“DADT” Won’t Work for Health insurers on HITECH

The health insurers collective approach to handling business associates (BA’s) like brokers and consultants and HIPAA HITECH is their own version of the military’s “don’t ask don’t tell ” (DADT) policy. It has failed the military and will fail the insurers as well.

It also creates a huge potential liability no risk manager would touch and even Lloyd’s would not insure.

Why do we say that?

Simple. In general the insurers have clearly designated their agents, brokers and consultants as BA’s and as such have set some expectations for themselves as covered entities to be sure that all their BA’s are compliant.

Their idea of that shows itself in 3 basic forms:

Unilaterally Amending producer agreements with language assuming HIPAA HITECH compliance for its owners. The agreements try to make it seem like if breaches occur the broker is on their own as liable for the problem.

Simple agreements that vaguely describe the laws changes and how they impact BA’s and require a signature or the broker will no longer be given access to their client’s PHI to service their accounts.

Detailed agreements that get into chapter and verse on the privacy and security rules that drown a reader in mind numbing detail so they either sign it or are forced to get their attorney involved to assess and negotiate it. Generally these agreements try to slip terms in regarding breaches, reporting and other terms that are more stringent than the laws themselves.

All of the above make massive assumptions and references to detailed legal code references and incorporate all their provisions into the agreement.

The insurers have no plans in place to audit any BA’s. Have made little or no attempt to educate or document their BA’s compliance. All they have done is file a way the forms and think that in case of any major issues their BA’s create they will skate away freely.

Wrong!

Remember the problem when you “ASSUME”? That is right you make  an A** of  U and ME. This is exactly what the carriers face once HHS and OCR start auditing and enforcing HIPAA HITECH.

I spoke with 3 privacy experts today about the insurers approach to this issue and how they are likely to be assessed in an audit or a serious breach investigation and all of them responded with virtually the same answers.

First – Covered Entitites (CE’s) like insurers are the parties ultimately accountable for any and all breaches of their own and any BA’s.

Second – If the insurer has done nothing to assure or audit compliance other than filing away BA agreements they put themselves at more risk in any breach case for higher penalties.

So the insurers collective approach to HIPAA HITECH while it varies some is consistent in its lack of education, follow up, management and assistance to BA’s to get compliant and keep everyone in line.

I can hardly wait for Secretary Sebelius or an Attorney General to start pulling on this string and unravelling the “don’t ask don’t tell” policies of major insurers while their profits are up 56% over 2008, 3 million people have lost their insurance, executive comp. will be skyrocketing and 39% rate increases continue to make the news.

I can see the Senate hearing where someone like John McCain asks a major insurer CEO:

” So you are telling me that you have 500,000 agents selling your product who are your BA’s and you have nothing but a signed piece of paper telling you they have complied with Federal law. You have done no follow ups, no audits and have nothing to document your HIPAA compliance in securing the personal health information of your xxx million insureds with your business associates who you are liable for under this long standing federal law?”

Doing more than the bare minimum to get all parties in compliance would be to an insurer’s benefit but now they will reap what they sow….

Advertisements
Explore posts in the same categories: brokers, Business, Employee Benefits, Healthcare, Healthcare Insurers, Healthcare Reform

Tags: , , , ,

You can comment below, or link to this permanent URL from your own site.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: