In 2019, an insurance brokerage started notifying healthcare providers about a data breach after a business associate discovered that the protected health information (PHI) of 2,088 patients had been potentially viewed by unauthorized personnel. Although there was no evidence to suggest misuse of the data, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, still required that the brokerage reach out to all affected parties.
Prior to HIPAA, there were no federal standards governing the privacy of health information, and no federal requirement that anyone be told when their records were exposed. Your private health information could be floating around out there, and no one was legally obligated to inform you.
Benefits brokers regularly work with and have access to their clients' PHI. Here’s what brokers should know about maintaining HIPAA compliance.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law that requires covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates to safeguard “protected health information” (PHI) from disclosure to unauthorized persons. HIPAA preempts contrary state privacy law unless the state law is more stringent, in which case the state law applies.
PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, whether it relates to a person’s health condition, the care they received, or payment for that care. HIPAA considers the following items protected health information:
Brokers are considered business associates (BAs) under HIPAA because they serve as intermediaries on behalf of two kinds of HIPAA-covered entities: health insurance carriers and the group health plans sponsored by their employer clients. 45 CFR 160.103 defines a “business associate” as a person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. As business associates, benefits brokers have access to and are responsible for protecting the PHI of their employer groups.
According to the U.S. Department of Health and Human Services, a BA is also directly liable and subject to civil penalties for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule. The Security Rule covers a subset of the information protected by the Privacy Rule: PHI that is created, stored, or transmitted electronically, known as e-PHI. The Security Rule also describes the administrative, physical, and technical safeguards an organization must put in place to protect that data and to train employees to maintain security. Organizations are expected to protect e-PHI against reasonably anticipated threats, require workforce HIPAA compliance training, and complete regular security risk assessments. Here at BerniePortal, we regularly undergo SOC 2 audits to help ensure the privacy of our clients is protected.
The HIPAA Privacy Rule places its obligations primarily on covered entities, and it requires them to enter into written contracts with their business associates so that expectations around confidentiality are clear.
These contracts, known as business associate agreements (BAAs), must establish the permitted uses and disclosures of PHI, require the business associate to apply appropriate safeguards and report breaches back to the covered entity, and require the business associate to make its internal practices, books, and records available to HHS on request. When a benefits broker enters into a relationship with an insurance carrier or an employer group, a business associate agreement must be signed. Check out HHS’s website for a Sample Business Associate Agreement and the full list of required BAA provisions.
The HIPAA Breach Notification Rule requires HIPAA-covered entities to notify affected individuals and the Secretary of HHS following a breach of unsecured protected health information. A business associate that discovers a breach must notify the covered entity without unreasonable delay, and no later than 60 calendar days after discovery, so that the covered entity can meet its own deadlines.
According to the Dept. of Health and Human Services, if the breach affects 500 or more individuals, the covered entity must notify the Secretary without unreasonable delay and no later than 60 calendar days from the date of discovery.
If the breach affects fewer than 500 individuals, the covered entity may instead log the breach and submit the notification to the Secretary within 60 days of the end of the calendar year in which the breach was discovered, which works out to March 1 of the following year (February 29 in a leap year). For example, if a breach was discovered in June of this year, the covered entity must submit the notification to the Secretary by March 1 of next year. Note that this annual deadline applies only to notifying the Secretary: the affected individuals must still be notified within 60 calendar days of discovery regardless of how many people were affected.
When working with carriers, brokers should keep an eye out for any signs of benefits discrimination. HIPAA’s nondiscrimination provisions prohibit group health plans from denying eligibility or charging individuals more based on health factors such as:
If client data is not kept secure, you risk data breaches, which can result in losing business and damaging your reputation as a trusted advisor. You also risk costly HIPAA civil penalties, which can be detrimental to your business. Penalties are assessed per violation and scale with the level of culpability, from violations the organization could not reasonably have known about up to willful neglect that goes uncorrected.
For example, in 2018, Anthem paid $16 million to HHS’s Office for Civil Rights to settle potential HIPAA violations arising from its 2015 data breach, the largest HIPAA settlement at the time. Beyond the breach itself, OCR cited Anthem for failing to conduct an enterprise-wide risk analysis and for not adequately monitoring system activity. Had those risk assessments been performed and acted on, Anthem may have been able to detect the intrusion earlier and limit the exposure of the e-PHI of nearly 79 million people.
For a more in-depth look at HIPAA as it pertains to your employer clients, check out this HR-focused blog on HIPAA.
Additional Resources: