April 2003 1

Privacy, Confidentiality and YOU!

Putting the pieces together

HIPAA

April 2003 2

HIPAA Overview HIPAA is an abbreviation for Health

Insurance Portability and Accountability Act of 1996.

Two of HIPAA’s main goals are to: Make health insurance more portable

when persons changed employers, and Make the health care system more

accountable for costs and try to reduce waste and fraud.

April 2003 3

HIPAA Overview HIPAA has four associated regulations or

"rules":1. Standardized formats for all electronic data

(computer-to-computer) information exchanges (EDI) referred to as the "transactions standard"

2. Standardized "identifiers" for health providers and health plans

3. Information system security standards4. Privacy standards also referred to as the

“HIPAA Privacy Rule”

April 2003 4

The Privacy Rule

limits how protected health information(PHI) is shared,

prevents employers from using PHI in employment decisions, and

requires employers and covered entities to establish safeguards for handling PHI.

April 2003 5

Protected Health Information

Identifies people very specifically;

can be electronic, paper or verbal; and

must relate to a person’s health condition, care, or payment for care.

 

April 2003 6

Protected Health Information

The Privacy Rule is the first comprehensive federal protection regulation

implemented to safeguard private health information. The Rule creates national standards to protect the medical records

and other personal health information of individuals.

April 2003 7

The Privacy Rule limits both the use and disclosure of PHI.

“Use” refers to what is done with PHI inside an entity’s organization.

“Disclosure” means that PHI is given out to an external entity for use.

Use and Disclosure

April 2003 8

Covered Entities Health Plans Health Care Clearinghouses Health Care Providers

Employer’s are not covered entities but have a responsibility to protect the health information of the health

plan members

April 2003 9

Covered Entities-Health Plans GROUP HEALTH

PLAN HEALTH INSURANCE

ISSUER MEDICARE MEDICAID LONG TERM CARE

PLAN MULTIPLE EMPLOYER

PLAN

APPROVED STATE CHILD HEALTH CARE PLAN

VETERANS PLAN FEHBP MEDICARE PLUS

CHOICE PLANS OTHER INDIVIDUAL

OR GROUP PLANS

April 2003 10

Covered Entities-Health Plans Medical Reimbursement Accounts Wellness Programs Employee Assistance Programs

(EAP) that provide direct counseling services

Mental Health and substance abuse programs

April 2003 11

Covered Entities-Health Plans

Life AD&D

Disability Worker’s

Compensation

The following do not qualify as group health plans

and are not subject to HIPAA

April 2003 12

Health Plan for State and Local Employees

Health Plan State Health Plan The Local Choice Program OHB Representatives of the Health Plan

Agencies and Local Employers Benefit Administrator (Employer

Representative) Plan Members

April 2003 13

OHB’s Responsibilities

Adopt written privacy policies Train employees involved in

handling protected information Designate a privacy officer

responsible for ensuring the procedures are followed

Establish a grievance process

April 2003 14

OHB may use or disclose Protected Health Information(PHI) : For treatment, payment, or health

care operations (TPO), without the individual’s authorization;

For non-routine purposes only with the individual’s authorization; or

To the individual involved.

OHB’s Responsibilities

April 2003 15

Treatment includes the coordination and management of an individual’s health care.

Payment includes coverage, eligibility, COB and utilization reviews.

Operation includes underwriting, rating, audits and most disease management programs.

TPO

April 2003 16

Protected Health Information

Some Acceptable uses of PHI for OHB personnel:

Helping employees with claims Case management Billing Underwriting/premium rating Legal, auditing or actuarial services Fraud/abuse detection

April 2003 17

Benefit Administrator Responsibilities

Assist With Claim and Eligibility Problems Members, Family, Personal

Representatives, Close Friend Prove They Have Prior/First Hand

Knowledge of Treatment or Claim No Authorization Required Minimum Necessary Requirements

Apply

April 2003 18

Minimum Necessary Rule

Minimum necessary means that you only

disclose the specific PHI that is necessary to

satisfy a particular need or request.

April 2003 19

Benefit Administrator Responsibilities

Assistance with an Appeal Provide Adequate “Safeguards” for

Member’s PHI Provide a copy of the Notice of Privacy

Practices to all new hires upon enrollment in the health plan

All other requests involving PHI should be referred to OHB’s Privacy Officer.

April 2003 20

Individual Authorization Authorization is a document

that gives permission to use or disclose specific PHI for a non-routine purpose.

April 2003 21

Protected Health Information

Some Non-Acceptable uses of PHI:

Using health plan data to suspend employee for substance abuse

Using health plan data (without employee authorization) to confirm need for FMLA

April 2003 22

Protected Health Information

Some Non-Acceptable uses of PHI: Openly discussing or providing individual health

plan information with employees not designated to handle PHI (i.e., discussing individual claims expenses at management meetings, or providing representatives with medical plan data to resolve grievances) without employee authorization

April 2003 23

Protected Health Information

The following would not be considered PHI

FMLA or sick leave requests Substance abuse screening results Pre-employment physicals or fitness for duty

results Workers’ Compensation claims Disability Plan claims, ADA accommodations

or disability retirements

April 2003 24

Protected Health Information

Generally, “employment records” are not considered PHI.

PHI records should be kept totally separate from employment

records  

April 2003 25

Member’s Rights Right to inspect and copy Right to amend Right to an accounting of disclosures Right to request restrictions Right to request confidential

communications Right to a copy of the notice

April 2003 26

Member’s Rights

Employees or plan participant can always

request their own information or authorize

release of their PHI to others on their behalf.

April 2003 27

Member’s Rights

Employees or participants who feel that their rights have been violated may file a complaint in writing.

The Privacy Rule states that employees may not be retaliated against for filing a complaint.

 

April 2003 28

Practical Tips for Safeguarding PHI

Don’t leave confidential data unattended or visible to passersby

Be careful with faxed claims data

April 2003 29

Practical Tips for Safeguarding PHI

Close all employee/member information at workstations following the completion of an inquiry

Shred - never recycle - anything containing PHI

April 2003 30

Practical Tips for Safeguarding PHI

Secure all daily work in locked drawers and/or cabinets

Protect secured areas - never loan your key

April 2003 31

Practical Tips for Safeguarding PHI

Oral communication Speak quietly when discussing an

employee’s PHI in public areas Avoid the use of names or other

identifying information in conversations whenever possible

Designate "quiet areas" for PHI exchange (i.e., in private office or conference room with door closed)

April 2003 32

Practical Tips for Safeguarding PHI

Copying and printing Sensitive information should not be

sent to remote printers or photocopiers where access is uncontrolled and the sender is not present to keep track of the output

Do not dispose of PHI in open wastebaskets or recycle containers; instead shred or otherwise destroy before discarding

April 2003 33

Practical Tips for Safeguarding PHI

Telephone use Conversations regarding PHI should be

conducted where they cannot be overheard, if at all possible (i.e., in private offices or conference rooms with door closed)

The other person's identity should be confirmed

Only names and callback numbers should be left on answering machines and voicemail systems if a called party cannot be reached

Sensitive information should never be left on the answering machine or voicemail device

April 2003 34

Practical Tips for Safeguarding PHI

Facsimile (fax) use is not considered an "electronic transmission" under HIPAA and the Privacy Rule does not address facsimile transmission directly. Still, faxing practices for PHI must be compatible with the HIPAA privacy regulations. Tips include:

Place the fax machine(s) you will use to transmit PHI in a secure location (or be sure that someone designated to handle PHI is present during the fax transmission to ensure PHI is secure during transmission)

April 2003 35

Practical Tips for Safeguarding PHI

Fax Machines (con’t) Do not send PHI to unattended fax

machines, or where the physical security of the receiving system is unknown

Send faxes about PHI only to known locations, where the physical security and monitoring practices of the receiving fax machine are known

April 2003 36

Practical Tips for Safeguarding PHI

Fax Machines (con’t) Rely on preprogrammed (and tested) fax

numbers set on the sending machine, to reduce dialing errors

Include a "confidentiality request" that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors 

April 2003 37

Practical Tips for Safeguarding PHI

E-mail Use Avoid using e-mail for exchange of PHI;

however, HIPAA does not ban the practice. It is safer to convey information over the phone than via unencrypted email

If electronic mail is used to disclose PHI, copies of the messages should be kept as part of the records retention process

Include a "confidentiality request" that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors

April 2003 38

Practical Tips for Safeguarding PHI

“Confidentiality Statement”: “The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individuals or entities listed above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.”

 

April 2003 39

Federal Enforcer Department of Health and

Human Services (HHS), Office of Civil Rights enforces the HIPAA Privacy Rules

April 2003 40

Penalties Civil Penalties –

$100 per incident up to $25,000 per person, per year, per standard

Federal criminal penalties – Knowingly and improperly disclosing

information; up to $50,000 and one year in prison;

Obtaining information under false pretenses; up to $100,000 and five years in prison

Obtaining protected information with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm; up to $250,000 and 10 years in prison

April 2003 41

Quick RefresherWhat law established the Privacy Rule?

a. ERISAb. HIPAAc. Privacy Act of 2003d. Taft-Hartley

b. HIPAA

When does the Privacy Rule take effect?a. April 14, 2003b. April 15, 2004c. January 1, 2004

a. April 14, 2003

April 2003 42

Quick Refresher

The Privacy rule is intended to:a. Prevent inappropriate use of certain employee health informationb. Give employees greater control their health recordsc. Restrict employers from using PHI in

making employment decisionsd. All of the above

d. All of the above

April 2003 43

Quick RefresherA Business Associate is a Covered Entity

a. Trueb. False

Which of these is not a health plan under the Privacy Rule?

a. Long term disability (LTD) planb. Health care FSAc. Vision pland. HMO

b. False

a. Long term disability (LTD) plan

April 2003 44

Quick Refresher Penalties for not complying with the Privacy Rule include:

a. Big finesb. Jail timec. Fines for not complying with State/other laws d. All of the above

Who enforces the Privacy Rule?a. HCFAb. DOLc. ERISAd. HHS

d. All of the above

d. HHS

April 2003 45

Quick RefresherIf a firewall has been created, PHI can be used against an

employee in employment decisionsa. Trueb. False

b. False

The Privacy Rule allows the Company to share PHI with anyone in the Companya. Trueb. False

b. False

April 2003 46

Quick RefresherA health plan may use/disclose PHI without employee authorization for

which of the followinga. Case managementb. To determine payment to health care

providersc. To ensure claims are paid appropriatelyd. All of the above

d. All of the above

Employees must complete written authorization to access their own health informationa. Trueb. False

b. False

April 2003 47

Quick RefresherAn employee authorization is valid only if it includes specific

detailsa. Trueb. False

a. True

The Company may take PHI from the health plan and use it to administer other plans/policies, such as medical leaves

a. Trueb. False b. False

April 2003 48

This presentation provides an overview of the HIPAA Privacy Rule and broadly describes how this regulation will affect how the Employer handles employee health information from the health care plans. This information is not intended to provide all of the details of the HIPAA Privacy Rule or the Office of Health Benefits’ policies and procedures.