This was a question from one of our clients this past week. They sell Medicare Advantage policies and, as a prerequisite to selling these policies, are required to go through AHIP’s marketing certification for MA policies. By going through this Medicare training and signing an agreement with the carrier, are they HIPAA compliant?
Sorry, no. Medicare Advantage training doesn’t make you HIPAA compliant.
AHIP Certification gets you ready to sell Medicare Advantage policies. The training is related to CMS’s marketing requirements for the types of policies you are going to sell. There is very little (if any) privacy and security training, or creation of policies and procedures, that goes along with AHIP.
But I agreed to adopt the Privacy and Security Policies that the MA carrier provided – Does that meet HIPAA requirements? Yes, those Policies do meet a portion of the requirements to be compliant with the HIPAA Privacy and Security Rules. Almost every broker and agent takes the carrier’s template, signs off on the document, and promptly files it away – never to be seen again. This means that you have clearly stated that you are a business associate of your carrier and are responsible for maintaining compliance. But just signing that you adopt their policies does not meet the HIPAA requirements. And you don’t know there is an issue until there is an issue.
How many out there actually went step-by-step through this agreement and really implemented a thorough HIPAA Compliance program? Not very many. In David Smith’s many years as a benefit consultant, he says, “90% of people haven’t done anything, and don’t realize the risks they are taking.” By signing this document from your carrier, you have taken on a whole host of commitments that you need to be aware of.
One thing that stuck out when I looked at a Humana Privacy template (which I assume is pretty standard across all carriers) was that they clearly state you have to either purchase or implement your own HIPAA training program. This is very important! Your employees are the weakest link in the proverbial chain. You can have the best encryption money can buy, and a mistake by a careless employee can ruin it all for you. HIPAA isn’t very clear as to how often you need to retrain your employees, but the best business practice is to be proactive and retrain annually. You may have new hires, people forget things, etc.
Have you actually implemented HIPAA compliant Security standards? There have been some pretty significant changes with HIPAA as described in the 2013 Omnibus Ruling. Here are a few. All ePHI now must be encrypted in transit, at rest and in storage. Are you encrypting all emails that contain PHI? Are you encrypting your backups? Do you encrypt your computers? You need to have policies that clearly state these practices, and you have to implement them or, I’m sorry to say, you aren’t HIPAA compliant.
HIPAA should be at the top of everyone’s list these days. There have been some huge fines passed down from HHS. More importantly, in the insurance business, your reputation is something you’ve carefully cultivated. Your clients are your friends, sometimes they’re your family, and nobody wants to make the phone call saying, “I sent your personal information to the wrong person; or my computer was stolen and your personal information was not encrypted like the government required me to do. As a result, you could be at risk for identity theft.” Who is going to invite you into their home to talk to them about their insurance options with this blight on your record? This can quickly destroy a business. HIPAA compliance isn’t fun, and can be a financial burden, but these regulations are here to protect you and your business. If you take advantage of the training and compliance that is out there, you are protecting your clients and your business… sounds much better than just satisfying a Federal Requirement, right?