This post is part of a series sponsored by AgentSync.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) may be one of the best-known health insurance laws, not only among insurance professionals, but in the daily lives of most Americans. Learn more about what it is, what it does (and doesn’t do), and how it affects the insurance industry.
Please read our notice of privacy practices
Quick! Name the health care law that everyone has heard of, but no one really knows. If you guessed HIPAA, congratulations, you win! For private citizens, HIPAA references appear at every doctor’s office visit and, more recently, whenever a company has dared to ask for proof of COVID-19 vaccination status for entry or service. More on that later, but spoiler alert: a company that requires proof of vaccination to enter or receive services is not violating HIPAA.
You’d be hard pressed to find an American adult who hasn’t heard of HIPAA, or who doesn’t know it has something to do with medical privacy. But for most people, the collective knowledge of the 500-page law ends there, and that’s okay. If you’re in the insurance business, however, you may be one of the few who really needs to understand HIPAA at more than a superficial level. Then again, HIPAA is so specific to health insurance and health information that it doesn’t apply universally across the insurance world either.
What is HIPAA?
Literally, it is the Health Insurance Portability and Accountability Act of 1996. This law, signed by President Clinton in 1996, was the first law to address the privacy of health and health care information. Although electronic medical records were rare in 1996, HIPAA was forward-thinking: it included references to digitization in medicine and health insurance that would not arrive for years.
HIPAA gave US citizens the right to expect a certain degree of privacy surrounding this information, particularly when it comes to health insurance. It also gave us the right to access our own private health information, even if most of the time that is easier said than done.
A large part of the HIPAA law is what is known as the HIPAA Privacy Rule. According to the CDC: “The Privacy Rule standards address the use and disclosure of individuals’ health information (known as ‘protected health information’) by entities subject to the Privacy Rule. These individuals and organizations are called ‘covered entities.’ The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used.”
In plain English:
- Your personal health information is considered private, and therefore “protected” by law (hence the term protected health information, or PHI).
- Certain entities (doctors’ offices, hospitals, health insurance companies, etc.) are subject to the Privacy Rule.
- You also have the right to understand and control how your PHI is used, including with whom it is shared.
What does HIPAA do?
Simply put, HIPAA required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The law gave responsibility for enforcement to the Office for Civil Rights of the Department of Health and Human Services.
HIPAA also sets out the valid reasons for which PHI held by a covered entity may be used, shared, or disclosed. The final rule was over 500 pages long, so obviously, and by necessity, this is a very shortened version of the law! If you’re a bigger insurance geek than we are, you’re welcome to read the full text of the law here!
Also, whether HIPAA is essential or incidental to your business, keep in mind that this is a brief overview, not legal or compliance guidance. If you need legal advice, consult a lawyer.
What does HIPAA not do?
The short answer is “a lot.” As you have now learned, HIPAA applies to a very specific set of covered entities. A restaurant or bar is not a covered entity. An airline is not a covered entity. Thus, private companies that require customers to disclose their COVID-19 vaccination status in order to enter or receive a service are neither subject to nor in violation of HIPAA.
In addition, HIPAA also does not cover:
- “Employment records held by a covered entity in its role as employer, and education and certain other records subject to or defined in the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.”
- De-identified health information, where the medical information has been completely separated from personally identifiable details about the person it came from. For example, a large list of ages, heights, and body weights would not be protected if there were no name, address, Social Security number, or other identifying information that would associate the health data with a particular person. (The Privacy Rule’s list of identifiers is broader than name and SSN; dates and geographic details can identify a person too, so “no name attached” alone does not make a data set de-identified.)
Who is required to follow HIPAA?
HIPAA established standard definitions of the types of companies and entities that are subject to its Privacy Rule. These include:
- Health care providers
- Health plans (including Medicare, Medicaid, long-term care, and others, with a few exceptions)
- Health care clearinghouses
- Business associates (defined as a person or organization, other than an employee of a covered entity, that uses PHI to perform services for the covered entity)
That is the baseline. Again, your uncle at a family dinner is not subject to HIPAA. Your neighbor’s restaurant or bar is not subject to the Health Insurance Portability and Accountability Act (HIPAA). Your local grocery store, movie theater, and workplace (probably!) aren’t subject to HIPAA either.
If, and only if, you are one of the above entities or a “business associate” of one of them, do you and your company have to comply with the Health Insurance Portability and Accountability Act (HIPAA).
Why is HIPAA important?
Most of us would agree that patient privacy is an important right. Prior to 1996, this was not necessarily the case; it certainly wasn’t guaranteed or legally enforced.
Why HIPAA is important to the healthcare and health insurance industry
Although 1996 is hardly what we think of as the “digital age” these days, HIPAA was truly forward-thinking for its time. It introduced some very important concepts that would become essential as the industry transitioned from paper records to electronic health records.
HIPAA standardized how health data is collected and protected, mandating a set of nationally recognized codes and identifiers. Much like the move to structured data in other industries, HIPAA requirements have helped the health care industry move toward a digital future where health information is shared among patients, doctors, clinics, insurance companies, and other entities on a daily basis, with an emphasis on privacy.
Why HIPAA is important for patients
For patients, HIPAA is of particular interest. Medical records have moved into the digital age, which has left them vulnerable to information security breaches. Prior to the enactment of HIPAA, “covered entities” probably did not, for the most part, intentionally disclose personal patient information in unscrupulous ways, but there was no guarantee that they wouldn’t (and there were no government-imposed penalties if they did).
HIPAA was the first law of its kind to establish rules regarding the storage and sharing of personal health information. It imposed a strict standard of information security controls on any organization that handles such information. Additionally, with the law in place, there are actual consequences for non-compliance.
HIPAA also gave patients greater control over their health care by allowing them to access their records in order to become more familiar with diagnoses and treatments, seek additional medical opinions from different providers, or even check their records for errors. Prior to HIPAA, health care organizations and health insurance companies were not required to comply with a patient’s request for access to their medical records.
How does HIPAA affect the insurance industry?
For many property and casualty insurers, agents, brokers, and other insurance professionals, it really doesn’t. For the vast majority of the insurance industry, those who do not deal in life, health, accident, disability, or related products, HIPAA does not apply.
For dual-licensed producers, for insurance carriers that deal in health and life products, and for any insurance professionals who handle protected health information in the course of doing business, HIPAA is a concern and a law that requires compliance.
HIPAA can also affect employers who sponsor health insurance coverage for their employees. This means it is something employee benefits brokers need to pay attention to and alert their clients about.
In the quarter century since HIPAA was first signed into law, it has become something of a household name (as far as health care laws go!), but that doesn’t mean it’s simple or easy to understand. If you are in the health insurance business, HIPAA is just one of the many insurance industry regulations you should pay attention to and make sure you comply with. And you should get an expert advisor to help you do it.
While AgentSync can’t help you there, we can certainly keep compliance on track for your non-HIPAA needs, such as producer setup and license lifecycle management. Watch AgentSync in Action today.