If your brokerage is solidly rooted in employee benefits, compliance with the Health Insurance Portability and Accountability Act, better known as HIPAA, is a topic worth your regular attention. Even if you are a property-casualty only firm, you’ll still want to take note.
While your exposure is significantly lower, protected health information can still sneak its way into your firm. So HIPAA compliance is a big topic.
Let’s break it down to its basic components.
At its core, HIPAA is about protected health information. This includes two required components: something personally identifiable about a patient and something related to that patient’s health or medical condition. Both elements must be present for the data to qualify as personal health information. Because insurance seems to have developed a cottage industry creating acronyms (I can assure you the editors of this magazine despise them), we like to call this PHI.
For example, a list of medical procedures with no identifying data isn’t PHI. A list of names and social security numbers with no medical data isn’t PHI. The trick is that a single email with two attachments—a spreadsheet full of only names and addresses that lines up with another attached spreadsheet that contains only medical information—could be considered personal health information if the data are easily combined. (By the way, ePHI refers to electronic documents.) In our (sort of) paperless world, most of our exposure lives in the world of ePHI.
Instead of worrying about details, we are better served developing procedures and systems to prevent this from happening. To do so, we need to consider four components of HIPAA:
- HIPAA Privacy Rule establishes the standards requiring safeguards to protect PHI.
- HIPAA Enforcement Rule contains procedures related to hearings and penalties.
- HIPAA Breach Notification Rule explains the process and requirements for notifying patients and the Department of Health and Human Services (HHS) of a PHI breach.
- HIPAA Security Rule spells out specific requirements for compliance. You’ll spend most of your time with this rule. One note as you peruse the security rule during your rainy day pleasure reading: some of the specifications are required while others are “addressable.”
Addressable means you must follow the specification only if it’s reasonable to do so. For example, encrypting the transmission of PHI is merely an addressable specification; it’s not required. Be warned, however, that due to technology advancements (specifically email encryption systems) it’s not likely a decision to skip email encryption would survive an HHS audit. Bottom line? Plan to adhere to the addressable specifications as though they are required.
Assessing Your Compliance
From a practical perspective, assessing your brokerage’s compliance follows a few basic steps. First, you have to perform a risk assessment. While this may sound like something right up our alley, HHS requires an assessment that complies with National Institute of Standards and Technology guidelines (that’s NIST for you tech and acronym lovers). It’s not hard, but you’ll need to jump through a few hoops, so don’t just wing this. The key is to identify and minimize all of your areas of exposure. Once it’s completed, you’ll make your way through the Security Rule to determine where you stand.
Don’t be bashful about identifying non-compliance. Find the holes so you can fill them. As part of this process, you’ll need to have appropriate business partner agreements in place to ensure vendors, providers, wholesalers and other entities are also HIPAA compliant.
Given the inclusion of the 2009 Health Information Technology for Economic and Clinical Health Act (at least it has a cool acronym: HITECH), and the nature of data transmission and encryption, it’s a common misconception that HIPAA compliance is achieved through technology.
Most of your remediation will be in educating your employees to identify PHI and manage it in a well-defined manner. I’ve seen most brokerages spend far more time on shoring up the required policies and procedures and developing appropriate training than on making technical changes. Federal rules and regulations are built to be intentionally vague on the technology front, and nearly every agency I’ve seen exposed to it already exceeds the required technology security standards. Updating published policies and educating your employees is key to proper compliance management.
Once you’ve assessed your position and implemented any necessary changes, you can take a deep breath. But, unfortunately, you’re not finished. The rules require you to continually assess and make changes on an ongoing basis. But it’s sort of like cleaning off your desk. Once you go through the pain of doing it the first time, you can move into maintenance mode. The key is to actually manage your exposure going forward. An annual review will be much easier than the initial audit.
From a process perspective, most brokerages have the internal talent to manage HIPAA compliance even if the rules are complex. My advice is to find an outside expert to take a look and help you set up your own internal recurring review process. The process will be educational enough, and you’ll be in good shape to manage this internally going forward. While our industry hasn’t been directly targeted for HHS audits, HHS will investigate any credible complaint. With fines ranging from $100 to $50,000 per occurrence, it’s worth taking the time to ensure your own compliance.