HIPAA Frequently Asked Questions


HIPAA Overview

Q. What is HIPAA?

Answer: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed to streamline all areas of the health care industry and to provide additional rights and protections to participants in health plans. The law incorporates a variety of provisions that fall under either the Portability or the Administrative Simplification requirements.

  • Portability deals with protecting the health insurance coverage of workers and their families when they change or lose their jobs. If you need more information or need proof of coverage under a CareFirst health plan, call Member Services using the phone number on the back of your old ID card.
  • Administrative Simplification relates to compliance with the Privacy, Transactions and Code Sets, and Security regulations.

The advantages of HIPAA include:

  • Standardizing many administrative tasks in the health care industry.
  • Reducing overall health care costs.
  • Providing greater protection from fraudulent billing practices.
  • Protecting individuals' protected health information.
  • Giving members more access to their own health information as well as the ability to limit the use and disclosure of this information.
  • Improving medical care through better data exchange between providers and payers.

For more information on the administrative requirements of HIPAA, see:

  • Electronic Health Transaction Standards and Code Sets
  • Privacy Standards
  • Security Standards
  • Unique Identifiers

Q. Who is a covered entity?

Answer: A covered entity must comply with the HIPAA regulations and is defined as:

  • health plans
  • health care clearinghouses
  • health care providers who transmit any standard transactions in electronic form covered by the regulations

Q. What is a business associate?

Answer: A business associate is a person or entity that performs a function on behalf of a covered entity and who sends, receives or processes Protected Health Information (PHI). Under HIPAA, a covered entity must have a written contract with a business associate prior to disclosing protected health information to a business associate and also when the business associate creates or receives protected health information on behalf of the covered entity.

Q. Where can I get the latest information on HIPAA?


Q. Whom can I contact for more information about CareFirst's compliance?

Answer: For privacy-related inquiries and comments, contact us at privacy.office@carefirst.com

For inquiries related to standard transactions, contact us at hipaa.partner@carefirst.com

Privacy

Q. What has CareFirst done to comply with the Privacy regulation?

Answer: CareFirst spent several years preparing for the April 14, 2003 compliance date for HIPAA privacy. In November 2001, CareFirst conducted a privacy assessment to analyze how and where PHI flows within the organization as well as externally, to business associates. Using the information from the assessment, the HIPAA Team worked with business areas to develop or refine policies and processes to safeguard PHI. Role-based access requirements that limit access to PHI are also being implemented.

In addition, CareFirst has:

  • Created an operational Privacy Office.
  • Issued Notice of Privacy Practices to members.
  • Conducted Privacy training of the work force.
  • Created mandated Privacy policies.
  • Conducted targeted training, based on Privacy policies and procedures.
  • Executed business associate agreements.
  • Educated providers, brokers and accounts through presentations, materials, CareFirst and CareFirst BlueChoice publications and the Web: www.carefirst.com.
  • Posted Privacy forms to the Web site.

Q. How are members affected by the Privacy regulation?

Answer: The Privacy regulation supports CareFirst's commitment to keeping individuals' information confidential. Under the regulation, new member rights were created, which include accessing and amending health information as well as filing complaints about privacy-related issues. In addition, CareFirst, like all covered entities, must provide members with a copy of the Notice of Privacy Practices, which explains how CareFirst uses and discloses protected health information and describes the new individual rights.

Q. How are providers affected by the Privacy regulation?

Answer: Most providers are required to comply with the Privacy regulation. A provider is a "covered entity" if it conducts any of the mandated standard transactions. Each provider practice is managed differently, and it is important to assess the regulation's impact on each office. Providers may want to:

  • Review the regulation and consult with legal counsel.
  • Appoint an individual to be their HIPAA expert and designate that person as their Privacy Officer.
  • Determine how protected health information (PHI) flows through their organization.
  • Identify and modify any existing policies and practices to ensure they are HIPAA compliant.
  • Execute Business Associate Agreements with appropriate vendors.
  • Train their office staff.
  • Discuss HIPAA with their vendors to make sure they are making appropriate changes to accommodate these regulations.

Recognizing the diverse work environments of providers, the Privacy regulation allows providers the flexibility to develop processes and procedures that fit best within their work environment.

Q. How are employer-sponsored group health plans or other plan sponsors of group health plans affected by the Privacy regulation?

Answer: Employer-sponsored group health plans and other plan sponsors of group health plans should:

  • Review the HIPAA regulations.
  • Determine what PHI is needed to administer the health plan and who in the employer organization or plan sponsor will have access to this information under the HIPAA regulations.
  • Appoint an individual as the HIPAA expert, and designate that person as your Privacy Officer.
  • Amend their Plan Documents (plan sponsors) in accordance with how they use or disclose the protected health information.
  • Recognize that group health plans are covered entities and will have many of the same obligations as insurers, including signing Business Associate Agreements with vendors who provide services on your behalf and use protected health information. It is important to secure legal counsel or HIPAA expertise to make sure you have the right policies and procedures in place.
  • Train staff as needed.
  • View the latest article, Making Sense of the HIPAA Privacy Final Regulation for Employers, by Kirk Nahra, a partner with Wiley Rein & Fielding LLP in Washington, DC.

Please refer to the HIPAA Booklet (PDF) for more information on your relationship with CareFirst BlueCross BlueShield under HIPAA.

Q. How are brokers and agents affected by the Privacy regulation?

Answer: Brokers and agents will notice some changes in our administrative processes that may limit the amount and type of information that we can share. In general, eligibility, enrollment and premium billing information regarding a member the broker or agent represents can be shared without an authorization from the member or a signed Business Associate agreement. However, there are situations that require a signed authorization from the member or a signed Business Associate agreement. We must have the appropriate documentation on file before we can share protected health information. Brokers and agents should contact their CareFirst representative with specific inquiries.

Security

Q. What is CareFirst doing to address the Security regulations?

Answer: The Security Regulation was finalized in February 2003. CareFirst first began addressing the proposed regulations in July 2001. We have now implemented a comprehensive security program that mirrors best practices in the health care industry, making CareFirst compliant with the HIPAA Security regulations. Efforts will continue to maintain the comprehensive security program in order to continue meeting HIPAA compliance.

Q. Does CareFirst have Entity Authentication capability?

Answer: Yes. Entity Authentication is the process of determining whether someone or something is who or what they claim to be before allowing computer access. Private and public computer networks (including the Internet) commonly authenticate through the use of login IDs and passwords. CareFirst also uses this method.
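The login ID and password form of entity authentication described above, as an added illustration that is not CareFirst's own code or a description of its systems. It assumes a hypothetical in-memory credential store; the point it shows is that only a per-user random salt and a derived verifier are stored (never the password itself), that the comparison is constant-time, and that repeated failures lock the ID before any further access is granted.

```python
import hashlib
import hmac
import os

# Assumption: iteration count kept modest so the example runs quickly;
# production deployments should use a substantially higher count.
ITERATIONS = 100_000
MAX_FAILURES = 5        # lock the login ID after this many consecutive failures
SALT_BYTES = 16


def derive_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length verifier from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(store: dict, login_id: str, password: str) -> None:
    """Register a login ID in the (constructed) store: salt + verifier only."""
    salt = os.urandom(SALT_BYTES)
    store[login_id] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "verifier": derive_verifier(password, salt),
        "failures": 0,
    }


def authenticate(store: dict, login_id: str, password: str) -> bool:
    """Entity authentication: is the claimant the holder of login_id's password?

    Returns True only when the ID exists, is not locked, and the password
    derives to the stored verifier. Access should be granted only on True.
    """
    record = store.get(login_id)
    if record is None:
        # Unknown ID: do the same work anyway so response time does not
        # reveal which login IDs exist.
        derive_verifier(password, b"\x00" * SALT_BYTES)
        return False
    if record["failures"] >= MAX_FAILURES:
        return False  # locked; requires an administrative reset
    candidate = derive_verifier(password, record["salt"], record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(candidate, record["verifier"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def is_locked(store: dict, login_id: str) -> bool:
    """Report whether a login ID has exceeded the failure threshold."""
    record = store.get(login_id)
    return record is not None and record["failures"] >= MAX_FAILURES


if __name__ == "__main__":
    creds = {}
    enroll(creds, "jdoe", "correct horse battery staple")
    print("good password:", authenticate(creds, "jdoe", "correct horse battery staple"))
    print("bad password: ", authenticate(creds, "jdoe", "not the password"))
```

The stored record never contains the password, so a copied credential table is not by itself a working login; the lockout counter is the simplest form of the "before allowing computer access" gate the answer refers to.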

Q. When did CareFirst perform a penetration test?

Answer: Penetration tests, an evaluation of network vulnerabilities, were performed in December 2001, October 2002, and October 2004 as part of CareFirst's security assessment.

Q. How often are security tests conducted?

Answer: Security tests are conducted by performing Vulnerability and Risk Assessments. These assessments have been and will continue to be performed on a periodic basis.

A vulnerability is a security exposure in an operating system, software or application. Vulnerability Assessments scan IT infrastructure and evaluate administrative policies, processes and procedures to ascertain the existence of vulnerabilities in the current environment, identifying system and/or administrative weaknesses. Vulnerability testing may be a manual audit of a vendor-supplied system or an automated scanning tool. A penetration test is one form of a vulnerability assessment.

Risk is the potential that a vulnerability can be exploited and the resulting impact of that exploitation. Risk Assessments evaluate each vulnerability found during a Vulnerability Assessment and determine the potential for exploitation and its impact.

Q. Does CareFirst have a contingency/disaster plan that provides for the protection of PHI in the event of an emergency?

Answer: CareFirst has a Disaster Recovery/Business Continuity policy and procedure. CareFirst performs test exercises several times a year. Our plan includes emergency access procedures that offer the same level of PHI protection as occurs under normal operating conditions.

Q. Do you have chain-of-trust agreements with subcontractors and business partners?

Answer: The term "chain of trust agreement" identified in the original Security Regulation no longer exists. In order to be consistent with the Privacy Regulation, the final Security Regulation changed the term to "business associate agreement." In compliance with the Privacy Regulation, business associate agreements are obtained with subcontractors and business partners. The agreement contains all the necessary provisions to meet the Privacy Regulation security requirements and has been further revised to meet the Security Regulation provisions.

Q. How often do you conduct security awareness training?

Answer: Security Awareness Training was provided to all CareFirst associates as of April 2005. As a condition of employment, all new associates are now required to complete security awareness training as part of new associate orientation. In addition, periodic security reminders are sent to all associates throughout the year.

Q. Do you have documented physical security processes and procedures?

Answer: Processes and procedures have been developed for all CareFirst facilities to assist with protection against unauthorized access and to protect the facility from natural and environmental disasters. The procedures vary based on the facility's location, type of equipment and stored data.


Transaction and Code Sets

Q. Is CareFirst compliant with the HIPAA Transactions and Code Sets (TCS) regulation?

Answer: Yes. In September 2002, CareFirst filed for a one-year extension to the Transactions and Code Sets (TCS) regulation. On October 16, 2003, CareFirst became compliant with the regulations and will continue to review its policies to maintain HIPAA compliance.

Q. What has CareFirst done to address this regulation?

Answer: We have completed a HIPAA transactions assessment, defined business and system requirements and implemented the required changes. CareFirst has tested the transmission of certain standard transactions.

CareFirst must comply with nine standard transactions. These transactions are electronic communications either sent by CareFirst or received from other covered entities. Our Information Technology (IT) and Business Process teams worked with each transaction to ensure CareFirst compliance with the regulation.

Electronic submitters for Maryland and D.C. members should send electronic claims to CareFirst via WebMD, at CareFirst's expense.

Q. Can I test HIPAA Electronic Data Interchange (EDI) Transactions with CareFirst?

Answer: If you are interested in testing with CareFirst, please contact us at hipaa.partner@carefirst.com
