HIPAA Privacy Rules Will Cause Headaches For Brokers
Insurance brokers face a myriad of new recordkeeping and notification requirements arising from the recently issued health privacy rules that could affect their ability to service their clients, the Council of Insurance Agents and Brokers says.
“Our members are very concerned,” says Nicole Allen, director of government affairs for the Washington-based Council. “They dont know how the rules will affect their group health insurance business and their ability to shop policies and provide solutions.”
Joel Wood, Council senior vice president of government affairs, adds that while just about every industry lobbyist would like to see Congress pass some overarching rationalization of the different privacy rules, that doesnt seem to be in the cards.
When privacy is considered on Capitol Hill, he says, it is usually not with the idea of correcting unintended consequences. Rather, Wood says, any likely legislation would probably make things even more punitive.
The Council, he says, will work through the administrative process at the Department of Health and Human Services to try to get brokers as much relief as possible.
The problem, Allen says, is that the HHS privacy regulations, mandated by the Health Insurance Portability and Accountability Act, were not written with intermediaries in mind.
Moreover, she says, many of the practical problems with the regulations probably will not emerge until brokers have had to spend some time living under them.
Therefore, Allen says, it is not fully clear yet what type of clarification will be needed.
The HIPAA privacy regulations will not take effect until April 14, 2003, she says, but brokers need to begin working immediately on setting up compliance systems.
One issue facing brokers, she says, is an administrative requirement that all covered entities must designate someone to serve as a privacy compliance officer responsible for receiving complaints and inquiries about privacy policies and practices.
Currently, Allen says, most brokers do not designate anyone as the privacy compliance officer.
In addition, she notes, the regulations limit disclosure of information for certain legitimate purposes, such as claims and billing, to the “minimum necessary” to accomplish the purpose.
However, Allen says, the term “minimum necessary” is very fuzzy and brokers could face problems tracking claims.
Perhaps an even more significant issue facing brokers involves multiple recordkeeping, Allen says. The regulations exclude certain types of insurance–including workers compensation, life, disability, auto, property-casualty and most types of reinsurance–from its scope.
This forces brokers to set up two systems for health-related information, Allen says, one for health plans and another for these excluded lines.
Moreover, she says, this could put brokers in a conflicted position involving health information. Suppose, Allen says, that an individual who had a heart attack does not reveal this fact on an application for life or disability insurance.
The broker, she says, is barred from transferring the information from the HIPAA-covered line to the excluded lines. But what is the brokers fiduciary duty to the life or disability insurer if the broker knows that the application is false? Allen asks.
Segregating HIPAA-covered information from other health-related data will create conflicts for brokers, she says.
Allen says brokers will also have to comply with notice requirements under the HIPAA regulations that differ from those under the Gramm-Leach-Bliley Financial Modernization Act.
Brokers, she says, will have to keep in mind what type of notice is required for what purpose.
Allen says some type of harmonization of the different privacy requirements is needed. Insurance brokers, she says, help consumers by facilitating these transactions. Without some type of guidance, she says, brokers will have greater difficulty providing the services consumers expect and deserve.
John Greene, manager of regulatory affairs for the National Association of Health Underwriters, Arlington, Va., says NAHU members also have specific concerns about the HIPAA regulations.
For example, he asks, what happens when a broker sells the business?
Must the broker, Greene asks, send notice to all his or her clients about the sale of the business?
In addition, the HIPAA rules focus on two types of entities. One is a covered entity, which includes insurance companies, service firms and organizations licensed to engage in the business of insurance in a state and subject to state laws regulating insurance.
The other is a business associate, defined as a person or entity that performs functions, such as billing and claims administration, on behalf of a covered entity.
NAHU members, Greene says, are not covered entities, but they are not quite business associates, either.
Thus, he says, the question is: What are the responsibilities of NAHU members in terms of the consent requirements?
Greene says he has been in communication with HHS over these issues and hopes to receive some clarification.
Reproduced from National Underwriter Life & Health/Financial Services Edition, August 13, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.