
HIPAA: Compliance is Not an Option!

Author: Judi Newman

April 14, 2004: that's the compliance date for the HIPAA Privacy Rule for small health plans. A small health plan is defined as a plan that spends less than $5,000,000 in premium annually if fully insured, or pays less than $5,000,000 in claims annually if self-insured. Are you in compliance?

 

Note: The following article provides information on HIPAA and its possible implications for agents. The views expressed are those of the author and do not necessarily reflect the views or interpretations of IIABA. As with any law, in order to ensure proper, legal compliance, we encourage you to consult with appropriate qualified counsel before implementing HIPAA regulations in your operations.

IMPORTANT:   IIABA has developed an Executive Summary of the Privacy Rule Implementing HIPAA’s Privacy Requirements, and a Memorandum on Final HIPAA Privacy Regulations which was written by our outside counsel. IIABA members may access them by going to www.independentagent.com and clicking on the "Legal Advocacy" menu item on the left.



Understanding the new privacy and security rules of HIPAA is challenging to most employers and group health plan administrators. There is a great deal of confusion as to exactly who is supposed to do the compliance work.

The compliance deadline is very real. Group health plans that meet the "covered entity" definition need to understand that compliance is not an option. While confusion reigns, it is important to move ahead and recognize that the following is important in the compliance process:

  Good faith;

  Common sense; and

  That the law is evolving and will continue to change

The law addresses HIPAA privacy and security requirements for "covered entities" and has specifically identified "covered entities" as:

  Health plans
  Healthcare clearinghouses
  Healthcare providers

An insurance agency is not a covered entity. They are usually, however, employers that sponsor health plans for their employees. The health plans are covered entities and the agency is the plan sponsor. As the plan sponsor, the agency has the responsibility to make sure the health plans are in compliance with the regulations.

What is important to understand is what the law defines as "health plans." The health plans include:

  Group medical plan (HMO, PPO, etc.)
  Dental
  Vision
  Pharmacy/prescription
  Long Term Care
  Flexible medical spending account
  125 Plan
  HRA
  EAP

Any one, two or the entire list above is subject to the HIPAA Privacy Rule and Security Regulations. Determining the exact responsibility of the plan sponsor (the agency) is the first step that you must take.

When the law was written, several lines of insurance were not considered "health plans," even though medical information might be involved, and are therefore not protected by the HIPAA Privacy and Security rules. The following are not included:

  Life Insurance Plans
  Sick Pay Plans
  Casualty or Accident Insurance
  LTD or STD Plans
  EAP which doesn’t treat patients
  Liability insurance including auto liability
  Workers’ Compensation Insurance
  Automobile Medical Insurance
  Credit Insurance
  OSHA, FMLA, ADA, drug tests, fitness for duty exams

An Independent Agency, as employer and plan sponsor, must assess the group health plans it sponsors to determine exactly what is required to bring the health plans into compliance. If the health plans are all fully insured plans, and the plan sponsor does not handle any information other than summary PHI, then the plan sponsor only has a few actions necessary. If any of the plans are self-insured, partially self-insured or have a deductible, then the steps for compliance become more involved. The first step is to complete the following assessment chart to determine the category of the health plans sponsored by the agency.

 Type of Plan               | Fully Insured | Deductible | Self Insured | None
 Medical (PPO or HMO)       |               |            |              |
 Dental                     |               |            |              |
 Vision                     |               |            |              |
 Long Term Care             |               |            |              |
 Flexible Spending Account  |               |            |              |
 Prescription Pharmacy      |               |            |              |
 EAP with treatment         |               |            |              |
 125                        |               |            |              |
 Other - Specify:           |               |            |              |

If in this assessment, you check either fully insured or none for each covered plan, then the steps to compliance have been simplified. If on the other hand, you have checked a plan that has a deductible or is self-insured, the steps to compliance just became more detailed.

On the flip side, insurance agencies active in the employee benefits insurance business may have another obligation. If an insurance company or an employee benefits client requires that the agency sign a Business Associate Agreement, the agency becomes a business associate of the company or the client.

The business associate agreements agents are signing do refer to the law Title 45 CFR parts 160 and 164 and the need to understand what is required. What exactly does being in compliance as a business associate mean? Well, it means understanding things like:

  What is a covered entity?
  What is PHI?
  What are personal identifiers?
  What are business associate agreements?
  What are NPPs?
  What do we do with a request for access to PHI?
  What are plan amendments supposed to say?
  When can we use or share PHI?
  What is an accounting?
  What is an authorization for?

If the agency has signed or acknowledged a business associate agreement, it has, depending on the exact wording of the agreement signed, promised, guaranteed, warranted, made a covenant or personally indemnified that the agency is in compliance. In some cases, the Covered Entity has even included a hold harmless clause for themselves in the event the agent is in default. We don't know exactly what the repercussions will be should such default occur, but some of the things that come to mind include the company canceling the agency agreement or the client moving their business elsewhere.

There is one last item to consider. In many agencies, producers have direct contracts with health insurance carriers. If this is the case in your agency, you need to find out whether or not your agents have signed a business associate agreement with the carrier. If so, you need to determine the exposure that has been created for the agency. Insurance carriers have also been known to send out new contracts that include the business associate agreement wording, and many agents have signed them without fully understanding exactly what the carrier has required. A review of your business associate agreements is suggested.

HIPAA is not a one-time implementation project. It is an on-going responsibility, which needs to be part of the agency culture and business processes.


Judith H. Newman, President of Phaze II Consulting, Inc. Judi has worked on site with over 500 agents across the nation on a variety of consulting projects. Phaze II Consulting, Inc. is the owner and publisher of HIPAA All-In-One The Agent & Broker Compliance Toolkit designed to simplify the compliance process.

Phaze II Consulting, Inc. provides consulting services to independent insurance agencies in matters of management issues, operations, planning, valuations and customized projects for individual clients. You can contact Judi Newman at 800-438-7566 or judinewman@aol.com for additional information on HIPAA compliance and HIPAA All-In-One The Agent & Broker Compliance Toolkit.

Copyright 2004 by Phaze II Consulting, Inc. Used with permission.
All rights reserved. No part of this article may be reproduced in any form or
by electronic or mechanical means without permission from the publisher.
