Frequently Asked Questions About the Privacy Rule Under HIPAA

Q-1: What is HIPAA?
A: HIPAA is the Health Insurance Portability and Accountability Act (passed by Congress in 1996). The Privacy Rule was issued by the U.S. Department of Health and Human Services. The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) of HIPAA provides the first comprehensive Federal protection for the privacy of health information.

Q-2: What does the HIPAA Privacy Rule do?
A: The HIPAA Privacy Rule creates national standards to protect individuals' medical records and other protected health information. It gives individuals more control over their health information; it sets boundaries on the use and disclosure of health records; and it establishes safeguards that covered entities must set up to protect information.

Q-3: What is protected health information?
A: Protected Health Information (PHI) is individually identifiable health information that is created or received by a provider, a health plan or insurer, a data clearinghouse, a health authority, employer, school or university. PHI can be maintained or transmitted in any form or medium. It relates to the past, present or future:
- condition of physical or mental health;
- health care provided; or
- payment for health care provided.
PHI does not include summary health information or information that has been de-identified according to the standards for de-identification provided for in the HIPAA Privacy Rule.

Q-4: What is a privacy notice and who is responsible for sending privacy notices?
A: The Health Plan must provide you with this notice of its legal duties and privacy practices with respect to Protected Health Information. The notice should describe:
- How the covered entity may use and disclose protected health information about an individual.
- The individual's rights with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
- Whom individuals can contact for further information about the covered entity's privacy policy.
- When the notice is effective.
Pace University is responsible for providing privacy notices to all participants currently enrolled on or after April 14, 2003, in the Pace University Healthcare programs and Healthcare Flexible Spending Account. Participants enrolled in a medical HMO or Delta Dental will receive a privacy notice directly from the carrier.

Q-5: What plans or programs at the University are not covered under HIPAA?
A: The following plans or programs are not covered under HIPAA:
- Short term disability benefits
- Long term disability benefits
- Worker's Compensation
- Life Insurance
- Claims under the Dependent Care FSA that may arise because the spouse/domestic partner or child is ill or because the employee's spouse/domestic partner is physically or mentally unable to assist in caring for a dependent child or other family dependent
- Requests for reasonable accommodations under the ADA
- Requests for family medical leave
- Any first aid or emergency services in cases of serious illness or injury occurring on Pace University's premises that are provided to employees while awaiting arrival of an ambulance or emergency medical assistance
- Requests for certification of coverage of the employee or dependent
- Other lawful employment-related purposes (e.g., physical or mental inability to work on company premises, drug testing)

Q-6: What can Pace University do now with PHI and how will that change after April 14, 2003?
A: Any protected health information received by the Pace University Benefits Office or a member of Human Resources is, and shall continue to be, handled in a confidential manner. Additional measures are being taken to better secure such information. Although employees will not notice many of the new measures, one of them may require health plan members to sign an authorization allowing the University Benefits Office to assist in resolving health care or FSA claim issues on the member's behalf.

Q-7: When can PHI be used and disclosed without authorization?
A: Protected Health Information (that is, individually identifiable information held by the health plan) may be used or disclosed without authorization or consent only for the purposes of treatment, payment, healthcare operations or pursuant to requirements of law. Only the minimum necessary amount of PHI is permitted without written authorization from the plan participant or that person's authorized Personal Representative.

Q-8: Can you provide examples of treatment, payment and healthcare operations?
A: Treatment generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, to fulfill its coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Examples of common payment activities include, but are not limited to:
- Determining eligibility or coverage under a plan and adjudicating claims;
- Billing and collection activities;
- Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
- Utilization review activities.

Health care operations are certain administrative, financial, legal and quality improvement activities that are necessary for a covered entity to run its business and to support the core functions of treatment and payment. Common activities include, but are not limited to:
- Underwriting and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits, and securing or placing a contract for reinsurance of risk relating to health care claims;
- Conducting or arranging for medical review, legal and auditing services, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
- Business management and general administrative activities.

Q-9: Can the health plan use or disclose PHI for reasons other than treatment, payment or healthcare operations?
A: No, not unless the use and disclosure is made in connection with a HIPAA Authorization or is required or permitted by the HIPAA Privacy Rule.

Q-10: How are group health plans expected to determine what is the minimum necessary information that can be used, disclosed or requested for a particular purpose?
A: The HIPAA Privacy Rule requires a health plan to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard requires health plans to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards.

Q-11: Can my spouse/domestic partner be my personal representative?
A: Yes, the employee and dependent spouse/domestic partner will be treated as each other's authorized personal representative unless and until a statement to the contrary is filed with the health plan.

Q-12: Can a parent be a personal representative for dependent children?
A: Parents can be personal representatives for dependent children under the age of 18. Parents are not authorized personal representatives of emancipated children (18 and over) except when the plan administrator or its delegates determine that the child is unable to make his or her own decisions, and unless and until a statement to the contrary is filed with the health plan.

Q-13: Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?
A: No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements.

Q-14: Who do I complain to about violations of my right to privacy protection?
A: If you believe that your privacy rights have been violated, you may complain, in writing, to the Director of University Benefits, Pace University, 235 Elm Road, Dow Hall, Room 102A, Briarcliff Manor, NY 10510. Complaints may also be made in writing to the Secretary of the U.S. Department of Health and Human Services, Hubert Humphrey Building, 200 Independence Avenue SW, Washington DC 20201, within 180 days after you know or should have known about the act or omission that is the subject of your complaint. Neither the Health Plans nor the Employer will retaliate against you if you file any such complaint.

Q-15: Are there penalties for not complying?
A: Section 1176 provides that HHS will impose on any person who violates a provision of the Privacy Rule a penalty of up to $100 for each violation. This is capped at $25,000 per year, per violation of an identical requirement or prohibition. In addition, if a person obtains or releases protected health information under false pretenses, the penalty increases to a fine of up to $100,000 and imprisonment of not more than five years. In addition, any Pace University employee authorized to handle PHI who intentionally or unintentionally violates any of the applicable policies or procedures may be subject to disciplinary procedures up to and including termination.

Q-16: Where can I receive more information about my rights under HIPAA?
A: You can contact any of the following for more information about your rights under HIPAA:
- University Benefits Office at (914) 923-2828
- Human Resources web page, www.pace.edu/human-resources
- U.S. Department of Health and Human Services at www.hhs.gov