
April 2003


Presentation Transcript


    1. April 2003 1

    2. April 2003 2 HIPAA Overview HIPAA is an abbreviation for Health Insurance Portability and Accountability Act of 1996. Two of HIPAA’s main goals are to: make health insurance more portable when persons change employers, and make the health care system more accountable for costs and try to reduce waste and fraud.

    3. April 2003 3 HIPAA Overview HIPAA has four associated regulations or “rules”: standardized formats for all electronic data (computer-to-computer) information exchanges (EDI), referred to as the “transactions standard”; standardized “identifiers” for health providers and health plans; information system security standards; privacy standards, also referred to as the “HIPAA Privacy Rule”.

    4. April 2003 4 The Privacy Rule limits how protected health information (PHI) is shared, prevents employers from using PHI in employment decisions, and requires employers and covered entities to establish safeguards for handling PHI.

    5. April 2003 5 Protected Health Information Identifies people very specifically; can be electronic, paper or verbal; and must relate to a person’s health condition, care, or payment for care. Any information relating to: an individual’s past, present or future physical or mental condition; provision of health care to an individual; or payment for health care to an individual, that identifies an individual, or for which there is a reasonable basis to believe it can be used to identify an individual. This individually identifiable health information can be in any form (including electronic, written or oral communications). Includes medical records, claim payments and bills, EOBs, conversations. Can be created or received by a covered entity or employer. Employers usually do not “create” PHI, but may receive and/or maintain PHI when assisting employees with claim resolutions.

    6. April 2003 6 Protected Health Information The Privacy Rule is the first comprehensive federal protection regulation implemented to safeguard private health information. The Rule creates national standards to protect the medical records and other personal health information of individuals.

    7. April 2003 7 The Privacy Rule limits both the use and disclosure of PHI. “Use” refers to what is done with PHI inside an entity’s organization. “Disclosure” means that PHI is given out to an external entity for use.

    8. April 2003 8 Covered Entities: Health Plans, Health Care Clearinghouses, Health Care Providers. Employers are not covered entities but have a responsibility to protect the health information of the health plan members. Covered entities are subject to the HIPAA Privacy Rule. Covered entities under the Privacy Rule include: Health Plans, Health Care Providers and Health Care Clearinghouses. HIPAA Definition of Group Health Plan: “a plan of, or contributed to by, an employer or employee organization to provide health care to the employees, former employees, the employer, other associated or formerly associated with the employer in a business relationship, or their families” The Office of Health Benefits Programs falls into the category of “health plan” so we are subject to the HIPAA regulations. If an employer does not create, receive or maintain protected health information, they are not subject to the HIPAA privacy rules. Employer Benefits Offices that assist employees with claim problems receive/maintain protected health information and therefore have a responsibility to safeguard the information in their possession.

    9. April 2003 9 Covered Entities-Health Plans: GROUP HEALTH PLAN; HEALTH INSURANCE ISSUER; MEDICARE; MEDICAID; LONG TERM CARE PLAN; MULTIPLE EMPLOYER PLAN; APPROVED STATE CHILD HEALTH CARE PLAN; VETERANS PLAN; FEHBP; MEDICARE PLUS CHOICE PLANS; OTHER INDIVIDUAL OR GROUP PLANS. Examples of Health Plans include: GROUP HEALTH PLAN (OHB); HEALTH INSURANCE ISSUER (KAISER); LONG TERM CARE PLAN (AETNA); APPROVED STATE CHILD HEALTH CARE PLAN (FAMIS).

    10. April 2003 10 Covered Entities-Health Plans: Medical Reimbursement Accounts; Wellness Programs; Employee Assistance Programs (EAP) that provide direct counseling services; Mental Health and substance abuse programs. Other plans/programs that meet the HIPAA definition of “Health Plan” include CommonHealth.

    11. April 2003 11 Covered Entities-Health Plans Life AD&D Disability Worker’s Compensation

    12. April 2003 12 Health Plan for State and Local Employees Health Plan State Health Plan The Local Choice Program OHB Representatives of the Health Plan Agencies and Local Employers Benefit Administrator (Employer Representative) Plan Members The parties who may have access to PHI and therefore are involved in the administration/application of the Privacy Rule include: the Health Plan, which consists of the State Health Plan, the TLC Program and the staff members of the Office of Health Benefits; Employers: State Agencies and Local Employer Groups, including the Benefits Administrators who assist the employees and members in claim resolutions; and Plan Members.

    13. April 2003 13 OHB’s Responsibilities: Adopt written privacy policies; train employees involved in handling protected information; designate a privacy officer responsible for ensuring the procedures are followed; establish a grievance process. The Office of Health Benefits has responsibilities required by the Privacy Rule. They include adopting written privacy policies, training employees involved in handling protected information, designating a privacy officer responsible for ensuring the procedures are followed and establishing a grievance process. They have to be sure agreements are in place with the contractors, and monitor the member’s rights under the Privacy Rule.

    14. April 2003 14 OHB may use or disclose Protected Health Information (PHI): For treatment, payment, or health care operations (TPO), without the individual’s authorization; For non-routine purposes only with the individual’s authorization; or To the individual involved. The HIPAA Privacy Rule was designed to control the ways a person's personal health information is used or given out to others.

    15. April 2003 15 Treatment includes the coordination and management of an individual’s health care. Payment includes coverage, eligibility, COB and utilization reviews. Operation includes underwriting, rating, audits and most disease management programs. You can use or disclose information without an employee authorization for TPO: Treatment – for example, if an employee is unconscious, PHI can be provided to a doctor for treatment purposes; Payment – to ensure that claims for health care treatment are paid according to plan terms; Health Plan Operations – to make sure health plans operate efficiently (PHI may be used or disclosed for such things as quality assessments, audits, actuarial studies, fraud/abuse detection, underwriting, and premium ratings). Health information may not be used for purposes not related to health care treatment, payment or operation (TPO) unless explicit authorization is obtained from the individual.

    16. April 2003 16 Protected Health Information Some Acceptable uses of PHI for OHB personnel: Helping employees with claims Case management Billing Underwriting/premium rating Legal, auditing or actuarial services Fraud/abuse detection

    17. April 2003 17 Benefit Administrator Responsibilities: Assist With Claim and Eligibility Problems; Members, Family, Personal Representatives, Close Friend; Prove They Have Prior/First Hand Knowledge of Treatment or Claim; No Authorization Required; Minimum Necessary Requirements Apply. BAs can still assist employees with claim and eligibility issues. Requests for assistance can be made by the member, a family member, a personal representative of the member, or a close friend of the member. The person making the request has to demonstrate some prior or first-hand knowledge of the treatment or claim in question, for example, name of the provider, date of service, copy of the EOB. The BA does not need written authorization in this case, but the plan should limit the information disclosed in accordance with the “minimum necessary” rule.

    18. April 2003 18 Minimum Necessary Rule Minimum necessary means that you only disclose the specific PHI that is necessary to satisfy a particular need or request. Only the minimum amount of information necessary to accomplish the intended purpose can be disclosed, no more or no less. (Exception: Disclosures to health care providers for treatment purposes.)

    19. April 2003 19 Benefit Administrator Responsibilities Assistance with an Appeal Provide Adequate “Safeguards” for Member’s PHI Provide a copy of the Notice of Privacy Practices to all new hires upon enrollment in the health plan All other requests involving PHI should be referred to OHB’s Privacy Officer.

    20. April 2003 20 Individual Authorization Authorization is a document that gives permission to use or disclose specific PHI for a non-routine purpose. Some non-routine purposes would be employment decisions, eligibility or underwriting decisions for a non-health plan. Authorizations must: describe the information to be used or disclosed; name the health plan making the use or disclosure; state to whom disclosure may be made; cite an expiration date or event; state the revocation rights; be signed and dated by the individual. Authorizations must indicate the information disclosed may be subject to re-disclosure by the receiver and would be no longer protected by the HIPAA rules.

    21. April 2003 21 Protected Health Information Some Non-Acceptable uses of PHI: Using health plan data to suspend employee for substance abuse Using health plan data (without employee authorization) to confirm need for FMLA

    22. April 2003 22 Protected Health Information Some Non-Acceptable uses of PHI: Openly discussing or providing individual health plan information with employees not designated to handle PHI (i.e., discussing individual claims expenses at management meetings, or providing representatives with medical plan data to resolve grievances) without employee authorization

    23. April 2003 23 Protected Health Information The following would not be considered PHI: FMLA or sick leave requests; substance abuse screening results; pre-employment physicals or fitness for duty results; Workers’ Compensation claims; Disability Plan claims, ADA accommodations or disability retirements. Information that does not qualify as PHI includes the information used to process these items.

    24. April 2003 24 Protected Health Information Generally, “employment records” are not considered PHI. PHI records should be kept totally separate from employment records. PHI should not be combined with the health information that’s normally kept in personnel files. It should be kept totally separate. And PHI that’s kept separate from our personnel files should not be used to make employment decisions or to address absenteeism issues. There should be a clear separation of the information used for employment based decisions and PHI received/maintained from the Plan.

    25. April 2003 25 Member’s Rights: Right to inspect and copy; Right to amend; Right to an accounting of disclosures; Right to request restrictions; Right to request confidential communications; Right to a copy of the notice. Right to inspect and copy medical information on file. Plan (or TPA) can charge a fee for the service. Right to amend any errors. Amendment request should be directed to the originator of the medical information. Right to an accounting of disclosures for non-routine purposes. Right to request restrictions. The plan has the right to deny any restriction request. Right to request confidential communications. Right to a copy of the notice. All employees should have received a copy of the Notice of Privacy Practices during April from the Agency/Employer’s Benefits Office.

    26. April 2003 26 Member’s Rights Employees or plan participants can always request their own information or authorize release of their PHI to others on their behalf.

    27. April 2003 27 Member’s Rights Employees or participants who feel that their rights have been violated may file a complaint in writing. The Privacy Rule states that employees may not be retaliated against for filing a complaint. If a member feels that their rights under HIPAA Privacy have been violated, they can file a complaint in writing.

    28. April 2003 28 Practical Tips for Safeguarding PHI Don’t leave confidential data unattended or visible to passersby Be careful with faxed claims data

    29. April 2003 29 Practical Tips for Safeguarding PHI Close all employee/member information at workstations following the completion of an inquiry Shred - never recycle - anything containing PHI

    30. April 2003 30 Practical Tips for Safeguarding PHI Secure all daily work in locked drawers and/or cabinets Protect secured areas - never loan your key

    31. April 2003 31 Practical Tips for Safeguarding PHI Oral communication Speak quietly when discussing an employee’s PHI in public areas Avoid the use of names or other identifying information in conversations whenever possible Designate "quiet areas" for PHI exchange (i.e., in private office or conference room with door closed)

    32. April 2003 32 Practical Tips for Safeguarding PHI Copying and printing Sensitive information should not be sent to remote printers or photocopiers where access is uncontrolled and the sender is not present to keep track of the output Do not dispose of PHI in open wastebaskets or recycle containers; instead shred or otherwise destroy before discarding

    33. April 2003 33 Practical Tips for Safeguarding PHI Telephone use Conversations regarding PHI should be conducted where they cannot be overheard, if at all possible (i.e., in private offices or conference rooms with door closed) The other person's identity should be confirmed Only names and callback numbers should be left on answering machines and voicemail systems if a called party cannot be reached Sensitive information should never be left on the answering machine or voicemail device

    34. April 2003 34 Practical Tips for Safeguarding PHI Facsimile (fax) use is not considered an "electronic transmission" under HIPAA and the Privacy Rule does not address facsimile transmission directly. Still, faxing practices for PHI must be compatible with the HIPAA privacy regulations. Tips include: Place the fax machine(s) you will use to transmit PHI in a secure location (or be sure that someone designated to handle PHI is present during the fax transmission to ensure PHI is secure during transmission)

    35. April 2003 35 Practical Tips for Safeguarding PHI Fax Machines (cont’d) Do not send PHI to unattended fax machines, or where the physical security of the receiving system is unknown. Send faxes about PHI only to known locations, where the physical security and monitoring practices of the receiving fax machine are known.

    36. April 2003 36 Practical Tips for Safeguarding PHI Fax Machines (cont’d) Rely on preprogrammed (and tested) fax numbers set on the sending machine, to reduce dialing errors. Include a "confidentiality request" that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors.

    37. April 2003 37 Practical Tips for Safeguarding PHI E-mail Use Avoid using e-mail for exchange of PHI; however, HIPAA does not ban the practice. It is safer to convey information over the phone than via unencrypted email. If electronic mail is used to disclose PHI, copies of the messages should be kept as part of the records retention process. Include a "confidentiality request" that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors.

    38. April 2003 38 Practical Tips for Safeguarding PHI “Confidentiality Statement”: “The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individuals or entities listed above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.” The “Confidentiality Statement” should be used on both the fax and e-mail transmissions.

    39. April 2003 39 Federal Enforcer Department of Health and Human Services (HHS), Office of Civil Rights enforces the HIPAA Privacy Rules

    40. April 2003 40 Penalties Civil penalties – $100 per incident, up to $25,000 per person, per year, per standard. Federal criminal penalties – knowingly and improperly disclosing information: up to $50,000 and one year in prison; obtaining information under false pretenses: up to $100,000 and five years in prison; obtaining protected information with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm: up to $250,000 and 10 years in prison.

    41. April 2003 41 Quick Refresher What law established the Privacy Rule? a. ERISA b. HIPAA c. Privacy Act of 2003 d. Taft-Hartley

    42. April 2003 42 Quick Refresher The Privacy rule is intended to: a. Prevent inappropriate use of certain employee health information b. Give employees greater control over their health records c. Restrict employers from using PHI in making employment decisions d. All of the above

    43. April 2003 43 Quick Refresher A Business Associate is a Covered Entity a. True b. False Only health plans, health care providers and clearinghouses meet the HIPAA definition of a covered entity.

    44. April 2003 44 Quick Refresher Penalties for not complying with the Privacy Rule include: a. Big fines b. Jail time c. Fines for not complying with State/other laws d. All of the above

    45. April 2003 45 Quick Refresher If a firewall has been created, PHI can be used against an employee in employment decisions a. True b. False PHI should never be used in employment decisions. Firewalls should be designed to prevent access to PHI by persons designated to make employment decisions. Only designated personnel within the Company should have access to PHI.

    46. April 2003 46 Quick Refresher A health plan may use/disclose PHI without employee authorization for which of the following a. Case management b. To determine payment to health care providers c. To ensure claims are paid appropriately d. All of the above All of the above would be considered under TPO: treatment, payment and/or operation.

    47. April 2003 47 Quick Refresher An employee authorization is valid only if it includes specific details a. True b. False

    48. April 2003 48 This presentation provides an overview of the HIPAA Privacy Rule and broadly describes how this regulation will affect how the Employer handles employee health information from the health care plans. This information is not intended to provide all of the details of the HIPAA Privacy Rule or the Office of Health Benefits’ policies and procedures.
