September 2013 – PIA National

ABCs of Building a Privacy-HIPAA Compliance Plan

While you may currently be focused on HIPAA, the foundation of a PIA agency’s HIPAA compliance plan will be based on, and be an integrated part of, the agency’s overall ongoing insurance privacy and data protection program. Insurance privacy laws have always covered health and medical information, data and activities.

Further, if you have been dealing in health insurance and/or any form of insurance where medical/health information has been required, you have also been covered by HIPAA since 2002, and by the subsequent additions to it over the years.

So the current HIPAA changes should only add some new procedures to the agency’s existing core plan and update some others. In this regard, they present an excellent opportunity for an overall agency review of plan and procedures.

CORNERSTONES of Your Work Product:

The discipline/experience to do this kind of audit in order to create a plan is already in the DNA of PIA agencies, because it is the fundamental skill set required to practice the business of insurance, to advise agency customers on risk management, and to carry out the 101-class process of E&O prevention/defense documentation.

It is imperative to remember that insurance law and HIPAA include the expectation and requirement that the complying party (the PIA AGENCY) is able, upon request/demand, to produce written documentation that demonstrates it has (i.) conducted a thorough review of these obligations compared to the nature, scope and all specifics (including persons) of its operations and of any outside parties with which it conducts such activities; (ii.) formed a resulting plan for its compliance; (iii.) memorialized this into instructions, required practices and forms for its operations and personnel; (iv.) informed/trained staff on these (including rotation for new staff coming in, and including reminders of the ongoing obligations of outgoing staff); (v.) monitored implementation; (vi.) identified, with swift action, areas needing improvement and/or staff needing retraining and/or updates needing to be added because of changing business dynamics; and (vii.) kept regular notice of, and made timely improvements/applications to, its systems with respect to updates, patches and changes in law/obligations.

WHO WHAT & HOW IS COVERED?

Business Associates are NOW Covered Entities?

PIA agencies (the entity, all employees engaged in this nature of data collection/insurance/service transactions, and any independent contractors of the agency performing such activities) engaged in health/medical benefits/insurance are subject to HIPAA and are now a covered entity under it in several ways:

As a Business Associate, because the agency:

A.  Places health/medical insurance coverage/plans and/or provides services on behalf of, and as agent of, a health insurance carrier/provider.

B.  Places health/medical insurance coverage on behalf of its agency customer (in the role of broker) through a wholesaler, alternative insurance plan and/or exchange.

C.  Performs services for and on behalf of its employer-customers in managing their employee benefit health/medical plans (whether it charges a fee or not) that are expected/required of the employer but are not part of the insurer’s requirements of the agency covered by carrier-paid compensation to the agency.

Also, PIA member agencies, as employers providing employee health/medical and benefit plans, have been and continue to be COVERED ENTITIES and subject to all the employer compliance expectations.

THREE NOTES: * Please remember that there will be some differences between the way you comply as the insurance agency BA of a health insurer and the way you comply as the BA of your employer-customer. While what the agency does in and for each of these roles is mutually complementary, supportive and in the best interests of employer and insurer, as well as employees, the two are not exactly the same.

* This is particularly important to keep clear as you review the HIPAA section on claims reporting/codes and data processing. If a PIA member performs any processing and/or reporting of claims data/information to/from individuals, employer-customers and/or the insurer, you need to have clear determinations from the insurer as to whether they consider you to be doing so on their behalf or as the facilitator of the employer. In either case the insurer must provide instructions on exactly how this information will be recorded and reported, and how any follow-up or result will be handled. This may include inputting information using carrier/exchange-designated claims codes assigned by the insurer. The same express clarification is needed if the agency is processing this information to and through a GA, Broker, MGS and/or TPA, i.e. is this on behalf of the insurer or the employer?

* While HIPAA was not designed to cover life insurance/life insurers/life insurance transactions or WC or WC carriers (all of which PIA agrees with), there can be certain products (in A&D, LTC and/or WC combined with a health/medical employee benefit offering, à la some PEOs, etc.) where each carrier with such offerings must decide whether that particular product of theirs, and they themselves, are or are not covered by HIPAA. Generally, agencies for those carriers should follow compliance per carrier instructions. However, we again point out that insurance privacy laws cover all individuals’ health/medical information and the use thereof, so PIA agencies will have a general privacy compliance approach that aligns with the intent and content of HIPAA.

HOW to Begin Your Review, Revised Plan & Implementation?

We appreciate that PIA agencies would prefer a set model program to pick up and use as is. In the early days of privacy, when agencies ran less complex shops, that may have seemed possible.

However, the clear direction in privacy/data security expectations, requirements, obligations, compliance and enforcement actions is toward having compliant, common, always-current practices that are molded to the individual specifics of each need, each time.

Since no two PIA member agencies operate in the same way, each member agency is in the best position to know what is common for it, what the exceptions are, and how to comply with both, while also having a process to customize further on demand. This is particularly true when it comes to “insurance services” provided for agency customers.

Agency services are an area of agency activity that has grown and will continue to grow, as many agencies see this as their point of competitive differentiation and, in health insurance, one of the leading ways to “stay in the game.” This also follows the direction of the health/medical insurance coverage world, which is being executed by an ever-increasing number of different purveyors and vehicles.

So, we understand that the following process, while substantially comprehensive, is outlined for a perfect world. We expect that PIA member agencies will pick and choose what is most important to accomplish first and then address the balance later, which is in itself a wise approach. But this plan and resource remain available to you for continuing to improve and add to your internal agency program.

1.  Begin by gathering your current privacy, data, breach and systems security plans, policies and procedures all together and use them as your scratch draft. This should make note of all carrier requirements of the agency in these areas.

2.  Specific to the current HIPAA rule, a very good summary review of what has changed under the new rule is provided for PIA members in the PowerPoint presentation provided to us by Marissa Gordon-Nguyen of HHS and Mr. John McClure of wedi (Thanks!). This gives you a quick snapshot of what has changed, and how, across the entire rule, all sections. It also allows PIA agencies to identify which listed activities your agency performs and which it does not.

3.  Be sure you add all the revised/updated instructions that you have received from insurers/wholesalers regarding this new rule.

4.  Working with all agency staff involved in these areas, follow and answer these queries to create a listing/outline from your answers:

A.  Among the employer and/or individual life and health benefit insurance policies (including certificates under group programs) that the agency currently solicits, sells, negotiates, places, transacts, effects, services (changes, claims, data reporting, coverage assessment, enrollment etc.) –

B.  What activities does your agency perform, for whom, for what class of customer/insurer, what type of information is required/handled, to and from what parties is this data exchanged, by whom in the agency and to whom, used for what purposes, and subsequently how is it specifically handled internally, and by whom in the agency, for any health/medical information-related insurance coverages/services?

C.  Please be sure to include every exception, even if it is only performed for a few customers and/or only occasionally.

5.  We suggest that the agency may wish to do steps 2-4 as a separate exercise, creating its own listing. It is then easier for the agency to take the resulting list from steps 2-4 and compare it point by point with the agency’s current complete plan (step 1). The five questions to ask on each comparison:

a.  How is the agency currently handling this area?

b.  Can current agency compliance remain the same?

c.  Does the agency need to change/update/add to its current compliance and if so how?

d.  Do we need to verify (in writing) with the carrier, wholesaler, exchange, customers, etc.?

e.  What role is the agency fulfilling, i.e. is it acting on behalf of the carrier, the wholesaler, the individual customer, the employer customer, an employee of the employer customer, the exchange, etc.?

6.  Follow agency activities all the way through: solicitation, sale, negotiation, collection, preparation, transactions/transmissions, effecting, communication (and its various forms), use, who handles what, when and how, responses, placement, enrollments, policyholder issuances, endorsements, certificates, claims, risk management, other services, and short-term and long-term records retention/storage. Remember, as with insurance privacy, the agency must address and comply with PHI privacy, data protection, systems security and breach protocols.

7.  Review your notes/details of what the agency does, how it falls under HIPAA and what changes need to be made, and decide how to compose your revised plan.

a.  Decide which portions must be addressed first, and so forth. The plan can be updated and completed over some period of time (12 months), but do not let it drop.

b.  Select who or what group will be assigned to each area of change to draft the revisions/updates to current agency instruction notes, practices outlines, policy manuals and the like. Please don’t overlook all the systems NOTEs and TAGs you’ve created in the past as “reminders.”

c.  Assign a firm completion date to each section/group’s work. You may find that one team needs to complete its task before another can work off that draft to complete its portion of the update.

d.  Changes will generally come in four areas: Written (to include instructions, forms, fax machine messages, etc.); Systems (to include agency websites, email, social media, internal systems, storage, warehouses, clouds, etc.); Communications, i.e. the manner in which you do or don’t communicate in writing and speaking (phone, voice mail, updated agency messages that remember to say after “We do not bind, etc.”: “please do not leave any personal or private information on our voice mail”) with prospects, customers, individuals, businesses, carriers, neighbors and the like; and Internal activities, to include manuals and the staff compliance mandates that are part of the agency manual and make clear the legal obligations of everyone and of the agency (also by carrier contract obligations), noting that serious errors may require immediate termination and/or reporting to carrier/regulators; these mandates are included in every job description, education/training, remediation training, termination process, and the like.

e.  The revised drafts do not need to be scholarly works of great American Literature.

f.  Bring a single team of staff specialists together from all affected areas to review the overall completed draft: to ensure that everything has been picked up, to decide whether additional changes/notations are needed, to help revise for clarity, and to follow up on any verifications from carriers and others.

g.  Once this revised draft is completed, and if the agency can, it may be a good idea for the assigned oversight project leader (most likely the owner-principal) to secure the services of an outside party that does business writing. Community college teaching staff and/or senior college business majors are all good candidates, and cost-effective.

h.  In the meantime, the agency principal can be speaking with carriers and employer-customers to review the updates and see if they have any suggestions/questions.

i.  Once the “professional writer” version is completed, the specialist team reviews it one more time. Then create your implementation schedule of when changes go in, a training session with all staff (on a sign-in basis, to be retained in file), an updated agency notice of privacy practices (once a year to all customers, and then at the time new customers are written) and perhaps a summary update to your carriers and lead employer-customers.

j.  Please don’t forget to create and issue your own agency-as-employer notices to your agency employees as well.

PIA has included several additional planning outlines from several other organizations; member agencies may find it helpful to take some part of one format and combine it with another in developing the outline format that works best for you. That format can then be combined with the above process and questions.

Share your questions:

As always, PIA is here to help you with your approach to compliance on HIPAA, as well as any other compliance issues. Please contact ()

Please refer to:

PowerPoint presentation provided to us by Marissa Gordon-Nguyen of HHS and Mr. John McClure of wedi

Action Item Checklist for Employers - For the Final HIPAA Privacy Regulations - April 26, 2013 - Legal Updates

AICPA – Scope of Regulation