Purpose for Policy

Health Insurance Shop, Inc. places a high value on the privacy of its clients (“Clients”) and the expectation that information regarding Clients remains confidential and is made available only to persons who have a legitimate right to know.  In addition, Health Insurance Shop, Inc. is contractually obligated to comply with the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Health Insurance Shop, Inc. recognizes that all employees and temporary workers (“Employees”), as well as outside contractors, have an ethical and legal obligation to keep certain information about Clients confidential and to protect and safeguard this information against tampering and unauthorized use or disclosure.

  1. Overview

This privacy policy concerns protected health information (“PHI”).  PHI, as defined by federal law, means any individually identifiable health information of a Client, including, but not limited to: social security number, name, address, birth date, age, telephone number, subscriber number, policy number, e-mail address, fax number, medical records and genetic information.  Furthermore, in compliance with the Affordable Care Act (ACA), this policy applies in the same way to protected personal identifying information (“PII”).  PHI and/or PII are not confined to written materials, facsimiles, or hard copy, but also include information derived from any source, including, but not limited to: e-mail, computer data, data stored on electronic media, disks, or personal digital assistants (PDAs), verbal communications or recordings, and visual observation.

  2. Procedures

The following section outlines the basic procedures necessary to comply with this policy.

Disclosure of Information

  • An Employee may access, discuss, use, and disclose PHI and/or PII only for Health Insurance Shop, Inc. business as it relates to that employee’s specific job functions and/or responsibilities.
  • Employees may disclose PHI and/or PII only to those who have a legitimate, Health Insurance Shop, Inc.-related business need to know or who have prior written authorization.  PHI and/or PII about a Client may only be shared for purposes of claims payment or healthcare operations.
  • PHI and/or PII must never be the subject of casual conversation either inside or outside of the workplace.  PHI and/or PII must not be discussed in lobbies, stairwells, elevators, restrooms, hallways, or any other public area where conversation could be easily overheard by visitors and Employees who do not have a need to know.
  • Only “Minimally Necessary” PHI and/or PII may be disclosed.  “Minimally Necessary” means only that amount of PHI and/or PII necessary to accomplish the intended purpose of the use or disclosure.

Access to Information

  • PHI and/or PII may only be accessed if related to specific job functions and responsibilities.
  • Casual reading of PHI and/or PII is not permitted.
  • Employees with legitimate access to PHI and/or PII will protect this information from casual or unauthorized access.

Security of PHI and PII

  • Employees may remove PHI and/or PII from the facility only as it relates to specific job functions and/or responsibilities.  It is the responsibility of each Employee to protect and safeguard all such information.
  • Copies of PHI and/or PII are to be destroyed after use.  Paper records must be shredded or otherwise destroyed so that the PHI and/or PII is rendered essentially unreadable, indecipherable, and incapable of being reconstructed before it is placed in a dumpster or other trash receptacle.  In justifiable cases, based on the size and type of the covered entity and the nature of the PHI and/or PII, records awaiting disposal may instead be held in a secure area and picked up by a disposal vendor engaged as a business associate to shred or otherwise destroy them.  PHI and/or PII may also be deposited in locked dumpsters that are accessible only to authorized persons, such as appropriate refuse workers.
  • Employees are encouraged to review PHI and/or PII in a secure area and are responsible for records that are checked out to them.  It is the responsibility of the Employee to protect and safeguard all records that are removed from the secure areas.

Breach of Confidentiality

  • Any Employee who believes he/she has observed a breach of confidentiality is encouraged to address the person directly.  If this is not an option, the Employee's direct manager or the Chief Privacy Officer should be notified.
  • Employees found to be in violation of this policy may be subject to disciplinary action, up to and including termination and/or legal action.  PHI and/or PII are protected by federal and state laws and regulations that define civil and criminal penalties for violations of confidentiality.
  • Health Insurance Shop, Inc. will periodically conduct unscheduled audits to ensure compliance with this policy.

Safeguarding PHI & PII

  • In order to maintain confidentiality, any item containing PHI and/or PII must be discarded according to the standards identified below:

ITEM: Paper
EXAMPLES: Medical records, applications, census files, or any other paper-based document containing PHI and/or PII
WHERE / HOW DISCARDED: Original hardcopies should be shredded or segregated in a secure location for destruction.  Electronic copies stored in the Health Insurance Shop, Inc. Document Management System will be password protected using encryption procedures.

ITEM: Electronic
EXAMPLES: Disks, e-mails, files, etc.
WHERE / HOW DISCARDED: Disks should be destroyed or re-formatted.  E-mails and electronic files should be purged from the system after use.  Employees needing assistance in disposing of electronic files should contact a member of our IT staff.

  • Employees must not leave any PHI and/or PII on fax machines, printers, or copiers.
  • Employees are to clean their workspace of PHI and/or PII at the end of their work day.
  • Employees must exercise caution and discretion when leaving voicemail messages containing PHI and/or PII.
  • Employees are to escort visitors through work areas.
  • Employees must exercise caution and discretion when E-mailing PHI and/or PII internally within Health Insurance Shop, Inc.
  • Employees must use 128-bit encryption software when E-mailing PHI and/or PII outside of Health Insurance Shop, Inc.
  • Employees must not store PHI and/or PII on PDAs.
  • Employees must secure all hardcopy mail containing PHI and/or PII.
  • Employee workstations will be programmed to auto-lock after 30 minutes of inactivity.
  • Employees should refrain from loading PHI and/or PII on pooled laptops.  Information stored on laptops will be routinely purged.