July 2009
 
NAIFA Convention and Career Conference

AHIA – NAIFA Health & Employee Benefits


New HIPAA Privacy, Security Standards

Once the COBRA portion of the American Recovery and Reinvestment Act (ARRA) is implemented, a new series of issues will emerge for insurance agents and employers because of ARRA’s other provisions related to privacy and security. The deadline for implementing this portion of the law is February 2010.

Most agents are aware of HIPAA because of the privacy compliance requirements that went into effect during 2003 and 2004. While there was a lot of activity signing Business Associate agreements, the years that followed were marked by little or no enforcement action on privacy or security by the Bush administration. All that is rapidly changing. Already in 2009 there has been enforcement action for privacy violations (CVS Pharmacy, $2.2 million fine). The Obama administration will invest more money and attention in enforcement of the HIPAA Privacy and Security regulations.

Here are some of the changes brought in by the new law:

Business Associates are now regulated the same as Covered Entities for both privacy and security issues by federal agencies.
This is perhaps the most significant change for insurance agents and employers. Prior to ARRA, the “reach” of federal regulators was limited to Covered Entities and the privacy and security obligations of Business Associates were not within the scope of an audit or performance expectation of federal agencies. Now, with this change, Business Associates can be held directly accountable.

Increased enforcement actions mandated.
In the past, there was no requirement for regular audits by the Office of Civil Rights within the US Department of Health and Human Services. Now periodic audits must be conducted to ensure compliance. Accordingly, enforcement actions will actually occur and will not be driven exclusively by complaints.

New Business Associate Agreements required.
Insurance agencies must collect signed Business Associate agreements from any third party with whom they share PHI (such as an agent with whom you share commission) or who has access to your clients’ PHI (such as cleaning companies and IT firms).

New fines and penalties (and the likely creation of an opportunity for penalties to be paid to a “victim” for violations).
The financial penalties have increased significantly and increase immediately. If the violation is willful, the fine is $50,000 with the maximum penalty of $1.5 million per calendar year. There is explicit language that requires the federal agencies to review and adopt new regulations that could mandate that a portion of penalties be shared with the “victims.” This change, which will not be finalized until February 2012, would open the floodgates of potential plaintiff-driven investigations with the promise of penalties (with a portion being paid to their legal representatives).

What do you need to do?

  • Increase attention to privacy issues within your agency, especially related to PHI in any form;
  • Be prepared to implement new requirements on notices, including providing a HIPAA Privacy notice to each of your clients regularly (remember that the Privacy notice should include Gramm-Leach-Bliley privacy language);
  • Review existing policies and procedures and adopt new ones to implement new privacy and security provisions;
  • Train (and retrain) your staff on privacy and security rules, and expect to be required to mandate similar training for anyone who has access to PHI that you use, transmit or store electronically;
  • Get new Business Associate agreements with any third party who has access to your physical or electronic data, including any agent with whom you might share clients;
  • Help your group insurance clients be prepared to deal with the new requirements by February 2010; and
  • Be smart!

For more information: Contact Caitlin Kubler, AHIA Marketing Coordinator, (703) 770-8251.
