Guest bobark
Posted

Suppose a company is large enough that it has a Benefit Department and there is very little overlap with Human Resources.

The Benefit Staff are clearly regarded as in receipt of PHI and have been trained and are obviously involved as to payment and operations - and assisting in obtaining treatment at times.

Human Resources at office locations could be asked some general questions - "is this a covered procedure" or "what is the basic percentage of reimbursement"; "am I eligible to drop/add coverage if ..."; "where do we file"; etc.

They may also get specific questions such as "How do I fill out this form"; or "can you interpret this EOB I just got"; or "Is Dr. Jones in the network"; etc.

Finally, they might get information on "fitness for duty" or requests for medical leave, etc.

But the key is about the only thing an HR representative has clear access to that is PHI is payroll information related to deductions. All other dealings with an employee are because they were asked by the employee for assistance.

After all that build-up, the short question is whether the fact that the "employer" is not subject to HIPAA Privacy means the HR's are not "agents of the plan" and so HIPAA Privacy does not apply to them - notwithstanding that company policies on privacy of employee information certainly do and notwithstanding that the Benefits Dept employees are "in the box."

Posted

The employer must determine which of its employees need access to PHI to perform their job duties. Information related to enrollment and eligibility is not PHI when held by an employer. Similarly, general benefits related questions (are chiropractic services covered?) are not PHI.

If an individual employee discloses his or her own information to a non-HIPAA component of the employer (e.g., the HR department in your example), the information has been disclosed to the employer (a non-covered entity) in a permissible manner and is no longer subject to HIPAA.

Note, however, that this is an area that is just begging for a lawsuit based on the misunderstanding of the employee. If the employer wishes to keep HR employees out of the HIPAA box, this should be clearly communicated to all employees (as well as being described in the plan amendment). Note also that removing these employees from the HIPAA box means they will be unable to access PHI from sources other than the participant (e.g., they will not be able to contact an insurance company or TPA to clarify an EOB question).

HIPAA privacy will apply to any employee who accesses PHI as part of his or her job function. The employer should describe these individuals and the functions they perform in the plan amendment.

Guest bobark
Posted

Thanks, Steve

I pretty much agree.

I guess I am very much wanting to take the position that the VEBA that sponsors the health plan has certain employees with direct plan responsibilities and that the many supervisors or the location HR's are not in the "plan universe."

If a participant wanting help on an EOB question sends the HR an email which is forwarded to the TPA or if a joint phone call is made, I would think that takes the situation out of the HIPAA arena for the HR. And if the request is forwarded to Benefits and we run with it, but leave the HR out of the response (except separately to notify them we "took care of it"), again I think HR is HIPAA-clear.

Our employee handbook contains a statement indicating that certain employees or supervisors may be in receipt of confidential medical information and that they are not permitted to share such privileged information with friends, family, or coworkers except as specifically authorized.

I just hate to start feeling that HIPAA privacy relating to the health plan is violated when birth announcements and updates on hospitalized employees are promulgated when the health plan had nothing to do with this even though I am emphasizing to everyone that they better at least get permission from the employee or close family. Five thousand people do not need to know that Susan had premature twins and Mom is doing great, but one of the twins is not out of the woods yet. But when Susan's husband says she really wants her office to know and visit and pray and send cards, etc. I genuinely do not feel the health plan itself should be opened up to HIPAA sanctions if later on some supervisor fails to give Susan a job transfer because she has "little ones with health problems."

But Devil's Advocating myself, if it is felt HR at least is "in the box", is there likely any sense that their formal training need not be complete by 4/15/03 (Assume a $6m+ plan) if the PHI they do come in contact with is strictly due to the participant's own disclosure to them given the company's privacy/confidentiality rules?

Posted

>>>I just hate to start feeling that HIPAA privacy relating to the health plan is violated when birth announcements and updates on hospitalized employees are promulgated when the health plan had nothing to do with this<<<

I feel comfortable that you are safe here. As long as individuals are not disseminating information that was received through plan roles, there are no HIPAA implications from the employer standpoint.

>>>Our employee handbook contains a statement indicating that certain employees or supervisors may be in receipt of confidential medical information and that they are not permitted to share such privileged information with friends, family, or coworkers except as specifically authorized. <<<

If this provision is to apply to all HR personnel, you may want to consider changing the word "authorized" to avoid the impression that you are talking about a HIPAA authorization.

Posted

What about incidental access to non-enrollment related PHI? An example: An employer maintains its own customer service center to respond to claim inquiries. This component of the employer is considered a covered entity (or rather, the employer is a hybrid entity) and the CSRs answer questions related to enrollment, deductions, claims, problems, etc. The Info Technology department has employees who perform maintenance on software applications used by the CSRs to resolve IT problems, upgrade, etc. The IT staff may inadvertently view PHI in the course of helping a CSR with a system issue. The IT staff sign confidentiality agreements. How are these roles viewed by HIPAA?

Posted

Train 'em.

These people (as well as internal audit, or other individuals who may come into contact with HIPAA information in the regular course of their duties) should be brought into the HIPAA box. This means training the individuals and describing their duties in the NOPP and amendment. The confidentiality agreement will likely be insufficient.

Posted

Thanks Steve, I was afraid you'd say that.

Related to the original question posted on this thread, I attended the National Conference on the HIPAA Privacy Rule a few weeks ago presented by HHS.

One of the issues they addressed specifically was the role of Union Representatives. Susan McAndrew, JD - Sr. Health Information Privacy Policy Specialist at HHS said that Union Reps may disclose or have PHI communicated to them by a payer without requiring an individual authorization under the "informal provisions" of 164.510(B). So it seems that HHS' stance was similar to what you communicated relative to an HR rep who may only be involved in plan administrative functions such as forwarding enrollment info, answering general questions, etc. But I also took this to mean that these people were not specifically required to be trained under HIPAA (though as a best practice it may not be a bad idea - it just wouldn't have to be completed by April 14). Thoughts?

Posted

I agree with Steve, train 'em.

I can tell you from personal experience that the training has been a huge benefit to me due to the questions and "what ifs" I received from my HR crew.

I would do flow charting of the PHI and if the Union reps are major players, I would train them before April 14th.

Judith

Posted

"Major players" is a somewhat subjective term and a bit difficult to gauge. I believe that they get occasional questions, but most of the time they refer the employee to the payor. I would estimate at my company that it would not approach even 10% of their total duties as compared with other labor relations activities. Of course, there is the grievance process also, where benefit issues potentially could come into play...

Posted

You are correct, "major players" is not the best to use. My HR department quantified it for all employees, using a simple scale of 1-4. 1 - the employee uses PHI every day. 4 - never have direct contact with PHI. We also flow charted all the PHI to see who used the information. We now know who we have to train and to what level. We also have great documentation for minimum necessary guidelines and for consistent training decisions.

Posted

I think consistency is the most important thing to have. If you have individuals who have an established need to use PHI, train them. If they do not have this need, institute policies that state that they should not use PHI.
