HIPAA (Health Insurance Portability and Accountability Act)

Excluded from HIPAA Privacy Rules
• Benefits excluded from the HIPAA Privacy Rules are:
  • Accident-only coverage
  • Disability Insurance
  • Worker’s compensation
  • Liability Insurance
  • Life Insurance
  • Leave and Sick Programs
  • Information gathered for OSHA regulations (Occupational Health and Safety Administration)

What is considered Protected Health Information (PHI)?
• For information to be PHI, it must:
  • Relate to the past, present, and future physical or mental health condition, the provision of health care, or the payment for health care
  • Identify, or could reasonably be used to identify, the individual
• The Privacy Regulations cover PHI that is transmitted or maintained in any form or medium (e.g., electronic, paper, fax, voice mail and oral communications)

Examples of PHI
• Names
• Social Security Numbers
• E-mail Addresses
• Date of Birth
• License Plate Number
• Geographic Subdivisions (street address)
• Telephone Numbers
• Any unique characteristic or code which will link an individual to their health information

Examples of how you will use PHI
• To enroll employees into the NAF HBP (Aetna and HMO plans)
• To review an Explanation of Benefits form to help an employee receive payment
• To examine data in a spreadsheet for overseeing the NAF HBP
• To review a claims appeal
• To examine a provider billing

Minimum Necessary Standard
• When you use or disclose PHI, always use the minimal number of unique identifiers or the minimal amount of health information necessary to complete the job or tasking.
• Example:
  • When discussing an EOB with Aetna, do not use the employee name or any unique identifier which could link the medical information to the employee (especially over the phone in a public area).

When to obtain an individual’s authorization to use PHI
• Anytime PHI is used outside of TPO, authorized employees must obtain a signed Authorization Form from the individual before releasing the information, and may release only the requested information.
• Example:
  • The spouse of your employee requests a copy of the employee's PHI from his/her personnel file. The authorized employee in your office cannot provide the health-related information to the spouse unless the employee signs an Authorization Form releasing the information.

When is an Authorization Form not required?
• Public health activities related to disease prevention
• To report victims of abuse, neglect or domestic violence
• For audits, legal investigations or law enforcement purposes
• To avert a serious threat to health and safety
• As authorized by state workers’ compensation laws
• When the information has been de-identified and does not link or identify an individual to their health information

Ways to Secure PHI
• Lock, Shred, Destroy, Secure, & Monitor
• Lock computer stations, cabinets, disks/files that contain PHI when not in use
• Shred documents containing PHI before disposing
• Secure your emails using password encryption
• Use the Minimum Necessary Standard when transmitting PHI through e-mail for TPO purposes
• Monitor the fax machine if receiving PHI
• Do not leave voicemail messages with PHI, or share PHI if non-authorized employees are present

Training
• Who should take the training?
  • Anyone who has access to PHI (including access to PeopleSoft, OPFs, leave donations, FMLA, and workman’s compensation records)
  • Members of Human Resources, Benefits, HRMS, and Workman’s Compensation
• Training: http://crossroads/MRG/Pages/HIPAA.aspx
  • Read training, take quiz, & submit to HR
  • HR should grade, record training in PeopleSoft, and provide a Certificate for the Employee & OPF
  • HR should submit scores & completion date to Carolyn Woodson via email
  • Recertified and reported annually (in April)

Additional Information
• Health and Human Services
  • http://www.hhs.gov/ocr/hipaa
• Department of Labor
  • http://www.dol.gov/
• HIPAA Procedures Guideline
• For more information contact Carolyn Woodson
  • WoodsonCC@usmc-mccs.org
  • 703-432-0420
  • Fax: 703-432-0436