1. April 20031 Privacy, Confidentiality and YOU! Putting the pieces together HIPAA

2. April 20032 HIPAA Overview HIPAA is an abbreviation for Health Insurance Portability and Accountability Act of 1996. Two of HIPAAs main goals are to: Make health insurance more portable when persons changed employers, and Make the health care system more accountable for costs and try to reduce waste and fraud.

3. April 20033 HIPAA Overview HIPAA has four associated regulations or "rules": 1. Standardized formats for all electronic data (computer-to-computer) information exchanges (EDI) referred to as the "transactions standard" 2. Standardized "identifiers" for health providers and health plans 3. Information system security standards 4. Privacy standards also referred to as the HIPAA Privacy Rule

4. April 20034 The Privacy Rule limits how protected health information(PHI) is shared, prevents employers from using PHI in employment decisions, and requires employers and covered entities to establish safeguards for handling PHI.

5. April 20035 Protected Health Information Identifies people very specifically; can be electronic, paper or verbal; and must relate to a persons health condition, care, or payment for care.

6. April 20036 Protected Health Information The Privacy Rule is the first comprehensive federal protection regulation implemented to safeguard private health information. The Rule creates national standards to protect the medical records and other personal health information of individuals.

7. April 20037 The Privacy Rule limits both the use and disclosure of PHI. Use refers to what is done with PHI inside an entitys organization. Disclosure means that PHI is given out to an external entity for use. Use and Disclosure

8. April 20038 Covered Entities Health Plans Health Care Clearinghouses Health Care Providers Employers are not covered entities but have a responsibility to protect the health information of the health plan members

9. April 20039 Covered Entities-Health Plans GROUP HEALTH PLAN HEALTH INSURANCE ISSUER MEDICARE MEDICAID LONG TERM CARE PLAN MULTIPLE EMPLOYER PLAN APPROVED STATE CHILD HEALTH CARE PLAN VETERANS PLAN FEHBP MEDICARE PLUS CHOICE PLANS OTHER INDIVIDUAL OR GROUP PLANS

10. April 200310 Covered Entities-Health Plans Medical Reimbursement Accounts Wellness Programs Employee Assistance Programs (EAP) that provide direct counseling services Mental Health and substance abuse programs

11. April 200311 Covered Entities-Health Plans Life AD&D Disability Workers Compensation The following do not qualify as group health plans and are not subject to HIPAA

12. April 200312 Health Plan for State and Local Employees Health Plan State Health Plan The Local Choice Program OHB Representatives of the Health Plan Agencies and Local Employers Benefit Administrator (Employer Representative) Plan Members

13. April 200313 OHBs Responsibilities Adopt written privacy policies Train employees involved in handling protected information Designate a privacy officer responsible for ensuring the procedures are followed Establish a grievance process

14. April 200314 OHB may use or disclose Protected Health Information(PHI) : For treatment, payment, or health care operations (TPO), without the individuals authorization; For non-routine purposes only with the individuals authorization; or To the individual involved. OHBs Responsibilities

15. April 200315 Treatment includes the coordination and management of an individuals health care. Payment includes coverage, eligibility, COB and utilization reviews. Operation includes underwriting, rating, audits and most disease management programs. TPO

16. April 200316 Protected Health Information Some Acceptable uses of PHI for OHB personnel: Helping employees with claims Case management Billing Underwriting/premium rating Legal, auditing or actuarial services Fraud/abuse detection

17. April 200317 Benefit Administrator Responsibilities Assist With Claim and Eligibility Problems Members, Family, Personal Representatives, Close Friend Prove They Have Prior/First Hand Knowledge of Treatment or Claim No Authorization Required Minimum Necessary Requirements Apply

18. April 200318 Minimum Necessary Rule Minimum necessary means that you only disclose the specific PHI that is necessary to satisfy a particular need or request.

19. April 200319 Benefit Administrator Responsibilities Assistance with an Appeal Provide Adequate Safeguards for Members PHI Provide a copy of the Notice of Privacy Practices to all new hires upon enrollment in the health plan All other requests involving PHI should be referred to OHBs Privacy Officer.

20. April 200320 Individual Authorization Authorization is a document that gives permission to use or disclose specific PHI for a non-routine purpose.

21. April 200321 Protected Health Information Some Non-Acceptable uses of PHI: Using health plan data to suspend employee for substance abuse Using health plan data (without employee authorization) to confirm need for FMLA

22. April 200322 Protected Health Information Some Non-Acceptable uses of PHI: Openly discussing or providing individual health plan information with employees not designated to handle PHI (i.e., discussing individual claims expenses at management meetings, or providing representatives with medical plan data to resolve grievances) without employee authorization

23. April 200323 Protected Health Information The following would not be considered PHI FMLA or sick leave requests Substance abuse screening results Pre-employment physicals or fitness for duty results Workers Compensation claims Disability Plan claims, ADA accommodations or disability retirements

24. April 200324 Protected Health Information Generally, employment records are not considered PHI. PHI records should be kept totally separate from employment records

25. April 200325 Members Rights Right to inspect and copy Right to amend Right to an accounting of disclosures Right to request restrictions Right to request confidential communications Right to a copy of the notice

26. April 200326 Members Rights Employees or plan participant can always request their own information or authorize release of their PHI to others on their behalf.

27. April 200327 Members Rights Employees or participants who feel that their rights have been violated may file a complaint in writing. The Privacy Rule states that employees may not be retaliated against for filing a complaint.

28. April 200328 Practical Tips for Safeguarding PHI Dont leave confidential data unattended or visible to passersby Be careful with faxed claims data

29. April 200329 Practical Tips for Safeguarding PHI Close all employee/member information at workstations following the completion of an inquiry Shred - never recycle - anything containing PHI

30. April 200330 Practical Tips for Safeguarding PHI Secure all daily work in locked drawers and/or cabinets Protect secured areas - never loan your key

31. April 200331 Practical Tips for Safeguarding PHI Oral communication Speak quietly when discussing an employees PHI in public areas Avoid the use of names or other identifying information in conversations whenever possible Designate "quiet areas" for PHI exchange (i.e., in private office or conference room with door closed)

32. April 200332 Practical Tips for Safeguarding PHI Copying and printing Sensitive information should not be sent to remote printers or photocopiers where access is uncontrolled and the sender is not present to keep track of the output Do not dispose of PHI in open wastebaskets or recycle containers; instead shred or otherwise destroy before discarding

33. April 200333 Practical Tips for Safeguarding PHI Telephone use Conversations regarding PHI should be conducted where they cannot be overheard, if at all possible (i.e., in private offices or conference rooms with door closed) The other person's identity should be confirmed Only names and callback numbers should be left on answering machines and voicemail systems if a called party cannot be reached Sensitive information should never be left on the answering machine or voicemail device

34. April 200334 Practical Tips for Safeguarding PHI Facsimile (fax) use is not considered an "electronic transmission" under HIPAA and the Privacy Rule does not address facsimile transmission directly. Still, faxing practices for PHI must be compatible with the HIPAA privacy regulations. Tips include: Place the fax machine(s) you will use to transmit PHI in a secure location (or be sure that someone designated to handle PHI is present during the fax transmission to ensure PHI is secure during transmission)

35. April 200335 Practical Tips for Safeguarding PHI Fax Machines (cont) Do not send PHI to unattended fax machines, or where the physical security of the receiving system is unknown Send faxes about PHI only to known locations, where the physical security and monitoring practices of the receiving fax machine are known

36. April 200336 Practical Tips for Safeguarding PHI Fax Machines (cont) Rely on preprogrammed (and tested) fax numbers set on the sending machine, to reduce dialing errors Include a "confidentiality request" that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors

37. April 200337 Practical Tips for Safeguarding PHI E-mail Use Avoid using e-mail for exchange of PHI; however, HIPAA does not ban the practice. It is safer to convey information over the phone than via unencrypted email If electronic mail is used to disclose PHI, copies of the messages should be kept as part of the records retention process Include a "confidentiality request" that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors

38. April 200338 Practical Tips for Safeguarding PHI Confidentiality Statement: The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individuals or entities listed above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.

39. April 200339 Federal Enforcer Department of Health and Human Services (HHS), Office of Civil Rights enforces the HIPAA Privacy Rules

40. April 200340 Penalties Civil Penalties – $100 per incident up to $25,000 per person, per year, per standard Federal criminal penalties – Knowingly and improperly disclosing information; up to $50,000 and one year in prison; Obtaining information under false pretenses; up to $100,000 and five years in prison Obtaining protected information with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm; up to $250,000 and 10 years in prison

41. April 200341 Quick Refresher What law established the Privacy Rule? a. ERISA b. HIPAA c. Privacy Act of 2003 d. Taft-Hartley b. HIPAA When does the Privacy Rule take effect? a.April 14, 2003 b.April 15, 2004 c.January 1, 2004 a. April 14, 2003

42. April 200342 Quick Refresher The Privacy rule is intended to: a. Prevent inappropriate use of certain employee health information b. Give employees greater control their health records c. Restrict employers from using PHI in making employment decisions d.All of the above

43. April 200343 Quick Refresher A Business Associate is a Covered Entity a.True b.False Which of these is not a health plan under the Privacy Rule? a. Long term disability (LTD) plan b. Health care FSA c. Vision plan d. HMO b. False a. Long term disability (LTD) plan

44. April 200344 Quick Refresher Penalties for not complying with the Privacy Rule include: a. Big fines b. Jail time c. Fines for not complying with State/other laws d. All of the above Who enforces the Privacy Rule? a. HCFA b. DOL c. ERISA d. HHS d. All of the above d. HHS

45. April 200345 Quick Refresher If a firewall has been created, PHI can be used against an employee in employment decisions a. True b. False The Privacy Rule allows the Company to share PHI with anyone in the Company a. True b. False

46. April 200346 Quick Refresher A health plan may use/disclose PHI without employee authorization for which of the following a. Case management b. To determine payment to health care providers c. To ensure claims are paid appropriately d. All of the above Employees must complete written authorization to access their own health information a. True b. False

47. April 200347 Quick Refresher An employee authorization is valid only if it includes specific details a. True b. False a. True The Company may take PHI from the health plan and use it to administer other plans/policies, such as medical leaves a. True b. False

48. April 200348 This presentation provides an overview of the HIPAA Privacy Rule and broadly describes how this regulation will affect how the Employer handles employee health information from the health care plans. This information is not intended to provide all of the details of the HIPAA Privacy Rule or the Office of Health Benefits policies and procedures.