Many people and entities that conduct business with health insurance carriers are subject to newly effective federal regulations that expand the privacy and security requirements of HIPAA. Failure to comply could result in civil or criminal liability and large monetary penalties.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, imposed privacy and security standards for individuals' protected health information ("PHI") in the possession of healthcare providers, health plans and others ("Covered Entities"), including health insurance carriers. The Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), adopted as part of the 2009 federal stimulus bill, imposes new requirements on entities that conduct business with Covered Entities.
Under HIPAA, any person or entity that handles individuals' PHI as part of its business activities is considered a "Business Associate" of the Covered Entity from which, or on behalf of which, it obtains the PHI, whether or not it or the Covered Entity acknowledges that fact. Therefore, service providers to Covered Entities, including insurance agents and brokers, claims adjusters, third-party administrators and utilization review agents, are required to enter into "Business Associate Agreements" with the Covered Entities with which they work. These agreements set forth the obligations of the Business Associate to protect PHI, and in many cases provide for contractual liability to the Covered Entity in the event of a data security breach or other violation of HIPAA by the Business Associate. However, many Business Associates have not entered into Business Associate Agreements, either due to lack of awareness of their obligation to do so, or because under HIPAA they had no direct liability to the federal government for HIPAA violations. Effective February 17, 2010, the HITECH Act imposes expanded data privacy and security obligations on Business Associates, giving them potential direct civil and/or criminal liability to the federal government for their data breaches and other violations of HITECH. HITECH also applies to entities that deal only with other Business Associates, rather than directly with a Covered Entity, if they come into possession of PHI. HITECH's provisions include detailed notification requirements that must be followed by a Business Associate that suffers a data breach.
Monetary penalties for data breaches and other violations of HITECH can be substantial, reaching into the millions of dollars. Potential penalties are highest when the basic requirements of HITECH, including the need for a Business Associate Agreement, have not been met. Any entity that comes into possession of PHI (even temporarily or indirectly) in connection with the services it provides to other entities must ensure that it is acting in compliance with the requirements of HIPAA and the HITECH Act.