HIPAA Privacy Rule

HIPAA Privacy Rule
Compliance Training for YSU April 9, 2014

What is HIPAA? Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 Federal law designed to give patients control over all Protected Health Information (PHI) that might be shared between health care providers and other covered entities Ensure confidentiality of PHI

What is PHI?(Protected Health Information) “Individually identifiable health information” in any form - paper, electronic, or oral Relates to the physical or mental health condition of an individual Identifies or can be used to identify an individual (e.g., name, address, birth date, Social Security number, account number) Is in the possession of or has been created by covered entities

Examples of PHI Health care claims Health care payment and remittance advice Coordination of benefits Health care claim status Enrollment or disenrollment in a health plan Eligibility for a health plan Health plan premium payments Referral certification and authorization

What is the HIPAA Privacy Rule? Provides federal protection for PHI held by covered entities and Business Associates Gives patients rights over determining who can look at and receive their health information Applies to all forms of protected health information – electronic, written, or oral

Who Must Comply? Health Plans Health insurance companies - HMOs, Medicaid, Medicare, and employer-sponsored health plans Health Care Providers Doctors, clinics, hospitals, pharmacies, dentists Electronic billing to insurance Health Care Clearinghouses Process nonstandard health information (e.g., billing services)

What is the HIPAA Security Rule? Specifies a series of administrative, physical and technical safeguards to use to assure confidentiality, integrity, and availability of electronic PHI

Employer has 2 Roles If the Employer is the Plan Sponsor of a self-insured plan it has two different roles: Employer Plan Sponsor

Employer Role HIPAA Privacy Rule does not apply when: Doctor’s information is needed for determining FMLA or an ADA Accommodation Doctor’s release to return to work Workers Compensation injury OHSA logs Wellness programs Health insurance

Plan Sponsor Role HIPAA Privacy Rules does apply when: Employer participates in the administration of a group health plan Is involved in the decision-making process

Plan Sponsor Responsibilities Designate a privacy officer Provide written PHI procedures Limit use and disclosures of PHI to the “minimum necessary” to accomplish the intended purpose Require business associates to ensure confidentiality with written contracts/agreements

Employees’ Rights Employers acting in a plan sponsor role may not share employee PHI without written authorization unless it is shared: With the employee For treatment/care coordination To pay for employee health care services.

Employees’ Rights (cont.) Employees have a right to: A copy of their medical records Restrict who can obtain their PHI Change incorrect information in their medical records A report of when and why PHI was used File complaints

HIPAA Privacy Violations Civil penalties - $100 per violation Maximum civil penalties of $25,000 per year, per person, per standard Criminal penalties - $50,000 to $250,000 and imprisonment Additional penalties under state law Lawsuits

Summary Medical information maintained by employers is not always considered PHI Employer must determine where the information was obtained and whether the information is maintained under the role of employer or plan sponsor of a group health plan Regardless of the role, employers should carefully handle all employee medical information

HIPAA Privacy Rule