What are the HIPAA Implications for Health Insurance Companies?

HIPAA implications for health insurance companies arise because most health insurers are HIPAA Covered Entities in their capacity as health plans. As such, they are required to comply with the HIPAA Privacy Rule, the HIPAA Security Rule for electronic protected health information, the HIPAA Breach Notification Rule, and the HIPAA Administrative Simplification standards for electronic transactions, code sets, and identifiers. These rules impose enforceable duties for policies, workforce training, safeguards, documentation, and oversight of vendors that handle protected health information.

Under the HIPAA Privacy Rule, a health plan may use and disclose protected health information for payment and healthcare operations, and may disclose protected health information for treatment activities in permitted circumstances, while other uses and disclosures require a HIPAA permission or a valid HIPAA authorization. The HIPAA Minimum Necessary Rule applies to most payment and healthcare operations activities, requiring procedures and access controls that limit protected health information to the purpose of the use, disclosure, or request. Health plans must support individual rights such as access to protected health information in a designated record set, requests for amendment, an accounting of disclosures when required, requests for confidential communications when applicable, and complaint intake and nonretaliation controls. Health plans must provide a Notice of Privacy Practices where required and maintain privacy policies, procedures, sanctions, and mitigation processes for impermissible uses or disclosures.

When a health plan creates, receives, maintains, or transmits electronic protected health information, the HIPAA Security Rule requires administrative safeguards, physical safeguards, and technical safeguards. Compliance activities include a documented risk analysis, risk management actions, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, and evaluation of the security program. Technical safeguards include access controls, audit controls, integrity controls, person or entity authentication, and transmission security. Physical safeguards include facility access controls, workstation security, and device and media controls for the handling, disposal, and reuse of electronic media.

Health plans are also responsible for vendor governance and breach response. A health plan must have a written business associate agreement in place before a Business Associate creates, receives, maintains, or transmits protected health information on the plan’s behalf, and the agreement must restrict permitted uses and disclosures and require safeguards and breach reporting. Under the HIPAA Breach Notification Rule, a health plan must evaluate impermissible uses or disclosures of unsecured protected health information and provide required notices to affected individuals and required reporting to the U.S. Department of Health and Human Services within applicable deadlines. Health plans that conduct covered electronic transactions must use adopted standards for those transactions and adopted code sets and identifiers when required, and must maintain operational controls that support compliant claims, eligibility, remittance, enrollment, and related transaction workflows.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA