HIPAA Health Insurance Portability and Accountability Act of 1996 Sales Agent Training


Page 1: HIPAA Health Insurance Portability and Accountability Act of 1996 Sales Agent Training

HIPAA
Health Insurance Portability and Accountability Act of 1996
Sales Agent Training

Page 2

HIPAA

• Federal Regulation issued by the Department of Health and Human Services (HHS), Standards for Privacy of Individually Identifiable Health Information
• Effective April 14, 2003
• Designed to protect an individual’s information from being improperly used or disclosed to unauthorized entities or individuals
• Enforced by the Office for Civil Rights

Page 3

Health Information Technology for Economic and Clinical Health Act (HITECH)

• American Recovery and Reinvestment Act of 2009 (ARRA) and Health Information Technology for Clinical and Economic Health Act (HITECH)
• Added new marketing and fundraising restrictions and a prohibition on the sale of PHI
• Set higher standards and penalties for Business Associates (BAs)
• Increased penalties for HIPAA violations
• Added data breach notification requirements

Page 4

Who is covered by HIPAA?

• Covered Entities and their Business Associates (BAs)
• BAs are entities that perform functions or provide services to PUP and create, use or have access to a PUP Member’s PHI
• PUP is a Covered Entity
• FMOs/sales agencies are PUP’s BAs

Note: Under HITECH, BAs are held to the same standards as Covered Entities.

Page 5

Business Associates (BAs)

• Entities that perform a function on PUP’s behalf, or provide a service to PUP, and create, use or have access to a PUP member’s PHI
• BAs must comply with the HIPAA Privacy and Security Rule
• BAs must protect the PHI that PUP provides or the PHI they create/collect
• BAs must sign a HIPAA BA Agreement
• BAs must provide HIPAA training to their own employees, agents and subcontractors
• BAs must report data breaches to PUP
• BAs are subject to civil and criminal penalties

Page 6

HIPAA Privacy & Security Officers

• HIPAA requires PUP to appoint a HIPAA Privacy and Security Officer to:
  • ensure that PUP complies with the HIPAA Privacy and Security Rule
  • ensure PUP has safeguards in place to prevent members’ PHI (including ePHI) from inadvertent uses and disclosures.
• PUP’s HIPAA Privacy Officer is: Lakesia Mosley
• PUP’s HIPAA Security Officer is: Satya Tottappillil

Page 7

Member Rights under HIPAA

• HIPAA gives patients a right to:
  • File a privacy complaint
  • Access their records
  • Ask for an amendment to their records
  • Request a special restriction on disclosure/use of their PHI
  • Receive an accounting of disclosures of their PHI (to whom we disclosed their PHI)

*If you receive any of these requests, immediately forward them to PUP’s Privacy Officer.

Page 8

Protected Health Information (PHI)

• Any information (e.g., information on an enrollment application) PUP collects from a member that is transmitted or maintained in any form (verbally, electronically or on paper).
• Relates to the past, present or future physical or mental health or condition of an individual
• Identifies the individual
• Examples of PHI: Member’s name, address, telephone number, e-mail address, policy number, HIC number, date of birth, etc.

Page 9

Disclosures of PHI

• If a member asks you for claims, enrollment, prior authorization, etc. information, or
• If someone other than the member (e.g., the member’s son or neighbor) asks for information about the member

Ask them to call PUP’s Member Services at 1-(866) 571-0693.

Page 10

Fax Transmissions

• Fax machines may be used to transmit and receive PHI
• Best practices to safeguard PHI:
  • Pre-program destination numbers to reduce potential errors in misdialing
  • Confirm the accuracy of the fax number before pressing start/send
  • Print a confirmation page for each fax transmission
  • Include a completed fax cover page with every fax
  • Do not let faxes sit unattended at a shared fax machine

Page 11

Emails

• All emails must be encrypted.
• Practice safe email:
  • Do not open, forward, or reply to suspicious emails
  • Do not open suspicious email attachments or click on unknown website addresses
  • NEVER provide your username and password in response to an email request
  • Delete spam and empty the “Deleted Items” folder

Page 12

Proper Disposal of PHI

• Best practices for disposing of PHI:
  – Paper: shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed

* All documents containing PHI must be shredded

Page 13

Equipment Security

1. Do not leave your laptop, iPad or phone in your automobile
2. USB memory sticks must be encrypted
3. Laptops, iPads and phones must be guarded at all times
4. Never share Company equipment with family or friends
5. Lock your portable device with an access code
6. Report loss or theft of equipment immediately to PUP

Page 14

Password Security

1. Use a Str0ng Pa55w0rd
2. Don’t use familiar dates, names, or dictionary words
3. Use symbols, numbers and caps (think vanity plate): “1-hat3-Mean-pe0pl3”
4. Don’t share passwords or use the same password across applications
5. Change your passwords often

Page 15

Remote Access Security

When using your home/shared PC, you must:
1. Have up-to-date security patches and anti-virus software
2. Not share passwords
3. Log off the computer when not in use
4. Restart a shared PC (e.g., at a hotel/conference)
5. Be careful of “Public” networks
6. Watch for shoulder surfing
7. Never download ePHI

Page 16

A Data Breach is…

An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Page 17

Breach Notification

Covered Entities must notify each person whose unsecured PHI is disclosed in a breach ASAP/within 60 days.

If an inadvertent data breach involves more than 500 Members, PUP has to notify the media and report to HHS.

If an inadvertent data breach involves fewer than 500 Members, PUP has to file an annual report with HHS.

Page 18

Breach Statistics

Over 450 breach incidents listed on HHS website. Most involve theft or loss of laptops and portable devices. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 19

Reporting a Privacy Violation or Potential Breach

PUP’s policy requires all PUP employees and BAs to report all privacy violations and potential breaches to the PUP Privacy Officer immediately.

Page 20

Federal Sanctions

Tier A (offenders did not realize they violated the Act)
• Minimum per violation: $100
• Maximum per calendar year: $25,000

Tier B (violations due to “reasonable cause”)
• Minimum per violation: $1,000
• Maximum per calendar year: $50,000

Tier C (violations due to willful neglect, but the company corrected)
• Minimum per violation: $10,000
• Maximum per calendar year: $250,000

Tier D (violations due to willful neglect, and the company did not correct)
• Minimum per violation: $50,000
• Maximum per calendar year: $1.5 million

Page 21

State Sanctions

• HITECH also gave states the authority to sue companies for HIPAA violations

• Connecticut Attorney-General sued Health Net of Connecticut in 2009 after it lost a computer disk drive with PHI of 446,000 members and delayed notifying members for 6 months

Page 22

Recent Cases

• March 2012: Blue Cross Blue Shield of Tennessee fined $1.5 million for 57 unencrypted computer hard drives stolen from a leased facility. The drives contained PHI for over 1 million individuals.
• January 2012: Georgia Health Sciences University had to notify 513 patients of the theft of a laptop that contained PHI. The laptop was not secured in accordance with HITECH.
• April 2011: Mass. General Hospital paid $1 million because an employee took work home and left documents on a subway train that included billing and medical records of 192 patients.

Page 23

Reporting HIPAA Violations

HIPAA Privacy Officer: Lakesia Mosley
Via telephone: Office: 407-209-1010 ext. 12107; Cell: 407-495-7494
Via email: [email protected]

To report anonymously to the PUP Hotline: 1-866-461-5705

Page 24

Scenario 1

I faxed an Enrollment Application to the wrong fax number. What should I do?

Immediately report the incident to PUP’s Privacy Officer.
Via telephone: Office: 407-209-1010 ext. 12107; Cell: 407-495-7494
Via email: [email protected]

Page 25

Scenario 2

I had some completed applications in my car and my car was stolen. Who should I report this to?

Immediately report the incident to the PUP Privacy Officer (and the police).
Via telephone: Office: 407-209-1010 ext. 12107; Cell: 407-495-7494
Via email: [email protected]

Page 26

Scenario 3

I received a phone call from a member’s daughter requesting a copy of her mother’s claim. What should I do?

Give the daughter PUP’s Member Services Department telephone number to call: (866) 571-0693.

Page 27

Scenario 4

I use my iPad and laptop to store PUP member information and they were stolen. What should I do?

Immediately report the incident to the PUP Privacy Officer.
Via telephone: Office: 407-209-1010 ext. 12107; Cell: 407-495-7494
Via email: [email protected]

Page 28

Questions?

Lakesia Mosley
HIPAA Privacy Officer
Acting Compliance Officer
407-209-1010 ext. 12107 (Office)
407-495-7494 (Cell)
407-226-1951 (Fax)

Page 29

Resources

• http://www.hhs.gov/hipaafaq/ (DHHS FAQs)

• http://www.cms.hhs.gov/HIPAAGenInfo (CMS FAQs)

• http://www.hhs.gov/ocr/hipaa (Office for Civil Rights)

• Office for Civil Rights, DHHS toll free number 800-368-1019

• www.ahima.org (American Health Information Management Association)