HIPAA FAQ

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 and requires us to implement processes with respect to protected health information as well as inform individuals about how we protect their information.

How will HIPAA change my job?

HIPAA may not change your job significantly, but we will all be trained on what we need to know so that we can be sure that we are protecting health information against unauthorized use.

Who has to be "HIPAA compliant?"

By April 14, 2003, all health care providers and payers across the nation will have trained their staff and will have implemented policies and procedures designed to provide uniform privacy rights.

Who is responsible for patient privacy?

Each one of us.

What is confidential information?

Confidential information is any health information or billing information that can be linked to an individual. If you know that John Jones was a patient and received treatment for a broken leg, this is confidential information. If you know that John Jones has Blue Cross insurance and was billed $5,000 for treatment for his broken leg, this is confidential information. If you know that during 2001, 185 patients were treated in the emergency department for ear infections, that is not confidential information because it does not identify the specific patients or list any identifiers such as birth date, medical record number, etc.

What can I do today to protect a person's confidentiality?

A good HIPAA privacy exercise is to put yourself in that person's shoes. As an individual, how would you like your caregivers to protect your personal health information? If you can limit who sees or hears health information, you'll be taking the first steps toward honoring our commitment to protecting health information.

Who can I talk to if I have a question about patient privacy or confidentiality?

If you have a question or concern about HIPAA privacy, contact Human Resources at 386-822-8710.

What does the HIPAA Privacy Rule do?

Most health plans and health care providers that are covered by the new Rule must comply with the new requirements by April 14, 2003.

The HIPAA Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information.

  • It gives patients more control over their health information.
  • It sets boundaries on the use and release of health records.
  • It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
  • It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
  • And it strikes a balance when public responsibility supports disclosure of some forms of data, for example, to protect public health.

For patients:

  • It means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
  • It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
  • It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
  • It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
  • It empowers individuals to control certain uses and disclosures of their health information.

What is the difference between "consent" and "authorization" under the HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an "authorization" is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

Must an Authorization include an expiration date?

The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed," "upon the minor's age of majority," or "upon termination of enrollment in the health plan." An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event. The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.

Does an individual have a right under the HIPAA Privacy Rule to restrict the protected health information his or her health care provider discloses for workers' compensation purposes?

Individuals do not have a right under the Privacy Rule at 45 CFR 164.522(a) to request that a covered entity restrict a disclosure of protected health information about them for workers' compensation purposes when that disclosure is required by law or authorized by, and necessary to comply with, a workers' compensation or similar law. See 45 CFR 164.522(a) and 164.512(a) and (l).

Won't the HIPAA Privacy Rule's minimum necessary standard impede the ability of workers' compensation insurers, State administrative agencies, and employers to obtain the health information needed to pay injured or ill workers the benefits guaranteed them under State workers' compensation systems?

No. The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers under workers' compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose. For disclosures of protected health information made for workers' compensation purposes under 45 CFR 164.512(l), the minimum necessary standard permits covered entities to disclose information to the full extent authorized by State or other law. In addition, where protected health information is requested by a State workers' compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the official's representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).

For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount of information necessary to receive payment for any health care provided to an injured or ill worker.

The minimum necessary standard does not apply to disclosures that are required by State or other law or made pursuant to the individual's authorization.

My State law says I may disclose records, relating to the treatment I provided to an injured worker, to a workers' compensation insurer for purposes of determining the amount of or entitlement to payment under the workers' compensation system. Am I allowed to share this information under the HIPAA Privacy Rule?

Yes. A covered entity is permitted to disclose an individual's protected health information as necessary to comply with and to the full extent authorized by workers' compensation law. See 45 CFR 164.512(l).

Does the HIPAA Privacy Rule permit a health care provider to disclose an injured or ill worker's protected health information without his or her authorization when requested for purposes of adjudicating the individual's workers' compensation claim?

Covered entities are permitted to disclose protected health information for such purposes as authorized by, and to the extent necessary to comply with, workers' compensation law. See 45 CFR 164.512(l). In addition, the Privacy Rule generally permits covered entities to disclose protected health information in the course of any judicial or administrative proceeding in response to a court order, subpoena, or other lawful process. See 45 CFR 164.512(e).

Is Stetson University subject to the federal HIPAA legislation?

Stetson University is a hybrid entity: certain health plans, as well as the Student Health Clinic, are covered by the new HIPAA rules and regulations. The HIPAA rules pertain to the privacy and security of "protected health information," or PHI. A Notice of Privacy Practices explains the new regulations; students and employees who visit the Student Health Clinic here on campus will receive a slightly different notice.

What does PHI really mean?

The "P" in PHI means that Stetson University must protect and maintain certain privacy standards related to individually identifiable health information. The "H" for health generally means medical or dental records, but can also refer to the kind of health insurance coverage that an employee chooses. For example, the fact that Susie Smith is a Stetson employee with family coverage and the BCBS Premium Plan would be considered "PHI". Any health-related information that identifies one individual and is obtained at our clinic or from our insurance programs for medical, dental, vision, and prescription drugs, as well as the health care Flexible Spending Account and Employee Assistance Program, would be covered under HIPAA. Information under the Workers' Compensation laws or the Family Medical Leave Act is not covered under HIPAA.

I am a Stetson University faculty or staff member. I have a medical insurance claims question that I want my spouse to assist me with. How do the HIPAA regulations impact me?

HIPAA laws require that the Office of Human Resources not discuss your personal health information with anyone else unless you have approved it. Generally this means that if you tell us in person to speak with your spouse about your claims issue, we will be happy to. If you call or email us, we may ask you to fill out and give us an Authorization to Release Information that tells us what information you want discussed and with whom we may discuss it. All of the HIPAA-related forms are on the Office of Human Resources web site at www.stetson.edu/hr or can be picked up from our office.

What about a claims issue on my son or daughter? My 2-year old can't give me permission to talk with the HR Office about his tonsillectomy.

That is correct. A parent or legal guardian of a minor child (under age 13 for health information) is automatically considered to be that child's Personal Representative and the Office of Human Resources will be happy to assist you with any claims issue.

I filled out a written Authorization to Release Information so my spouse can talk to HR. Do I need to do another one if I have another claims issue in the future?

Yes. HIPAA regulations require that the Office of Human Resources obtain your permission to speak with anyone about each claims issue or question. We know this is somewhat bothersome, but the regulations were designed to protect each individual from having information released without his or her permission. In the case of an emergency, a public health risk, or a request from law enforcement, the HR office will disclose information without a written approval from you.

What kind of medical information does Stetson University maintain on me?

In general, the Office of Human Resources retains the benefit enrollment forms that you fill out as a new employee or during annual open enrollment. Most health-related information is in summary form for billing purposes. The Office of Human Resources can use your PHI for three purposes: treatment, payment, or operations. The Student Health Clinic keeps personal and confidential medical files that no one else on campus can see.

Can I email the campus about a prayer request for one of my employees who is in the hospital? What about at a group meeting or staff chapel?

HIPAA officials are not going to fine you for a prayer request, but many employees do not want their personal health condition discussed. We would encourage everyone to be especially careful about what information you put into an email.

My colleague has a cast on her leg. Can I ask how she is doing?

Of course. HIPAA regulations do not impede free speech.

Can I talk to one of the staff employees that I supervise about his absences or his request to leave early for a doctor appointment?

Yes, you can. HIPAA rules specifically do not cover the employment relationship. The sick leave and FMLA policies in the handbook are still in effect. What you should not do is give specifics to the rest of your department about the reasons why the employee is absent.

Example: Don't say, "Jen won't be in her office today because she says the dust from the new carpet aggravates her allergies."

Example: Do say, "Jen has a medical condition, so we are letting her work the phones today instead of having her work in her office."

Are there others on campus that might have access to my PHI?

All employees with access to PHI have been identified and will have special training to ensure they understand and comply with regulations. We want to make sure that your private health information is kept confidential in every way possible.

I am still a bit confused about HIPAA. Who should I contact?

The Office of Human Resources website at www.stetson.edu/hr will have the HIPAA policies and forms and a number of links related to HIPAA that you can review.