Multi-Line Agencies and Privacy Requirements

It’s important to train all staff in a multi-line agency on HIPAA Compliance

There is a great deal of crossover within a multi-line agency. Cross-selling group or individual health insurance and other benefits, between personal lines and key commercial lines clients, has been one of the best ways to preserve a long-term relationship. To do this well, there is going to have to be some exchange of often confidential information between different teams. Plus, the reality that there is often little to no physical or electronic separation between team members means that you need to make sure your bases are completely covered in case of an unintentional breach. Simply said: it is very important that all parties are properly trained on these regulations, which is one of many reasons a multi-line agency will often require all staff to be trained on HIPAA.

Protecting PHI, NPPI and PII

Across your agency, you may have multiple agents who will have access to or come in contact with Protected Health Information (PHI), Non-Public Personal Information (NPPI) and Personally Identifiable Information (PII). In our experience, agents handling long-term care, vision, Medicare, dental and health insurance are reluctant to refer clients to agents who sell life, auto, home, commercial liability, 401(k), and Workers’ Comp if those agents are not properly trained on their responsibilities to safeguard clients’ Protected Health Information (PHI).

Gramm-Leach-Bliley (GLB) is an entirely separate federal law (from HIPAA) that dictates what insurance agents can do with personally identifiable information collected from or about consumers, or resulting from a transaction with consumers. This is commonly called Non-Public Personal Information (NPPI). Insurance agents are prohibited from disclosing NPPI as defined in GLB to nonaffiliated third parties without notifying the client or providing an opportunity for the client to opt out.

Non-health-related insurance products are considered financial products and are regulated by the privacy and security obligations of GLB. Many of these privacy and security concerns overlap when it comes to PHI, NPPI and PII. Everyone within your agency, whether they are working on health insurance or not, has to understand and appreciate the need for privacy of all the client information you handle.

For those of you selling products in the Federal Marketplaces (FFM), there are major concerns when it comes to privacy. Personally Identifiable Information (PII) is defined as information that can be used to distinguish or trace an individual’s identity. Information qualifies as PII in the Marketplaces when used alone or combined with other personal or identifying information linked or linkable to a specific individual. A name, date and place of birth, mother’s maiden name, IP address, and/or biometric records are all examples of PII. This is the broadest definition of individual information to date, and it is important to remember that it is not limited to health information: PII includes financial information as well.

Marketing Guidelines

Marketing means that an agent encourages individuals to use a product or service. HIPAA, GLB and ACA have very different marketing guidelines. Under HIPAA, agents may use an individual’s PHI for marketing purposes only in face-to-face meetings and to identify clients to whom they want to give promotional gifts of nominal value. The agent may use PHI to market or handle issues related to the health insurance product itself, including marketing to different carriers. For any other uses of PHI, the agent must receive prior written authorization from the client.

GLB marketing guidelines allow an agency to shop for the best price on life insurance or other coverages with a variety of carriers, with a proper agreement in place, and a Notice of Privacy Practices given to the client. An agency is able to take NPPI and disclose it to third parties without additional authorizations.

According to Marketplace rules, you are prohibited from cross marketing to a SHOP client, even if you have written permission from the client to market, or you are in a face-to-face meeting. This is an important distinction from HIPAA where you can cross market in face-to-face meetings, or if you have a signed agreement from the client. You could be fined or prohibited from selling into the SHOP or FFM if you are found to be in violation of these cross marketing rules. It is permissible to leave a list of other services, and tell the client to call if they are interested.

HIPAA, GLB and ACA require you to protect personal information about your clients, adopt policies and procedures, provide privacy notices to your clients on a yearly basis, and ensure your staff understands their responsibilities. Most of these requirements for HIPAA, GLB and the ACA can be fulfilled with the same set of documents, which are part of the Total HIPAA (www.TotalHIPAA.com) compliance documents and training.

Smart multi-line agencies will take advantage of meeting federal requirements with one combined effort. Meeting these compliance requirements gives your organization a good reputation because it is clear you’re dedicated to taking all the steps possible in order to protect your clients’ information.

For more information on how to meet the compliance requirements, check out this video: HIPAA Prime
