
Protecting PHI & PII 12/30/2017 6:45 AM


1 Protecting PHI & PII 12/30/2017 6:45 AM

2 What are PHI & PII?
PHI: Protected Health Information
- Identified individual + health information = PHI
- Health information = the fact that someone is applying for coverage and/or enrolled in a particular plan.
PII: Personally Identifiable Information
- Individual’s first or last name in combination with one or more of the following: Social Security Number, Driver’s License #, State ID card #, Account #, Credit/Debit Card # in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

3 HIPAA Privacy & Security
HIPAA: Health Insurance Portability and Accountability Act
- HIPAA Privacy Rule – dictates use & sharing of PHI/PII
- HIPAA Security Rule – dictates how PHI should be maintained, used, transmitted, and disclosed electronically.
If member information is disclosed to an unintended recipient, the carrier’s Privacy Office may have to:
- Notify the member
- Post the disclosure on the Health and Human Services (HHS) website
- Notify the media
Additionally, individuals may be criminally liable for intentional disclosures.
If you become aware of inappropriate PHI/PII disclosure, it must be reported within 24 hours of discovery.
PHI/PII can be in any form: oral, written, or electronic.

4 Examples of PHI/PII Disclosures
- Leaving hard copy documents behind at a marketing/sales activity
- Faxing documents with PHI to an incorrect fax number
- Mailing documents with PHI to an incorrect address
- Lost/stolen hard copy documents (Enrollment Applications)
- Stolen unencrypted computers
- Sending an email with PHI to an incorrect address

5 How to Report a Security Breach
- Immediately notify the carrier’s Privacy Office & the Berwick Compliance Department.
- Report thefts to local law enforcement.
- Do not investigate. Wait for further instructions from the carrier’s Privacy Office.
- Retain all documents.

6 PHI/PII Guidelines
- Carry only the minimum amount of hard copy documents to complete the day’s activities.
- Keep documents with you at all times – don’t leave them in your car!
- Store documents in a locked briefcase when in transit.
- Do not discuss client information in public areas, including restaurants and elevators.
- Ensure all laptops and/or portable devices that might contain PHI/PII are protected by encryption software.
- Always use a fax cover sheet with a HIPAA privacy statement when faxing PHI/PII.

7 Protecting Electronic Information
All electronic devices that contain PHI/PII must be protected in accordance with the following standards:
- Full disk (user data, OS, temporary files, erased files)
- Advanced Encryption Standard (AES) 256-bit
- Pre-boot authentication
See your local electronics retailer for specific programs appropriate for your machine/device.
See your mobile phone service provider for information on how to encrypt your cell phone. It may be as easy as changing a few settings!

8 Protecting Hard Copy Information
- Store documents containing PHI or confidential information in a locked file cabinet.
- Retain only the minimum necessary documents to conduct your business or that are required based on retention regulations and/or policies.
- Shred any document containing PHI or confidential information prior to disposing.
- Do not share your file cabinet keys or passwords with family or friends.
- Printing Stations – At end of day, printing stations should be reviewed to ensure documents containing confidential information or PHI do not remain there.
- Destruction – Confidential documents and/or PHI that are not utilized must be disposed of in a locked destruction bin or shredded daily.

9 General Best Practices
- Do not store PHI on mobile devices or flash drives. This includes taking pictures of Medicare ID cards.
- When disposing of equipment that may contain PHI or confidential information, it must be overwritten, demagnetized or destroyed. This includes copiers, fax machines and laptops.
- Don’t text identifying or confidential information.
- Keep laptops, notebooks, tablet computers and documents with you at all times – never leave them in your car.
- Be careful with discussions in public areas. Never discuss PHI in public places.
- When confirming appointments, take note of your surroundings before repeating back any address or other personal information.
- If using a laptop, take care that your screen and work are not viewable by others. Consider using a privacy screen.

10 Questions?
Call: 888-745-2320
compliance@berwickinsurance.com

