1 / 33

HIPAA Privacy Awareness Training

HIPAA Privacy Awareness Training. Protecting Individual Health Information. Objectives And Agenda. Overview HIPAA Privacy Rule Explain implications to and within our organization Identify what you need to do differently. Part 1 Overview Of Privacy Rule. Privacy Rule … A Quick Glance.

griffin-albert
Download Presentation

HIPAA Privacy Awareness Training

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Privacy Awareness Training Protecting Individual Health Information HIPAA Privacy Rule

  2. Objectives And Agenda • Overview HIPAA Privacy Rule • Explain implications to and within our organization • Identify what you need to do differently HIPAA Privacy Rule

  3. Part 1Overview Of Privacy Rule

  4. Privacy Rule … A Quick Glance • Part of Health Insurance Portability and Accountability Act of 1996—HIPAA • Effective April 14, 2003 for larger employers and April 14, 2004 for smaller employers • What it does: • Limits sharing of confidential health information, called Protected Health Information (PHI) • Restricts employers from using PHI in employment decisions • Requires employers to establish and follow certain procedures HIPAA Privacy Rule

  5. What Is PHI? • Protected Health Information is: • Employee or plan participant health information that • Identifies individuals (or could be used to identify them) • Relates to past, present, or future health care condition, provision of care, or payment for care • Created or received by employer, health plan, or other Covered Entity • PHI can be electronic, paper, or verbal HIPAA Privacy Rule

  6. Examples Of PHI • Examples of PHI include: • Medical bills from hospital • Diagnostic information • Other doctor/patient information that is part of the health plan record • E-mails from vendors that discuss the health condition of an employee or employee’s dependent Important! If you use PHI now (for example to help employees with claim denials), you will need to make changes to conform with our new policies! HIPAA Privacy Rule

  7. What The Privacy Rule Does Not Cover • Generally, information that is part of employment records is not PHI • Examples—Health information used in these processes is generally not PHI: • Pre-employment physicals/substance abuse screenings • FMLA leaves for serious health conditions • ADA accommodations • Work Restrictions • Employees calling in sick Information gathered in “employer role” is part of employment file and is NOT PHI. HIPAA Privacy Rule

  8. Plans Covered by the Privacy Rule Medical Plan Dental Plan Health Care Flexible Spending Account Employee Assistance Program (EAP) Not Covered Disability Life insurance Workers’ Compensation Which Health Plans Are Covered? • Also • HMOs • Health insurance issuers • Medicare and other government programs • Long-term care policies HIPAA Privacy Rule

  9. Part 2Complying With The Privacy Rule

  10. The Changing Flow Of Information PHI Before April 14 Supervisor Facility Managers File Clerk Claims Administrator Doctor Anyone in HR Hospital Any Insurance Company HIPAA Privacy Rule

  11. The Changing Flow Of Information PHI After April 14 Supervisor File Clerk PHI-Designated HR Staff Member • Providers: • Doctors • Hospitals Facilities Managers Any Insurance Company Anyone in Human Resources Business Associates with signed agreements HIPAA Privacy Rule

  12. Clearing-house Health Plan Provider The PHI Box • Health Plan: PHI from the health plan can only be shared with those in the box • Providers: Doctors, hospitals, clinics, etc. • Clearinghouse: Data management firms that code provider bills Those “In The Box” May Share PHI With Each Other • PHI can be shared with others who we retain for plan administration and who agree in writing to comply with the Privacy Rule • Employee/participant must authorize any “non-routine” use If you are not in the box or have an agreement with the Plan Sponsor or the Provider, you cannot have access to PHI without written authorization from the employee HIPAA Privacy Rule

  13. Who Is Responsible For Compliance? • All management • Only PHI-designated Human Resources staff members can access and process PHI • Managers must adhere to policies and procedures and defer to PHI-designated staff HIPAA Privacy Rule

  14. Example • An employee has a problem with a medical plan claim and goes to a manager at a location • In the past, the manager may have contacted an outside administer to get clarification • Under the new procedures, the manager defers the employee to PHI-designated Human Resources staff member for assistance HIPAA Privacy Rule

  15. What If The Plan Does Not Comply? • The Privacy Rule is enforced by U.S. Department of Health and Human Services (HHS) • HHS can impose both civil and criminal penalties on the Covered Entities for noncompliance • Civil penalties—$100 fine per violation, up to $25,000 per person/year • Criminal penalties—Up to $250,000 fine and 10 years in prison Important! Employees may file complaint with HHS for wrongful disclosure. HIPAA Privacy Rule

  16. New Procedures • Appointed Privacy Officer to: • Develop and implement Privacy Rule compliance policies and procedures • Monitor and ensure the college’s compliance • Designated certain Human Resources staff members to be the only individuals responsible for PHI processing, record retention and management • Play it Safe! • Always refer employees to a PHI-designated staff member if you have any issues involving the covered plans HIPAA Privacy Rule

  17. Our Privacy Officer • Employee Plans - Linda Laughlin, Associate HR Director • Student Plan - Administrative Assistant/ Student Insurance Specialist, Wellness Center HIPAA Privacy Rule

  18. New Procedures • Created a “firewall” to separate health plan information from other employee data • Took steps to safeguard PHI • Keep PHI out of sight • Don’t discuss PHI in public • Watch who is e-mailed PHI • Fax with care HIPAA Privacy Rule

  19. How Are Managers Affected? • Managers/Supervisors • Must understand and comply with Privacy Rule • Must understand which plans are covered • For example, Privacy Rule does not affect other policies, such as FMLA or Workers’ Compensation • Know when and how to contact Privacy Officer or other designated staff Important! Managers and Supervisors must be aware of Privacy Rule and how to comply.! HIPAA Privacy Rule

  20. How Are Managers Affected? • Examples—Unless authorized, managers and supervisors may not: • Discuss specific health care claims with the carrier • Discuss the cost or details of claims with anyone • Use PHI for employment-related actions (hiring, firing, promoting) Important! Only certain Human Resources staff members may use/disclose PHI. Even then, the employee must sign a specific authorization for any “non-routine” use or disclosure. HIPAA Privacy Rule

  21. Part 3Overview of Employee Rights

  22. Privacy Rights Notice • Employees/participants must receive a Notice of Privacy Rights • Summarizes rights to access/control PHI • Your Privacy Notice will describe your rights under the Privacy Rule HIPAA Privacy Rule

  23. Employee Rights • Right to inspect and copy PHI • Must request in writing • Request can be denied for certain reasons • Right to amend PHI • Health plan has 60 days to act on request • Right to request list of PHI disclosures • Except for treatment, payment of medical expenses or normal operation of the plan • Plan only needs to disclose last six years of PHI and not earlier than April 14, 2004 • Must be in writing and specify details HIPAA Privacy Rule

  24. Employee Rights (cont’d) • Right to limit disclosure • Except for treatment, payment of medical expenses or normal operation of the plan • Right to file complaints • Written complaints to HHS • Follow our established process for handling complaints • We MAY NOT penalize or retaliate against employees who file complaints HIPAA Privacy Rule

  25. HIPAA Scenarios Scenario #1 Employee-Based Disclosure John and Fred are peers, both working in production for a widget manufacturing company. They are having coffee in the break room, when John tells Fred, “I just found out I have cancer, and I’m pretty worried about keeping my job if I have to take time off to have treatment.” Later, Fred tells a co-worker (in confidence), who passes it on to his supervisor and several other employees of the company. Was John’s right to privacy violated? Does he have a cause of action against the employer or health plan? Why or Why not? What are the proper steps to be taken? Now that the supervisor knows, what should he or she do with the information? HIPAA Privacy Rule

  26. HIPAA Scenarios Scenario #2 Birth Announcement The Paper Company typically sends out a broadcast announcement to all employees whenever a new baby is born to one of their employees. Vital statistics are given, including name, gender, and weight of the baby, along with health status (such as “Mom and baby are doing fine,” or “Baby is still in the hospital due to low birth weight, but Mom is home and doing well”). Is disclosure of the birth Protected Health Information under HIPAA? Why or why not? What about the status of Mom’s and Baby’s health? HIPAA Privacy Rule

  27. HIPAA Scenarios Scenario #3 FMLA-Leave Based Disclosure Patty’s assistant, Maria, tells her in confidence that she needs to take several weeks off to take care of her mother, who has been diagnosed with a serious health condition. Patty verbally grants Maria’s request for time off. While Maria is on leave, Patty begins passing work to other employees in the department, asking them to help out. She innocently discloses information about the reason for Maria’s leave to employees who question the reason for the added workload. What should Patty have done first in this situation? Is Maria’s mother’s health situation protected? Why or why not? What should/shouldn’t Patty tell other employees about Maria’s situation? When the Privacy Official is made aware of the situation, what should he/she do? HIPAA Privacy Rule

  28. HIPAA Scenarios Scenario #4 Vendor Disclosure White Widgets provides employees with medical coverage under a self-insured health plan. Claims are paid by Fred’s TPA. Mary, a claims examiner for Fred’s TPA is processing claims when she sees that Jeff, a key employee of White Widgets, is being treated for HIV. She is best friends with Joan, who works for Jeff in his office. At dinner that evening, she asks Joan how Jeff is doing since he has undergone treatment. Joan was unaware of the situation and had no need to know for plan operation purposes. The next day, she informed Jeff and Human Resources that confidentiality has been violated. What should the Privacy Official of White Widgets do? What are the TPA’s responsibilities in light of the breach of privacy? What are the potential penalties that could be assessed against the Plan, the Privacy Official, and/or the TPA? HIPAA Privacy Rule

  29. HIPAA Scenarios Scenario #5 “Innocent” Disclosure Barb works in Human Resources. Tom calls Barb and tells her that he needs help with a claim issue. She has Tom sign an authorization form allowing her to have access to Personal Health Information for the purpose of resolving the claim. Barb forwards the request to the Health insurance carrier and then talks with the claims supervisor. She is able to resolve the problem for Tom, but accidentally leaves her notes out in plain view on her desk when she leaves for the evening. While waiting for a meeting with Barb’s manager, plant manager Joe sits at Barb’s desk, and he reads the information about Tom’s ability to perform based on that health information, and tells her where he got the information. What should Barb’s manager do in this situation? What should the Privacy Official do? HIPAA Privacy Rule

  30. HIPAA Scenarios Scenario #6 Intentional Disclosure for Gain Joe’s TPA pays claims for 1,000 employers, covering 150,000 employees in the state of Minnesota. They have been losing market share and need to boister their revenues. They have been approached by a company that manufactures a product aimed at treatment of a specific health condition, and sell to that company a list of subscribers who have had treatment for that condition. Those subscribers receive phone calls and mailings form the manufacturer, attempting to sell their product. Are the individual employer-sponsored plans liable for this disclosure by their business associate (Joe’s TPA)? What are the penalties for this type of disclosure? What should the Privacy Official do when he/she is made aware of this violation of privacy standards? HIPAA Privacy Rule

  31. HIPAA Scenario Summary Scenario1-Privacy not violated voluntarily disclosed information. -Does not have cause of action.-Supervisor should talk with HR and Privacy Officer. Scenario2-Could be under HIPAA if the information came from the health plan.-Employee has to request to disclose the information and should provide a disclaimer. Scenario 3-Contact HR. Not a protected health situation. (Patty should have contacted HR before authorizing leave.)-Privacy Officer should educate. HIPAA Privacy Rule

  32. HIPAA Scenario Summary Scenario 4-Privacy Officer should contact TPA supervisor, review BAA agreement with TPA, implement established sanctions against Mary.-TPA must disclose breach to plan. -TPA may face civil penalties and individual(s) involved could face criminal penalties and the contract could be terminated. Scenario 5- Document the disclosure and educate Barb and manager.- Reinforce education. Scenario 6-Employer plan is not responsible if it has Business Associate Agreement in place (Depending on “indemnification” provision of BAA.) -TPA may face civil penalties and the individual(s) involved could face criminal penalties.- Report the violation to HHS. HIPAA Privacy Rule

  33. This presentation provides an overview of the HIPAA Privacy Rule and broadly describes how this regulation will affect how the college handles employee health information from our health care plans. This information is not intended to provide all of the details of the HIPAA Privacy Rule or of the college’s policies and procedures. This presentation also does not constitute legal advice. If there is any discrepancy between the provisions of the HIPAA Privacy Rule and the material in this presentation, the terms of the HIPAA Privacy Rule will govern in all cases. It’s Important To Know That… HIPAA Privacy Rule

More Related