Life Insurance Broker: HIPAA Compliance and You

Can my life insurance broker be subject to HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that protects the privacy and security of individually identifiable health information. It gives individuals rights over, and a degree of control of, their protected health information. HIPAA applies to covered entities and their business associates. Covered entities are health plans (including health insurance companies, health maintenance organizations, and government programs that pay for healthcare, such as Medicare and Medicaid), healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions. Business associates are persons or organizations that create, receive, maintain, or transmit protected health information on behalf of a covered entity. A life insurance company is not a covered entity, so a broker who sells only life insurance is not subject to HIPAA on that account. An insurance broker is subject to HIPAA when it acts as a business associate of a covered entity, that is, when its services for a health plan or other covered entity involve the use or disclosure of protected health information.

Characteristic                                Value
What is HIPAA?                                The Health Insurance Portability and Accountability Act of 1996 (HIPAA), a US federal law
Purpose of HIPAA                              To protect the privacy and security of individually identifiable health information
Purpose of life insurance                     To provide a financial benefit to named beneficiaries on the death of the insured
HIPAA applicability to life insurance         Life insurance companies are non-covered entities and so are not subject to HIPAA
Life insurance and medical information        Life insurers may obtain health information that HIPAA protects while a covered entity holds it, normally on the strength of the applicant's signed authorization


HIPAA and life insurance have different purposes

HIPAA and life insurance have distinct purposes and applications, even though both involve personal health information. HIPAA, the Health Insurance Portability and Accountability Act, is a federal law enacted in 1996 to protect the privacy and security of individuals' health information. It sets standards that limit how covered entities may use and disclose that information; outside treatment, payment, and healthcare operations, most disclosures require the patient's written authorization. Life insurance, on the other hand, is a financial safety net for specific individuals, typically beneficiaries chosen by the insured. Life insurance companies may request medical information, but they are non-covered entities and are not subject to HIPAA regulations.

HIPAA's primary focus is the privacy and security of health information. It gives individuals rights regarding who can access their health data and how it is used, including the right to understand and control the use of their protected health information. The law applies to covered entities, which are healthcare providers that transmit health information electronically in connection with standard transactions, health plans, and healthcare clearinghouses. Business associates are not covered entities, but since the HITECH Act of 2009 and the 2013 Omnibus Rule they are directly liable for complying with the applicable HIPAA rules and protecting the health information they handle.

Life insurance, on the other hand, is a legally binding contract between the insured and the insurance company. The insured pays a recurring premium, and in exchange the insurer pays a lump sum to the named beneficiaries upon the death of the insured. A life insurer may require a medical exam and medical records to underwrite the policy and assess risk, but it generally has little further need for an individual's medical records once the policy is in force.

The distinction between HIPAA and life insurance lies in their purposes and in how the information they handle is regulated. HIPAA protects health information and patient privacy, while life insurance provides financial benefits to beneficiaries upon the death of the insured. Life insurance companies may still obtain health information about their customers, such as prescription drug histories and lab test results. The doctors, labs, and pharmacies that hold such records are covered entities and may generally release them to a life insurer only with the individual's signed HIPAA authorization, which is why life insurance applications include one. Once the information is in the life insurer's hands, however, HIPAA no longer governs it, because life insurance companies are non-covered entities.

It is important to note that while life insurance brokers are generally not subject to HIPAA, a broker becomes a business associate if it performs services for a covered entity (for example, a health plan) that involve the use or disclosure of protected health information (PHI) or electronic protected health information (ePHI). In that case the broker is subject to the HIPAA rules for business associates and must enter into a business associate agreement with the covered entity.


HIPAA is a federal law that protects the privacy of medical information

HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law enacted in 1996 that, among other things, protects the privacy of medical information. It sets privacy and security standards for health information and gives people rights over who can access their health-related data.

HIPAA distinguishes between "covered" and "noncovered" entities. Covered entities must comply with HIPAA; they include health insurers, health maintenance organizations, and government health programs such as Medicare and Medicaid. Dental plans, vision plans, and health flexible spending accounts are also covered health plans.

In contrast, life insurance plans, disability plans, and workers' compensation plans are noncovered entities and are not subject to the HIPAA rules. This means that life insurance companies can legally obtain information that is protected under HIPAA while a covered entity holds it; for example, they can buy prescription drug histories and lab test results from outside parties. Many life insurance companies nevertheless publish privacy policies on their websites or in written documentation that describe how they handle customer data. A life insurance company that operates in the European Union must also comply with the General Data Protection Regulation (GDPR).

Under HIPAA, the Department of Health and Human Services (HHS) issued the Privacy Rule, which governs the use and disclosure of individuals' health information by covered entities and sets out individuals' rights to understand and control how their information is used and with whom it is shared. The Security Rule complements it with administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic PHI.


Life insurance companies are noncovered entities

HIPAA, the Health Insurance Portability and Accountability Act, defines the privacy and security standards for health information and gives people rights regarding which parties can view or receive their health-related data. The legislation distinguishes between covered and noncovered entities: a covered entity must follow HIPAA, while a noncovered entity is not bound by it.

Covered entities include health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards. This includes health insurance companies, company health plans, and government programs that pay for health care, such as Medicare and Medicaid.

Life insurance companies, on the other hand, are noncovered entities because the HIPAA definition of a health plan excludes them: a life insurer pays a death benefit rather than the cost of medical care, and it does not conduct the standard electronic healthcare transactions (claims, eligibility checks, payment) that bring providers and clearinghouses under the rules. They may collect health information during underwriting, but they are not subject to the obligations that HIPAA imposes on covered entities to protect it.

However, life insurance companies are not exempt from all privacy regulation. Many publish privacy policies on their websites or in written documentation that describe how they handle customer data, and as insurers they remain subject to US financial-privacy law, such as the Gramm-Leach-Bliley Act, and to state insurance privacy requirements. A life insurance company that operates in the European Union must also comply with the General Data Protection Regulation (GDPR).


HIPAA for insurance brokers

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a commonly referenced health insurance law, cited not only by insurance professionals but in the everyday lives of most Americans.

Health insurance plans are considered covered entities if those plans provide for the costs of medical care. Covered entity health plans include public and private plans offered through health insurers, health maintenance organizations, Medicare, Medicaid, or Medicare prescription drug plans, and most group health plans, whether insured or self-insured.

Other examples of covered entities include dental plans, vision plans, and health flexible spending accounts (FSAs). In contrast, disability plans that provide for income replacement, life insurance plans, and workers' compensation plans are not covered entities.

An insurance broker that performs services for one of the covered entities above is a business associate of that covered entity, and is therefore subject to the HIPAA rules, if the services involve the use or disclosure of protected health information (PHI) or electronic protected health information (ePHI, which is PHI in electronic form).

Broker functions that involve PHI or ePHI include so-called "intermediary" functions. If an intermediary creates, receives, maintains, or transmits PHI on behalf of the insurer or plan, the intermediary is a business associate of that insurer or plan, is subject to HIPAA, and must enter into a business associate agreement with it.

As a practical matter, brokers should periodically reassess their relationship with each plan sponsor, group health plan, or insurer to determine whether their services involve the use or disclosure of a covered entity's or business associate's PHI. Whenever they do, the broker should enter into the appropriate business associate agreement before handling the PHI.

Privacy vs. Security

HIPAA's requirements fall into two broad categories: the Privacy Rule and the Security Rule. Both set procedures for protecting patient data, with one major difference in scope: the Privacy Rule applies to PHI in all forms (electronic, written, and oral), while the Security Rule governs only electronic health information (ePHI).

When they act as business associates of covered entities, insurance agents and brokers must comply with the Security Rule and with the Privacy Rule provisions that apply to business associates. Their direct liability for doing so comes from two related pieces of legislation: the HITECH Act of 2009 and the 2013 HIPAA Omnibus Rule.

The Privacy Rule defines the "individually identifiable health information," known as PHI, that business associates must safeguard, and sets out who may use, disclose, or access it. PHI covers details about a person's physical or mental health, the health services provided to them, and payment for those services, together with the identifiers that tie the information to a person, such as name, address, date of birth, and Social Security number.

The Security Rule governs how ePHI is protected against improper alteration or destruction and against unauthorized use or access. Any hardware or software used to store, process, or transmit ePHI must have adequate administrative, physical, and technical safeguards in place.

Steps to Become a HIPAA-Compliant Company

There are four main steps to HIPAA compliance for an organization:

  • Designate and train a privacy and security officer: the rules require a designated official responsible for compliance, and this person oversees the organization's HIPAA program.
  • Provide HIPAA privacy and security awareness training to all employees with access to PHI.
  • Create a HIPAA compliance manual containing the organization's policies, forms, and procedures.
  • Conduct a gap analysis against the Privacy Rule and a risk analysis as the Security Rule requires, write privacy and security policies, and complete the contingency plan that the Security Rule calls for.

HIPAA Compliance Training and Education

To maintain compliance, agents must complete training, perform a periodic (in practice usually annual) risk assessment, and keep documentation of all HIPAA policies and procedures. The Department of Health and Human Services (HHS) publishes training documents and resources that are helpful for agents learning about HIPAA for the first time.


HIPAA and insurance received through group plans

HIPAA compliance for self-insured group health plans is a complicated area of HIPAA regulation. Group health plans are covered entities under HIPAA, except for plans with fewer than 50 participants that are administered solely by the employer. Covered entity health plans include public and private plans offered through health insurers, health maintenance organizations, Medicare, and Medicaid.

The Privacy Rule does not directly regulate employers or other plan sponsors that are not HIPAA covered entities. It does, however, control the conditions under which a group health plan may share protected health information (PHI) with the employer or plan sponsor, which needs it to perform certain administrative functions on behalf of the plan. Employers must not use PHI obtained from the group health plan for employment-related actions such as termination or demotion.

If a covered entity engages a business associate to help carry out its healthcare activities and functions, it must have a written contract or other arrangement that establishes what the business associate has been engaged to do and requires the business associate to comply with the Rules' requirements for protecting the privacy and security of PHI. An insurance broker that performs such services for a covered entity is a business associate of that entity, and is therefore subject to the HIPAA Rules, if the services involve the use or disclosure of PHI or electronic PHI (ePHI).

For fully insured group health plans, the Privacy Rule recognizes that the plan may not need to satisfy all of its requirements, since those responsibilities are carried out by the health insurance issuer or HMO with which the plan has contracted for coverage of its members. Such plans must still refrain from intimidating or retaliatory acts and from requiring an individual to waive their privacy rights.

Frequently asked questions

Are life insurance companies subject to HIPAA?
No. Life insurance companies are noncovered entities and are therefore not required to comply with HIPAA.

What is a noncovered entity?
A noncovered entity is one that is not required to abide by HIPAA. Noncovered entities include disability plans that provide for income replacement, life insurance plans, and workers' compensation plans.

What is a covered entity?
Covered entities are required to follow HIPAA. They include health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions.
