HIPAA (Health Insurance Portability and Accountability Act)
U.S. federal law protecting the privacy and security of individually identifiable health information, called protected health information (PHI) once it is held by a covered entity or one of its business associates.
Full Definition
HIPAA, enacted in 1996, together with the Privacy and Security Rules issued under it, establishes national standards for protecting Protected Health Information (PHI) held by "covered entities" (health plans, health care clearinghouses, and providers that transmit health information electronically) and their "business associates" (vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf). For insurance lead generation, the practical question is whether the lead vendor or agent is handling health data on behalf of a covered entity. A consumer filling out a web form that asks about medications or diagnoses is not transmitting PHI under HIPAA unless a covered entity or its business associate is the one receiving the data; the same answers do become PHI once they are part of a carrier's enrollment file. Once an agent enrolls a client and handles enrollment or claim-related data on behalf of a carrier, HIPAA applies and the agent is acting as a business associate. Many insurance CRMs offer HIPAA-oriented configurations (a signed BAA, encryption at rest, access controls, audit logs) for this reason. Note that HHS does not certify any product as "HIPAA-compliant," so the BAA and the safeguards actually enabled matter more than the label. Civil penalties are tiered by culpability and adjusted annually for inflation, with a cap per violation category per year of roughly $1.9M as of 2022; knowing misuse of PHI can also carry criminal penalties.
Example
An agent's CRM stores Medicare Advantage enrollment applications that include diagnosis codes. The MA carrier is a covered entity (a health plan), and the agent, handling those applications on its behalf, is its business associate. The CRM vendor is in turn a subcontractor business associate, so it signs a Business Associate Agreement (BAA) with the agent, encrypts all records at rest, and keeps an audit log of who accessed each application.
Common Misconceptions
Most pre-enrollment insurance lead data is not PHI under HIPAA because no covered entity or business associate has created or received it. HIPAA attaches when the data reaches a carrier (a health plan) or someone acting on its behalf, which in practice is the enrollment application rather than the lead form. That does not make lead data unregulated: it is still sensitive personal information under other federal and state privacy laws.
Related Terms
- CMS (Centers for Medicare & Medicaid Services) — The federal agency within HHS that administers Medicare, Medicaid, CHIP, and the federal ACA Marketplace (HealthCare.gov), and sets binding rules for each of those programs.
- MCMG (Medicare Communications & Marketing Guidelines) — The CMS rulebook that governs how Medicare Advantage and Part D plans, FMOs, TPMOs, and agents may market and communicate with beneficiaries.