
HIPAA PRIVACY POLICIES

WSHIP Privacy Training, April 1, 2003

Prepared By: People Making Technology Work ™

Page 1: HIPAA PRIVACY POLICIES

Page 2: Setting a Standard for Privacy

• HIPAA: Standards for the Privacy of Individually Identifiable Health Information
• Federal and State Regulations
• Case Law
• Accreditation and Certification Standards
• Professional Standards of Practice

HIPAA has put a spotlight on privacy, but it is not a new issue for us or for others in the healthcare industry; maintaining the confidentiality of patient information has always been important. Many sources, including federal and state regulations and accreditation and audit standards (like NCQA or SAS 70), address privacy by requiring applicable organizations to have policies in place to protect confidentiality and secure health records from loss, destruction, and unauthorized use.

There are standards within HIPAA, however, which require us to put in place new policies and processes. As we begin the implementation of these processes, we want to increase your awareness, provide you professional guidance and remind you that we are all bound by the WSHIP Privacy and Security Policies, which require us to promote and protect the confidentiality and security of health information and health records of our enrollees.

Page 3: Relationships with Others

• Agreements required with Business Associate subcontractors
• Confidentiality Statements required from others
• All players subject to the same privacy rules
• Compliance monitored by the Privacy Director

In fulfilling our requirements as a Health Plan, WSHIP may subcontract with others and/or use vendors. Any subcontractor who will have access to patient data in order to fulfill their functions is considered a Business Associate. They must be subject to all the same requirements and restrictions as WSHIP. Examples of Business Associate subcontractors include:

• ACS – Enrollment and Claims administration

• AHH – Utilization Management and Case Management

• Merck Medco – Pharmacy Benefit Services

The Privacy Director is responsible for monitoring compliance and for ensuring that all required Business Associate contracts are in place and that each Business Associate agrees to keep information confidential.

Page 4: What Must Be Kept Confidential?

PHI: Protected Health Information

The HIPAA Privacy Rule defines the type of information that must be kept private by categorizing it as “Protected Health Information,” or PHI for short.

Healthcare organizations must have policies in place that address the handling, maintenance and privacy of PHI.

What is PHI?

Page 5: Understanding PHI

Claims, Premiums, Authorizations, Databases, Correspondence

• Information that is individually identifiable
• Demographics
• Any form or medium
  – Oral or Written
  – Electronic
  – Formal or Informal

PHI is any and all information about an individual’s physical or mental health that identifies the individual, or from which there is a reason to believe the information could identify them. This includes any type of information found in our records, such as nursing notes, diagnoses, claims correspondence and so forth.

PHI also includes demographic information such as name, address, phone and fax numbers, e-mail address, date of birth, social security number, relatives’ names, photographs: any type of information that could identify the individual.

Page 6: Use of PHI

• Sharing, application, utilization, examination, or analysis of PHI within the organization
• Allowable uses include only what is required for Treatment, Payment or Healthcare Operations, or Required by Law

The terms “use” and “disclosure” are important in understanding how to appropriately protect an individual’s privacy, yet get your job done. These terms are frequently used in the HIPAA Privacy Rule, policies and procedures, and the day-to-day business of WSHIP.

First, let’s look at the term “use.” Simply, “use” refers to how confidential patient information (PHI) is used within an organization to facilitate treatment of the patient, fulfill the billing and payment functions, and support required operational needs of the health plan.

Page 7: Disclosure of PHI

• The release, transfer, access, or divulging of PHI to an outside person or entity
• When responding to a request, validate the requester and ensure it is an allowable use (“TPO”)
• Authentication and Authorization may be required

Disclosure relates to how you communicate protected health information to an outside person or entity. Whether the information is released orally, transferred via fax, accessed through the computer system, or otherwise divulged, discretion must be used when disclosing information. The receiving party must be authorized and have a need to know or receive the PHI.

Customer Service and Operations staff have been trained to authenticate or validate the requester and their business purpose. Whenever possible, refer requests for a disclosure to the Customer Service Department.

Page 8: Minimum Necessary

• What can I access?
  – Information you “need to know” to do your job
• Does it apply in every situation?
  – Treatment
  – Patient
  – Use and Disclosure

Accessing, using, or disclosing PHI on a need-to-know basis to get your job, or a specific task, done is an important concept under HIPAA known as “minimum necessary.” Physical and technical mechanisms such as locking file cabinets, passwords on applications and locked facilities limit access to information, as do policies for the release of information.

Does the minimum necessary standard apply in every situation? No. The minimum necessary standard does not apply to providers or family members directly involved in treatment. It also does not apply to the patient: they can have access to their own protected health information. And it does not apply to a HIPAA standard transaction, in which you have to complete all required fields. The minimum necessary standard applies to all other aspects of Use and Disclosure for Payment or Healthcare Operations.

Page 9: How Do I Handle…

…Another member of the workforce or family member inquiring into a patient’s condition or treatment?
  – Determine if it is necessary to WSHIP’s TPO
  – Is it required to do their job or to treat the patient?
  – Keep it confidential

You may encounter a situation where another member of the workforce asks you about a patient’s condition or treatment. Can you disclose the confidential information?

First, consider the reason: are they part of the professional team treating the individual or providing advice or consultation? If yes, they may have access to all PHI. Are they a billing clerk asking for information to do their job? If yes, you can disclose the information needed for their job.

If the information is not needed for the person to do their job or for treatment purposes, the confidential information should not be disclosed to them without a compelling reason.
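The need-to-know rule on this slide and the Minimum Necessary slide before it can be enforced in software as a field-level filter that denies by default. The following is an added example, not code from the WSHIP deck or from ACS; the role names, field names, need-to-know profiles and the enrollee record are assumptions made for illustration. It implements the cases the two slides describe: a treating provider gets the whole record, the individual gets their own record, a billing clerk gets only the billing fields, and a role with no profile, or a purpose outside treatment, payment or operations, gets nothing.

```python
"""Field-level "minimum necessary" filter for a health-plan record.

Added example, not from the WSHIP training deck. The role names, field
names, need-to-know profiles and the sample record are assumptions made
for illustration.
"""

TPO_PURPOSES = {"treatment", "payment", "operations"}

# Constructed enrollee record (not real data). Every field here is PHI as
# defined on the "Understanding PHI" slide: it identifies the person and
# concerns their care or payment.
SAMPLE_RECORD = {
    "member_id": "M-000123",
    "name": "Jane Q. Sample",
    "dob": "1961-04-02",
    "ssn": "123-45-6789",
    "address": "100 Example St, Seattle WA",
    "diagnosis": "E11.9 type 2 diabetes",
    "nursing_notes": "Reports fatigue; insulin dose adjusted.",
    "claim_amount": 412.50,
    "claim_status": "pending",
}

# Need-to-know profiles: role -> the fields that role needs to do its job.
# Anything not listed is withheld. The roles are hypothetical.
NEED_TO_KNOW = {
    "billing_clerk": {"member_id", "name", "claim_amount", "claim_status"},
    "customer_service": {"member_id", "name", "claim_status"},
    "case_manager": {"member_id", "name", "dob", "diagnosis", "nursing_notes"},
}

# Roles on the treating team: minimum necessary does not apply to them
# when the purpose is treatment, so they see the whole record.
TREATING_ROLES = {"treating_provider"}


class AccessDenied(Exception):
    """Raised when no rule permits the requested use of the record."""


def minimum_necessary(record, role, purpose, requester_member_id=None):
    """Return the subset of `record` that `role` may see for `purpose`.

    Default-deny: a purpose outside TPO, or a role without a profile,
    gets an exception rather than the whole record.
    """
    # The individual may always see their own PHI.
    if requester_member_id is not None and requester_member_id == record["member_id"]:
        return dict(record)

    if purpose not in TPO_PURPOSES:
        raise AccessDenied(f"purpose {purpose!r} is not treatment, payment or operations")

    # Treating team, for treatment: the standard does not apply.
    if role in TREATING_ROLES and purpose == "treatment":
        return dict(record)

    # Everyone else (including a provider asking for a non-treatment
    # purpose) gets only the fields in their profile.
    allowed = NEED_TO_KNOW.get(role)
    if allowed is None:
        raise AccessDenied(f"no need-to-know profile for role {role!r}")
    return {field: value for field, value in record.items() if field in allowed}


if __name__ == "__main__":
    print(minimum_necessary(SAMPLE_RECORD, "billing_clerk", "payment"))
```

The important design choice is that the profile table is an allow-list: a new field added to the record is invisible to every role until someone decides who needs it, which is the "minimum necessary" default the slide asks for.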

Page 10: Other Limits on Disclosure

• Underwriting and Pre-Enrollment Information
• Plan Sponsors or Employers
• Brokers and Agents
• Marketing
• Fundraising
• Research Activities
• Meeting Materials

Policy 2.1, Allowable Use and Disclosure, outlines specific limitations on Use and Disclosure. Many activities that may have seemed okay yesterday are not allowable under HIPAA.

Page 11: Individual Rights

…An individual has a right to:
- Access their records
- Amend their records
- Obtain an Accounting of disclosures
- Request a restriction on the use of their PHI
- Request any communications be sent to a confidential location
- Submit a formal complaint

In addition to addressing general privacy concerns, HIPAA gives individuals an array of privacy rights and more control over how their confidential information is used and disclosed. Let’s look at a couple of scenarios you may encounter and discuss how they are handled.

Page 12: How Do I Handle...

…A request to obtain an accounting of disclosures or access to records?

• Route requests to trained Customer Service Reps
• Once notified of an approved request, ACS will coordinate the entire record set and generate correspondence

Individuals may request from their Health Plan an accounting of disclosures of their PHI, covering all releases except those for Treatment, Payment, or Healthcare Operations, for a six-year period. The Health Plan must provide this at no cost to the Member.

ACS will be providing the infrastructure to respond to these requests and will be pulling together the entire WSHIP record set from our delegated entities, including ACS, Merck Medco and AHH.
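Producing that accounting is an audit-log problem: each delegated entity keeps its own disclosure log, and the accounting is the merge of those logs for one member, with TPO disclosures left out, the six-year window applied and duplicates collapsed. The block below is an added example, not ACS’s system or any code from the deck; the Disclosure fields, the purpose names, the sample entries and the use of ACS, AHH and Merck Medco as log sources are constructed for illustration.

```python
"""Accounting of disclosures merged from several delegated entities' logs.

Added example, not from the WSHIP training deck or from ACS. The
Disclosure fields, purposes, sample entries and source names are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Disclosures for treatment, payment or healthcare operations are exempt
# from the accounting; everything else in the window must be reported.
TPO = {"treatment", "payment", "operations"}
ACCOUNTING_YEARS = 6


@dataclass(frozen=True, order=True)
class Disclosure:
    when: date          # first, so entries sort chronologically
    member_id: str
    recipient: str
    purpose: str
    description: str
    source: str = ""    # which delegated entity's log it came from


def period_start(as_of: date) -> date:
    """First day of the six-year window ending on `as_of`."""
    try:
        return as_of.replace(year=as_of.year - ACCOUNTING_YEARS)
    except ValueError:   # as_of is 29 February; fall back to 28 February
        return as_of.replace(year=as_of.year - ACCOUNTING_YEARS, day=28)


def accounting(member_id: str, as_of: date, *logs):
    """Merge several disclosure logs into one accounting for `member_id`.

    Returns the non-TPO disclosures in the six years ending on `as_of`,
    oldest first, with the same disclosure recorded by two entities
    collapsed to a single entry.
    """
    start = period_start(as_of)
    seen = set()
    result = []
    for log in logs:
        for d in log:
            if d.member_id != member_id or d.purpose in TPO:
                continue
            if not (start <= d.when <= as_of):
                continue
            key = (d.when, d.recipient, d.purpose, d.description)
            if key in seen:
                continue
            seen.add(key)
            result.append(d)
    return sorted(result)


# Constructed sample logs from three sources, for an accounting requested
# on the date of this training. Not real data.
AS_OF = date(2003, 4, 1)
ACS_LOG = [
    Disclosure(date(2003, 1, 15), "M-000123", "Clinic X", "payment", "claim adjudication", "ACS"),
    Disclosure(date(2001, 6, 30), "M-000123", "County court", "required_by_law", "subpoena", "ACS"),
    Disclosure(date(1996, 12, 1), "M-000123", "University", "research", "study enrollment", "ACS"),
]
AHH_LOG = [
    # Same subpoena response, also logged by AHH: must appear once.
    Disclosure(date(2001, 6, 30), "M-000123", "County court", "required_by_law", "subpoena", "AHH"),
    Disclosure(date(2002, 3, 3), "M-000999", "State agency", "public_health", "report", "AHH"),
]
MEDCO_LOG = [
    Disclosure(date(1998, 5, 5), "M-000123", "State agency", "public_health", "adverse event report", "Merck Medco"),
]


if __name__ == "__main__":
    for d in accounting("M-000123", AS_OF, ACS_LOG, AHH_LOG, MEDCO_LOG):
        print(d.when, d.recipient, d.purpose, d.description)
```

For member M-000123 the payment disclosure drops out as TPO, the 1996 research disclosure falls outside the window that starts 1 April 1997, the duplicate subpoena entry is reported once, and the member gets two entries in date order.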

Page 13: How Do I Handle…

…An individual asking for restrictions or special handling of records?

• Route requests to trained Customer Service Reps
• All requests must be received in writing
• Do not discuss what we “can” agree to

ACS will also handle all requests for restrictions or special handling. It is important that we let them do this. Under the law, any approved request must be upheld by the Health Plan and each of its subcontractors. As a WSHIP Representative, you may on occasion be contacted by members. If, in talking to a member on the phone, you imply that we will agree to something, we must do so. This could put us in the position of agreeing to uphold a restriction that cannot be upheld due to system limitations or because it would restrict the member’s access to benefits.

ACS has strict guidelines under which they will approve or deny requests for restriction or confidential communications. They will handle all member communications.

Page 14: How Do I Handle...

…An Individual wishing to file a complaint?

• Route immediately to trained Representatives
• All complaints must be received in writing
• Respect the individual’s rights
• Refer them to the Privacy Notice

Again, refer this type of member contact to trained ACS staff. Civil or criminal liabilities could be imposed for violations of the HIPAA Privacy regulations. ACS has specific guidelines for handling complaints so as to mitigate the impact to the organization and ensure compliance with these rules.

WSHIP’s Privacy Notice outlines the specific steps to file a complaint.

Page 15: Privacy Musts…

• Protect the Privacy of PHI using processes that support both Physical and Technical safeguards to restrict access
• Refer requests for disclosure to trained individuals

With all of these specific requirements, it is a must for us to simplify in order to avoid becoming a target.

We must do everything we can to make sure that we are protecting the privacy of patient data, that we are operating within the limitations of the law and, when required, that our actions are consistent with policy as it relates to administering patient rights or responding to questions regarding patient privacy.

The safest way to do that is to allow those who are specifically trained to handle these issues to do so.

Page 16: What Happens If…

…a privacy policy is violated?
  – Responsibility to Report
  – Incident Reporting Form
  – Report to the Privacy Director
  – No Retaliation
  – Consistent Sanctions applied

Let’s say the worst-case scenario happens and a privacy policy has been violated. Now what? Each healthcare organization is required to develop its own sanctions for violating a privacy policy or breaching confidentiality.

A member also has the right to file a complaint within the organization and with the federal Office for Civil Rights.

WSHIP may not retaliate against any member, employee or representative for reporting a violation. It must, however, act immediately to document, respond and mitigate any harmful effects to the subject member.

Reports of any violation or complaint should be submitted directly to the Privacy Director.

Page 17: Physical Security

• Support building access controls and visitor control policies
• Provide for secure record storage
• Return or destroy materials that are no longer needed

Physical security measures may be simple, but they should be appropriate to the information you have at your location. If you have retained any PHI, you must make sure that it is appropriately secured, or return it to ACS for destruction.

Page 18: “Privacy-Friendly” Practices

• Shred or destroy PHI – do not discard
• Secure Printer, Fax and Copy machine locations
• Keep patient information (conversations, reports, etc.) out of public areas
• Clear your desktop of PHI

There are everyday things you can do that will help protect patient privacy.

Make sure paper, documents, reports, and the like containing patient information are shredded or otherwise destroyed before they go in the garbage. This will help to ensure that confidential information is not inadvertently seen by unauthorized individuals. Discs or CDs may also be shredded. If your shredder cannot handle these heavier materials, return the items to ACS for destruction.

If fax and copy machines are used to send or copy PHI, make sure they are located away from public areas and from staff who do not have a “need to know”. Regularly clear the fax, printer and your desktop of PHI. If it is not currently in use, it should be stored in a secure location.

And always consider where you are talking about confidential information. Are you in a public area where others can hear? Whether you are talking to a patient or family or with other staff members, try to keep your conversations from being overheard.

Page 19: Transmission of PHI

• Do not use E-mail to transmit PHI. E-mails are easily intercepted.
• Attachments or file transfers must use a secure connection or be encrypted
• FAX is treated as a secure transmission (send only to a fax machine in a secured location; see “Privacy-Friendly” Practices)
• De-identify whenever possible
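“De-identify whenever possible” means removing the identifiers listed on the Understanding PHI slide before the data leaves the plan. The following is an added example, not code from the deck; the field names, the regular expressions, the key and the sample record are assumptions. It goes a little beyond the slide’s list in two ways that are standard practice: it keeps only the year of birth (the Privacy Rule’s safe-harbor method permits the year but not the full date of birth), and it replaces the member number with a keyed HMAC pseudonym so the plan can re-link results internally while the recipient, who does not hold the key, cannot.

```python
"""De-identify a record before it leaves the plan.

Added example, not from the WSHIP training deck. It removes the direct
identifiers the "Understanding PHI" slide lists, scrubs identifier
patterns out of free text, keeps only the year of birth, and replaces the
member number with a keyed pseudonym. Field names, regexes, the key and
the sample record are assumptions for illustration.
"""
import hashlib
import hmac
import re

# Direct identifiers named on the "Understanding PHI" slide, as field names.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "dob", "ssn",
    "relatives", "photo",
}

# Patterns for identifiers that turn up inside free text (notes, letters).
# Order matters: SSNs are removed before the looser phone pattern runs.
TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]

# Constructed key for the demo only; a real key lives in a secrets store,
# never in source code.
PSEUDONYM_KEY = b"example-key-for-the-demo-only"


def scrub_text(text: str) -> str:
    """Replace identifier patterns in free text with a bracketed label."""
    for label, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def pseudonym(member_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the member number: stable, so the plan can re-link it,
    but not reversible or recomputable by a recipient without the key."""
    return hmac.new(key, member_id.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of `record` with direct identifiers removed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "member_id":
            out["pseudonym"] = pseudonym(value, key)
            continue
        out[field] = scrub_text(value) if isinstance(value, str) else value
    # Year of birth alone is retained (safe-harbor allows the year, not the date).
    if "dob" in record:
        out["birth_year"] = int(record["dob"][:4])
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "member_id": "M-000123",
    "name": "Jane Q. Sample",
    "dob": "1961-04-02",
    "ssn": "123-45-6789",
    "address": "100 Example St, Seattle WA",
    "relatives": ["John Sample (spouse)"],
    "diagnosis": "E11.9 type 2 diabetes",
    "nursing_notes": "Called pt at 206-555-0147, SSN 123-45-6789 confirmed; "
                     "follow-up via jane.sample@example.com.",
    "claim_amount": 412.50,
}


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Dropping the structured fields is the easy part; the text scrub is what catches the identifiers staff type into notes, and it is only as good as its patterns, so free text should still be reviewed before release.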

Page 20: Technical Security

• Maintain access to systems only on a need-to-know basis
• Position Monitor to “conceal not reveal”
• Store data in a secure location – not the “C” drive or an unsecured diskette

Your desktop computer must also be considered when evaluating security. If you have access to applications that you do not use or do not need, take steps to have your access terminated to avoid any potential liability.

Position your monitor to reduce the likelihood of unauthorized parties viewing confidential information on the screen. And consider the security of where you store information. A login password does not protect files on the local “C” drive: anyone with physical access to the machine can read an unencrypted local disk. Information is safer when stored on a secure network share, or even on a CD or disc that is kept in a secured container.

Page 21: Passwords

• Use a screen saver
• Log off for extended periods of inactivity
• Keep passwords secure
  – Unique log-on
  – 8 Characters
  – Letters, numbers & special characters
  – Don’t share or post

If you do have access to applications that hold PHI, be sure you are using a strong password as defined in our Password Policy 4.6. In addition, you should use a password-protected screen saver to “lock out” the computer if you are away for a period of time.

Page 22: Additional Concerns for At-Home Workers

• Transport PHI in a secure manner
• Minimize exposure to family & friends
• Individual system settings
• Secure access to systems and networks
• Firewall?

These same standards apply to at-home workers and occasional users that access patient data from home. Do not be casual about security in your home, and work to reduce unnecessary disclosure to those without a business need to know.

Page 23: Privacy SME’s

• Subject Matter Experts
• Professional concern for protecting patient privacy
• Know your Privacy Director
• Seek advice

Protect & Serve

When you have a question or concern related to privacy, do not be afraid to seek professional advice. Our Privacy Director is ethically bound to protect patient privacy and can be a resource on confidentiality, use and disclosure issues. As a member of various professional organizations, she has access to a number of professional resources to assist with implementation of HIPAA and management of confidentiality issues.

Thank you for your time.

Beth Kranda

Privacy Director

Washington State Health Insurance Pool

317-614-2139

[email protected]