The Health Insurance Portability and Accountability Act of 1996 (HIPAA) may be one of the most commonly referenced health insurance laws, not just by insurance professionals, but in the everyday lives of most Americans. Learn a bit more about what it is, what it does (and doesn’t do), and how it impacts the insurance industry.
Please read our notice of privacy practices
Quick! Name a healthcare law that everyone knows of, but no one really knows. If you guessed HIPAA, congratulations, you win! For everyday citizens, HIPAA references pop up at each and every doctor’s office visit and, more recently, if a business dares to require proof of COVID-19 vaccine status for entry or service. More on that later, but spoiler alert: A business requiring proof of vaccination to enter, or provide services, does not violate HIPAA.
You’d be hard pressed to find an American adult who hasn’t heard of HIPAA, or who doesn’t know it has something to do with medical privacy. But the collective knowledge of this 500-page healthcare law ends there. And for most people, that’s OK. But if you work in insurance, you might be one of the few who truly needs to understand HIPAA more than just superficially. Then again, HIPAA is so specific to health insurance and health information that it doesn’t apply universally across the insurance world, either.
What is HIPAA?
Literally, it’s the Health Insurance Portability and Accountability Act of 1996. This law, signed in 1996 by President Clinton, was the first law to address the privacy of health and healthcare information. Despite the fact that electronic medical records barely existed in 1996, HIPAA was forward-thinking and included references to digitization in the medical and health insurance field that wouldn’t come for years.
HIPAA gave U.S. citizens the right to expect some degree of privacy surrounding that information, particularly when it comes to health insurance. It also gave us the right to access our private health information, even if that’s easier said than done most of the time.
A large part of the entire HIPAA law is what’s known as the HIPAA Privacy Rule. According to the CDC’s website, “The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used.”
In plain English:
- Your personal health information is considered private, and thus “protected” by the law.
- Certain entities (doctor’s offices, hospitals, and health insurance companies, among others) are subject to the Privacy Rule.
- You also have the right to understand and control how your protected health information is used, including who it’s shared with.
What does HIPAA do?
Simply put, HIPAA required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The law gave responsibility for enforcement to the Department of Health and Human Services (HHS)’s Office for Civil Rights.
HIPAA also laid out valid reasons for when protected health information used by any covered entity may be shared or disclosed. The final law was over 500 pages, so this is obviously, and necessarily, a very abridged version of the law! If you’re a bigger insurance nerd than we are, you’re welcome to read the full text of the law here!
Also, if HIPAA is central or tangential to your work, keep in mind this is a condensed overview, not legal guidance or due diligence. If you need legal advice, consult an attorney.
What does HIPAA not do?
The short answer is, “a lot.” As you’ve learned by now, HIPAA applies to a very specific set of covered entities. A restaurant or bar is not a covered entity. An airline is not a covered entity. Thus, private businesses that ask patrons to disclose their COVID-19 vaccination status in order to enter or to be served are not subject to HIPAA and are not in violation of it.
In addition HIPAA also does not cover:
- “Protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.”
- De-identified health information, when medical information is completely separated from personally identifiable details about the human it came from. For example, a large list of ages, heights, and body weights would not be protected if there’s no name, address, Social Security number, or other identifying information that would link the health data with a specific person.
Who’s required to follow HIPAA?
HIPAA created standard definitions for types of businesses and entities that are subject to its privacy rule. These include:
- Healthcare providers
- Health plans (including Medicare, Medicaid, long-term care, and others–with a few exceptions)
- Healthcare clearinghouses
- Business associates (defined as a person or organization other than an employee of a covered entity who is using protected health information to perform services for a covered entity)
That’s basically it. So again, your uncle is not subject to HIPAA at a family dinner. Your neighbor’s bar or restaurant is also not subject to HIPAA. Your local grocery store, movie theater, and place of employment (most likely!) are not subject to HIPAA.
If, and only if, you’re one of the above entities or a “business associate” of one, are you and your company required to comply with HIPAA.
Why is HIPAA important?
Patient privacy is something most of us would agree is an important right. Prior to 1996, however, this wasn’t necessarily the case. It certainly wasn’t guaranteed or legally enforced.
Why HIPAA is important for the healthcare and health insurance industry
Even though 1996 is hardly what we think of as “the digital age” these days, HIPAA was truly forward-thinking for its time. It introduced some very important concepts that would be key as the industry moved from paper records to electronic health records.
HIPAA standardized how health data must be collected and protected, and enforced a nationally recognized set of codes and identifiers. Much like the move to structured data in other industries, HIPAA requirements assisted the healthcare industry in moving toward a digital future where health information is shared between patients, doctors, clinics, insurance companies, and other entities on a daily basis with an emphasis on privacy.
Why HIPAA is important for patients
For patients, HIPAA is particularly significant. All the more so as medical records have moved into the digital age, making them subject to information security breaches. Prior to the enactment of HIPAA, it’s likely that “covered entities” weren’t often intentionally exposing personal patient information in unscrupulous ways, but there was no guarantee (nor were there government-enforced penalties).
HIPAA was the first law of its kind to create rules surrounding the storage and sharing of personal health information. It mandated a strict standard of information security controls for any organizations dealing with such information. Plus, with laws in place, there are actual consequences for noncompliance.
HIPAA also empowered patients to take more control over their healthcare by allowing them to access their records for the purpose of being more informed about diagnoses and treatments, seeking additional medical input from different providers, or even checking their records for mistakes. Before HIPAA, healthcare organizations and health insurance companies were not required to comply with any patient’s request to access their own medical records.
How does HIPAA impact the insurance industry?
For many property and casualty insurance carriers, agents, brokers, and other insurance businesses, it really doesn’t. For the vast majority of the insurance industry – those who don’t deal with life, health, accident, disability, or related products – HIPAA doesn’t apply.
For those producers who are dually licensed, for insurance carriers that deal in health and life, and for any insurance professionals who come into contact with protected health information in the course of doing business, HIPAA is a concern and a law that requires compliance.
HIPAA can also impact employers who sponsor health insurance coverage for their employees. This means it’s something employee benefit brokers need to also pay attention to and alert their clients about.
In the quarter century since HIPAA was first signed into law, it’s become a fairly household name (as healthcare laws go!) but that doesn’t mean it’s simple or easy to understand. If you’re in the health insurance business, HIPAA is just one of many insurance industry regulations you have to pay attention to and be sure to comply with. And you should get expert counsel in doing so.
While AgentSync can’t help you there, we can definitely keep compliance on track for your non-HIPAA needs, such as producer onboarding and lifecycle management. See AgentSync in action today.