Introduction to Confidentiality & HIPAA. For Florida KidCare Community Partners, September 2009. Confidentiality and the Florida KidCare Community Partner.
Florida KidCare Community Partners
As a Florida KidCare community partner, families entrust you not only to help them navigate the Florida KidCare system but also to keep the information they share with you confidential and safe.
HIPAA, the Health Insurance Portability and Accountability Act, was finalized August 2002. This act was created to ensure comprehensive health insurance privacy and security regulations.
HIPAA requires that privacy and security be built into the policies and practices of healthcare providers and health plans.
HIPAA sets standards for the electronic transmission of patient health, administrative, and financial information.
HIPAA sets limits on the type of information permitted for disclosure. Thus, Florida KidCare requires that a properly completed Florida Healthy Kids Release of Information (ROI) form be on file prior to the release of any account-related personal health information (PHI) to third-party entities.
Within limits, HIPAA allows for the free flow of PHI for treatment, payment and health care operations. This is why the ROI is so important.
All Florida KidCare applicants or enrollees have the right to privacy and to keep information about themselves from being disclosed.
Florida KidCare uses the ROI form to determine who is authorized to access account information.
Florida KidCare staff are limited in the type of information they are allowed to disclose to third parties, such as:
Full disclosure – All account information provided
Minimum disclosure – Information needed to resolve a family’s concerns is provided
Limited disclosure – Confirmation of coverage, dates of coverage, name of child’s health & dental plan, and amount of premium being paid are provided
No disclosure – No information is provided without a completed ROI on file.
With the successful completion of the HIPAA training, contracted Florida Healthy Kids Corporation community partners assisting families in applying for Florida KidCare may be given “minimum disclosure” to family account information without a ROI.
Under new legislation, a non-applicant parent can have limited disclosure to Florida KidCare account information. In other words, a non-applicant parent can contact Florida KidCare (with the child’s information such as DOB and SSN) and is able to receive the following types of account information without a ROI on file:
Social Security Number
Date of Birth
Patients seeking treatment from a health care provider must get a “Notice of Privacy Practices” from their provider.
Florida KidCare sends out a notice of privacy practices to all new enrollees and every 3 years to current enrollees.
Covered healthcare organizations must have appropriate technical and administrative safeguards in place to protect patient information such as:
All community partners assisting families in applying for Florida KidCare must receive HIPAA training and successfully pass the Florida KidCare HIPAA compliance test.
Every covered healthcare organization must have a HIPAA Compliance Officer. Merrio Tornillo acts as the HIPAA officer for FHKC, you can reach her at
To ensure an applicant or enrollee’s privacy, certain security safeguards must be in place to:
Protect information from accidental or intentional disclosure to unauthorized persons, and
Protect information from alteration, destruction, or loss.
Who Do I Contact When An Applicant or Enrollee’s Rights Are Violated?
Contact the HIPAA Compliance Officer of the organization that violated the privacy regulation.
File a federal complaint with the United States Department of Health and Human Services Office of Civil Rights.
Community partners who fail to comply with HIPAA policies and procedures risk the discontinuation of their FHKC contract.
HIPAA calls for severe civil and criminal penalties for non-compliance, including:
Fines up to $25,000 for multiple violations of the same types of information in a calendar year
Fines up to $250,000 and/or imprisonment up to 10 years for knowingly misusing individually identifiable health information
You must comply with HIPAA because, as a community partner, you may receive PHI electronically, such as:
Florida KidCare eligibility
Florida KidCare premium amounts
Florida KidCare enrollment information
To maintain HIPAA security you must:
Prevent unauthorized access and disclosure
Prevent loss of information
Secure electronic information
Secure paper records
Be careful what you discuss among staff both inside and outside of the office
Information Left in Public View
All paper files must be collected and stored or shredded every day
To prevent unauthorized disclosures Florida KidCare staff will:
Always check the credentials of a requester
Always check a client’s authorization
Report incidents to your organization’s HIPAA Compliance Officer
Use encryption when sending an e-mail with PHI. Check with your IT Department on how to encrypt your correspondence.
Do not copy others on an e-mail with PHI without written consent from the client
For additional information about HIPAA visit the U.S. Department of Health and Human Services at: http://www.hhs.gov/ocr/privacy/index.html