Participant Questions from “Are You Compliant? New HIPAA Privacy and Security Requirements” Webinar

May 10, 2010

General

  1. Does Simplified Training conduct audits and provide consulting to organizations regarding HIPAA compliance?
  2. Where can you find the "information for computer science master degrees"?
  3. Where can we get copies of these BA notices and ones to give clients?
  4. When can we expect to receive the package from Simplified Training Solutions?
  5. Have you heard of the Red Flag rules, and if you do the training for that and are compliant with the Red Flag rules, does that cover HITECH HIPAA?
  6. Is there any type of checklist to ensure that our agency is compliant?
  7. How do we get the package that provides a sample Notice of Privacy Practices we might use with our clients?
  8. Please give examples of violations that have been frequent.
  9. Is there a sample Notice of Privacy policies?
  10. Does your package meet CA requirements?

Business Associates

  1. Should a business associate agreement be signed by existing clients or only new clients?
  2. Do we need to have our carriers sign a BAA back to us?
  3. Does the term "Business Associate" cover other professions that have access to medical information of patients - such as accountants working for or with physicians or tax accountants preparing returns and seeing medical expenses for certain treatments, etc.?
  4. What would be the rule for turning documents over to a shredding service company?
  5. Is there an individual health client Business Associate agreement for agents to use, or is the Business Associate agreement only needed for group clients?
  6. Does a Business Associate (an agent) need to report a breach to HHS or should it be reported to the carrier (a covered entity) and the covered entity report to HHS?

Policies and Procedures

  1. Would PHI include information included on an employee census such as name, gender, DOB, and coverage status only? (No health, treatment, or payment info included.)
  2. Do we have to get our clients to sign a Business Associate Agreement?
  3. We are getting a lot of conflicting information in this area. You say a P&C agency need not comply; yet a DOB is considered PHI by many interpretations. Something as simple as a driver's listing going to a P&C agency would be PHI. Would the employer not have liability for release of PHI even though it is not necessarily a health plan?
  4. Again on the conflicting interpretations we have a multitude of varying ideas on things such as BAA's and the necessity of Privacy notices.
  5. To a group, are we covered if we provide Notice of Privacy Practices to the group administrator, or does notice need to be provided to each and every eligible employee?
  6. Does the notice need to go to each eligible employee in a group, or to the group administrator to distribute to employees?
  7. In terms of notice, are we required to send one to each individual employee in a group plan or just the employer?
  8. Are we expected to do an In/log outside of the client record-similar to what we do for logging checks etc for securities by FINRA?
  9. As an agent selling health plans, are we supposed to mail a "privacy notice" to our clients?
  10. Who is responsible if the PHI information is improperly released?
  11. As agents, are we required to keep a log of PHI on all accounts and where we sent it? For example, if we obtain a health application from an employer with health information on it and we then fax, mail or email this application, do we have to maintain a log that states who we sent it to and how? Example: PHI on Joe Smith who works for ABC Company faxed to BCBS at 666-666-6666 on 3-1-10.
  12. I'm a sole proprietor. I have a receptionist who answers my phones. She only answers my phones and has no access to my office nor my computer. Knowing this:
    a) Which documents should I have my client/s sign?
    b) What type of manual (rules for protecting PHI) should I retain in my office in the event of an audit?

Life insurance, long term care, and other insurance products

  1. Would a long term care agency have to go back and send this document to all current policyholders we've ever sold to?
  2. Our agency only sells long-term care policies. Are we still required to do these requirements you speak about? Does the information in an application need to be encrypted?
  3. Will this also apply to Life and Annuity sales? I sell very little health insurance.
  4. We are a General Agent. Our clients are insurance agents. Would we need to execute a BA with our agents? They don't seem to meet the definition.
  5. Sounds like we all need to increase our E & O insurance Coverage?
  6. What about health statements acquired for Life and Disability policies?
  7. Is taking life insurance applications an example of PHI?
  8. Is a life policy with a LTC rider an example of PHI?
  9. If I am sending a scanned copy of a master app. to an insurance company, is it required I encrypt the file?
  10. How does the HIPAA regulation affect Long Term Care plans?
  11. How do these regulations apply to voluntary benefits clients?
  12. Do these requirements apply to property and casualty agencies?
  13. Do these new rules apply to life policies?
  14. Are self funded health plan clients subject to compliance audits? Fully insured?
  15. Are LTCi plans considered health plans?

Transmission and encryption

  1. When you say transmitting, does that mean emailing the carriers' health applications to them? Or faxing them? How does faxing applications with health information pertain to this law? Some carriers have it go to computer files directly, but many still have actual fax machines, available for viewing by anyone that walks by. How can this be resolved under the new rule?
  2. To what extent will emails and information on smart phones be affected?
  3. Is there a way to encrypt emails sent by Outlook? If not, what suggestions do you have for emailing PHI, i.e. when we submit enrollment forms?
  4. IE and Google say that they have 128 bit encryption. Does that mean we are safe to send our info via email on these types of technologies?
  5. How do you handle PHI via fax?
  6. Can you recommend companies that offer encryption software for my hard-drives and email? I have a small 2 person / 2 computer office with no PHI info available on a website.
  7. Can notice of privacy policies be provided to clients via email?

General

1) Does Simplified Training conduct audits and provide consulting to organizations regarding HIPAA compliance?
A: If you are interested in assistance, please contact David C. Smith, author of the HIPAA Privacy/Security and HITECH Tool Kit for Agents, Brokers and Consultants™ at davidcurtissmith@yahoo.com.

2) Where can you find the "information for computer science master degrees"?
A: This link will help.

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

3) Where can we get copies of these BA notices and ones to give clients?
A: Simplified Training Solutions’ HIPAA Privacy/Security and HITECH Compliance Toolkit offers two different BA notices. To view/order, please visit www.simplifiedtraining.com or call 1 (800) 344-6381.

4) When can we expect to receive the package from Simplified Training Solutions?
A: Once you have ordered the CD version, it is shipped via UPS Ground and takes 2-5 business days. The download version is available as soon as you have made the purchase.

5) Have you heard of the Red Flag rules, and if you do the training for that and are compliant with the Red Flag rules, does that cover HITECH HIPAA?
A: Red Flag rules come out of the Federal Trade Commission and because of that are an entirely different set of rules. The key thing to be aware of with the Red Flag rules is they only apply in situations where you’re doing a partial payment and you need to verify the information of the individual who is paying you. There’s been a lot of miscommunication to agents that says we are parties that have to comply with Red Flag rules. In the situation where an agency is doing self-pay collections from individuals, say with auto insurance or homeowners insurance—in those situations they would have to comply with Red Flag rules. But most, if not all, health insurance companies will bill and collect premiums directly, so there is no requirement. Red Flag rules and HITECH HIPAA are separate requirements and do not overlap. Simplified Training Solutions is more than willing to work with anyone that has questions about Red Flag rules.

6) Is there any type of checklist to ensure that our agency is compliant?
A: Please see the Tool Kit.

7) How do we get the package that provides a sample Notice of Privacy Practices we might use with our clients?
A: Contact Simplified Training Solutions about getting the sample NPP. www.simplifiedtraining.com 1.800.344.6381

8) Please give examples of violations that have been frequent.

A: HHS Posts List of Covered Entities Reporting Breaches of Protected Health Information Affecting More than 500 Individuals

February 22, 2010

Today OCR has posted on its website a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required HHS make this information public by posting it on an HHS website.

Section 164.408 of the breach notification interim final rule, which implements section 13402(e)(3) of the HITECH Act, became effective on September 23, 2009. This section requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS. Breaches that affected 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website.

HHS is obligated, pursuant to section 13402(e)(4) of the HITECH Act, to post on its website a list of the covered entities that have reported breaches affecting more than 500 individuals. The list of the covered entities that have reported such breaches, along with other relevant information about each breach, is available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html. OCR verifies all information with the covered entity reporting the breach prior to posting. OCR will continue to update this page as we receive new reports of breaches of unsecured protected health information.

9) Is there a sample Notice of Privacy policies?
A: Simplified Training Solutions’ HIPAA Privacy/Security and HITECH Compliance Toolkit includes a sample Notice of Privacy Practices.

10) Does your package meet CA requirements?
A: This package meets federal requirements. We recommend you submit it to CA counsel for evaluation.

Business Associates

1) Should a business associate agreement be signed by existing clients or only new clients?
A: A BAA should be signed for existing clients that renew and new clients going forward.

2) Do we need to have our carriers sign a BAA back to us?
A: No. The carriers are Covered Entities and already have this obligation.

3) Does the term "Business Associate" cover other professions that have access to medical information of patients - such as accountants working for or with physicians or tax accountants preparing returns and seeing medical expenses for certain treatments, etc.?
A: Yes, absolutely. Anyone who touches protected health information—they all need to sign.

4) What would be the rule for turning documents over to a shredding service company?
A: The shredding company must sign a Business Associate Agreement. The agreement with the shredding company should include that they assume liability and indemnify you if there is a breach once the records are in their possession.

5) Is there an individual health client Business Associate agreement for agents to use, or is the Business Associate agreement only needed for group clients?
A: Only the group client needs to be sent a BA agreement. The individual is not a covered entity, but the employer with the group policy is a covered entity.

6) Does a Business Associate (an agent) need to report a breach to HHS or should it be reported to the carrier (a covered entity) and the covered entity report to HHS?
A: Business Associates are required by law to report breaches to HHS. The agent/agency may also have contractual commitments to report the breach to the carrier. Some carriers will provide guidance on whether the event is a breach and will assist the agent in the breach compliance process. In the end the Business Associate who is responsible for a breach must make sure the breach is properly reported to HHS, that the required notification of clients occurs, and pay all fines and serve time if the breach is determined to be a felony. All BAs need to know the law and the correct steps to follow if there is a breach since under HITECH, they are fully regulated by HHS like covered entities.

Policies and Procedures

1) Would PHI include information included on an employee census such as name, gender, DOB, and coverage status only? (No health, treatment, or payment info included.)
A: No. Health information must be with these identifiers.

2) Do we have to get our clients to sign a Business Associate Agreement?
A: They must be sent an agreement and it is a good practice to have it signed.

3) We are getting a lot of conflicting information in this area. You say a P&C agency need not comply; yet a DOB is considered PHI by many interpretations. Something as simple as a driver's listing going to a P&C agency would be PHI. Would the employer not have liability for release of PHI even though it is not necessarily a health plan?
A: PHI is very specifically defined as a means of identifying a person and health information about that person. A driver’s license does not include PHI.

HIPAA does not regulate the following:

Short-term and long-term disability
Accidental Death & Dismemberment
Life Insurance
Worker’s Compensation
Americans with Disabilities Act
Fitness-for-duty Exams (DOT or OSHA exams)
Drug testing
Work-life benefits (on-site clinics; fitness center)
Family Medical Leave Act (FMLA)
Auto medical insurance

4) Again on the conflicting interpretations we have a multitude of varying ideas on things such as BAA's and the necessity of Privacy notices.
A: You need to give a Business Associates Agreement to every client. You also need a BAA with any third party that has access to your operations or with whom you might share PHI that is not otherwise a Covered Entity or is already a Business Associate. You also need to give a Privacy Notice to all of your clients on an annual basis as required by the Gramm-Leach-Bliley Act for whom you provide health, dental, vision or long-term care coverage.

5) To a group, are we covered if we provide Notice of Privacy Practices to the group administrator, or does notice need to be provided to each and every eligible employee?
A: Since the group is the client, the NPP only needs to go to the group and not each and every employee.

6) Does the notice need to go to each eligible employee in a group, or to the group administrator to distribute to employees?
A: Since the group is the client, the NPP only needs to go to the group administrator. The group administrator then needs to distribute the information to employees.

7) In terms of notice, are we required to send one to each individual employee in a group plan or just the employer?
A: Since the group is the client, the NPP only needs to go to the group administrator. The group administrator then needs to distribute the information to employees.

8) Are we expected to do an In/log outside of the client record-similar to what we do for logging checks etc for securities by FINRA?
A: No, as long as the information that you’re getting is easily re-accessible—you need to be able to put your hands back on it easily. You would need to keep a log any time that info is going outside of your control for a purpose other than payment, treatment or health care operation. And so, it’s a good business practice to track it and to know that you’ve gotten it and who you’ve disclosed it to, but as far as disclosure log, or input/output—only when you are concerned about it being outside of the treatment, payment, health care operation exceptions.

9) As an agent selling health plans, are we supposed to mail a "privacy notice" to our clients?
A: Yes. This should be done on an annual basis as part of a renewal process.

10) Who is responsible if the PHI information is improperly released?
A: The party who is in possession of the information when it is lost, stolen, or improperly released.

11) As agents, are we required to keep a log of PHI on all accounts and where we sent it? For example, if we obtain a health application from an employer with health information on it and we then fax, mail or email this application, do we have to maintain a log that states who we sent it to and how? Example: PHI on Joe Smith who works for ABC Company faxed to BCBS at 666-666-6666 on 3-1-10.
A: No, they do not need to keep that kind of log under the current regulations because of the fact the app being emailed, faxed or mailed was for HEALTH CARE OPERATIONS. The only log of disclosures they need to make are when they have a disclosure for a purpose OTHER THAN payment, treatment or health care operations.

12) I'm a sole proprietor. I have a receptionist who answers my phones. She only answers my phones and has no access to my office nor my computer. Knowing this:
I) Which documents should I have my client/s sign?
II) What type of manual (rules for protecting PHI) should I retain in my office in the event of an audit?
A:
I) Your group clients should not have to sign anything, other than naming you as a business associate.
II) The draft policies and procedures should provide a sufficient guide for compliance in the event of an audit.

Life insurance, long term care, and other insurance products

1) Would a long term care agency have to go back and send this document to all current policyholders we've ever sold to?
A: No. Current clients who have a change in their policy, and new clients, need to receive a Notice of Privacy Practices.

2) Our agency only sells long-term care policies. Are we still required to do these requirements you speak about? Does the information in an application need to be encrypted?
A: Yes. You must protect the information on an application by encrypting the transmission for current clients who have a change in their policy and for new clients.

3) Will this also apply to Life and Annuity sales? I sell very little health insurance.
A: It does not apply to Life and Annuity sales. “Very little health insurance” is still subject to the requirements.

4) We are a General Agent. Our clients are insurance agents. Would we need to execute a BA with our agents? They don't seem to meet the definition.
A: If as a general agent, you are acting on behalf of the insurance company and you are receiving or transmitting PHI to or from an agent under you or an insurance company, you more than likely have been named as a business associate. If the carriers have not already named those individuals as business associates, then you need to name them as business associates to avoid any potential liability for their mistakes.

5) Sounds like we all need to increase our E & O insurance Coverage?
A: First you need to check that your E&O coverage does not have exceptions for privacy matters. The level depends on your situation. You may want to increase your 3/3 coverage to 5/5. You should carry at least $1-$2 million of coverage.

6) What about health statements acquired for Life and Disability policies?
A: Life and DI are NOT subject to the requirements.

7) Is taking life insurance applications an example of PHI?
A: No.

8) Is a life policy with a LTC rider an example of PHI?
A: Yes, it is if there is an LTC rider.

9) If I am sending a scanned copy of a master app. to an insurance company, is it required I encrypt the file?
A: Yes.

10) How does the HIPAA regulation affect Long Term Care plans?
A: LTC plans are subject to the requirements.

11) How do these regulations apply to voluntary benefits clients?
A: If they are health (including LTC) products, they’re covered.

12) Do these requirements apply to property and casualty agencies?
A: No.

13) Do these new rules apply to life policies?
A: No, they do not—they only apply to health plans. Life insurance and disability are specifically excluded from HIPAA privacy regulations.

14) Are self funded health plan clients subject to compliance audits? Fully insured?
A: Self-funded plans are undoubtedly subject to compliance audits because they are covered entities. As for fully insured, that’s still a little bit out there—in the past there was a distinction between “hands on” and “hands off” that would allow some employers who were small and fully insured to avoid having to do too much to comply as long as they didn’t have any PHI. That distinction has largely gone away, so it is my belief that more than likely you’re going to see DOL compliance audits include HIPAA privacy-related pieces or a straight HHS audit that would be HIPAA privacy compliant that would apply to any employer sponsoring a health plan.

15) Are LTCi plans considered health plans?
A: Yes.

Transmission and encryption

1) When you say transmitting, does that mean emailing the carriers' health applications to them? Or faxing them? How does faxing applications with health information pertain to this law? Some carriers have it go to computer files directly, but many still have actual fax machines, available for viewing by anyone that walks by. How can this be resolved under the new rule?

A: If you email an application it is considered a transmission. Also, if either the outbound side or the recipient is using a fax server, this also is considered a transmission and must be encrypted. If you are faxing to another fax machine the document is encrypted. A phone call in advance of the fax can verify that the appropriate person will be available to collect the faxed documents from the machine and that the documents will not sit on the machine and possibly be viewed by someone who is not authorized to read the application.

We recommend a cover sheet that requests notification to the sender if the wrong fax number has been dialed. The following statements should be added to your fax cover sheets.

Confidential Health Information Enclosed.

Health care information is personal and sensitive. It is being faxed to you after appropriate authorization from the patient or under circumstances that do not require patient authorization. You, the recipient, are obligated to maintain this information in a safe, secure and confidential manner. Re-disclosure without additional patient consent or authorization or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain the confidentiality of this information could subject you to penalties under Federal and/or State law.

Confidentiality Statement

The information contained in this facsimile transmission is privileged and confidential and is intended only for the use of the recipient listed above. If you are neither the intended recipient nor the employee or agent of the intended recipient responsible for the delivery of this information, you are hereby notified that the disclosure, copying, use or distribution of this information is strictly prohibited. If you have received this transmission in error, please notify us immediately by telephone to arrange for the return of the transmitted documents to us or to verify their destruction.

Please contact NAME at PHONE NUMBER to verify receipt of this Fax or to report problems with the transmission.

2) To what extent will emails and information on smart phones be affected?
A: Any PHI transmission from a smart phone needs to be encrypted. For some smart phones, encryption is built in and needs to be activated.

3) Is there a way to encrypt emails sent by Outlook? If not, what suggestions do you have for emailing PHI, i.e. when we submit enrollment forms?

A: Yes there is. There is a basic tutorial on how to encrypt using Outlook in the Simplified Training package.

4) IE and Google say that they have 128 bit encryption. Does that mean we are safe to send our info via email on these types of technologies?
A: If it truly is 128-bit encryption, then yes.

5) How do you handle PHI via fax?
A: If you are using an electronic image, then that is considered PHI and it needs to be encrypted. So, a lot of the e-fax, FaxPress, etc. type communications that use a fax server to distribute a communication to someone’s email account fall under that category. If you are using a “true” fax machine where it takes a physical copy and transmits it to a physical fax machine where someone will be picking up a hard copy of the document—a paper to paper transaction—then you don’t have anything to worry about. See question 11 for a recommended statement to add to your fax cover page.

6) Can you recommend companies that offer encryption software for my hard-drives and email? I have a small 2 person / 2 computer office with no PHI info available on a website.
A: NAIFA Member Benefits is looking into this—we will keep you updated!

7) Can notice of privacy policies be provided to clients via email?
A: Yes, provided the client has email and does not request a paper copy.