HIPAA Privacy Rule Compliance Training for YSU April 9, 2014

What is HIPAA?  Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996  Federal law designed to give patients control over all Protected Health Information (PHI) that might be shared between health care providers and other covered entities  Ensure confidentiality of PHI

What is PHI? (Protected Health Information)  “Individually identifiable health information” in any form - paper, electronic, or oral  Relates to the physical or mental health condition of an individual  Identifies or can be used to identify an individual (e.g., name, address, birth date, Social Security number, account number)  Is in the possession of or has been created by covered entities

Examples of PHI  Health care claims  Health care payment and remittance advice  Coordination of benefits  Health care claim status  Enrollment or disenrollment in a health plan  Eligibility for a health plan  Health plan premium payments  Referral certification and authorization

What is the HIPAA Privacy Rule?  Provides federal protection for PHI held by covered entities and Business Associates  Gives patients rights over determining who can look at and receive their health information  Applies to all forms of protected health information – electronic, written, or oral

Who Must Comply? Health Plans  Health insurance companies - HMOs, Medicaid, Medicare, and employer-sponsored health plans Health Care Providers  Doctors, clinics, hospitals, pharmacies, dentists  Electronic billing to insurance Health Care Clearinghouses  Process nonstandard health information (e.g., billing services)

What is the HIPAA Security Rule?  Specifies a series of administrative, physical and technical safeguards to use to assure confidentiality, integrity, and availability of electronic PHI

Employer has 2 Roles If the Employer is the Plan Sponsor of a self-insured plan it has two different roles:  Employer  Plan Sponsor

Employer Role HIPAA Privacy Rule does not apply when:  Doctor’s information is needed for determining FMLA or an ADA Accommodation  Doctor’s release to return to work  Workers Compensation injury  OHSA logs  Wellness programs  Health insurance

Plan Sponsor Role HIPAA Privacy Rules does apply when:  Employer participates in the administration of a group health plan  Is involved in the decision-making process

Plan Sponsor Responsibilities  Designate a privacy officer  Provide written PHI procedures  Limit use and disclosures of PHI to the “minimum necessary” to accomplish the intended purpose  Require business associates to ensure confidentiality with written contracts/agreements

Employees’ Rights Employers acting in a plan sponsor role may not share employee PHI without written authorization unless it is shared:  With the employee  For treatment/care coordination  To pay for employee health care services.

Employees’ Rights (cont.) Employees have a right to:  A copy of their medical records  Restrict who can obtain their PHI  Change incorrect information in their medical records  A report of when and why PHI was used  File complaints

HIPAA Privacy Violations  Civil penalties - $100 per violation  Maximum civil penalties of $25,000 per year, per person, per standard  Criminal penalties - $50,000 to $250,000 and imprisonment  Additional penalties under state law  Lawsuits

Summary  Medical information maintained by employers is not always considered PHI  Employer must determine where the information was obtained and whether the information is maintained under the role of employer or plan sponsor of a group health plan  Regardless of the role, employers should carefully handle all employee medical information