HIPAA Privacy Awareness Training
Protecting Individual Health Information
HIPAA Privacy Rule
Objectives And Agenda
• Overview of the HIPAA Privacy Rule
• Explain implications to and within our organization
• Identify what you need to do differently
Part 1: Overview Of Privacy Rule
Privacy Rule … A Quick Glance
• Part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Effective April 14, 2003 for larger employers and April 14, 2004 for smaller employers
• What it does:
  - Limits sharing of confidential health information, called Protected Health Information (PHI)
  - Restricts employers from using PHI in employment decisions
  - Requires employers to establish and follow certain procedures
What Is PHI?
• Protected Health Information is:
  - Employee or plan participant health information that
    - Identifies individuals (or could be used to identify them)
    - Relates to a past, present, or future health condition, provision of care, or payment for care
  - Created or received by an employer, health plan, or other Covered Entity
• PHI can be electronic, paper, or verbal
Examples Of PHI
• Examples of PHI include:
  - Medical bills from a hospital
  - Diagnostic information
  - Other doctor/patient information that is part of the health plan record
  - E-mails from vendors that discuss the health condition of an employee or an employee’s dependent
Important! If you use PHI now (for example, to help employees with claim denials), you will need to make changes to conform with our new policies!
What The Privacy Rule Does Not Cover
• Generally, information that is part of employment records is not PHI
• Examples: health information used in these processes is generally not PHI:
  - Pre-employment physicals/substance abuse screenings
  - FMLA leaves for serious health conditions
  - ADA accommodations
  - Work restrictions
  - Employees calling in sick
• Information gathered in the “employer role” is part of the employment file and is NOT PHI.
Which Health Plans Are Covered?
• Plans covered by the Privacy Rule
  - Medical Plan
  - Dental Plan
  - Health Care Flexible Spending Account
  - Employee Assistance Program (EAP)
• Also covered
  - HMOs
  - Health insurance issuers
  - Medicare and other government programs
  - Long-term care policies
• Not covered
  - Disability
  - Life insurance
  - Workers’ Compensation
Part 2: Complying With The Privacy Rule
The Changing Flow Of Information
[Diagram: PHI before April 14. Parties shown in the flow: Supervisor, File Clerk, Facility Managers, Claims Administrator, Doctor, Anyone in HR, Hospital, Any Insurance Company]
The Changing Flow Of Information
[Diagram: PHI after April 14. Parties shown in the flow: Supervisor, File Clerk, PHI-Designated HR Staff Member, Providers (Doctors, Hospitals), Any Insurance Company, Facilities Managers, Business Associates with signed agreements, Anyone in Human Resources]
The PHI Box
[Diagram: the PHI box, containing Health Plan, Provider and Clearinghouse. Those “in the box” may share PHI with each other.]
• Health Plan: PHI from the health plan can only be shared with those in the box
• Providers: Doctors, hospitals, clinics, etc.
• Clearinghouse: Data management firms that code provider bills
• PHI can be shared with others whom we retain for plan administration and who agree in writing to comply with the Privacy Rule
• Employee/participant must authorize any “non-routine” use
If you are not in the box and do not have an agreement with the Plan Sponsor or the Provider, you cannot have access to PHI without written authorization from the employee
Who Is Responsible For Compliance?
• All management
• Only PHI-designated Human Resources staff members can access and process PHI
• Managers must adhere to policies and procedures and defer to PHI-designated staff
Example
• An employee has a problem with a medical plan claim and goes to a manager at a location
  - In the past, the manager may have contacted an outside administrator to get clarification
  - Under the new procedures, the manager refers the employee to a PHI-designated Human Resources staff member for assistance
What If The Plan Does Not Comply?
• The Privacy Rule is enforced by the U.S. Department of Health and Human Services (HHS)
• HHS can impose both civil and criminal penalties on Covered Entities for noncompliance
  - Civil penalties: $100 fine per violation, up to $25,000 per person/year
  - Criminal penalties: up to a $250,000 fine and 10 years in prison
Important! Employees may file a complaint with HHS for wrongful disclosure.
New Procedures
• Appointed a Privacy Officer to:
  - Develop and implement Privacy Rule compliance policies and procedures
  - Monitor and ensure the college’s compliance
• Designated certain Human Resources staff members to be the only individuals responsible for PHI processing, record retention and management
• Play it safe! Always refer employees to a PHI-designated staff member if you have any issues involving the covered plans
Our Privacy Officer
• Employee Plans - Linda Laughlin, Associate HR Director
• Student Plan - Administrative Assistant/Student Insurance Specialist, Wellness Center
New Procedures
• Created a “firewall” to separate health plan information from other employee data
• Took steps to safeguard PHI
  - Keep PHI out of sight
  - Don’t discuss PHI in public
  - Watch who is e-mailed PHI
  - Fax with care
How Are Managers Affected?
• Managers/Supervisors
  - Must understand and comply with the Privacy Rule
  - Must understand which plans are covered
    - For example, the Privacy Rule does not affect other policies, such as FMLA or Workers’ Compensation
  - Must know when and how to contact the Privacy Officer or other designated staff
Important! Managers and Supervisors must be aware of the Privacy Rule and how to comply.
How Are Managers Affected?
• Examples: unless authorized, managers and supervisors may not:
  - Discuss specific health care claims with the carrier
  - Discuss the cost or details of claims with anyone
  - Use PHI for employment-related actions (hiring, firing, promoting)
Important! Only certain Human Resources staff members may use/disclose PHI. Even then, the employee must sign a specific authorization for any “non-routine” use or disclosure.
Part 3: Overview of Employee Rights
Privacy Rights Notice
• Employees/participants must receive a Notice of Privacy Rights
  - Summarizes rights to access/control PHI
  - Your Privacy Notice will describe your rights under the Privacy Rule
Employee Rights
• Right to inspect and copy PHI
  - Must request in writing
  - Request can be denied for certain reasons
• Right to amend PHI
  - Health plan has 60 days to act on the request
• Right to request a list of PHI disclosures
  - Except for treatment, payment of medical expenses or normal operation of the plan
  - Plan only needs to disclose the last six years of PHI and not earlier than April 14, 2004
  - Must be in writing and specify details
Employee Rights (cont’d)
• Right to limit disclosure
  - Except for treatment, payment of medical expenses or normal operation of the plan
• Right to file complaints
  - Written complaints to HHS
  - Follow our established process for handling complaints
  - We MAY NOT penalize or retaliate against employees who file complaints
HIPAA Scenarios
Scenario #1: Employee-Based Disclosure
John and Fred are peers, both working in production for a widget manufacturing company. They are having coffee in the break room, when John tells Fred, “I just found out I have cancer, and I’m pretty worried about keeping my job if I have to take time off to have treatment.” Later, Fred tells a co-worker (in confidence), who passes it on to his supervisor and several other employees of the company.
Was John’s right to privacy violated? Does he have a cause of action against the employer or health plan? Why or why not? What are the proper steps to be taken?
Now that the supervisor knows, what should he or she do with the information?
Scenario #2: Birth Announcement
The Paper Company typically sends out a broadcast announcement to all employees whenever a new baby is born to one of their employees. Vital statistics are given, including name, gender, and weight of the baby, along with health status (such as “Mom and baby are doing fine,” or “Baby is still in the hospital due to low birth weight, but Mom is home and doing well”).
Is disclosure of the birth Protected Health Information under HIPAA? Why or why not?
What about the status of Mom’s and Baby’s health?
Scenario #3: FMLA-Leave Based Disclosure
Patty’s assistant, Maria, tells her in confidence that she needs to take several weeks off to take care of her mother, who has been diagnosed with a serious health condition. Patty verbally grants Maria’s request for time off. While Maria is on leave, Patty begins passing work to other employees in the department, asking them to help out. She innocently discloses information about the reason for Maria’s leave to employees who question the reason for the added workload.
What should Patty have done first in this situation?
Is Maria’s mother’s health situation protected? Why or why not?
What should/shouldn’t Patty tell other employees about Maria’s situation?
When the Privacy Official is made aware of the situation, what should he/she do?
Scenario #4: Vendor Disclosure
White Widgets provides employees with medical coverage under a self-insured health plan. Claims are paid by Fred’s TPA. Mary, a claims examiner for Fred’s TPA, is processing claims when she sees that Jeff, a key employee of White Widgets, is being treated for HIV. She is best friends with Joan, who works for Jeff in his office. At dinner that evening, she asks Joan how Jeff is doing since he has undergone treatment. Joan was unaware of the situation and had no need to know for plan operation purposes. The next day, she informed Jeff and Human Resources that confidentiality had been violated.
What should the Privacy Official of White Widgets do?
What are the TPA’s responsibilities in light of the breach of privacy?
What are the potential penalties that could be assessed against the Plan, the Privacy Official, and/or the TPA?
Scenario #5: “Innocent” Disclosure
Barb works in Human Resources. Tom calls Barb and tells her that he needs help with a claim issue. She has Tom sign an authorization form allowing her to have access to Personal Health Information for the purpose of resolving the claim.
Barb forwards the request to the health insurance carrier and then talks with the claims supervisor. She is able to resolve the problem for Tom, but accidentally leaves her notes out in plain view on her desk when she leaves for the evening.
While waiting for a meeting with Barb’s manager, plant manager Joe sits at Barb’s desk, reads the information about Tom’s ability to perform based on that health information, and tells her where he got the information.
What should Barb’s manager do in this situation?
What should the Privacy Official do?
Scenario #6: Intentional Disclosure for Gain
Joe’s TPA pays claims for 1,000 employers, covering 150,000 employees in the state of Minnesota. They have been losing market share and need to bolster their revenues. They have been approached by a company that manufactures a product aimed at treatment of a specific health condition, and sell to that company a list of subscribers who have had treatment for that condition. Those subscribers receive phone calls and mailings from the manufacturer, attempting to sell their product.
Are the individual employer-sponsored plans liable for this disclosure by their business associate (Joe’s TPA)?
What are the penalties for this type of disclosure?
What should the Privacy Official do when he/she is made aware of this violation of privacy standards?
HIPAA Scenario Summary
Scenario 1
- Privacy not violated: John voluntarily disclosed the information.
- Does not have a cause of action.
- Supervisor should talk with HR and the Privacy Officer.
Scenario 2
- Could be under HIPAA if the information came from the health plan.
- Employee has to request to disclose the information and should provide a disclaimer.
Scenario 3
- Contact HR. Not a protected health situation. (Patty should have contacted HR before authorizing leave.)
- Privacy Officer should educate.
Scenario 4
- Privacy Officer should contact the TPA supervisor, review the BAA with the TPA, and implement established sanctions against Mary.
- TPA must disclose the breach to the plan.
- TPA may face civil penalties, the individual(s) involved could face criminal penalties, and the contract could be terminated.
Scenario 5
- Document the disclosure and educate Barb and the manager.
- Reinforce education.
Scenario 6
- Employer plan is not responsible if it has a Business Associate Agreement in place (depending on the “indemnification” provision of the BAA).
- TPA may face civil penalties and the individual(s) involved could face criminal penalties.
- Report the violation to HHS.
It’s Important To Know That…
This presentation provides an overview of the HIPAA Privacy Rule and broadly describes how this regulation will affect how the college handles employee health information from our health care plans. This information is not intended to provide all of the details of the HIPAA Privacy Rule or of the college’s policies and procedures.
This presentation also does not constitute legal advice. If there is any discrepancy between the provisions of the HIPAA Privacy Rule and the material in this presentation, the terms of the HIPAA Privacy Rule will govern in all cases.