Agents, brokers and other insurance and benefits advisors want to keep state insurance regulators from piling state data security rules on top of existing federal health data security standards.
Marcy Buckner, a vice president at the Washington-based National Association of Health Underwriters, says that if insurance regulators set new rules, they should exclude entities already subject to the Health Insurance Portability and Accountability Act of 1996 and a related law, the Health Information Technology for Economic and Clinical Health Act of 2009.
In a letter sent to the Kansas City, Missouri-based National Association of Insurance Commissioners, Buckner asks regulators to avoid making producers comply with two potentially conflicting sets of data security standards.
The NAIC is a group for state insurance regulators. An NAIC task force has been developing an Insurance Data Security Model Law, and it recently asked for public comments on a model draft. The task force has published a collection of comments on the draft on its section of the NAIC’s website.
States may need to set rules for entities not subject to the HIPAA and HITECH requirements, Buckner writes.
In the health insurance industry, “our members are already following federal law in regard to provisions protecting their clients’ data, and subjecting those already regulated by HIPAA privacy and HITECH requirements to state requirements that are written to supersede these federal laws would be confusing and ill-conceived,” Buckner writes.
Bob Ridgeway of the Washington-based America’s Health Insurance Plans and Paul Brown of the Chicago-based Blue Cross Blue Shield Association asked the NAIC to think about HIPAA in a joint letter. They note that the NAIC already includes standards based on HIPAA and HITECH requirements in the information technology section in its Examiners Handbook.