The word "insurance" figures prominently in HIPAA's full name: the Health Insurance Portability and Accountability Act. This fact alone initially led me to think that HIPAA must have some implications for our industry. At the most fundamental level, we should be asking ourselves this important question: Does federal legislation define third-party administrators, providers of risk and insurance technology applications, and others in our industry as covered entities?
Helpfully, the U.S. Department of Health and Human Services, responsible for managing HIPAA and HITECH legislation, provides online information to assist organizations in determining if HIPAA applies to them.
Upon reviewing the HHS guidance, it seems clear to me that TPAs, technology vendors and most others in our industry do indeed fall under the HIPAA/HITECH Acts. The laws are broad in coverage and yet very specific in the areas of privacy and technology. Yet, in my relatively brief time in this industry (four years now), it seems that most folks believe there is an exemption or carve-out for risk and insurance management. I have researched this extensively and even consulted with external firms that deal with HIPAA/HITECH, and I have found no such exceptions.
So what does this all mean?
Bottom line: if the U.S. federal government enacts laws designed to protect the privacy and security of individual personal and medical information, we should follow such regulations across all industries to provide those protections for the entire lifecycle of the data, regardless of how the data is used or the location in which it is stored or processed. HIPAA/HITECH has critical implications for the risk and insurance management industry; organizations need to take notice and then act to get aligned quickly. Otherwise, they risk exposing information and causing a data breach or other HIPAA violation.