HIPAA Compliance: Insurance Brokers' Guide to Privacy Rules

Does HIPAA apply to insurance brokers?

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to improve the efficiency and effectiveness of the US healthcare system. HIPAA applies to insurance brokers who are considered “business associates” of covered entities. Covered entities include health insurance plans that provide for the costs of medical care, such as public and private plans offered through health insurers, health maintenance organizations, and most group health plans. Insurance brokers who perform services for covered entities and use or disclose protected health information (PHI) are subject to HIPAA rules and regulations. To maintain compliance, insurance brokers must complete training, perform annual risk assessments, and maintain documentation of all HIPAA policies and procedures. Failure to comply with HIPAA's Privacy and Security Rules can result in monetary penalties or criminal prosecution.

Characteristic | Value
--- | ---
What is HIPAA? | The Health Insurance Portability and Accountability Act of 1996
Who does it apply to? | Insurance brokers who are business associates of covered entities
What are covered entities? | Health insurance plans that provide for the costs of medical care, including public and private plans offered through health insurers, health maintenance organizations, Medicare, Medicaid, prescription drug plans, and most group health plans
What is a business associate? | An entity that performs services for a covered entity involving the use or disclosure of PHI or electronic protected health information (ePHI)
What is PHI? | "Individually identifiable health information," including details about a person's physical or mental wellness, health services provided, payment for those services, and basic information such as name, address, birthday, and Social Security number
What are the consequences of non-compliance? | Monetary penalties or criminal prosecution
What are the HIPAA guidelines? | The Privacy Rule and the Security Rule, which address procedures for protecting patient data
What is the Privacy Rule? | Applies to all forms of PHI, including electronic, written, and oral, and describes who can use, disclose, or access PHI
What is the Security Rule? | Dictates how to manage electronic health information (ePHI) to protect its security
What training is required for insurance brokers? | HIPAA Awareness training and, if involved in implementing HIPAA Security compliance, the HIPAA Security course

Insurance brokers and HIPAA compliance

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to improve the efficiency and effectiveness of the US healthcare system. It is known primarily for its privacy regulations, which aim to ensure that personal information exchanged for things like plan enrollment, underwriting, and claims processing stays safe and is only accessible by authorised individuals.

HIPAA applies to "covered entities", which include public and private health insurance plans, health maintenance organisations, Medicare, Medicaid, prescription drug plans, and most group health plans. As business associates of covered entities, insurance brokers must comply with HIPAA's Privacy and Security Rules. This means that brokers are responsible for safeguarding "individually identifiable health information", known as protected health information (PHI). PHI includes details about a person's physical or mental health, health services provided to them, payment for those services, and basic personal information such as name, address, birthday, and Social Security number.

Insurance brokers must therefore ensure that they only disclose PHI when permitted by HIPAA. For example, under HIPAA's organised health care arrangement (OHCA) rules, intermediaries are allowed to use and disclose PHI to the health plan without needing a business associate agreement (BAA) with the health plan. However, intermediaries should not share PHI directly with the health plan sponsor's employees unless the plan sponsor identifies the specific employees authorised to receive the PHI and certifies compliance with the special rules that apply to disclosures by group health plans.

To maintain compliance, insurance brokers are required to complete training, perform a risk assessment each year, and maintain documentation of all HIPAA policies and procedures. Failure to comply with the Privacy Rule can result in monetary penalties or criminal prosecution.

Privacy and Security Rules

HIPAA, the Health Insurance Portability and Accountability Act of 1996, has two broad categories of guidelines: the Privacy Rule and the Security Rule. Both categories address procedures for protecting patient data. The Privacy Rule applies to all forms of patient data, including electronic, written, and oral information. It establishes national standards to protect individuals' medical records and other identifiable health information, collectively referred to as Protected Health Information (PHI). PHI includes details about a person's physical or mental health, the health services provided to them, payment for those services, and basic information such as name, address, birthday, and Social Security number. The Privacy Rule sets limits and conditions on the use and disclosure of PHI without an individual's authorization, giving individuals rights over their PHI, including the right to examine and obtain a copy of their health records.

The Security Rule, on the other hand, specifically dictates how to manage electronic health information, or electronic Protected Health Information (ePHI). It establishes a national set of security standards to protect ePHI and requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

Insurance agents and brokers are considered business associates of covered entities and are therefore subject to the HIPAA Privacy and Security Rules. They must ensure that only individuals with explicit permission can access PHI and ePHI. To maintain compliance, agents and brokers must complete training, perform annual risk assessments, and maintain documentation of all HIPAA policies and procedures. Failure to comply with the Privacy Rule can result in monetary penalties or criminal prosecution.

To assist organizations in understanding and implementing the requirements of the Security Rule, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a HIPAA Security Risk Assessment Tool. Additionally, the NIST HIPAA Security Toolkit Application is a self-assessment survey that helps organizations assess their compliance with the Security Rule.

Protected health information (PHI)

The Privacy Rule under HIPAA stipulates how PHI can be used and disclosed. Covered entities, such as health plans, health care clearinghouses, and qualifying healthcare providers, are directed to provide only the "minimum necessary" details to resolve a request. The Privacy Rule also allows for the disclosure of PHI to family, relatives, or friends involved in an individual's care or payment for care. Certain disclosures, such as to a life insurer or an employer, require written authorization from the individual.

Insurance brokers may be subject to HIPAA if they are considered business associates of a covered entity. This typically involves the use or disclosure of PHI in the course of providing services to the covered entity. For example, if an insurance broker creates, receives, maintains, or transmits PHI on behalf of an insurer or plan, they are regarded as a business associate and are subject to HIPAA rules and regulations.

To maintain compliance with HIPAA, insurance brokers and their employees must complete training and perform risk assessments to protect the privacy and security of PHI. Failure to comply with the Privacy Rule can result in monetary penalties or criminal prosecution.

Training and certification

HIPAA requires that all employees with access to protected health information are properly trained on HIPAA so that they are aware of their personal responsibilities under the law. This includes insurance brokers and agents who are considered business associates of covered entities. As business associates, insurance brokers and agents must comply fully with HIPAA's Privacy and Security Rules.

HIPAA Awareness training is meant to satisfy the training requirement under HIPAA and provides an overview of HIPAA regulations, with an emphasis on HIPAA Privacy and an overview of HIPAA Security. Everyone who has access to protected health information must take this course to satisfy the training requirement under HIPAA.

HIPAA Security training is a more in-depth course on HIPAA Security (the IT part of HIPAA) and covers the safeguards required to protect the security of protected health information in electronic form (computer data, networks, email, electronic transmissions, etc.). This course is meant for the HIPAA compliance officer, IT staff, or anyone else who will be involved in implementing HIPAA Security or who needs a more detailed understanding of HIPAA Security.

HIPAA training courses are available online and are valid for all US states and territories. They meet or exceed the requirements for HIPAA training established by federal HIPAA Privacy and HIPAA Security regulations. Upon successful completion of each course, individuals receive their own HIPAA certificate and wallet card, which they can use as proof of training.

In addition to completing training, agents are required, as business associates, to perform a risk assessment each year and maintain documentation of all HIPAA policies and procedures. The Department of Health and Human Services (HHS) provides a set of training documents and resources that can be helpful for agents learning about HIPAA for the first time, as well as a risk assessment tool on HealthIT.gov.

Business associates

Insurance brokers are considered business associates under HIPAA if they are performing services for a covered entity, such as a health insurance plan. Covered entity health plans include public and private plans offered through health insurers, health maintenance organizations, Medicare, Medicaid, or Medicare prescription drug plans, and most group health plans, whether insured or self-insured.

Insurance brokers acting as business associates are subject to the HIPAA rules and regulations, including the HIPAA Security Rule and any Privacy Rule and Breach Notification requirements included in a Business Associate Agreement (BAA). A BAA passes down the same privacy and security protections that apply to the health plan to the business associate. While a BAA is not always required, it is recommended that brokers proactively provide one to their clients when they are providing business associate services.

HIPAA compliance for business associates includes conducting annual training, performing a risk assessment each year, and keeping detailed documentation of policies and procedures. Compliance also requires understanding what information is covered by HIPAA and ensuring that client information is kept secure both at rest (in storage) and in transit to prevent data breaches.

Frequently asked questions

HIPAA stands for the Health Insurance Portability and Accountability Act. It was passed in 1996 to improve the efficiency and effectiveness of the US healthcare system.

An insurance broker may be subject to HIPAA if the broker is deemed a business associate. If the broker performs services for a covered entity, they are considered a business associate of that covered entity and are therefore subject to HIPAA rules and regulations.

A business associate is an entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) or electronic protected health information (ePHI).

Failure to comply with the Privacy Rule can result in monetary penalties or criminal prosecution.
