HIPAA Regulations for Brokers

"HIPAA" stands for The Health Insurance Portability and Accountability Act of 1996. The law consists of several parts, including a section that addresses portability of insurance coverage, which is designed to help protect health insurance coverage for workers and their families when they change or lose their jobs. That part of HIPAA was effective in 1996, and CIGNA HealthCare implemented it at that time.

The more recent regulations pertain to another part of the law, known as "Administrative Simplification." The Administrative Simplification provisions are designed to reduce the administrative costs of providing and paying for health care by standardizing electronic transactions and code sets. Administrative Simplification also contains requirements to protect the privacy and security of Protected Health Information (PHI) and will provide for national identifiers for providers, employers and health plans in the future.

Health plans (including insurers and self-funded group health plans), health care clearinghouses and health care providers who engage in electronic transactions are covered by the Administrative Simplification requirements of HIPAA. These are known as "covered entities." To a lesser degree, employers and business associates of covered entities are also affected.

The regulations for employer identifiers have recently been published, and we expect to implement them by the required date in 2004.

CIGNA HealthCare supports our members' right to privacy, as well as the administrative efficiencies that can result from the implementation of standard data formats. We were ready, tested and compliant by the HIPAA effective dates of April 14, 2003, and October 16, 2003. We are currently working toward the HIPAA Security Rule compliance date of April 20, 2005.

Privacy-Implemented April 14, 2003

The Privacy Rule, which took effect April 14, 2003, requires that covered entities establish policies and procedures to protect certain individually identifiable health information referred to as Protected Health Information (PHI), that is stored or transmitted in any form or medium: electronic, paper or oral. The regulations allow the use and disclosure of PHI without authorization for the purposes of treatment, payment or administration of the health-benefits plan. However, most other uses or disclosures, such as marketing a product or service, require written authorization from each individual involved. The Privacy regulations also extend certain rights to individuals, such as the right to access and request amendments to their PHI and to receive notices describing how their PHI is used and disclosed.

Electronic Transactions and Code Set Standards-Implemented October 16, 2003

This regulation requires that providers, group health plans, and health care clearinghouses use industry-wide standard formats and coding for common electronic interfaces and transactions. Employers may choose to adopt federal standards for transmitting data for premium and eligibility transactions.

This regulation was originally scheduled to go into effect in October 2002. However, through the enactment of the Administrative Simplification Compliance Act, President Bush granted an extension to October 2003 for covered entities that file for it. CIGNA HealthCare filed for this extension on behalf of itself and its group health plan customers.

CIGNA HealthCare supports our members' right to privacy, as well as the administrative efficiencies that can result from the implementation of standard data formats. We were ready, tested and compliant by the HIPAA effective dates of April 14, 2003, and October 16, 2003.

Security Rule-Implementation In Progress

The Security Rule was finalized on February 20, 2003 with a compliance date of April 20, 2005. The Security Rule requires providers, group health plans, and health care clearinghouses to ensure the confidentiality, integrity and availability of electronic protected health information. The Rule identifies administrative, physical and technical safeguards that must be implemented.

CIGNA has had an information protection practice in place since 1999. Many of the components of the CIGNA program (for example: information protection policy, training and awareness, governance, incident response, continuity planning) are also components of the HIPAA Security Rule.

In August 2003, CIGNA began assessing its policies, procedures, and physical as well as technical controls for HIPAA Security Rule compliance. This assessment has been completed and we are currently in the process of making the appropriate changes necessary for compliance with the HIPAA Security Rule. In addition, we are updating our Business Associate Agreements to include the provisions required by the Rule.

Please contact us if you have questions about our Privacy Rules and Producer Business Associate Agreements.