HIPAA Health Insurance Portability and Accountability Act of 1996 - PowerPoint PPT Presentation

Slides: 30
Provided by: Jacquelin103

HIPAA: Health Insurance Portability and
Accountability Act of 1996
  • 2012 Sales Agent Training

  • Federal Regulation issued by Department of Health
    and Human Services (HHS), Standards for Privacy
    of Individually Identifiable Health Information
  • Effective April 14, 2003
  • Designed to protect an individual's information
    from being improperly used or disclosed to
    unauthorized entities or individuals
  • Enforced by the Office for Civil Rights

Updates to HIPAA
  • American Recovery and Reinvestment Act of 2009
    (ARRA) and Health Information Technology for
    Clinical and Economic Health Act (HITECH)
  • Added new marketing and fundraising restrictions
    and prohibition on sale of PHI
  • Set higher standards and penalties for Business
    Associates (BAs)
  • Increased penalties for HIPAA violations
  • Added data breach notification requirements

Who is covered by HIPAA?
  • Covered Entities and their Business Associates
  • BAs are entities that perform functions or
    provide services to PUP and create, use or have
    access to a PUP member's PHI
  • PUP is a Covered Entity
  • FMOs/sales agencies are PUP's BAs
  • Note: Under HITECH, BAs are held to the same
    standards as Covered Entities.

Business Associates (BAs)
  • BAs must comply with the HIPAA Privacy and
    Security Rule
  • BAs must protect the PHI that PUP provides or the
    PHI they create/collect
  • BAs must sign a HIPAA BA Agreement
  • BAs must provide HIPAA training to their own
    employees, agents and subcontractors
  • BAs must report data breaches to PUP
  • BAs are subject to civil and criminal penalties

HIPAA Privacy and Security Officers
  • HIPAA requires PUP to appoint a HIPAA Privacy and
    Security Officer to:
      • ensure that PUP complies with the HIPAA Privacy
        and Security Rule
      • ensure PUP has safeguards in place to prevent
        members' PHI (including ePHI) from inadvertent
        uses and disclosures.
  • PUP's HIPAA Privacy Officer is Teresa (Terry)
  • PUP's HIPAA Security Officer is William (Bill)

Member Rights under HIPAA
  • Individuals have the following rights under
      • To file a Privacy complaint
      • To request Access to their records
      • To request an Amendment to their records
      • To request a Restriction on the use and/or
        disclosure of their PHI
      • To request an Accounting of Disclosure of their
        PHI (to whom we disclosed their PHI)
  • If you receive any of these requests,
    immediately forward them to PUP's
    Privacy Officer.

Protected Health Information (PHI)
  • Any information (e.g., information on an
    enrollment application) PUP collects from a
    member that is transmitted or maintained in any
    form (verbally, electronically or paper).
  • Relates to the past, present or future physical
    or mental health or condition of an individual
  • Identifies the individual
  • Examples of PHI: member's name, address,
    telephone number, e-mail address, policy number,
    HIC number, date of birth, etc.

Disclosures of PHI
  • If a member asks you for claims, enrollment,
    prior authorization, etc. information, or
  • If someone other than the member (e.g., member's son
    or neighbor) asks for information about the
  • Ask them to call PUP's Member Services at 1-(866)

Fax Transmissions
  • Fax machines may be used to transmit and receive
  • Best Practices to safeguard PHI:
      • Pre-program destination numbers to reduce
        potential errors in misdialing
      • Confirm the accuracy of the fax number before
        pressing start/send
      • Print a confirmation page for each fax
      • Include a completed fax cover page with every fax
      • Do not let faxes sit at a shared fax machine

  • All emails must be encrypted.
  • Practice Safe Email:
      • Do not open, forward, or reply to suspicious
      • Do not open suspicious email attachments or click
        on unknown website addresses
      • NEVER provide your username and password to an
        email request
      • Delete spam and empty the Deleted Items folder

Proper Disposal of PHI
  • Best practices for disposing of PHI:
      • Paper shredding, burning, pulping, or
        pulverizing the records so that PHI is rendered
        essentially unreadable, indecipherable, and
        otherwise cannot be reconstructed
  • All documents containing PHI must be shredded

Equipment Security
  1. Do Not leave your laptop, iPad or phone in your
  2. USB memory sticks must be encrypted
  3. Laptops, iPads, phones must be guarded at all
  4. Never share Company equipment with family or
  5. Lock your portable device with an access code.
  6. Report loss or theft of equipment immediately to

Password Security
  1. Use a Str0ng Pa55w0rd
  2. Don't use familiar dates, names, dictionary
  3. Use symbols, numbers, caps (think vanity plate)
  4. Don't share passwords or use the same password
     across applications
  5. Change your passwords often

Remote Access Security
  • When using your home/shared PC, you must:
      • Have up-to-date security patches and anti-virus
      • Not share passwords
      • Log off the computer when not in use
      • Restart a shared PC (e.g. at a hotel/conference)
      • Be careful of public networks
      • Watch for shoulder surfing
      • Never download ePHI

A Data Breach is
  • An impermissible use or disclosure under the
    Privacy Rule that compromises the security or
    privacy of the PHI such that the use or
    disclosure poses a significant risk of financial,
    reputational, or other harm to the affected

Breach Notification
  • Covered Entities must notify each person whose
    unsecured PHI is disclosed in a breach
    ASAP/within 60 days
  • If an inadvertent data breach involves >500
    Members, PUP has to notify the media and report
    to HHS
  • If an inadvertent data breach involves <500
    Members, PUP has to file an annual report with

Breach Statistics
  • Over 450 breach incidents listed on HHS website.
    Most involve theft or loss of laptops and
    portable devices.
  • http://www.hhs.gov/ocr/privacy/hipaa/administrati

Reporting a Privacy Violation or Potential Breach
  • PUP's policy requires all PUP employees and BAs
    to report all privacy violations and potential
    breaches to the PUP Privacy Officer immediately.

Federal Sanctions
  • Tier A (offenders did not realize they violated
    the Act)
      • Minimum per violation: $100
      • Maximum per calendar year: $25,000
  • Tier B (violations due to reasonable cause)
      • Minimum per violation: $1,000
      • Maximum per calendar year: $50,000
  • Tier C (violations due to willful neglect but the
    company corrected)
      • Minimum per violation: $10,000
      • Maximum per calendar year: $250,000
  • Tier D (violations due to willful neglect and the
    company did not correct)
      • Minimum per violation: $50,000
      • Maximum per calendar year: $1.5 million

State Sanctions
  • HITECH also gave states the authority to sue
    companies for HIPAA violations
  • Connecticut Attorney-General sued Health Net of
    Connecticut in 2009 after it lost a computer disk
    drive with PHI of 446,000 members and delayed
    notifying members for 6 months

Recent Cases
  • March 2012: Blue Cross Blue Shield of Tennessee
    fined $1.5 million for 57 unencrypted computer
    hard drives stolen from a leased facility. The
    drives contained PHI for over 1 million
  • January 2012: Georgia Health Sciences University
    had to notify 513 patients of a laptop theft that
    contained PHI. The laptop was not secured in
    accordance with HITECH.
  • April 2011: Mass. General Hospital paid $1
    million because an employee took work home and
    left documents on a subway train that included
    billing and medical records of 192 patients.

Reporting HIPAA Violations
  • Tel: HIPAA Privacy Officer, 321-460-1861
  • Email: compliance@pupcorp.com
  • To report anonymously, call the PUP Hotline:
    1-866-461-5705

Scenario 1
  • I faxed an Enrollment Application to the wrong
    fax number.
  • What should I do?
  • Immediately report the incident to PUP's Privacy
      • via telephone: (321) 460-1861
      • via email: compliance@pupcorp.com

Scenario 2
  • I had some completed applications in my car and
    my car was stolen. Who should I report this to?
  • Immediately report the incident to the PUP
    Privacy Officer (and the police).
      • via telephone: (321) 460-1861
      • via email: compliance@pupcorp.com

Scenario 3
  • I received a phone call from a member's daughter
    requesting a copy of her mother's claim.
  • What should I do?
  • Give the daughter PUP's Member Services
    Department telephone number to call:
    (866) 571-0693.

Scenario 4
  • I use my iPad and laptop to store PUP member
    information and they were stolen.
  • What should I do?
  • Immediately report the incident to the PUP
    Privacy Officer.
      • via telephone: (321) 460-1861
      • via email: compliance@pupcorp.com

  • Teresa Wong
  • HIPAA Privacy/Compliance Officer
  • 321-460-1861 (Direct line)
  • 407-620-2458 (Cell)
  • 407-226-1901 (Fax)

  • http://www.hhs.gov/hipaafaq/ (DHHS FAQs)
  • http://www.cms.hhs.gov/HIPAAGenInfo (CMS FAQs)
  • http://www.hhs.gov/ocr/hipaa (Office for Civil
  • Office for Civil Rights, DHHS toll free number
  • www.ahima.org (American Health Information
    Management Association)