Primary Agent | August 2010
never regulated it, producers in the state are still required by federal law to develop one.

Q. What should be included?
A. A written information security program details the measures your agency takes to protect customers’ information, including:
- Identifying and determining the likelihood of threats,
- Defining administrative procedures, office security and computer systems security and
- Assessing the sufficiency of those safeguards.

Q. How do I get started?
A. IA&B has you covered. Complete a Web-based risk-assessment survey, and you’ll earn a customized program to keep on file. The only things left to do? Training your staff to implement the program, and monitoring your agency operations to adjust the program as necessary.

Create your information security program:
Pennsylvania – www.iabgroup.com/pa/privacy_requirements
Maryland – www.iabgroup.com/md/privacy_requirements
Delaware – www.iabgroup.com/de/privacy_requirements
Note: If you sell health insurance (even just one policy), you’ll need a more stringent information security program to comply with HIPAA’s new HITECH Security Rule. Read more in the security standards section on page 18.

It’s common knowledge that the Health Insurance Portability and Accountability Act (HIPAA) guards personally identifiable health information. (Under HIPAA, it’s called protected health information, or PHI.) What’s not so well known is that HIPAA requirements recently expanded to further affect producers. The bottom line: As of September 2009, affected producers must comply with detailed notification procedures if PHI – whether it’s electronic, written or spoken – is breached. Specifically, producers are on the HIPAA hook if they are considered a business associate of a covered entity (defined as a healthcare provider, health insurance plan or health insurance clearinghouse). Of course, HIPAA obligations also can be triggered if the producer is considered a covered entity, i.e. is an employer with a fully insured or self-insured health insurance plan for his or her own employees.

Q. How do I know if I’m a
A. Chances are, if you sell health insurance or group benefits, you’re a business associate. While a business associate isn’t a member of the covered entity’s workforce, he “performs functions or activities on behalf of covered entities that involve the creation or receipt of protected health information.”

Q. What’s this business-associate agreement I’ve heard about?
A. Put simply, the agreement establishes safeguards to protect health information. It also stipulates that business associates and their vendors (and their vendors’ vendors, etc.) enter into contracts when sharing protected information. And since the
[ 17 ]
Digital copiers: the weak link
An unexpected source of data breach is that seemingly innocuous office copier. Digital copiers store a copy of every document that is copied, scanned or e-mailed. And that could mean trouble when the copier leaves your office. CBS News last spring ran a story about digital copiers that were purchased or leased and then replaced or discarded without wiping the hard drive. Personally identifiable information, including Social Security numbers and protected health information, was available within hours of purchase on the second-hand market. The lesson: Make sure the hard drive is wiped before leased digital copiers leave the premises. And before replacing owned copiers, contact the manufacturer to secure or remove the hard drive before you dispose of the equipment. Last but not least, make these processes part of your information security program.