
You probably know the Health Insurance Portability and Accountability Act, or HIPAA, from the privacy-notification forms you have to sign at your doctor’s office and pharmacy. HIPAA, enacted by the United States Congress in 1996, has two functions.

Title 1, as defined by the Centers for Medicare & Medicaid Services, protects health insurance for workers and their families if they change or lose jobs.

Title 2 is designed to prevent health care abuse and fraud by defining offenses and setting penalties for them.

The first part of the law was designed to ease a problem known as “job lock” — the reluctance to move from one company to another for fear of losing health insurance. (Another federal law called COBRA helps you buy health insurance benefits if you lose a job. Know your COBRA rights.)

Pre-existing conditions

Health insurance companies have traditionally tried to control costs by using a “pre-existing condition” clause — refusing to cover a condition that existed before you purchased a health insurance plan.

The concept of pre-existing conditions is simple: If you were to purchase car insurance and your windshield was cracked before you bought your coverage, you can’t expect your new car insurer to replace it.

Title 1 limits any group health plan from imposing eligibility rules or assessing premiums for individuals based on health status, medical history, genetic information or disability.

Before HIPAA was enacted, if you switched to a new group health plan, the new insurer could consider your diabetes a pre-existing condition and refuse to cover treatment. You would then have to pay for all of your diabetes treatment.

HIPAA imposes limits on the extent to which some group health plans can exclude health insurance for pre-existing conditions. For instance, if you’ve had “creditable” health insurance for 12 months, with no lapse in coverage of 63 days or more, a new group health plan cannot invoke a pre-existing condition exclusion. It must cover your medical problems as soon as you enroll in the plan.

What is “creditable” coverage? It includes prior coverage you had under any of the following health plans:

  • A group health plan (related to employment)
  • Medicare
  • Medicaid
  • A military-sponsored health care program such as TRICARE
  • Health plans offered by the Indian Health Service
  • A state high-risk health insurance pool
  • The federal Employees Health Benefit Program
  • A public health plan established or maintained by a state or local government
  • A health benefit plan provided for Peace Corps members

On the other hand, if you are not switching from a “creditable” coverage plan when you enroll in a new group plan — or had coverage from an overseas health insurer — your new insurer can refuse to pay for treatment of your pre-existing conditions for 12 months (except pregnancy, if the plan has maternity coverage). Late enrollees in group health plans might have to wait up to 18 months for coverage of pre-existing conditions.

Your rights under HIPAA

Pre-existing conditions

A pre-existing condition is generally considered a physical or mental ailment for which medical advice, diagnosis, care or treatment was recommended or received in the six months before you enroll in a health insurance plan.

It can also be a problem you were aware of, but for which you never sought treatment.

Under some health insurance policies, a medical problem can be considered pre-existing even if you didn’t know you had the problem before you bought your health plan.

There is no federal law that requires health plans to provide maternity coverage, although some states have such laws.

In some states, health plans provided by an employer or group typically include maternity benefits. Health maintenance organizations (HMOs) are required by state law to have maternity coverage. Preferred provider organizations (PPOs) can choose to exclude the benefit. (Read more about how pregnancy complicates health insurance options.)

HIPAA’s rules apply to every employer group health plan that has at least two participants who are current employees, including companies that are self-insured. States have the option of applying the rules to “groups” of one, which some have opted to do. That helps the self-employed. Some states also have enacted their own laws protecting health insurance applicants, and in many cases the states afford more rights than federal law.

There is one major exception to HIPAA: It provides no protection if you switch from one individual health plan to another individual plan.

HIPAA limitations

In an effort to balance the interests of consumers and insurers, HIPAA also contains plenty of other exceptions, conditions and loopholes that limit your rights. It’s important to understand HIPAA before you change health plans.

Employers are not required by any law to offer employee health insurance.

Even if employers do offer health insurance, it’s possible they don’t have to cover such things as mental health or maternity, but this depends on state mandates. Levels of mandated coverage vary from state to state. The Council for Affordable Health Insurance provides a list of state mandates for group health insurance.

While HIPAA makes it much easier to get health insurance from your new employer if you switch jobs, it doesn’t guarantee the same level of benefits, deductibles or claim limits you might have enjoyed under your former employer’s health plan. The law is meant to provide valuable protection against having to start new waiting periods for coverage of pre-existing conditions when you change jobs.

Your group health insurance can be canceled if you or your employer fail to pay the premiums, commit fraud, violate health plan rules or move outside of your insurer’s service area. HIPAA also allows employers to impose a waiting period, generally one to three months, before you become eligible to join the group health plan. Such waiting periods do not count as a lapse in health insurance and you would not be penalized under HIPAA’s 63-day window.

HIPAA requirements do not apply to “excepted benefits.” Those benefits include:

  • Coverage only for accidents (such as accidental death and dismemberment) or disability income insurance
  • Liability insurance
  • Supplements to liability insurance
  • Workers compensation or similar insurance
  • Automobile medical payment insurance (known as “MedPay”)
  • Credit-only insurance (for example, mortgage insurance)
  • Coverage for on-site medical clinics

Creditable coverage

Under HIPAA, if you’ve already been in a group health plan, chances are you won’t have to sit out the full 12-month exclusion period. Your new health plan must give you “credit for time served” — the amount of time you were enrolled in your previous plan — and deduct it from the exclusion period. Thus, if you’ve had 12 or more months of continuous health insurance, you’ll have no waiting period for pre-existing conditions. If you had prior coverage for eight months, you can be subject to only a four-month exclusion period when you switch jobs.

Let’s say you’re a recent college graduate and you haven’t had health insurance for the last six months. Then you land a job that offers you group health coverage. Because you’ve had such a long lapse in coverage, you’ll likely face the 12-month exclusion period for any existing medical problems. (Insurers are not required to impose these pre-existing exclusions, but it is standard practice.)

In order to keep your health insurance continuous, you cannot have a lapse or break in coverage for 63 days or more.

The U.S. Centers for Medicare and Medicaid Services warns it’s crucial to maintain health insurance when you leave a job if you want to avoid exclusions for pre-existing conditions in your new employer’s health plan. A good way to bridge a lapse in insurance is through the Consolidated Omnibus Budget Reconciliation Act (COBRA). Here are 10 things you should know about COBRA.

Whenever you leave any health plan, either group or individual, get a “certificate of creditable coverage” in writing. Your certificate should list the following:

  • Your coverage dates.
  • Your policy ID number.
  • The insurer’s name and address.
  • Any family members included under your coverage.

This is the easiest way to ensure your rights are secured under HIPAA. You can use other evidence to prove creditable coverage. These include:

  • Pay stubs that reflect a health insurance premium deduction.
  • Explanation-of-benefit forms.
  • A benefit-termination notice from Medicare or Medicaid.
  • A verification letter from your doctor or your former health insurance provider that you had prior coverage.

Individual health plans and HIPAA

If your employer decides to drop group health insurance, HIPAA might make it easier to get an individual health insurance policy.

Under HIPAA, you might be able to buy an individual health plan without the threat of exclusions for pre-existing conditions. In order to do so, you have to qualify as an “eligible individual.”

In some states, if you qualify for individual health insurance under HIPAA, any company offering individual health plans in that state must sell you coverage. Your state’s insurance department can explain the rules.

To be eligible as an individual under HIPAA, you must:

  • Have at least 18 months of continuous creditable coverage without a gap of more than 63 days.
  • Have been covered under a group health plan, a government health plan or church plan (or health insurance offered in connection with such plans, such as COBRA) during the most recent period of creditable coverage. If you do not have a creditable coverage certificate, you can talk to the health plan to find out if there are other ways you can prove you had 18 months of coverage.
  • Not be eligible for coverage under a group health plan (including a spouse’s plan), Medicare or Medicaid.
  • Not have other health insurance.
  • Have not lost your most recent health coverage due to nonpayment of premiums or fraud (unless it was your employer that failed to pay premiums).
  • Have elected and exhausted any option for continuation of coverage under COBRA (or a similar state law) that was available under your prior plan.

HIPAA does not limit the premiums individual health plans can charge. While your application for insurance won’t be rejected because of health problems, the premiums for individual coverage can be much higher than for group plans.

Health privacy and security

The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law on Feb. 17, 2009, provides additional protections of your personal health information. It mandates that:

  • HIPAA-covered entities (including physicians) and their business associates must honor your request to not disclose to a commercial health plan certain protected health information if it addresses a health care issue or service that you paid for in full at the time of service and for which you requested that your insurer not be billed.
  • HIPAA-covered entities should use limited identifiable patient information to meet the minimum standard, if practicable.
  • HIPAA-covered entities using electronic medical records must honor, within 30 days of notice, your request for an electronic copy of your records, which must be transmitted directly to an entity or person that you specify. Any related fee charged must be reasonable and comply with applicable state law.
  • If a HIPAA-covered entity is paid by an outside entity to send a communication to you, a patient, the communication is deemed to be marketing material and therefore requires your prior written authorization. Physicians also must allow patients to opt out of receiving fundraising communications.
  • Business associates of HIPAA-covered entities must comply directly with HIPAA requirements.

An additional HIPAA requirement with subsequent effective dates requires that:

  • HIPAA-covered entities using electronic health records must honor your request for an accounting of disclosures of your personal health information, including those for treatment, payment and health care operations.

Those that adopted electronic medical records on or after Jan. 1, 2009, must comply by Jan. 1, 2011, or the date that they acquire(d) the electronic health record, whichever is later. Physicians, however, who began using electronic health records before Jan. 1, 2009, must comply by Jan. 1, 2014.

Michelle Megna


Michelle, the former editorial director, insurance, at QuinStreet, is a writer, editor and expert on car insurance and personal finance. Prior to joining QuinStreet, she reported and edited articles on technology, lifestyle, education and government for magazines, websites and major newspapers, including the New York Daily News.