HIPAA is one of the legislative hurdles health insurance agents and brokers have to navigate to perform their duties. This stems from their handling of protected health information during insurance sales.
Health insurers are classified as health plans under HIPAA, one of the three categories of covered entities alongside healthcare providers and healthcare clearinghouses. Health insurance agents and brokers are generally not covered entities themselves; they are business associates when they create, receive, maintain, or transmit PHI on behalf of a covered entity such as a health plan. That distinction determines which HIPAA rules apply to them. As business associates, agents and brokers are directly subject to the HIPAA Security Rule and the Breach Notification Rule, and to the Privacy Rule provisions that apply to business associates, including the terms of their business associate agreements.
According to a chapter discussing HIPAA compliance, “HIPAA sets strict standards for managing, transmitting, and storing protected health information. HIPAA applies to healthcare providers, insurers, and other organizations handling patient data, mandating safeguards to prevent unauthorized access or misuse of sensitive information.”
The Privacy Rule governs how business associates like insurance agents may use and disclose PHI in any form, whether paper, oral, or electronic. For example, agents should only access or share PHI as necessary for their role, such as during enrollment or when assisting clients with claims, and should limit each use or disclosure to the minimum necessary for that purpose. Uses or disclosures the rule does not otherwise permit, such as marketing, require the individual's written authorization.
The Security Rule sets the administrative, physical, and technical safeguards that protect electronic PHI (ePHI) from unauthorized access. Transmission security, including encryption, is an "addressable" technical safeguard under the rule, which means an agent must either implement it or document why an equivalent alternative is reasonable. In practice this means agents must use HIPAA-compliant email systems or encrypted messaging platforms when transmitting ePHI rather than ordinary unencrypted email or consumer chat apps.
If a breach of unsecured PHI occurs, the Breach Notification Rule requires the business associate to notify the covered entity without unreasonable delay and no later than 60 calendar days after the breach is discovered; the business associate agreement often sets a shorter deadline, and the shorter contractual deadline controls in practice. This notification allows the covered entity to meet its own obligations to notify affected individuals and the Department of Health and Human Services (HHS), and, for larger breaches, the media.
In practice, compliance with the rules for health insurance sales involves several key steps:
Certain exemptions exist. A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it is excluded from HIPAA's definition of a health plan, so the HIPAA rules do not apply to it. Agents working with larger or third-party-administered plans should not assume the exemption applies.
Generally, no. Insurers and their agents may only use or disclose PHI for purposes the HIPAA Privacy Rule permits, such as treatment, payment, or healthcare operations, unless they obtain the individual's written authorization for the other use.
Business associate agreements (BAAs) are contracts between covered entities and business associates that set out each party's responsibilities for protecting PHI, including permitted uses and disclosures, required safeguards, breach reporting, and what happens to the PHI when the contract ends. In health insurance sales, a health plan may not disclose PHI to an agent until a BAA is in place, and the agreement binds the agent to HIPAA's standards when handling PHI on the plan's behalf.