Does HIPAA Matter for Health and Life Insurance?

By Kayla Matthews, HealthIT writer and technology enthusiast, Tech Blog
Twitter: @ProductiBytes

The Health Insurance Portability and Accountability Act (HIPAA) is the U.S. legislation that defines the privacy and security standards surrounding health information. One component of HIPAA, the Privacy Rule, gives individuals rights over their protected health information (PHI), including which parties may view or receive it.

Once a person understands these basics, they may become curious about the stipulations for HIPAA and insurance. There are typically a lot of questions about which parties or companies must follow HIPAA, and which are exempt.

HIPAA makes a distinction between covered and noncovered entities. A covered entity must follow HIPAA (as must the business associates that handle PHI on its behalf), but a noncovered one does not need to abide by it.

Does HIPAA Apply to Health Insurance?
HIPAA and its Privacy Rule treat health plans, meaning health insurers and various related entities, as covered entities, so HIPAA does apply to health insurance. Any company that sells health plans to cover the cost of care must comply with HIPAA. The same is true for health maintenance organizations (HMOs) and government-funded health coverage, like Medicaid and Medicare.

Health care clearinghouses, which receive health information in nonstandard formats and convert it into standard formats, are also covered entities. Since they take insurance claims from health care providers and pass them to insurance companies, it makes sense that HIPAA treats them the same as insurers.

What About HIPAA and Insurance Received Through Group Plans?
Things are a little less clear-cut for group insurance plans that a person gets through their employer. That’s because the coverage can either be fully insured or self-funded, and HIPAA requirements differ in each case.

An employer offers a fully insured health plan to its employees when it pays a premium to a third-party insurer that administers coverage for the people in the group. A self-funded plan, also called a self-insured group plan, is one in which the employer collects money, from employee contributions or corporate funds or both, and sets it aside to pay for employees' health care claims directly.

If a company chooses a self-insured group plan, it either administers the plan itself or pays a third-party administrator (TPA) to do so. A self-insured plan can be cheaper for employers and employees because the business does not pay the potentially high premiums charged by a third-party insurer. It can pass on the savings to employees by setting lower premiums for workers.

However, self-funded plans require employers to accept more risk, particularly if a catastrophic and costly health issue befalls a group participant. Additionally, self-insured plans typically fall under HIPAA. The only exemption applies to a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it, in other words a plan that is both self-funded and self-administered.

Fully insured group health plans are different because they often exempt the plan (and therefore the employer) from most requirements of the Privacy Rule, as long as the plan provides benefits solely through an insurance contract and does not itself create or receive PHI beyond enrollment and summary health information. The health insurer the employer pays bears the responsibility to abide by HIPAA instead. A related thing to keep in mind is that HIPAA does not treat employers or group plan sponsors as covered entities; the group health plan itself is the covered entity. However, the Privacy Rule does restrict what PHI the group health plan may share with the employer as plan sponsor, and on what terms.

Should a Life Insurance Company Follow HIPAA Standards?
Life insurance is somewhat of a mysterious topic to some people, often because they make assumptions and do not verify their accuracy. For example, many people are underinsured because they hold only a group policy through their employer instead of an individual one. It is better to have a group policy than none at all, but group policies often lead people to believe they have more coverage than they do.

Another potentially surprising thing is that life insurance companies are not covered entities under HIPAA. However, that does not mean they ignore privacy entirely.

Many companies publish privacy policies on their websites or in written documentation that spell out how the life insurer handles customer data. Also, if a life insurance company processes the personal data of people in the European Union, it must follow the General Data Protection Regulation (GDPR).

Life insurance companies can still obtain some health information about their customers. For example, during underwriting they commonly ask applicants to sign an authorization that allows providers and other covered entities to release medical records, and they can buy prescription drug histories and lab test results from outside data vendors. That signed authorization is the mechanism that lets a covered entity disclose PHI to a noncovered life insurer. Although HIPAA does not apply to life insurers, people should not assume those companies will never see any of their medical data.

HIPAA and Insurance Specifics Worth Knowing
This overview should confirm that how, or whether, HIPAA applies to health and life insurance is not straightforward. People who handle health data for insurance reasons or otherwise should always make sure they understand the HIPAA specifics that apply to their situation and act accordingly.