Does HIPAA apply to the risk and insurance industry?

It has been 16 years since HIPAA legislation was signed into law by President Clinton. In early 2010, the HITECH Act was enacted, expanding on the original HIPAA regulations. While these regulations may appear on the surface to apply only to the health and medical industries, the risk and insurance industry may in fact be subject to HIPAA legislation.

The word “insurance” figures prominently into HIPAA’s full name: the Health Insurance Portability and Accountability Act. This fact alone initially led me to think that HIPAA must have some implications for our industry. At the most fundamental level, we should be asking ourselves this important question: “Does federal legislation define third-party administrators, providers of risk and insurance technology applications, and others in our industry as ‘covered entities’?”

Helpfully, the U.S. Department of Health and Human Services, responsible for managing HIPAA and HITECH legislation, provides online information to assist organizations in determining if HIPAA applies to them.

Upon reviewing the HHS guidance, it seems clear to me that TPAs, technology vendors and most others in our industry do indeed fall under the HIPAA/HITECH Acts. The laws are broad in coverage and yet very specific in the areas of privacy and technology. Yet, in my relatively brief time in this industry (four years now), it seems that most folks believe there is an exemption, or “call out” for risk and insurance management. I have researched this extensively and even consulted with external firms that deal with HIPAA/HITECH, and I have found no such exceptions.

So what does this all mean?

  1. Evaluate our businesses and determine if and how HIPAA/HITECH applies to us;
  2. Review our vendors and partners and ensure that they have a similar understanding of HIPAA/HITECH legislation and how it applies to them in practice. Depending on the outcomes of such reviews, it may even be necessary to put business associate agreements in place where they don't exist today;
  3. Perform a gap analysis to see if our organizations are actually compliant with HIPAA/HITECH; and
  4. Engage organizations like URAC for HIPAA accreditation.

Bottom line, if the U.S. federal government enacts laws designed to protect the privacy and security of individual personal and medical information, we should follow such regulations across all industries to provide the protections for the entire lifecycle of the data—regardless of how the data is used or the location in which it is stored or processed. HIPAA/HITECH has critical implications for the risk and insurance management industry; organizations need to take notice and then act to get aligned quickly. Otherwise, they risk exposing information and causing a data breach or other HIPAA violation.

David Black is the CISO for Aon eSolutions, the leading global provider of web-enabled integrated risk management tools and resources. David is responsible for Aon eSolutions' strategy and approach to IT risks, as well as the execution of initiatives to protect all Aon eSolutions products and services and the corporate environment.

RMIS Guide

Dec 3, 2012