400 likes | 502 Views
Protecting Enrollees’ Health Information under HIPAA. Presented by the Michigan Department of Civil Service Employee Benefits Division. Today You Will Learn…. Basics about the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
E N D
Protecting Enrollees’ Health Information under HIPAA Presented by the Michigan Department of Civil Service Employee Benefits Division
Today You Will Learn… • Basics about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) • How HIPAA affects working with enrollment and eligibility information for state health plans: • Health, Dental, Vision and Flexible Spending • HIPAA does not apply to life insurance, worker’s comp, and LTD plans. • How to comply with HIPAA when you use and disclose health plan information
Goals of HIPAA For Individuals • To control and protect their own health information through new rights For Health Care Entities • To protect health information, limit its use, and punish improper use
Who does HIPAA apply to? • HIPAA governs health care providers, clearinghouses, and group health plans. • HIPAA does not apply to employers directly, but affects them indirectly as sponsors of group health plans.
Protected Health Information (PHI) Is: • Information related to past, present, or future physical or mental health, provision of health care, or payment for health care to an individual • Information created or received by a health plan, provider, insurer, or employer • Information whether oral or in any recorded form (HRMN data, enrollment forms, faxes, e-mails, conversations, phone calls)
Protected Health Information • Is health information that provides a reasonable basis to connect the information with the individual • Data of Employee #102234 is still PHI since you can connect #102234 back to that employee.
State Health Plan PHI relates to enrollment and eligibility: • Enrollment forms • HRMN data on insurance coverage and payroll deductions • Complaints about coverage and claim disputes • Communications from enrollees about health care and coverage
HIPAA RegulatesUse & Disclosure of PHI Use:Working with Protected Health Information (PHI) within your Office and the Employee Benefits Division (EBD). Disclosure:Releasing PHI outside your Office & the EBD.
All PHI use and disclosure must be authorized!!! • The default rule for PHI under HIPAA is not to use or disclose it unless authorized.
But, you can use or disclose PHI… • For necessary enrollment, eligibility, payroll, and plan operation duties • To an enrollee, personal representative, or person authorized by the enrollee to receive the information • When authorized by the Privacy Official
The Golden Rule of HIPAA “Treat the health information of others as we would want others to treat health information about us.” Don’t step on anyone's toes! “Dancing the HIPAA Polka!”
Penalties for Noncompliance Enrollees can file complaints with the Privacy Official or the Department of Health and Human Services.The federal government can fine any person $100 for each violation, for up to $25,000 a year.Violations may lead to discipline, fines up to $250,000, and criminal penalties up to 10 years in prison.
HIPAA and Your Office • What does not change? • What changes need to be made? • What issues are referred to the EBD or Privacy Official?
Other Health Infoin Your Office • Medical information received by your Office in its role as employer is covered by other laws, but not by HIPAA. • ADA Requests • FMLA Requests • Drug testing results • Workers Comp and LTD • You still must respect privacy requirements created by other laws when handling this information.
Changes to Procedures • Retention requirements • Training requirements • Use and disclosure of PHI • Enrollee rights
Retention of PHI • HIPAA requires designated PHI from after April 14, 2003 to be retained and retrievable for 6 years. • HRMN data is archived electronically. • All other health plan PHI you handle must be retained in a HIPAA Folder for the enrollee.
HIPAA Folder Contents • Enrollment forms and supporting documents (birth certificates, etc.) • Use and disclosure authorization forms • Requests by enrollees to exercise enumerated HIPAA rights • Documents establishing the authority of personal representatives receiving PHI. • Proof of HIPAA training attendance for relevant staff. • Documents the EBD asks to be included
HR Staff Training • HR staff who can directly access PHI must have HIPAA training by April 14, 2003. • If policies change, new training will follow. • You must retain proof of HIPAA training, through a signed acknowledgment form available from the EBD website.
Confidentiality Agreement for Employees with Limited Access • Other employees with limited or incidental access to PHI (payroll staff, IT staff, etc.), must sign a HIPAA confidentiality agreement agreeing not to improperly use and disclose PHI. This certification is available on the EBD website.
When You Can Use PHI (Internally) • To perform necessary plan administration duties, including sharing information with the EBD • To change enrollment, eligibility, and deduction information in HRMN • To another executive department when an employee transfers
When You CanDisclose PHI (Externally) • If an enrollee seeks their own PHI • If a personal representative (guardian, medical power of attorney holder, etc.) who proves identity and legal authority seeks an enrollee’s PHI • If another party is validly authorized by the enrollee to receive the PHI • If authorized by the Privacy Official
Disclosures Pursuant to Court Orders • If required by a valid court subpoena or order, you must disclose as ordered. No enrollee authorization is required. • You mustsend an e-mail or letter to the Privacy Official detailing the name and employee number of the enrollee, disclosure date, name and address of the recipient, a brief description of the PHI disclosed and the reason for the disclosure. • You must keep copies of the court order in the enrollee’s HIPAA Folder.
Authorization Form • For disclosures based on an authorization form, the enrollee must completely fill out and sign the standard authorization form or: • If our standard form is not used, you must contact the Privacy Official to confirm the validity of the authorization. • You could offer to provide the enrollee with the PHI to give to the other party.
Disclosure Procedures • Reasonably confirm recipients’ identity • Place a copy of personal representative recipients’ proof of authority in enrollees’ HIPAA folders • When disclosing based on court orders, authorization forms or, Privacy Official’s authorizations, place a copy of the document in enrollees’ HIPAA Folders • Contact the Privacy Official if unsure
Contact with Insurance Carriers • You may continue to contact carriers to resolve issues regarding enrollees’ enrollment and eligibility discrepancies. • Any complaints over claim disputes must be referred to the insurance company. If an enrollee has exhausted all remedies and review mechanisms offered by the insurance company, you may refer the enrollee to the EBD.
Use & Disclosure Questions? • Contact the Privacy Official with the Employee Benefits Division for authorization • Address: Michigan Department of Civil Service, Privacy Official, 400 South Pine Street, P.O. Box 30002, Lansing, MI 48909 • Phone: (517) 373-7977 or (800) 505-5011 Fax: (517) 373-3174 E-mail: MDCS-HIPAA@michigan.gov
Security Measures Do Do Not • Log out of HRMN and all programs when leaving your workstation • Lock cabinets containing PHI • Put PHI away in storage when you are not working with it anymore • Leave your computer unattended with visible PHI • Leave file cabinets containing PHI unattended and unlocked • Leave PHI out on your desk unattended
Health Plan Duties Firewall • You cannot give an enrollee’s PHI to supervisors or co-workers who ask for it without authorization by the enrollee. • You must protect PHI and only use it for plan administrative functions. • HIPAA prohibits using PHI for employment related decisions.
Relationships Privacy Official Anyone Else HRMN Employee Benefits Division HR Employee Authorized Person
Notice of Privacy Practices • EBD is sending to current enrollees now. • Your office must give to new hires after 3/29/03. • When an enrollee requests a copy, you must also provide one – available on EBD section of www.mi.gov/mdcs
Enrollee Right of Access • HIPAA requires that PHI in designated record sets be given to individuals. • Enrollment/Eligibility data in HRMN • Benefit denial and appeal documents • When asked, produce all documents in the enrollee’s HIPAA folder and HRMN benefit summary data (ZB107, BN51, etc.) • If an enrollee wants benefit claim or appeal information instruct the enrollee to make a written request to the Privacy Official
Enrollee Right to Amend PHI • As before, your Office can add enrollment data, new dependents, and life events when appropriate. • If you cannot perform a requested amendment (ineligible, outside open enrollment, etc.) you must provide a written denial that includes the following language: • If you believe this decision is incorrect, you may file a written appeal to the Employee Benefits Division that explains why the decision is incorrect and includes all necessary documentation. Appeals must be mailed to Employee Benefits Division, Department of Civil Service, P.O. Box 30002, Lansing, MI 48909. If you believe your HIPAA rights have been violated by this decision, you may file a HIPAA Privacy Complaint Form (CS-1782) with the EBD Privacy Official at the same address.
Enrollee Right to Request Restrictions and Audits • Enrollees may request limitations on how their PHI is shared or request confidential communications of their PHI. • Enrollees may request an audit listing certain disclosures of their PHI that have been made. • All these requests must be made in writing by the enrollee to the Privacy Official.
Enrollee Rights toPrivacy Complaints • Our HIPAA Procedures will allow enrollees to file privacy complaints with the Privacy Official. • The Privacy Official will investigate to determine if a violation occurred. • Employees who violate these procedures will face appropriate discipline.
Test Your Understanding • A supervisor e-mails asking for a list of the health plans a subordinate is enrolled in. What portion of the subordinate’s PHI can you disclose? • None. Supervisors and others outside Your Office are not authorized to use and disclose PHI without a valid authorization.
Test Your Understanding • A person flashing a badge demands disclosure of PHI for a criminal investigation. Do you disclose? • Maybe. HIPAA does provide for disclosures for national security, law enforcement, and other specific purposes. You must contact the Privacy Official to ensure that proper procedures are followed and proper documents are maintained. If there is a court order, you can disclose but must notice the Privacy Official of the disclosure.
Test Your Understanding • An attorney calls and asks for PHI to help in an employee grievance. Do you disclose? • No. If the attorney has a valid authorization, you may. If there is a court order for the information, you must give the Privacy Official notice, as required in the Procedures for Disclosures Pursuant to Court Orders. • Remember that disclosing information to a willing enrollee is one solution to avoid some of these procedural requirements.
Test Your Understanding • Allstate calls asking for confirmation of an employee’s LTD coverage. Does HIPAA prevent you from disclosing this info? • No. HIPAA protects information related to health plan enrollment. LTD is not a health plan under HIPAA. If the request sought LTD and PHI related to state health plans, HIPAA would prohibit the unauthorized disclosure of data about the health plans.
Questions? • What if…………….? • How about………? • What happens when ……. ? • Who do I call about ……..?
Top Ten Ways to Comply with HIPAA Letterman 10.Only authorized personnel can directly access PHI 9. Use PHI only when related to plan administration 8. Disclose PHI to enrollees, to personal representatives, or as provided in proper authorization forms 7. Follow court orders to disclose PHI, but notice the EBD 6. Don’t otherwise disclose unless the Privacy Official OKs 5. Give new enrollees and those who ask privacy notices 4. Issue written denials to requested PHI changes that explain the denial and include the required notice 3. Promptly refer all PHI restriction, confidentiality, and accounting requests to the Privacy Official. 2. Keep HIPAA documents for six years in HIPAA Folders 1. Call the Privacy Official if you are unsure!