
HIPAA Overview

Answer: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed to streamline all areas of the health care industry and to provide additional rights and protections to participants in health plans. The law incorporates a variety of provisions that fall under either the Portability or the Administrative Simplification requirements.

  • Portability deals with protecting the health insurance coverage of workers and their families when they change or lose their jobs. If you need more information or need proof of coverage under a CareFirst health plan, call Member Services, using the phone number on the back of your old ID card.
  • Administrative Simplification relates to compliance with the Privacy, Transactions and Code Sets, and Security regulations.

The advantages of HIPAA include:

  • Standardizing many administrative tasks in the health care industry
  • Reducing overall health care costs
  • Providing greater protection from fraudulent billing practices
  • Protecting individuals' protected health information
  • Giving members more access to their own health information as well as the ability to limit the use and disclosure of this information.
  • Improving medical care through better data exchange between providers and payers.

For more information on the administrative requirements of HIPAA, see:

  • Security Standards
  • Unique Identifiers

Answer: A covered entity must comply with the HIPAA regulations and is defined as:

  • health plans
  • health care clearinghouses
  • health care providers who transmit any standard transactions in electronic form covered by the regulations

Answer: A business associate is a person or entity that performs a function on behalf of a covered entity and that sends, receives or processes Protected Health Information (PHI). Under HIPAA, a covered entity must have a written contract with a business associate before disclosing protected health information to that business associate, and also whenever the business associate creates or receives protected health information on behalf of the covered entity.





Answer: CareFirst spent several years preparing for the April 14, 2003 compliance date for HIPAA privacy. In November 2001, CareFirst conducted a privacy assessment to analyze how and where PHI flows within the organization as well as externally, to business associates. Using the information from the assessment, the HIPAA Team worked with business areas to develop or refine policies and processes to safeguard PHI. Role-based access requirements that limit access to PHI are also being implemented.

In addition, CareFirst has:

  • Created an operational Privacy Office
  • Issued Notice of Privacy Practices to members
  • Conducted Privacy training of the work force
  • Created mandated Privacy policies
  • Conducted targeted training, based on Privacy policies and procedures
  • Executed business associate agreements
  • Educated providers, brokers and accounts through presentations, materials, CareFirst and CareFirst BlueChoice publications and our website
  • Posted Privacy forms to the website.

Answer: The Privacy regulation supports CareFirst's commitment to keeping individuals' information confidential. Under the regulation, new member rights were created, which include accessing and amending health information as well as filing complaints about privacy-related issues. In addition, CareFirst, like all covered entities, must provide members with a copy of the Notice of Privacy Practices, which explains how CareFirst uses and discloses protected health information and what the new individual rights are.

Answer: Most providers are required to comply with the Privacy regulation. A provider is a "covered entity" if they conduct any of the mandated standard transactions. Each provider practice is managed differently and it is important to assess the regulation's impact on each office. Providers may want to:

  • Review the regulation and consult with legal counsel.
  • Appoint an individual to be your HIPAA expert and designate that person as your Privacy Officer.
  • Determine how protected health information (PHI) flows through your organization.
  • Identify and modify any existing policies and practices to ensure they are HIPAA compliant.
  • Execute Business Associate Agreements with appropriate vendors.
  • Train your office staff.
  • Discuss HIPAA with your vendors to make sure they are making appropriate changes to accommodate these regulations.

Recognizing the diverse work environments of providers, the Privacy regulation allows providers the flexibility to develop processes and procedures that fit best within their work environment.

Answer: Employer-sponsored group health plans and other plan sponsors of group health plans should:

  • Review the HIPAA regulations.
  • Determine what PHI is needed to administer the health plan and who in the employer organization or plan sponsor will have access to this information under the HIPAA regulations.
  • Appoint an individual as the HIPAA expert, and designate that person as your Privacy Officer.
  • Plan sponsors should amend their Plan Documents in accordance with how they use or disclose the protected health information.
  • Group health plans are covered entities, and will have many of the same obligations as insurers, including signing Business Associate Agreements with vendors who provide services on your behalf and use protected health information. It is important to secure legal counsel or HIPAA expertise to make sure you have the right policies and procedures in place.
  • Train staff as needed.

Please refer to the HIPAA Booklet, HIPAA and Group Health Plans, for more information on your relationship with CareFirst BlueCross BlueShield under HIPAA.

Answer: Brokers and agents will notice some changes in our administrative processes that may limit the amount and type of information that we can share. In general, eligibility, enrollment and premium billing information regarding a member the broker or agent represents can be shared without an authorization from the member or a signed Business Associate agreement. However, there are situations that require a signed authorization from the member or a signed Business Associate agreement. We must have the appropriate documentation on file before we can share protected health information. Brokers and agents should contact their CareFirst representative with specific inquiries.



Answer: The Security Regulation was finalized in February 2003. CareFirst first began addressing the proposed regulations in July 2001. We have now implemented a comprehensive security program that mirrors best practices in the health care industry, making CareFirst compliant with the HIPAA Security regulations. Efforts will continue to maintain the comprehensive security program in order to continue meeting HIPAA compliance.

Answer: Yes

Answer: Yes. Entity Authentication is the process of determining whether someone or something is who or what they claim to be before allowing computer access. Private and public computer networks (including the Internet) commonly authenticate through the use of login IDs and passwords. CareFirst also uses this method.

Answer: Yes, CareFirst conducts regular vulnerability and penetration tests of our applications and network.

Answer: Security tests are conducted by performing Vulnerability and Risk Assessments. These assessments have been and will continue to be performed on a periodic basis.

A vulnerability is a security exposure in an operating system, software or application. Vulnerability Assessments scan the IT infrastructure and evaluate administrative policies, processes and procedures to determine whether vulnerabilities exist in the current environment, identifying system and/or administrative weaknesses. Vulnerability testing can be a manual audit of a vendor-supplied system or an automated scanning tool. A penetration test is one form of a vulnerability assessment.

Risk is the potential that a vulnerability can be exploited, combined with the resulting impact of that exploitation. Risk Assessments evaluate each vulnerability found during a Vulnerability Assessment and determine the potential for exploitation and its impact.

Answer: CareFirst has a Disaster Recovery/Business Continuity policy and procedure. CareFirst performs test exercises several times a year. Our plan includes emergency access procedures that offer the same level of PHI protection as occurs under normal operating conditions.

Answer: The term "chain of trust agreement" identified in the original Security Regulation no longer exists. In order to be consistent with the Privacy Regulation, the final Security Regulation changed the term to "business associate agreement." In compliance with the Privacy Regulation, business associate agreements are obtained with subcontractors and business partners. The agreement contains all the necessary provisions to meet the Privacy Regulation security requirements and has been further revised to meet the Security Regulation provisions.

Answer: As a condition of employment, all new associates and contractors are required to complete security awareness training as part of new associate orientation. Security Awareness training is mandatory each year thereafter. In addition, periodic security reminders are sent to all workforce members throughout the year.

Answer: Processes and procedures have been developed for all CareFirst facilities to help protect against unauthorized access and to protect each facility from natural and environmental disasters. The procedures vary based on the facility's location, type of equipment and stored data.


Transaction and Code Sets

Answer: Yes. In September 2002, CareFirst filed for a one-year extension to the Transactions and Code Sets (TCS) regulation. On October 16, 2003, CareFirst became compliant with the regulations and will continue to review its policies to maintain HIPAA compliance.

Answer: We have completed a HIPAA transactions assessment, defined business and system requirements and implemented the required changes. CareFirst has tested the transmission of certain standard transactions.
CareFirst must comply with nine standard transactions. These transactions are electronic communications either sent by CareFirst or received from other covered entities. Our Information Technology (IT) and Business Process teams worked with each transaction to ensure CareFirst compliance with the regulation.

Electronic submitters for Maryland and D.C. members should send electronic claims to CareFirst via WebMD, at CareFirst's expense.

Answer: If you are interested in testing with CareFirst, please contact us at hipaa.partner@carefirst.com.
