What is Protected Health Information (PHI)?
PHI is information that is:
PHI is not limited to a member's clinical information. It includes any information that can identify the patient/member.
This applies to all members/patients, even deceased. A deceased member's PHI is protected for 50 years after death.
As a Customer Service Representative, what do I need to check on every call to be HIPAA compliant?
There must be 3 identifiers obtained on every phone call, and if you are not speaking to the member, you must obtain the caller's name and relationship to the member.
On all calls coming in we need to verify three HIPAA identifiers and confirm whom we are speaking with.
1. Member ID number (subscriber, and/or group number)
2. Member Name
3. Member Date of birth (DOB)
Can we speak with the parents of a 14-year-old if the sensitive services on the claim were provided before the member reached that age?
YES, if the services were provided prior to the child turning 14. Best practice is to only share what is necessary to service the member/caller. In these cases, less is best on sensitive encounters, even when the service was prior to turning 14.
What is Vishing?
The fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information such as bank details, credit card numbers, and social security numbers.
What if I do not have verbal or written permission?
If there is no written permission or we are not able to secure verbal permission, we will request that the member call back or offer to follow up on the caller's concerns.
True or False. An agent does not need to ask for HIPAA identifiers for a callback.
False - The agent still needs to ask for HIPAA identifiers even though it is a callback.
What does HIPAA stand for?
Health Insurance Portability and Accountability Act
Can a minor (14-17 years old) give verbal or written permission?
NEVER ask the minor to give verbal or written consent for us to release the above information if it is one of the protected health encounters.
If the member or patient is a minor 14 to 17 years of age, and the services are not one of the protected items above, then you can disclose information to the parent or guardian identified as a contact in PEGA.
What is Phishing?
The fraudulent practice of sending emails or other messages purporting to be from a credible company to obtain passwords, credit/bank numbers, and other sensitive information.
When someone other than the member calls to set up an autopay, can we set that up or do we need the member's approval?
Set up the autopay with whoever calls to complete this task. You do not need the member on the phone to do this. As with question #1, many times someone other than the member pays for the member's coverage.
What, in addition to the three identifiers, are we required to obtain to confirm the member account is current?
We are required to follow this up with having the member confirm:
When leaving a message, either with a family member or on a voicemail, would the case number be a HIPAA infraction?
Yes, this would be a HIPAA violation. Per HIPAA, an identifier can be any unique number, code, or characteristic that can be linked to an individual. The case number would be a unique number that can be linked to the member.
What does the HIPAA policy say about the minor dependent 14 to 17 years old?
If the patient is a minor 14 years to 17 years of age, you CANNOT disclose any information other than general member benefit information.
Benefits related to protected information may not be eligible to share for the following related coverage encounters:
Substance Abuse (alcohol and drug encounters)
How may a caller identify a vishing scam?
Typically, you receive a phone call or a voice message asking for PHI or other confidential information.
• Most often, vishers use phrases like “this is urgent”, “please verify”, or “I need you to provide information immediately”.
• Vishers tug at your heart strings in order to talk you into giving them information.
Does PHI apply to callers that are making payments?
We can collect payment from anyone. During the payment collection process, we are collecting information (three HIPAA identifiers) from the caller. We are not disclosing PHI.
True or False. HIPAA violations could result in fines up to $250,000 or imprisonment up to 10 years.
True
Do the agents need to confirm HIPAA (three identifiers and whom they are speaking with) for a caller who wants to make a payment and has no questions?
Yes, in this case collecting 3 identifiers is to be sure that you are attaching payment to the correct member. In this case this is about quality and safety rather than privacy.
What information can I give the adult member calling?
If you are talking to the adult member, it is okay to release any information for that specific member or the dependent under the age of 18 if it is the subscriber and/or parent on the contract.
If the dependent is 14-17 years of age, you can discuss everything but protected health information such as reproductive, substance abuse, or behavioral health encounters.
If a staff member pressures me to perform a task that violates the privacy of a patient or member, what should I do?
Respectfully decline and report it to your supervisor, director, or VP.
Can members give authorization for an agent to leave a detailed message on their voicemail? Do we need to confirm the member is the only one with access to the voicemail? Or is it best practice to inform the member we would leave a message for a call back?
Best practice is to inform the member that you would leave a message for a call back and not leave a detailed specific message.
When someone other than the member calls to make a payment on the account and they are using the member's credit card, should we take the payment or advise that the member (credit card holder) would need to call back, self-serve, or give permission for us to process the payment?
Take the payment from the person who calls to make the payment. Many times, a family member is making a payment for the actual member.
What year was HIPAA implemented?
1996
What if I have consent to talk to the subscriber about one of his adult dependents? Do we still need to identify the member to ensure HIPAA compliance?
If we have consent, we still need to go through the HIPAA compliance questions to verify we are speaking to the authorized person on behalf of the member. Make sure to ask the member's permission to supply information to the caller.
True or False - Vishing is a phone fraud tactic?
True
If we do a call out to the number on file and cannot reach the member, can the caller provide an alternate number to call for verbal permission from the member, and if so, can we update the phone number in the system based on this?
If the member confirms that the alternate number can be added to their profile, and states which number is the preferred contact number.