Dec 16, 2024
By Jonathan Decker

HIPAA Law and Insurance Agents: What Are Agents Responsible For?

In addition to helping clients protect against financial risks and safeguard their livelihoods, life and health agents are also responsible for maintaining the privacy of their clients’ protected health information (PHI), including treatment histories, biometric identifiers, personal information and more.

An agent receives this private and sensitive health data when providing insurance carriers information about clients seeking insurance. With this data, carriers make underwriting decisions, such as:

  • Issuing or denying coverage.
  • Determining premium pricing.
  • Handling claims.
  • Assessing risk profiles.

PHI is very private, critical information. Not only do all healthcare patients deserve privacy in general, but much graver consequences, such as fraud or abuse, can occur if PHI ends up in the wrong hands. That is why the U.S. enacted a law almost 30 years ago holding all entities possessing patient healthcare records to a very high security standard.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was enacted and signed into law in 1996 to protect the PHI of every American. It ensures organizations using and storing private health information preserve their patients’ and clients’ privacy and financial security.

Do insurance agents have to follow HIPAA?

Yes, they do. With such valuable data in their possession, it is every agent’s responsibility to comply with all standards and protect their clients’ privacy.

Here are a few of HIPAA’s key components and objectives:

  • HIPAA states that every patient’s personal health information is private and protected by law.
  • The law gives patients the right to understand and control how their PHI is used and shared. Before HIPAA, entities were not required to give patients access to their records when they requested them.
  • The rules require the client’s consent before an insurance agent may handle their private health information or disclose it to another party.
  • HIPAA sets standards for electronic data storage for healthcare facilities, private offices, billing companies, electronic medical record companies and insurance providers.
  • It applies to insurance brokers and providers who handle life, health, accident, disability and other related products.
  • HIPAA rules require organizations to take action to prevent PHI from ending up in the hands of those who intend to commit fraud and abuse.
  • The law is enforced by the Office for Civil Rights (OCR), a branch of the Department of Health and Human Services (HHS).

HIPAA’s significance cannot be overstated. It was the first law to address and legally enforce healthcare privacy. It was considered forward-thinking, as it outlined standards for digital record handling at a time when the transition from paper to electronic records was still in its early stages.

Since then, HIPAA has evolved in many ways to keep pace with modern standards. The law now has four main types of rules:

  • Privacy Rule – Governs the use and disclosure of a patient’s PHI, as well as their right to understand and control the use of their health information
  • Security Rule – Applies to maintaining the confidentiality of electronic protected health information (ePHI); it requires agents to implement appropriate administrative, technical and physical safeguards
  • Breach Notification Rule – Affected individuals and the HHS must be notified if a breach of patient data occurs; when more than 500 patients are affected, it must be reported to media outlets as well
  • Final Omnibus Rule – Amendments to strengthen protections and enforcement

Insurance Agents and HIPAA

Insurance professionals are obligated to fully comply with HIPAA rules, meaning they have a multitude of responsibilities.

These requirements include:

  1. Maintaining the complete privacy of patient records.

Information is only to be accessed for treatment, payment or healthcare operations. No one can view records without explicit permission, and patients have total control over who can access them. Agents are responsible for upholding these standards.

  2. Performing system-wide risk assessments and addressing vulnerabilities.

Agents must conduct regular risk assessments of their security measures, infrastructure, procedures and employee training and awareness programs.

  3. Giving patients access to their health records.

Entities must grant patients access to their health records upon request.

  4. Ensuring the compliance of third-party partners.

Under the business associate agreement, it is an agent’s responsibility to ensure that partners using or storing clients’ PHI maintain HIPAA compliance.

Associates include:

    • Accountants
    • Administrators
    • Attorneys
    • Billing companies
    • Cloud-, data- or document-storage services
    • Consultants and auditors
    • Data transmission services
    • IT personnel
    • Legal counsel
    • Medical transcription services
    • Paper shredding companies
    • Web-hosting organizations

  5. Notifying affected clients within 60 days of a data breach.

Breach notification policies are an important aspect of any insurance agent’s cybersecurity practices. Under HIPAA, organizations must notify affected clients within 60 days of a data breach occurring.

  6. Handling PHI properly.

Agents must handle clients’ private health data responsibly. This includes:

    • Only disclosing PHI when authorized.
    • Disposing of documents and digital files carefully.
    • Storing and managing records only in authorized, secure physical locations and on authorized devices.
    • Using and sharing information carefully; when transmitting it electronically, don’t send it to private email accounts.
    • Not leaving paperwork or devices unattended.
    • Not downloading data onto unauthorized devices or over unsecured networks.

  7. Renewing HIPAA authorization.

Once an agent’s HIPAA authorization expires, they must obtain and file the client’s signature on a new form.

Insurance Agent HIPAA Violations

Insurance agents do not want to break the law, as the consequences can be very severe:

  • Fines and penalties – Agents can face fines up to $1.5 million and five years in prison.
  • Reputational damage – Practitioners, companies and insurance agents can suffer significant reputational damage from a single HIPAA violation, and it can be hard to regain the trust of patients and the general public, especially since such cases are public record.
  • Client impact – Not following compliance can leave clients exposed to fraud and identity theft, in addition to having their privacy violated.

Here are some real-life examples:

Insurance provider pays $6.85 million settlement after data breach affects more than 10 million patients.

OCR investigated insurer Premera Blue Cross (PBC) after hackers stole the personal data of 10.4 million people using a phishing email laced with malware. OCR found “systemic non-compliance” by PBC, which failed to conduct risk assessments and implement stronger digital systems to protect their clients’ data.

It is the second-largest HIPAA settlement since the law’s creation.

Insurer pays $115 million settlement and $16 million in HIPAA violations after a historic data breach.

Anthem, one of the biggest healthcare benefits companies in the U.S., suffered one of the largest data breaches ever, in which hackers obtained the ePHI of almost 79 million people.

Anthem violated both the Privacy and Security Rules: it failed to conduct risk assessments, did not implement sound protection and detection systems and had a lackluster response. Anthem paid $115 million to settle a class-action lawsuit brought by those affected and an additional $16 million to OCR for HIPAA violations.

Insurance Agent HIPAA Compliance

HIPAA exists to protect healthcare patients, but insurance agents are also better off following these guidelines, as it helps them protect their financial health as well.

Here are the most impactful aspects of meeting compliance:

  • Knowledge – Gaining an understanding of PHI and ePHI
  • Risk analysis and management – Conducting a comprehensive risk analysis of databases and record storage
  • Planning – Creating an administrative plan of policies and procedures for managing patient requests, protecting all records and preventing HIPAA violations
  • Physical security – Considering physical safeguards, such as locked file cabinets, locations with controlled access in the workplace(s), secured workstations and proper disposal of PHI
  • Digital security – Using robust cybersecurity practices and tools, such as malware protection, encryption, access controls, system monitoring, etc.
  • Incident response – Devising a response plan in case records are lost, stolen or mishandled in another way that threatens patient confidentiality
  • Communication – Creating a notification system, so clients affected by a breach are alerted promptly
  • Documentation – Tracking plans, risk assessments, training records, incident reports and anything HIPAA-related
  • Routine checkups – Adopting methods for routine monitoring and continuous updates to privacy protections and HIPAA standards

Resources

Here are some resources agents can use to understand the importance of HIPAA rules and compliance, as well as how to protect their businesses and clients:

How the National Association of Professional Agents (NAPA) Can Help

HIPAA violations and liability insurance policies go hand-in-hand, and NAPA is dedicated to offering support and solutions for insurance agents.

The following instances, which can result from HIPAA violations, can be protected under NAPA’s Cyber Liability & Data Breach Insurance:

  • Stolen devices
  • Firewall breaches
  • Stolen login information
  • Phishing malware

Electronic data breaches fall under cyber protection, whereas errors and omissions (E&O) insurance covers improperly handling private information.

NAPA Errors and Omissions (E&O) Insurance is designed to protect agents from the risks of making mistakes, such as:

  • Failing to disclose important information.
  • Offering incorrect advice.
  • Leaving clients with coverage gaps due to insufficient risk evaluations.

These errors can cost your clients, and they could hold you financially liable. NAPA’s E&O insurance program gives agents like you affordable coverage from an “A” rated carrier.

Learn more about NAPA’s Cyber Liability and E&O coverages and additional benefits, such as free continuing education (CE) and savings programs today!

The information contained herein is offered as insurance industry insight and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis. Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third-party websites and resources. Insurance brokerage and related services to be provided by Gallagher Affinity Insurance Services, Inc. (License No. 100310679 | CA License No. 0783129).
