hipaa privacy awareness training
DESCRIPTION
HIPAA Privacy Awareness Training. Protecting Individual Health Information. Objectives And Agenda. Overview HIPAA Privacy Rule Explain implications to and within our organization Identify what you need to do differently. Part 1 Overview Of Privacy Rule. Privacy Rule … A Quick Glance. - PowerPoint PPT PresentationTRANSCRIPT
1
HIPAA Privacy Rule
HIPAA Privacy Awareness TrainingProtecting Individual Health Information
2
HIPAA Privacy Rule
Objectives And Agenda
Overview HIPAA Privacy Rule Explain implications to and within our
organization Identify what you need to do differently
Protecting Individual Health Information
Part 1Overview Of Privacy Rule
4
HIPAA Privacy Rule
Privacy Rule … A Quick Glance
Part of Health Insurance Portability and Accountability Act of 1996—HIPAA
Effective April 14, 2003 for larger employers and April 14, 2004 for smaller employers
What it does: Limits sharing of confidential health information, called
Protected Health Information (PHI) Restricts employers from using PHI in employment
decisions Requires employers to establish and follow certain
procedures
5
HIPAA Privacy Rule
What Is PHI?
Protected Health Information is: Employee or plan participant health information that
• Identifies individuals (or could be used to identify them)
• Relates to past, present, or future health care condition, provision of care, or payment for care
Created or received by employer, health plan, or other Covered Entity
PHI can be electronic, paper, or verbal
6
HIPAA Privacy Rule
Examples Of PHI
Examples of PHI include: Medical bills from hospital Diagnostic information Other doctor/patient information that is part of the
health plan record E-mails from vendors that discuss the health condition
of an employee or employee’s dependent
Important! If you use PHI now (for example to help employees with claim denials), you will need to make changes to conform with
our new policies!
7
HIPAA Privacy Rule
What The Privacy Rule Does Not Cover
Generally, information that is part of employment records is not PHI Examples—Health information used in these processes
is generally not PHI:• Pre-employment physicals/substance abuse
screenings• FMLA leaves for serious health conditions• ADA accommodations• Work Restrictions• Employees calling in sick
Information gathered in “employer role” is part of employment file and is NOT PHI.
8
HIPAA Privacy Rule
Which Health Plans Are Covered?
Plans Covered by the Privacy Rule Medical Plan Dental Plan Health Care Flexible Spending Account Employee Assistance Program (EAP)
Not Covered Disability Life insurance Workers’ Compensation
Not Covered Disability Life insurance Workers’ Compensation
Also HMOs Health insurance issuers Medicare and other
government programs Long-term care policies
Protecting Individual Health Information
Part 2Complying With The Privacy Rule
10
HIPAA Privacy Rule
Claims Administrator
Anyone in HR
Supervisor
File Clerk
Doctor
Any Insurance Company
Hospital
PHI Before April 14
The Changing Flow Of Information
Facility Managers
11
HIPAA Privacy Rule
The Changing Flow Of Information
Anyone in Human Resources
Supervisor
File Clerk
Business Associates with signed agreements
PHI-Designated HR Staff Member
Any Insurance Company
PHI After April 14
Facilities Managers
Providers:• Doctors• Hospitals
12
HIPAA Privacy Rule
The PHI Box
Those “In The Box” May Share PHI With Each Other
Health Plan
Provider
Clearing-house
• Health Plan: PHI from the health plan can only be shared with those in the box
• Providers: Doctors, hospitals, clinics, etc.
• Clearinghouse: Data management firms that code provider bills
• PHI can be shared with others who we retain for plan administration and who agree in writing to comply with the Privacy Rule
• Employee/participant must authorize any “non-routine” use
If you are not in the box or have an agreement with the Plan Sponsor or the Provider, you cannot have access to PHI
without written authorization from the employee
13
HIPAA Privacy Rule
Who Is Responsible For Compliance?
All management Only PHI-designated Human Resources staff
members can access and process PHI Managers must adhere to policies and
procedures and defer to PHI-designated staff
14
HIPAA Privacy Rule
Example
An employee has a problem with a medical plan claim and goes to a manager at a location In the past, the manager may have contacted an outside
administer to get clarification Under the new procedures, the manager defers the
employee to PHI-designated Human Resources staff member for assistance
15
HIPAA Privacy Rule
What If The Plan Does Not Comply?
The Privacy Rule is enforced by U.S. Department of Health and Human Services (HHS)
HHS can impose both civil and criminal penalties on the Covered Entities for noncompliance Civil penalties—$100 fine per violation,
up to $25,000 per person/year Criminal penalties—Up to $250,000
fine and 10 years in prison
Important! Employees may file complaint with HHS for wrongful disclosure.
16
HIPAA Privacy Rule
New Procedures
Appointed Privacy Officer to: Develop and implement Privacy Rule compliance
policies and procedures Monitor and ensure the college’s compliance
Designated certain Human Resources staff members to be the only individuals responsible for PHI processing, record retention and management
Play it Safe! Always refer employees to a PHI-designated staff
member if you have any issues involving the covered plans
17
HIPAA Privacy Rule
Our Privacy Officer
Employee Plans - Linda Laughlin, Associate HR Director
Student Plan - Administrative Assistant/ Student Insurance Specialist, Wellness Center
18
HIPAA Privacy Rule
New Procedures
Created a “firewall” to separate health plan information from other employee data
Took steps to safeguard PHI Keep PHI out of sight Don’t discuss PHI in public Watch who is e-mailed PHI Fax with care
19
HIPAA Privacy Rule
How Are Managers Affected?
Managers/Supervisors Must understand and comply with Privacy Rule Must understand which plans are covered
• For example, Privacy Rule does not affect other policies, such as FMLA or Workers’ Compensation
Know when and how to contact Privacy Officer or other designated staff
Important! Managers and Supervisors must be aware of Privacy Rule and how to comply.!
20
HIPAA Privacy Rule
How Are Managers Affected?
Examples—Unless authorized, managers and supervisors may not: Discuss specific health care claims with the carrier Discuss the cost or details of claims with anyone Use PHI for employment-related actions (hiring, firing,
promoting)
Important! Only certain Human Resources staff members may use/disclose PHI. Even then, the
employee must sign a specific authorization for any “non-routine” use or disclosure.
Protecting Individual Health Information
Part 3Overview of Employee Rights
22
HIPAA Privacy Rule
Privacy Rights Notice
Employees/participants must receive a Notice of Privacy Rights Summarizes rights to access/control PHI Your Privacy Notice will describe your rights under the
Privacy Rule
23
HIPAA Privacy Rule
Employee Rights
Right to inspect and copy PHI Must request in writing Request can be denied for certain reasons
Right to amend PHI Health plan has 60 days to act on request
Right to request list of PHI disclosures Except for treatment, payment of medical expenses or
normal operation of the plan Plan only needs to disclose last six years of PHI and not
earlier than April 14, 2004 Must be in writing and specify details
24
HIPAA Privacy Rule
Employee Rights (cont’d)
Right to limit disclosure• Except for treatment, payment of medical expenses or
normal operation of the plan Right to file complaints
Written complaints to HHS Follow our established process for handling complaints We MAY NOT penalize or retaliate against employees
who file complaints
25
HIPAA Privacy Rule
HIPAA Scenarios
Scenario #1Employee-Based Disclosure
John and Fred are peers, both working in production for a widget manufacturing company. They are having coffee in the break room, when John tells Fred, “I just found out I have cancer, and I’m pretty worried about keeping my job if I have to take time off to have treatment.” Later, Fred tells a co-worker (in confidence), who passes it on to his supervisor and several other employees of the company.
Was John’s right to privacy violated? Does he have a cause of action against the employer or health plan? Why or Why not? What are the proper steps to be taken?Now that the supervisor knows, what should he or she do with the information?
26
HIPAA Privacy Rule
HIPAA Scenarios
Scenario #2Birth Announcement
The Paper Company typically sends out a broadcast announcement to all employees whenever a new baby is born to one of their employees. Vital statistics are given, including name, gender, and weight of the baby, along with health status (such as “Mom and baby are doing fine,” or “Baby is still in the hospital due to low birth weight, but Mom is home and doing well”).
Is disclosure of the birth Protected Health Information under HIPAA? Why or why not?What about the status of Mom’s and Baby’s health?
27
HIPAA Privacy Rule
HIPAA Scenarios
Scenario #3FMLA-Leave Based Disclosure
Patty’s assistant, Maria, tells her in confidence that she needs to take several weeks off to take care of her mother, who has been diagnosed with a serious health condition. Patty verbally grants Maria’s request for time off. While Maria is on leave, Patty begins passing work to other employees in the department, asking them to help out. She innocently discloses information about the reason for Maria’s leave to employees who question the reason for the added workload.
What should Patty have done first in this situation?Is Maria’s mother’s health situation protected? Why or why not?What should/shouldn’t Patty tell other employees about Maria’s situation?When the Privacy Official is made aware of the situation, what should he/she do?
28
HIPAA Privacy Rule
HIPAA Scenarios
Scenario #4Vendor Disclosure
White Widgets provides employees with medical coverage under a self-insured health plan. Claims are paid by Fred’s TPA.Mary, a claims examiner for Fred’s TPA is processing claims when she sees that Jeff, a key employee of White Widgets, is being treated for HIV. She is best friends with Joan, who works for Jeff in his office. At dinner that evening, she asks Joan how Jeff is doing since he has undergone treatment. Joan was unaware of the situation and had no need to know for plan operation purposes. The next day, she informed Jeff and Human Resources that confidentiality has been violated.
What should the Privacy Official of White Widgets do?What are the TPA’s responsibilities in light of the breach of privacy?What are the potential penalties that could be assessed against the Plan, the Privacy Official, and/or the TPA?
29
HIPAA Privacy Rule
HIPAA ScenariosScenario #5“Innocent” Disclosure
Barb works in Human Resources. Tom calls Barb and tells her that he needs help with a claim issue. She has Tom sign an authorization form allowing her to have access to Personal Health Information for the purpose of resolving the claim.
Barb forwards the request to the Health insurance carrier and then talks with the claims supervisor. She is able to resolve the problem for Tom, but accidentally leaves her notes out in plain view on her desk when she leaves for the evening.
While waiting for a meeting with Barb’s manager, plant manager Joe sits at Barb’s desk, and he reads the information about Tom’s ability to perform based on that health information, and tells her where he got the information.What should Barb’s manager do in this situation?What should the Privacy Official do?
30
HIPAA Privacy Rule
HIPAA Scenarios
Scenario #6Intentional Disclosure for Gain
Joe’s TPA pays claims for 1,000 employers, covering 150,000 employees in the state of Minnesota. They have been losing market share and need to boister their revenues. They have been approached by a company that manufactures a product aimed at treatment of a specific health condition, and sell to that company a list of subscribers who have had treatment for that condition. Those subscribers receive phone calls and mailings form the manufacturer, attempting to sell their product.
Are the individual employer-sponsored plans liable for this disclosure by their business associate (Joe’s TPA)?What are the penalties for this type of disclosure?What should the Privacy Official do when he/she is made aware of this violation of privacy standards?
31
HIPAA Privacy Rule
HIPAA Scenario Summary
Scenario1 -Privacy not violated voluntarily disclosed information. -Does not have cause of action.-Supervisor should talk with HR and Privacy Officer.
Scenario 2-Could be under HIPAA if the information came from the health plan.-Employee has to request to disclose the information and should provide a disclaimer.
Scenario 3-Contact HR. Not a protected health situation. (Patty should have contacted HR before authorizing leave.)-Privacy Officer should educate.
32
HIPAA Privacy Rule
HIPAA Scenario SummaryScenario 4-Privacy Officer should contact TPA supervisor, review BAA agreement with TPA, implement established sanctions against Mary.-TPA must disclose breach to plan. -TPA may face civil penalties and individual(s) involved could face criminal penalties and the contract could be terminated.
Scenario 5- Document the disclosure and educate Barb and manager.- Reinforce education.
Scenario 6-Employer plan is not responsible if it has Business Associate Agreement in place (Depending on “indemnification” provision of BAA.) -TPA may face civil penalties and the individual(s) involved could face criminal penalties.- Report the violation to HHS.
33
HIPAA Privacy Rule
It’s Important To Know That…
This presentation provides an overview of the HIPAA Privacy Rule and broadly describes how this regulation will affect how the college handles employee health information from our health care plans. This information is not intended to provide all of the details of the HIPAA Privacy Rule or of the college’s policies and procedures.
This presentation also does not constitute legal advice. If there is any discrepancy between the provisions of the HIPAA Privacy Rule and the material in this presentation, the terms of the HIPAA Privacy Rule will govern in all cases.