Protecting Your Clients’ Most Private Information

by Jeff Yates, ACT Executive Director
American citizens are becoming increasingly concerned with the privacy of their health and other personal information. Clients want to know that their agents and brokers have taken the steps necessary to safeguard the private information that they obtain on them and that this information is only used for permitted business purposes.
Traditionally, most independent agents and brokers have been careful with their clients’ personal information. It is good business. The risks have become a lot greater in recent years, however, because now this information is stored electronically within the agencies and therefore may be more accessible to more agency employees. In addition, the agency management systems themselves are more exposed to the external world through the Internet. Couple these risks with the unfortunate fact that there are more individuals out there today actively seeking to steal identities of unsuspecting people and to capitalize on them.
Moreover, an increasing array of federal and state laws, such as HIPAA, Gramm-Leach-Bliley, the Fair Credit Reporting Act, and state motor vehicle and privacy laws, may impose specific privacy requirements on agents and brokers and carry significant penalties if the agency does not institute appropriate procedures and safeguards.
In this new environment, it is highly important for agency principals to establish privacy protection as a priority for the agency and then to take the steps necessary to implement these protections. To help agents take action, ACT has recently published a report, “Safeguarding Non-Public Personal Information,” and a related “ACT HIPAA and Privacy Supplement.” These ACT tools have been developed by agents and consultants who have implemented privacy plans. They can be found under Technology Reports on the ACT web site at These reports also contain links to several very helpful legal opinions that are available from the IIABA Office of General Counsel on HIPAA and its Privacy Rule, Gramm-Leach-Bliley, and the Fair Credit Reporting Act.

HIPAA and Agents

HIPAA safeguards “Protected Health Information,” and contains the most elaborate requirements, as well as potential liabilities and penalties. Agents are typically drawn into the regulation’s requirements when they sell or service health or employee benefits insurance and are asked to sign a “Business Associate” agreement by the insurance company or employee benefits client. Agencies may also be impacted as an employer when they sponsor health plans for their employees and must make sure these health plans are in compliance with the HIPAA Privacy Rule.

Taking Action

The agency first needs to ascertain which federal and state privacy laws apply to it and what the specific requirements are. Then the agency may find developing an overall privacy policy and procedures that encompass these requirements is preferable and less confusing than trying to adopt multiple policies and procedures based upon the specific requirements of each law. These policies and procedures should apply to employee non-public personal information as well as to prospect and customer information.
Agents and brokers may want to appoint a privacy officer who has a good knowledge of overall agency operations and charge that individual with developing a detailed understanding of the various privacy laws. That individual can manage the staff team developing and then implementing the privacy policy and procedures, oversee the audit process for compliance, and receive privacy-related complaints and problems.
Agents and brokers also may want to appoint a security officer to oversee the agency’s security policies and procedures in order to protect the agency’s information from both external and internal threats, whether the information is in electronic or paper form, or conveyed orally.
Another important privacy protection is to limit access to non-public personal information and individually identifiable medical information to only those employees who have a need to see it. This principle is commonly seen in the various privacy laws.

Issues to consider include:

  • How can the agency’s systems be “locked down” to limit access to particular files to only the appropriate employees who need to see that information?
  • What procedures can be adopted by the mailroom to avoid unauthorized viewing of this sensitive information?
  • What steps can be taken with the technology staff who have broad access to systems information or with vendors who have access to the agency’s systems and information?
  • What procedures should be adopted to assure that individual employee passwords are safeguarded and that the agency immediately terminates a departing employee’s access both to the agency’s systems as well as to the systems of the agency’s trading partners?
  • What communications policies are put in place so that mail and faxes are used to send private health and personal information, rather than e-mail, which is not a confidential medium unless sent in encrypted form?
Agents and brokers may want to raise awareness with every agency employee regarding the importance of safeguarding all non-public personal information and individually identifiable health information and employee passwords, and provide training to both existing and new staff as they come onboard with regard to the agency’s privacy policies and procedures. A sample employee training memo, geared specifically to HIPAA, is included in the ACT report. Agency employees can be asked to commit in writing to safeguard the confidentiality of all protected information, to access it only when they have a legitimate business purpose to do so, and to use the information only for the business purpose for which it was intended to be used.
Employees with access to non-public personal information and/or individually identifiable health information should take steps to keep it out of view of fellow employees whether it is on the computer or on paper, especially when they are away from their desk. In addition, they may want to create a procedure to verify a caller’s identity before discussing private information with him or her. Employee reminders can be placed throughout the agency regarding the importance of the agency’s privacy policies. Employees can also be asked to advise the privacy officer should they come across private information to which they should not have access, so that improved procedures can be considered.
It is important for agencies to consider the effectiveness of their privacy strategy. An audit of the implementation of their privacy policies and procedures is one way to measure a privacy policy’s success. If an audit is conducted, written records of it, along with any problems found, and corrections implemented should be kept. This is exactly the type of information government agencies or others may be looking for if a privacy complaint were to be lodged that involves the agent or broker.
A pro-active privacy strategy makes very good business sense for the independent agent. It responds to evolving client expectations and minimizes the agency’s exposure to prosecution, liability, and negative public relations that can result from a failure to safeguard a client’s private personal information.
Jeff Yates is executive director of the Agents Council for Technology (ACT), which is affiliated with the Independent Insurance Agents & Brokers of America. This article reflects the views of the author and should not be construed as an official statement by ACT.