One more HIPPA Question

LFernandes

Hi Everyone,

We conduct panelist studies for personal care products. When a panelist signs up for a study they complete a questionnaire which includes questions like medicine are you taking, are you pregnant, or have any chronic illnesses (yes/no answers) prior to picking up the sample product.

Should we be informing our panelists of their rights under HIPPA? Someone told one of our managers that we should be handing out the HIPPA information sheet. The only people who have access to the questionnaires are the study coordinators. I know that there are exclusions to the law. Would this be one of them?

Your thoughts and opinions please!

LFernandes

Don D

I'm baffled by the whole question. Others may be as well since there were no replies.

skyrocket

HIPAA applies ONLY to Health Plans and entities that work with health plans. Unless you are providing a service to someone's health plan, HIPAA does not apply.

You could be providing a service to a health plan if you are conducting a marketing service to health plan members.

To check whether or not you as an entity must comply with HIPAA see the "Covered Entity Flow Chart" at [url]http://cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/CoveredEntityFlowcharts.pdf[/url] .

It looks complicated - but will answer your question. Remember, it is not the fact that you handle personal medical information (as concerns HIPAA law) it is whether or not it is used in conjunction with the administration of a health benefit plan.

scottorr

Hi Skyrocket,

So far you have directed me to two great HIPAA websites/presentations. Do you know of another website/presentation which shows what I as a benefits administrator need to do? We are not a self insured plan and we have under $5,000,000 in receipts. We have sent out a privacy notice, have an authorization form and an authorization log. Is there anything else I need to do to be in compliance? Thanks!

skyrocket

Have you got 12 hours Scottor? That is a loaded question indeed. I just put together an "employer's guide" in conjunction with an ERISA benefits attorney. From that information, I will keep this simple...

Following are some of the requirements for HIPAA compliance. Though the compliance date is April 14, 2004, please allow adequate time for employee training and amending plan documents and Business Associate contracts.

1. Identify Protected Health Information (PHI) used and handled in your organization, who handles this information, the flow of PHI within the organization, and any gaps between current operations and HIPAA confidentiality requirements.
2. Identify benefit plans subject to Privacy Rules.
3. Create and distribute a Notice of Privacy Practices (NPP) that informs plan participants of the ways in which the Plan may use and disclose medical information about plan participants. It also describes the Plan’s obligations and the rights of plan participants regarding the use and disclosure of medical information.
4. Amend the ERISA Plan Document to reflect HIPAA Privacy rules and obligations.
5. Identify Business Associates that provide services to the benefit plan and obtain signed Business Associate Agreements from each entity. This agreement allows the Business Associate to use PHI on behalf of the Plan and outlines the Business Associates obligations on how they may use and disclose PHI.
6. Establish written Privacy Procedures that address training as well as security measures. Procedures must be implemented that minimize the risk of accidental disclosure of PHI. This could include identifying a location where all discussions of PHI can take place behind a closed door – minimizing the risk that such conversations can be overheard by others.
7. Appoint a Privacy Officer who is the contact person for all HIPAA-related issues.
8. Identify employees who handle PHI and train them in procedures required under HIPAA in maintaining PHI, using PHI, disclosing PHI and protecting PHI. Review employee personnel files in order to remove information and documents containing PHI. Such information and documents must be segregated from employee records and kept in a secured location with restricted access.
9. Only disclose PHI in accordance with Privacy rules and procedures established by the Plan (as identified on the NPP and Plan Document.)
10. Documentation and record-keeping – training procedures, PHI disclosures that must be documented on an “Accounting Log/Disclosure Log,” correspondence or communications about Privacy Rules, etc.

That is my outline of required procedures. Which, if any, are of interest? In reality, once you UNDERSTAND the law and what is and is not PHI, HIPAA is really VERY simple to administer. You just need to make sure the people handling PHI are well trained and select the Privacy Officer (probably YOU) carefully.

Ask away...

LFernandes

Thanks everyone.

>>>HIPAA applies ONLY to Health Plans and entities that work with health plans. Unless you are providing a service to someone's health plan, HIPAA does not apply. >>>

That's the way HIPPA was explained to me (above) so when they brought the whole question of panelist medical information to me, I had no idea. We aren't a health plan we are just using the information to screen panelists to see if they can safely use the product we are testing.

Thanks for all your help.

LFernandes

scottorr

Thank you soooooo much! No one I have spoken with so far has given me a straight answer. I had attended five trainings and everyone said something different. I am also working with two attorneies at this time and it seems as though I know more than they do. At this point I am only looking for a blessing from them that we are moving in the right direction. Thanks again for your help.

System

In the study, do you ask a name, address, phone number, age or anything that would identify the person? If you do, then it DOES fall under HIPAA. A simple statement of acknowledgment of what you are doing and what the study allows the individual is all that is needed. Have the participant sign the notification and file it in a secure place.

LFernandes

AAAHHHHH!!!x:'(

We ask name, address, date of birth - all that good stuff. So now it WOULD fall under HIPAA even if we aren't administering a health care plan???

skyrocket

[font size="1" color="#FF0000"]LAST EDITED ON 07-16-03 AT 07:27PM (CST)[/font][p]LFernandez:

Please don't let the confusion about HIPAA confuse you further. If you are not administering a health plan or are a health care provider the information you are asking IS NOT HIPAA.

I have noticed the number of questions asked here about "does this affect HIPAA?" Too many people do not understand this law and think it is something it is not. I strongly disagree with the message above that confused you for two reasons:

1. You appear to be an organization promoting a product that is not marketing through employers, employer groups or health plans. Just as an organization selling automobiles may do "consumer surveys" this is NOT HIPAA. I dont care that you may ask about allergies. You are not a health plan...

2. Employment records are not subject to HIPAA. No ifs, ands or buts, there.
This means that workers comp information, FMLA leave information are all NOT subject to HIPAA.

Sometimes, I seem to be fighting a losing battle on this HIPAA thing. Maybe other readers who are as familiar with HIPAA as I can weigh in on this so that I don't appear to be the lone proponent of this position...

SCOTTOR:
Well, a labor attorney is not likely to understand benefit law. For that you need a Benefit Attorney - trained in ERISA requirements. That is a difficult person to find. I am not surprised that you seem to know more than the attorneys you are using. If you want a straight answer, I am sure I can help. As I said, I have read the entire HIPAA law (booooooooring)... and I have written my own employer guidelines (reviewed in detail by my attorney). So I am confident that I know quite a lot about the minutia of HIPAA. If you have a question, I would be happy to help.

g

skyrocket

Here is another good website about HIPAA
[url]http://cms.hhs.gov/providers/edi/default.asp[/url]