For people involved with the distribution of medically underwritten insurance products, stories about hacking of big corporate databases may seem a little bit like reports of a few cases of Ebola cropping up on some distant continent.
Too bad for those folks, but you have appointments to remember and sales quotas to meet.
When Anthem Inc. (NYSE:ANTM) announced last Wednesday that it had detected an intrusion into one of its major databases, that was like seeing contagion control personnel in hazmat suits parking in your neighbor's driveway.
Anthem has teams of compliance lawyers to understand the privacy and data security provisions in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Anthem also has teams of information technology specialists to apply its knowledge of HIPAA and the HITECH Act.
You may have to rely on whatever help insurers and technology vendors are giving you, along with the wise counsel of the techie sister-in-law who helped you set up your WiFi network.
Meanwhile, hacked health records can sell for more than $10 each, and sometimes for as much as $1,300 each.
Insurers may have insulated you from the hazards of holding anything that HIPAA defines as "protected health information" (PHI) by re-working their underwriting procedures. If not, you could find that performing a task as simple as asking prospects and clients to fill out a screening questionnaire could expose you to unexpected risks.
To learn more about HIPAA PHI risks, read on.
1. For HIPAA privacy and data security purposes, you're probably a "business associate."
The Centers for Medicare & Medicaid Services (CMS), an arm of the U.S. Department of Health and Human Services (HHS), has created a 10-page packet to help organizations determine whether they are "covered entities" for HIPAA purposes.
Most health plans are covered entities, and CMS has been getting serious about applying HIPAA privacy rules to health plans.
Some companies that look like something other than health plans may be covered entities in some situations. In other situations, they and their affiliates may act as "business associates," or entities that use PHI and have to meet roughly the same privacy and data security requirements that health plans must meet.
In theory, a business associate that violated the HIPAA rules could face a civil penalty of up to $50,000 per violation. An associate found guilty of willful neglect and a failure to address a problem promptly could face a civil penalty of as much as $1.5 million per violation.
2. The HHS Office for Civil Rights could be starting "Phase 2" audits any day.
CMS and HHS have applied the PHI rules to business associates since 2003, but, in practice, the HIPAA compliance enforcement body, the HHS Office for Civil Rights (OCR), has focused "Phase 1" audits on covered entities, not business associates.
OCR officials began getting official approvals for the paperwork they would need to conduct "Phase 2" audits, or audits of insurance agents and other business associates, about a year ago.
OCR officials decided to wait until they had set up an information submission Web portal to start the audits, but HIPAA compliance specialists say the Phase 2 audits could begin at any time.