exception to guaranteed renewability. 
     Regulators believe that the HIPAA provision that allows issuers
     who cease offering coverage throughout the individual and group
     markets to not renew the coverage of an individual or a group
     creates uncertainties that may affect their ability to regulate
     insurance.  Regulators believe the interim regulations leave
     three key questions unanswered.  First, must an issuer who
     withdraws from the market also not renew existing coverage, or
     does it have the discretion to maintain existing coverage but
     not write new coverage?  Second, must the issuer also cease to
     issue all other types of health policies, such as
     limited-benefit or specified-disease policies?  And finally,
     must the issuer terminate all coverage at once, or can it
     terminate each policy on its respective anniversary date? 

  -- Nondiscrimination provisions in group plans.  HIPAA regulations
     prohibit group plan issuers from excluding an individual of the
     group from coverage or charging a higher premium because of an
     individual's health status or medical history.  In the preamble
     to the nondiscrimination regulations, federal agencies sought
     input on this requirement from regulators and issuers and
     indicated that further guidance would be forthcoming.  Until
     further guidance is issued, regulators have several questions
     concerning how this requirement is applied, such as to what
     extent the statute permits an issuer to limit benefits on the
     basis of the source of a person's injury and whether issuers may
     vary benefits for different groups of employees. 


      FEDERAL OFFICIALS CITE TIGHT
      STATUTORY DEADLINES AND
      STATES' DESIRE FOR
      FLEXIBILITY TO HELP EXPLAIN
      PERCEIVED LACK OF CLARITY OR
      DETAIL IN SOME REGULATORY
      GUIDANCE
---------------------------------------------------------- Letter :5.2

Federal agency officials point to several factors that contributed to
the perceived lack of clarity or sufficient detail in some HIPAA
regulations.  First, the agencies were required to issue a number of
complex regulations within a relatively short period of time.  The
statute, signed into law on August 21, 1996, required that
implementing regulations be issued within fewer than 8 months, on
April 1, 1997.  Implicitly recognizing this challenge, the Congress
provided for the issuance of regulations on an interim final
basis.\12 This time-saving measure helped the agencies to issue a
large volume of complex regulations within the statutory deadline,
while also providing the opportunity to add more details or further
clarify the regulations based on comments later received from
industry and states.  Therefore, some regulatory details necessarily
had to be deferred until a later date. 

Furthermore, agency officials point out that in developing the
regulations, they sought to balance states' need for clear and
explicit regulations with the flexibility to meet HIPAA goals in a
manner best suited to each state.  For example, under
group-to-individual guaranteed access requirements, states were given
several options for achieving compliance.  While the multiple options
may have contributed to confusion in some instances, the
controversial nature of the requirement suggested to agency officials
that a flexible approach was in the best interests of states. 
Officials said that many state officials requested that minimal
detail be included in the federal regulations.  In particular, with
respect to risk spreading for guaranteed access products in the
individual market, HHS officials said they attempted to meet with
federal fallback states to discuss appropriate regulations.  However,
the states were hesitant to participate in such meetings until after
the July 1, 1997, effective date passed and they were confronted with
greater than expected operational problems.  Officials further noted
that HIPAA does not preclude states adopting their own risk-spreading
requirements.  Finally, some of the regulatory ambiguities derive
from ambiguities existing in the statute itself.  For example,
regulations concerning late enrollees closely track the language from
the statute. 

To ease the burden on state regulators and issuers, HIPAA regulations
provided an overall good faith compliance period, which ended on
January 1, 1998.  Until that time, federal officials agreed to take
no compliance action against any issuer who attempted to comply with
HIPAA.  In addition, a good faith compliance period continues to
apply to the nondiscrimination provisions until further guidance is
issued, and additional leeway is given in the form of phase-ins for
certain other provisions. 


--------------------
\12 Normal federal rulemaking procedures require agencies to publish
a Notice of Proposed Rulemaking in the Federal Register and provide
for a comment period before issuing regulations.  Under the interim
final approach, agencies issue regulations before a notice and
comment period. 


   UNEXPECTEDLY LARGE ROLE FOR
   FEDERAL REGULATORS MAY STRAIN
   RESOURCES, HAMPER OVERSIGHT
------------------------------------------------------------ Letter :6

States have the option of enforcing HIPAA's access, portability, and
renewability standards as they apply to fully insured group and
individual health coverage.  In states that do not pass laws to
substantially enforce these federal standards, HHS must perform the
enforcement function.  According to HHS officials, the agency as well
as the Congress and others assumed HHS would generally not have to
perform this role, believing instead that states would not relinquish
regulatory authority to the federal government.  However, several
states reported that they did not pass legislation implementing key
provisions of HIPAA, thus requiring HHS to actively regulate
insurance plans in these states.  Preliminary information suggests
that a number of additional states may not enact one or more HIPAA
provisions, potentially requiring HHS to also play a limited
regulatory role in these states.  HHS resources are currently
strained by its new regulatory role in the five states where
enforcement is under way, according to officials, and concern exists
about the implications of the possible expansion of this role to
additional states. 


      HHS GIVEN NEW HEALTH
      INSURANCE REGULATORY ROLE IF
      STATES DECLINE TO IMPLEMENT
      AND ENFORCE HIPAA STANDARDS
---------------------------------------------------------- Letter :6.1

Unlike Labor and the Treasury, HHS was given a new regulatory role
under HIPAA.  The agency must enforce HIPAA provisions for fully
insured group and individual market plans in states that do not enact
the standards in state laws and substantially enforce them.  In these
states, HHS must take on functions typically reserved for state
insurance regulators.  The agency must

  -- provide guidance to help issuers in modifying their products and
     practices to comply with HIPAA requirements,

  -- obtain and review issuers' product literature and policy forms,

  -- monitor issuer marketing practices,

  -- respond to consumer complaints and encourage issuers to take
     corrective actions where noncompliance is determined, and

  -- impose civil monetary penalties on issuers who fail to initiate
     corrective actions. 

Although the role of an insurance regulator represents a significant
new responsibility for HHS, neither the Congress nor HHS anticipated
the agency would actually be required to perform this role to any
great extent.  Many federal authorities assumed that the vast
majority of states would choose to pass laws to enforce HIPAA
provisions rather than relinquish regulatory authority to the federal
government. 


      GAPS REMAIN IN STATE LAWS
      NEEDED TO ENFORCE HIPAA
      STANDARDS
---------------------------------------------------------- Letter :6.2

As of December 1997, HHS was preparing to enforce HIPAA standards in
five states that reported federal enforcement would be necessary. 
These five states--California, Massachusetts, Michigan, Missouri, and
Rhode Island--did not pass laws to implement the group-to-individual
guaranteed access provision, among others, according to an NAIC
survey and HHS officials.  HHS has also been working with insurance
regulators from U.S.  territories to determine whether federal
enforcement is necessary there. 

HHS will next turn its attention to the remaining states.  According
to agency officials, because states were not required to report their
plans for enforcing most HIPAA standards, HHS has had to rely on
information provided voluntarily by states, surveys performed by
others, and anecdotal reports to determine the status of state
legislative activity.  Resources permitting, HHS may survey each
state during 1998 and make a comprehensive determination of the
status of HIPAA legislation and enforcement.  Nevertheless,
preliminary data from an October 1997 NAIC survey indicate that while
most states have made progress in enacting statutes implementing key
HIPAA provisions, many gaps remain.  For example, as indicated in
table 2, in the individual market, eight states had not passed laws
to implement guaranteed renewal.  In the group markets, two states
had not passed laws to implement small-group guaranteed access, and
four states had not passed laws to implement guaranteed renewal and
limits on preexisting condition exclusion periods in the large-group
markets.  In addition, these preliminary data do not include HIPAA's
certificate issuance requirement, and anecdotal evidence suggests
that many states have not incorporated this requirement into state
statutes.  While states continue to pass legislation to close some of
these gaps, the possibility remains that not all provisions in all
market segments will be addressed, necessitating an expansion of HHS'
enforcement role. 



                          Table 2
          
          Gaps in State Laws to Implement Selected
          HIPAA Standards, as of October 31, 1997

               HIPAA standard to be adopted by states
          ------------------------------------------------
                              Preexist
                                   ing
                              conditio               HIPAA
          Guarante                   n            definiti
                ed            exclusio    Credit     on of
           access/  Guarante         n       for   "small-
Market    availabi        ed   periods     prior    group"
segment       lity   renewal    limits  coverage  employer
--------  --------  --------  --------  --------  --------
Individu         1         8       Not       Not       Not
 al                           applicab  applicab  applicab
                                    le        le        le
Small            2         1         1         1        17
 group
Large          Not         4         4         4       Not
 group    applicab                                applicab
                le                                      le
----------------------------------------------------------
Note:  Excludes gaps in the five states in which HHS has begun
enforcement activities. 

Source:  NAIC survey based on self-reported data from state
officials. 


      HIPAA IMPLEMENTATION AND
      ENFORCEMENT MAY STRAIN HHS
      RESOURCES
---------------------------------------------------------- Letter :6.3

The new enforcement role HHS is required to perform in California,
Massachusetts, Michigan, Missouri, and Rhode Island may strain the
resources of its regional offices serving those states, according to
HHS officials.  For example, HHS staff in the Kansas City regional
office (covering Missouri) are challenged to regulate the insurance
products offered by up to 500 insurers in Missouri.  To carry out
this function, the office asked for 11 new full-time positions but,
as of December 1997, was authorized to hire only 4.  Three of the
four positions have been filled through outside hires, and one was
filled through an internal promotion.  Two additional staff were
rotated from other units to assist in HIPAA-related activities.  Even
fewer resources are devoted to HIPAA enforcement in the two other
regions, Boston and San Francisco.  Also as of December 1997, Boston
had only one full-time and two part-time staff members devoted to
enforcing the HIPAA compliance of hundreds of Massachusetts and Rhode
Island insurers.  Although the office had received authorization for
two additional staff, none had yet been hired.  A health insurance
specialist in that office said that with such limited staffing, the
office will be hard-pressed to fulfill its upcoming policy form
review tasks and handle the expected surge in consumer queries in
early 1998.  In San Francisco, no additional staff had yet been
authorized, and only one person was working full time on HIPAA issues
as of December 1997.  HHS was surprised by California's failure to
pass group-to-individual guaranteed access, a fact that did not
become known until September 1997.  According to an HHS deputy
director, regulation in California will be especially challenging
because of the state's large size and the fragmented, complicated
structure of its health insurance markets. 

HHS' resources will be further strained if the enforcement role it is
serving in these five states becomes permanent or expands to other
states.  If HHS determines that other states have not passed one or
more HIPAA provisions, as preliminary data suggest, HHS will have to
play a regulatory role in these additional states.  Staff throughout
the agency noted that HHS' current resources are insufficient to
handle such a task.  Officials outside HHS have also publicly
expressed concern that its resources could become overtaxed.  For
example, in his September 1997 testimony before the House Ways and
Means Committee's Subcommittee on Health, the president of the Health
Insurance Association of America testified that HHS faces "regulatory
overload" because of the demands placed on the agency by HIPAA and
other new responsibilities under the Balanced Budget Act of 1997.\13
Also, in an October 1997 speech, the former administrator of HHS'
Health Care Financing Administration said that the agency is facing a
serious problem if it does not receive additional resources to cope
with its expanded responsibilities under HIPAA and other recent laws. 


--------------------
\13 Bill Gradison, Statement of HIAA on Implementation of the Health
Insurance Portability and Accountability Act, P.L.  104-191
(Washington, D.C.:  Sept.  25, 1997). 


   FEDERAL ACTIONS UNDER WAY TO
   ADDRESS SOME HIPAA
   IMPLEMENTATION CONCERNS
------------------------------------------------------------ Letter :7

Federal officials have begun to respond to some of the concerns
raised during the first year of HIPAA implementation.  HHS is
continuing to monitor the need for more explicit risk-spreading
requirements to mitigate the high cost of guaranteed access products
in the individual market under the federal fallback approach.  Though
HHS does not at present support changes to the certificate issuance
requirement, some of the other unintended consequences and concerns
that issuers and states cite may be addressed by ongoing revisions to
and clarifications of the regulations.  Federal agencies issued
further guidance at the end of 1997 and expect to continue issuing
guidance in 1998.  Finally, because of the increasing pressure on its
resources, HHS has asked for additional funding as part of its fiscal
year 1999 budget request. 


      HHS IS MONITORING THE NEED
      FOR MORE EXPLICIT
      RISK-SPREADING REQUIREMENTS
      FOR PRODUCTS OFFERED TO
      HIPAA-ELIGIBLE INDIVIDUALS
---------------------------------------------------------- Letter :7.1

HHS has realized that many HIPAA-eligible individuals in states using
the federal fallback approach to group-to-individual guaranteed
access may be unable to obtain affordable coverage and may
effectively be priced out of the market.  According to officials, HHS
legal staff are reevaluating whether HIPAA provides the agency
authority to issue regulations with more explicit risk-spreading
requirements and the agency is continuing to monitor the situation. 


      HHS DOES NOT NOW SUPPORT
      CHANGES TO CERTIFICATE
      ISSUANCE REQUIREMENT
---------------------------------------------------------- Letter :7.2

HHS officials believe it is premature to revise the certificate
issuance requirement in response to issuer concerns that issuing
certificates creates an administrative burden and is unnecessary to
prove creditable coverage.  The officials indicated that certificates
do serve another important purpose in that they notify consumers of
their portability rights, regardless of whether the consumers
ultimately need to use the certificate to exercise those rights.  In
addition, HHS officials have heard anecdotal evidence that suggests
even with the certificate some consumers are having difficulty
exercising their portability rights.  With respect to state Medicaid
agencies, officials acknowledged that they may face an increased
administrative burden, but HHS and other federal agency officials
were concerned that offering an exception to Medicaid agencies might
encourage other groups to also seek an exception. 


      ONGOING AMPLIFICATION AND
      CLARIFICATION OF HIPAA
      REGULATIONS MAY ADDRESS SOME
      ISSUER AND STATE CONCERNS
---------------------------------------------------------- Letter :7.3

Federal agencies interpret HIPAA's guaranteed renewal provision to
mean that individuals, upon becoming eligible for Medicare, must be
given the option of maintaining their individual market coverage. 
HHS officials point out that some retirees with special needs, such
as those dependent on expensive prescription drugs, may benefit from
retaining their individual market coverage rather than buying a
Medicare supplemental policy.  Moreover, they disagree with the
insurance industry and state regulators' contention that sufficient
numbers of individuals in poor health will remain in the individual
market to affect premium prices there.  Finally, even if HHS
supported a change to this requirement, agency legal staff are
uncertain whether HHS could simply change the regulations or whether
a technical amendment to the statute would be needed. 

With respect to insurance products offered to targeted populations,
such as children or low-income families, HHS has no immediate plans
to revise HIPAA requirements.  However, officials say they are
considering industry comments on this issue and would not rule out
the possibility in the future. 

Federal officials have also acknowledged concern that certain other
HIPAA provisions, such as those that give group enrollees who switch
health plans full credit for a broad range of prior coverage, may
create an incentive for consumers to abuse the provision. 
Furthermore, they acknowledged that such abuse may lead to adverse
selection.  In response, the federal agencies have asked for comments
from issuers and regulators about how differences between high- and
low-deductible plans should be treated under HIPAA.  The agencies
have received many comments on the issue and are continuing to
examine potential changes.  The agencies also issued supplemental
guidance for provisions concerning nondiscrimination and late
enrollment on December 29, 1997.  This guidance clarifies how group
health plans must treat individuals who, prior to HIPAA, had been
excluded from coverage because of a health status-related factor. 
Further guidance and clarification in these and other areas will
follow. 


      HHS SEEKS ADDITIONAL
      RESOURCES
---------------------------------------------------------- Letter :7.4

To address its resource constraints, HHS has shifted resources to
HIPAA tasks from other activities.  In its fiscal year 1999 budget
request, HHS has also requested an additional $15.5 million to fund
65 new full-time-equivalent staff and outside contractor support for
HIPAA-related enforcement activities.  Its most critical unmet need,
according to agency officials, relates to the direct federal
enforcement of HIPAA insurance standards in the states.  Officials
further noted that, even if the requested funding becomes available,
it may not be adequate if direct HHS enforcement becomes necessary in
additional states. 


   CONCLUSIONS
------------------------------------------------------------ Letter :8

HIPAA provides, for the first time, nationwide minimum standards for
health coverage access, portability, and renewability in all private
insurance markets.  Importantly, these new standards apply to both
fully insured and self-funded coverage.  However, implementation of
the standards is complicated.  It requires three federal agencies,
state legislatures and insurance regulators, and issuers of health
coverage to coordinate their efforts.  Further complicating
implementation, the issuance of federal regulations has been on an
interim final basis.  Moreover, different HIPAA provisions have
become effective and group plans have become subject to the law on
different dates.  Nevertheless, implementation has moved forward. 
For example, federal agencies issued interim final regulations within
the deadline set by HIPAA, using a process widely commended for being
open and inclusive.  As might be expected, however, the process has
raised certain concerns and posed challenges to those charged with
implementing this new law. 

Some challenges are likely to recede or be addressed in the near
term.  What could be called "early implementation hurdles,"
especially those related to the clarity of federal regulations, may
be resolved during 1998.  Federal agencies issued supplemental
guidance on December 29, 1997, and expect to provide further
regulatory guidance during 1998 to states and issuers, who consider
certain regulations--relating to nondiscrimination, late enrollment,
and special enrollment periods--to be ambiguous.  Moreover, as states
and issuers gain experience in implementing HIPAA standards, the
intensity of their dissatisfaction may diminish.  For example, while
still criticizing the cost and administrative burden of issuing
certificates of creditable coverage, issuers seem able to comply. 
(Now that the start-up burden of putting procedures in place is
largely behind them, issuers we visited seemed to find the day-to-day
process of issuing these certificates to be manageable.)

Various participants involved in implementing HIPAA have pointed to
several potential unintended consequences, but whether these
possibilities will be realized is difficult to predict.  These
concerns are necessarily speculative in nature because HIPAA's
insurance standards have not been in effect long enough for evidence
on these potential problems to accumulate.  First, for example,
evidence is not yet available to determine whether large numbers of
Medicare eligibles will remain in the individual market for health
insurance (and consequently push up premiums there).  The same is
true for whether good health risks will select high-deductible plans,
leaving the sicker individuals in low-deductible plans, or whether
consumers will abuse special enrollment periods to obtain coverage. 
Second, possible changes in the regulations or the HIPAA statute may
further affect whether a concern becomes a reality.  However,
uncertainty over whether the changes will be made or will rectify the
potential unintended consequences makes more difficult any assessment
of these possibilities. 

Finally, two implementation difficulties are substantive and likely
to persist unless measures are taken to address them.  First, among
the 13 federal fallback states, some consumers are finding it
difficult as a result of high premiums to obtain the
group-to-individual guaranteed access coverage that HIPAA requires. 
This situation is likely to continue unless HHS interprets HIPAA to
provide for more explicit risk-spreading requirements or states adopt
explicit risk-spreading requirements of guaranteed access to coverage
for HIPAA eligibles.  In addition, if consumer education about HIPAA
coverage guarantees in the individual market continues to be spotty
or absent, consumers will likely continue to be discouraged by the
limited nature of HIPAA protections.  Similarly, some will probably
continue to be at risk of losing those protections.  Second, HHS'
regulatory role could expand as the status of state efforts to adopt
and implement HIPAA provisions becomes clearer in 1998.  HHS' current
enforcement capabilities could be inadequate to handle the additional
burden unless further resources become available. 

As additional health plans become subject to the law, and as the
remaining regulations and guidance are issued, new problems of
implementation may emerge.  Corrective actions will necessarily be
ongoing.  A comprehensive determination of HIPAA's impact remains
years off. 


   AGENCY COMMENTS
------------------------------------------------------------ Letter :9

The Departments of Health and Human Services, Labor, and the Treasury
commented on a draft of this report.  In general, the agencies
believed that our report did not adequately describe the obstacles
they faced in issuing interim final HIPAA regulations within the
statutory deadline.  Labor added that our draft did not adequately
discuss consumers' views, distinguish the individual market from the
group market regarding implementation challenges, identify all of
Labor's outreach efforts, or convey the extent to which its expanded
regulatory role under HIPAA will place new demands on agency
resources.  Treasury generally concurred with the HHS and Labor
comments.  In light of these comments, we have refined our
presentation in several places as appropriate.  Appendixes III, IV,
and V contain the agencies' letters and for HHS and Labor, our
responses. 

We also furnished a draft of this report for review to the American
Association of Health Plans, Blue Cross Blue Shield Association,
Consumers Union, ERISA Industry Committee, Health Insurance
Association of America, and NAIC.  We received comments from all but
the ERISA Industry Committee.  In response, we clarified certain
distinctions and made technical changes as appropriate. 


---------------------------------------------------------- Letter :9.1

As agreed with your office, unless you publicly release its contents
earlier, we will make no further distribution of this report until 30
days after its issue date.  At that time, we will send copies of this
report to the Secretaries of Health and Human Services, Labor, and
the Treasury and will make copies available to others on request. 

Please contact me at (202) 512-7114 or Jonathan Ratner, Senior Health
Economist, at (202) 512-7107 if you or your staff have any further
questions.  Other GAO contacts and staff acknowledgments for this
report are listed in appendix VI. 

Sincerely yours,

William J.  Scanlon
Director, Health Financing and
 Systems Issues


HIPAA ACCESS, PORTABILITY, AND
RENEWABILITY STANDARDS
=========================================================== Appendix I

To achieve its goals of improving the access, portability, and
renewability of private health insurance, the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) sets forth
standards that variously apply to the individual, small-group, and
large-group markets of all states.  Most HIPAA standards became
effective on July 1, 1997.  However, the certificate-issuance
standard became effective on June 1, 1997, and issuers had to provide
certificates automatically to all disenrollees from that point
forward as well as upon request to all disenrollees retroactive to
July 1, 1996.  In states that chose an alternative mechanism
approach, the guaranteed access standard in the individual market
(often called "group-to-individual portability") was to become
effective no later than January 1, 1998.  Finally, group plans do not
become subject to the applicable standards until their first plan
year beginning on or after July 1, 1997. 

Each of HIPAA's health coverage access, portability, and renewability
standards is summarized in table I.1 by applicable market segment. 
The subsequent text describes each standard. 



                         Table I.1
          
           Summary of HIPAA Access, Portability,
           and Renewability Standards, by Market
                          Segment

                                Small group
                                (2-50
HIPAA standard    Individual    employees)    Large group
----------------  ------------  ------------  ------------
Certificate of    Yes           Yes           Yes
creditable
coverage

Guaranteed        Only for      Yes           No
access/           some
availability      individuals
                  leaving
                  group
                  coverage

Guaranteed        Yes           Yes           Yes
renewability

Limitations on    No\b          Yes           Yes
preexisting
condition
exclusion
periods\a

Nondiscriminatio  N/A           Yes           Yes
n

Credit for prior  No            Yes           Yes
coverage
(portability)

Special           N/A           Yes           Yes
enrollment
period
----------------------------------------------------------
Notes:  Some of these standards also apply to certain federal, state,
and local government insurance programs such as Medicaid or state
employee health plans.

N/A = not applicable. 

\a Preexisting conditions may be excluded from the coverage of a late
enrollee for up to 18 months. 

\b Issuers may not impose preexisting condition exclusions upon
individuals eligible for group-to-individual guaranteed access. 


      CERTIFICATE OF CREDITABLE
      COVERAGE
------------------------------------------------------- Appendix I:0.1

HIPAA requires issuers of health coverage to provide certificates of
creditable coverage to enrollees whose coverage terminates.  The
certificates must document the period during which the enrollee was
covered so that a subsequent health issuer can credit this time
against its preexisting condition exclusion period.  The certificates
must also document any period during which the enrollee applied for
coverage but was waiting for coverage to take effect--the waiting
period--and must include information on an enrollee's dependents
covered under the plan. 


      GUARANTEED
      ACCESS/AVAILABILITY
------------------------------------------------------- Appendix I:0.2

In the small group market, carriers must make all plans available and
issue coverage to any small employer that applies, regardless of the
group's claims history or health status.  Under individual market
guaranteed access--often referred to as group-to-individual
portability--eligible individuals must have guaranteed access to at
least two different coverage options.  Generally, eligible
individuals are defined as those with at least 18 months of prior
group coverage who meet several additional requirements.\14 Depending
on the option states choose to implement this requirement, coverage
may be provided by carriers or under state high-risk insurance pool
programs, among others. 


--------------------
\14 An eligible also must have had no break in the prior coverage of
more than 63 consecutive days; must have exhausted any Consolidated
Omnibus Budget Reconciliation Act of 1985 (COBRA) or other
continuation coverage available; must not be eligible for any other
group coverage, or Medicare or Medicaid; and must not have lost group
coverage because of nonpayment of premiums or fraud. 


      GUARANTEED RENEWABILITY
------------------------------------------------------- Appendix I:0.3

HIPAA requires that all health plan policies be renewed regardless of
health status or claims experience of plan participants, with limited
exceptions.  Exceptions include cases of fraud, failure to pay
premiums, enrollee movement out of a plan service area, the cessation
of membership in an association's health plan, and the withdrawal of
an issuer from the market. 


      LIMITATIONS ON PREEXISTING
      CONDITION EXCLUSION PERIOD
------------------------------------------------------- Appendix I:0.4

Group plan issuers may deny, exclude, or limit an enrollee's benefits
arising from a preexisting condition for no more than 12 months
following the effective date of coverage.  A preexisting condition is
defined as a condition for which medical advice, diagnosis, care, or
treatment was received or recommended during the 6 months preceding
the date of coverage or the first day of the waiting period for
coverage.  Pregnancy may not be considered a preexisting condition,
nor can preexisting conditions be imposed on newborn or adopted
children, in most cases. 


      NONDISCRIMINATION
------------------------------------------------------- Appendix I:0.5

Group plan issuers may not exclude a member within the group from
coverage on the basis of the individual's health status or medical
history.  Similarly, the benefits provided, premiums charged, and
employer contributions made to the plan may not vary within similarly
situated groups of employees on the basis of health status or medical
history. 


      CREDIT FOR PRIOR COVERAGE
      (PORTABILITY)
------------------------------------------------------- Appendix I:0.6

Issuers of group coverage must credit an enrollee's period of prior
coverage against its preexisting condition exclusion period.  Prior
coverage must have been consecutive, with no breaks of more than 63
days to be creditable.  For example, an individual who was covered
for 6 months who changes employers may be eligible to have the
subsequent employer plan's 12-month waiting period for preexisting
conditions reduced by 6 months.  Time spent in a prior health plan's
waiting period cannot count as part of a break in coverage. 


      SPECIAL ENROLLMENT PERIODS
------------------------------------------------------- Appendix I:0.7

Individuals who do not enroll in a group plan during their initial
enrollment opportunity may be eligible for a special enrollment
period later if they originally declined to enroll because they had
other coverage, such as coverage under COBRA, or were covered as a
dependent under a spouse's coverage and later lost that coverage.  In
addition, if an enrollee has a new dependent as a result of a birth
or adoption or through marriage, the enrollee and dependents may
become eligible for coverage during a special enrollment period. 


      OTHER INSURANCE-RELATED
      PROVISIONS
------------------------------------------------------- Appendix I:0.8

HIPAA also includes certain other standards that relate to private
health coverage, including limited expansion of COBRA coverage
rights, new disclosure requirements for Employee Retirement Income
Security Act of 1974 (ERISA) plans, and, to be phased in through
1999, new uniform claims and enrollee data reporting requirements. 
Changes to certain tax laws authorize federally tax-advantaged
medical savings accounts for small employer and self-employed plans. 
Finally, although not included as part of HIPAA but closely related
are new standards for mental health and maternity coverage, which
became effective on January 1, 1998. 


STATE APPROACHES TO
GROUP-TO-INDIVIDUAL MARKET
GUARANTEED ACCESS
========================================================== Appendix II

Under HIPAA, states may choose to guarantee access to individual
market coverage for eligible individuals using either the "federal
fallback" or state "alternative mechanism" approach. 

Federal fallback approach:  Carriers must offer eligible individuals
guaranteed access to coverage in one of three ways.  Under this
approach, HIPAA specifies that a carrier must offer either (1) all of
its individual market plans, (2) only its two most popular plans, or
(3) two representative plans--a lower-level and a higher-level
coverage option--that are subject to some risk spreading or financial
subsidization mechanism.  Thirteen states are using the federal
approach. 

State alternative mechanism:  States may design their own approach to
guarantee coverage to eligible individuals as long as certain minimum
requirements are met.  Essentially, the approach chosen must ensure
that eligible individuals have guaranteed access to coverage with a
choice of at least two different coverage options.  Twenty-two of the
36 states and the District of Columbia that chose an alternative
mechanism are using a high-risk insurance pool to provide
group-to-individual guaranteed access rights.  Table II.1 shows which
states chose which approach. 



                         Table II.1
          
          State Approaches to Group-to-Individual
                     Guaranteed Access

                                    State alternative
                                    mechanism approach
                                --------------------------
                  Federal
                  fallback      High-risk
State             approach      pool          Other
----------------  ------------  ------------  ------------
Alabama                         X

Alaska                          X

Arizona           X

Arkansas                        X

California        X\

Colorado          X

Connecticut                     X

Delaware          X

District of                                   X\a
Columbia

Florida                                       X

Georgia                                       X

Hawaii            X

Idaho                                         X

Illinois                        X

Indiana                         X

Iowa                            X

Kansas                          X\b

Kentucky          \c            \c            \c

Louisiana                       X

Maine                                         X

Maryland          X

Massachusetts     X

Michigan          X

Minnesota                       X

Mississippi                     X

Missouri          X

Montana                         X

Nebraska                        X

Nevada                                        X

New Hampshire                                 X\a

New Jersey                                    X

New Mexico                      X\b

New York                                      X

North Carolina    X

North Dakota                    X

Ohio                                          X

Oklahoma                        X

Oregon                          X

Pennsylvania                                  X

Rhode Island      X

South Carolina                  X

South Dakota                                  X

Tennessee         X

Texas                           X

Utah                            X\a,b

Vermont                                       X

Virginia                                      X\a

Washington                                    X

West Virginia     X

Wisconsin                       X

Wyoming                         X
----------------------------------------------------------
\a State submitted an alternative mechanism that closely resembles
the federal fallback approach. 

\b High-risk pool and other mechanism. 

\c Because state legislature was not in session during 1997, HIPAA
allows Kentucky until July 1, 1998, to comply. 

Source:  Health Care Financing Administration. 




(See figure in printed edition.)Appendix III
COMMENTS FROM THE DEPARTMENT OF
HEALTH AND HUMAN SERVICES
========================================================== Appendix II



(See figure in printed edition.)



(See figure in printed edition.)


The following are GAO's comments on the Department of Health and
Human Services' letter dated February 9, 1998. 

GAO COMMENTS

1.  HHS commented that we did not adequately convey the many
challenges it faced in issuing interim final regulations by the April
1, 1997, statutory deadline, and did not give sufficient credit to
its accomplishment in doing so.  Our original draft noted the federal
agencies' achievements (issuing interim final regulations by the
statutory deadline and being widely commended for their open and
inclusive process) as well as the obstacles the agencies faced (the
complexity of the law, the difficulty of balancing the need for
detail in the regulations with states' desire for latitude in
implementing them, and tight statutory deadlines).  Nonetheless, we
have refined our presentation, especially regarding these obstacles. 
The report elaborates on the nature of interim final rules and notes
that HIPAA authorized their use.  The report also now emphasizes that
clarity and detail in the regulations are the more fundamental
issues.  For example, nondiscrimination rules were issued on time,
but many of the necessary details states need to implement the rules
have not yet been issued.  We recognize the agencies' achievement in
issuing the majority of the interim final regulations by the
statutory deadline, but also underscore the work that remains to be
done. 

2.  HHS noted that supplemental HIPAA guidance was issued on December
29, 1997.  This development is now incorporated in our report. 




(See figure in printed edition.)Appendix IV
COMMENTS FROM THE DEPARTMENT OF
LABOR
========================================================== Appendix II



(See figure in printed edition.)



(See figure in printed edition.)



(See figure in printed edition.)


The following are GAO's comments on the Department of Labor's letter
dated February 3, 1998. 

GAO COMMENTS

1.  Labor believed we should have included in our report the
perspective of consumer groups and individual citizens to provide a
better balance of the benefits and limitations of HIPAA.  We disagree
with this point for two reasons.  First, our report does reflect
consumer perspectives.  In our fieldwork, we interviewed officials
from certain national and local consumer organizations, such as
Consumers Union and the Missouri Consumer Health Care Watch
Coalition.  Their members' very limited awareness of and experience
with this new law tended to corroborate our findings concerning
challenges in the individual market.  Second, a comprehensive
assessment of HIPAA's benefits and limitations lies outside our
scope.  Our study aimed at monitoring the actual process of
implementing HIPAA, not at systematically evaluating its effects or
assessing its merits from a consumer's perspective.  Consequently, we
focused on the activities of those implementing the law--state and
federal regulators and issuers--and emphasized areas where
preliminary evidence signaled emerging challenges. 

2.  Labor stated that our report does not describe adequately its
industry and consumer outreach efforts.  On the contrary, we believe
the examples of Labor outreach efforts that we cite do recognize
these efforts adequately.  We did not provide a fuller list of
Labor's efforts because our conclusion concerning the lack of
consumer education bears only on the individual insurance market,
where Labor has no jurisdiction.  However, we have clarified that the
consumer education conclusion applies to the individual--not
group--insurance market. 

3.  Labor commented that we did not adequately convey the many
challenges it faced in issuing interim final regulations by the April
1, 1997, statutory deadline, and did not give sufficient credit to
its accomplishment in doing so.  Our original draft noted the federal
agencies' achievements (issuing interim final regulations by the
statutory deadline and being widely commended for their open and
inclusive process) as well as the obstacles the agencies faced (the
complexity of the law, the difficulty of balancing the need for
detail in the regulations with states' desire for latitude in
implementing them, and tight statutory deadlines).  Nonetheless, we
have refined our presentation, especially regarding these obstacles. 
The report elaborates on the nature of interim final rules and notes
that HIPAA authorized their use.  The report also now emphasizes that
clarity and detail in the regulations are the more fundamental
issues.  For example, nondiscrimination rules were issued on time,
but many of the necessary details states need to implement the rules
have not yet been issued.  We recognize the agencies' achievement in
issuing the majority of the interim final regulations by the
statutory deadline, but also underscore the work that remains to be
done. 

4.  Labor commented that the draft report inappropriately commingles
our analyses of group and individual HIPAA standards and does not
recognize the relatively favorable responses it has received
regarding the group market reforms.  We clarified the distinction in
our report between the challenges arising in the individual markets
of some states and those in the employer-sponsored group markets.  We
devoted our resources to gathering information where preliminary
evidence pointed to emerging challenges rather than where they were
less apparent, resulting in a less extensive review of HIPAA
implementation in the group market. 

5.  Labor stated that the draft report failed to mention the issuance
of supplemental HIPAA guidance (concerning late enrollees and
nondiscrimination provisions) on December 29, 1997.  We have
incorporated the new information the agencies have provided in their
comments.  (In early December 1997, HHS officials had estimated that
it would not be issued before "early 1998.") However, since the new
guidance does not address the particular aspects of the late
enrollment and nondiscrimination requirements that we cite as lacking
clarity, the examples remain. 

6.  Labor commented that the draft report suggested its enforcement
responsibilities are limited to self-funded group plans and did not
note that the agency, like HHS, also faces expanded enforcement
responsibilities.  However, as we pointed out in the report under
HIPAA, only HHS faces an entirely new enforcement role--one that has
become larger than anticipated.  We also observed that, because of
HIPAA, Labor faces an extension of its existing enforcement role
under ERISA.  Nonetheless, while this creates extra demands on
Labor's resources, in the near term, the demands facing HHS in its
new enforcement role appear to be more urgent.  Regarding enforcement
responsibilities, the report now refers to all, not just self-funded,
group plans. 




(See figure in printed edition.)Appendix V
COMMENTS FROM THE DEPARTMENT OF
THE TREASURY
========================================================== Appendix II


GAO CONTACTS AND STAFF
ACKNOWLEDGMENTS
========================================================== Appendix VI

GAO CONTACTS

Jonathan Ratner, Project Director, (202) 512-7107
Randy DiRosa, Project Manager, (312) 220-7671

STAFF ACKNOWLEDGMENTS

The study team consisted of Randy DiRosa, who managed the project,
and Betty Kirksey, Evaluator.  Susan Thillman advised on report
presentation, Craig Winslow provided legal review, and Elizabeth T. 
Morrison provided editorial review.  This report was prepared
initially under the direction of the late Michael Gutowski; his role
was later assumed by Jonathan Ratner. 

RELATED GAO PRODUCTS

Medical Savings Accounts:  Findings From Insurer Survey
(GAO/HEHS-98-57, Dec.  19, 1997). 

The Health Insurance Portability and Accountability Act of 1996: 
Early Implementation Concerns (GAO/HEHS-97-200R, Sept.  2, 1997). 

Private Health Insurance:  Continued Erosion of Coverage Linked to
Cost Pressures (GAO/HEHS-97-122, July 24, 1997). 

Employment-Based Health Insurance:  Costs Increase and Family
Coverage Decreases (GAO/HEHS-97-35, Feb.  24, 1997). 

Private Health Insurance:  Millions Relying on Individual Market Face
Cost and Coverage Tradeoffs (GAO/HEHS-97-8, Nov.  25, 1996). 

Health Insurance Regulation:  Varying State Requirements Affect Cost
of Insurance (GAO/HEHS-96-161, Aug.  19, 1996). 

Health Insurance for Children:  Private Insurance Coverage Continues
to Deteriorate (GAO/HEHS-96-129, June 17, 1996). 

Health Insurance Portability:  Reform Could Ensure Continued Coverage
for Up to 25 Million Americans (GAO/HEHS-95-257, Sept.  19, 1995). 

Health Insurance Regulation:  National Portability Standards Would
Facilitate Changing Health Plans (GAO/HEHS-95-205, July 18, 1995). 

The Employee Retirement Income Security Act of 1974:  Issues, Trends,
and Challenges for Employer-Sponsored Health Plans (GAO/HEHS-95-167,
June 21, 1995). 

Health Insurance Regulation:  Variation in Recent State Small
Employer Health Insurance Reforms (GAO/HEHS-95-161FS, June 12, 1995). 


*** End of document. ***