Does HIPAA apply to health insurance exchanges?


Adding to the uncertainty surrounding health insurance exchanges is the question of how they intersect with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security laws.

Exchanges themselves aren't covered by HIPAA, but insurers must follow the law's privacy and security requirements when operating within an exchange. Plus, they must comply with any privacy and security conditions that the exchanges themselves establish. And making matters even murkier, many insurers will be participating in multiple state-run exchanges and, therefore, must adhere to myriad privacy and security requirements, according to the Report on Patient Privacy.

So far, there doesn't seem to be a one-size-fits-all solution to this HIPAA quandary. The Department of Health & Human Services can't just apply HIPAA to all exchanges because the information shared in these marketplaces isn't directly addressed under HIPAA, and privacy and security safeguards "need to be tailored to the information flows," Kate Black, staff counsel for the Center for Democracy & Technology (CDT), told the Report on Patient Privacy.

One difference between the information governed under HIPAA and the information handled by the exchanges is demographic data, such as patients' immigration and incarceration status, Black said. Exchanges also will access information from a federal Data Services Hub, which collects personal information from many federal agencies into one system and then connects that data with states' computer systems. "The information it collects and processes will include tax information from the IRS and verifying Social Security numbers," she added.

Insurers, however, could benefit if HHS decides they're not bound by HIPAA when operating within exchanges. For example, the exchange rule, which was published in March, established smaller financial penalties for privacy and security violations than HIPAA does. And the exchange rule doesn't require that insurers notify any regulatory agency of a potential security or privacy breach. Nor does it mandate that they issue notices of privacy practices for health plans sold on the exchanges.

If HHS does extend HIPAA to all activities within exchanges, insurers may be in for some hefty fines for violating the law. HHS levied a $4.3 million fine on healthcare provider Cignet Health and a $1.5 million fine against Blue Cross Blue Shield of Tennessee for failing to comply with HIPAA, FierceHealthPayer previously reported.

To learn more:
- read the Report on Patient Privacy article
