HIPAA

Q. What is HIPAA and what does it mean?

A. HIPAA is the Health Insurance Portability and Accountability Act of 1996. The privacy regulations restrict the way that holders of medical information may use or disclose that information. These regulations went into effect on April 14, 2003.

Q. To whom does HIPAA apply?

A. HIPAA applies to “covered entities.” A covered entity is a health care provider, a health care clearinghouse and a health plan. For our purposes, “health plans” are defined to include insurance companies that issue, among other types of health insurance, long term care insurance.

Note: HIPAA specifically does not directly apply to insurance companies that issue life insurance, annuities and disability income insurance. So for purposes of your relationship, HIPAA essentially only directly applies to long term care business.

Q. If HIPAA only directly applies to my long term care business, does it matter for life, annuities and disability income policies?

A. Yes. HIPAA applies to medical providers. These medical providers are not permitted to share medical information unless they receive a valid authorization. Most Part I authorizations are probably not going to be considered to be valid, or “HIPAA-compliant.”

Q. How does this affect processing long-term care business?

A. For long-term care insurance, there are two main areas of impact. First is in the need to use a HIPAA-compliant authorization. That is discussed below in more detail. The second area relates to the rules that govern how your agency can share information with the agent and what you can do with it once the GA or the carrier shares it with the agent. Essentially, you can share information only as necessary to place or service the policy.

Note: If the GA receives a long term care case for one carrier and is asked to “shop” it to another carrier they will either need to get the original carrier’s written release to do that or get the client to sign an Authorization and re-acquire the medical records. Neither you nor agent can take the information that is gathered on behalf of one carrier and share it with another carrier – even with the client’s permission – unless you have the carrier’s permission.

Q. What type of information is restricted?

A. HIPAA restricts the use and disclosure of “Protected Health Information”, or “PHI.” PHI is health and demographic information about an individual. It includes information about the person’s medical status and treatment as well as identification information such as name, address, social security number, date of birth and policy number.

Q. So how can I use and disclose PHI?

A. It depends on your business. But generally, as HIPAA relates to your business, you can use and disclose PHI: to complete the transaction requested by the applicant / insured, including underwriting, claims and customer service; as necessary to meet your operational and administrative requirements; as authorized by the applicant / insured; and as required by law. That is, you can use and disclose PHI, only as necessary, to conduct your business relating to the person whose PHI you have. You generally cannot use it or disclose it for other purposes.

Q. What other actions must I take to protect PHI?

A. Again, it depends on your business. But generally, as HIPAA relates to your business, you must make sure that any PHI in your possession is protected from accidental disclosure. For example, you must make sure that information is not lying out in the open when you are away from your desk; you must make sure that faxes, mail and copies are quickly distributed; you must make sure that any papers that you have containing PHI are shredded or destroyed and not just thrown into the trash.

Q. I understand the authorizations are changing. Why and what does it mean to my business with my agency?

A. The HIPAA Privacy Rules restrict disclosure of PHI. One of the restrictions is that if information is to be released pursuant to an authorization, then the authorization must contain certain terms and elements required by the law. We must obtain HIPAA-compliant authorizations and only use the PHI pursuant to the terms of the authorization.

Q. What is a HIPAA-compliant authorization?

A. A HIPAA-compliant authorization is one that has each of the following elements:

	A specific description of the information to be disclosed [for example, “any personal health information, records or data concerning my past, present or future mental, physical or behavioral health or condition”];
	A specific description of the person(s) or class of persons to whom the information is to be disclosed [for example, “(Your Agency Name) and all the insurance carriers listed on this Authorization”];
	A specific description of the person(s) or class of persons who is authorized to disclose the information [for example, “any physician or other medical practitioner, any hospital, clinic, or other health-related facility, any medical testing laboratory”];
	A description of the purpose of the disclosure [for example, “to determine eligibility for and apply for insurance products and services”];
	An expiration date or event;
	Signature and date;
	A statement detailing the right to revoke the authorization and instructions how to revoke it;
	A statement that if the person does not sign the authorization, the purpose of the authorization may not be able to be met; and
	A statement that the information being disclosed is subject to redisclosure and may not longer be protected by federal privacy regulations.

Q. I am told that some medical providers will not disclose records because they are not specifically identified (by name) on the authorization. Do they have to be specifically identified?

A. No, not according to HIPAA. Think of HIPAA as the floor, or the minimum required for privacy. States and doctors’ offices are permitted impose more stringent requirements than HIPAA does. If a GA is faced with this issue, first to work with the provider, informing them that the authorization is HIPAA-compliant, and they are in the “class” of persons identified to disclose PHI to the GA.

Remember: The doctor’s office may not necessarily be wrong; they are protecting their (and your) client’s privacy; and that they have the medical records that we need to provide service to your client. We (the agent and the GA) may have to have the client sign an authorization acceptable to the provider.

Q. Have all carriers created HIPAA-compliant authorizations?

A. No. As HIPAA specifically excludes life insurance, disability insurance and annuities, some carriers have taken the position that authorizations associated with these lines of insurance do not have to be HIPAA-compliant. On the other hand, some carriers have taken the position that they do need to have a HIPAA-compliant authorization for all lines of business.

Q. Why don’t all carriers take the same position?

A. The HIPAA privacy regulations are new and there is strong debate among the carriers and the medical community about how HIPAA applies.

Q. What are some other sources of information?

A. The Department of Health and Human Services (the government agency responsible for implementing the HIPAA privacy regulations) has good resources on its website. http://www.hhs.gov/ocr/hipaa

Q. Should I expect changes to HIPAA and will any other parts of HIPAA apply to me?

A. Yes to both questions. HIPAA may be amended; however, as of April of 2003, there are no proposed changes pending. Other parts of HIPAA, relating to electronic transfer of data, are set to take effect in October of 2003. You will hear more about that, as that date approaches.

For Agent/Broker use only – not intended for use in solicitation of sales to the public.
Products and programs offered through this general agency are not approved for use in all states