The 1996 enactment of the Federal Health Insurance Portabilityand Accountability Act (HIPAA), coupled with the passage of theHealth Information Technology for Economic and Clinical Health Act(HITECH) as part of the 2009 American Reinvestment and RecoveryAct, has transformed how health information is handled. HIPAAtightened security, established protected health information,defined the "authorized entity" requirement and created strictguidelines regarding how much of a patient's medical record can beviewed by the authorized entity.

The challenge for organizations is to stay abreast of the mostcurrent rules and regulations while developing an efficient meansto access, extrapolate and disseminate protected healthinformation. How does this relate to the insurance industry? Sincethere may be a medical record portion to the various claims files,establishing HIPAA best practices for an organization's claimshandling process increases consistency and provides staff withclear, concise directions on HIPAA policies and procedures.

Here are the 10 most important things to know when dealing withconfidential claimant health information.

Checklist to protect confidential healthinformation

1. Validating requests & authorizations.Create an established and consistent set of standards to evaluateand validate an authorization. These standards should ensure thatthe information in the request corresponds with the authorization(i.e., signatures, date of accident, etc.) Make sure to compare andvalidate that all signatures in the file, on the request, and onthe authorization match.

2. To release or not to release? Proprietaryinformation and non-disclosure agreements are critical toprotecting a company's own risk. Be sure to screen any documents orinformation being released from the claims file and have measures,such as non-disclosure statements, in place with third parties.Some documents that are typically unauthorized for release include:police reports, attorney-client privileged correspondence andinternal communications.

3. Quality control processes must be defined anddocumented. Develop a defined and documented workflow andprotocol for the claims data review process. Protocols shouldcarefully outline the steps for reviewing protected healthinformation to ensure it meets the requirements of theauthorization. Use trackable delivery methods to ensureaccountability that claims information was received by theauthorized requestor.

4. Who owns the process? Identify the internalparties who will lead the process, develop and document workflows,protocols, and oversee these policies. Be sure that all policiesare clearly communicated with adjusters and staff and updated asnecessary.

5. Hybrid records and integration. Integrate andconsolidate multiple systems where current claims files are managedand stored. Leverage technology to transition hybrid recordsets.

6. Training. Conduct initial training, spottraining and ongoing training to stay current on new regulationsand policies. This includes understanding HIPAA and HITECH. Howwill this be applied within the organization and what are theorganization's standards and philosophy of how data from claimsfiles is shared? How are employees sharing and deploying thatinformation within the organization?

7. Managing the complexities of tracking requests.Track how claims information is shared outside of the organization.It is imperative to monitor the turnaround time for all requests.Reporting should have the capability to electronically track thelife cycle of each request.

8. Reporting. Tracking turnaround time oncompleting requests and supporting claims management processes is amust to ensure the staff is abiding by the organization'sstandards. Improving turnaround time can significantly increaseefficiency in managing claims.

9. Establish security standards. The organizationmust have physical, procedural, and electronic safeguards in placeto ensure the security behind the claims management and datarequest processes.

   |

   • Physical safeguards — What are the physical measures theorganization has in place to manage, monitor and protect claimsdata and information?

   • Procedural safeguards — What are the procedural checklists,documentation, standards of procedures, protocols, and workflowdocumentation in place to safeguard the processes and claimsinformation? Be sure to implement a protocol for security incidentreports. It is important to know how to escalate and address claimsinformation that was improperly shared and how to manage thatescalation process.

   • Electronic safeguards — The IT "must haves and must knows" asthey relate to claims files and sharing information with thirdparties.

10. Prioritizing requests. Does the staff know howto prioritize requests? Requests for copies of claims files areinherent in the claims management process. How are you ensuringthey are compliant and timely? It is imperative to pay carefulattention to subpoena deadlines, internal requests (i.e.,arbitration, litigation, and subrogation) and external requests(i.e., attorney, adverse carriers, third parties).

Approximately 30 percent of data breaches are due to personnelerrors. By establishing specific guidelines and procedures,training employees and developing security standards, companies canreduce the risk of incorrectly releasing confidential informationand creating a liability situation.

Fig Gungor has been the chief executive officer of ClaimFoxfor the past 11 years. She is responsible for the strategicdirection of the company, leads new business development, andoversees several national and regional accounts.