Protecting Enrollees - PowerPoint PPT Presentation

About This Presentation
Title:

Protecting Enrollees

Description:

Protecting Enrollees' Health Information under HIPAA. Presented by the Michigan Department of Civil Service, Employee Benefits Division.

Slides: 41
Provided by: JohnGn
Learn more at: https://www.michigan.gov

Transcript and Presenter's Notes


1
Protecting Enrollees' Health Information under
HIPAA
Presented by the Michigan Department of Civil
Service Employee Benefits Division
2
Today You Will Learn
  • Basics about the Health Insurance Portability and
    Accountability Act of 1996 (HIPAA)
  • How HIPAA affects working with enrollment and
    eligibility information for state health plans
  • Health, Dental, Vision and Flexible Spending
  • HIPAA does not apply to life insurance, workers'
    comp, and LTD plans.
  • How to comply with HIPAA when you use and
    disclose health plan information

3
Goals of HIPAA
  • For Individuals
  • To control and protect their own health
    information through new rights
  • For Health Care Entities
  • To protect health information, limit its use, and
    punish improper use

4
Who does HIPAA apply to?
  • HIPAA governs health care providers,
    clearinghouses, and group health plans.
  • HIPAA does not apply to employers directly, but
    affects them indirectly as sponsors of group
    health plans.

5
Protected Health Information (PHI) Is
  • Information related to past, present, or future
    physical or mental health, provision of health
    care, or payment for health care to an individual
  • Information created or received by a health plan,
    provider, insurer, or employer
  • Information whether oral or in any recorded form
    (HRMN data, enrollment forms, faxes, e-mails,
    conversations, phone calls)

6
Protected Health Information
  • Is health information that provides a reasonable
    basis to connect the information with the
    individual
  • Data of Employee 102234 is still PHI since you
    can connect 102234 back to that employee.

7
State Health Plan PHI relates to enrollment and
eligibility
  • Enrollment forms
  • HRMN data on insurance coverage and payroll
    deductions
  • Complaints about coverage and claim disputes
  • Communications from enrollees about health care
    and coverage

8
HIPAA Regulates Use and Disclosure of PHI
  • Use: Working with Protected Health Information
    (PHI) within your Office and the Employee
    Benefits Division (EBD).
  • Disclosure: Releasing PHI outside your Office
    and the EBD.

9
All PHI use and disclosure must be authorized!!!
  • The default rule for PHI under HIPAA is not to
    use or disclose it unless authorized.

10
But, you can use or disclose PHI
  • For necessary enrollment, eligibility, payroll,
    and plan operation duties
  • To an enrollee, personal representative, or
    person authorized by the enrollee to receive the
    information
  • When authorized by the Privacy Official

11
The Golden Rule of HIPAA
Dancing the HIPAA Polka!
  • Treat the health information of others as we
    would want others to treat health information
    about us.
  • Don't step on anyone's toes!

12
Penalties for Noncompliance
  • Enrollees can file complaints with the Privacy
    Official or the Department of Health and Human
    Services.
  • The federal government can fine any person $100
    for each violation, for up to $25,000 a year.
  • Violations may lead to discipline, fines up to
    $250,000, and criminal penalties up to 10 years
    in prison.

13
HIPAA and Your Office
  • What does not change?
  • What changes need to be made?
  • What issues are referred to the EBD or
    Privacy Official?

14
Other Health Info in Your Office
  • Medical information received by your Office in
    its role as employer is covered by other laws,
    but not by HIPAA.
  • ADA Requests
  • FMLA Requests
  • Drug testing results
  • Workers' Comp and LTD
  • You still must respect privacy requirements
    created by other laws when handling this
    information.

15
Changes to Procedures
  • Retention requirements
  • Training requirements
  • Use and disclosure of PHI
  • Enrollee rights

16
Retention of PHI
  • HIPAA requires designated PHI from after April
    14, 2003 to be retained and retrievable for 6
    years.
  • HRMN data is archived electronically.
  • All other health plan PHI you handle must be
    retained in a HIPAA Folder for the enrollee.

17
HIPAA Folder Contents
  • Enrollment forms and supporting documents (birth
    certificates, etc.)
  • Use and disclosure authorization forms
  • Requests by enrollees to exercise enumerated
    HIPAA rights
  • Documents establishing the authority of personal
    representatives receiving PHI.
  • Proof of HIPAA training attendance for relevant
    staff.
  • Documents the EBD asks to be included

18
HR Staff Training
  • HR staff who can directly access PHI must have
    HIPAA training by April 14, 2003.
  • If policies change, new training will follow.
  • You must retain proof of HIPAA training, through
    a signed acknowledgment form available from the
    EBD website.

19
Confidentiality Agreement for Employees with
Limited Access
  • Other employees with limited or incidental access
    to PHI (payroll staff, IT staff, etc.), must sign
    a HIPAA confidentiality agreement agreeing not to
    improperly use and disclose PHI. This
    certification is available on the EBD website.

20
When You Can Use PHI (Internally)
  • To perform necessary plan administration duties,
    including sharing information with the EBD
  • To change enrollment, eligibility, and deduction
    information in HRMN
  • To another executive department when an employee
    transfers

21
When You Can Disclose PHI (Externally)
  • If an enrollee seeks their own PHI
  • If a personal representative (guardian, medical
    power of attorney holder, etc.) who proves
    identity and legal authority seeks an enrollee's
    PHI
  • If another party is validly authorized by the
    enrollee to receive the PHI
  • If authorized by the Privacy Official

22
Disclosures Pursuant to Court Orders
  • If required by a valid court subpoena or order,
    you must disclose as ordered. No enrollee
    authorization is required.
  • You must send an e-mail or letter to the Privacy
    Official detailing the name and employee number
    of the enrollee, disclosure date, name and
    address of the recipient, a brief description of
    the PHI disclosed and the reason for the
    disclosure.
  • You must keep copies of the court order in the
    enrollee's HIPAA Folder.

23
Authorization Form
  • For disclosures based on an authorization form,
    the enrollee must completely fill out and sign
    the standard authorization form or
  • If our standard form is not used, you must
    contact the Privacy Official to confirm the
    validity of the authorization.
  • You could offer to provide the enrollee with the
    PHI to give to the other party.

24
Disclosure Procedures
  1. Reasonably confirm the recipient's identity
  2. Place a copy of a personal representative
    recipient's proof of authority in the enrollee's
    HIPAA Folder
  3. When disclosing based on court orders,
    authorization forms, or the Privacy Official's
    authorizations, place a copy of the document in
    the enrollee's HIPAA Folder
  4. Contact the Privacy Official if unsure

25
Contact with Insurance Carriers
  • You may continue to contact carriers to resolve
    issues regarding enrollees' enrollment and
    eligibility discrepancies.
  • Any complaints over claim disputes must be
    referred to the insurance company. If an
    enrollee has exhausted all remedies and review
    mechanisms offered by the insurance company, you
    may refer the enrollee to the EBD.

26
Use and Disclosure Questions?
  • Contact the Privacy Official with the Employee
    Benefits Division for authorization
  • Address: Michigan Department of Civil Service,
    Privacy Official, 400 South Pine Street, P.O. Box
    30002, Lansing, MI 48909
  • Phone: (517) 373-7977 or (800) 505-5011
  • Fax: (517) 373-3174
  • E-mail: MDCS-HIPAA_at_michigan.gov

27
Security Measures
Do
  • Log out of HRMN and all programs when leaving
    your workstation
  • Lock cabinets containing PHI
  • Put PHI away in storage when you are not working
    with it anymore
Do Not
  • Leave your computer unattended with visible PHI
  • Leave file cabinets containing PHI unattended and
    unlocked
  • Leave PHI out on your desk unattended

28
Health Plan Duties Firewall
  • You cannot give an enrollee's PHI to supervisors
    or co-workers who ask for it without
    authorization by the enrollee.
  • You must protect PHI and only use it for plan
    administrative functions.
  • HIPAA prohibits using PHI for employment-related
    decisions.

29
Relationships
[Diagram: relationships among the Privacy Official, Employee Benefits Division, HRMN, HR, Employee, Authorized Person, and Anyone Else]

30
Notice of Privacy Practices
  • EBD is sending to current enrollees now.
  • Your office must give to new hires after 3/29/03.
  • When an enrollee requests a copy, you must also
    provide one (available on the EBD section of
    www.mi.gov/mdcs).

31
Enrollee Right of Access
  • HIPAA requires that PHI in designated record sets
    be given to individuals.
  • Enrollment/Eligibility data in HRMN
  • Benefit denial and appeal documents
  • When asked, produce all documents in the
    enrollee's HIPAA folder and HRMN benefit summary
    data (ZB107, BN51, etc.)
  • If an enrollee wants benefit claim or appeal
    information, instruct the enrollee to make a
    written request to the Privacy Official

32
Enrollee Right to Amend PHI
  • As before, your Office can add enrollment data,
    new dependents, and life events when appropriate.
  • If you cannot perform a requested amendment
    (ineligible, outside open enrollment, etc.), you
    must provide a written denial that includes the
    following language:
  • If you believe this decision is incorrect, you
    may file a written appeal to the Employee
    Benefits Division that explains why the decision
    is incorrect and includes all necessary
    documentation. Appeals must be mailed to
    Employee Benefits Division, Department of Civil
    Service, P.O. Box 30002, Lansing, MI 48909. If
    you believe your HIPAA rights have been violated
    by this decision, you may file a HIPAA Privacy
    Complaint Form (CS-1782) with the EBD Privacy
    Official at the same address.

33
Enrollee Right to Request Restrictions and Audits
  • Enrollees may request limitations on how their
    PHI is shared or request confidential
    communications of their PHI.
  • Enrollees may request an audit listing certain
    disclosures of their PHI that have been made.
  • All these requests must be made in writing by the
    enrollee to the Privacy Official.

34
Enrollee Rights to Privacy Complaints
  • Our HIPAA Procedures will allow enrollees to file
    privacy complaints with the Privacy Official.
  • The Privacy Official will investigate to
    determine if a violation occurred.
  • Employees who violate these procedures will face
    appropriate discipline.

35
Test Your Understanding
  • A supervisor e-mails asking for a list of the
    health plans a subordinate is enrolled in. What
    portion of the subordinate's PHI can you
    disclose?
  • None. Supervisors and others outside Your Office
    are not authorized to use and disclose PHI
    without a valid authorization.

36
Test Your Understanding
  • A person flashing a badge demands disclosure of
    PHI for a criminal investigation. Do you
    disclose?
  • Maybe. HIPAA does provide for disclosures for
    national security, law enforcement, and other
    specific purposes. You must contact the Privacy
    Official to ensure that proper procedures are
    followed and proper documents are maintained. If
    there is a court order, you can disclose but must
    notice the Privacy Official of the disclosure.

37
Test Your Understanding
  • An attorney calls and asks for PHI to help in an
    employee grievance. Do you disclose?
  • No. If the attorney has a valid authorization,
    you may. If there is a court order for the
    information, you must give the Privacy Official
    notice, as required in the Procedures for
    Disclosures Pursuant to Court Orders.
  • Remember that disclosing information to a willing
    enrollee is one solution to avoid some of these
    procedural requirements.

38
Test Your Understanding
  • Allstate calls asking for confirmation of an
    employee's LTD coverage. Does HIPAA prevent you
    from disclosing this info?
  • No. HIPAA protects information related to health
    plan enrollment. LTD is not a health plan under
    HIPAA. If the request sought LTD and PHI related
    to state health plans, HIPAA would prohibit the
    unauthorized disclosure of data about the health
    plans.

39
Questions?
  • What if...?
  • How about...?
  • What happens when...?
  • Who do I call about...?

40
Top Ten Ways to Comply with HIPAA
Letterman
  • 10. Only authorized personnel can directly access
    PHI
  • 9. Use PHI only when related to plan
    administration
  • 8. Disclose PHI to enrollees, to personal
    representatives, or as provided in proper
    authorization forms
  • 7. Follow court orders to disclose PHI, but
    notice the EBD
  • 6. Don't otherwise disclose unless the Privacy
    Official OKs
  • 5. Give new enrollees and those who ask privacy
    notices
  • 4. Issue written denials to requested PHI
    changes that explain the denial and include the
    required notice
  • 3. Promptly refer all PHI restriction,
    confidentiality, and accounting requests to the
    Privacy Official.
  • 2. Keep HIPAA documents for six years in HIPAA
    Folders
  • 1. Call the Privacy Official if you are unsure!