THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL



Similar documents
HIPAA PRIVACY AND EDI RULES

HIPAA Privacy Summary for Fully-insured Employer Groups

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No A-94B, AFL-CIO. Notice of Privacy Practices

HIPAA Privacy Summary for Self-insured Employer Groups

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

Notice of Privacy Practices. Human Resources Division Employees Benefits Section

HIPAA. HIPAA and Group Health Plans

Department of Health and Human Services Policy ADMN 004, Attachment A

SDC-League Health Fund

PHI- Protected Health Information

HIPAA Privacy For our Group Customers and Business Partners

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES

8.03 Health Insurance Portability and Accountability Act (HIPAA)

HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS

HIPAA NOTICE OF PRIVACY PRACTICES

Graphic Communications National Health and Welfare Fund. Notice of Privacy Practices

Schindler Elevator Corporation

Use or Disclosure of PHI

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account

Connecticut Carpenters Health Fund Privacy Notice

Gaston County HIPAA Manual

Connecticut Pipe Trades Health Fund Privacy Notice Restatement

SOUTHLAKE DERMATOLOGY 1170 N. Carroll Ave. Southlake, TX Main Fax

NORTHSTAR DERMATOLOGY, PA NOTICE OF PRIVACY PRACTICES

State of Florida Employees' Group Health Insurance Privacy Notice

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

Metropolitan Living, LLC 151 W. Burnsville Parkway, Suite 101 Burnsville, MN Ph: (952) Fax: (651)

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices

HIPAA Employee Training Guide. Revision Date: April 11, 2015

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc.

RUTGERS POLICY. Policy Name: Standards for Privacy of Individually Identifiable Health Information

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS

HIPAA Security Manual Administrative Security/Omnibus Rule

The HIPAA Privacy Rule: Overview and Impact

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits

SARASOTA COUNTY GOVERNMENT EMPLOYEE MEDICAL BENEFIT PLAN HIPAA PRIVACY POLICY

Health Insurance Portability and Accountability Act (HIPAA)

Executive Memorandum No. 27

HIPAA and Privacy Policy Training

The Basics of HIPAA Privacy and Security and HITECH

APPLETREE PEDIATRICS, PA NOTICE OF PRIVACY PRACTICES

American Guild of Musical Artists ( AGMA ) Health Fund Privacy Notice. Plan A and Plan B

Pacific Medical Centers HIPAA Training for Residents, Fellows and Others

Whitefish School District. PERSONNEL 5510 page 1 of 5 HIPAA

HIPAA INFORMATION FOR METLIFE GROUP DENTAL and/or VISION INSURANCE CUSTOMERS

Frequently Asked Questions About the Privacy Rule Under HIPAA

HIPAA Compliance for Employers. What is HIPAA? Common HIPAA Misperception. The Penalties. Chapter I HIPAA Overview. The Privacy Regulations Why?

HIPAA Privacy & Security Rules

HIPAA Policies and Procedures

HIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE

HIPAA Privacy Overview

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

DALLAS ALLERGY & ASTHMA CENTER

HIPAA Privacy Manual

Health Insurance Portability and Accountability Policy 1.8.4

Member s Name First M.I. Last Dependent s Name (if enrolling in Medicare) First M.I. Last

APPENDIX 1: Frequently Asked Questions

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

ELKIN & ASSOCIATES, LLC. HIPAA Privacy Policy and Procedures INTRODUCTION

HIPAA-ACKNOWLEDGEMENT OF RECEIPT Notice of Privacy Practices

INSTRUCTION SHEET REGARDING NOTICE OF PRIVACY PRACTICES

HIPAA Privacy Overview

Annual Compliance Training. HITECH/HIPAA Refresher

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS

Manual for Community Care Network Providers

TJ RAI, M.D. THERAPY MEDICATION WELLNESS PRIVACY POLICY STATEMENT

Population Health Management Program Notice of Privacy Practices

The California State University

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010

NOTICE OF PRIVACY PRACTICES OF THE GROUP HEALTH PLANS SPONSORED BY ACT, INC.

HIPAA NOTICE TO PATIENTS

Notice of Privacy Practices

Genworth Life Insurance Company Genworth Life Insurance Company of New York NOTICE OF PRIVACY PRACTICES

BUSINESS ASSOCIATE AGREEMENT

Health Information Privacy Refresher Training. March 2013

NOTICE OF PRIVACY PRACTICES

HIPAA Auditing Tool. Department: Site Location: Visit Date:

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

HIPAA Compliance Manual

Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities

Health Insurance Portability and Accountability Act. Policies and Procedures Compliance Manual. Human Resources. Ferris State University

HIPAA Compliance Review

Harris County - Texas HIPAA Notice of Privacy Practices

Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

In order to adjudicate an appeal, OPM requires claimants or their authorized representatives to submit the following information:

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

NOTICE OF PRIVACY POLICY. Effective:, 2013

HIPAA Compliance Annual Mandatory Education

HIPAA BUSINESS ASSOCIATE AGREEMENT

ADMINISTRATIVE REQUIREMENTS OF HIPAA

FREE 30-Day Trial. Inside your HealthXnet FREE 30-Day Trial package you ll find two documents:

NOTICE OF PRIVACY PRACTICES Walter Chiropractic Clinic, 5219 Peters Creek Rd Ste 5, Roanoke VA 24019

Plan Sponsor Guide HIPAA Privacy Rule

HIPAA Omnibus Notice of Privacy Practices Effective Date: March 03, 2012 Revised on: July 1, 2015

Effective April 14, 2003

Transcription:

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL What is HIPAA? Comprehensive federal legislation regarding health insurance which is comprised of four key areas: Portability Protects health insurance coverage for workers and their families when they change or lose their jobs Prevents discrimination against employee and their families due to preexisting medical conditions Privacy Provides the first comprehensive federal protection for the privacy of an individual s health information Gives individuals more control over their health information, and it sets boundaries on the use and disclosure of their health information Security Establishes safeguards that must be achieved to protect the privacy of protected health information Holds violators accountable with civil and criminal penalties that can be imposed if they violate an individual s privacy rights. Electronic Transactions Standardizes electronic health care transactions

Does HIPAA apply to the School Board of Polk County, Florida and what are the effective dates? The School Board of Polk County must comply with the Privacy, Security and Electornic Transactions requirements of HIPAA by the following dates: Privacy April 14, 2003 Security April 21, 2005 Electronic Transactions October 16, 2003 HIPAA Terms Covered Entity mean those entities who are subject to HIPAA: Health Plans Includes HMOs, health insurers (which includes dental and vision insurers and prepaid dental plans), self-insured group health plans, Medicare, and Medicaid. Health are Clearing Houses An entity that processes health information from a health care provider to a payer. Health Care Providers ONLY those health care providers that transmit Health Information electronically. Protected Health Information (PHI) PHI is made up of 2 components Health Information and Individually Identifiable Health Information: Health Information information that relates to the past, present, or future physical or mental health of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care. Individually Identifiable Health Information information that is a subset of Health Information, and is information that can be used to identify the individual Business Associate Is a person, or entity, that acts on behalf of a Covered Entity or provides services to the Covered Entity, and who has acces to a Subscriber s or Member s Protected Health Information (PHI). Treatment, Payment and Healthcare Operations (TPO) Uses and Disclosures by a Covered Entity of a Member s PHI for the purposes of treatment, payment or healthcare operations do not require authorization from the Member. Examples of items that fall under TPO are: - Processing and payment of claims - Communications with providers about a Member - Processing grievances and appeals - QI activities - Credentialing and peer review activities - Underwriting - Business management and general administrative activities

De-Identified PHI that does not identify the Member, and there is no reasonable basis to believe such information can be used to identify the Member. In order to be deidentified all identifiers, including but not limited to name, address, social security number, phone number, birth date, fax number, e-mail address, etc., must be removed. A Brief Look at Electronic Transactions The following functions are subject to the standardized electronic formats and codes set requirements: Claims (inc. submission, COB, payment, EOB) Status/inquiry Referrals Authorizations Enrollment/Disenrollment Premium Payments Eligibility Billing Covered Entities must be able to accept and send electronic transactions in the standard HIPAA compliant format. Cannot refuse transaction sent in standard format If the plan currently conducts a HIPAA business function, it must be able to use the standard transaction for that function. Privacy Permitted Uses and Disclosures Privacy rules apply to all forms of PHI Electronic, paper, and verbal PHI may only be used or disclosed without the member s permission under the following circumstances: Directly to the individual for which the PHI pertains; Treatment, Payment or Healthcare operations (TPO) Other purposes allow by law All other uses or disclosures require the individual s written authorization OR must be de-identified. Disclosures must be limited to the amount of PHI reasonably necessary to achieve the purpose of the disclosure ( minimum necessary )

Exceptions - To the provider - To the individual for which the PHI pertains - Disclosures required by law Disclosures of an individual s PHI may be made to the individual s family and friends without a written authorization from the individual, IF: Verbal or written consent is obtained from the individual OR The individual has been given the opportunity to object to the disclosure and does not do so OR It can be reasonably inferred from the circumstances, based upon professional judgment that the individual does not object to the disclosure. The amount and type of PHI disclosed to such family and friends must be limited to the PHI directly relevant to such person s involvement with the individual s health care of payment related to the individual s health care. Disclosures to Employer and Group Plans Depending upon the Group s request for PHI, the group may have to first provide a written authorization from the member or a certification. Summary Information - De-identified information that summarizes claims history, claims expenses, or type of claims experience by individuals for whom the plan sponsor has provided health benefits under a group health plan for purposes of obtaining premium bids, modifying, amending or terminating the plan. - Summary Information does not require an authorization from the member or a certification. Plan Administration Functions - PHI disclosed for Plan Administration Functions requires a Certification from the Plan Sponsor. - HIPAA defines Plan Administration Functions to include quality assurance, claims processing, auditing, monitoring that is performed by the Plan Sponsor. It does not include employment-related functions or functions in connection with other benefits or other benefit plans. - Contact the Privacy Officer if you get a request for information based upon a Certification, prior to releasing any information.

All Other Requests for PHI From the Group - All other requests for PHI may ONLY be released upon prior written authorization of the member. - For example, groups/group benefits administrators who wish to advocate on behalf of the member in claims disputes, benefits disputes, or grievances or appeals MUST first have written authorization from the member. NOTE: These rules DO NOT apply to information regarding enrollment, disenrollment, premium payments, or participation. Member Authorization Under certain circumstances, written authorization from the Member must be received before the Member s PHI can be disclosed. A member authorization form that meets all of the HIPAA required elements is acceptable. Authorization forms MUST be completed in their entirety and MUST be signed by the Member. If the form is not completed or not signed, it must be rejected and no information disclosed. Use or disclosure of PHI for Marketing Purposes A Member s PHI may be used, or disclosed, for marketing purposes without permission from the Member when the marketing is in the form of: A face to face communication; or A promotional gift of nominal value Any other marketing communication that uses or discloses a Member s PHI must have written authorization from the Member. HIPAA defines marketing as A communication about a product or service that encourages recipients of the communication to purchase, or use the product; or An arrangement between the Covered Entity and any other entity whereby the Covered Entity discloses PHI in exchange for remuneration so that the other entity may make a communication to the individual that encourages the recipient to purchase or use their product.

The following types of communications are not considered to be marketing Products or services included in the member s benefit plan Participating providers Enhancements to the member s benefit plan Added value benefits Communications related to treatment Case management, disease management, wellness programs, prescription refill reminders, appointment notifications Requests for Reports Containing PHI Reports containing PHI may only be released as follows: Employer and Group Plans - Same requirements as Disclosures to Employer and Group Plans before PHI can be released in report format - Exception: reports regarding enrollment, disenrollment, participation, and payment of premium Business Associates - May be released without authorization from the Member Agents/Brokers - If for the group, same requirements as Disclosures to Employer and Group Plans - If for own use, such as a commission report, may be released without authorization from the member. - Providers - May be released without authorization from the Member Others - Check with Privacy Officer before releasing Members Rights Members have the following rights under HIPAA: Right to request restrictions Right to receive confidential communications Right to inspect and copy Right to amend their health information Right to receive an accounting of disclosures Right to obtain a paper copy of the Notice of Privacy Practices at any time

Phone Call Verification It is critical that callers be identified with reasonable certainty before any PHI is disclosed over the phone. The following process MUST be used to identify the caller Ask the call all of the following questions - Name of subscriber - Member/certificate number - Address, including street, city, state and zip code - Home or work phone number If all of the responses match the member information, you may assist the caller (note: friends and family may receive information, but they may NOT make changes to the account unless they are also on the account of have written authorization from the member.) Member s Legal Representative Same process as above, except the caller must fax or mail appropriate proof of representation (such as Power-of-Attorney or Guardianship documents) Agent or Broker on behalf of the Member Ask the caller for his/her agent/broker number Ask the agent/broker the four questions above if at least 2 of the responses match the member information, you may assist the agent/broker. Agent or Broker on Behalf of the Group for the Member These type of calls require authorization from the Member (except for issues regarding enrollment, disenrollment, premium, or participation) Ask for the following information - Agent/Broker number - Ask the four questions above at least 2 of the responses must match the member information - Have agent/broker fax or mail the authorization form - Once proper authorization is received, then member s PHI may be released to agent/broker

Faxes Faxing PHI When sending a fax that contains PHI: - Confirm the fax number with the recipient and call to notify the recipient that the fax was sent - Request a verbal verification from the recipient that the fax was received - In the event of a misdirected fax, make sure that it is returned or destroyed - Try to limit the faxing of PHI to urgent situations - Include a fax cover page that includes recipients name, phone and fax number, date and time of fax, number of pages transmitted, and the following warning at the bottom: IMPORT WARNING: This message is intended for the use of the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this information is STRICTLY PROHIBITED. If you have received this message in error, please notify the sender immediately and destroy the related message. When receiving a fax that contains PHI: - Try to have the sender send the fax to a fax machine in a low traffic area that is less accessible to those who are not authorized to view PHI - Schedule with the sender so that you may promptly retrieve the fax upon arrival - Place faxes that contain PHI in a secure location, do not leave on a counter in full view of passersby - As with all PHI, handle and store in a secure manner Workstations clean desk rule at the end of each workday files, records and other documents that contain PHI may NOT be left out on the desk or out in the open. Place in drawers or bins, preferably those that lock. file, don t pile keep files, records and other documents that contain PHI in drawers or file folders when not in use. If you are going to be away from your desk for less than 15 minutes, at a minimum flip PHI over so blank side is showing more than 15 minutes, put away in drawer or file folder. CD s diskettes, magnetic tapes, etc. that contain PHI or other confidential information must be properly stored or destroyed when no longer needed. Simply

deleting information may not be enough to ensure that information cannot be retrieved and improperly disclosed. Electronic media must be mutilated before throwing in the trash. Paper trash containing PHI must be shredded. School Board of Polk County, Florida Privacy Officer - Where to go on the Web for more information on HIPAA: Department of Health & Human Services: http://aspe.hhs.gov/admnsimp/ Office for Civil Rights: http://www.hhs.gov/ocr/hipaa Centers for Medicare and Medicaid Services: http://www.cms.gov/hipaa Phoenix Health Systems (HIPAA Advisory): http://www.hipaadvisory.com Bricker & Eckler and the Ohio Hospital Assoc. HIPAA Privacy Joint Information Center: http://www.bricker.com/attserv/practice/hcare/hipaa/

HIPAA TRAINING AND COMPLIANCE ACKNOWLEDGEMENT I,, hereby acknowledge that I have received and read the School Board of Polk County, Florida HIPAA Training Manual on. (date) I acknowledge that I have been made aware of the School Board of Polk County HIPAA Policies and Procedures, and that it is my responsibility to read and understand such policies and procedures. Further, I understand that as a condition of my employment with School Board of Polk County, I shall perform my duties in a manner that is consistent with these policies and procedures. I also understand that it is my responsibility to immediately report any violations or suspected violations of the School Board of Polk County HIPAA policies and procedures directly to the School Board of Polk County Privacy Officer. I further understand that my failure to report my own violations or violations that I have witnessed or have knowledge of may result in disciplinary action taken against me. I understand that the School Board of Polk County will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against employees who: 1) file a complaint with the Secretary of the Department of Health and Human Services; 2) testify, assist, or participate in an investigation, compliance review, proceeding, or hearing under the HIPAA Privacy rules, provided the person has a good faith belief that the practice is unlawful, and the manner of the opposition is reasonable and does not involve disclosure of Protected Health Information (PHI) in violation of the HIPAA Privacy rules. Signature Date Printed Name

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information