Health Advocate HIPAA Privacy Information

Overview HIPAA was originally enacted by Congress in 1996, but some of the legislation did not go into effect until 2006. HIPAA affects almost every part of our job duties at Health Advocate. There are two main titles under HIPAA: Title I deals mostly with health insurance coverage when an employee changes or loses a job. Title II addresses privacy regulations and national standards. HITECH Act The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the American Recovery and Reinvestment Act of 2009 (ARRA). Because this legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI), HITECH also widens the scope of privacy and security protections available under HIPAA. Enforcement of the HITECH Act began on February 17, 2010. The Final Rules were released in January 2013 and are effective September 2013.

Title II: What You Need to Know Title II of HIPAA defines numerous offenses relating to healthcare and sets civil and criminal penalties for them. It also creates several programs to control fraud and abuse within the healthcare system. Title II has many sections. The three sections that are important to Health Advocate are Administrative Simplification Privacy Security

Title II: Privacy In 2003, the new privacy regulations went into effect. The regulations limit how Protected Health Information (PHI) can be used, when it can be released, to whom it can be released and how it must be stored. Protected Health Information (PHI): PHI is individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to the past, present, or future physical or mental health, or condition of an individual; provision of healthcare to an individual; or payment for the provision of healthcare to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information.

Title II: Privacy Compliance . . . To comply with HIPAA regulations, Health Advocate limits authorized access to personally identifiable confidential healthcare information to persons having a “need to know” that information. Different states have different penalties for knowingly disclosing a member’s private health information without the written consent of the member or his or her authorized representative. Violators could face criminal charges and/or civil penalties ranging from $100 per violation with a maximum of $25,000 per year, to the maximum penalty of $50,000 per occurrence and $1.5 million per year.

Title II: Privacy Compliance . . . To comply with HIPAA, Health Advocate is required to obtain written permission from the member or their personal representative to access their PHI from the carriers and providers. Health Advocate must also have written permission to release any PHI to other parties (e.g. providers). Health Advocate may not discuss a member’s case with their spouse, their mother, their secretary, their HR representative, or any other party without written consent from the member.

Title II: Privacy Compliance . . . Release of Information (ROI) Authorization Form The member gives written permission for Health Advocate to work on the member’s behalf by signing our Release of Information (ROI) authorization form. In order to protect the member’s privacy and remain compliant with HIPAA guidelines: Only the member with the issue (patient) or the patient’s personal representative (PR) may sign the ROI authorization form giving us permission to work on the patient’s behalf. A personal representative is a person who has the legal authority to act on behalf of an individual. If the PR is completing and signing the ROI authorization form, she or he must also send Health Advocate a copy of the signed and notarized power of attorney. If the patient is a minor child, the parent or legal guardian must sign the release form giving Health Advocate permission to work on the patient’s behalf.

Title II: Privacy Compliance . . . Release of Information (ROI) Authorization Form . . . Only one signature is needed on the ROI. If the patient is giving permission, they sign and date the first Signature line. If the PR, parent or legal guardian is giving permission for Health Advocate to work on the patient’s behalf, the PR, parent or legal guardian signs and dates the second Signature line. Note: Unless the patient’s spouse or administrative assistant is the patient’s personal representative, they may NOT sign the ROI authorization form for the patient. They do not have the legal authority to give Health Advocate permission to work on the patient’s behalf. If the patient wants to authorize Health Advocate to release information about his or her issue to another person (for example, a spouse or an administrative assistant), the patient, PR, parent or legal guardian must sign the form and write on the form the name of the individual who has permission to receive the information, that individual’s relationship to the patient and that Health Advocate has permission to release information to that individual.  The ROI authorization form must specify whether the permission is valid for the present issue only or if it is global for anything relating to the patient for the maximum one year period.

Title II: Privacy Compliance . . . Note: Under the Final Rules, “PHI of a Decedent maybe disclosed to a family member or other person involved in their care in resolving their final affairs.”

Title II: Privacy Compliance . . . Written authorization to obtain information is needed in all claims cases, issues when Health Advocate will be discussing health history with a provider or insurance carrier, such as   Obtaining medical records on behalf of a member Claims issues Pre-service authorizations Pre-service denials Appeals cases Care/case management Rx cases where we need to work with the provider and the insurance carrier to get an issue resolved

Title II: Privacy Compliance Provider Calls If a provider contacts Health Advocate about a member who has our services but who has not contacted us yet, we cannot start a case for this member since we have not received the member’s authorization. We can suggest that the physician or provider have the member contact us directly. Only then can we actively get involved.