As business associates of covered entities, Medicare sales agents must fully comply with HIPAA’s Privacy and Security rules. By nature of the business, some personal information must be exchanged for things like plan enrollment. HIPAA makes sure your client’s data stays safe and is only accessible by people with explicit permission.

Privacy vs. Security

HIPAA guidelines fall into two broad categories: Privacy and Security. Both address procedures for protecting the insured’s data, with one major difference. The Privacy Rule applies to all communication forms – electronic, written, and oral – while the Security Rule is specific to how to manage electronic health information. You are obligated to comply fully with both the Privacy and Security Rules.

The Privacy Rule

The Privacy Rule requires all covered entities to be responsible for safeguarding Personally Identifiable Information (PII) as Protected Health Information (PHI). This includes defining who can use, disclose, or access it. It also includes basic information  like a person’s name, address, birthday, and Social Security number.

The Security Rule

The Security Rule refers to how to safeguard Electronic Protected Health Information (e-PHI) against inappropriate alteration or destruction and unauthorized use or access.

Any hardware or software you use to store and transfer e-PHI must have sufficient administrative, technical, and physical protections in place.

  • Administrative: Access should only be granted to certain people based on their specific role, and you should maintain the “minimum necessary” standard
  • Technical: Your computers must be capable of keeping information confidential and secure (e.g., strong passwords and encryption software); protecting against potential threats
  • Physical: Whether you keep files in a locked room or password-protected on a computer, they should not be accessible by unauthorized individuals

Working with Protected Information

Whether working in an office, or from home, you must protect PHI in all forms, including written, electronic, or spoken.

Paper: Agents often handle a high volume of paper applications with enrollees’ PHI or PII. Be sure to keep paperwork separate and don’t try to work on multiple applications at the same time. There could be an issue if you send the wrong document to someone who isn’t authorized to see that person’s information. Keep all documents with PHI secure and out of view. Documents with PHI that need to be disposed of should be shredded or placed in a secure disposal bin.

Laptops: Stolen laptops are a common issue that can lead to significant problems. The best practice is to encrypt all electronic devices containing PHI or PII with full-disc encryption and pre-boot authentication. Windows comes standard with BitLocker and MacOS has FileVault to meet these needs. Do not share your passwords with anyone and make sure your passwords are strong.

Storage: When possible, do not store PHI or PII on mobile devices or flash drives. Taking a picture with PHI or PII on a cell phone can lead to issues if it’s not properly managed.

Email: Typos are a frequent problem. When sending emails, double-check the recipients to make sure your email client didn’t auto-populate the wrong name. Sending an email to the wrong person may qualify as a breach which needs to be reported. Never send PHI via unsecured email or internet services.

Phone: Do not give PHI or PII to a third party over the phone without the insured’s consent, or unless explicitly allowed by your agreement with the covered entity. Do not leave voicemails with PHI unless given the insured’s consent to do so.

If a HIPAA Breach Occurs

It is important to know what is considered a breach and how to report it.

A breach is defined as a use or disclosure of protected health information not permitted by the HIPAA Privacy Rule that compromises the security or privacy of protected health information. If a breach occurs, you are required to notify the Covered Entity for whom you are providing a service within sixty days, and the covered entity must notify the affected individual within 60 days. Notice should include the nature of the information that was disclosed and advice about that steps that individual should take to protect themselves from potential loss. Failure to report a breach can result in substantial penalties.

PTT Financial equips medical sales agents with tools to help them comply with HIPAA requirements. Do you need support to ensure you are compliant? See why smart Medicare agents join PTT Financial.