By Fred Bean, CLU, AHIA EduCall chair

The final countdown to Health Insurance Portability and Accountability Act (HIPAA) privacy compliance has begun. Are you familiar with the new rules that go into effect April 15, 2003 for large-group plans and April 15, 2004 for small-group plans?

Although compliance efforts may seem complex and time-consuming, it is important to understand the new regulations and how it affects you and your clients. The Association of Health Insurance Advisors (AHIA) presented the EduCall “Understanding HIPAA Privacy Regulations” to answer agents’ basic questions; here are some highlights of what was discussed to bring you up to speed.

You are obligated to provide notice to all your group plans, based on their Graham-Leach-Bliley obligations, now those notices have to be HIPAA compliant. —Scott Sinder, Esq. Collier Shannon and Scott

What is not included
Scott Sinder, Esq., of Collier Shannon and Scott, and Jill Hengy, claims and customer service project manager with Brokerage Concepts, Inc., were the featured speakers. Sinder began his discussion with what agents do not have to be worried about. “Certain things are not covered by the act. Those include what is referred to in the act as accepted benefits. Accepted benefits are essentially things that aren’t primarily about providing health coverage. They’re things like life insurance products, disability products and workers’ compensation policies. All of those are exempt under the act, which means any information that is collected or maintained in conjunction with providing such benefits is not covered by the acts’ obligations,” said Sinder.

He did caution participants that “regardless of whether you are a quote/unquote covered entity [as defined by the privacy regulation], a business associate or acting in conjunction with an insurance company as their employee, the same types of obligations are going to apply. The only question is: Who is, at the end of the day, responsible for the nature of the compliance?” Sinder goes on to reply to his own question that it is everyone’s duty. “These obligations extend not just to people providing health benefits like insurers or employee benefits plans, but they also extend to the providers themselves--hospitals, physicians, people like that,” he said.

Self-funded vs. fully funded plans
Hengy’s expertise in the discussion included self-funded plans vs. fully funded plans. “Under a fully insured carrier, the carrier must distribute the privacy notice to all insured covered under the plan. For the self-funded group, the client needs to distribute the privacy notice for the self-funded cases at the time of enrollment,” she said.

Hengy advised participants that “any contract needs to be addressed and it’s important that you make sure that that happens as an agent. I also recommend you … keep a record of those signed contracts for reference. If your client wants you to receive or send PHI [personal health information], make sure that your name is on that business associate agreement.”

Sinder disagreed with this practice by cautioning that although “this may be good advice for most agents or brokers, you have to keep in mind that you may accrue certain liabilities and legal responsibilities with respect to those agreements. You need to be careful in deciding how you’re going to address this with your clients, so you don’t change the nature of the relationship inadvertently, that you do it consciously and that you take other steps that you need to take to protect yourself.”

The call was an information-packed hour, and at the end of the discussion, Sinder gave his parting advice: “Just be aware of the fact that these obligations are out there and if you’re handling this information you have to be sure that you’re doing it in accordance with the rules. You are obligated to provide notice to all your group plans, based on their Graham-Leach-Bliley obligations, now those notices have to be HIPAA compliant. In the guide [available to AHIA members on the website], we keep mentioning there is a HIPAA compliant GLBA notice that can be used to satisfy this obligation, and it really will not be that onerous once you get up to speed on it.”

Hengy closed her comments with a reminder that although the content of the call was privacy, “…another aspect of HIPAA is that … you make sure that the organizations or the companies that you are working with are EDI [electronic data interchange] compliant and EDI ready.”

For more insight from these speakers on what HIPAA privacy regulations say about covered entities, business-associate definitions, consent and more, you may purchase this EduCall on tape or CD from AHIA. To order (AHIA members receive a discount), call 703-770-8200 or send an email to ahia@naifa.org to request an order form.

Links:

• AHIA HIPAA privacy memo and sample text (password and username required)
  
• HHS sample business associate contract
  
• HHS website
  
• Centers for Medicare and Medicaid
  
• To submit a question or view answers to previously asked questions concerning the Transactions and Code Set standards

Web Exclusive Articles

Learning the Lesson of Persistence

Anyone Can Do It

Enhancing Your Image

An Alternative to Equity Split Dollar

Building Customer Engagement

The Seven Habits of a Highly Effective Top of the Table Producer

Top     LEGAL NOTICES     Contact Webmaster    

Change/Renew NAIFA Membership     Get Advisor Today: Join NAIFA

© Advisor Today 2003. All Rights Reserved.