Before you begin selling insurance, you will need to become familiar with the Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA. This federal law created standards for protecting a patient’s health information from being disclosed without their consent or knowledge. In 2013, the HIPAA Omnibus Rule expanded the Department of Health and Human Services’ (HHS) ability to enforce the requirements not only with regard to “covered entities,” which are defined as health plans, health care clearinghouses, and health care providers who transmit records electronically, but also to “business associates” that help these covered entities carry out their health care activities. What does that all mean? It means that independent agencies like yours must comply with HIPAA rules; as an agent, you are just as responsible for protecting your customers’ health information as medical professionals and insurance companies are. But what exactly are you responsible for?
What Does HIPAA Mean for Insurance Agents?
For insurance agents, the rules of HIPAA are in place to make sure that the information you gather on customers for underwriting and claims processing is kept safe and is accessible to others only with your customer’s permission. To do this, you need to comply with two different categories of HIPAA guidelines: HIPAA privacy and HIPAA security. Both categories address procedures for protecting your customers’ data, but there is a big difference between them that you need to be aware of.
The HIPAA Privacy Rule is meant to keep your customers’ health information safe from others when it is being used in an administrative or contractual way. You are responsible for protecting their Personal Health Information (PHI), which is any personal health information that was created or used during your customers’ treatment or diagnosis; you are also responsible for maintaining the security of your customers’ basic information, or anything that could identify them, such as their name, address, birthday, and Social Security number. Under the HIPAA Privacy Rule, you may disclose this information, or give access to it, only to specific entities; if you fail to comply, you could face a fine, loss of your license to sell, or even jail time.
The HIPAA Security Rule is meant to protect any health information that is in electronic form, such as information stored on computers, transmitted over secured VPNs, held in encrypted software, or sent via email, from hackers and electronic theft. There’s no doubt that you rely on your computer, tablet, laptop, and phone for work, so the HIPAA Security Rule means that you will need to go the extra mile to protect your customers’ information. To comply with the Security Rule, you’ll need to make sure that your computers, or whatever technology you use to store your customers’ information, are secured and protected as well as possible against potential cyber threats.
When working with customers’ important and confidential information, you have to be diligent and prevent any breach that could result in their information being leaked to people who do not have permission to access it. Something as simple as sending an email that includes a customer’s PHI to the wrong person, or leaving a voicemail containing your customer’s information, could end up getting you in trouble. If something like this happens, you would most likely be audited by the Office for Civil Rights, which oversees compliance with HIPAA rules. To be prepared, make sure you (and anyone else in your agency) are trained in and thoroughly understand HIPAA guidelines; you need to be very careful with customers’ information, because one mistake could cost you your business!