Written by
Germeen Tanas
Germeen is an aPHR-certified writer on the marketing team at BerniePortal. She writes about HR, healthcare, and benefits.
What Benefits Brokers Should Know About HIPAA, Data Breaches, & Compliance
In 2019, an insurance brokerage started notifying healthcare providers about a data breach after a business associate discovered that the protected health information (PHI) of 2,088 patients had been potentially viewed by unauthorized personnel. Although there was no evidence to suggest misuse of the data, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, still required that the brokerage reach out to all affected parties.
Prior to HIPAA, there was no federal rule governing or protecting the privacy of digital health information, leaving individuals vulnerable to frequent privacy breaches. Your private health information could be floating around out there, and no one was legally obligated to inform you.
Benefits brokers regularly work with and have access to their clients' PHI. Here’s what brokers should know about maintaining HIPAA compliance.
Refresher: What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law that demands all organizations safeguard what’s considered “protected health information” (PHI) from being disclosed to unauthorized persons. Unless the state law is more stringent than federal law, HIPAA overrides state law regarding data privacy.
PHI is generally any information found in medical records that can be used to identify an individual. HIPAA considers the following items protected health information:
- Names
- Geographical subdivisions smaller than a state (address, city, county, zip code, etc.)
- Dates directly related to an individual (birth date, date of death, admission/discharge date, etc.)
- Phone numbers
- Fax numbers
- Emails
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- URLs
- IP address numbers
- Biometric identifiers (fingerprints, etc.)
- Identifiable images/photographs
- Any other unique identifying numbers, characteristics, or code
HIPAA Considerations for Benefits Brokers
Brokers are considered business associates (BAs) under HIPAA because they serve as intermediaries on behalf of two HIPAA-covered entities: health insurance carriers and employer groups with covered health plans. 45 CFR 160.103 defines a “business associate” as someone who creates, receives, maintains, or transmits PHI. As business associates, benefits brokers have access to and are responsible for protecting the PHI of their employer groups.
According to the U.S. Department of Health and Human Services, a BA is also directly liable and subject to civil penalties for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule. The HIPAA Security Rule protects a subset of information from the Privacy Rule by extending regulations to electronic protected health information, or e-PHI. The Security Rule also describes steps an organization must take to protect patient data and train employees to maintain security. Organizations are expected to detect anticipated PHI breaches, require workforce HIPAA compliance training, and complete regular security risk assessments. Here at BerniePortal, we regularly conduct SOC II audits to help ensure the privacy of our clients is protected.
Business Associate Contracts
The HIPAA Privacy Rule only applies to covered entities but requires that covered entities enter into contracts with business associates to ensure that expectations around confidentiality are clear.
Written contracts between covered entities and business associates must establish guidelines for proper uses and disclosures of PHI and require the business associate to be transparent to HHS about internal practices. When a benefits broker enters into a relationship with an insurance carrier or an employer group, a Business Associate Contract must be signed. Check out the HHS’ website for a Sample Business Associate Agreement and more specific requirements for the business associates contract.
What Is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify the secretary following a breach of unsecured protected health information.
According to the Dept. of Health and Human Services, if the breach affects 500 or more individuals, the covered entity must send the notification no later than 60 calendar days from the date of discovery.
If the breach affects less than 500 individuals, the covered entity must notify the secretary by submitting a breach notification within 60 days of the calendar year in which the breach was discovered (March 1st). For example, if a breach was discovered in June of this year, the covered entity must submit a breach notification by March 1st of the following year.
HIPAA Standards for Health Coverage
When working with carriers, brokers should keep an eye out for any signs of benefits discrimination. HIPAA prohibits employers from offering group benefits that discriminate against individuals based on health factors such as:
- Health status
- Medical condition (including both physical and mental illnesses)
- Claims experience
- Receipt of health care
- Medical history
- Genetic information
- Evidence of insurability; or
- Disability
The Costly Risk of HIPAA Noncompliance for Brokers
If client data is not kept secure, you risk data breaches, which can result in losing business and damaging your reputation as a trusted advisor. You also risk costly HIPAA violation fines, which can be detrimental to your business. Penalties vary based on frequency and intention of HIPAA violations.
For example, in 2018, Anthem paid a penalty of $16 million to the U.S. Department of Health to settle a data breach lawsuit. Anthem was also penalized for failing to conduct risk assessments. If they had conducted regular risk assessments, they may have been able to prevent hackers from compromising the ePHI of nearly 79 million people.
For a more in-depth look at HIPAA as it pertains to your employer clients, check out this HR-focused blog on HIPAA.
Additional Resources:
- Brokers’ Corner Podcast—watch and subscribe to the Brokers’ Corner podcast, which dives into the topics that affect your agency and industry and identifies strategies so you can protect and grow your book of business
- BerniePortal Brokers’ Council—a council of benefits brokers from across the country that advises BerniePortal on industry concerns, trends, and the ways technology can best support their agency and employer groups
- BerniePortal for Brokers—leveraging technology to increase your agency valuation and support your employer groups is easier than ever with BerniePortal’s software solution, built for brokers by brokers
Written by
Germeen Tanas
Germeen is an aPHR-certified writer on the marketing team at BerniePortal. She writes about HR, healthcare, and benefits.
Submit a Comment