The 1996 enactment of the Federal Health Insurance Portability and Accountability Act (HIPAA), coupled with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the 2009 American Reinvestment and Recovery Act, has transformed how health information is handled. HIPAA tightened security, established protected health information, defined the "authorized entity" requirement and created strict guidelines regarding how much of a patient's medical record can be viewed by the authorized entity.

The challenge for organizations is to stay abreast of the most current rules and regulations while developing an efficient means to access, extrapolate and disseminate protected health information. How does this relate to the insurance industry? Since there may be a medical record portion to the various claims files, establishing HIPAA best practices for an organization's claims handling process increases consistency and provides staff with clear, concise directions on HIPAA policies and procedures.

Here are the 10 most important things to know when dealing with confidential claimant health information.

Checklist to protect confidential health information

  1. Validating requests & authorizations. Create an established and consistent set of standards to evaluate and validate an authorization. These standards should ensure that the information in the request corresponds with the authorization (i.e., signatures, date of accident, etc.) Make sure to compare and validate that all signatures in the file, on the request, and on the authorization match.

  2. To release or not to release? Proprietary information and non-disclosure agreements are critical to protecting a company's own risk. Be sure to screen any documents or information being released from the claims file and have measures, such as non-disclosure statements, in place with third parties. Some documents that are typically unauthorized for release include: police reports, attorney-client privileged correspondence and internal communications.

  3. Quality control processes must be defined and documented. Develop a defined and documented workflow and protocol for the claims data review process. Protocols should carefully outline the steps for reviewing protected health information to ensure it meets the requirements of the authorization. Use trackable delivery methods to ensure accountability that claims information was received by the authorized requestor.

  4. Who owns the process? Identify the internal parties who will lead the process, develop and document workflows, protocols, and oversee these policies. Be sure that all policies are clearly communicated with adjusters and staff and updated as necessary.

  5. Hybrid records and integration. Integrate and consolidate multiple systems where current claims files are managed and stored. Leverage technology to transition hybrid record sets.

  6. Training. Conduct initial training, spot training and ongoing training to stay current on new regulations and policies. This includes understanding HIPAA and HITECH. How will this be applied within the organization and what are the organization's standards and philosophy of how data from claims files is shared? How are employees sharing and deploying that information within the organization?

  7. Managing the complexities of tracking requests. Track how claims information is shared outside of the organization. It is imperative to monitor the turnaround time for all requests. Reporting should have the capability to electronically track the life cycle of each request.

  8. Reporting. Tracking turnaround time on completing requests and supporting claims management processes is a must to ensure the staff is abiding by the organization's standards. Improving turnaround time can significantly increase efficiency in managing claims.

  9. Establish security standards. The organization must have physical, procedural, and electronic safeguards in place to ensure the security behind the claims management and data request processes.

    • Physical safeguards — What are the physical measures the organization has in place to manage, monitor and protect claims data and information?

    • Procedural safeguards — What are the procedural checklists, documentation, standards of procedures, protocols, and workflow documentation in place to safeguard the processes and claims information? Be sure to implement a protocol for security incident reports. It is important to know how to escalate and address claims information that was improperly shared and how to manage that escalation process.

    • Electronic safeguards — The IT "must haves and must knows" as they relate to claims files and sharing information with third parties.

  10. Prioritizing requests. Does the staff know how to prioritize requests? Requests for copies of claims files are inherent in the claims management process. How are you ensuring they are compliant and timely? It is imperative to pay careful attention to subpoena deadlines, internal requests (i.e., arbitration, litigation, and subrogation) and external requests (i.e., attorney, adverse carriers, third parties).

Approximately 30 percent of data breaches are due to personnel errors. By establishing specific guidelines and procedures, training employees and developing security standards, companies can reduce the risk of incorrectly releasing confidential information and creating a liability situation.

Fig Gungor has been the chief executive officer of ClaimFox for the past 11 years. She is responsible for the strategic direction of the company, leads new business development, and oversees several national and regional accounts.

NOT FOR REPRINT

© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.