Introduction to HIPAA


For Florida KidCare Community Partners
September 2009

As a Florida KidCare community partner, families entrust you not only to help them navigate the Florida KidCare system but also to keep the information they share with you confidential and safe.

HIPAA, the Health Insurance Portability and Accountability Act, was finalized August 2002. This act was created to ensure comprehensive health insurance privacy and security regulations.

1. HIPAA requires that privacy and security be built into the policies and practices of healthcare providers and health plans.
2. HIPAA sets standards for the electronic transmission of patient health, administrative, and financial information.

HIPAA sets limits on the type of information permitted for disclosure. Thus Florida KidCare requires a properly completed Florida Healthy Kids Release of Information (ROI) form be on file prior to the release of any account-related personal health information (PHI) to third-party entities.

FLORIDA HEALTHY KIDS CORPORATION (FHKC) AUTHORIZATION TO RELEASE INFORMATION
ONLY the person listed as Parent 1 or Parent 2 on the Florida KidCare Application currently in effect for the named Enrollee can sign this form
OR
If the Enrollee is eighteen (18) years of age or has had the disability of minority legally removed then ONLY the Enrollee can sign this form.
Enrollee’s Name (last, first, initial): ____________________
Date of Birth: ____________________
Family Account Number: ____________________
Address (street, city, state, zip): ____________________
Daytime Telephone: (____) ____________________
Evening Telephone: (____) ____________________
Cell Telephone: (____) ____________________
Email Address: ____________________
I authorize FHKC to disclose and release Enrollee’s Protected Health Information (PHI) from Enrollee’s FHKC Record to the following person or legal entity:
Name of Releasee (Individual, Doctor, Hospital, Agency, etc.): ____________________
Telephone: (____) ____________________
Email Address: ____________________
Address (street, city, state, zip): ____________________
NOTE: FHKC HAS NO MEDICAL RECORDS, BILLING OR CLAIMS INFORMATION
FHKC is authorized to disclose and release the following specific PHI from the Enrollee’s FHKC Records:
ONLY ITEMS CHECKED WILL BE RELEASED
_____ All Eligibility & Enrollment Records (Examples: Applications, correspondence, eligibility system screen prints and account notes)
_____ Premium Amount & Due Date (Examples: Amount paid on Enrollee’s behalf, when paid, for what coverage months)
_____ Insurance Identifiers & Coverage Dates (Examples: Enrollee’s assigned health and dental plans, dates covered under plans)
OTHER, EXPLAIN: ____________________
INITIAL: _____ I DO _____ I DO NOT authorize FHKC to release or disclose any information pertaining to the Human Immunodeficiency Virus (HIV) which is the causative agent of Acquired Immune Deficiency Syndrome (AIDS) including, but not limited to, specific laboratory tests, test results, the diagnosis of AIDS or HIV or any related conditions and any and all medical records and clinical information relating to the evaluation, diagnosis and treatment relating to HIV, AIDS or any related conditions.
INITIAL: _____ I DO _____ I DO NOT authorize FHKC to release or disclose any information, including but not limited to, the medical records and clinical information pertaining to the assessment, evaluation, treatment and/or hospitalization related to mental health or psychiatric illnesses or conditions.
INITIAL: _____ I DO _____ I DO NOT authorize FHKC to release or disclose any information, including but not limited to the medical records and clinical information pertaining to the assessment, evaluation, treatment and/or hospitalization for any drug, alcohol or substance abuse or use.
FHKC is authorized to disclose and release the Enrollee’s PHI, as specified above, for the specific use(s) or purpose(s) of:
_____ To assist Enrollee With KidCare Account
_____ Legal
_____ At the Request of the Individual
_____ Language Translation
_____ Other ____________________
This authorization will expire on ____________________. If no date is specified, this authorization shall expire one (1) year after the date it is signed.
I understand that THE SIGNING OF THIS FORM IS VOLUNTARY and:
▪ Once the person or entity named to receive the PHI is given that information by FHKC, that information may no longer be protected by the federal Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the hands of the person or entity to whom I have authorized its release.
▪ I may revoke this authorization, at any time, upon the written request to FHKC’s Privacy Officer, except to the extent that action has been taken in reliance of this authorization.
▪ I have the right to receive a copy of this authorization.
▪ Treatment may not be conditioned on the signing of this authorization, and its signing is voluntary.
I have fully read and understand the nature of this Authorization and accept its terms. I authorize FHKC to disclose and release the specific PHI, as indicated for the specific use(s) and purpose(s) listed.
Signature of Applicant Parent OR Enrollee Signature (if no longer a minor): ____________________
Printed Name of Person Signing: ____________________
Date: ____________________

• Florida KidCare uses the ROI form to determine who is authorized to access account information.
• An ROI form should be voluntarily completed by the applicant parent or guardian.
• One ROI must be properly completed and on file for each enrollee (child) prior to disclosure. Make sure to initial where indicated.
• The ROI form is available in English, Spanish and Creole.

Within limits, HIPAA allows for the free flow of PHI for treatment, payment and health care operations. This is why the ROI is so important.

• All Florida KidCare applicants or enrollees have the right to privacy and to keep information about themselves from being disclosed.
• Florida KidCare uses the ROI form to determine who is authorized to access account information.

Florida KidCare staff are limited in the type of information they are allowed to disclose to third parties, such as:
• Full disclosure – All account information is provided
• Minimum disclosure – Information needed to resolve a family’s concerns is provided
• Limited disclosure – Confirmation of coverage, dates of coverage, name of child’s health & dental plan, and amount of premium being paid are provided
• No disclosure – No information is provided without a completed ROI on file

With the successful completion of the HIPAA training, contracted Florida Healthy Kids Corporation community partners assisting families in applying for Florida KidCare may be given “minimum disclosure” to family account information without an ROI.

Under new legislation, a non-applicant parent can have limited disclosure to Florida KidCare account information. In other words, a non-applicant parent can contact Florida KidCare (with the child’s information such as DOB and SSN) and is able to receive the following types of account information without an ROI on file:
• Confirmation of coverage
• Dates of coverage
• Name of child’s health & dental plan
• Amount of premium being paid

• Name
• Address
• Phone Number
• Social Security Number
• Date of Birth
• Premium Payment
• Relatives
• E-mail Address
• Health/Dental Plan #
• Employer
• Account Number

• Patients seeking treatment from a health care provider must get a “Notice of Privacy Practices” from their provider.
• Florida KidCare sends out a notice of privacy practices to all new enrollees and every 3 years to current enrollees.

Covered healthcare organizations must have appropriate technical and administrative safeguards in place to protect patient information, such as:
• All community partners assisting families in applying for Florida KidCare must receive HIPAA training and successfully pass the Florida KidCare HIPAA compliance test.

Every covered healthcare organization must have a HIPAA Compliance Officer. Merrio Tornillo acts as the HIPAA officer for FHKC; you can reach her at (850) 701-6167.

To ensure an applicant or enrollee’s privacy, certain security safeguards must be in place to:
• Protect information from accidental or intentional disclosure to unauthorized persons, and
• Protect information from alteration, destruction, or loss.

Who Do I Contact When an Applicant or Enrollee’s Rights Are Violated?
• Contact the HIPAA Compliance Officer of the organization that violated the privacy regulation.
• File a federal complaint with the United States Department of Health and Human Services Office for Civil Rights.

Community partners who fail to comply with HIPAA policies and procedures risk the discontinuation of their FHKC contract.

HIPAA calls for severe civil and criminal penalties for non-compliance, including:
• Fines up to $25,000 for multiple violations of the same types of information in a calendar year
• Fines up to $250,000 and/or imprisonment up to 10 years for knowingly misusing individually identifiable health information

You must comply with HIPAA because, as a community partner, you may receive PHI electronically, such as:
• Florida KidCare eligibility determinations
• Florida KidCare premium amounts
• Florida KidCare enrollment information

To maintain HIPAA security you must:
• Prevent unauthorized access and disclosure
• Prevent loss of information
• Secure electronic information
• Secure paper records

Overheard Conversations
• Be careful what you discuss among staff both inside and outside of the office

Information Left in Public View
• All paper files must be collected and stored or shredded every day

To prevent unauthorized disclosures Florida KidCare staff will:
• Always check the credentials of a requester
• Always check a client’s authorization
• Report incidents to your organization’s HIPAA Compliance Officer

• Use encryption when sending an email with PHI. Check with your IT Department on how to encrypt your correspondence.
• Do not copy others on an e-mail with PHI without written consent from the client

For additional information about HIPAA, visit the U.S. Department of Health and Human Services at:
http://www.hhs.gov/ocr/privacy/index.html