HIPAA Privacy Rule - Youngstown State University

HIPAA Privacy Rule
Compliance Training for YSU
April 9, 2014
What is HIPAA?
 Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996
 Federal law that gives patients rights over how their Protected Health Information (PHI) is used and shared by health care providers and other covered entities
 Ensures the confidentiality of PHI
What is PHI?
(Protected Health Information)
 "Individually identifiable health information" in any form - paper, electronic, or oral
 Relates to the physical or mental health condition of an individual
 Identifies, or can be used to identify, an individual (e.g., name, address, birth date, Social Security number, account number)
 Is in the possession of, or has been created by, a covered entity
Examples of PHI
(These are the HIPAA standard electronic transactions; the individually identifiable data they carry is PHI.)
 Health care claims
 Health care payment and remittance advice
 Coordination of benefits
 Health care claim status
 Enrollment or disenrollment in a health plan
 Eligibility for a health plan
 Health plan premium payments
 Referral certification and authorization
What is the HIPAA Privacy Rule?
 Provides federal protection for PHI held by covered entities and their Business Associates
 Gives patients rights to determine who can look at and receive their health information
 Applies to all forms of protected health information - electronic, written, or oral
Who Must Comply?
Health Plans
 Health insurance companies, HMOs, Medicaid, Medicare, and employer-sponsored health plans
Health Care Providers
 Doctors, clinics, hospitals, pharmacies, and dentists that transmit health information electronically (e.g., electronic billing to insurers)
Health Care Clearinghouses
 Entities that convert nonstandard health information into standard formats, or the reverse (e.g., billing services)
What is the HIPAA Security Rule?
 Specifies the administrative, physical, and technical safeguards required to assure the confidentiality, integrity, and availability of electronic PHI (ePHI)
Employer has 2 Roles
If the Employer is the Plan Sponsor of a self-insured plan, it has two different roles:
 Employer
 Plan Sponsor
Employer Role
The HIPAA Privacy Rule does not apply to medical information the employer receives in its employer role, such as when:
 A doctor's information is needed to determine FMLA leave or an ADA accommodation
 A doctor's release is needed for an employee to return to work
 A Workers' Compensation injury is reported
 OSHA logs are maintained
 Wellness programs are administered
 Health insurance is handled in the employer's own capacity
Plan Sponsor Role
The HIPAA Privacy Rule does apply when the employer:
 Participates in the administration of a group health plan
 Is involved in the plan's decision-making process
Plan Sponsor Responsibilities
 Designate a privacy officer
 Provide written PHI procedures
 Limit uses and disclosures of PHI to the "minimum necessary" to accomplish the intended purpose
 Require business associates to ensure confidentiality through written contracts/agreements
Employees’ Rights
Employers acting in a plan sponsor role may not share
employee PHI without written authorization unless it
is shared:
 With the employee
 For treatment/care coordination
 To pay for employee health care services.
Employees' Rights
(cont.)
Employees have a right to:
 A copy of their medical records
 Request restrictions on who can obtain their PHI
 Request amendment of incorrect information in their medical records
 An accounting of when, to whom, and why their PHI was disclosed
 File complaints
HIPAA Privacy Violations
 Civil penalties - starting at $100 per violation
 Minimum annual cap of $25,000 per year, per person, per standard (these are the lowest-tier figures; since the 2009 HITECH Act penalties scale with culpability, up to $50,000 per violation and $1.5 million per year for identical violations)
 Criminal penalties - $50,000 to $250,000 in fines and imprisonment
 Additional penalties under state law
 Lawsuits
Summary
 Medical information maintained by employers is not always considered PHI
 The employer must determine where the information was obtained and whether it is maintained in the role of employer or of plan sponsor of a group health plan
 Regardless of the role, employers should carefully handle all employee medical information