protecting enrollees’ health information under hipaa presented by the michigan department of civil...
TRANSCRIPT
Protecting Enrollees’ Health Protecting Enrollees’ Health
Information under HIPAAInformation under HIPAA
Presented by the Presented by the Michigan Department of Civil ServiceMichigan Department of Civil Service
Employee Benefits DivisionEmployee Benefits Division
Today You Will Learn…Today You Will Learn…
Basics about the Health Insurance Portability Basics about the Health Insurance Portability and Accountability Act of 1996 (HIPAA)and Accountability Act of 1996 (HIPAA)
How HIPAA affects working with enrollment How HIPAA affects working with enrollment and eligibility information for state health plans:and eligibility information for state health plans:– Health, Dental, Vision and Flexible SpendingHealth, Dental, Vision and Flexible Spending– HIPAA HIPAA does notdoes not apply to life insurance, worker’s apply to life insurance, worker’s
comp, and LTD plans. comp, and LTD plans. How to comply with HIPAA when you use and How to comply with HIPAA when you use and
disclose health plan informationdisclose health plan information
Goals of HIPAAGoals of HIPAA
For IndividualsFor Individuals To control and protect their own health To control and protect their own health
information through new rightsinformation through new rights
For Health Care EntitiesFor Health Care Entities To protect health information, limit its To protect health information, limit its
use, and punish improper useuse, and punish improper use
Who does HIPAA apply to?Who does HIPAA apply to?
HIPAA governs health care HIPAA governs health care providers, clearinghouses, and providers, clearinghouses, and group health plans.group health plans.
HIPAA does not apply to HIPAA does not apply to employers employers directlydirectly, but affects , but affects them them indirectlyindirectly as sponsors of as sponsors of group health plans. group health plans.
Protected Health Protected Health Information (PHI) Is:Information (PHI) Is:
Information related to past, present, or Information related to past, present, or future physical or mental health, provision of future physical or mental health, provision of health care, or payment for health care to an health care, or payment for health care to an individualindividual
Information created or received by a health Information created or received by a health plan, provider, insurer, or employerplan, provider, insurer, or employer
Information whether oral or in any recorded Information whether oral or in any recorded form (HRMN data, enrollment forms, faxes, form (HRMN data, enrollment forms, faxes, e-mails, conversations, phone calls)e-mails, conversations, phone calls)
Protected Health Protected Health InformationInformation
Is health information that provides a Is health information that provides a reasonable basis to connect the reasonable basis to connect the information with the individualinformation with the individual
Data of Employee #102234 is still PHI since Data of Employee #102234 is still PHI since you can connect #102234 back to that you can connect #102234 back to that employee.employee.
State Health Plan PHI relates State Health Plan PHI relates to enrollment and eligibility:to enrollment and eligibility: Enrollment formsEnrollment forms HRMN data on insurance coverage HRMN data on insurance coverage
and payroll deductionsand payroll deductions Complaints about coverage and claim Complaints about coverage and claim
disputesdisputes Communications from enrollees about Communications from enrollees about
health care and coveragehealth care and coverage
Use:Use:Working with Protected Health Information Working with Protected Health Information (PHI) (PHI) withinwithin your Office and the Employee your Office and the Employee Benefits Division (EBD).Benefits Division (EBD).
HIPAA RegulatesHIPAA RegulatesUse & Disclosure of PHIUse & Disclosure of PHI
Disclosure:Disclosure:Releasing PHI Releasing PHI outsideoutside your Office & the EBD. your Office & the EBD.
All PHI use and disclosure All PHI use and disclosure must be authorized!!!must be authorized!!!
The default rule for PHI under HIPAA The default rule for PHI under HIPAA is not to use or disclose it unless is not to use or disclose it unless authorized.authorized.
But, you can use or disclose But, you can use or disclose PHI…PHI…
For necessary enrollment, For necessary enrollment, eligibility, payroll, and plan eligibility, payroll, and plan operation dutiesoperation duties
To an enrollee, personal To an enrollee, personal representative, or person representative, or person authorized by the enrollee to authorized by the enrollee to receive the informationreceive the information
When authorized by the When authorized by the Privacy OfficialPrivacy Official
The Golden Rule of HIPAAThe Golden Rule of HIPAA
““Treat the health Treat the health information of others information of others as we would want as we would want others to treat health others to treat health information about us.”information about us.”
Don’t step on anyone's toes!Don’t step on anyone's toes!
““Dancing the Dancing the HIPAA Polka!”HIPAA Polka!”
Penalties for Penalties for NoncomplianceNoncompliance
Enrollees can file complaints with the Privacy Official Enrollees can file complaints with the Privacy Official or the Department of Health and Human Services.or the Department of Health and Human Services.
The federal government can fine any person $100 for The federal government can fine any person $100 for each violation, for up to $25,000 a year. each violation, for up to $25,000 a year.
Violations may lead to discipline, fines up to $250,000, Violations may lead to discipline, fines up to $250,000, and criminal penalties up to 10 years in prison.and criminal penalties up to 10 years in prison.
HIPAA and Your OfficeHIPAA and Your Office
What does not change?What does not change?
What changes need to be made?What changes need to be made?
What issues are referred to the What issues are referred to the EBD or Privacy Official?EBD or Privacy Official?
Other Health InfoOther Health Infoin Your Officein Your Office
Medical information received by your Office Medical information received by your Office in its role as employer is covered by other in its role as employer is covered by other laws, but not by HIPAA. laws, but not by HIPAA. – ADA RequestsADA Requests– FMLA RequestsFMLA Requests– Drug testing resultsDrug testing results– Workers Comp and LTDWorkers Comp and LTD
You still must respect privacy requirements You still must respect privacy requirements created by other laws when handling this created by other laws when handling this information.information.
Changes to ProceduresChanges to Procedures
Retention requirements Retention requirements Training requirementsTraining requirements Use and disclosure of PHIUse and disclosure of PHI Enrollee rightsEnrollee rights
Retention of PHIRetention of PHI
HIPAA requires designated PHI from after HIPAA requires designated PHI from after April 14, 2003April 14, 2003 to be retained and to be retained and retrievable for 6 years.retrievable for 6 years.
HRMN data is archived electronically.HRMN data is archived electronically.
All other health plan PHI you handle must All other health plan PHI you handle must be retained in a HIPAA Folder for the be retained in a HIPAA Folder for the enrollee.enrollee.
HIPAA Folder ContentsHIPAA Folder Contents
Enrollment forms and supporting documents Enrollment forms and supporting documents (birth certificates, etc.)(birth certificates, etc.)
Use and disclosure authorization formsUse and disclosure authorization forms Requests by enrollees to exercise Requests by enrollees to exercise
enumerated HIPAA rightsenumerated HIPAA rights Documents establishing the authority of Documents establishing the authority of
personal representatives receiving PHI.personal representatives receiving PHI. Proof of HIPAA training attendance for Proof of HIPAA training attendance for
relevant staff.relevant staff. Documents the EBD asks to be includedDocuments the EBD asks to be included
HR Staff HR Staff TrainingTraining
HR staff who can directly access PHI must HR staff who can directly access PHI must have HIPAA training by have HIPAA training by April 14, 2003April 14, 2003..
If policies change, new training will follow.If policies change, new training will follow. You must retain proof of HIPAA training, You must retain proof of HIPAA training,
through a signed acknowledgment form through a signed acknowledgment form available from the EBD website. available from the EBD website.
Confidentiality Agreement for Confidentiality Agreement for Employees with Limited AccessEmployees with Limited Access
Other employees with limited or Other employees with limited or incidental access to PHI (payroll staff, incidental access to PHI (payroll staff, IT staff, etc.), must sign a HIPAA IT staff, etc.), must sign a HIPAA confidentiality agreement agreeing not confidentiality agreement agreeing not to improperly use and disclose PHI. to improperly use and disclose PHI. This certification is available on the This certification is available on the EBD website. EBD website.
When You CanWhen You Can Use PHI (Internally) Use PHI (Internally)
To perform necessary plan To perform necessary plan administration duties, including sharing administration duties, including sharing information with the EBDinformation with the EBD
To change enrollment, eligibility, and To change enrollment, eligibility, and deduction information in HRMNdeduction information in HRMN
To another executive department To another executive department when an employee transferswhen an employee transfers
When You CanWhen You Can Disclose PHI (Externally)Disclose PHI (Externally)
If an enrollee seeks their own PHI If an enrollee seeks their own PHI If a personal representative (guardian, If a personal representative (guardian,
medical power of attorney holder, etc.) medical power of attorney holder, etc.) who proves identity and legal authority who proves identity and legal authority seeks an enrollee’s PHIseeks an enrollee’s PHI
If another party is validly authorized by If another party is validly authorized by the enrollee to receive the PHIthe enrollee to receive the PHI
If authorized by the Privacy OfficialIf authorized by the Privacy Official
Disclosures Pursuant to Disclosures Pursuant to Court OrdersCourt Orders
If required by a valid court subpoena or If required by a valid court subpoena or order, you must disclose as ordered. No order, you must disclose as ordered. No enrollee authorization is required.enrollee authorization is required.
You You mustmust send an e-mail or letter to the send an e-mail or letter to the Privacy Official detailing the name and Privacy Official detailing the name and employee number of the enrollee, disclosure employee number of the enrollee, disclosure date, name and address of the recipient, a date, name and address of the recipient, a brief description of the PHI disclosed and brief description of the PHI disclosed and the reason for the disclosure.the reason for the disclosure.
You You mustmust keep copies of the court order in keep copies of the court order in the enrollee’s HIPAA Folder.the enrollee’s HIPAA Folder.
Authorization Authorization FormForm
For disclosures based on an authorization form, For disclosures based on an authorization form, the enrollee the enrollee mustmust completely fill out and sign the completely fill out and sign the standard authorization form or:standard authorization form or:
If our standard form is not used, you must contact If our standard form is not used, you must contact the Privacy Official to confirm the validity of the the Privacy Official to confirm the validity of the authorization.authorization.
You could offer to provide the enrollee with the PHI You could offer to provide the enrollee with the PHI to give to the other party.to give to the other party.
Disclosure Disclosure ProceduresProcedures
1.1. Reasonably confirm recipients’ identityReasonably confirm recipients’ identity
2.2. Place a copy of personal representative Place a copy of personal representative recipients’ proof of authority in recipients’ proof of authority in enrollees’ HIPAA foldersenrollees’ HIPAA folders
3.3. When disclosing based on court orders, When disclosing based on court orders, authorization forms or, Privacy Official’s authorization forms or, Privacy Official’s authorizations, place a copy of the authorizations, place a copy of the document in enrollees’ HIPAA Foldersdocument in enrollees’ HIPAA Folders
4.4. Contact the Privacy Official if unsureContact the Privacy Official if unsure
Contact with Insurance Contact with Insurance CarriersCarriers
You may continue to contact carriers to You may continue to contact carriers to resolve issues regarding enrollees’ resolve issues regarding enrollees’ enrollment and eligibility discrepancies.enrollment and eligibility discrepancies.
Any complaints over claim disputes must be Any complaints over claim disputes must be referred to the insurance company.referred to the insurance company. If an If an enrollee has exhausted all remedies and enrollee has exhausted all remedies and review mechanisms offered by the review mechanisms offered by the insurance company, you may refer the insurance company, you may refer the enrollee to the EBD. enrollee to the EBD.
Use & Disclosure Questions?Use & Disclosure Questions?
Contact the Privacy Official with the Contact the Privacy Official with the Employee Benefits Division for authorizationEmployee Benefits Division for authorization
AddressAddress: Michigan Department of Civil : Michigan Department of Civil Service, Privacy Official, 400 South Pine Service, Privacy Official, 400 South Pine Street, P.O. Box 30002, Lansing, MI 48909Street, P.O. Box 30002, Lansing, MI 48909
PhonePhone: (517) 373-7977 or (800) 505-5011: (517) 373-7977 or (800) 505-5011
FaxFax: (517) 373-3174: (517) 373-3174
E-mailE-mail: [email protected]: [email protected]
Security MeasuresSecurity Measures
Log out of HRMN Log out of HRMN and all programs and all programs when leaving your when leaving your workstationworkstation
Lock cabinets Lock cabinets containing PHI containing PHI
Put PHI away in Put PHI away in storage when you storage when you are not working with are not working with it anymoreit anymore
Leave your computer Leave your computer unattended with visible unattended with visible PHIPHI
Leave file cabinets Leave file cabinets containing PHI containing PHI unattended and unlockedunattended and unlocked
Leave PHI out on your Leave PHI out on your desk unattended desk unattended
Do NotDo NotDoDo
Health Plan Health Plan Duties Firewall Duties Firewall
You cannot give an enrollee’s PHI to You cannot give an enrollee’s PHI to supervisors or co-workers who ask for it supervisors or co-workers who ask for it without authorization by the enrollee.without authorization by the enrollee.
You must protect PHI and only use it for You must protect PHI and only use it for plan administrative functions.plan administrative functions.
HIPAA prohibits using PHI for employment HIPAA prohibits using PHI for employment related decisions.related decisions.
RelationshipsRelationships
HR
HRMN
EmployeeAuthorized Person
Employee Benefits Division
Anyone ElsePrivacy OfficialPrivacy Official
Notice of Privacy PracticesNotice of Privacy Practices
EBD is sending to current enrollees now.EBD is sending to current enrollees now.
Your office must give to new hires after Your office must give to new hires after 3/29/03.3/29/03.
When an enrollee requests a copy, you When an enrollee requests a copy, you must also provide one must also provide one –– available on EBD available on EBD section of www.mi.gov/mdcssection of www.mi.gov/mdcs
Enrollee Right of AccessEnrollee Right of Access
HIPAA requires that PHI in designated HIPAA requires that PHI in designated record sets be given to individuals.record sets be given to individuals.
1.1. Enrollment/Eligibility data in HRMNEnrollment/Eligibility data in HRMN2.2. Benefit denial and appeal documentsBenefit denial and appeal documents
When asked, produce all documents in the When asked, produce all documents in the enrollee’s HIPAA folder and HRMN benefit enrollee’s HIPAA folder and HRMN benefit summary data (ZB107, BN51, etc.)summary data (ZB107, BN51, etc.)
If an enrollee wants benefit claim or appeal If an enrollee wants benefit claim or appeal information instruct the enrollee to make a information instruct the enrollee to make a written request to the Privacy Officialwritten request to the Privacy Official
Enrollee Right to Amend PHIEnrollee Right to Amend PHI
As before, your Office can add enrollment As before, your Office can add enrollment data, new dependents, and life events when data, new dependents, and life events when appropriate.appropriate.
If you cannot perform a requested If you cannot perform a requested amendment (ineligible, outside open amendment (ineligible, outside open enrollment, etc.) you enrollment, etc.) you mustmust provide a written provide a written denial that denial that includesincludes the following language: the following language:– If you believe this decision is incorrect, you may file a written If you believe this decision is incorrect, you may file a written
appeal to the Employee Benefits Division that explains why the appeal to the Employee Benefits Division that explains why the decision is incorrect and includes all necessary documentation. decision is incorrect and includes all necessary documentation. Appeals must be mailed to Employee Benefits Division, Appeals must be mailed to Employee Benefits Division, Department of Civil Service, P.O. Box 30002, Lansing, MI Department of Civil Service, P.O. Box 30002, Lansing, MI 48909. If you believe your HIPAA rights have been violated by 48909. If you believe your HIPAA rights have been violated by this decision, you may file a HIPAA Privacy Complaint Form (CS-this decision, you may file a HIPAA Privacy Complaint Form (CS-1782) with the EBD Privacy Official at the same address.1782) with the EBD Privacy Official at the same address.
Enrollee Right to Request Enrollee Right to Request Restrictions and AuditsRestrictions and Audits
Enrollees may request limitations on how Enrollees may request limitations on how
their PHI is shared or request confidential their PHI is shared or request confidential
communications of their PHI. communications of their PHI.
Enrollees may request an audit listing certain Enrollees may request an audit listing certain
disclosures of their PHI that have been made. disclosures of their PHI that have been made.
All these requests must be made in writing by All these requests must be made in writing by
the enrollee to the Privacy Official.the enrollee to the Privacy Official.
Enrollee Rights toEnrollee Rights toPrivacy ComplaintsPrivacy Complaints
Our HIPAA Procedures will allow Our HIPAA Procedures will allow enrollees to file privacy complaints with enrollees to file privacy complaints with the Privacy Official.the Privacy Official.
The Privacy Official will investigate to The Privacy Official will investigate to determine if a violation occurred.determine if a violation occurred.
Employees who violate these Employees who violate these procedures will face appropriate procedures will face appropriate discipline.discipline.
Test Your UnderstandingTest Your Understanding
A supervisor e-mails asking for a list of A supervisor e-mails asking for a list of the health plans a subordinate is the health plans a subordinate is enrolled in. What portion of the enrolled in. What portion of the subordinate’s PHI can you disclose?subordinate’s PHI can you disclose?
None. Supervisors and others outside None. Supervisors and others outside Your Office are not authorized to use Your Office are not authorized to use and disclose PHI without a valid and disclose PHI without a valid authorization.authorization.
Test Your UnderstandingTest Your Understanding
A person flashing a badge demands A person flashing a badge demands disclosure of PHI for a criminal investigation. disclosure of PHI for a criminal investigation. Do you disclose? Do you disclose?
Maybe. HIPAA does provide for disclosures Maybe. HIPAA does provide for disclosures for national security, law enforcement, and for national security, law enforcement, and other specific purposes. You must contact other specific purposes. You must contact the Privacy Official to ensure that proper the Privacy Official to ensure that proper procedures are followed and proper procedures are followed and proper documents are maintained. If there is a documents are maintained. If there is a court order, you can disclose but must court order, you can disclose but must notice the Privacy Official of the disclosure.notice the Privacy Official of the disclosure.
Test Your UnderstandingTest Your Understanding
An attorney calls and asks for PHI to help in An attorney calls and asks for PHI to help in an employee grievance. Do you disclose?an employee grievance. Do you disclose?
No. If the attorney has a valid authorization, No. If the attorney has a valid authorization, you may. If there is a court order for the you may. If there is a court order for the information, you must give the Privacy information, you must give the Privacy Official notice, as required in the Procedures Official notice, as required in the Procedures for Disclosures Pursuant to Court Orders.for Disclosures Pursuant to Court Orders.
Remember that disclosing information to a Remember that disclosing information to a willing enrollee is one solution to avoid willing enrollee is one solution to avoid some of these procedural requirements.some of these procedural requirements.
Test Your UnderstandingTest Your Understanding
Allstate calls asking for confirmation of an Allstate calls asking for confirmation of an employee’s LTD coverage. Does HIPAA employee’s LTD coverage. Does HIPAA prevent you from disclosing this info?prevent you from disclosing this info?
No. HIPAA protects information related to No. HIPAA protects information related to health plan enrollment. LTD is not a health health plan enrollment. LTD is not a health plan under HIPAA. If the request sought plan under HIPAA. If the request sought LTD LTD andand PHI related to state health plans, PHI related to state health plans, HIPAA would prohibit the unauthorized HIPAA would prohibit the unauthorized disclosure of data about the health plans.disclosure of data about the health plans.
Questions?Questions?
What if…………….?What if…………….?
How about………?How about………?
What happens when ……. ?What happens when ……. ?
Who do I call about ……..?Who do I call about ……..?
Top Ten Ways to Top Ten Ways to Comply with HIPAAComply with HIPAA
10.10. Only authorized personnel can directly access PHIOnly authorized personnel can directly access PHI 9. Use PHI only when related to plan administration9. Use PHI only when related to plan administration 8. Disclose PHI to enrollees, to personal representatives, 8. Disclose PHI to enrollees, to personal representatives,
or as provided in proper authorization formsor as provided in proper authorization forms 7. Follow court orders to disclose PHI, but notice the EBD7. Follow court orders to disclose PHI, but notice the EBD 6. Don’t otherwise disclose unless the Privacy Official OKs6. Don’t otherwise disclose unless the Privacy Official OKs 5. Give new enrollees and those who ask privacy notices5. Give new enrollees and those who ask privacy notices 4. Issue written denials to requested PHI changes that 4. Issue written denials to requested PHI changes that
explain the denial and include the required noticeexplain the denial and include the required notice 3. Promptly refer all PHI restriction, confidentiality, and 3. Promptly refer all PHI restriction, confidentiality, and
accounting requests to the Privacy Official.accounting requests to the Privacy Official. 2. Keep HIPAA documents for six years in HIPAA Folders2. Keep HIPAA documents for six years in HIPAA Folders 1. 1. Call the Privacy Official if you are unsure!Call the Privacy Official if you are unsure!
LettermanLetterman