HIPAA Privacy

  • What is HIPAA?

    HIPAA is the Health Insurance Portability & Accountability Act of 1996, Public Law 104-191, passed August 21, 1996. 

    HIPAA was enacted for four main purposes: 1) Portability and availability of health care, 2) Nondiscrimination based upon health-related status, 3) Medicare and Medicaid fraud and abuse, and 4) Administrative simplification regarding electronic transmission of health care information.

    Concerns over privacy issues in the administrative simplification rules led the Department of Health and Human Services to release final privacy rules that went into effect for Saint Paul Public Schools health plans on April 14, 2003.

    The final privacy rules regarding administrative simplification require:

    • More efficient healthcare delivery through standardized electronic data interchange, and
    • Increased and standardized protection of the confidentiality and security of health data.

    Who must comply with HIPAA?

    All health plans (medical, dental and Section 125 medical reimbursement accounts) are covered entities under the HIPAA regulations and must comply with the privacy and security regulations of HIPAA. 

    An employer-sponsored health plan, not the employer itself, is a HIPAA Covered Entity.  In their role as plan sponsor and plan administrator, employers must deal with a variety of HIPAA privacy requirements.  The privacy requirements differ depending upon whether the health plan is fully funded or self-insured.

    The responsibility for HIPAA compliance for fully funded health plans lies with the health insurance carrier.  The responsibility for HIPAA compliance for self-insured health plans lies with the employer because the employer is the plan sponsor and plan administrator.  Saint Paul Public Schools is fully funded for the medical plan through HealthPartners.  Therefore, HealthPartners must comply with HIPAA regulations that pertain to our medical plan. 

    Saint Paul Public Schools is the plan sponsor and administrator of two self-funded plans: the dental insurance plan and the Section 125 Medical Reimbursement Account.  Therefore, Saint Paul Public Schools must comply with HIPAA regulations that pertain to our self-funded health plans.

    What is HIPAA's purpose?

    To ensure consistent treatment of patients' medical data by every healthcare provider in the United States and to protect against unauthorized disclosure of private information.   An individual's private medical data is called Protected Health Information (PHI).

    What is considered PHI?

    Protected Health Information is anything that can be used to identify a member including:

    • Your health history
    • Your medical records
    • Your name, address and date of birth
    • Your marital status
    • Sex
    • Social Security Number
    • Information regarding your dependents
    • Other similar information that relates to past, present or future medical care

    How does Saint Paul Public Schools guard my PHI?

    Only PHI necessary to conduct business with our healthcare providers is kept at Saint Paul Public Schools.   The PHI is kept in individual medical files separate from personnel files in locked file cabinets.  Access to the locked medical files is restricted to authorized Human Resource personnel only.   Release of PHI is restricted to the healthcare provider, third-party administrator, or employee only.  Some exceptions regarding release of PHI apply under the law.

    It is permissible under HIPAA to transmit or share data that has been de-identified.  That means that all references to a specific, identifiable person have been removed from all communications.   Saint Paul Schools receives only de-identified claims data from healthcare providers.

    What are some examples of situations where PHI may be disclosed?

    Non-routine disclosures may be made to:

    • The health plan sponsor for payment or other claims purposes
    • Organ donation and tissue transplant entities, if you are an organ or tissue donor
    • The military if you are a member of the armed services
    • Workers' compensation carriers
    • Public health agencies
    • Law enforcement personnel in response to legal requirements
    • Coroners, medical examiners, funeral directors
    • Legal representative in response to a court order or other legal proceeding
    • National security and intelligence agencies as authorized by law
    • Correctional institutions if you are an inmate

    What type of communication is impacted by HIPAA privacy rules?

    HIPAA impacts all forms of communication about protected health information.   Examples include:

    • Electronic: Protected health information is protected against hackers through the security provisions
    • Written: Patient information is protected by requiring adequate security of medical records
    • Oral: Individuals are protected against casual conversations about their treatment or payment history between office staff within earshot of others
    • Fax: Members are protected against administrators inadvertently sending a fax to the wrong location, thereby compromising their private information

    What are my rights with respect to accessing my own PHI?

    You have the right to access your PHI by making a written request to the Privacy Officer.  You may request restrictions on certain uses and disclosures of PHI, but Saint Paul Schools is not required to agree to the restrictions.  You have the right to amend your PHI.  You have the right to receive an accounting of non-routine disclosures of protected health information.

    If you feel that your rights under HIPAA have been violated, you have the right to file a formal, written complaint with the Privacy Officer at Saint Paul Public Schools, or with the Department of Health & Human Services, Office of Civil Rights.   

     HIPAA privacy notice