Primary Agent | August 2010
business associates – a term that includes most agencies with Health policies – must play by the same rules, specifically the Security Rule.
Member profile: The John Yurconic Agency tackles new HIPAA mandates
Curious if your agency is considered a business associate (or perhaps a covered entity)? Read the criteria in the previous section on data-breach notification.
The mid-sized agency, which handles Life and Health as well as Property and Casualty, geared up for the change months in advance. They made modifications to their agency management software, restricted access to information and began utilizing limited data sets.
Q. What does the Security Rule entail?
A. Business associates must comply with the following:
• Limit “the amount of protected health information they access, receive or process,”
• Review security controls and add encryption where possible,
• Develop an incident-response plan and
• Train employees on how to handle health information and how to carry out the incident-response plan.
What’s more, business associates are bound by a whistle-blower rule. If a covered entity isn’t compliant, they must terminate the contract or report the breach. (The rule goes both ways: Covered entities must address business associates’ security slip-ups.) The Security Rule is no joke. Business associates are now subject to the same civil and criminal penalties as covered entities.
John Yurconic, left, and Tom Thorne are up to speed on privacy compliance.
Much like Mother Nature did with snow, new federal regulations buried Health producers in privacy responsibilities last February. Obligations once reserved for covered entities (typically, insurance carriers) under HIPAA were expanded to encompass business associates (typically, agents), thanks to the Security Rule. Tom Thorne, of the Allentown, Pa.-based John Yurconic Agency, knew a bit about HIPAA thanks to his background working for a health insurance carrier. So when he heard about the Security Rule, he jumped at the chance to help the agency prepare. “We were always very focused on protecting members’ privacy,” he says, “but this brought it up to a whole new level. We became directly accountable for the protection of information.”
“While some IT requirements may be expensive,” says Thorne of the agency’s adjustments, “as far as nuts and bolts and the cautious and proper procedures on releasing and managing data, it’s not expensive. It’s just common sense.” Ready by February 2010, the John Yurconic Agency was no doubt ahead of the game. And now, with the Security Rule firmly in place, agencies that have yet to comply must follow suit. “I know some agencies haven’t taken it seriously, but I urge them to be cautious with that,” he warns. “Enforcement is probably not something that will come up too often, but when it does, it could be catastrophic for a small agency.” Read more about security standards on page 18.