HIPAA Privacy Awareness Training

Protecting Individual Health Information

HIPAA Privacy Rule

 Objectives And Agenda

 Overview HIPAA Privacy Rule

 Explain implications to and within our
organization
 Identify what you need to do differently

HIPAA Privacy Rule

 Part 1
Overview Of Privacy Rule

Protecting Individual Health Information

 Privacy Rule … A Quick Glance

 Part of Health Insurance Portability and

Accountability Act of 1996—HIPAA
 Effective April 14, 2003 for larger employers
and April 14, 2004 for smaller employers
 What it does:
 Limits sharing of confidential health information, called
Protected Health Information (PHI)
 Restricts employers from using PHI in employment
decisions
 Requires employers to establish and follow certain
procedures
4

HIPAA Privacy Rule

 What Is PHI?

 Protected Health Information is:

 Employee or plan participant health information that
• Identifies individuals (or could be used to identify
them)
• Relates to past, present, or future health care
condition, provision of care, or payment for care
 Created or received by employer, health plan, or other
Covered Entity
 PHI can be electronic, paper, or verbal

HIPAA Privacy Rule

 Examples Of PHI

 Examples of PHI include:

 Medical bills from hospital
 Diagnostic information
 Other doctor/patient information that is part of the
health plan record
 E-mails from vendors that discuss the health condition
of an employee or employee’s dependent

Important! If you use PHI now (for example

to help employees with claim denials), you
will need to make changes to conform with
our new policies!

HIPAA Privacy Rule

 What The Privacy Rule Does Not Cover

 Generally, information that is part of employment

records is not PHI
 Examples—Health information used in these processes
is generally not PHI:
• Pre-employment physicals/substance abuse
screenings
• FMLA leaves for serious health conditions

• ADA accommodations

• Work Restrictions

• Employees calling in sick

Information gathered in “employer role” is part of
employment file and is NOT PHI.

HIPAA Privacy Rule

 Which Health Plans Are Covered?

 Plans Covered by the Privacy Rule

 Medical Plan
 Dental Plan
 Health Care Flexible Spending Account
 Employee Assistance Program (EAP)

 Also  Not Covered

 HMOs
 Health insurance issuers
 Medicare and other
government programs
 Long-term care policies
 Disability
 Life insurance
 Workers’ Compensation

HIPAA Privacy Rule

 Part 2
Complying With The Privacy Rule

Protecting Individual Health Information

 The Changing Flow Of Information

PHI Before
April 14 Supervisor
Facility
Managers
File Clerk

Claims
Administrator
Doctor

Anyone in HR
Hospital

Any Insurance
Company

10

HIPAA Privacy Rule

 The Changing Flow Of Information

PHI After April 14 Supervisor

File Clerk PHI-Designated HR

Staff Member

Providers:
• Doctors Facilities
• Hospitals Managers

Any Insurance Anyone in Human

Company Business Associates Resources
with signed agreements

11

HIPAA Privacy Rule

 The PHI Box
• Health Plan: PHI from the health
Those “In The Box” May plan can only be shared with
Share PHI With Each Other those in the box
• Providers: Doctors, hospitals,
Health Clearing- clinics, etc.
Plan house
• Clearinghouse: Data
Provider management firms that code
provider bills

• PHI can be shared with others who we retain for plan administration and
who agree in writing to comply with the Privacy Rule
• Employee/participant must authorize any “non-routine” use

If you are not in the box or have an agreement with the Plan
Sponsor or the Provider, you cannot have access to PHI
without written authorization from the employee
12

HIPAA Privacy Rule

 Who Is Responsible For Compliance?

 All management
 Only PHI-designated Human Resources staff
members can access and process PHI
 Managers must adhere to policies and
procedures and defer to PHI-designated staff

13

HIPAA Privacy Rule

 Example

 An employee has a problem with a medical plan

claim and goes to a manager at a location
 In the past, the manager may have contacted an outside
administer to get clarification
 Under the new procedures, the manager defers the
employee to PHI-designated Human Resources staff
member for assistance

14

HIPAA Privacy Rule

 What If The Plan Does Not Comply?

 The Privacy Rule is enforced by U.S. Department

of Health and Human Services (HHS)
 HHS can impose both civil and criminal penalties
on the Covered Entities for noncompliance
 Civil penalties—$100 fine per violation,
up to $25,000 per person/year
 Criminal penalties—Up to $250,000
fine and 10 years in prison

Important! Employees may file complaint

with HHS for wrongful disclosure.

15

HIPAA Privacy Rule

 New Procedures

 Appointed Privacy Officer to:

 Develop and implement Privacy Rule compliance
policies and procedures
 Monitor and ensure the college’s compliance
 Designated certain Human Resources staff
members to be the only individuals responsible
for PHI processing, record retention and
management
 Play it Safe!
 Always refer employees to a PHI-designated staff
member if you have any issues involving the covered
plans

16

HIPAA Privacy Rule

 Our Privacy Officer

 Employee Plans - Linda Laughlin, Associate HR

Director

 Student Plan - Administrative Assistant/ Student

Insurance Specialist, Wellness Center

17

HIPAA Privacy Rule

 New Procedures

 Created a “firewall” to separate health plan

information from other employee data
 Took steps to safeguard PHI
 Keep PHI out of sight
 Don’t discuss PHI in public
 Watch who is e-mailed PHI
 Fax with care

18

HIPAA Privacy Rule

 How Are Managers Affected?

 Managers/Supervisors
 Must understand and comply with Privacy Rule
 Must understand which plans are covered
• For example, Privacy Rule does not affect other
policies, such as FMLA or Workers’ Compensation
 Know when and how to contact Privacy Officer or
other designated staff

Important! Managers and Supervisors must be

aware of Privacy Rule and how to comply.!

19

HIPAA Privacy Rule

 How Are Managers Affected?

 Examples—Unless authorized, managers and

supervisors may not:
 Discuss specific health care claims with the carrier
 Discuss the cost or details of claims with anyone
 Use PHI for employment-related actions (hiring, firing,
promoting)

Important! Only certain Human Resources staff

members may use/disclose PHI. Even then, the
employee must sign a specific authorization
for any “non-routine” use or disclosure.

20

HIPAA Privacy Rule

 Part 3
Overview of Employee Rights

Protecting Individual Health Information

 Privacy Rights Notice

 Employees/participants must receive a Notice of

Privacy Rights
 Summarizes rights to access/control PHI
 Your Privacy Notice will describe your rights under the
Privacy Rule

22

HIPAA Privacy Rule

 Employee Rights

 Right to inspect and copy PHI

 Must request in writing
 Request can be denied for certain reasons
 Right to amend PHI
 Health plan has 60 days to act on request
 Right to request list of PHI disclosures
 Except for treatment, payment of medical expenses or
normal operation of the plan
 Plan only needs to disclose last six years of PHI and not
earlier than April 14, 2004
 Must be in writing and specify details

23

HIPAA Privacy Rule

 Employee Rights (cont’d)

 Right to limit disclosure

• Except for treatment, payment of medical expenses or
normal operation of the plan
 Right to file complaints
 Written complaints to HHS
 Follow our established process for handling complaints
 We MAY NOT penalize or retaliate against employees
who file complaints

24

HIPAA Privacy Rule

 HIPAA Scenarios
Scenario #1
Employee-Based Disclosure
John and Fred are peers, both working in production for a
widget manufacturing company. They are having coffee in the
break room, when John tells Fred, “I just found out I have
cancer, and I’m pretty worried about keeping my job if I have to
take time off to have treatment.” Later, Fred tells a co-worker
(in confidence), who passes it on to his supervisor and several
other employees of the company.

Was John’s right to privacy violated? Does he have a cause of action

against the employer or health plan? Why or Why not? What are the
proper steps to be taken?
Now that the supervisor knows, what should he or she do with the
information?
25

HIPAA Privacy Rule

 HIPAA Scenarios

Scenario #2
Birth Announcement

The Paper Company typically sends out a broadcast

announcement to all employees whenever a new baby is born to
one of their employees. Vital statistics are given, including name,
gender, and weight of the baby, along with health status (such as
“Mom and baby are doing fine,” or “Baby is still in the hospital
due to low birth weight, but Mom is home and doing well”).

Is disclosure of the birth Protected Health Information under HIPAA?

Why or why not?
What about the status of Mom’s and Baby’s health?

26

HIPAA Privacy Rule

 HIPAA Scenarios
Scenario #3
FMLA-Leave Based Disclosure
Patty’s assistant, Maria, tells her in confidence that she needs
to take several weeks off to take care of her mother, who has been
diagnosed with a serious health condition. Patty verbally grants
Maria’s request for time off. While Maria is on leave, Patty begins
passing work to other employees in the department, asking them to
help out. She innocently discloses information about the reason for
Maria’s leave to employees who question the reason for the added
workload.

What should Patty have done first in this situation?

Is Maria’s mother’s health situation protected? Why or why not?
What should/shouldn’t Patty tell other employees about Maria’s situation?
When the Privacy Official is made aware of the situation, what should
he/she do?
27

HIPAA Privacy Rule

 HIPAA Scenarios
Scenario #4
Vendor Disclosure
White Widgets provides employees with medical coverage
under a self-insured health plan. Claims are paid by Fred’s TPA.
Mary, a claims examiner for Fred’s TPA is processing claims when she
sees that Jeff, a key employee of White Widgets, is being treated for
HIV. She is best friends with Joan, who works for Jeff in his office. At
dinner that evening, she asks Joan how Jeff is doing since he has
undergone treatment. Joan was unaware of the situation and had no
need to know for plan operation purposes. The next day, she informed
Jeff and Human Resources that confidentiality has been violated.

What should the Privacy Official of White Widgets do?

What are the TPA’s responsibilities in light of the breach of privacy?
What are the potential penalties that could be assessed against the Plan, the
Privacy Official, and/or the TPA?
28

HIPAA Privacy Rule

 HIPAA Scenarios
Scenario #5
“Innocent” Disclosure
Barb works in Human Resources. Tom calls Barb and tells
her that he needs help with a claim issue. She has Tom sign an
authorization form allowing her to have access to Personal Health
Information for the purpose of resolving the claim.
Barb forwards the request to the Health insurance carrier and
then talks with the claims supervisor. She is able to resolve the
problem for Tom, but accidentally leaves her notes out in plain view on
her desk when she leaves for the evening.
While waiting for a meeting with Barb’s manager, plant
manager Joe sits at Barb’s desk, and he reads the information about
Tom’s ability to perform based on that health information, and tells
her where he got the information.
What should Barb’s manager do in this situation?
What should the Privacy Official do?
29

HIPAA Privacy Rule

 HIPAA Scenarios
Scenario #6
Intentional Disclosure for Gain
Joe’s TPA pays claims for 1,000 employers, covering 150,000
employees in the state of Minnesota. They have been losing market
share and need to boister their revenues. They have been approached
by a company that manufactures a product aimed at treatment of a
specific health condition, and sell to that company a list of subscribers
who have had treatment for that condition. Those subscribers receive
phone calls and mailings form the manufacturer, attempting to sell
their product.

Are the individual employer-sponsored plans liable for this disclosure by

their business associate (Joe’s TPA)?
What are the penalties for this type of disclosure?
What should the Privacy Official do when he/she is made aware of this
violation of privacy standards?
30

HIPAA Privacy Rule

 HIPAA Scenario Summary
Scenario1
-Privacy not violated voluntarily disclosed information.
-Does not have cause of action.
-Supervisor should talk with HR and Privacy Officer.

Scenario 2
-Could be under HIPAA if the information came from the health
plan.
-Employee has to request to disclose the information and should
provide a disclaimer.

Scenario 3
-Contact HR. Not a protected health situation. (Patty should have
contacted HR before authorizing leave.)
-Privacy Officer should educate.

31

HIPAA Privacy Rule

 HIPAA Scenario Summary
Scenario 4
-Privacy Officer should contact TPA supervisor, review BAA agreement
with TPA, implement established sanctions against Mary.
-TPA must disclose breach to plan.
-TPA may face civil penalties and individual(s) involved could face
criminal penalties and the contract could be terminated.

Scenario 5
- Document the disclosure and educate Barb and manager.
- Reinforce education.

Scenario 6
-Employer plan is not responsible if it has Business Associate Agreement
in place (Depending on “indemnification” provision of BAA.)
-TPA may face civil penalties and the individual(s) involved could face
criminal penalties.
- Report the violation to HHS.
32

HIPAA Privacy Rule

 It’s Important To Know That…

This presentation provides an overview of the HIPAA Privacy Rule and

broadly describes how this regulation will affect how the college handles
employee health information from our health care plans. This information is not
intended to provide all of the details of the HIPAA Privacy Rule or of the
college’s policies and procedures.

This presentation also does not constitute legal advice. If there is any
discrepancy between the provisions of the HIPAA Privacy Rule and the material
in this presentation, the terms of the HIPAA Privacy Rule will govern in all
cases.

33

HIPAA Privacy Rule