1

As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they share with you confidential and safe. 2

HIPAA, the H ealth I nsurance P ortability and A ccountability A ct, was finalized August This act was created to ensure comprehensive health insurance privacy and security regulations. 3

1. HIPAA requires that privacy and security be built into the policies and practices of healthcare providers and health plans. 2. HIPAA sets standards for the electronic transmission of patient health, administrative, and financial information. 4

HIPAA sets limits on the type of information permitted for disclosure. Thus Florida KidCare requires a properly completed Florida Healthy Kids Release of Information (ROI) form be on file prior to the release of any account related personal health information (PHI) to third party entities. 5

Florida KidCare uses the ROI form to determine who is authorized to access account information. A ROI form should be voluntarily completed by the applicant parent or guardian. One ROI must be properly completed and on file for each enrollee (child) prior to disclosure. Making sure to initial where indicated. ROI form is available in English, Spanish and Creole. 6

Within limits, HIPAA allows for the free flow of PHI for treatment, payment and health care operations. This is why the ROI is so important. 7

All Florida KidCare applicants or enrollees have the right to privacy and to keep information about themselves from being disclosed. Florida KidCare uses the ROI form to determine who is authorized to access account information. 8

Florida KidCare staff are limited to the type of information they are allowed to disclose to third parties. Such as: Full disclosure – All account information provided Minimum disclosure – Information needed to resolve a family’s concerns is provided Limited disclosure – Confirmation of coverage, and Dates of coverage, and Name of child’s health & dental plan, Amount of premium being paid are provided No disclosure - No information is provided without a completed ROI on file. 9

With the successful completion of the HIPAA training, contracted Florida Healthy Kids Corporation community partners assisting families apply for Florida KidCare may be given “minimum disclosure” to family account information without a ROI. 10

Under new legislation a non-applicant parent can have limited disclosure to Florida KidCare account information. In other words, a non-applicant parent can contact Florida KidCare (with the child’s information such as DOB and SSN) and are able to receive the following types of account information without a ROI on file: Confirmation of coverage Dates of coverage Name of child’s health & dental plan Amount of premium being paid 11

Name Address Phone Number Social Security Number Date of Birth Premium Payment Relatives Address Health/Dental Plan # Employer Account Number 12

Patients seeking treatment from a health care provider must get a “Notice of Privacy Practices” from their provider. Florida KidCare sends out a notice of privacy practices to all new enrollees and every 3 years to current enrollees. 13

Covered healthcare organizations must have appropriate technical and administrative safeguards in place to protect patient information such as: All community partners assisting families apply for Florida KidCare must receive HIPAA training and successfully pass the Florida KidCare HIPAA compliance test. 14

Every covered healthcare organization must have a HIPAA Compliance Officer. Merrio Tornillo acts as the HIPAA officer for FHKC, you can reach her at (850)

To ensure an applicant or enrollee’s privacy, certain security safeguards must be in place to: Protect information from accidental or intentional disclosure to unauthorized persons, and Protect information from alteration, destruction, or loss. 16

Who Do I Contact When An Applicant or Enrollee’s Rights Are Violated? Contact the HIPAA Compliance Officer of the organization that violated the privacy regulation. File a federal complaint to the United States Department of Health and Human Services Office of Civil Rights. 17

Community partners who fail to comply with HIPAA policies and procedures risk the discontinuation of their FHKC contract. 18

HIPAA calls for severe civil and criminal penalties for non-compliance, including: Fines up to $25,000 for multiple violations of the same types of information in a calendar year Fines up to $250,000 and/or imprisonment up to 10 years for knowingly misusing individually identifiable health information 19

You must comply with HIPAA because as a community partner you may receive PHI electronically such as: Florida KidCare eligibility determinations Florida KidCare premium amounts Florida KidCare enrollment information 20

To maintain HIPAA security you must : Prevent unauthorized access and disclosure Prevent loss of information Secure electronic information Secure paper records Overheard Conversations Be careful what you discuss among staff both inside and outside of the office 21

Information Left in Public View All paper files must be collected and stored or shredded every day To prevent unauthorized disclosures Florida KidCare staff will: Always check the credentials of a requester Always check a client’s authorization Report incidents to your organization’s HIPAA Compliance Officer 22

Use encryption when sending an e- mail with PHI. Check with your IT Department on how to encrypt your correspondence. Do not copy others on an with PHI without written consent from the client 23

For additional information about HIPAA visit the U.S. Department of Health and Human Services at: 24