Posted

We are a large employer (not in the healthcare industry) in 50 states that self-insures its medical plan and also has about a dozen HMOs in some states. We outsource the administration to UHC for the self-insured part of our medical plan.

The problem I am having is trying to determine what is considered PHI (protected health information) internally that falls outside of TPO (treatment, payment or healthcare operations).

Would anyone have a good list?

Also, in our HR dept. we separate our health benefits administration group from the group that handles FMLA and other employment-based issues. Our workers comp (although headquartered in a separate state, reports into headquarters) & LTD functions are part of benefits health admin in corporate.

We have employees (HR reps) in the field who may come into play with PHI on a day-to-day basis.

It seems to me at first glance that this may be monumental companywide.

I read that workers' comp is exempt from the privacy rules? What about disability plan administration and FMLA? I also understand that "firewalls" must be in place between anyone who handles PHI for the health plan and other benefits/employment administration. Does anyone have any good recommendations here?

Our FMLA group from time to time may have interaction with our health benefits admin group, and the same for our disability administrators (they actually report into Benefits Admin as well).

We get involved quite a bit in helping ees try to resolve claims/payment issues - does this fall under the "payment" exclusion?

Thanks for any and all insights.

Posted

A covered entity (in this case, the health plan) can disclose PHI without consent or authorization to an agency responsible for administering workers comp, or to the party responsible for payment. However, disclosure to these entities is limited in scope. Use of PHI for disability benefits or FMLA is significantly more problematic, as is employer involvement in the adjudication of claims. Setting up training for employees, as well as creating a HIPAA-compliant "paper trail", is recommended.

Posted

:D

Sorry. HIPAA requires certain documents (consents or authorizations) for most disclosures by a covered entity other than treatment, payment or healthcare operations. By paper trail, I just mean ensuring that the proper documents are in place for the necessary business disclosures.

IMHO, HIPAA (at least the privacy side) is primarily an administrative issue. Most current business activities can continue so long as the proper paperwork is in place. The primary difficulty is determining the current usage of information within the company to ensure that nothing slips through the cracks, and educating the workforce, both to show the necessity of certain disclosures and to ensure the proper treatment of PHI by those employees who access it.

I've emailed you my contact information. Feel free to contact me offline.
