Think you’re off the HIPAA hook because your firm doesn’t write medical? Think again.
Effective Sept. 23, the new HIPAA Omnibus Rule will tighten regulations for independent agencies and brokerage firms when it comes to security for personal health information.
But even if an agency doesn’t write health insurance, it can’t afford to tune out when someone mentions HIPAA compliance. According to Bill Larson, president of consulting firm Profit Protection Risk Management Consultants, HIPAA compliance procedures are crucial for all agencies that need to tighten up their general privacy systems.
“Most data breach policies will incorporate HIPAA compliance ideas,” says Larson, who works with insurance agencies and employers to help them implement data privacy security and compliance programs. “That’s huge. Whether it’s personal identifiable information [PII] or personal health information [PHI], the agent really has to have their act together.”
Judi Newman, president and owner of agency management consulting firm Phaze II Consulting, Inc., agrees. She notes the distinct similarities between compliance requirements for PII and PHI—the latter of which is the main focus of HIPAA.
“You go through some of the same steps,” says Newman, who has been tackling HIPAA prep work for 10 years. “You can leave out HIPAA and HITECH and health and you’re coming up with the same kind of requirements. It’s to the extent that if you’re in compliance with HIPAA, you’re in compliance with pretty much every other federal law and data breach notification state law.”
Although the HIPAA Omnibus Rule has recently moved privacy and security to the forefront of agents’ minds, assessing and managing privacy and security risks is an ongoing area of critical concern for any agency that maintains personal information about customers and employees. As the Federal Trade Commission (FTC) continues to increase enforcement activity for privacy regulations, companies must have an effective and compliant plan in place for dealing with security breaches.
And the risk for a security breach is real, regardless of the size and type of business. “In general, agencies say, ‘I’m not going to have a data breach. No big deal,’” Larson says. “But there are so many places where an employee can email or fax information to the wrong spot. Everybody’s got a laptop, we all have our smartphones. That whole area is involved in data breach.”
Notification of a data breach can trigger an FTC investigation into a company’s privacy and information security practices, which could cost years of valuable time as well as millions of dollars in legal and consulting fees if the agency’s ducks aren’t in a row.
Worse, the FTC won’t be the only source of consequences. A data breach can wreak havoc on the individuals affected, leaving them vulnerable to not only identity theft but hackers and thieves who sell personal information for financial gain. In that way, agencies that fail to set up their security systems in a compliant manner create “a potential unlimited liability exposure,” Larson says.
According to Newman, the beauty of HIPAA compliance is that it has gone to “such extremes” when it comes to publishing precise requirements for data breach notification compliance. Between annual auditing and security procedures, business associate and vendor confidentiality agreements, and privacy notice policies and practices, meeting HIPAA compliance requirements braces an agency for just about every related law out there.
That’s particularly important since in addition to a long list of stringent federal laws, 47 states also have their own unique legal conditions agencies must meet when it comes to protecting personal information.
“When you start going through all these privacy laws, it comes back down to having policies and procedures for how you’re handling everything,” Newman says. “We’re focusing on taking the whole picture and saying, ‘you may not sell health insurance, but don’t think you’re off the hook.’”
Both Larson and Newman acknowledge that most agents have their clients’ best interest at heart. But when it comes to securing important data in an age of sophisticated digital information systems, good intentions simply aren’t enough of a safeguard.
“Generally everyone who works at an insurance agency knows that the information they handle is confidential,” Newman says. “They’re not calling the local society column editor and saying ‘Guess who’s filing for bankruptcy?’ That’s not the issue. The issue is who else can get that information.”
Jacquelyn Connelly is IA assistant editor.