Are Health Insurance Producers Your Greatest HIPAA Liability?

July 14, 2014

If you are a health insurance carrier, agent, broker, or managing general agent and don’t demand proof of HIPAA compliance from your producers you are taking a huge financial risk.

The HIPAA Omnibus Rule became the law on September 23, 2013 and requires all business associates and their sub-contractors to meet the same stringent security and privacy requirements as covered entities. You might quibble that only some of the privacy rules apply but essentially the rules are the same.

Are health insurance producers business associates? If they create, store, access, or transfer protected health information (PHI) they are a business associate and anyone that they share that PHI with is a sub-contractor that must also meet the requirements. The chain of responsibility extends from the carrier down to the lowest level that has access to the PHI. Consequently a breach at the lowest level travels back up that chain to the business associates and ultimately to the covered entity, the carrier.

What could cause a breach at the producer level?

• Lost or stolen iPhone or iPad that is not encrypted

• Lost or stolen laptop that is not encrypted

• Misdirected email

• Misdirected fax

• Lost paper records

• Lost or stolen copier or fax machine with PHI on the hard drive

• Hacking attack

• PHI posted on the Internet

You can probably imagine further scenarios but the obvious point is that it is very easy to cause a breach.

You might think that the breach would probably only involve less than 500 patient records and so wouldn’t need to be reported to HHS but actually all breaches must be reported. In 2012 there were over 13,000 breaches of less than 500 records reported and probably ten times that number that were not reported. Many breaches are either not noticed or swept under the carpet. How would anyone know if there was a breach that was not reported? The HIPAA Omnibus rule has provisions for breaches to be reported by a patient or a whistleblower and there have been many instances of this happening.

What happens if your producer breaches or you suspect that they are not compliant? The rules state that if you “discover a pattern of non-compliance” you must ask the producers to remediate or mitigate the risk and if they can’t or won’t you must “sever the business relationship”.

How do you protect your company from a breach by a health insurance producer?

1. Get HIPAA compliant yourself

2. Show your producer that you are compliant

3. Educate your producer about the new requirements of the HIPAA Omnibus Rule

4. Get the producer to sign a business associate agreement

5. Follow up to make sure that they are compliant on an on-going basis.

Compliance Helper offers a low cost, simple solution for health insurance producers called HIPAAssure™ Micro at www.compliancehelper.com