1. HIPAA Health Insurance Portability and Accountability Act of 1996
Sales Agent Training

2. HIPAA
Federal Regulation issued by Department of Health and Human Services (HHS), Standards for Privacy of Individually Identifiable Health Information
Effective April 14, 2003
Designed to protect an individual’s information from being improperly used or disclosed to unauthorized entities or individuals
Enforced by the Office for Civil Rights

3. Health Information Technology for Economic and Clinical Health Act (HITECH)
American Recovery and Reinvestment Act of 2009 (ARRA) and Health Information Technology for Clinical and Economic Health Act (HITECH)
Added new marketing and fundraising restrictions and prohibition on sale of PHI
Set higher standards and penalties for Business Associates (BA’s)
Increased penalties for HIPAA violations
Added data breach notification requirements

4. Who is covered by HIPAA?
Covered Entities and their Business Associates (BAs)
BAs are entities that perform functions or provide services to PUP and create, use or have access to a PUP Member’s PHI
PUP is a Covered Entity
FMOs/sales agencies are PUP’s BAs
Note: Under HITECH, BAs are held to same standards as Covered Entities.

5. Business Associates (BAs)
Entities that perform a function on PUP’s behalf, or provide a service to PUP and create, use or have access to a PUP member’s PHI
BAs must comply with the HIPAA Privacy and Security Rule
BAs must protect the PHI that PUP provides or the PHI they create/collect
BAs must sign a HIPAA BA Agreement
BAs must provide HIPAA training to their own employees, agents and subcontractors
BAs must report data breaches to PUP
BAs are subject to civil and criminal penalties

6. HIPAA Privacy & Security Officers
HIPAA requires PUP to appoint a HIPAA Privacy and Security Officer to:
ensure that PUP complies with the HIPAA Privacy and Security Rule
ensure PUP has safeguards in place to prevent members’ PHI (including ePHI) from inadvertent uses and disclosures.
PUP’s HIPAA Privacy Officer is: Lakesia Mosley
PUP’s HIPAA Security Officer is: Satya Tottappillil

7. Member Rights under HIPAA
HIPAA gives patients a right to:
File a Privacy complaint
Access to their records
Ask for an Amendment to their records
Special Restriction on disclosure/use of PHI
Accounting of Disclosure of their PHI (to whom we disclosed their PHI)
*If you receive any of these requests, immediately forward these requests to PUP’s Privacy Officer.

8. Protected Health Information (PHI)
Any information (e.g., information on an enrollment application) PUP collects from a member that is transmitted or maintained in any form (verbally, electronically or paper).
Relates to the past, present or future physical or mental health or condition of an individual
Identifies the individual
Examples of PHI: Member’s name, address, telephone number, address, policy number, HIC number, date of birth, etc.

9. Disclosures of PHI
If a member asks you for claims, enrollment, prior authorization, etc. information, or
If someone other than member (e.g., member’s son or neighbor) asks for information about the member
Ask them to call PUP’s Member Services at 1-(866)

10. Fax Transmissions Fax machines may be used to transmit and receive PHI
Best Practices to safeguard PHI:
Pre-program destination numbers to reduce potential errors in misdialing
Confirm the accuracy of the fax number before pressing start/send
Print a confirmation page for each fax transmission
Include a completed fax cover page with every fax
Do not let faxes sit at a shared fax machine unattended

11. Emails All emails must be encrypted. Practice Safe Email
Do not open, forward, or reply to suspicious s
Do not open suspicious attachments or click on unknown website addresses
NEVER provide your username and password to an request
Delete spam and empty the “Deleted Items” folder

12. Proper Disposal of PHI Best practices for disposing of PHI:
Paper: shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed
All documents containing PHI must be shredded

13. Equipment Security
Do Not leave your laptop, iPad or phone in your automobile
USB memory sticks must be encrypted
Laptops, iPads, phones must be guarded at all times
Never share Company equipment with family or friends
Lock your portable device with an access code.
Report loss or theft of equipment immediately to PUP

14. Password Security Use a Str0ng Pa55w0rd
Don’t use familiar dates, names, dictionary words.
Use symbols, numbers, caps (think vanity plate) “1-hat3-Mean-pe0pl3”
Don’t share passwords or use the same password across applications
Change your passwords often

15. Remote Access Security
When using your home/shared PC, you must:
Have up-to-date security patches and anti-virus software
Not share passwords
Log off computer when not in use
Restart a shared PC (i.e. at a hotel/conference)
Be careful of “Public” networks
Watch for shoulder surfing
Never download ePHI

16. A Data Breach is…
An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

17. Breach Notification
Covered Entities must notify each person whose unsecured PHI is disclosed in a breach ASAP/within 60 days If an inadvertent data breach involves >500 Members, PUP has to notify the media and report to HHS If an inadvertent data breach involves <500 Members, PUP has to file an annual report with HHS

18. Breach Statistics
Over 450 breach incidents listed on HHS website. Most involve theft or loss of laptops and portable devices.

19. Reporting a Privacy Violation or Potential Breach
PUP’s policy requires all PUP employees and BA’s to report all privacy violations and potential breaches to the PUP Privacy Officer immediately.

20. Federal Sanctions
Tier A (offenders did not realize they violated the Act)
Minimum per violation: $100
Maximum per calendar year: $25,000
Tier B (violations due to “reasonable cause”)
Minimum per violation: $1,000
Maximum per calendar year: $50,000
Tier C (violations due to willful neglect but the company corrected)
Minimum per violation: $10,000
Maximum per calendar year: $250,000
Tier D (violations due to willful neglect and the company did not correct)
Minimum per violation: $50,000
Maximum per calendar year: $1.5 million

21. State Sanctions
HITECH also gave states the authority to sue companies for HIPAA violations
Connecticut Attorney-General sued Health Net of Connecticut in 2009 after it lost a computer disk drive with PHI of 446,000 members and delayed notifying members for 6 months

22. Recent Cases
March 2012: Blue Cross Blue Shield of Tennessee fined $1.5 million for 57 unencrypted computer hard drives stolen from a leased facility. The drives contained PHI for over 1 million individuals.
January 2012: Georgia Health Sciences University had to notify 513 patients of a laptop theft that contained PHI. The laptop was not secured in accordance with HITECH.
April 2011: Mass. General Hospital paid $1 million because an employee took work home and left documents on a subway train that included billing and medical records of 192 patients.

23. Reporting HIPAA Violations
HIPAA Privacy Officer: Lakesia Mosley
Via Telephone:
Office: ext
Cell:
Via
To report anonymously to PUP Hotline:

24. Scenario 1
I faxed an Enrollment Application to the wrong fax number. What should I do?
Immediately report the incident to PUP’s Privacy Officer.
Via telephone:
Office: ext
Cell:
Via

25. Scenario 2
I had some completed applications in my car and my car was stolen. Who should I report this to?
Immediately report the incident to the PUP Privacy Officer (and the police). Office: ext Cell: Via

26. Scenario 3
I received a phone call from a member’s daughter requesting a copy of her mother’s claim. What should I do?
Give the daughter PUP’s Member Services Department telephone number to call (866)

27. Scenario 4
I use my iPad and laptop to store PUP member information and they were stolen. What should I do?
Immediately report the incident to the PUP Privacy Officer. Via telephone: Office: ext Cell: Via

28. Acting Compliance Officer
Questions?
Lakesia Mosley
HIPAA Privacy Officer
Acting Compliance Officer
ext (Office)
(Cell)
(Fax)

29. Resources http://www.hhs.gov/hipaafaq/ (DHHS FAQs)
(CMS FAQs)
(Office for Civil Rights)
Office for Civil Rights, DHHS toll free number
(American Health Information Management Association)