Assurant Employee Benefits

Site Map | Contact Us

HIPAA Privacy
Questions and Answers

 

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. It is a federal statute that was enacted in 1996. While there are many parts of HIPAA, the ones that concern us are 1) Privacy, 2) Electronic Transactions and Code Sets and 3) Security.

The privacy rule was enacted to give individuals more control over their health information, to set boundaries on the use and disclosure of health information and to establish safeguards to protect the information.

The electronic transactions and code sets requirements were enacted with the objective of creating a uniform system where all electronic data interchange that is performed in the health care industry is done in a standard format, thereby leading to a reduction of costs in the industry.

The security regulation proposes standards for the security of individual health information in the electronic format. Currently, these regulations are not final and there is no compliance date.

Top of page

What does Assurant Employee Benefits have to do because of HIPAA?

Under HIPAA, Assurant Employee Benefits has to do many things. Below are a few of the major tasks.

  1. We have to make certain that any electronic data interchanges done in conjunction with our dental business is done in the standard electronic format. We have purchased a translator that will help us comply with this requirement. This requirement primarily affects the following systems: Fastrak, ClaimFacts, GroupFacts, Online Advantage and COMPASS.

  2. We have to implement new processes and procedures so that we can provide our dental insureds greater access to their individual information.

  3. We have to implement new tracking processes so that we can easily know when and to whom we disclose a dental insured’s information.

  4. We have to inform all our dental insureds of the new processes and procedures we have in place as well as their rights under HIPAA to access their personal information.

  5. We have to implement a new training program so that everyone is familiar with the new policies and procedures that are being put in place.

This list is not exhaustive and there are many other requirements. However, this should give you a general idea of what is happening with respect to the HIPAA project and what is coming in the future.

Top of page

When does all this have to be done?

The electronic transactions and code set requirements need to be in place by October 16, 2003. The rest of the tasks, excluding any electronic security tasks, need to be completed by April 14, 2003.

Top of page

How is Assurant Employee Benefits accomplishing these tasks?

We have recruited a very knowledgeable group of employees from various areas of the company to work on this project. Teams were created and the project tasks have been divided among the teams. The teams are working very hard to make certain that Assurant Employee Benefits is HIPAA-compliant by the required dates.

Top of page

Will Assurant Employee Benefits be HIPAA-compliant by the compliance dates?

Yes. We are making every effort to be HIPAA-compliant for privacy by April 14, 2003 and for the electronic standard requirements by October 16, 2003.

Top of page

Did Assurant Employee Benefits file for an extension to comply with the Electronic Transactions and Code Sets requirements?

Yes. In order to give us another year to comply with the electronic transactions and code set requirements, we filed an extension with the Department of Health and Human Services. This extension was filed on behalf of Assurant Employee Benefits and all the prepaid companies.

Top of page

Does HIPAA apply to our entire business?

No. HIPAA applies only to our dental (insured, self-funded, individual and prepaid), medical and vision products. It does not apply to our disability and life coverages. This means that, for the most part, it is business as usual on our disability and life side of the house. On the other hand, there will be some changes to how our dental area does business.

Top of page

What is PHI?

PHI stands for protected health information. Protected health information is any information, written or oral, which we have about our dental or medical insureds that identifies or can reasonably be used to identify them. Under HIPAA we are responsible for making certain that our dental and medical insureds’ PHI is only used and disclosed in a certain way.

Top of page

Who else has to comply with this law?

HIPAA applies to what is referred to as covered entities. Covered entities are health care providers, health plans and health care clearinghouses.

A health care provider is a provider of medical or dental services or someone who furnishes medical or health care services or supplies. This includes doctors, dentists, pharmacies and nursing homes, among others.

A health plan is an individual or group health plan that provides or pays the cost of medical or dental care and includes an employee welfare plan covered by ERISA, health and dental insurers and HMOs. This means that many of our groups, whether self-funded or fully insured, needs to be HIPAA-compliant.

A health care clearinghouse is an entity that processes or facilitates the processing of health or dental information received from another entity in a non-standard format into standard data elements or a standard transaction, or vice versa. This includes billing services and repricing entities.

Top of page

What is a business associate?

A business associate is a person or organization outside of Assurant Employee Benefits that performs functions or activities on our behalf involving the exchange of personal health information. This includes our brokers and TPAs. Policyholders and health care providers are not business associates.

Top of page

Does this mean we can no longer share information with our brokers and/or TPAs?

No. We can continue to share enrollment, disenrollment, and eligibility information with our brokers and TPAs if they have signed an agreement containing HIPAA business associate language.

Top of page

What is a trading partner?

Any entity with whom we engage in electronic transactions.

Top of page

What is an electronic transaction?

The exchange of information between two parties to carry out financial or administrative activities related to our dental business. In includes the following:

  1. Dental care claims

  2. Dental care payment and remittance advice

  3. Coordination of benefits

  4. Dental care claim status

  5. Enrollment and disenrollment in a dental plan

  6. Eligibility for a dental plan

  7. Dental plan premium payments

  8. Referral certification and authorization

  9. First report of injury

  10. Claims attachments

Top of page

What is a designated record set and why are people requesting it?

Under HIPAA, an individual can request that we provide them a copy of their designated record set. A designated record set consists of those documents and records that we use to make decisions about an individual. They include those records kept by our business associates and can consist of such things as phone records and e-mails.

Top of page


When will we begin sending business associate agreements/amendments to our brokers and TPAs?

For those brokers and TPAs who began doing business with us after October 16, 2003, they will receive a business associate agreement prior to April 14, 2003. Any broker or TPA who was with us prior to October 16, 2003 will receive a business associate agreement/amendment by the end of this year. Included in this mailing will be a copy of our HIPAA Notice of Privacy Practices.

Top of page

Are we signing business associate agreements with our policyholders?

No. Included in the regulations was a discussion about whether insurance companies needed to enter into business associate arrangements with their policyholders. According to the regulators, "Where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance by the health insurance issuer or HMO to the group health plan does not make the issuer a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan."However, we will be entering into business associate agreements with our dental Administrative Services Only clients because in that relationship we are not acting as the insurer but rather as the administrator of a self-funded dental plan.

Top of page

Are we signing business associate agreement with dental providers?

No. Similar to the discussion about policyholders the regulators also indicated that "Business associate contracts or other arrangements are only required for those cases in which the covered entity is disclosing information to someone or some organization that will use the information on behalf of the covered entity . . . For example, when a health care provider discloses protected health information to health plans for payment purposes, no business associate relationship is established."

Top of page

Are we sending HIPAA privacy notices and if so, when?

We are sending privacy notices to all our dental policyholders, group and individual, by the end of March, 2003. We are sending one copy of the notice to each group and requesting that they copy and distribute it to their employees insured under our dental policy. Assurant Employee Benefits Online Advantage (FBOA) customers will receive an e-mail telling them where they can access the notice. The notice is posted on the Internet site for those who want an electronic version.  This privacy notice applies to our insured dental plans.  It does not apply to dental plans that are self-funded by the employer.

Top of page

Are we going to continue to send GLB Privacy Notices?

Our responsibilities under Gramm-Leach Bliley (GLB) do not change because of HIPAA. Under GLB we will continue to send annual notices to our policyholders. HIPAA also requires that we send notices; however, the timing is less frequent. Under HIPAA we are only required to send a notice by April 14, 2003 and thereafter, every three years, to send a short reminder to our insureds that they are entitled to a copy of our HIPAA privacy notice. For more information regarding GLB please review our GLB Questions and Answers.

Top of page

Who do I contact if I have a question about HIPAA?

Contact the Privacy Office at privacyoffice.AEB@assurant.com or contact the Privacy Officer at 816.881.8835.

Top of page