
HIPAA: Why a Privacy Rule?

Author: Judi Newman

Following up on her original article on HIPAA, Judi Newman provides more information about the nature and scope of HIPAA implementation that will help you better understand the compliance implications and how you can explain them to your staff and clients.

 

Note: The following article provides an overview of HIPAA and its possible implications for agents. The views expressed are those of the author and do not necessarily reflect the views or interpretations of IIABA. As with any law, in order to ensure proper, legal compliance, we encourage you to consult with appropriate qualified counsel before implementing HIPAA regulations in your operations.

IMPORTANT:  IIABA has developed an Executive Summary of the Privacy Rule Implementing HIPAA’s Privacy Requirements, and a Memorandum on Final HIPAA Privacy Regulations which was written by our outside counsel. IIABA members may access them by going to www.independentagent.com and clicking on the "Legal Advocacy" menu item on the left.


"Whatever, in connection with my professional service, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret." Hippocratic Oath, circa 4th Century B. C.

By the time you are reading this article there will be less than 150 days to prepare for the impact of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. You will recall that HIPAA was signed into law in August of 1996. The Privacy Rule was finalized in August of 2002. The compliance date for the Privacy Rule is April 14, 2003, and most insurance carriers should be operating in full compliance.

By then, the carriers represented by your agency should have already shared with you their Privacy Plan and how they will be implementing their compliance strategy. It is important to know the details, as it will definitely impact how your agency will handle new and renewal business in the future.

"We are at a decision point. Depending on what we do, revolutions in health care, biotechnology, and communications can hold great promise or great peril…when all is said and done, will our health care records be used to heal us or reveal us?" Donna Shalala, U. S. Secretary of Health and Human Services

Until August 14, 2002 there were no comprehensive federal laws to protect individuals' medical records. Invasion of privacy is something that concerns every one of us. The many incidents in which medical privacy has been violated prompted the enactment of the Administrative Simplification Regulation (ASR), also known as Title II of HIPAA. The Privacy Rule is just one part of ASR. Although it comes six years after the signing of the bill, it is designed to protect all of us from unauthorized use of our medical information.

THE HEALTH PRIVACY PROJECT
The Institute for Health Care Research and Policy of Georgetown University has been educating consumers to have a prominent and informed voice on health privacy issues at the federal, state and local levels. The Health Privacy Project has been dedicated to raising public awareness on the importance of ensuring health privacy in order to improve health care access and quality. The Project receives funding from various benefactors. To learn more about The Project visit their website at www.healthprivacy.org and access some of the recent studies.

So you are asking yourself, just what kinds of incidents have occurred? Put yourself in the place of the people that were violated in the following scenarios. How do you feel? In each of these instances, comprehensive federal laws protecting the privacy of medical records and information did not exist at the time they occurred. The following press releases have been made available by The Health Privacy Project.

After suffering a work related injury to her wrist, Roni Breite authorized her insurance company to release information pertaining to her wrist ailment to her employer. When she had the opportunity to review her medical record, the file contained her entire medical history, including records on recent fertility treatment and pregnancy loss. E. McCarthy, "Patients Voice Growing Concerns about Privacy," Sacramento Business Journal, April 5, 1999

A jury in Waukesha, Wisconsin, found that an emergency medical technician (EMT) invaded the privacy of an overdose patient when she told the patient's co-worker about the overdose. The co-worker then told nurses at West Allis Memorial Hospital, where both she and the patient were nurses. The EMT claimed that she called the patient's co-worker out of concern for the patient. The jury, however, found that regardless of her intentions, the EMT had no right to disclose confidential and sensitive medical information, and directed the EMT and her employer to pay $3,000 for the invasion of privacy. L. Sink, "Jurors Decide Patient Privacy Was Invaded," Milwaukee Journal Sentinel, May 9, 2002

In Tampa, a public health worker walked away with a computer disk containing the names of 4,000 people who tested positive for HIV. The disks were sent to two newspapers. J. Bacon, "AIDS Confidentiality," USA Today, October 10, 1996, p. Al

HIPAA Title II:
ADMINISTRATIVE SIMPLIFICATION REGULATION

There is no doubt that many issues are yet to be unveiled with HIPAA, in particular the Administrative Simplification Regulation (ASR). Our previous article was a more formal overview of HIPAA. Let's talk now about some of the more practical concerns or problems you may encounter during a realistic business day after April 14, 2003. For the record, ASR is the:

 Privacy Rule
 Security Rule
 Transaction Standards

HOW DOES THE PRIVACY RULE IMPACT OUR AGENCY?
It is important to realize that the Privacy Rule is not just some regulation that healthcare facilities need to worry about. As an insurance agent or broker you will be impacted on many levels. There is your own organization to consider. Then, you probably have clients that may be doctors, hospitals, or medical facilities. Also, some of your other P & C clients probably have group health insurance, if not with you, maybe through another agency. Do you understand your obligations as their P & C agent?

As such, you owe it to them to stay on top of issues that may impact the types of insurance coverage they purchase from you. Your clients also look to you for direction on issues that involve their present insurance coverage, whether it is property/casualty coverage or employee benefits. In this article we will highlight some of the reasons the Privacy Rule is something you should understand completely. As an independent insurance agent or broker you are the "Trusted Choice" of your clients. The following is a listing of some potential issues that should go to the top of your priority list. Just a thought: this may also be a good time to check your errors and omissions coverage. Are your limits high enough?

 What is a "Covered Entity?"
 What is a "Business Associate?"
 Do we really need a Privacy Statement?
 Do we need to develop a "Business Associate Agreement" for our clients?
 What do we need to know about a "covered entity" to give added value to our clients?
 What do we need to know about the Privacy Rule?
 What agency relationships will be affected by the Privacy Rule?
 What should we ask the health insurance carriers we represent about their HIPAA or Privacy Rule policies?
 How is the Privacy Rule going to impact new sales?
 How is the Privacy Rule going to affect our renewal process?
 What insurance protection will our clients need in the event of HIPAA fines, penalties and defense costs?

A "Covered Entity"
For starters, in plain English, a "covered entity" could be a hospital, medical facility, physician, dentist, pharmacy, clearinghouse, insurance carrier, or health insurance plan. At this point, your agency may write insurance coverage for any one of these types of "covered entities." With renewal dates looming in 2003, your clients are going to be looking to you for advice and direction to make sure they have the proper protection. Just because they haven't asked, isn't it still up to you to inform them of potential liability issues? Are you going to be prepared? Or will your clients seek the help they need from another advisor, agency or broker? A loss of one or more clients will have a definite impact on the bottom line. On the other hand, being prepared could bring new business your way.

"Business Associate"
As defined in § 164.501 of the ASR, a "Business Associate" (BA) is, with respect to a "covered entity," a person who is involved in a function or activity involving the use or disclosure of individually identifiable health information. This includes claims processing or administration, data analysis processing or administration, utilization review, quality assurance, billing, benefits management, practice management, and re-pricing. If someone other than a member of the workforce of such "covered entity" performs legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation, or financial services, they are a BA. Also, you are a BA in the case of an organized health care arrangement in which the "covered entity" participates, and where the service provided involves the disclosure of individually identifiable health information.

The Privacy Rule
Simply stated, the Privacy Rule is intended to protect the health and medical privacy of individuals. The Privacy Rule assures most people that their personal health information (PHI) will not be distributed for use in any manner without their express authorization. This means that anyone that comes in contact with PHI will be bound by the rules and standards set forth and will be sanctioned for violation of the rules.

On July 9, 2002, the Florida Attorney General issued investigative subpoenas to Eli Lilly & Co., Walgreen Co. and a number of health care providers to determine whether state laws were violated when Prozac tablets were mailed unsolicited to Florida residents. Individuals received an envelope from Walgreen with a letter encouraging them to switch to Prozac Weekly along with a free one-month trial of the drug. The Attorney General's office is concerned not only with the unsolicited delivery of a prescription drug but also with the possibility that privacy rights were violated by the misuse of medical information to target likely candidates for a particular drug. A woman who received the Prozac also filed an invasion of privacy lawsuit against Eli Lilly, Walgreen, and her doctor for sending her a drug that she did not request. ("Fla. AG Issues Subpoenas Over Prozac," Associated Press, July 10, 2002; B. Japsen, "Florida Prozac Case Raises Issues of Privacy, Health," Chicago Tribune, July 11, 2002)

About 400 pages of detailed psychological records concerning visits and diagnoses of at least 62 children and teenagers were accidentally posted on the University of Montana web site for eight days. In most cases, the information included names, dates of birth and sometimes home addresses and schools attended with the results of the psychological tests. (C. Piller, "Web Mishap: Kids' Psychological Files Posted," Los Angeles Times, November 7, 2001, p. Al)

Your Privacy Statement
If your agency is not a "covered entity" a privacy statement is probably not required. However, if you are going to be doing business with clients and prospects that are "covered entities" then it probably makes sense to develop your own privacy statement. After all, they will be asking you how your agency is protecting sensitive information. If you have your GLB (Gramm Leach Bliley) privacy statement in place, most advisors believe that adding a statement on HIPAA privacy will suffice. If you have not yet developed your GLB privacy statement, this might be a good time to do it and add a section for the HIPAA Privacy Rule.

Your "Business Associate Agreement"
If you have many clients that you do business with that will be "covered entities" it makes sense to develop your own business associate agreement (BAA) so you have a standard process. If you can get a majority of your clients to agree to your BAA, then you may incur fewer legal costs. If you have to sign a different BAA with each client, you will be keeping your agency's legal counsel very busy. Remember that a "covered entity" must take reasonable measures to prevent the compromise of PHI. A business associate that is not a "covered entity" does not fall under HIPAA. Therefore a "covered entity" must have a BAA to ensure that reasonable privacy protection is afforded PHI by a non "covered entity."

Added Value For Your Clients
There is no doubt confusion reigns on many fronts as businesses of all types try to figure out what they need to do to be in compliance with the Privacy Rule. Understanding the basic requirements for compliance enables you to provide the help your clients will need. A good understanding of what is required will also allow you to develop your own network of professionals that you can rely on when your clients have serious issues with compliance. Wouldn't it be better if the referrals come from you so you can maintain some control over your relationship?

The Privacy Rule And Agency Relationships
In many instances today, your agency is handling sensitive information for clients, particularly with group health plans. After April 14, 2003 most of the group health information you gather on your client's behalf will no longer be available to the agent. Your client will need to be in compliance and certify to their insurance carrier that they are if they want to access information like claims/loss runs. Well in advance of any renewal, you will need to know that the client is in compliance so that they will be able to access the necessary information. In the past, the agency may have been able to do this for them, but it will be more difficult after April 14, 2003. Also, in order for the client to provide your agency with information, they will need to have an agreement with you as a "Business Associate" to protect themselves.

Health Insurance Carriers And Their HIPAA Policies
Almost all insurance carriers that provide health insurance either on an individual policy or on a group policy will need to be in compliance with the Privacy Rule on April 14, 2003. Every carrier your agency represents will most likely have developed their own processes, although it is likely that many of these processes could be similar between carriers. Each of your carriers should have gone over in detail how they will be handling new and renewal business after April 14, 2003 and pointed out what differences may be in store. You should also know whether or not a new agency agreement would be required. Also, you should know what position they will take in dealing with an agency that is not in compliance. It will be important to understand how future communications between the agency and carrier will transpire. And these are just for starters. Medical privacy is the issue; the impact of the amount of work involved in assuring it happens has not yet been determined.

The Privacy Rule And New Sales
In the past, your agency has been able to gather the information necessary including an application, a statement of pre-existing conditions, a census and claims history in order to start the process of finding the best coverage at the best rates. This information will not be so easily accessed. Following April 14, 2003, you will need to have an agreement, most likely a "Business Associate Agreement" with the prospect in order to market the account. You will be bound by rules that detail how you can submit the data to receive a proposal, much of which will depend on the particular carrier. There will be considerably more work, more attention to detail and more attention to the security of the information you are handling.

The Privacy Rule And Renewals
Your client relies on your professional advice about coverage issues, clarification and continuation. It is highly likely there will be changes as a result of HIPAA. You are going to need to work with all of your clients that are "covered entities" to make sure that they are in compliance so as not to void necessary insurance coverage. As you forge through the renewal process, you may have limited access to information that was not a problem in the past. You will need to understand any new endorsements added to policies like general liability, EPL, D&O, and medical/professional malpractice to make sure that HIPAA in any form has not been excluded. What about the renewal of employee benefits coverage? You will be subjected to the same limitations as described in the new business paragraph.

Insurance Protection
Since the Administrative Simplification Regulation is new, and in particular the Privacy Rule, any discussion of how insurance coverage might respond to HIPAA fines and penalties is conjecture at this point. However, as the enforcement date draws near, it is probably a good time to understand the impact of violations. HIPAA makes provisions for both civil monetary penalties and criminal sanctions against "covered entities," including healthcare providers and their BAs, some of whom may actually be natural persons. There are issues to take into consideration such as fines and penalties and defense costs for fraud and abuse and what could actually trigger coverage. It is just as important to look at what may not be covered at all. At the present time it is difficult to predict how current policies will address these risks. It is just as important that, as the insurance agent or broker, you start now to ask the right questions and push for answers.

SUMMARY
Without creating a legal document, we have tried to bring to your attention the many reasons why your agency needs to start to learn more about HIPAA and the Administrative Simplification Regulation, in particular, the Privacy Rule. As an insurance agent or broker, you have many responsibilities to your clients in all areas of coverage. There will be limitations on the amount of information that can be shared for selling new and renewal health insurance plans. There are issues of liability coverage in the event of a violation of state or federal laws concerning privacy and confidentiality.

As we continue to research the impact of HIPAA and Title II, the Administrative Simplification Regulation, on our industry, it seems that it will be far-reaching. We also won't know just how far until the compliance date is here on April 14, 2003 (and 2004 for smaller plans) and enforcement begins. The penalties for violations are severe. It is doubtful that most Medical Professional Liability, Errors & Omissions, Employment Practices Liability or General Liability policies will provide coverage for HIPAA enforcement actions. Why? Because most policies contain an exclusion for claims made by or on behalf of a regulatory agency. It's back to the drawing board, time to gain a better understanding and grasp on liability coverage. It is now time to undertake a concentrated effort to understand and comply with the HIPAA Privacy Rule in your own organization so you understand what your clients must do. It's time to become the "Trusted Choice" of your clients. If you don't, someone else will.

 

By Judith H. Newman, President of Phaze II Consulting, Inc. Judi has worked on site with over 500 agents across the nation on a variety of consulting projects. Phaze II Consulting, Inc. is the owner of the Master Agency Manager, designed to be the most complete and easy to use agency management resource available today. The Master Agency Manager is a must have tool for anyone interested in the insurance agency business.

Phaze II Consulting, Inc. provides consulting services to independent insurance agencies in matters of management issues, operations, planning, valuations and customized projects for individual clients. Phaze II Consulting, Inc. is prepared to assist you in undertaking the compliance process for HIPAA and GLB (Gramm, Leach, Bliley). Please contact Judi Newman at 800-638-0657 or judinewman@aol.com for additional information on the HIPAA Compliance Program.

Copyright 2002 by Phaze II Consulting, Inc. Used with permission.
All rights reserved. No part of this article may be reproduced in any form or by electronic or mechanical means without permission from the publisher.
