You’ve probably signed an acknowledgment of HIPAA Privacy Practices dozens of times at doctor’s offices and hospitals. Did you know, as a health insurance agent, you’re held responsible for safeguarding this information for your clients?
Now’s your chance to learn what it all means and how it applies to your job. By staying compliant with these regulations, you can better protect your clients and avoid costly audits and fines!
Note: As an agent selling Medicare Advantage plans, you cannot require a beneficiary to provide personal information (e.g., Medicare Beneficiary Identifier, Social Security number, or any data required to perform an eligibility query using CMS systems) in order to receive carrier plan options. The only exception is that you may ask for the client’s zip code to determine which plans are offered within their service area.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Part of this law establishes national standards and procedures for protecting patients’ medical information as it’s maintained or transferred by “covered entities,” their “business associates,” or “business associate subcontractors.” Insurance agents fall into the latter two categories. For the purposes of this post, “business associate” and “business associate subcontractor” are referred to as “business associate” since they carry the same level of responsibility.
By nature of the insurance business, some personal information must be exchanged for things like plan enrollment, underwriting, and claims processing. The purpose of HIPAA is to make sure this data stays safe and is only accessible by people with explicit permission, either granted by the rules or the patient. Therefore, covered entities are directed to provide only the “minimum necessary” details to resolve a request.
Privacy vs. Security
HIPAA guidelines fall into two broad categories: the Privacy Rule and the Security Rule. Both address procedures for protecting patient data, with one major difference: the Privacy Rule applies to all forms — electronic, written, and oral — while the Security Rule only dictates how to manage electronic health information.
As business associates of covered entities, insurance agents are obligated to comply fully with both the Privacy and Security Rules. This responsibility is a combined result of two related pieces of legislation:
- The HITECH Act of 2009, which made business associates directly liable for compliance and required written agreements between the associate and the covered entity;
- The 2013 HIPAA Omnibus Rule, which expanded the Department of Health and Human Services’ (HHS) ability to enforce the requirements of the law on business associates (and not just covered entities).
As business associates of covered entities, insurance agents must comply fully with HIPAA’s Privacy & Security Rules.
The Privacy Rule
The Privacy Rule describes the types of “individually identifiable health information” — known as protected health information (PHI) — that business associates are responsible for safeguarding. This includes defining who can use, disclose, or access it. PHI encompasses details about a person’s physical or mental wellness, health services provided to them, and payment for those services. It also includes basic information like a person’s name, address, birthday, and Social Security number.
The Office for Civil Rights within HHS is responsible for enforcing the Privacy Rule. Failure to comply with the Privacy Rule can result in monetary penalties or criminal prosecution. This applies to both disclosing and obtaining PHI.
The Security Rule
The Security Rule refers to how electronic protected health information (e-PHI) is safeguarded against inappropriate alteration or destruction and unauthorized use or access. The Office for Civil Rights (OCR) oversees compliance with this rule.
Any hardware or software you use to store and transfer e-PHI must have sufficient administrative, technical, and physical protections in place.
Administrative: Access should only be granted to certain people based on their specific role, and you should maintain the “minimum necessary” standard. Make sure everyone with access has proper training on the rules, and that the rules are enforced, with repercussions for violations.
Technical: Your computers must be capable of: keeping information confidential and secure (e.g., strong passwords and encryption software); protecting against potential threats; and tracking and logging data about access and other activities, such as how PHI is altered and deleted.
Physical: Whether you keep files in a locked room or password-protected on a computer, they should not be accessible by unauthorized individuals.
Security also entails making sure that information is available when needed and that its integrity can’t be compromised. That means authorized individuals can access and use e-PHI on demand, and files are not changed or deleted in an unlawful manner.
It’s important to continually conduct and document risk analyses to gauge what security measures are needed and if they’re working.
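As an added example (not part of the original post and not Ritter’s own code), the following Python sketch shows how the administrative and technical safeguards above translate into working code: a role-to-field policy enforces the “minimum necessary” standard, every access attempt is written to an audit log, and each log entry is chained to the previous one with a SHA-256 hash so that altered or deleted entries can be detected. The roles, the field sets, the actor names, and the sample record are constructed assumptions, not a real policy or real PHI; note that the Social Security number is not in any role’s field set, consistent with the note at the top of this post.

```python
"""Minimum-necessary PHI access with role-based field filtering and a hash-chained audit log.

Added example; roles, field sets, and the sample record are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample record: a fictional member, not real PHI.
SAMPLE_RECORD = {
    "member_id": "M-000123",
    "name": "Jane Example",
    "dob": "1950-04-02",
    "ssn": "000-00-0000",
    "zip": "17111",
    "diagnoses": ["E11.9"],
    "claims": [{"id": "C-77", "amount": 125.00}],
}

# Hypothetical role-to-field policy (assumption). Each role sees only the fields
# its task needs; no role is entitled to the SSN or the diagnosis list.
ROLE_FIELDS = {
    "quoting": {"zip"},  # plan lookup only needs the service area
    "enrollment": {"member_id", "name", "dob", "zip"},
    "claims": {"member_id", "name", "claims"},
}

GENESIS = "0" * 64  # previous-hash value for the first log entry


class AuditLog:
    """Append-only access log where each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    def record(self, actor, role, member_id, fields, action):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "member_id": member_id,
            "action": action,
            "fields": sorted(fields),
            "prev": self._prev_hash,
        }
        # Hash the canonical JSON of the entry (without its own hash field).
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self._prev_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return True only if no entry was modified, removed, or reordered."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_phi(record, actor, role, log):
    """Return the minimum-necessary view of `record` for `role`, logging the access.

    Denied attempts are logged too, so the audit trail shows who tried and was refused.
    """
    if role not in ROLE_FIELDS:
        log.record(actor, role, record["member_id"], set(), "denied")
        raise PermissionError(f"role {role!r} has no PHI entitlement")
    allowed = ROLE_FIELDS[role]
    view = {k: v for k, v in record.items() if k in allowed}
    log.record(actor, role, record["member_id"], allowed, "read")
    return view


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi(SAMPLE_RECORD, "agent-a", "quoting", log))      # {'zip': '17111'}
    print(access_phi(SAMPLE_RECORD, "agent-b", "enrollment", log))   # no ssn, no diagnoses
    print("log intact:", log.verify())
```

In a real deployment the log would be written to storage the agent cannot edit and the policy table would come from the business associate agreement rather than a dictionary in the code, but the shape is the same: decide entitlement by role, return only the entitled fields, and record every attempt in a form whose integrity can be checked later.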
Working with Protected Info
As a business associate, you can only legally use PHI for the purposes specified by the covered entity providing it. Therefore, you’ll need to ensure compliance with their HIPAA practices in a formal contract.
Be sure to familiarize yourself with the HIPAA data breach notification policies, as this is a common source of issues. It doesn’t take a major malware incident to warrant a report. Simply sending an email with PHI to the wrong person may qualify as a breach requiring a report, which could open you up to an audit.
Data breaches are a common issue with HIPAA compliance and can happen easily. Know when to report them!
To reduce the risk of a breach, make sure you never: send PHI via unsecured email or internet services, leave voicemails containing PHI, or put documents containing PHI in the trash without shredding them.
Any business associate agreement you sign is binding, so the covered entity can take corrective actions or terminate your relationship if you don’t comply with the terms. The 2013 HIPAA Omnibus Rule also placed additional emphasis and authority on HHS’ ability to audit business associates such as independent agencies. For these reasons, compliance is truly in your best interest.
HIPAA Compliance Training and Education
In order to maintain compliance, agents are required to complete training, perform a risk assessment each year, and maintain documentation of all HIPAA policies and procedures. Health and Human Services (HHS) has a set of training documents and resources that could be helpful for agents learning about HIPAA for the first time.
To easily complete a risk assessment, HHS also hosts a risk assessment tool on HealthIT.gov. The tool is helpful for small to medium organizations, such as independent insurance agents, to maintain HIPAA compliance in their practices. You’ll be asked several multiple-choice questions that will determine risk as well as your vulnerability to threats.
It’s important to maintain proper documentation of all current HIPAA policies and procedures as a business associate. As discussed above, protect that required documentation with proper administrative, technical, and physical safeguards.
● ● ●
HIPAA rules can change with new legislation, so it’s important to stay ahead of any revisions. Compliance is a never-ending dance for agents — make sure you don’t miss a step!
At Ritter, we’re committed to helping you maintain a compliant business. Register with our site today to have full access to all of our guides and eBooks that educate you on all elements of being a successful business owner, and to have full access to our sales specialists, who can help you with questions and business solutions.
Editor’s Note: This was originally published in June 2017. It has been updated to include information more relevant to 2023.