April
Privacy, Confidentiality and YOU! Putting the pieces together: HIPAA

HIPAA Overview
HIPAA is an abbreviation for the Health Insurance Portability and Accountability Act. Two of HIPAA's main goals are to:
- Make health insurance more portable when persons change employers, and
- Make the health care system more accountable for costs and try to reduce waste and fraud.

HIPAA Overview
HIPAA has four associated regulations or "rules":
1. Standardized formats for all electronic data (computer-to-computer) information exchanges (EDI), referred to as the "transactions standard"
2. Standardized "identifiers" for health providers and health plans
3. Information system security standards
4. Privacy standards, also referred to as the HIPAA Privacy Rule

The Privacy Rule limits how protected health information (PHI) is shared, prevents employers from using PHI in employment decisions, and requires employers and covered entities to establish safeguards for handling PHI.

Protected Health Information
PHI identifies people very specifically; can be electronic, paper or verbal; and must relate to a person's health condition, care, or payment for care.

Protected Health Information
The Privacy Rule is the first comprehensive federal regulation implemented to safeguard private health information. The Rule creates national standards to protect the medical records and other personal health information of individuals.

Use and Disclosure
The Privacy Rule limits both the use and disclosure of PHI. Use refers to what is done with PHI inside an entity's organization. Disclosure means that PHI is given out to an external entity for use.

Covered Entities
- Health Plans
- Health Care Clearinghouses
- Health Care Providers
Employers are not covered entities but have a responsibility to protect the health information of health plan members.

Covered Entities - Health Plans
- Group health plan
- Health insurance issuer
- Medicare
- Medicaid
- Long term care plan
- Multiple employer plan
- Approved state child health care plan
- Veterans plan
- FEHBP
- Medicare Plus Choice plans
- Other individual or group plans

Covered Entities - Health Plans
- Medical Reimbursement Accounts
- Wellness Programs
- Employee Assistance Programs (EAP) that provide direct counseling services
- Mental health and substance abuse programs

Covered Entities - Health Plans
The following do not qualify as group health plans and are not subject to HIPAA:
- Life
- AD&D
- Disability
- Workers' Compensation

Health Plan for State and Local Employees
- Health Plan: State Health Plan; The Local Choice Program
- OHB: Representatives of the Health Plan
- Agencies and Local Employers: Benefit Administrator (Employer Representative)
- Plan Members

OHB's Responsibilities
- Adopt written privacy policies
- Train employees involved in handling protected information
- Designate a privacy officer responsible for ensuring the procedures are followed
- Establish a grievance process

OHB's Responsibilities
OHB may use or disclose Protected Health Information (PHI):
- For treatment, payment, or health care operations (TPO), without the individual's authorization;
- For non-routine purposes, only with the individual's authorization; or
- To the individual involved.

TPO
- Treatment includes the coordination and management of an individual's health care.
- Payment includes coverage, eligibility, COB (coordination of benefits) and utilization reviews.
- Operations include underwriting, rating, audits and most disease management programs.

Protected Health Information
Some acceptable uses of PHI for OHB personnel:
- Helping employees with claims
- Case management
- Billing
- Underwriting/premium rating
- Legal, auditing or actuarial services
- Fraud/abuse detection

Benefit Administrator Responsibilities
- Assist with claim and eligibility problems
- Members, family, personal representatives, or a close friend who prove they have prior/first-hand knowledge of the treatment or claim: no authorization required
- Minimum necessary requirements apply

Minimum Necessary Rule
Minimum necessary means that you only disclose the specific PHI that is necessary to satisfy a particular need or request.

Benefit Administrator Responsibilities
- Assistance with an appeal
- Provide adequate safeguards for members' PHI
- Provide a copy of the Notice of Privacy Practices to all new hires upon enrollment in the health plan
- All other requests involving PHI should be referred to OHB's Privacy Officer.

Individual Authorization
An authorization is a document that gives permission to use or disclose specific PHI for a non-routine purpose.

Protected Health Information
Some non-acceptable uses of PHI:
- Using health plan data to suspend an employee for substance abuse
- Using health plan data (without employee authorization) to confirm the need for FMLA leave

Protected Health Information
Some non-acceptable uses of PHI:
- Openly discussing or providing individual health plan information to employees not designated to handle PHI (e.g., discussing individual claims expenses at management meetings, or providing representatives with medical plan data to resolve grievances) without employee authorization

Protected Health Information
The following would not be considered PHI:
- FMLA or sick leave requests
- Substance abuse screening results
- Pre-employment physicals or fitness-for-duty results
- Workers' Compensation claims
- Disability plan claims, ADA accommodations or disability retirements

Protected Health Information
Generally, employment records are not considered PHI. PHI records should be kept totally separate from employment records.

Members' Rights
- Right to inspect and copy
- Right to amend
- Right to an accounting of disclosures
- Right to request restrictions
- Right to request confidential communications
- Right to a copy of the notice

Members' Rights
Employees or plan participants can always request their own information or authorize release of their PHI to others on their behalf.

Members' Rights
Employees or participants who feel that their rights have been violated may file a complaint in writing. The Privacy Rule states that employees may not be retaliated against for filing a complaint.

Practical Tips for Safeguarding PHI
- Don't leave confidential data unattended or visible to passersby
- Be careful with faxed claims data

Practical Tips for Safeguarding PHI
- Close all employee/member information at workstations following the completion of an inquiry
- Shred (never recycle) anything containing PHI

Practical Tips for Safeguarding PHI
- Secure all daily work in locked drawers and/or cabinets
- Protect secured areas; never loan your key

Practical Tips for Safeguarding PHI
Oral communication
- Speak quietly when discussing an employee's PHI in public areas
- Avoid the use of names or other identifying information in conversations whenever possible
- Designate "quiet areas" for PHI exchange (e.g., a private office or conference room with the door closed)

Practical Tips for Safeguarding PHI
Copying and printing
- Sensitive information should not be sent to remote printers or photocopiers where access is uncontrolled and the sender is not present to keep track of the output
- Do not dispose of PHI in open wastebaskets or recycling containers; instead, shred or otherwise destroy it before discarding

Practical Tips for Safeguarding PHI
Telephone use
- Conversations regarding PHI should be conducted where they cannot be overheard, if at all possible (e.g., in private offices or conference rooms with the door closed)
- The other person's identity should be confirmed
- Only names and callback numbers should be left on answering machines and voicemail systems if a called party cannot be reached
- Sensitive information should never be left on an answering machine or voicemail device

Practical Tips for Safeguarding PHI
Fax machines
Facsimile (fax) use is not considered an "electronic transmission" under HIPAA, and the Privacy Rule does not address facsimile transmission directly. Still, faxing practices for PHI must be compatible with the HIPAA privacy regulations. Tips include:
- Place the fax machine(s) you will use to transmit PHI in a secure location (or be sure that someone designated to handle PHI is present during the fax transmission to ensure PHI is secure during transmission)

Practical Tips for Safeguarding PHI
Fax machines (cont.)
- Do not send PHI to unattended fax machines, or where the physical security of the receiving system is unknown
- Send faxes containing PHI only to known locations, where the physical security and monitoring practices of the receiving fax machine are known

Practical Tips for Safeguarding PHI
Fax machines (cont.)
- Rely on preprogrammed (and tested) fax numbers set on the sending machine to reduce dialing errors
- Include a "confidentiality request" asking that information sent to an incorrect destination be destroyed and that the sender be notified of such errors

Practical Tips for Safeguarding PHI
E-mail use
- Avoid using e-mail for the exchange of PHI; however, HIPAA does not ban the practice. It is safer to convey information over the phone than via unencrypted e-mail.
- If electronic mail is used to disclose PHI, copies of the messages should be kept as part of the records retention process
- Include a "confidentiality request" asking that information sent to an incorrect destination be destroyed and that the sender be notified of such errors

Practical Tips for Safeguarding PHI
Confidentiality Statement:
"The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individuals or entities listed above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents."

Federal Enforcer
The Department of Health and Human Services (HHS), Office for Civil Rights, enforces the HIPAA Privacy Rule.

Penalties
- Civil penalties: $100 per incident, up to $25,000 per person, per year, per standard
- Federal criminal penalties:
  - Knowingly and improperly disclosing information: up to $50,000 and one year in prison
  - Obtaining information under false pretenses: up to $100,000 and five years in prison
  - Obtaining protected information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm: up to $250,000 and 10 years in prison

Quick Refresher
What law established the Privacy Rule?
a. ERISA
b. HIPAA
c. Privacy Act of 2003
d. Taft-Hartley
Answer: b. HIPAA

When does the Privacy Rule take effect?
a. April 14, 2003
b. April 15, 2004
c. January 1, 2004
Answer: a. April 14, 2003

Quick Refresher
The Privacy Rule is intended to:
a. Prevent inappropriate use of certain employee health information
b. Give employees greater control over their health records
c. Restrict employers from using PHI in making employment decisions
d. All of the above

Quick Refresher
A Business Associate is a Covered Entity.
a. True
b. False
Answer: b. False

Which of these is not a health plan under the Privacy Rule?
a. Long term disability (LTD) plan
b. Health care FSA
c. Vision plan
d. HMO
Answer: a. Long term disability (LTD) plan

Quick Refresher
Penalties for not complying with the Privacy Rule include:
a. Big fines
b. Jail time
c. Fines for not complying with State/other laws
d. All of the above
Answer: d. All of the above

Who enforces the Privacy Rule?
a. HCFA
b. DOL
c. ERISA
d. HHS
Answer: d. HHS

Quick Refresher
If a firewall has been created, PHI can be used against an employee in employment decisions.
a. True
b. False

The Privacy Rule allows the Company to share PHI with anyone in the Company.
a. True
b. False

Quick Refresher
A health plan may use/disclose PHI without employee authorization for which of the following?
a. Case management
b. To determine payment to health care providers
c. To ensure claims are paid appropriately
d. All of the above

Employees must complete a written authorization to access their own health information.
a. True
b. False

Quick Refresher
An employee authorization is valid only if it includes specific details.
a. True
b. False
Answer: a. True

The Company may take PHI from the health plan and use it to administer other plans/policies, such as medical leaves.
a. True
b. False

This presentation provides an overview of the HIPAA Privacy Rule and broadly describes how this regulation will affect how the Employer handles employee health information from the health care plans. This information is not intended to provide all of the details of the HIPAA Privacy Rule or the Office of Health Benefits policies and procedures.