HIPAA for Insurance Brokers
An insurance broker may be subject to HIPAA if the broker is a business associate. HIPAA for insurance brokers is discussed below.
What is HIPAA for Insurance Brokers?
HIPAA for insurance brokers involves HIPAA compliance with those insurance brokers who are business associates. The nature of the insurance sold by the insurance broker may dictate whether the broker is a business associate.
Health insurance plans are considered to be covered entities if those plans provide for the costs of medical care. Covered entity health plans include public and private plans offered through health insurers, health maintenance organizations, Medicare, Medicaid or Medicare prescription drug plans, and most group health plans, whether insured or self-insured.
Other examples of covered entities include dental plans, vision plans, and health flexible spending accounts (FSAs).
In contrast, disability plans that provide for income replacement, life insurance plans, and workers’ compensation plans, are not covered entities.
In addition, an employer that sponsors a group health plan is not a covered entity; rather, the group health plan that the employer sponsors is considered a covered entity. Employers are obligated, however, not to misuse protected health information (PHI) they obtain from the group health plan for employment-related actions (i.e., termination, demotion). This obligation is imposed by federal civil rights laws, including the Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA), and Title VII of the Civil Rights Act of 1964, as amended (Title VII).
An insurance broker that performs services for one of the above-mentioned covered entities is considered a business associate of that covered entity (and is therefore subject to the HIPAA rules and regulations) if the services perform the use or disclosure of PHI or electronic protected health information (ePHI, which is PHI in electronic form). Insurance broker business associate functions involving the use of PHI or ePHI and may include so called “intermediary” functions.
If an intermediary creates, receives, maintains, or transmits PHI on behalf of (as an intermediary for) the insurer or plan, the intermediary is regarded as a business associate of the insurer. In such case, the intermediary is subject to HIPAA, and should enter into a business associate agreement with the insurer.
As a practical matter, brokers should continuously evaluate their relationship with the plan sponsor, group health plan, or insurer to determine whether the broker’s services for any of these entities will involve or implicate the use or disclosure of PHI of a covered entity or business associate. If the broker’s services involve or necessitate use or disclosure of PHI of a covered entity or business associate to or by a broker, the broker should enter into the appropriate business associate agreement.
