Protecting Enrollees’ Health Information under HIPAA. Presented by the Michigan Department of Civil Service, Employee Benefits Division.

Today You Will Learn…
- Basics about the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- How HIPAA affects working with enrollment and eligibility information for state health plans:
  – Health, Dental, Vision and Flexible Spending
  – HIPAA does not apply to life insurance, worker’s comp, and LTD plans.
- How to comply with HIPAA when you use and disclose health plan information

Goals of HIPAA
- For Individuals: to control and protect their own health information through new rights
- For Health Care Entities: to protect health information, limit its use, and punish improper use

Who does HIPAA apply to?
- HIPAA governs health care providers, clearinghouses, and group health plans.
- HIPAA does not apply to employers directly, but affects them indirectly as sponsors of group health plans.

Protected Health Information (PHI) Is:
- Information related to past, present, or future physical or mental health, provision of health care, or payment for health care to an individual
- Information created or received by a health plan, provider, insurer, or employer
- Information whether oral or in any recorded form (HRMN data, enrollment forms, faxes, e-mails, conversations, phone calls)

Protected Health Information
- Is health information that provides a reasonable basis to connect the information with the individual
- Data identified only by an employee number is still PHI, since the number can be connected back to that employee.

State Health Plan PHI relates to enrollment and eligibility:
- Enrollment forms
- HRMN data on insurance coverage and payroll deductions
- Complaints about coverage and claim disputes
- Communications from enrollees about health care and coverage

HIPAA Regulates Use & Disclosure of PHI
- Use: working with Protected Health Information (PHI) within your Office and the Employee Benefits Division (EBD).
- Disclosure: releasing PHI outside your Office and the EBD.

All PHI use and disclosure must be authorized!!! The default rule for PHI under HIPAA is not to use or disclose it unless authorized.

But, you can use or disclose PHI…
- For necessary enrollment, eligibility, payroll, and plan operation duties
- To an enrollee, personal representative, or person authorized by the enrollee to receive the information
- When authorized by the Privacy Official

The Golden Rule of HIPAA “Treat the health information of others as we would want others to treat health information about us.” Don’t step on anyone's toes! “Dancing the HIPAA Polka!”

Penalties for Noncompliance
- Enrollees can file complaints with the Privacy Official or the Department of Health and Human Services.
- The federal government can fine any person $100 for each violation, for up to $25,000 a year.
- Violations may lead to discipline, fines up to $250,000, and criminal penalties up to 10 years in prison.
(These are the civil and criminal amounts in effect when this training was written; the HITECH Act of 2009 later raised the civil penalty tiers substantially.)

HIPAA and Your Office
- What does not change?
- What changes need to be made?
- What issues are referred to the EBD or Privacy Official?

Other Health Info in Your Office
- Medical information received by your Office in its role as employer is covered by other laws, but not by HIPAA:
  – ADA Requests
  – FMLA Requests
  – Drug testing results
  – Workers Comp and LTD
- You still must respect privacy requirements created by other laws when handling this information.

Changes to Procedures
- Retention requirements
- Training requirements
- Use and disclosure of PHI
- Enrollee rights

Retention of PHI
- HIPAA requires designated PHI from after April 14, 2003 to be retained and retrievable for 6 years.
- HRMN data is archived electronically.
- All other health plan PHI you handle must be retained in a HIPAA Folder for the enrollee.

HIPAA Folder Contents
- Enrollment forms and supporting documents (birth certificates, etc.)
- Use and disclosure authorization forms
- Requests by enrollees to exercise enumerated HIPAA rights
- Documents establishing the authority of personal representatives receiving PHI
- Proof of HIPAA training attendance for relevant staff
- Documents the EBD asks to be included

HR Staff Training
- HR staff who can directly access PHI must have HIPAA training by the April 14 compliance deadline.
- If policies change, new training will follow.
- You must retain proof of HIPAA training, through a signed acknowledgment form available from the EBD website.

Confidentiality Agreement for Employees with Limited Access
Other employees with limited or incidental access to PHI (payroll staff, IT staff, etc.) must sign a HIPAA confidentiality agreement agreeing not to improperly use and disclose PHI. This certification is available on the EBD website.

When You Can Use PHI (Internally)
- To perform necessary plan administration duties, including sharing information with the EBD
- To change enrollment, eligibility, and deduction information in HRMN
- To another executive department when an employee transfers

When You Can Disclose PHI (Externally)
- If an enrollee seeks their own PHI
- If a personal representative (guardian, medical power of attorney holder, etc.) who proves identity and legal authority seeks an enrollee’s PHI
- If another party is validly authorized by the enrollee to receive the PHI
- If authorized by the Privacy Official

Disclosures Pursuant to Court Orders
- If required by a valid court subpoena or order, you must disclose as ordered. No enrollee authorization is required.
- You must send an e-mail or letter to the Privacy Official detailing the name and employee number of the enrollee, the disclosure date, the name and address of the recipient, a brief description of the PHI disclosed, and the reason for the disclosure.
- You must keep copies of the court order in the enrollee’s HIPAA Folder.

Authorization Form
- For disclosures based on an authorization form, the enrollee must completely fill out and sign the standard authorization form.
- If our standard form is not used, you must contact the Privacy Official to confirm the validity of the authorization.
- Alternatively, you could offer to provide the enrollee with the PHI to give to the other party.

Disclosure Procedures
1. Reasonably confirm recipients’ identity
2. Place a copy of personal representative recipients’ proof of authority in enrollees’ HIPAA Folders
3. When disclosing based on court orders, authorization forms, or Privacy Official’s authorizations, place a copy of the document in enrollees’ HIPAA Folders
4. Contact the Privacy Official if unsure

Contact with Insurance Carriers
- You may continue to contact carriers to resolve issues regarding enrollees’ enrollment and eligibility discrepancies.
- Any complaints over claim disputes must be referred to the insurance company. If an enrollee has exhausted all remedies and review mechanisms offered by the insurance company, you may refer the enrollee to the EBD.

Use & Disclosure Questions?
Contact the Privacy Official with the Employee Benefits Division for authorization.
- Address: Michigan Department of Civil Service, Privacy Official, 400 South Pine Street, P.O. Box 30002, Lansing, MI
- Phone: (517) or (800)
- Fax: (517)

Security Measures
Do:
- Log out of HRMN and all programs when leaving your workstation
- Lock cabinets containing PHI
- Put PHI away in storage when you are not working with it anymore
Do Not:
- Leave your computer unattended with visible PHI
- Leave file cabinets containing PHI unattended and unlocked
- Leave PHI out on your desk unattended

Health Plan Duties Firewall
- You cannot give an enrollee’s PHI to supervisors or co-workers who ask for it without authorization by the enrollee.
- You must protect PHI and only use it for plan administrative functions.
- HIPAA prohibits using PHI for employment related decisions.

Relationships
[Diagram of information flows between: HR, HRMN, Employee, Authorized Person, Employee Benefits Division, Anyone Else, Privacy Official]

Notice of Privacy Practices
- EBD is sending it to current enrollees now.
- Your office must give it to new hires after 3/29/03.
- When an enrollee requests a copy, you must also provide one; it is available on the EBD website.

Enrollee Right of Access
- HIPAA requires that PHI in designated record sets be given to individuals:
  1. Enrollment/Eligibility data in HRMN
  2. Benefit denial and appeal documents
- When asked, produce all documents in the enrollee’s HIPAA Folder and HRMN benefit summary data (ZB107, BN51, etc.)
- If an enrollee wants benefit claim or appeal information, instruct the enrollee to make a written request to the Privacy Official

Enrollee Right to Amend PHI
- As before, your Office can add enrollment data, new dependents, and life events when appropriate.
- If you cannot perform a requested amendment (ineligible, outside open enrollment, etc.), you must provide a written denial that includes the following language:
  – If you believe this decision is incorrect, you may file a written appeal to the Employee Benefits Division that explains why the decision is incorrect and includes all necessary documentation. Appeals must be mailed to Employee Benefits Division, Department of Civil Service, P.O. Box 30002, Lansing, MI. If you believe your HIPAA rights have been violated by this decision, you may file a HIPAA Privacy Complaint Form (CS-1782) with the EBD Privacy Official at the same address.

Enrollee Right to Request Restrictions and Audits
- Enrollees may request limitations on how their PHI is shared or request confidential communications of their PHI.
- Enrollees may request an audit listing certain disclosures of their PHI that have been made.
- All these requests must be made in writing by the enrollee to the Privacy Official.

Enrollee Rights to Privacy Complaints
- Our HIPAA Procedures will allow enrollees to file privacy complaints with the Privacy Official.
- The Privacy Official will investigate to determine if a violation occurred.
- Employees who violate these procedures will face appropriate discipline.

Test Your Understanding
A supervisor e-mails asking for a list of the health plans a subordinate is enrolled in. What portion of the subordinate’s PHI can you disclose?
None. Supervisors and others outside your Office are not authorized to use and disclose PHI without a valid authorization.

Test Your Understanding
A person flashing a badge demands disclosure of PHI for a criminal investigation. Do you disclose?
Maybe. HIPAA does provide for disclosures for national security, law enforcement, and other specific purposes. You must contact the Privacy Official to ensure that proper procedures are followed and proper documents are maintained. If there is a court order, you can disclose but must notify the Privacy Official of the disclosure.

Test Your Understanding
An attorney calls and asks for PHI to help in an employee grievance. Do you disclose?
No. If the attorney has a valid authorization, you may. If there is a court order for the information, you must give the Privacy Official notice, as required in the Procedures for Disclosures Pursuant to Court Orders. Remember that disclosing information to a willing enrollee is one solution to avoid some of these procedural requirements.

Test Your Understanding
Allstate calls asking for confirmation of an employee’s LTD coverage. Does HIPAA prevent you from disclosing this info?
No. HIPAA protects information related to health plan enrollment. LTD is not a health plan under HIPAA. If the request sought LTD and PHI related to state health plans, HIPAA would prohibit the unauthorized disclosure of data about the health plans.

Questions?
- What if…?
- How about…?
- What happens when…?
- Who do I call about…?

Top Ten Ways to Comply with HIPAA
10. Only authorized personnel can directly access PHI
9. Use PHI only when related to plan administration
8. Disclose PHI to enrollees, to personal representatives, or as provided in proper authorization forms
7. Follow court orders to disclose PHI, but notify the EBD
6. Don’t otherwise disclose unless the Privacy Official OKs
5. Give new enrollees and those who ask privacy notices
4. Issue written denials to requested PHI changes that explain the denial and include the required notice
3. Promptly refer all PHI restriction, confidentiality, and accounting requests to the Privacy Official
2. Keep HIPAA documents for six years in HIPAA Folders
1. Call the Privacy Official if you are unsure!