Presentation on theme: "HIPAA Health Insurance Portability and Accountability Act of 1996"— Presentation transcript:
1 HIPAA: Health Insurance Portability and Accountability Act of 1996
Sales Agent Training

2 HIPAA
Federal regulation issued by the Department of Health and Human Services (HHS): Standards for Privacy of Individually Identifiable Health Information
Effective April 14, 2003
Designed to protect an individual's information from being improperly used or disclosed to unauthorized entities or individuals
Enforced by the Office for Civil Rights (OCR)

3 Health Information Technology for Economic and Clinical Health Act (HITECH)
The American Recovery and Reinvestment Act of 2009 (ARRA) included the Health Information Technology for Economic and Clinical Health Act (HITECH), which:
Added new marketing and fundraising restrictions and a prohibition on the sale of PHI
Set higher standards and penalties for Business Associates (BAs)
Increased penalties for HIPAA violations
Added data breach notification requirements

4 Who is covered by HIPAA?
Covered Entities and their Business Associates (BAs)
PUP is a Covered Entity
BAs are entities that perform functions or provide services to PUP and create, use or have access to a PUP member's PHI
FMOs/sales agencies are PUP's BAs
Note: Under HITECH, BAs are held to the same standards as Covered Entities.

5 Business Associates (BAs)
Entities that perform a function on PUP's behalf, or provide a service to PUP, and create, use or have access to a PUP member's PHI
BAs must comply with the HIPAA Privacy and Security Rules
BAs must protect the PHI that PUP provides and the PHI they create or collect
BAs must sign a HIPAA BA Agreement
BAs must provide HIPAA training to their own employees, agents and subcontractors
BAs must report data breaches to PUP
BAs are subject to civil and criminal penalties

6 HIPAA Privacy & Security Officers
HIPAA requires PUP to appoint a HIPAA Privacy Officer and a HIPAA Security Officer to:
ensure that PUP complies with the HIPAA Privacy and Security Rules
ensure PUP has safeguards in place to prevent inadvertent uses and disclosures of members' PHI (including ePHI)
PUP's HIPAA Privacy Officer is: Lakesia Mosley
PUP's HIPAA Security Officer is: Satya Tottappillil

7 Member Rights under HIPAA
HIPAA gives patients the right to:
File a privacy complaint
Access their records
Ask for an amendment to their records
Request special restrictions on the use or disclosure of their PHI
Receive an accounting of disclosures of their PHI (to whom we disclosed their PHI)
*If you receive any of these requests, immediately forward them to PUP's Privacy Officer.

8 Protected Health Information (PHI)
Any information (e.g., information on an enrollment application) PUP collects from a member that is transmitted or maintained in any form (verbal, electronic or paper) and that:
Relates to the past, present or future physical or mental health or condition of an individual, and
Identifies the individual
Examples of PHI: member's name, address, telephone number, email address, policy number, HIC (Medicare Health Insurance Claim) number, date of birth, etc.

9 Disclosures of PHI
If a member asks you for claims, enrollment, prior authorization, etc. information, or
If someone other than the member (e.g., the member's son or neighbor) asks for information about the member:
Ask them to call PUP's Member Services at 1-(866)

10 Fax Transmissions
Fax machines may be used to transmit and receive PHI.
Best practices to safeguard PHI:
Pre-program destination numbers to reduce the potential for misdialing
Confirm the accuracy of the fax number before pressing start/send
Print a confirmation page for each fax transmission
Include a completed fax cover page with every fax
Do not let faxes sit unattended at a shared fax machine

11 Emails
All emails must be encrypted.
Practice safe email:
Do not open, forward, or reply to suspicious emails
Do not open suspicious attachments or click on unknown website addresses
NEVER provide your username and password in response to an email request
Delete spam and empty the "Deleted Items" folder

12 Proper Disposal of PHI
Best practices for disposing of PHI:
Paper: shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed
All documents containing PHI must be shredded

13 Equipment Security
Do not leave your laptop, iPad or phone in your automobile
USB memory sticks must be encrypted
Laptops, iPads and phones must be guarded at all times
Never share Company equipment with family or friends
Lock your portable device with an access code
Report loss or theft of equipment immediately to PUP

14 Password Security
Use a Str0ng Pa55w0rd:
Don't use familiar dates, names, or dictionary words
Use symbols, numbers and capitals (think vanity plate), e.g. "1-hat3-Mean-pe0pl3"
Don't share passwords or use the same password across applications
Change your passwords often

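A checker for the rules on this slide, added here as an example; it is not part of the PUP training deck. The word list, the leet-substitution table, the minimum length of 12 and the sample passwords are all constructed for the example, and a real deployment would load a full dictionary and a breached-password list. Password crackers apply the same digit-for-letter substitutions as rules, so the checker undoes them before the dictionary lookup; that is why the slide's own vanity-plate example passes the length and character-mix rules but is still flagged for the words it is built from, which is the caveat to keep in mind when coaching agents on this rule.

```python
import re

# Constructed word list for the example; a real deployment would load a full
# dictionary and a breached-password list.
COMMON_WORDS = {
    "password", "welcome", "summer", "winter", "dragon", "letmein",
    "hate", "mean", "people", "company", "sales", "agent",
}

# Digit/symbol-for-letter substitutions that cracking rule sets undo.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy value; the slide gives no number


def normalize_leet(pw):
    """Lower-case and undo common leet substitutions: '1-hat3' -> 'i-hate'."""
    return pw.lower().translate(LEET_MAP)


def dictionary_word(pw, min_word_len=4):
    """Return the first dictionary word found after normalization, else None."""
    for token in re.split(r"[^a-z]+", normalize_leet(pw)):
        if len(token) >= min_word_len and token in COMMON_WORDS:
            return token
    return None


def date_like(pw):
    """Return a digit run that looks like a year (1900-2099) or MMDDYY(YY), else None."""
    for run in re.findall(r"\d{4,8}", pw):
        if len(run) == 4 and 1900 <= int(run) <= 2099:
            return run
        if len(run) in (6, 8):
            mm, dd = int(run[:2]), int(run[2:4])
            if 1 <= mm <= 12 and 1 <= dd <= 31:
                return run
    return None


def character_classes(pw):
    """Count how many of lower, upper, digit and symbol appear in the password."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def check_password(pw, previous=()):
    """Return the list of slide rules the password breaks; an empty list means acceptable.

    `previous` is the set of passwords already used on other applications,
    which enforces the no-reuse rule."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if character_classes(pw) < 3:
        problems.append("needs three of: lower, upper, digit, symbol")
    word = dictionary_word(pw)
    if word:
        problems.append(f"dictionary word: {word}")
    run = date_like(pw)
    if run:
        problems.append(f"date-like number: {run}")
    if pw in previous:
        problems.append("reused across applications")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the slide's own example.
    for candidate in ("Summer2012!", "1-hat3-Mean-pe0pl3", "Vanity-plate-W1nd0w-77X"):
        print(candidate, "->", check_password(candidate) or "OK")
```

"Summer2012!" fails three rules at once (short, a season name, a year), the slide's "1-hat3-Mean-pe0pl3" is long and mixed but normalizes to "i-hate-mean-people", and a longer phrase built from uncommon words with the same substitutions passes. The reuse rule can only be checked against a stored history of earlier passwords, which is why the function takes `previous` as an argument rather than inferring it.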
15 Remote Access Security
When using your home/shared PC, you must:
Have up-to-date security patches and anti-virus software
Not share passwords
Log off the computer when not in use
Restart a shared PC (e.g. at a hotel/conference) when you are finished with it
Be careful of "public" networks
Watch for shoulder surfing
Never download ePHI

16 A Data Breach is…
An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

17 Breach Notification
Covered Entities must notify each individual whose unsecured PHI is disclosed in a breach without unreasonable delay, and no later than 60 days after the breach is discovered
If a breach involves 500 or more members, PUP must also report it to HHS at the same time it notifies the individuals; if more than 500 of them live in one state or jurisdiction, PUP must also notify prominent media outlets serving that area
If a breach involves fewer than 500 members, PUP logs it and files an annual report with HHS

18 Breach Statistics
Over 450 breach incidents are listed on the HHS website. Most involve theft or loss of laptops and portable devices.

19 Reporting a Privacy Violation or Potential Breach
PUP's policy requires all PUP employees and BAs to report all privacy violations and potential breaches to the PUP Privacy Officer immediately.

20 Federal Sanctions (civil money penalty tiers under HITECH)
Tier A (the offender did not know, and with reasonable diligence would not have known, that they violated the Act): minimum $100 per violation, maximum $25,000 per calendar year
Tier B (violation due to "reasonable cause", not willful neglect): minimum $1,000 per violation, maximum $100,000 per calendar year
Tier C (violation due to willful neglect, but corrected within 30 days): minimum $10,000 per violation, maximum $250,000 per calendar year
Tier D (violation due to willful neglect and not corrected): minimum $50,000 per violation, maximum $1.5 million per calendar year

21 State Sanctions
HITECH also gave state attorneys general the authority to sue companies for HIPAA violations
The Connecticut Attorney General sued Health Net of Connecticut after it lost a portable disk drive in 2009 containing the PHI of about 446,000 members and delayed notifying them for six months

22 Recent Cases
March 2012: Blue Cross Blue Shield of Tennessee paid $1.5 million to settle with HHS after 57 unencrypted computer hard drives were stolen from a leased facility. The drives contained PHI for over 1 million individuals.
January 2012: Georgia Health Sciences University had to notify 513 patients of the theft of a laptop that contained PHI. The laptop was not secured in accordance with HITECH.
April 2011: Massachusetts General Hospital paid $1 million because an employee took work home and left documents on a subway train that included billing and medical records of 192 patients.

24 Scenario 1
I faxed an Enrollment Application to the wrong fax number. What should I do?
Immediately report the incident to PUP's Privacy Officer.
Via telephone: Office: ext. Cell:
Via email:

25 Scenario 2
I had some completed applications in my car and my car was stolen. Who should I report this to?
Immediately report the incident to the PUP Privacy Officer (and the police).
Via telephone: Office: ext. Cell:
Via email:

26 Scenario 3
I received a phone call from a member's daughter requesting a copy of her mother's claim. What should I do?
Give the daughter PUP's Member Services Department telephone number to call: (866)

27 Scenario 4
I use my iPad and laptop to store PUP member information and they were stolen. What should I do?
Immediately report the incident to the PUP Privacy Officer.
Via telephone: Office: ext. Cell:
Via email: