
What to Do About HIPAA?

April 10, 2003

By Alyssa Keehan
Manager of Business and Legal Affairs
PIA National

The Department of Health and Human Services (HHS) has set April 14, 2003 as the compliance deadline for the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Privacy Rule creates the first set of broad national standards protecting the privacy of personally identifiable health information. However, these standards are not necessarily a new duty for insurance agents. This is because even before privacy statutes like HIPAA and GLBA passed, agents owed a duty of reasonable care in handling information entrusted to them by their clients. This duty is known as a common law duty.

Under this common law duty, if an agent was negligent in handling or protecting a client's information and that negligence caused the client damages, the agent could be held liable for those damages. All that HIPAA, GLBA, and the various state privacy statutes have done is formalize this common law duty by articulating very specific obligations, and the consequences of failing to meet them, to ensure that care is used to protect client information.

Many of the privacy obligations under HIPAA are very similar to those set in GLBA. If an agent has already taken the time to create a privacy policy that complies with GLBA, the agent would probably need to make only minor revisions to that policy in order to comply with HIPAA. Yet the extent of each producer's obligations under HIPAA will differ significantly, depending upon the ways in which that producer interacts with protected health information. Each producer will interact with protected health information to a different degree and in different contexts, depending upon (1) the kinds of insurers the producer represents and (2) the scope of services the agency performs for its clients. This article will lay out (1) the different contexts in which HIPAA obligations could arise for a producer and (2) what actions a producer should take to comply.

The Different Contexts Under Which HIPAA Obligations Could Arise for a Producer

The producer may be a "business associate" of a covered entity - A producer may have to comply with HIPAA if he is a "business associate" of a covered entity. There are two ways in which a producer may be deemed a business associate of a covered entity: (1) the producer may be a business associate through the carrier (when the carrier is deemed a covered entity) and (2) the producer may be a business associate through his client (when his client is deemed a covered entity). Many producers may have already received a HIPAA "Business Associate" agreement from one or more of the companies they represent. If a producer signs this agreement, then he is a business associate under HIPAA. But what does this mean, and why are carriers issuing these agreements?

Under HIPAA, "covered entities" (defined as health care providers, health plans, and health care clearinghouses) are required to enter into a "business associate agreement" with those agents, vendors, contractors and consultants to whom they disclose an individual's protected health information. Under HIPAA, a "business associate" is defined as a person or organization who is not a member of the covered entity's workforce, but who performs functions or activities on behalf of the covered entity that involve the creation or receipt of protected health information.

Significantly, as previously mentioned, a producer may also be a business associate when he performs certain functions for his client and his client is a covered entity. A client can be a covered entity when the client is an employer who sponsors a group health plan. In this situation (when the client is a covered entity), the producer can become a business associate of that employer-client when he "performs functions or activities on behalf of the covered entity or client that involve the creation or receipt of protected health information." Here, the employer-client would have a duty to issue a business associate agreement to the producer.

The HIPAA regulations require that the "business associate" agreements issued by covered entities (such as insurers) contain certain provisions. For example, the agreement must require the business associate (the producer) to establish appropriate safeguards to protect the security of "protected health information." Furthermore, the business associate must require, by contract, that any agent or vendor with whom the business associate shares protected health information adhere to the same restrictions and conditions that apply to the business associate with respect to that information (one may notice that these requirements are strikingly similar to the GLBA privacy requirements).

However, these are just two of the required provisions a business associate agreement must contain. For a complete listing of the required provisions, go to the HHS website.

The producer may be a covered entity in his capacity as an employer if the producer administers a "group health plan" - A producer may have to comply with certain HIPAA regulations if he is a covered entity. A producer could be considered a covered entity if he is an employer and, as an employer, the producer administers a "group health plan." This is because HHS cannot directly regulate employers, but it can regulate the "group health plans" sponsored or administered by employers. Significantly, if a producer is an employer who: (1) administers a group health plan which is fully insured (not self insured) and (2) does not receive any protected health information, then that producer may not have to comply with HIPAA regulations as a "covered entity" (however, this does not mean that the producer will have no HIPAA obligations as a business associate). Conversely, it is likely that a producer that sponsors or administers a self-insured group health plan will have to comply with HIPAA regulations as a covered entity.

It is important to note that if a producer administers or sponsors a "small group health plan" (defined as a health plan paying claims of less than $5 million per year) for its employees then that producer gets an extra year and does not have to comply with HIPAA until April 14, 2004.

So What Should a Producer do to Comply?

Write a letter to the insurer - The producer needs to write a letter because it is important to document his compliance efforts. Such documentation provides tangible proof that the producer has made a good faith effort either to comply with HIPAA or to determine that HIPAA does not apply to him. This documentation can protect the producer from sanction in the event that, down the road, HHS audits the producer for HIPAA compliance. With detailed documentation regarding (1) whether the HIPAA regulations apply to the producer and (2) if so, what his obligations are, the producer is not likely to be sanctioned, even if he turns out not to be in actual compliance. However, if the producer does nothing, or makes an internal decision that is not supported by any documentation showing how that decision was reached, then that producer runs the risk of being sanctioned for failure to comply with HIPAA.

Therefore, if a producer (1) suspects that he may be a "business associate" or a covered entity under HIPAA or (2) knows he is a "business associate" because he has signed an agreement issued by a carrier, then that producer should write a letter to the insurer he represents. If the producer may be a covered entity because of the group health plan he sponsors for his own employees, he should also write to the insurer who underwrites that group health plan.

What should the letter say? In the producer's letter to the insurance entity, he should list the insurance products and services that he places or performs for that insurance entity and then ask or state the following:

  1. Do these products or services need to comply with HIPAA?
  2. And, if so, how are they covered under HIPAA?
  3. And, if so, please direct me on the actions I need to take to comply.
  4. If I do not hear back from your company within 12 weeks, your failure to respond will be interpreted to mean that, with respect to the products and services I place or perform through you, I do not have to comply with HIPAA.

Get the response to the above questions in writing from the insurance entity - In his letter to the insurance entity, the producer should request that the response to the above questions be given in writing. It is absolutely imperative that any response from the insurance entity be in writing; an oral answer provides no documentation if the producer is later audited.

Seek the advice of your attorney who handles your employment law issues - If a producer (1) suspects that he may be a "business associate" or a covered entity under HIPAA or (2) knows he is a "business associate" because he has signed an agreement issued by a carrier, then that producer should, in addition to writing the above letter, seek the advice of the attorney who handles his employment law issues. He should tell his attorney that he is trying to determine whether he has any duties under HIPAA and, if so, what they are. In briefing his attorney, the producer should be sure to provide (1) a copy of any "business associate" agreement he has received, (2) a copy of the group health plan policy or any other policy of insurance benefits he provides to his employees, and (3) a list of the ways in which he interacts, or could interact, with protected health information.

Be sure to implement the compliance advice you receive from the insurance entity and your attorney - Finally, once a producer has consulted with his carriers and his employment law attorney, it is crucial that he make an effort to implement the compliance advice they give him. A producer's effort to document his HIPAA compliance determination will be defeated if he fails to act on the advice received. But if the producer (1) writes to his carriers and receives a written response, (2) seeks the advice of his attorney, and (3) implements the compliance advice received from both the insurance entity and the attorney, the producer should have sufficient documentation to back up his actions and avoid being sanctioned for non-compliance with HIPAA in the event of an audit by HHS.

This article originally appeared in the April 2003 PIA Connection
