
What HIPAA Means to You and Your Clients

Author: Judi Newman

Increasingly, we are receiving inquiries from agents wondering about the impact of HIPAA on their operations. Well, if you thought Gramm-Leach-Bliley was a pain, in the words of Al Jolson, you ain't seen nothin' yet. Although we're only a few months away from implementation, very few agents understand what HIPAA means to them and their clients, and how serious the penalties can be for noncompliance.

 

Note: The following article provides an overview of HIPAA and its possible implications for agents. The views expressed are those of the author and do not necessarily reflect the views or interpretations of IIABA. As with any law, in order to ensure proper, legal compliance, we encourage you to consult with appropriate qualified counsel before implementing HIPAA regulations in your operations.

IMPORTANT:  IIABA has developed an Executive Summary of the Privacy Rule Implementing HIPAA’s Privacy Requirements, and a Memorandum on Final HIPAA Privacy Regulations which was written by our outside counsel. IIABA members may access them by going to www.independentagent.com and clicking on the "Legal Advocacy" menu item on the left.


HIPAA: National Standards for Transactions, Security and Privacy

Beginning April 14, 2003, health plans will be required to comply with the privacy rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA). For many employers and virtually all health care organizations, these rules create significant requirements and limitations in the way that health information is maintained and transferred.

No doubt everyone has heard about HIPAA. The August 21, 1996 signing of this legislation by President Clinton represented the first major health reform legislation signed into law since Medicare in 1965. Now HIPAA is all of that and more. What impact has this law had on business, insurance companies and the public? Read on!

Remember Y2K? Many businesses spent a lot of money upgrading and in some cases just outright selecting new computers and printers and servers as well as system software. Everybody went to bed on December 31, 1999 wondering what debacles they would awaken to on January 1, 2000. For the most part, it was just another New Year's Day with parades, football games and good fun.

When HIPAA, the Health Insurance Portability and Accountability Act of 1996, was enacted, it was hailed as the solution for some health insurance problems like guaranteed renewal of coverage, continued coverage for pre-existing conditions, long term care provisions that would not impact Medicare, and privacy, to name a few of the issues that had long plagued the American public. Little did anyone realize that when it actually came time to meet all of the compliance dates and implement the required standards, the estimated cost could well exceed five times the cost of Y2K.

Now you are probably wondering, "How can this possibly have any impact on our agency?" The most recent actions with HIPAA involve regulations designed to protect the handling of protected health information. Let's take a look at the highlights of HIPAA for a better understanding of the intent of the act and where it is leading us today.

Just in case you think this doesn't apply to you or your agency, can you afford the fines for non-compliance with the standards, or how about a violation of the Privacy Rule? Make sure you are not required to comply with HIPAA before you decide that this has nothing to do with you or your agency. You may be surprised to learn that the civil and criminal fines for non-compliance can be very expensive:

  $100 fine per day for each unmet standard. (Up to $25,000 per person, per year, per standard.)

  $50,000 fine plus one year in prison for knowing violations involving improper disclosure of health information.

  $100,000 fine plus five years in prison for obtaining or disclosing health information under false pretenses.

  $250,000 fine plus ten years in prison for obtaining health information with the intent to sell, transfer or use it for commercial advantage, for personal gain, or with malicious intent.

Do we have your attention yet?

 

Background

On August 21, 1996, President Clinton signed HIPAA into law. The Health Insurance Portability and Accountability Act of 1996 included important new protections for an estimated 25 million Americans (approximately 1 in 10) who move from one job to another, who are self-employed, or who have pre-existing medical conditions. The legislation, which was jointly sponsored by Sen. Edward Kennedy (D-Mass.) and Sen. Nancy Kassebaum (R-Kan.), was approved virtually unanimously by the House and Senate. It was designed to improve the availability of health insurance to working families and their children.

Key Provisions

Guaranteed Access for Small Business
Small businesses (50 or fewer employees) are guaranteed access to health insurance. No insurer can exclude an employee or a family member from coverage based on health status.

Guaranteed Renewal of Insurance
Once an insurer sells a policy to any individual or group, they are required to renew coverage regardless of the health status of any member of a group.

Guaranteed Access for Individuals
People who lose their group coverage (for example, because of loss of employment or change of jobs to a firm without insurance) will be guaranteed access to coverage in the individual market, or states may develop alternative programs to assure that comparable coverage is available to these people. The coverage will be available without regard to health status, and renewal will be guaranteed.

Pre-existing Conditions
Workers covered by group insurance policies cannot be excluded from coverage for more than 12 months due to a pre-existing medical condition. Such limits can only be placed on conditions treated or diagnosed within the six months prior to their enrollment in an insurance plan. Insurers cannot impose new pre-existing condition exclusions for workers with previous coverage.

Self-employed Individuals
The current tax deduction for insurance costs of self-employed individuals was gradually increased from 30 percent in 1996 to 100 percent in 2002 with new 2001 tax laws.

Medical Savings Accounts
From January 1, 1997, to January 1, 2000, firms with 50 or fewer employees and self-employed individuals were able to enroll in a qualified high deductible health plan and establish tax-favored medical savings accounts, or MSAs. At the present time MSAs are still available.

Fraud and Abuse Control
A new health care fraud and abuse control program was created and coordinated by the Department of Health and Human Services (HHS) Office of the Inspector General and the Department of Justice. Funds for this program have been appropriated from the Medicare Hospital Insurance (HI) trust fund which:

  Established the Medicare Integrity Program to be funded through appropriations from the HI trust fund;

  Required exclusion from Medicare and Medicaid for felony convictions related to health care fraud or controlled substances;

  Created a program encouraging Medicare beneficiaries to report fraud and abuse and offer suggestions to improve efficiency of the Medicare program, and provides for payment to beneficiaries in certain cases;

  Required issuance of advisory opinions, additional safe harbors, and fraud alerts regarding the anti-kickback statute;

  Created a new exception to the anti-kickback statute for certain risk-sharing organizations;

  Expanded conditions under which civil monetary penalties and intermediate sanctions can be imposed on HMOs participating in Medicare;

  Established a data base of final adverse actions taken against health care providers; and

  Made knowing and willful transfer of assets to gain Medicaid eligibility subject to criminal penalties.

Long-Term Care Insurance
Minimum federal consumer protection and marketing requirements were established for tax-qualified long-term care insurance policies, including a requirement that insurers start benefit payments when a policyholder cannot perform at least two "activities of daily living" (e.g., bathing, eating, toileting, transferring, dressing, and incontinence). Subject to certain limitations, they clarified that long-term care insurance premium payments and unreimbursed long-term care services costs are tax deductible as a medical expense, and benefits received under a long-term care insurance contract are excludable from taxable income. Employer sponsored long-term care insurance receives the same tax treatment as health insurance. Non tax-qualified long-term care policies can still be purchased depending upon the needs of the individual.

Medigap Insurance
The notice requirements for health insurance policies that pay benefits without regard to Medicare coverage or other insurance coverage were revised. Long-term care policies are permitted to coordinate with Medicare and other coverage and disclose any duplication of benefits.

Accelerated Benefits and Viatical Insurance Settlements
A person who is within 24 months of death can have a portion of their death benefit of a life insurance policy prepaid by the issuing insurance company tax-free. Such a person also is allowed to sell his or her life insurance to a viatical settlement company tax-free. A chronically ill individual can sell their life insurance and any long-term care insurance rider tax-free; the proceeds of such a sale must be spent on long-term care.

Health Information Privacy
If Congress does not enact privacy legislation within three years, health care providers, health plans, and health care clearinghouses will be required to follow privacy regulations promulgated by HHS for individually identifiable electronic health information. (Refer to S.1360, Medical Records Confidentiality Act of 1995, a bill to ensure personal privacy with respect to medical records and health care-related information, and for other purposes.) Since Congress did not enact the required privacy legislation within three years of HIPAA’s passage, health care providers, health plans, and health care clearinghouses will be required to follow the Privacy Rule under Title II of HIPAA which is the Administrative Simplification Regulations.

Administrative Simplification
All health care providers and health plans that engage in electronic administrative and financial transactions must use a single set of national standards and identifiers. Electronic health information systems must meet security standards. This should result in more cost-effective electronic claims processing and coordination of benefits.

What's Next?

When HIPAA was signed into law, Title I, which covered issues like portability of coverage and pre-existing conditions, was complied with as stated. Title II, the Administrative Simplification Regulations, is now at the forefront. Today, health plans, insurance companies, agents, TPAs, hospitals, pharmacies, doctors and other health care entities use a wide variety of systems to process and track health care bills and other information. Hospitals and doctors' offices treat patients who have many different types of health insurance and must spend time and money ensuring that each claim contains the format, codes and other details required by each insurer. Similarly, health plans spend time and money to ensure their systems can handle transactions from various health care providers and clearinghouses.

Where Does the Insurance Agent Fit In?

By now, you are probably wondering where all this is headed for insurance agencies. There are at least three specific areas where, if insurance agents and brokers are involved in any or all of these practices, they might be a "covered entity" and must be in compliance with the HIPAA Privacy Rules:

  Selling health insurance directly to an individual;
  Selling a group health insurance plan to a business owner; and
  Involvement by the agent in setting up or managing a self insured plan (TPA).

If you have any of these types of activities in your agency, you are required to comply with the HIPAA Privacy Rules. It appears that the insurance agent/broker might be considered a "covered entity" (CE) and a "business associate." There is a difference, depending on their role in the transaction, and clarification should be a priority.

Employers that provide health benefits for their employees have also created an "Employee Health Plan." Under HIPAA, "Health Plans" (but NOT the employers themselves) are CEs and must use and disclose PHI according to the same HIPAA mandates as any other CE. As a "covered entity," you will need to create your own Notice of Privacy Practices and develop a business associate agreement, which will need to be signed by everyone with whom you do business. You will also need to appoint a Chief Privacy Official. This is just for starters.

A "Business Associate" is a person who acts in a capacity other than as a member of the workforce of a covered entity to assist in functions or activities involving the use of individually identifiable health information. As a business associate, you must safeguard "protected health information" (PHI) and respect the individual's rights in the rule. But you won't be forced to implement all the requirements of a "covered entity."

This is a good time to review your agency's position in the health insurance business. It may be time to send Uncle Joe and his health insurance policy to another agent if that is the only health policy you have on the books. On the other hand, if you have been paying attention to the "experts" you might have started and grown an employee benefits department, in which case you have some work to do on HIPAA compliance.

Administrative Simplification Regulation

Administrative Simplification is referred to as the "accountability" part of HIPAA. The Privacy Rule provisions relating to privacy became effective April 14, 2001, but the compliance deadline is not until April 14, 2003. Small entities, plans with less than $5 million in receipts, will have until April 14, 2004 to be fully compliant.

The Administrative Simplification Regulation has three major purposes: (1) to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information; (2) to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and (3) to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

The Administrative Simplification also includes HIPAA’s Standards for Electronic Transmission, a separate set of regulations that mandate adoption of HHS-prescribed code sets by entities that exchange PHI in electronic format. It also requires the implementation of standard transaction code sets and identifiers (TCI). The purpose of these regulations is to standardize the collection and transmission of information between covered entities to gain efficiencies in the healthcare system. The compliance date for adoption was October 16, 2002, with a one year extension granted upon application. Small plans and those with extensions have until October 16, 2003 to comply.

Security and privacy standards can promote higher quality care by assuring consumers that their personal health information will be protected from inappropriate uses and disclosures. In addition, uniform national standards will allegedly save billions of dollars each year for health care businesses by lowering the costs of developing and maintaining software and reducing the time and expense needed to handle health care transactions.

The federal privacy regulation empowers patients by guaranteeing them access to their medical records, giving them more control over how their protected health information is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The rule will protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.

Electronic Transaction Standards

In August 2000, HHS issued final electronic transaction standards to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. The new standards establish standard data content, codes and formats for submitting electronic claims and other administrative health care transactions. By promoting the greater use of electronic transactions and the elimination of inefficient paper forms, these standards are expected to provide a net savings to the health care industry of $29.9 billion over 10 years. All health care providers will be able to use the electronic format to bill for their services, and all health plans will be required to accept these standard electronic claims, referral authorizations and other transactions.

Employer Identifier

In May 2002, HHS issued a final rule to standardize the identifying numbers assigned to employers in the health care industry by using the existing Employer Identification Number (EIN), which is assigned and maintained by the Internal Revenue Service. Businesses that pay wages to employees already have an EIN. Currently, health plans and providers may use different ID numbers for a single employer in their transactions, increasing the time and cost for routine activities such as health plan enrollments and health plan premium payments. Most covered entities must comply with the EIN standard by July 30, 2004. (Small health plans have an additional year to comply.)

Enforcement

HHS Secretary Tommy G. Thompson announced, on October 15, 2002, that the Centers for Medicare & Medicaid Services (CMS) will be responsible for enforcing the HIPAA transaction and code set standards. "HIPAA administrative simplification is going to streamline and standardize the electronic filing and processing of health insurance claims, save money and provide better service for providers, insurers and patients," Thompson said.

"To accomplish this will require an enforcement operation that will assure compliance and provide support for those who file and process health care claims and other transactions," Thompson said. "CMS is the agency best able to do this."

CMS will continue to enforce the insurance portability requirements of HIPAA. The HHS Office for Civil Rights (OCR) will enforce the HIPAA privacy standards. CMS and OCR will work together on outreach and enforcement and on issues that touch on the responsibilities of both organizations, such as application of security standards or exception determinations.

Compliance Schedule

HIPAA requires most health plans, clearinghouses, and those providers that conduct certain transactions electronically to be compliant with the Standards for Electronic Transmission (the HIPAA transaction standards) by October 16, 2002, unless they file on or before October 15 for a one-year extension. Those who are not compliant and have not filed for the extension may be subject to statutory penalties. (The law gives certain small health plans, firms with receipts under $5 million, until October 16, 2003 to comply.)

Enforcement activities will focus on obtaining voluntary compliance through technical assistance. The process will be primarily complaint driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan.

In general, the law requires covered entities to be in compliance with each set of standards within two years following adoption. The following outlines the compliance schedule:

Transaction Standards: October 16, 2002, except for small health plans, which have until October 16, 2003 to be in compliance. (For the electronic transaction rule only, Congress in 2001 enacted legislation allowing a one-year extension for most covered entities provided that they submit a plan for achieving compliance. As a result, covered entities that qualify and have filed for the extension will have until October 16, 2003 to meet the electronic transaction standards.)

Privacy Regulations: April 14, 2003 except for small health plans which have until April 14, 2004.

Summary

Security and privacy standards can promote higher quality care by assuring consumers that their personal health information will be protected from inappropriate uses and disclosures. In addition, uniform national standards will save billions of dollars each year for health care businesses by lowering the costs of developing and maintaining software and reducing the time and expense needed to handle health care transactions.

The Administrative Simplification Regulation empowers patients by guaranteeing them access to their medical records, giving them more control over how their protected health information is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The Privacy Rule will protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.

HIPAA and its regulations have three major purposes: (1) to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information; (2) to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and (3) to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

The Privacy Rule empowers patients by guaranteeing them access to their medical records, giving them more control over how their protected health information is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The Privacy Rule will protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.

ADDITIONAL RESOURCES ON HIPAA
Research for this article turned up more than 75,000 pages of legislation in the National Register on HIPAA. Boiling it down to just over 3,000 words leaves out many of the details. Additional information can be found at the following websites:

HIPAA Statute and Regulations
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html

HIPAA Health Privacy Research
  https://www.cdt.org/issue/health-privacy/

Security Advisory & Resource Links
  http://www.timberlinetechnologies.com/advisory.html
  http://www.timberlinetechnologies.com/tech.html

HHS HIPAA Information, FAQs & Forms
  http://www.hhs.gov/ocr/hipaa/
  http://www.hhs.gov/ocr/privacy/familyhealthhistoryfaqs.pdf

Other sites of interest:
  http://www.ahla.org
  http://www.aha.org
  http://www.amia.org
  http://www.ashrm.org
  http://www.cpri.org
  http://www.hhs.gov/ocr/privacy/hipaa/enforcement
  http://wpc-edi.com/
  http://www.hippa-compliance.com
  http://insurance.about.com/  (enter HIPAA in the search box)

 

By Judith H. Newman, President of Phaze II Consulting, Inc. Judi has worked on site with over 500 agents across the nation on a variety of consulting projects. Phaze II Consulting, Inc. is the owner of the Master Agency Manager, designed to be the most complete and easy to use agency management resource available today. The Master Agency Manager is a must have tool for anyone interested in the insurance agency business.

Phaze II Consulting, Inc. provides consulting services to independent insurance agencies in matters of management issues, operations, planning, valuations and customized projects for individual clients. Phaze II Consulting, Inc. is available to assist you in understanding your responsibilities under HIPAA and GLB (Gramm, Leach, Bliley) and meeting compliance for your agency. Please contact Judi Newman at 800-638-0657 for additional information.

Copyright 2002 by Phaze II Consulting, Inc. Used with permission.
