It’s important to train all staff in a multi-line agency on HIPAA Compliance
There is a great deal of crossover within a multi-line agencies. Cross-selling group or individual health insurance and other benefits, between personal lines and key commercial lines clients, has been one of the best ways to preserve a long-term relationship. To do this well, there’s going to have to be some exchange of often confidential information between different teams. Plus, the reality that there is often little to no physical or electronic separation between team members means that you need to worry about having your bases completely covered in case of an unintentional breach. Simply said: It’s very important that all parties are properly trained on these regulations — one of many reasons a multi-line agency will often require all staff to be trained on HIPAA.
Protecting PHI, NPPI and PII
Across your agency, you may have multiple agents that will have access to or come in contact with Protected Health Information (PHI), Non-Public Personal Information (NPPI) and Personally Identifiable Information (PII). In our experience, agents handling long-term care, vision, Medicare, dental and health insurances are reluctant to refer clients to agents who sell life, auto, home, commercial liability, 401(k), and Workers’ Comp if these agents are not properly trained on their responsibilities to safeguard clients’ Protected Health Information (PHI).
Gramm-Leach-Bliley (GLB) is an entirely separate federal law (from HIPAA) that dictates what insurance agents can do with personally identifiable information collected from or about consumers, or resulting from a transaction with consumers. This is commonly called Non-Public Personal Information (NPPI). Insurance agents are prohibited from disclosing NPPI as defined in GLB to nonaffiliated third parties without notifying the client or providing an opportunity for the client to opt out.
Non-health related insurances are considered financial products and are regulated by the privacy and security obligations of GLB. Many of these privacy and security concerns overlap when it comes to PHI, NPPI and PII. Everyone within your agency, whether they are working on health insurance or not, has to understand and appreciate the need for privacy of all the client information you handle.
For those of you selling products in the Federal Marketplaces (FFM), there are major concerns when it comes to privacy. Personally Identifiable Information (PII), is defined as information that can be used to distinguish or trace an individual’s identity. Information qualifies as PII in the Marketplaces when used alone or combined with other personal or identifying information linked or linkable to a specific individual. For example, a name, date and place of birth, Mother’s maiden name, an IP address, and or biometric records are some examples of PII. This is the broadest definition of individual information to date, and it is important to remember that it is not limited to only health information. PII includes financial information as well.
Marketing means that an agent encourages individuals to use a product or service. HIPAA, GLB and ACA have very different marketing guidelines. Under HIPAA, agents may use an individual’s PHI for marketing purposes only in face-to-face meetings and to identify clients to whom they want to give promotional gifts of nominal value. The agent may use PHI to market or handle issues related to the health insurance product itself, including marketing to different carriers. For any other uses of PHI, the agent must receive prior written authorization from the client.
GLB marketing guidelines allow an agency to shop for the best price on life insurance or other coverages with a variety of carriers, with a proper agreement in place, and a Notice of Privacy Practices given to the client. An agency is able to take NPPI and disclose it to third parties without additional authorizations.
According to Marketplace rules, you are prohibited from cross marketing to a SHOP client, even if you have written permission from the client to market, or you are in a face-to-face meeting. This is an important distinction from HIPAA where you can cross market in face-to-face meetings, or if you have a signed agreement from the client. You could be fined or prohibited from selling into the SHOP or FFM if you are found to be in violation of these cross marketing rules. It is permissible to leave a list of other services, and tell the client to call if they are interested.
HIPAA, GLB and ACA require you to protect personal information about your clients, adopt policies and procedures, provide privacy notices to your clients on a yearly basis, and ensure your staff understands their responsibilities. Most of these requirements for HIPAA, GLB and the ACA can be fulfilled with the same set of documents, which are part of the Total HIPAA compliance documents and training.
Smart multi-line agencies will take advantage of meeting federal requirements with one combined effort. Meeting these compliance requirements gives your organization a good reputation because it is clear you’re dedicated to taking all the steps possible in order to protect your clients’ information.