This post is part of a series sponsored by AgentSync.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) may be one of the most frequently cited health insurance laws, not only among insurance professionals but in the everyday lives of most Americans. Learn a little more about what it is, what it does (and does not do), and how it affects the insurance industry.
Quickly! Name a healthcare law that everyone has heard of, but that no one really understands. If you guessed HIPAA, congratulations, you win! For ordinary citizens, HIPAA comes up at every doctor's visit and, more recently, whenever a company dares to require proof of COVID-19 vaccination status for entry or service. More on that later, but spoiler warning: a company that requires proof of vaccination to enter its premises, or to provide services, does not violate HIPAA.
You would be hard pressed to find an American adult who has not heard of HIPAA, or who does not know that it has something to do with medical privacy. But for most people, collective knowledge of this 500-page law ends there. And for most people, that's fine. If you work in insurance, though, you may be one of the few who really needs to understand HIPAA more than superficially. That said, HIPAA is so specific to health insurance and health information that it does not apply universally across the insurance world.
What is HIPAA?
Literally, it is the Health Insurance Portability and Accountability Act of 1996. This law, signed in 1996 by President Clinton, was the first law to address the privacy of healthcare information. Although electronic medical records barely existed in 1996, HIPAA was forward-thinking and included provisions for the digitization of healthcare and health insurance that would not arrive for several more years.
HIPAA gave American citizens the right to expect a certain degree of privacy around their health information, especially when it comes to health insurance. It also gave us the right to access our own private health information, even if that is easier said than done most of the time.
In plain English:
- Your personal health information is considered private and is therefore "protected" by law.
- Certain entities (including doctors' offices, hospitals and health insurance companies) are covered by the Privacy Rule.
- You have the right to understand and control how your protected health information is used, including who it is shared with.
What does HIPAA do?
Simply put, HIPAA required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. The law assigned responsibility for enforcing compliance to the Department of Health and Human Services' (HHS) Office for Civil Rights.
HIPAA also spelled out the permitted purposes for which a covered entity may use or disclose protected health information. The final law ran to over 500 pages, so this is obviously, and necessarily, a very abbreviated version of it! If you are a bigger insurance nerd than we are, you are welcome to read the full legal text.
If HIPAA is central or tangential to your work, remember that this is a summary, not legal guidance or due diligence. If you need legal advice, contact a lawyer.
What does HIPAA not do?
The short answer is "a lot." As you have learned by now, HIPAA applies to a very specific set of covered entities. A restaurant or bar is not a covered entity. An airline is not a covered entity. So private companies that ask customers to disclose their COVID-19 vaccination status in order to enter or be served are not subject to HIPAA and do not violate it.
In addition, HIPAA does not cover:
- Employment records held by a covered entity in its role as an employer, and education and certain other records covered by, or defined in, the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g.
- De-identified health information, where medical information has been completely separated from any personally identifiable information about the person it came from. For example, a large list of ages, heights and body weights would not be protected if there is no name, address, Social Security number or other identifier that would link the health data to a specific person.
Who must follow HIPAA?
HIPAA created standard definitions for the types of companies and entities covered by its Privacy Rule. These include:
- Healthcare providers
- Health plans (including Medicare, Medicaid, long-term care plans and others, with a few exceptions)
- Healthcare clearinghouses
- Business associates (defined as a person or organization, other than a member of a covered entity's workforce, that uses protected health information to perform services for a covered entity)
That's basically it. So, again, your neighborhood bar or restaurant is not subject to HIPAA. Your local grocery store, movie theater and airline are (most likely!) not covered by HIPAA either.
If, and only if, you are one of the entities above or a business associate of one, you and your company are required to comply with HIPAA.
Why is HIPAA important?
Patient privacy is something most of us agree is an important right. Before 1996, however, that was not necessarily the case. It was certainly not guaranteed or legally enforced.
Why HIPAA is important for healthcare and the health insurance industry
Although 1996 is hardly what we think of as the "digital age" nowadays, HIPAA was truly forward-looking for its time. It introduced some very important concepts that became key as the industry moved from paper records to electronic records.
HIPAA standardized how health data must be collected and protected, and established a nationally recognized set of transaction codes and identifiers. Much like the transition to structured data in other industries, the HIPAA requirements helped the healthcare industry move toward a digital future in which health information is shared daily among patients, doctors, clinics, insurance companies and other entities, with an emphasis on privacy.
Why HIPAA is important for patients
For patients, HIPAA is particularly important, all the more so as medical records have moved into the digital age, making them vulnerable to information security breaches. Prior to HIPAA, covered entities probably did not often expose personal patient information intentionally or unscrupulously, but there was no guarantee that they wouldn't (and no government sanctions if they did).
HIPAA was the first law of its kind to create rules for the storage and sharing of personal health information. It prescribes a strict standard of information security controls for covered entities and business associates that handle such information. And with the law in place, there are real consequences for non-compliance.
HIPAA also allowed patients to take more control of their healthcare by giving them access to their medical records, so they can become better informed about diagnoses and treatments, seek additional opinions from other providers, or even check their records for errors. Prior to HIPAA, healthcare organizations and health insurance companies were not required to honor a patient's request for access to their own medical records.
How does HIPAA affect the insurance industry?
For many property and casualty insurance companies, agents, brokers and other insurance businesses, it really doesn't. For the vast majority of the insurance industry, that is, anyone who does not work with life, health, accident, disability or related products, HIPAA does not apply.
For dual-licensed producers, for health and life insurance companies, and for any insurance professional who comes into contact with protected health information in the course of business, HIPAA is a concern and a law they must comply with.
HIPAA can also affect employers who sponsor health insurance for their employees. That means it is something employee benefits brokers must also pay attention to and advise their clients on.
In the quarter century since HIPAA was first signed into law, it has become a fairly well-known name (as healthcare laws go!), but that does not mean it is simple or easy to understand. If you are in the health insurance industry, HIPAA is just one of many insurance regulations you need to be aware of and make sure you follow. And you should get expert advice when you do.
Although AgentSync can't help you there, we can definitely keep compliance on track for your non-HIPAA needs, such as producer onboarding and lifecycle management. See AgentSync in action today.