Protect your clients' information--or else

Q: There are reports in the news all the time about privacy issues, identity theft, etc. Do any related laws affect me as a LTC insurance producer?

A: The answer is a resounding yes. In addition to existing federal and state laws imposing privacy and confidentiality standards, such as HIPAA, a new law directly impacting LTC agents went into effect recently. Its name is the HITECH Act (the Health Information Technology for Economic and Clinical Health Act).

To learn about the act, I spoke to Steve Serfass and Jessica Goebeler, attorneys with the law firm of Drinker Biddle & Reath LLP.

• Basically, it means that agents have an obligation to protect their clients' protected health information. If we don't, we can be fined a substantial amount of money.
• The act's purpose is to prevent breaches, either intentional or unintentional, of unsecured PHI.
• There are penalties if you don't comply with the act's requirements. These range from $100 per violation for someone who had no knowledge of his PHI breach to $50,000 per violation for someone who willfully engaged in a PHI breach and didn't correct the breach.
• Even an inadvertent disclosure of protected information can result in significant civil and/or criminal penalties. The act looks at you as someone who has been entrusted with private information about your customers, and it establishes fairly high standards that you must live by in regard to how you use and disclose your clients' PHI.
• An example of a breach is if you, being already bound by the act, discuss a client's PHI with a non-work friend. Regardless of whether your action was intentional or unintentional, you must notify the insurance carrier of the breach.
• Another scenario is if you accidentally send an e-mail containing a client's PHI to your entire office instead of to the appropriate co-worker. If you notify the entire office of the mistake and everyone deletes the e-mail, it would not be considered an unsecured breach, and you wouldn't have to do anything further according to HIPAA and the HITECH Act.
• What does this mean on a practical, day-to-day basis? Among a host of other protections, Serfass and Goebeler suggest that you (1) limit access to PHI to as few people as reasonably possible, and (2) lock your computer when you're away for extended periods of time as well as delete e-mails containing PHI.
• If there is a breach, you must notify the insurance carrier no later than 60 days following the discovery, including, if known, the identity of the individual(s) whose privacy has been breached.