Health Insurance Portability and Accountability Act of 1996 (HIPPA)
- Allows individuals to keep health insurance when changing jobs
- Curbs employer denial of pre-existing conditions
- Establishes medical savings accounts
- Creates a uniformed standard for electronic transactions for claims processing
- Sets framework for protecting individual health information
Who must comply with HIPAA Privacy Rules?
- Health Plans
- Healthcare Providers
- Healthcare Clearinghouses
What is Protected Health Information (PHI?)
- Any information that relates to: the provision of healthcare to an individual; the past, present, future physical or mental health/condition; the past, present, future payment for the provision of healthcare to an individual
- AND it identifies the individual, or there is reasonable basis to believe that an individual could be identified.
- DHHS has defined 22 items (in the form of paper documents, computer files and/or verbal conversations) that can identify an individual, including:
Name
Address
Social Security Number
Date of Birth
Date of Service
Email Address
Telephone Number
Authorized uses of PHI
PHI can be used, disclosed, or requested if it is for treatment, payment, or healthcare operations.
Guidelines for discussing PHI
- Any use/disclosure of PHI must be of a business nature and must be kept to the minimum necessary
- Employees may use/disclose PHI to
-the member
-the member's immediate family member (spouse, children, parents)
-the provider
-another employee of the company
-an employee from an associated of contracted company
-an individual authorized by the member
Guidelines for Member Disclosure
Before any PHI can be discussed with the member, the member must provide his/her social security number and date of birth.
Guidelines for Member Authorized Individual
Before any PHI can be released to an individual that is not the member, or an immediate family member, company must have on file a power of attorney or written authorization form naming the individual as a member representative.
Guidelines for Discussion
- Speaker phones should only be used behind closed doors
- Be aware of your surroundings when discussing PHI
- Try not to talk about member PHI outside of work
- When speaking with employers, only enrollment/disenrollment information can be released without the member's authorization
Work Areas
Employees should be conscious of any PHI at desk.
- When not at desk - make sure PHI is not visible on computer monitor and conceal PHI documents at desk
- Remove all documents containing PHI from faxes, printers or copiers as soon as possible
Consequences for Non-Compliance
- Non-Compliance with Regulatory Requirements:
-$100 for each standard that is violated, with a maximum penalty of $25,000 per year, per standard; if all privacy standards are not followed, the maximum penalty could exceed $3,000,000,000 per year
- Wrongful Disclosure of Health Information
-knowing disclosure - fines up to $50,000 and/or 1 year in prison
-disclosure under false pretenses - fines up to $100,000 and/or 5 years in prison
-disclosure with the intent to sell, harm or use for profit - fines up to $250,000 and/or 10 years in prison
- Any wrongful disclosure that becomes known to the member will also likely result in civil monetary penalties as well
- Possible loss of accreditation (NCQA, JCAHO)
- DHHS audits/investigations and oversight
- Harms business interests (becomes public knowledge)
|
