 |
HIPAA Frequently Asked Questions
HIPAA refers to the Health Insurance Portability and Accountability Act ("HIPAA"). There are many provisions under HIPAA, including standardized electronic transactions, privacy and security. The business associates provision is a part of the privacy rule. In general, the privacy rule provide guidelines for safeguarding the use and disclosure of individually identifiable health information and place certain requirements on "covered entities" (such as CIGNA HealthCare) on the use and disclosure of "protected health information" ("PHI"). The HIPAA privacy rule prohibit covered entities from using or disclosing PHI except as authorized by the individual who is the subject of the information or as explicitly required or permitted by the regulations. When the use or disclosure of PHI is permitted, in most circumstances, only the minimum necessary amount of PHI needed to accomplish the intended purposes may be disclosed. What rights do individuals have under the HIPAA Privacy Rule? Under the HIPAA Privacy Rule, individuals have the right to:
Covered Entity means health plans, health clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction. What is a "Business Associate"? Under the Privacy Rule, a "business associate" is a person or entity that performs or assists in the performance of a function or activity on behalf of a covered entity and uses PHI in the process of performing that function or activity. What is Protected Health Information (PHI)? Protected Health Information is any information that:
What is Summary Health Information? Summary Health Information is information on the claims history of covered individuals. Individually identifiable information is deleted from Summary Health Information, except this information can be aggregated at the five-digit ZIP code level. Employers may obtain Summary Health Information only for the purpose of changing or terminating their plan or obtaining bids. Do covered entities need to monitor their Business Associates? No, the Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates to require the business associate to protect the privacy of protected health information; but covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. However, if a covered entity finds out about a material violation of the contract, it must act to end the violation and, if unsuccessful, terminate the contract with the business associates. If termination is not feasible, the covered entity must report the problem to the Secretary of Health and Human Services. Further, the business associates, under the terms of the agreement, are required to report to the covered entity any violation of the terms of the agreement of which it becomes aware. Is an entity that is acting as a third-party administrator to a group health plan a covered entity? No, providing services to or acting on behalf of a health plan does not transform a third-party administrator (TPA) into a covered entity. Generally, a TPA of a group health plan would be acting as a business associate of the group health plan. Brokers/consultants and brokerage agencies that act on behalf of CIGNA HealthCare are not considered part of that covered entity (CIGNA HealthCare); rather they are business associates of the covered entity. As a broker/consultant, am I subject to the HIPAA Privacy Rule? Covered entities are subject to the HIPAA Privacy Rule. Covered entities are defined as health plans, certain health care providers and health care clearinghouses. While brokers/consultants are not covered entities, they are indirectly affected by the law due to their business associate relationships with the covered entities. Covered entities are required to enter into business associate agreements with their business associates. Why do brokers/consultants need to sign the broker/consultant Business Associate Agreement? Under the HIPAA Privacy Rule, a covered entity (such as CIGNA HealthCare) must enter into a written agreement with its business associates (such as brokers/consultants) where the business associates promise to properly protect the use and disclosure of PHI received from the "covered entity" and to cooperate with the covered entity in accommodating the individual rights of the covered entity's members with respect to their PHI. With this agreement, CIGNA HealthCare may disclose PHI to its business associate or permit the use of PHI by the business associate with the satisfactory assurance from the business associate that the PHI will be properly protected. I (as a broker/consultant) already signed a Business Associate Agreement with my client (employer). Why do I need to sign another Business Associate Agreement with CIGNA HealthCare? A "business associate" is a person or entity that performs or assists in the performance of a function or activity on behalf of a covered entity and uses PHI in the process of performing that function or activity. If you are performing functions on behalf of employer groups, you may be contacted by the employer group health plan to discuss your business associate requirements. Your business relationship and business functions performed for that client are different from your business relationship with CIGNA HealthCare. The terms and conditions that govern the permitted uses and disclosures of PHI by different covered entities will be different; therefore, separate business associate agreements will be required. Please consult with your legal counsel to learn more about your obligations. Are brokers/consultants the only groups that are required to sign a Business Associate Agreement? No. Covered entities need to execute a business associate agreement with each of their business associates. Brokers/consultants are among other groups for which business associate agreements are required. Other examples of business associates include external auditors, third-party administrators, attorneys, accountants, claims reviewers, payment-processing vendors, and claims-entry vendors. What are the key elements of the CIGNA HealthCare broker/consultant Business Associate Agreement? The broker/consultant Business Associate Agreement:
Where do the brokers/consultants sign the document? The signature page is located on the last page (page 4) of the document. In addition, brokers/consultants are requested to provide information such as broker/consultant's TIN (Tax Identification Number) or SSN, business address, and e-mail address to allow for document filing and tracking purposes. Where can I (broker/consultant) obtain additional information on the Business Associate Agreement process and an electronic copy of the broker/consultant Business Associate Agreement? Brokers/consultants can review the HIPAA privacy compliance effort and download an electronic copy of the broker/consultant Business Associate Agreement. What is the submission process of the Business Associate Agreement document? Can the document be faxed? The signed broker/consultant Business Associate Agreement can be returned via U.S. postal mail to the broker/consultant Licensing and Contracting Department or by fax to the designated fax number, 860.687.9209. Faxing is preferred to accelerate the response time. Do I (broker/consultant) need to submit/fax all the pages of the Business Associate document? No. Brokers/consultants are requested to submit the last page (the signature page) of the document. The rest of the document is for your reference and record. I (broker/consultant) already have an agreement with CIGNA HealthCare; why do I need to sign another one? The current broker/consultant agreement does not contain HIPAA privacy elements as specified by the HIPAA Privacy Rule. The agreement has been amended to address these key components to meet the new requirements. Does the Business Associate Agreement received from CIGNA HealthCare apply to other carriers? No. The agreement sent from CIGNA HealthCare only recognizes the broker/consultant's relationship with CIGNA HealthCare. The broker/consultant should expect to receive a similar agreement from other health insurance carriers with whom he / she holds an appointment. Will the submission of the Business Associate Agreement affect commissions? No. The Business Associate Agreement only impacts your ability to receive PHI under the HIPAA Privacy Rule. If for any reason you request PHI in the future and a Business Associate Agreement is not on file, PHI will be withheld until you sign a Business Associate Agreement. When does CIGNA HealthCare need to execute the Business Associate Agreement? Brokers/consultants who were contracted with CIGNA HealthCare effective October 15, 2002, or after were required to enter into a Business Associate Agreement by April 14, 2003. Brokers/consultants who were contracted with CIGNA HealthCare effective before October 15, 2002, were required to enter into a Business Associate Agreement with us by April 14, 2004. Have all brokers/consultants been sent a Business Associate Agreement? No. Only those brokers/consultants (individuals/agencies) who currently have an executed broker/consultant Blanket Agreement and have active business with CIGNA HealthCare received a Business Associate Agreement. Therefore, the following groups did not receive Business Associate Agreements:
When should contracted brokers/consultants who do NOT have active business sign Business Associate Agreements? Brokers/consultants who are currently contracted but have NO business with CIGNA HealthCare have no immediate reason to sign a Business Associate Agreement. However, a Business Associate Agreement should be signed as soon as the broker/consultant places his/her first case with CIGNA HealthCare. Who should sign the Business Associate Agreement in the event an agency is the contracted entity? In all cases, there should be an individual within the agency who is licensed and appointed with CIGNA HealthCare. That person, or an officer of the agency, should sign the Business Associate Agreement. Are all brokers/consultants with the agency considered in HIPAA privacy compliance in the event the agency is the contracted entity and the Business Associate Agreement is properly executed? The agency is responsible for ensuring that all brokers/consultants who are affiliated with it and who are appointed with CIGNA HealthCare comply with the terms and conditions of the Business Associate Agreement. This does not include brokers/consultants who work for the agency but are NOT appointed with CIGNA HealthCare. Will all future brokers added to the agency after the execution of the Business Associate Agreement be in compliance or must the agency sign additional Business Associate Agreements as brokers are added? In cases where the agency is the contracted entity and a Business Associate Agreement has been executed, the Agency will be responsible for ensuring that all existing and new brokers to the agency comply with the terms and conditions of the Business Associate Agreement. There is no need to sign additional agreements. |
   Locate your doctor, hospital, dental and other care providers easily. Use our Provider Directory, or login to myCIGNA for your customized plan benefits information. |
| CIGNA | CIGNA Sites |
|