FAQ for Agencies
Question 1: What should my agency do in order to meet the intent of HIPAA?
Question 2: I am surprised that more of my clients are not asking me about HIPAA privacy.
Question 3: I provide health benefits to my clients through another agent. I have not signed a Business Associate Agreement from a carrier or the MGA writing these policies. Am I affected by HIPAA?
Question 4: When do I use a Business Associate Agreement (BAA) and when do I use a confidentiality agreement?
Question 5: Do I need to send a Notice of Privacy Practices (NPP) to the employees of all my clients?
Question 6: To whom do I need to send a Gramm-Leach-Bliley NPP and to whom do I need to send a HIPAA NPP? How often do I need to send these NPPs?
Question 7: Some of my clients have frequent changes of employees. I don’t have a current database of all the employees and I don’t have their addresses. How can I communicate with them directly?
Question 8: What does it mean when I sign a Business Associate Agreement (BAA) with a carrier?
Question 9: If a client decides not to institute a HIPAA Privacy program, should I sign a generic Business Associate Agreement and send it to them as a way to protect my company if there is ever a complaint filed?
Question 10: Is a covered entity liable for or required to monitor the actions of a BA?
Question 11: Is a re-insurer a Business Associate of a health plan?
Question 12: Is a software vendor a BA?
Question 13: As an insurance agent, I am not really that comfortable with my knowledge of HIPAA. What is my legal responsibility if I try to help or recommend materials to my clients?
Question 14: Can an agent take calls from employees and/or spouses to help them with claim issues without a signed authorization?
Question 15: When does an agency need to get a signed authorization form?
Question 16: Can an agency or an employer post a Notice of Privacy Practices in a common area for employees?

Question 1: What should my agency do in order to meet the intent of HIPAA?
A: One important step is to communicate with each of your group clients, in writing, that HIPAA privacy affects them and that they need to be in compliance no later than April 14, 2004. Keep a copy of what you mail out, so that if one of your “oh, this doesn’t impact me” clients does not comply and an enforcement action is later brought against them for non-compliance or a breach of their HIPAA privacy obligations, you can show that you gave them notice.

Question 2: I am surprised that more of my clients are not asking me about HIPAA privacy.
A: Once a plan sponsor understands the requirement, they will look to the agency providing the health benefits plan for help. In the meantime, very few employers are even aware of their responsibility. You can be the hero if you provide them help before the deadline; after April 14 you will be in damage-control mode. Remember, there are fines and penalties.

Question 3: I provide health benefits to my clients through another agent. I have not signed a Business Associate Agreement from a carrier or the MGA writing these policies. Am I affected by HIPAA? Should either the carrier or the MGA request that I sign a BAA?
A: No, not necessarily. Depending on the MGA’s or General Agent’s relationship to the insurer, you may be covered under their Business Associate Agreement. My advice is to sign a Confidentiality Agreement with the MGA/General Agent to ensure that any PHI you have or receive from the carrier is protected and maintained in accordance with the HIPAA privacy standards.

Question 4: When do I use a Business Associate Agreement (BAA) and when do I use a confidentiality agreement?
A: BAAs are for Covered Entities; Confidentiality Agreements are for Business Associates to use with their subcontractors. A health plan, provider, insurer or, in most cases, an employer names its agent or Third-Party Administrator (“TPA”) as a Business Associate. Agents use Confidentiality Agreements with their employees, with any agents with whom the agency shares commissions, and with contractors who have regular access to the office, such as a shredding company or IT vendor.

Question 5: Do I need to send a Notice of Privacy Practices (NPP) to the employees of all my clients?
A: Yes, because the protected health information you hold is about your clients’ employees. HIPAA privacy requires that the notice go to the employees, since it is their health information that you, as an agent, will have or maintain.

Question 6: To whom do I need to send a Gramm-Leach-Bliley NPP and to whom do I need to send a HIPAA NPP? How often do I need to send these NPPs?
A: Gramm-Leach-Bliley requires agents to deliver a Privacy Disclosure concerning Non-Public Personal Information (“NPPI”) to the agent’s clients, which for group products means that the agent is required only to provide a notice to the group administrator. This must happen annually. HIPAA privacy, by contrast, requires that the NPP be distributed once, at enrollment; after that, the health plan need only remind individuals at least every three years that the notice is available and how to obtain it, and must send out a revised notice within 60 days of any material change to it.
An effective solution is to issue a Notice of Privacy Practices that contains both HIPAA Privacy and Gramm-Leach-Bliley NPPI language. That covers the individual policyholder. A source for this document is the HIPAA Tool Kit for Agencies™.

Question 7: Some of my clients have frequent changes of employees. I don’t have a current database of all the employees and I don’t have their addresses. How can I communicate with them directly?
A: There may not be an easy way to communicate with them directly, and you will have to rely on the employer to deliver some communications.

Question 8: What does it mean when I sign a Business Associate Agreement (BAA) with a carrier?
A: In short, you are agreeing to fall under the wing of the carrier, which is a Covered Entity, and you can therefore receive PHI about your clients from the carrier, with fewer administrative burdens, as a Business Associate (BA). Agents and brokers are not explicitly defined in the statute as Covered Entities and so are not directly subject to the civil and criminal penalties associated with HIPAA privacy; instead, the BA contract allows them to receive PHI from carriers and obligates them to protect it once it is in their possession.
Some insurers do not understand the simplicity of the BAA and may still require you to obtain an authorization from the individual before they will talk to you. This approach is overly cautious given the intent of Business Associate status. Nevertheless, some insurers will require the authorization prior to discussions.

Question 9: If a client decides not to institute a HIPAA Privacy program, should I sign a generic Business Associate Agreement and send it to them as a way to protect my company if there is ever a complaint filed?
A: A client that decides not to comply, even partially, with HIPAA privacy for covered plans is taking a serious risk. Make sure that you have given them notice of their obligation to comply with HIPAA privacy, through some form of letter, so that if or when they get into trouble for not complying you have a ready defense showing that you informed them of the need to comply and of their obligations, and that they refused. In the meantime, send them a signed Business Associate Agreement and keep a copy of the document.

Question 10: Is a covered entity liable for or required to monitor the actions of a BA?
A: It would appear that they are, at least in practice. The privacy rule does not require a covered entity to actively monitor its Business Associates, but a covered entity that knows of a pattern of activity or practice by a BA amounting to a material breach of the BAA, and does not take reasonable steps to cure the breach or end the contract, is itself out of compliance. Recently there was a situation with a hospital in California that raised this concern. The hospital contracted with a company to transcribe doctors’ notes, and that company hired three subcontractors to assist in the work. One of the subcontractors, located in Texas, hired a sub-subcontractor based in India to help complete the work.
A dispute arose between the Texas subcontractor and the India company concerning payment, and the owner of the business in India emailed the hospital administrator demanding assistance with getting paid. The hospital refused, saying it had no control over the Texas subcontractor. The response from India: we have your patients’ PHI, and if you don’t assist us we will post that information on the Internet for all to see.
This has resulted in a bevy of new concerns among regulators and covered entities, making downstream confidentiality protections essential to any Business Associate’s contractual or business relationships.

Question 11: Is a re-insurer a Business Associate of a health plan?
A: Under the terms of HIPAA privacy, a re-insurer is not a Business Associate.

Question 12: Is a software vendor a BA?
A: If it is a software vendor from which you have simply purchased an off-the-shelf product (e.g. Microsoft) and the vendor never has access to PHI, then no. However, if you contract with a company to create or modify a software program to meet your company’s specific needs and its staff will have access to PHI (for example during installation, support or troubleshooting), the vendor is handling PHI on your behalf, and you will need to ensure that the contract carries the privacy protections of a BAA (or, if you are yourself a Business Associate, of a confidentiality agreement) to protect that information from inappropriate use or disclosure.

Question 13: As an insurance agent, I am not really that comfortable with my knowledge of HIPAA. What is my legal responsibility if I try to help or recommend materials to my clients?
A: Make sure that you encourage your clients to work with their own legal counsel to ensure that the documents reflect their particular group’s needs and issues.

Question 14: Can an agent take calls from employees and/or spouses to help them with claim issues without a signed authorization?
A: Yes, provided that you have a BAA with the group and that you have stated in the NPP sent to each employee that you will accept these inquiries.

Question 15: When does an agency need to get a signed authorization form?
A: When the group is hands-off or there is no BAA in place.

Question 16: Can an agency or an employer post a Notice of Privacy Practices in a common area for employees?
A: No. They must deliver an NPP to each employee; posting it does not satisfy the notice requirement. They could include it in the paychecks as a stuffer, but there must be physical delivery of the notice to each employee.