Agent Report Recommends How To Safeguard Information

Independent insurance agents have built their reputations serving customers, but now they're being asked to not only serve customers, but to protect their personal information. As individuals become increasingly vigilant about the privacy and security of their health and personal information, the onus has fallen on independent agents and brokers to safeguard this information, according to a new report by Agents Council for Technology (ACT).

In its report, titled "Safeguarding Non-Public Personal Information," ACT, a group affiliated with the Independent Insurance Agents & Brokers of America (IIABA), Alexandria, Va., states that agents must become more diligent in how they protect customers' information.

"For a long time, agents protected information in an ad-hoc way, but with agency management systems now connected to the Internet, there is far greater exposure: A larger number of external parties can steal information if given the chance," says Jeffrey Yates, executive director for ACT.

"Agents have always been careful in the way they handle customer information, but they need to have an active process in place."

Message received

Independent agents agree it's in their best interests to improve their privacy/security policies for client information and information pertaining to their own employees.

"We've been able to implement a multi-faceted compliance strategy to fulfill the various legal requirements we face, and to heighten the protection of our clients' and employees' personal information in this increasingly electronic world where our systems are connected to the outside world through the Internet," states Chris Ball, a principal of InSource Inc., a Miami, Fla.-based insurance agency.

Serving as the chairman of the ACT group that developed the report, Ball adds that the objective of the report was "to familiarize agents and brokers with these privacy issues and to get them started with a compliance plan."

ACT has placed privacy and security at the top of its priority list for its member agents. The reason: A host of new privacy laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley, and the Fair Credit Reporting Act, as well as a growing number of state laws, all feature mandates governing security and privacy.

Primary objective

ACT's primary objective in developing the report was to provide a baseline of recommendations (see "Will Agents ACT On Recommendations?" page 14) that agencies could use as a roadmap for their own data privacy and security strategies.

During the past year, ACT culled insights from many agencies to ensure support for the recommendations. Yates remarks that one agency shared details of its processes to establish a security policy, while a second agency provided information on the ways to train staff in safeguarding information.

"All the various ACT stakeholders submitted input in what was a broad cross-section of agencies," Yates says.

While the report does feature ambitious recommendations, such as the appointment of privacy and security officers, Yates emphasizes that agencies can implement internal measures resourcefully by: adopting appropriate policies and procedures; restricting access to only those employees who need to see information; training employees in policies and procedures; auditing compliance and correcting instances of non-compliance; and documenting all of these steps. Such activities can be performed cost-effectively, which would be particularly crucial for smaller agencies that might lack the wherewithal to appoint privacy and security officers.

"An individual responsible for privacy or security at an agency might be someone who over time has become a student of these issues - it doesn't necessarily mean going out and hiring a chief privacy officer," Yates explains. "Conceivably, this person might wear several hats at the agency - one of which is overseeing a privacy or security policy."

The report notes that agencies face both internal and external threats to data privacy and security. The report recommends that agents safeguard information internally by restricting the distribution of passwords. It also recommends instructing staffers to log off their PCs if they leave for lunch.

As for external threats such as e-mail transmissions, individuals could be prohibited from sending e-mails to a third party if the e-mail contains sensitive medical information, unless encryption is in place on both sides, Yates explains.

Various options

The ACT report is linked to a companion publication, "ACT HIPAA and Privacy Supplement." The supplement provides more detailed explanation of these issues. It also contains sample workflows for an employee benefits department to highlight the procedures that may be impacted by the new HIPAA privacy rule.

The supplement also includes a comprehensive legal memorandum on the new HIPAA rule called "Frequently Asked Questions and Answers" that was developed specifically for independent agencies and brokers by IIABA.

The report also contains a sample "HIPAA Employee Compliance Training Memo" that provides a starting point for agencies to develop their own memo. Such a training memo would enable agencies to heighten their employees' awareness of needed HIPAA policies and safeguards.

All these steps are paramount because if an agency were audited by a government entity regarding a HIPAA or other privacy violation, the federal government would require that the agency has acted to protect the privacy of personal information, states Yates.

"The recommendations, along with the linked supplement, will hopefully assist agents avoid disaster if faced with a privacy or security issue," he says.

"As it stands now, most agencies are at the ground floor in establishing a higher degree of adoption for these policies, beyond the ad-hoc measures," says Yates.

"This year, many more will attain a higher level of overall compliance."
