HIPAA Health Insurance Portability and Accountability Act of 1996

Presentation transcript:

HIPAA: Health Insurance Portability and Accountability Act of 1996
Sales Agent Training

HIPAA
- Federal regulation issued by the Department of Health and Human Services (HHS): Standards for Privacy of Individually Identifiable Health Information, effective April 14, 2003
- Designed to protect an individual’s information from being improperly used or disclosed to unauthorized entities or individuals
- Enforced by the Office for Civil Rights

Health Information Technology for Economic and Clinical Health Act (HITECH)
The American Recovery and Reinvestment Act of 2009 (ARRA) and the Health Information Technology for Economic and Clinical Health Act (HITECH):
- Added new marketing and fundraising restrictions and a prohibition on the sale of PHI
- Set higher standards and penalties for Business Associates (BAs)
- Increased penalties for HIPAA violations
- Added data breach notification requirements

Who is covered by HIPAA?
- Covered Entities and their Business Associates (BAs)
- BAs are entities that perform functions or provide services to PUP and create, use or have access to a PUP member’s PHI
- PUP is a Covered Entity
- FMOs/sales agencies are PUP’s BAs
Note: Under HITECH, BAs are held to the same standards as Covered Entities.

Business Associates (BAs)
Entities that perform a function on PUP’s behalf, or provide a service to PUP, and create, use or have access to a PUP member’s PHI.
- BAs must comply with the HIPAA Privacy and Security Rule
- BAs must protect the PHI that PUP provides or the PHI they create/collect
- BAs must sign a HIPAA BA Agreement
- BAs must provide HIPAA training to their own employees, agents and subcontractors
- BAs must report data breaches to PUP
- BAs are subject to civil and criminal penalties

HIPAA Privacy & Security Officers
HIPAA requires PUP to appoint a HIPAA Privacy and Security Officer to:
- ensure that PUP complies with the HIPAA Privacy and Security Rule
- ensure PUP has safeguards in place to prevent members’ PHI (including ePHI) from inadvertent uses and disclosures
PUP’s HIPAA Privacy Officer is: Lakesia Mosley
PUP’s HIPAA Security Officer is: Satya Tottappillil

Member Rights under HIPAA
HIPAA gives patients a right to:
- File a privacy complaint
- Access their records
- Ask for an amendment to their records
- Request a special restriction on the disclosure/use of their PHI
- Receive an accounting of disclosures of their PHI (to whom we disclosed their PHI)
*If you receive any of these requests, immediately forward them to PUP’s Privacy Officer.

Protected Health Information (PHI)
Any information (e.g., information on an enrollment application) PUP collects from a member that is transmitted or maintained in any form (verbally, electronically or on paper) and that:
- Relates to the past, present or future physical or mental health or condition of an individual
- Identifies the individual
Examples of PHI: member’s name, address, telephone number, e-mail address, policy number, HIC number, date of birth, etc.

Disclosures of PHI
- If a member asks you for claims, enrollment, prior authorization, etc. information, or
- If someone other than the member (e.g., the member’s son or neighbor) asks for information about the member:
Ask them to call PUP’s Member Services at 1-(866) 571-0693.

Fax Transmissions
Fax machines may be used to transmit and receive PHI. Best practices to safeguard PHI:
- Pre-program destination numbers to reduce potential errors in misdialing
- Confirm the accuracy of the fax number before pressing start/send
- Print a confirmation page for each fax transmission
- Include a completed fax cover page with every fax
- Do not let faxes sit at a shared fax machine unattended

Emails
All emails must be encrypted. Practice safe email:
- Do not open, forward, or reply to suspicious emails
- Do not open suspicious email attachments or click on unknown website addresses
- NEVER provide your username and password to an email request
- Delete spam and empty the “Deleted Items” folder

Proper Disposal of PHI
Best practices for disposing of PHI:
- Paper: shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed
- All documents containing PHI must be shredded

Equipment Security
- Do not leave your laptop, iPad or phone in your automobile
- USB memory sticks must be encrypted
- Laptops, iPads and phones must be guarded at all times
- Never share Company equipment with family or friends
- Lock your portable device with an access code
- Report loss or theft of equipment immediately to PUP

Password Security
Use a Str0ng Pa55w0rd:
- Don’t use familiar dates, names, or dictionary words
- Use symbols, numbers and caps (think vanity plate): “1-hat3-Mean-pe0pl3”
- Don’t share passwords or use the same password across applications
- Change your passwords often
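As an added example (not part of the training deck), the following Python check turns the rules on this slide into a policy test that a helpdesk or enrollment tool could run before accepting a password. The dictionary check rejects a password that is a single common word once symbols are stripped and common letter-for-digit substitutions are undone, so “Pa55w0rd” fails while the slide’s own vanity-plate passphrase passes; the word list, the date patterns and the 12-character minimum are assumptions chosen for the example, not PUP policy.

```python
"""Password policy check for the rules on the "Password Security" slide (added example)."""
import re

# Constructed mini word list for the example; a real deployment would load a
# full dictionary (assumption: the word-list source is up to the deployer).
COMMON_WORDS = {
    "password", "welcome", "summer", "letmein", "dragon", "monkey",
    "qwerty", "people", "hello", "sunshine", "football",
}

# Undo common letter-for-digit/symbol substitutions before the dictionary
# check so that "Pa55w0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# "Familiar dates": a four-digit year, a dd/mm/yy(yy)-style date, or a
# six-to-eight digit run such as a birthday written as ddmmyyyy.
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),
    re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}"),
    re.compile(r"\d{6,8}"),
]


def check_password(pw, previously_used=(), min_length=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # "Use symbols, numbers, caps"
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    # "Don't use dictionary words": reject a password that *is* a single word
    # after undoing substitutions and dropping symbols. Passphrases built from
    # several words (the slide's vanity-plate example) are allowed.
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if core in COMMON_WORDS:
        problems.append("is a dictionary word")
    # "Don't use familiar dates"
    if any(p.search(pw) for p in DATE_PATTERNS):
        problems.append("contains a date-like number")
    # "Don't use the same password across applications": compare against the
    # passwords the user already has in use elsewhere.
    if pw in previously_used:
        problems.append("already used for another application")
    return problems


if __name__ == "__main__":
    for candidate in ("1-hat3-Mean-pe0pl3", "Pa55w0rd", "Welcome-04/14/2003!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The reuse check takes the caller’s set of passwords already in use; in a real system that comparison would be made against stored password hashes rather than plaintext, which this illustration leaves out.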

Remote Access Security
When using your home/shared PC, you must:
- Have up-to-date security patches and anti-virus software
- Not share passwords
- Log off the computer when not in use
- Restart a shared PC (e.g., at a hotel/conference)
- Be careful of “public” networks
- Watch for shoulder surfing
- Never download ePHI

A Data Breach is…
An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Breach Notification
- Covered Entities must notify each person whose unsecured PHI is disclosed in a breach ASAP/within 60 days
- If an inadvertent data breach involves >500 members, PUP has to notify the media and report to HHS
- If an inadvertent data breach involves <500 members, PUP has to file an annual report with HHS

Breach Statistics
Over 450 breach incidents are listed on the HHS website. Most involve theft or loss of laptops and portable devices.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Reporting a Privacy Violation or Potential Breach
PUP’s policy requires all PUP employees and BAs to report all privacy violations and potential breaches to the PUP Privacy Officer immediately.

Federal Sanctions
Tier A (offenders did not realize they violated the Act)
- Minimum per violation: $100
- Maximum per calendar year: $25,000
Tier B (violations due to “reasonable cause”)
- Minimum per violation: $1,000
- Maximum per calendar year: $50,000
Tier C (violations due to willful neglect, but the company corrected)
- Minimum per violation: $10,000
- Maximum per calendar year: $250,000
Tier D (violations due to willful neglect, and the company did not correct)
- Minimum per violation: $50,000
- Maximum per calendar year: $1.5 million

State Sanctions
HITECH also gave states the authority to sue companies for HIPAA violations. The Connecticut Attorney General sued Health Net of Connecticut in 2009 after it lost a computer disk drive with the PHI of 446,000 members and delayed notifying members for 6 months.

Recent Cases
- March 2012: Blue Cross Blue Shield of Tennessee was fined $1.5 million for 57 unencrypted computer hard drives stolen from a leased facility. The drives contained PHI for over 1 million individuals.
- January 2012: Georgia Health Sciences University had to notify 513 patients of the theft of a laptop that contained PHI. The laptop was not secured in accordance with HITECH.
- April 2011: Mass. General Hospital paid $1 million because an employee took work home and left documents on a subway train that included billing and medical records of 192 patients.

Reporting HIPAA Violations
HIPAA Privacy Officer: Lakesia Mosley
Via telephone: Office: 407-209-1010 ext. 12107; Cell: 407-495-7494
Via email: compliance@pupcorp.com
To report anonymously to the PUP Hotline: 1-866-461-5705

Scenario 1
I faxed an Enrollment Application to the wrong fax number. What should I do?
Immediately report the incident to PUP’s Privacy Officer.
Via telephone: Office: 407-209-1010 ext. 12107; Cell: 407-495-7494
Via email: compliance@pupcorp.com

Scenario 2
I had some completed applications in my car and my car was stolen. Who should I report this to?
Immediately report the incident to the PUP Privacy Officer (and the police).
Via telephone: Office: 407-209-1010 ext. 12107; Cell: 407-495-7494
Via email: compliance@pupcorp.com

Scenario 3
I received a phone call from a member’s daughter requesting a copy of her mother’s claim. What should I do?
Give the daughter PUP’s Member Services Department telephone number to call: (866) 571-0693.

Scenario 4
I use my iPad and laptop to store PUP member information and they were stolen. What should I do?
Immediately report the incident to the PUP Privacy Officer.
Via telephone: Office: 407-209-1010 ext. 12107; Cell: 407-495-7494
Via email: compliance@pupcorp.com

Questions?
Lakesia Mosley, HIPAA Privacy Officer / Acting Compliance Officer
407-209-1010 ext. 12107 (Office)
407-495-7494 (Cell)
407-226-1951 (Fax)

Resources
- http://www.hhs.gov/hipaafaq/ (DHHS FAQs)
- http://www.cms.hhs.gov/HIPAAGenInfo (CMS FAQs)
- http://www.hhs.gov/ocr/hipaa (Office for Civil Rights)
- Office for Civil Rights, DHHS toll-free number: 800-368-1019
- www.ahima.org (American Health Information Management Association)