The Closd Team

HIPAA for Insurance Agents: What You Need to Know

When HIPAA Applies to Insurance Agents

The Health Insurance Portability and Accountability Act is not just for hospitals and doctors. Insurance agents who handle health-related information as part of their work can fall under HIPAA requirements, depending on the type of insurance they sell and how they interact with client data. If you sell health insurance, Medicare supplements, long-term care insurance, or life insurance products that require medical underwriting, you are likely handling protected health information and need to understand your obligations.

HIPAA designates three types of covered entities: health plans, health care clearinghouses, and health care providers who transmit information electronically. Insurance carriers that offer health coverage are covered entities. Agents who act on behalf of those carriers or who access PHI through their work may be classified as business associates, which brings its own set of HIPAA requirements.

Even agents who sell life insurance encounter medical information regularly. Life insurance applications routinely ask about medical history, current medications, height and weight, and whether the applicant has been treated for specific conditions. This is protected health information, and how you handle it matters.

What Counts as Protected Health Information

Protected health information is any individually identifiable health information that relates to a person's past, present, or future physical or mental health condition, the provision of health care, or payment for health care. In practical terms for insurance agents, this includes medical history on insurance applications, prescription drug lists, physician statements, paramedical exam results, lab results from underwriting, and any notes you keep about a client's health conditions.

PHI is not limited to formal medical records. If a client tells you during a phone call that they were diagnosed with diabetes last year and you write that in your notes, those notes now contain PHI. If you email a carrier underwriter with details about a client's health history, that email contains PHI. The format does not matter. Paper, electronic, and verbal information all qualify.

Common Violations Agents Do Not Realize They Are Committing

Many HIPAA violations in insurance happen not from malice but from carelessness or ignorance. Here are situations that create real compliance risk.

Discussing a client's medical information in an open office where other clients or non-authorized staff can overhear is a violation. If you are on the phone with an underwriter discussing a client's health history and another client is sitting in your lobby, you have a problem.

Sending unencrypted emails containing medical information is one of the most common violations. If you email a client's lab results or medical history to a carrier using standard email without encryption, you are transmitting PHI over an insecure channel. Many agents do this daily without realizing the risk.

Leaving paper applications with medical information on your desk, in your car, or in an unlocked filing cabinet creates exposure. PHI must be stored securely, whether it is in paper or electronic form. Shredding documents containing PHI when they are no longer needed is required, not optional.

Sharing client medical information with colleagues who do not have a legitimate need to know is another common issue. If you are discussing a case with another agent in your office who is not involved in that client's account, you should not be sharing their health details.

Electronic Records and Digital Security

The HIPAA Security Rule specifically addresses electronic PHI and requires administrative, physical, and technical safeguards. For insurance agents, this means your computer systems, email, cloud storage, and any digital tools that contain client health information must meet minimum security standards.

At a minimum, you should use strong passwords on all devices and accounts that access PHI. Enable two-factor authentication wherever available. Use encrypted email when transmitting PHI, or use secure carrier portals instead of email. Ensure your CRM or client management system has appropriate access controls so only authorized users can view health information. Keep your software and operating systems updated to protect against known vulnerabilities.

If you use a laptop or tablet in the field, enable full-disk encryption and set an automatic screen lock. If a device containing PHI is lost or stolen, you may have a reportable breach on your hands. Encryption is the single most effective safeguard because PHI that is encrypted in line with HHS guidance is not "unsecured PHI": if the device is lost or stolen, and the decryption key was not lost with it, the loss generally does not trigger breach notification under HIPAA.

What You Should and Should Not Do

Do collect only the minimum necessary health information required for the transaction. If a carrier application asks for specific medical details, provide what is asked. Do not gather additional health information beyond what is needed.

Do store PHI securely, whether in locked filing cabinets for paper or encrypted digital systems for electronic records. Do dispose of PHI properly through shredding or secure digital deletion when it is no longer needed for business purposes.

Do not discuss client health information in public spaces, waiting areas, or anywhere unauthorized individuals could overhear. Do not text client medical information using standard SMS, which is not encrypted or secure. Do not leave medical documents visible on your desk, printer, or fax machine.

Do not share login credentials for systems that contain PHI. Each user should have their own credentials with appropriate access levels. Do not store PHI on personal devices or in personal cloud accounts that are not part of your agency's secured systems.

Breach Notification Requirements

If a breach of unsecured PHI occurs, HIPAA requires notification to affected individuals, the Department of Health and Human Services, and in some cases the media. The notification must happen without unreasonable delay and no later than 60 days after discovery of the breach.

For insurance agents, a breach could be as simple as sending an email with medical information to the wrong recipient, losing a laptop with unencrypted client files, or having a filing cabinet broken into. If you believe a breach has occurred, report it immediately to your agency's compliance officer and the carrier involved. Do not try to handle it quietly. Failing to report a breach compounds the violation significantly.

Protecting Your Practice

The best protection is building HIPAA-compliant habits into your daily workflow from the start. Use secure communication channels for anything containing health information. Keep your workspace clean and your files locked. Train any staff who handle client information on basic HIPAA requirements. Document your policies and procedures so you can demonstrate compliance if questioned.

Closd provides a secure, centralized platform for managing client information, including the sensitive data that comes with insurance applications. When your client records, notes, and documents live in one system with proper access controls, you reduce the risk of PHI ending up in unsecured locations. Explore the platform at getclosdai.com.

Disclaimer: This article is for informational purposes only and does not constitute legal or compliance advice. HIPAA requirements are complex and enforcement varies. Consult a qualified compliance professional or attorney for guidance specific to your practice.
