April 2003 1
Privacy, Confidentiality and YOU!
Putting the pieces together
HIPAA
HIPAA Overview
HIPAA is an abbreviation for the Health Insurance Portability and Accountability Act of 1996.
Two of HIPAA's main goals are to:
Make health insurance more portable when persons change employers, and
Make the health care system more accountable for costs and try to reduce waste and fraud.
HIPAA Overview
HIPAA has four associated regulations or "rules":
1. Standardized formats for all electronic data (computer-to-computer) information exchanges (EDI), referred to as the "transactions standard"
2. Standardized "identifiers" for health providers and health plans
3. Information system security standards
4. Privacy standards, also referred to as the "HIPAA Privacy Rule"
The Privacy Rule
limits how protected health information (PHI) is shared,
prevents employers from using PHI obtained from the health plan in employment decisions, and
requires employers and covered entities to establish safeguards for handling PHI.
Protected Health Information
Identifies people very specifically;
can be electronic, paper or verbal; and
must relate to a person’s health condition, care, or payment for care.
Protected Health Information
The Privacy Rule is the first comprehensive federal protection regulation
implemented to safeguard private health information. The Rule creates national standards to protect the medical records
and other personal health information of individuals.
Use and Disclosure
The Privacy Rule limits both the use and disclosure of PHI.
"Use" refers to what is done with PHI inside an entity's organization.
"Disclosure" means that PHI is given out to an external entity for use.
Covered Entities
Health Plans
Health Care Clearinghouses
Health Care Providers
Employers are not covered entities but have a responsibility to protect the health information of the health plan members.
Covered Entities - Health Plans
Group Health Plan
Health Insurance Issuer
Medicare
Medicaid
Long Term Care Plan
Multiple Employer Plan
Approved State Child Health Care Plan
Veterans Plan
FEHBP
Medicare Plus Choice Plans
Other Individual or Group Plans
Covered Entities - Health Plans
Medical Reimbursement Accounts
Wellness Programs
Employee Assistance Programs (EAP) that provide direct counseling services
Mental Health and substance abuse programs
Covered Entities - Health Plans
The following do not qualify as group health plans and are not subject to HIPAA:
Life
AD&D
Disability
Workers' Compensation
Health Plan for State and Local Employees
Health Plan: State Health Plan, The Local Choice Program
OHB
Representatives of the Health Plan: Agencies and Local Employers, Benefit Administrator (Employer Representative)
Plan Members
OHB's Responsibilities
Adopt written privacy policies
Train employees involved in handling protected information
Designate a privacy officer responsible for ensuring the procedures are followed
Establish a grievance process
OHB's Responsibilities
OHB may use or disclose Protected Health Information (PHI):
For treatment, payment, or health care operations (TPO), without the individual's authorization;
For non-routine purposes only with the individual's authorization; or
To the individual involved.
TPO
Treatment includes the coordination and management of an individual's health care.
Payment includes coverage, eligibility, COB (coordination of benefits) and utilization reviews.
Operations include underwriting, rating, audits and most disease management programs.
Protected Health Information
Some acceptable uses of PHI for OHB personnel:
Helping employees with claims
Case management
Billing
Underwriting/premium rating
Legal, auditing or actuarial services
Fraud/abuse detection
Benefit Administrator Responsibilities
Assist with claim and eligibility problems
Members, family, personal representatives, or a close friend who can prove they have prior/first-hand knowledge of the treatment or claim
No authorization required
Minimum necessary requirements apply
Minimum Necessary Rule
Minimum necessary means that you only
disclose the specific PHI that is necessary to
satisfy a particular need or request.
Benefit Administrator Responsibilities
Assistance with an appeal
Provide adequate "safeguards" for members' PHI
Provide a copy of the Notice of Privacy Practices to all new hires upon enrollment in the health plan
All other requests involving PHI should be referred to OHB's Privacy Officer.
Individual Authorization
Authorization is a document that gives permission to use or disclose specific PHI for a non-routine purpose.
Protected Health Information
Some Non-Acceptable uses of PHI:
Using health plan data to suspend employee for substance abuse
Using health plan data (without employee authorization) to confirm need for FMLA
Protected Health Information
Some Non-Acceptable uses of PHI:
Openly discussing or providing individual health plan information with employees not designated to handle PHI, without employee authorization (e.g., discussing individual claims expenses at management meetings, or providing representatives with medical plan data to resolve grievances)
Protected Health Information
The following would not be considered PHI:
FMLA or sick leave requests
Substance abuse screening results
Pre-employment physicals or fitness for duty results
Workers' Compensation claims
Disability Plan claims, ADA accommodations or disability retirements
Protected Health Information
Generally, "employment records" are not considered PHI.
PHI records should be kept totally separate from employment records.
Member's Rights
Right to inspect and copy
Right to amend
Right to an accounting of disclosures
Right to request restrictions
Right to request confidential communications
Right to a copy of the notice
Member's Rights
Employees or plan participants can always request their own information or authorize release of their PHI to others on their behalf.
Member’s Rights
Employees or participants who feel that their rights have been violated may file a complaint in writing.
The Privacy Rule states that employees may not be retaliated against for filing a complaint.
Practical Tips for Safeguarding PHI
Don’t leave confidential data unattended or visible to passersby
Be careful with faxed claims data
Practical Tips for Safeguarding PHI
Close all employee/member information at workstations following the completion of an inquiry
Shred - never recycle - anything containing PHI
Practical Tips for Safeguarding PHI
Secure all daily work in locked drawers and/or cabinets
Protect secured areas - never loan your key
Practical Tips for Safeguarding PHI
Oral communication
Speak quietly when discussing an employee's PHI in public areas
Avoid the use of names or other identifying information in conversations whenever possible
Designate "quiet areas" for PHI exchange (e.g., a private office or conference room with the door closed)
Practical Tips for Safeguarding PHI
Copying and printing
Sensitive information should not be sent to remote printers or photocopiers where access is uncontrolled and the sender is not present to keep track of the output
Do not dispose of PHI in open wastebaskets or recycle containers; instead shred or otherwise destroy before discarding
Practical Tips for Safeguarding PHI
Telephone use
Conversations regarding PHI should be conducted where they cannot be overheard, if at all possible (e.g., in private offices or conference rooms with the door closed)
The other person's identity should be confirmed
Only names and callback numbers should be left on answering machines and voicemail systems if a called party cannot be reached
Sensitive information should never be left on an answering machine or voicemail device
Practical Tips for Safeguarding PHI
Facsimile (fax) use is not considered an "electronic transmission" under HIPAA and the Privacy Rule does not address facsimile transmission directly. Still, faxing practices for PHI must be compatible with the HIPAA privacy regulations. Tips include:
Place the fax machine(s) you will use to transmit PHI in a secure location (or be sure that someone designated to handle PHI is present during the fax transmission to ensure PHI is secure during transmission)
Practical Tips for Safeguarding PHI
Fax Machines (con't)
Do not send PHI to unattended fax machines, or where the physical security of the receiving system is unknown
Send faxes about PHI only to known locations, where the physical security and monitoring practices of the receiving fax machine are known
Practical Tips for Safeguarding PHI
Fax Machines (con't)
Rely on preprogrammed (and tested) fax numbers set on the sending machine, to reduce dialing errors
Include a "confidentiality request" that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors
Practical Tips for Safeguarding PHI
E-mail Use
Avoid using e-mail for exchange of PHI; however, HIPAA does not ban the practice. It is safer to convey information over the phone than via unencrypted e-mail
If electronic mail is used to disclose PHI, copies of the messages should be kept as part of the records retention process
Include a "confidentiality request" that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors
Practical Tips for Safeguarding PHI
“Confidentiality Statement”: “The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individuals or entities listed above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.”
Federal Enforcer
The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), enforces the HIPAA Privacy Rule.
Penalties
Civil penalties: $100 per incident, up to $25,000 per person, per year, per standard
Federal criminal penalties:
Knowingly and improperly disclosing information: up to $50,000 and one year in prison
Obtaining information under false pretenses: up to $100,000 and five years in prison
Obtaining protected information with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm: up to $250,000 and 10 years in prison
Quick Refresher
What law established the Privacy Rule?
a. ERISA
b. HIPAA
c. Privacy Act of 2003
d. Taft-Hartley
Answer: b. HIPAA
When does the Privacy Rule take effect?
a. April 14, 2003
b. April 15, 2004
c. January 1, 2004
Answer: a. April 14, 2003
Quick Refresher
The Privacy Rule is intended to:
a. Prevent inappropriate use of certain employee health information
b. Give employees greater control over their health records
c. Restrict employers from using PHI in making employment decisions
d. All of the above
Answer: d. All of the above
Quick Refresher
A Business Associate is a Covered Entity.
a. True
b. False
Answer: b. False
Which of these is not a health plan under the Privacy Rule?
a. Long term disability (LTD) plan
b. Health care FSA
c. Vision plan
d. HMO
Answer: a. Long term disability (LTD) plan
Quick Refresher
Penalties for not complying with the Privacy Rule include:
a. Big fines
b. Jail time
c. Fines for not complying with State/other laws
d. All of the above
Answer: d. All of the above
Who enforces the Privacy Rule?
a. HCFA
b. DOL
c. ERISA
d. HHS
Answer: d. HHS
Quick Refresher
If a firewall has been created, PHI can be used against an employee in employment decisions.
a. True
b. False
Answer: b. False
The Privacy Rule allows the Company to share PHI with anyone in the Company.
a. True
b. False
Answer: b. False
Quick Refresher
A health plan may use/disclose PHI without employee authorization for which of the following?
a. Case management
b. To determine payment to health care providers
c. To ensure claims are paid appropriately
d. All of the above
Answer: d. All of the above
Employees must complete written authorization to access their own health information.
a. True
b. False
Answer: b. False
Quick Refresher
An employee authorization is valid only if it includes specific details.
a. True
b. False
Answer: a. True
The Company may take PHI from the health plan and use it to administer other plans/policies, such as medical leaves.
a. True
b. False
Answer: b. False
This presentation provides an overview of the HIPAA Privacy Rule and broadly describes how this regulation will affect how the Employer handles employee health information from the health care plans. This information is not intended to provide all of the details of the HIPAA Privacy Rule or the Office of Health Benefits’ policies and procedures.