HIPAA and ARRA

Wide-ranging changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) became effective Feb. 17, 2010. The changes will make “business associates,” as defined by HIPAA, directly subject to the requirements and penalties of HIPAA privacy and security rules to the same extent as “covered entities.” The new rules, which are part of the American Recovery and Reinvestment Act of 2009 (ARRA), will affect other aspects of HIPAA as well.

The U.S. Department of Health and Human Services will begin enforcing the rule for breaches of “unsecured” protected health information that are discovered (or reasonably should have been discovered).

The IIABA Office of General Counsel wrote a memo explaining the Breach Notification Rule, which is available to IIABA members by logging in to www.independentagent.com and selecting Legal Advocacy > Memoranda & FAQs > HIPPA Breach Notification Rule. In addition, IIABA will post any additional information it obtains to help insurance agents understand and comply with the new HIPAA rules, such as the article already posted, “HIPAA Changes Affect Covered Entities and Business Associates,” written by the well-regarded New York law firm Shearman & Sterling LLP and posted with permission on the IIABA site.

Generally speaking, the law imposes a number of obligations on parties defined as “covered entities” and “business associates” and applies heightened enforcement including audits, and increased penalties. Covered entities are providers, health plans and clearinghouses. Business associates are persons or entities who perform or assist in performing a function or activity that involves the use or disclosure of Personal Health Information (PHI). As an agent, you may have access to PHI through contact with an insurer or group health plan or other covered entity or an employer as the representative in connection with an employers health plan administration.

The overarching thrust of the new regulations is to require extraordinary efforts to maintain the security of PHI. Some of the obligations include:

  • Implementing security measures – adopting a security and privacy policy, appointing a security and privacy officer, training employees on how to safeguard electronic PHI including the encryption of e-mail transmission of PHI.
  • Entering into written agreements with any organization with which you exchange PHI or that would have access to PHI under your control. Agreements must contain assurances that PHI will be adequately safeguarded by the organization.
  • Notice of breach – notify any individual whose PHI was or could have been disclosed due to a privacy or security breach.
  • Compliance with an individual’s request to restrict PHI disclosure.

The Agents Council of Technology has additional resources regarding the safeguarding of all customer personal information at www.independentagent.com/act.