As part of our underwriting and case management services, we request, review and forward medical records to the underwriters at our carrier partners to negotiate the best offers on behalf of our advisors. All DMI team members who have access to health records are HIPAA certified. We take this very seriously, as should you. If you are requesting medical records for your clients, are you following the HIPAA requirements to protect your clients' Protected Health Information (PHI)? Have you and your staff taken a HIPAA training course?
As is the case with any federal regulation, HIPAA can be rather complicated and is often misunderstood. Many advisors I have spoken with believe it simply means you must have a signed HIPAA authorization before obtaining a person's medical records. It is more complicated than that, and failure to comply has serious consequences. The Office for Civil Rights is the enforcement agency that oversees all HIPAA infractions.
It is important to understand the overall purpose of the regulation and to have a process in place, or a team like DMI, to handle matters relating to clients' Protected Health Information (PHI) and compliance with HIPAA.
To give some history, before HIPAA was implemented, the government established privacy regulations relating to the protection of “Personally Identifiable Information” or PII.
PII is defined as "information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number (SSN), biometric records, etc. alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc..." [1]
Common examples of PII are [2]:
- Social Security number (SSN)
- Date of birth (DOB)
- Mother’s maiden name
- Financial records
- Email address
- Driver’s license number
- Passport number
- Health information
As part of the government's ongoing attempts to regulate the protection of people's Personally Identifiable Information (PII), HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996. The Health and Human Services website summarizes it as:
"A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being." [3]
HIPAA has two key components: Privacy and Security.
- HIPAA Privacy: requires safeguards to be in place to ensure protected health information is not compromised.
- HIPAA Security: specific to protected health information that is in electronic form.
If you haven't taken the time to put procedures in place for you and your staff, you are taking an unnecessary risk. There are simple ways to ensure compliance with HIPAA and to protect your clients' and employees' PII. Here are just a few:
- Make sure you have a file cabinet or desk drawer that locks. Do not leave medical records or any documents containing PII out on your desk.
- Have a locked shredding box (we outsource to ensure proper disposal of PHI and PII documents).
- Fax or mail medical records. Do not email them unless you have encryption software.
Privacy and the protection of your clients' Protected Health Information and Personally Identifiable Information should be at the forefront of your practice every day. To learn more about HIPAA and how best to protect your clients' PHI, visit the Health and Human Services website at http://www.hhs.gov/hipaa/for-professionals/index.html, or call me to learn what procedures and training requirements DMI has in place to ensure the privacy and security of your clients' protected health information.
[1] OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.