HIPAA Solutions

HIPAA Responsibilities www.agent77.com *

(Please feel free to contact Summit Financial Group for access to a cost-effective HIPAA compliance toolkit; call 1-800-475-0991.)

  • HIPAA provides individuals with a reasonable right to privacy, not an absolute right to secrecy.
  • HIPAA enforcement will be complaint driven. That means plan members and employees have the right to report violations to the Office for Civil Rights, and those reports generate an investigation.
  • HIPAA compliance represents an excellent defense against frivolous wrongful termination suits. HIPAA Privacy and Security are fast becoming the de facto standard of protection for health information against which the actions of plans and employers will be judged.
  • An employer's fully insured health plan is indeed a "Covered Entity". This means:
    • The employer must have a signed Business Associate Agreement with any person or organization that performs a function or activity on behalf of the covered entity (the employer's health plan) and has access to or uses PHI in conducting those functions or activities.
    • If you store any electronic health data about your plan members, you may need to implement a significant portion of the Security regulations, including:
      • Personnel security policies, including personnel screening, individual passwords, a procedure for terminating access when an employee leaves, and a sanctions policy for violations.
      • Facility security and maintenance policies.
      • Workstation policies, e.g. a security assessment, workstation use policies, encryption and virus protection.
      • Backup and disaster recovery policies.
      • Designating a Security Officer who is responsible for implementing and maintaining your HIPAA Security measures.

An organized approach to Security has four phases:

  • Assess - Determine what you are interested in protecting and what you currently have in place to help.
  • Protect - Design methods to meet the goals determined in the Assess phase.
  • Detect/Remedy - If a breach of security occurs, you need to be able to know that, so you can fill the gap and prevent future problems.
  • Maintain - Continue to monitor your security approach as you acquire new things to protect or as new threats present themselves.

Transactions: You as the employer are responsible for ensuring that your group insurance carrier or HMO handles transactions properly according to the HIPAA Transactions Standards. To do that, get a statement about their compliance activities in writing and follow up to ensure that they do what they say they are going to do in this regard. Types of regulated transactions include:

  • Claims or encounter information
  • Eligibility
  • Health care payment and remittance advice
  • Health claims status
  • Referral authorization
  • Coordination of benefits
  • Health claims attachments
  • First report of injury

Privacy: Health data should only be used for the purposes for which it was obtained, unless the individual authorizes release of their information for some other purpose.

  • As a Level 1 plan, you don't see much information about an individual's health coverage. However, even the limited amount you see could be misused, and that includes a person's family status, which should be protected. Family status indicates how much a person pays for health coverage, and an employer could use that to decide whom to hire. That discriminates against those who choose to provide health care coverage for their family, since an employer may be more willing to hire someone who is single than to carry the expense of family coverage.
  • Oral Conversations: Verbal communication must be kept as private as possible when you are assisting members or speaking with a carrier about a member's problem. HIPAA protects all forms of PHI, including verbal communication. Additionally, you are prohibited from disclosing protected health information to anyone who does not have a need to know under HIPAA. In other words, what you find out during a conversation with a member or the carrier must remain private unless it is being used for treatment, payment or health care operations, even if the information was only received verbally.
  • Make sure that everyday office procedures and routines do not unnecessarily expose member information to outside view (for example, member paperwork left on a desk or a screen visible to visitors).
  • There are state privacy laws to contend with also. Some states have privacy laws that are more restrictive than HIPAA, and in such instances the state law applies.

Protected Health Information - PHI (Individually Identifiable Health Information-IIHI)

  • PHI is IIHI in any form or medium, including electronic, written or oral, that is created, received or maintained by a covered entity.
  • This includes name, address, Social Security number or phone numbers, whether or not they are combined with treatment-related information such as dates of service or diagnosis codes. All premium-related and claim information that identifies an individual is PHI.
  • Guarding this information from unauthorized or non-essential access or use is the core of HIPAA's Privacy rules.

If you are a Level 1 plan your Carrier or HMO is doing the following for you:

  • Designating a Privacy Officer
  • Distributing a Notice of Privacy Practices
  • Creating and Maintaining HIPAA Privacy related policies, procedures and forms.
  • This includes at least six rights granting individuals more control over their health information. These include the right to:
    • View and get a copy of their medical record.
    • Amend their medical record.
    • Request a restriction on the disclosure of their medical record.
    • Request all communications from the provider or health plan be made at an alternate location or by alternate means.
    • Receive an accounting of certain types of disclosures - typically these are disclosures for public health, law enforcement or workers compensation.
    • File a complaint both with the health plan and with the Department of Health and Human Services.

Authorization forms for release of information: get copies of your carrier's forms.

When do I have to Comply?

If your plan is a small health plan (annual receipts of $5 million or less), you have to comply by:

  • October 16, 2003 for Transactions
  • April 14, 2004 for Privacy
  • April 20, 2006 for Security

If you don't comply the HIPAA law carries the following serious penalties:

  • Civil penalties of $100 per violation, up to $25,000 per year for all violations of an identical requirement (the original HIPAA amounts; they have since been increased).
  • Federal criminal penalties for knowingly obtaining or disclosing protected health information in violation of HIPAA, up to $250,000 and 10 years in prison for the most serious offenses (misuse with intent to sell the information, or for commercial advantage, personal gain or malicious harm).

*Please note that the information being provided is strictly a courtesy. When you link to any of the websites provided, you are leaving this site. Neither Summit Financial Group nor Summit Consolidated Inc. makes any representation as to the completeness or accuracy of information provided at these sites. Summit Financial Group and Summit Consolidated assume no liability for any direct or indirect technical or system issues or any consequences arising out of your access to or use of a third-party site. When you access one of these sites, you are leaving Summit Financial Group's website and assume total responsibility and risk for your use of the sites to which you link.

Copyright © 2005, Summit Financial Group Toll-Free: 1.800.475.0991