Several health insurance organizations say requiring the same producer to comply with both HIPAA data security rules and a new set of state data security rules would be overkill.

Agents, brokers and other insurance and benefits advisors want to try to keep state insurance regulators from piling state data security rules on top of existing federal health data security standards.

Marcy Buckner, a vice president at the Washington-based National Association of Health Underwriters, says insurance regulators should exclude entities already subject to the Health Insurance Portability and Accountability Act of 1996 and a related law, the Health Information Technology for Economic and Clinical Health Act of 2009, if they set new rules.

In a letter sent to the Kansas City, Missouri-based National Association of Insurance Commissioners, Buckner asks regulators to avoid making producers comply with two potentially conflicting sets of data security standards.

The NAIC is a group for state insurance regulators. An NAIC task force has been developing an Insurance Data Security Model Law, and it recently asked for public comments on a model draft. The task force has published a collection of comments on the draft on its section of the NAIC’s website.

States may need to set rules for entities not subject to the HIPAA and HITECH requirements, Buckner writes.

In the health insurance industry, “our members are already following federal law in regard to provisions protecting their clients’ data, and subjecting those already regulated by HIPAA privacy and HITECH requirements to state requirements that are written to supersede these federal laws would be confusing and ill-conceived,” Buckner writes.

Bob Ridgeway of the Washington-based America’s Health Insurance Plans and Paul Brown of the Chicago-based Blue Cross Blue Shield Association asked the NAIC to think about HIPAA in a joint letter. They note that the NAIC already includes standards based on HIPAA and HITECH requirements in the information technology section in its Examiners Handbook.

“Examiners reviewing the IT protections of a HIPAA/HITECH covered entity should be able to easily determine whether it is HIPAA-compliant,” Ridgeway and Brown write.

Thomas Considine, the chief executive officer of the Manasquan, New Jersey-based National Conference of Insurance Legislators, says NAIC model drafters need to think about other types of conflicts, too.

Over 70 of the 99 state legislative bodies combine insurance with other financial industries, such as banking and financial services, and that’s a sign that any new data security standards need to cover a range of related industries, Considine writes.

“NCOIL believes that limiting a Data Security Model Law to the insurance industry only, when the other financial services industries also deal with very sensitive personal information that invites hacking and merits special protection, will ultimately invite conflict of laws within the states themselves,” Considine writes. “Indeed, we believe such an approach could have the effect of inviting federal legislative intervention.” 