National Association of Professional Insurance Agents
September 2013
TO: PIA National and Affiliates and Members
RE: HIPAA OMNIBUS FINAL RULE – Quick Overview
What it means to PIA agencies.
HHS’ final rule was published in January and became effective in March; it will be enforced beginning September 23rd. PIA agencies have already developed and implemented, and are monitoring, enforcing and updating, their overall privacy information/data, breach and systems security compliance program (which has included HIPAA since 2002), as already required of you under current insurance law. Hence, for the most part, the new HIPAA rule will be a matter of review and fine tuning for the changes in HIPAA.
Remember and Update Your Current Baseline:
1. Across all of these differences, PIA agencies must be current on the state insurance privacy (and related requirements) that apply to their agency and the nature, scope and territories across which the agency operates. This is your data/privacy compliance foundation.
2. Then the agency will add/modify these founding practices with the further/updated specifics from the revised HIPAA rules and/or health carrier and/or exchange instructions.
3. On the list of additional reference resources, we’ve included an ABCs Outline to assist member-agencies in approaching their agency review, from which they will develop their agency’s specific plan for compliance.
HIPAA Rules Facts to know:
4. PHI = Private Health Information; CE = Covered Entity; BA = Business Associate
5. This HHS HIPAA rule is omnibus because it formally brings together three areas of existing federal law and agency rules, all related to different areas of HIPAA. Thus, HHS has better coordinated and aligned these several sets of different federal laws and rules as they apply to HIPAA. The summary directly from HHS, included in your listed resources, provides more specifics as to which actual federal statutes/regulations are embraced, but in sum the three functional areas addressed are:
- Private health information/data – (PHI)
- Notice and action plan requirements if a breach occurs
- Expectations that all mediums, systems and facilities (to include people and connected parties) used containing PHI are secured.
Members will note that these are the same three areas PIA agencies are already obligated to comply with under insurance laws and regulations, as well as carrier-agency agreements.
FYI – For those members interested, in the additional reference resources we’ve provided the several lead and most direct web-links to the HHS guidance information and education materials for each of these areas.
6. As directly stated in the HHS summary, this omnibus rule will:
- Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
7. Of prime importance to PIA members is that HHS has now made plain that BAs are also primary covered entities (CE) and subject to the same level of care, compliance and possible liability as the original set of CEs. This underscores the point that if what a person does is listed in the activities under HIPAA and/or if what they do involves PHI then that person, too, must comply with HIPAA.
8. Also, under the comprehensive version of the final rule (copy provided in the listed resources), HHS more clearly and completely addresses under what circumstances some limitations/exceptions may apply.
Despite the fact that the complete final rule is a very wordy, weighty document, it outlines very good explanations and illustrations of what HHS means in various areas of the rule. We encourage members to retain this document as part of your compliance/reference guide. It “demonstrates” what guidance HHS provided to complying parties.
9. Provided for PIA members by, and outlined in, the complete Manning, Morris & Martin, LLP bulletin (also included in the additional resources):
“As required by HITECH, the Rule imposes certain regulatory duties on business associates and makes any violation of these duties subject to HIPAA’s civil and criminal penalties. The regulatory duties applicable to business associates, including subcontractors that qualify as business associates, include the following:
i. Business associates must implement administrative, technical and physical safeguards to protect the security of electronic PHI as required by the HIPAA Security Rule. Business associates also must comply with the Security Rule’s documentation requirements.
ii. Business associates contracting directly with a covered entity must provide timely notice to the covered entity of any security breach involving unsecured PHI. It appears subcontractors that are business associates must give notice of breach to the business associate with which they have a direct contractual relationship, although the Rule is not entirely clear on this point.
iii. Business associates must use and disclose PHI only as permitted by their business associate agreement.
iv. Business associates must not use or disclose PHI in a way that would violate the Privacy Rule if done by the covered entity.
v. Business associates must execute business associate agreements with their subcontractors that handle PHI. If a subcontractor engages in a pattern of conduct or practice in material breach of its business associate agreement, the business associate must take reasonable steps to cure the breach and, if such steps are unsuccessful, terminate the agreement if feasible.
vi. Business associates must make reasonable efforts to limit uses and disclosures of, and requests for, PHI to the minimum necessary. This requirement suggests that business associates should have reasonable written policies and procedures for limiting uses and disclosures of, and requests for, PHI to the minimum necessary and limiting the access of personnel to PHI necessary for their job function.
vii. Business associates must disclose PHI to the covered entity, individual or the individual’s designee when required to provide an electronic copy of PHI. Business associates also must disclose PHI to the Secretary of Health and Human Services when lawfully requested to do so.”
10. Due to these changes, the rule also requires BA agreements and/or contracts to be updated to reflect the new requirements. This process has until September 2014 to be completed. This includes like-kind agreements/contracts that PIA agencies would have with any outside parties they may require to perform some function that may involve any of this information (parties that are not otherwise an expressed part of the “covered, obligated and already contracted community”). This is similar to areas of obligation that already exist under insurance privacy laws.
11. All PIA agencies doing business with health insurers have (or should have) both an agency agreement and an addendum or agreement section that addresses HIPAA and the agency’s role as a Business Associate. Carriers’ updated versions should provide clear instructions to the agency of what the carrier requires of them under the revised HIPAA, and such instructions must be “legally feasible/permissible” for the agency to comply with, and not create any conflicts in law.
12. Of course, this time around, these BA agreements/contracts/addendums with their instructions may become more complicated. Not only will PIA members continue to write business directly for health insurance (each carrier having its own view of compliance instructions) under the current traditional insurance system, but many PIA agencies also place through health-insurance GAs, brokers and/or TPAs. We already know that many PIA agencies will also be doing health insurance placements for carriers and/or individual and/or business agency customers under state and/or federal health exchanges. Most likely these will create some differences between and among their instructions, disclosure and release forms language, and the like.
13. However, still make your list, including all these differences. Then, please, take a step back. For the sake of agency efficiency, better compliance, E&O prevention and your sanity, look at each area and circle the most demanding requirement, process and/or language being asked of you by any one party/state. Consider making this tougher standard, if possible, the common basis of your compliance across all. Generally speaking, the law will expect that when one has two different sets of instructions for complying with the same thing, one will elect the higher consumer-right/protection version to become their common practice, and thus treat all their customers/prospects/parties with the same level of care. So, PIA agencies have both a right and a compliance need to maintain as common and equal a treatment across all their insurance customers and prospects as is legally possible.
14. Please advise of any questions, comments, suggestions and/or requests for assistance on these or any privacy/data/cyber matter. Pat Borowski,
ABCs of Privacy & HIPAA Compliance
PowerPoint Presentation by Marissa Gordon-Nguyen, HHS
Action Items List for Employers
AICPA Scope of Regulation
January 2013 HHS Summary
Manning Morris & Martin LLP – HIPAA/BA article
PIA Suggested HHS HIPAA Information/Education Resources