Issue Briefing: February 26, 2010

HIPAA: New Privacy and Security Requirements Effective February 17, 2010

You may have become aware of changes to the HIPAA requirements that took effect on February 17, 2010. Some questions have been raised as to what these changes mean for BGAs, so we offer the following information:

BACKGROUND

Starting on February 17, 2010, health insurance agents and brokers must comply with a new version of the HIPAA privacy and security requirements. The genesis of these new regulations is the electronic medical records provision of the American Recovery and Reinvestment Act (ARRA), also known as the stimulus act. These new provisions have raised the expectation of compliance (and the punishment for non-compliance) for all Covered Entities. Agents, brokers, consultants and, for the first time, business associates are classified as Covered Entities.

The ARRA did include a change in the legal requirements that cover BGAs that have access to what HIPAA defines as "protected health information" or PHI. The change was included in the section of the ARRA referred to as the HITECH Act (Health Information Technology for Economic and Clinical Health Act).

Basically, HIPAA requires that "covered entities" as defined in the statute take certain steps to ensure that "protected health information" is maintained on a confidential basis. The HIPAA statute provided for penalties to be assessed against "covered entities" that did not establish the types of security and privacy systems required, or that did not provide proper notice in the event of a breach.

While this regulation specifically refers to HEALTH insurance agents and brokers, it is not unlikely that at some point it may also be applied to LIFE brokers and agents. Many of you are already handling PHI, so we encourage you to prepare in advance.

The HITECH provisions of the ARRA expanded the responsibilities of "business associates" and made "business associates" directly responsible for compliance with the security and privacy requirements for protecting PHI. Furthermore, "business associates" are now subject to penalties for violations of the statute or regulations. Obviously this is a significant change. Under HITECH, "covered entities" are required to amend their contracts with "business associates" and to include in those contracts notification of the fact that the "business associates" have increased responsibilities.

RECOMMENDATIONS FOR NAILBA MEMBERS

Under HIPAA as amended by HITECH, "business associates" must implement many of the procedures that formerly were required only of "covered entities". NAILBA member agencies, as "business associates", should ensure that they are in compliance with those procedures.

Such procedures include, but are not limited to:
1. Appointing a Security Officer and conducting a security risk analysis.
2. Developing written privacy and security policies.
3. Implementing administrative, physical and technical safeguards to secure all PHI, whether in hard copy or electronic format.
4. Training all employees.
5. Establishing procedures for dealing with breaches of unsecured PHI.
6. Preparing for periodic audits by HHS.
7. Understanding that violations of the statute are serious and include penalties of up to $25,000 even for unintentional violations, up to $1.5 million for willful violations, and possible criminal sanctions.
8. Understanding that the new provisions became effective February 17, 2010.

PLEASE NOTE THAT THESE RECOMMENDATIONS ARE NOT INTENDED TO BE CONSTRUED AS LEGAL ADVICE. We encourage you to consult your own legal counsel. Under HITECH, state attorneys general are authorized to sue for violations, so the risk of enforcement actions has increased considerably.

Training materials are available from a variety of sources (including NAIFA). We also encourage you to seek out the materials that best meet the needs of your own agency.