Eight factors HIPAA prohibits from being used for discrimination
Kirsten Peremore
Mar 14, 2025 11:14:00 AM
HIPAA prohibits discrimination in group health plans based on eight specific health factors: health status, medical condition (including physical and mental illnesses), claims experience, receipt of healthcare, medical history, genetic information, evidence of insurability (e.g., conditions arising from domestic violence or risky activities), and disability. The nondiscrimination rule is used to ensure individuals are not denied eligibility or treated unfairly as a result of exclusionary factors.
An AJPH Law & Ethics study regarding coverage discrimination stated, “A new problem has arisen among certain insurers—so-called ‘coverage discrimination,’ or the design of benefit plans that can prevent individuals with complex or otherwise costly conditions from obtaining appropriate treatment.” These group health plans have to apply their terms to “similarly situated individuals,” meaning distinctions can only be made based on bona fide employment classifications, not health-related factors.
What is HIPAA's nondiscrimination rule?
The nondiscrimination rule is established in Title I of HIPAA and ensures that group health plans and individual health insurance issuers do not deny coverage, exclude benefits, or charge higher premiums based on an individual's health status. The rule was designed to assist people transitioning between insurance plans, helping them avoid penalties for factors beyond their control.
Under 45 CFR Part 146, insurers are required to offer consistent coverage terms for similarly situated individuals, preventing discriminatory practices like retroactive exclusion of pre-existing conditions. This foundational protection provides the groundwork for later legislative measures like the Affordable Care Act’s nondiscrimination provisions in sections 1311, 1557, and 1302, which prohibit discriminatory pricing and benefit designs. According to a collaborative study about best practices for nondiscrimination, “Wellness programs under the ACA are also supported by amendments to the Genetic Information and Nondiscrimination Act (GINA), the Americans with Disabilities Act (ADA), and the Health Insurance Portability and Accountability Act (HIPAA).”
The eight prohibited factors
- Health status: An individual's general physical and mental condition.
- Medical condition: Includes both physical and mental illnesses.
- Claims experience: An individual's history of healthcare claims.
- Receipt of health care: Whether an individual has received medical treatment or services.
- Medical history: A record of an individual’s past medical conditions or treatments.
- Genetic information: Genetic information as defined in related regulations.
- Evidence of insurability: Includes conditions arising from acts of domestic violence and participation in risky recreational activities.
- Disability: Physical or mental impairments that substantially limit one or more major life activities.
The exceptions to the rule
HIPAA’s nondiscrimination provisions generally prohibit group health plans from discriminating based on eight health factors, but exceptions exist. The most notable is “benign discrimination,” which allows plans to offer more favorable terms (e.g., lower premiums or expanded benefits) to individuals with adverse health factors, such as disabilities.
Plans can distinguish between “similarly situated individuals” based on bona fide employment classifications unrelated to health status, such as full-time vs. part-time status, geographic location, or union membership. For example, an employer may offer different benefits to employees in separate collective bargaining units, provided the distinction aligns with standard business practices.
While HIPAA restricts discrimination, systemic issues persist. A 2020 nationally representative study found that 21% of U.S. adults reported experiencing healthcare discrimination, with 72% of those encountering it repeatedly. Racial/ethnic discrimination was most common, highlighting gaps between policy and practice.
However, HIPAA’s exceptions are narrowly designed to enable equitable adjustments (e.g., enhanced support for disabled individuals) while preserving flexibility in benefit design. Compliance hinges on distinguishing permissible employment-based classifications from prohibited health-related distinctions so that protections align with ERISA §702 and 29 CFR 2590.702.
Instances of denied coverage due to preexisting conditions
Thanks to the ACA, instances of denied coverage due to pre-existing conditions are now largely prohibited in the United States. Prior to the ACA, insurers could deny coverage or charge higher premiums based on pre-existing health problems, such as asthma, diabetes, or cancer. Today, health insurance companies can't refuse to cover you or charge you more just because you have a pre-existing condition.
According to the HHS Health Insurance Reform section, “The only exception to the pre-existing coverage rule is for grandfathered individual health insurance plans — the kind you buy yourself, not through an employer. Plans like these would have been purchased before March 23, 2010; they don’t have to cover pre-existing conditions. They also may have other restrictions.” Short-term health plans also typically do not cover pre-existing conditions.
The charging of higher premiums based on claims history
In 2012, the U.S. Department of Health and Human Services (HHS) evaluated proposed health insurance premium increases from John Alden Life Insurance Company and Time Insurance Company across nine states: Arizona, Idaho, Louisiana, Missouri, Montana, Nebraska, Virginia, Wisconsin, and Wyoming. These proposed hikes ranged from 12% to 24% and would have impacted over 40,000 residents.
According to former HHS Secretary Kathleen Sebelius, “Thanks to the Affordable Care Act consumers are no longer in the dark about their health insurance premiums. Now, insurance companies are required to justify rate increases of 10 percent or higher. It’s time for these companies to immediately rescind these unreasonable rate hikes, issue refunds to consumers or publicly explain their refusal to do so.”
HHS deemed these increases "unreasonable" after independent expert reviews revealed that the insurers planned to allocate a low percentage of premium dollars to actual medical care and quality improvements. Additionally, the justifications for the hikes were based on unreasonable assumptions, relying on national medical trend data instead of state-specific information.
How HIPAA protects employee rights
HIPAA grants employees control over their health information. A chapter from Health Insurance Portability and Accountability Act (HIPAA) Compliance notes that the regulation "uphold[s] patients' rights to confidentiality and empower[s] them to control the disclosure of their health information, fostering trust in healthcare systems." This means that employees have the right to know how their health data is being used and can restrict certain disclosures, enhancing their autonomy and trust in the healthcare system.
HIPAA's portability provisions also protect employees from discrimination based on their health status when changing jobs. By limiting the ability of employers to use health information against employees, HIPAA reduces the phenomenon known as "job lock," where individuals feel compelled to stay in jobs solely to retain health coverage. However, it's important to note that while HIPAA and the Consolidated Omnibus Budget Reconciliation Act (COBRA) address aspects of job lock, they do not fully eliminate it, as neither ensures the affordability of health insurance.
Why HIPAA compliant email is the best way to communicate claims information
Compared to traditional postal methods, email offers rapid document transmission that reduces processing delays. For healthcare organizations, the use of HIPAA compliant email adds a layer of incomparable security that allows insurers, providers, and policyholders access to documentation through the claims process.
When considering the amount of sensitive information and the potential for exposure in cases like changing policies or switching employment policies, HIPAA compliant email is the only choice that provides the assurance that protected health information (PHI) remains protected.
FAQs
Can my group health plan exclude or limit benefits for certain conditions or treatments?
Group health plans can exclude coverage for a specific disease or limit or exclude benefits for certain treatments or drugs, but only if the restriction applies uniformly to all similarly situated individuals and is not directed at individual participants or beneficiaries based on a health factor they may have.
Can a health insurance issuer charge an employer different premiums for each individual within a group of similarly situated individuals based on each individual's health status?
No. Issuers may not charge or quote an employer or group health plan separate rates that vary for individuals (commonly referred to as "list billing") based on any of the health factors.
What are the main federal laws that affect health benefits coverage provided by group health plans and health insurance issuers?
Laws include:
- Affordable Care Act (ACA)
- HIPAA
- Mental Health Parity and Addiction Equity Act (MHPAEA)
- Newborns’ and Mothers’ Health Protection Act of 1996
- Women’s Health and Cancer Rights Act of 1998 (WHCRA)
- Genetic Information Nondiscrimination Act of 2008 (GINA).