The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect the security and privacy of personal health data.
HIPAA basics
HIPAA regulates the use and disclosure of Protected Health Information (PHI), which includes an individual’s medical information as well as personal identifiers such as name, address, date of birth and Social Security number. PHI is defined as any individually identifiable health information, in any form or medium, that:
Under HIPAA, there are three main rules that Covered Entities and Business Associates (defined on next page) must follow.
Who must comply with HIPAA?
Covered Entities and their Business Associates are required to comply with HIPAA rules. Covered Entities are health plans, health care clearinghouses and health care providers that transmit PHI electronically (ePHI), including:
While the definition of a Covered Entity does not include employer plan sponsors or plans other than health plans, all employers and employees are affected by, and benefit from, HIPAA’s rules. A Business Associate is any person or organization that performs certain functions for, or provides services to, a Covered Entity that involves access to PHI. These services may include:
If a Covered Entity engages the services of a Business Associate, it must have a written contract or agreement, called a “Business Associate Agreement,” in place. The agreement must detail the permitted uses and disclosures of PHI by the Business Associate and require the Business Associate to safeguard the PHI. It’s important to note that a broker partner relationship with a Covered Entity would, in most cases, require a Business Associate Agreement to be in place due to the nature of the information shared.
What is required under HIPAA?
With limited exceptions, HIPAA requires that Covered Entities and Business Associates:
Privacy Rule
A Covered Entity may only use or disclose PHI as HIPAA expressly requires or permits. The Privacy Rule limits use and disclosure of PHI to the “minimum necessary” for the purpose at hand and restricts access to and use of PHI to identified personnel who need it for their role.
Required and permitted uses of PHI
Required uses and disclosures under HIPAA include:
PHI cannot be used or disclosed for a non-health plan purpose to another plan (such as a pension or disability plan) or for general employment purposes.
Authorization requirement
Before using or disclosing PHI to third parties for purposes other than those permitted under the Privacy Rule, HIPAA requires Covered Entities to obtain the individual’s written authorization. The authorization must specify who is authorized to make and receive the disclosure, the specific purpose of the use or disclosure, and an expiration date or event.
Administrative requirements
The Privacy Rule requires a Covered Entity to establish privacy policies and safeguards, designate an employee to act as a Privacy and Security Official, provide HIPAA training to its workforce, and provide a Notice of Privacy Practices. The Notice of Privacy Practices must give a clear, easy-to-read explanation of individuals’ rights with respect to their personal health information and of the privacy practices the Covered Entity has in place. The notice should explain how an individual’s PHI is used and protected, as well as which disclosures are prohibited. The U.S. Department of Health & Human Services (HHS) provides model notices and details on notice distribution on its HIPAA page.
Security Rule
The HIPAA Security Rule requires Covered Entities and Business Associates to protect the confidentiality, integrity and availability of ePHI. “Integrity” means ePHI has not been altered or destroyed in an unauthorized manner. “Availability” means ePHI is accessible and usable on demand by an authorized person. Reasonable and appropriate administrative, technical and physical safeguards must be implemented and maintained to protect ePHI against reasonably anticipated security threats and impermissible uses or disclosures. Examples of safeguards include access controls that uniquely identify and authenticate each user (password-protected accounts being the most common form), limiting physical access to facilities and devices that store ePHI, and audit controls that record and allow review of access to systems containing ePHI.
There are specific standards with which entities must comply; however, the implementation specifications under those standards are either “required” or “addressable,” which allows Covered Entities to implement solutions that best fit their needs and specific environment. “Addressable” does not mean optional: an entity must implement an addressable specification if it is reasonable and appropriate, and otherwise must document why it is not and implement an equivalent alternative measure where reasonable.
Breach Notification Rule
HIPAA defines a “breach” as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. There are exclusions to what is considered a breach, including: unintentional, good-faith acquisition, access or use by an authorized workforce member without further use or disclosure; or a disclosure to an unauthorized person with a good-faith belief that the person could not have retained the PHI. When a breach of unsecured PHI occurs, a Covered Entity must notify the affected individuals and HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets; a Business Associate must notify the Covered Entity.
How is HIPAA enforced?
The HHS Office for Civil Rights enforces the HIPAA Privacy, Security and Breach Notification Rules. Failure to comply with HIPAA requirements can result in civil monetary penalties. In some cases, the Department of Justice (DOJ) may also pursue criminal penalties. HIPAA violations may be discovered through complaint investigations, anonymous reports, or random compliance audits of a Covered Entity by the government. Although employers are not themselves Covered Entities, employers are responsible for ensuring that the group health plans they sponsor comply with HIPAA. This means that the employees who perform functions on behalf of the health plan or in administration of the health plan need to understand and comply with HIPAA’s requirements.
What can Covered Entities do?
All Covered Entities, including any health plan sponsored by an employer (whether fully insured or self-insured), should take action and implement best practices to ensure compliance with HIPAA’s Privacy and Security Rules. For employers that sponsor group health plans, this includes the following with respect to the plan and any employees that support it.
Establish policies and procedures to ensure HIPAA compliance – as part of this process, designate a HIPAA privacy officer to be responsible for overseeing the policy and procedures and their implementation.