Program Name: BadgerCare Plus and Medicaid
Handbook Area: Adult Mental Health Day Treatment
05/12/2024

Provider Enrollment and Ongoing Responsibilities: Documentation

Topic #200

Confidentiality and Proper Disposal of Records

ForwardHealth supports member rights regarding the confidentiality of health care and other related records, including an applicant or member's billing information or medical claim records. An applicant or member has a right to have this information safeguarded, and the provider is obligated to protect that right. Use or disclosure of any information concerning an applicant or member (including an applicant or member's billing information or medical claim records) for any purpose not connected with program administration is prohibited unless authorized by the applicant or member (program administration includes contacts with third-party payers that are necessary for pursuing third-party payment and the release of information as ordered by the court).

Federal HIPAA Privacy and Security regulations establish requirements regarding the confidentiality and proper disposal of health care and related records containing PHI. These requirements apply to all providers (who are considered "covered entities") and their business associates who create, retain, and dispose of such records.

For providers and their business partners who are not subject to HIPAA, Wisconsin confidentiality laws have similar requirements pertaining to proper disposal of health care and related records.

HIPAA Privacy and Security Regulations

Definition of Protected Health Information

As defined in the HIPAA privacy and security regulations, PHI is protected health information (including demographic information) that:

  • Is created, received, maintained, or transmitted in any form or media.
  • Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual.
  • Identifies the individual or provides a reasonable basis to believe that it can be used to identify the individual.

A member's name combined with their member identification number or Social Security number is an example of PHI.

Requirements Regarding "Unsecured" Protected Health Information

Title XIII of the American Recovery and Reinvestment Act of 2009 (also known as the HITECH Act) included a provision that significantly expanded the scope, penalties, and compliance challenges of HIPAA. This provision imposes new requirements on covered entities and their business associates to notify patients, the federal government, and the media of breaches of "unsecured" PHI (refer to 45 C.F.R. Parts 160 and 164 and § 13402 of the HITECH Act).

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of physical destruction approved by the U.S. HHS. According to HHS, destruction is the only acceptable method for rendering PHI unusable, unreadable, or indecipherable.

As defined by federal law, unsecured PHI includes information in any medium, not just electronic data.

Actions Required for Proper Disposal of Records

Under the HIPAA privacy and security regulations, health care and related records containing PHI must be disposed of in such a manner that they cannot be reconstructed. This includes ensuring that the PHI is secured (i.e., rendered unusable, unreadable, or indecipherable) prior to disposal of the records.

To secure PHI, providers and their business associates are required to use one of the following destruction methods approved by the HHS:

  • Paper, film, labels, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed.
  • Electronic media should be cleared, purged, or destroyed such that the PHI cannot be retrieved according to National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization, which can be found on the NIST website.

For more information regarding securing PHI, providers may refer to Health Information Privacy on the HHS website.

Wisconsin Confidentiality Laws

Wis. Stat. § 134.97 requires providers and their business partners who are not subject to HIPAA regulations to comply with Wisconsin confidentiality laws pertaining to the disposal of health care and related records containing PHI.

Wis. Stat. § 146.836 specifies that the requirements apply to "all patient health care records, including those on which written, drawn, printed, spoken, visual, electromagnetic or digital information is recorded or preserved, regardless of physical form or characteristics." Paper and electronic records are subject to Wisconsin confidentiality laws.

"Personally Identifiable Data" Protected

According to Wis. Stat. § 134.97(1)(e), the types of records protected are those containing "personally identifiable data."

As defined by the law, personally identifiable data is information about an individual's medical condition that is not considered to be public knowledge. This may include account numbers, customer numbers, and account balances.

Actions Required for Proper Disposal of Records

Health care and related records containing personally identifiable data must be disposed of in such a manner that no unauthorized person can access the personal information. For the period of time between a record's disposal and its destruction, providers and their business partners are required to take actions that they reasonably believe will ensure that no unauthorized person will have access to the personally identifiable data contained in the record.

Businesses Affected

Wis. Stat. §§ 134.97 and 134.98, governing the proper disposal of health care and related records, apply to medical businesses as well as financial institutions and tax preparation businesses. For the purposes of these requirements, a medical business is any for-profit or nonprofit organization or enterprise that possesses information other than personnel records relating to a person's physical or mental health, medical history, or medical treatment. Medical businesses include sole proprietorships, partnerships, firms, business trusts, joint ventures, syndicates, corporations, limited liability companies, or associates.

Continuing Responsibilities for All Providers After Ending Participation

Ending participation in a ForwardHealth program does not end a provider's responsibility to protect the confidentiality of health care and related records containing PHI.

Providers who no longer participate in a ForwardHealth program are responsible for ensuring that they and their business associates/partners continue to comply with all federal and state laws regarding protecting the confidentiality of members' PHI. Once record retention requirements expire, records must be disposed of in such a manner that they cannot be reconstructed according to federal and state regulations in order to avoid penalties.

All ForwardHealth providers and their business associates/partners who cease practice or go out of business should ensure that they have policies and procedures in place to protect all health care and related records from any unauthorized disclosure and use.

Penalties for Violations

Any covered entity provider or provider's business associate who violates federal HIPAA regulations regarding the confidentiality and proper disposal of health care and related records may be subject to criminal and/or civil penalties, including any or all of the following:

  • Fines up to $1.5 million per calendar year
  • Jail time
  • Federal HHS Office for Civil Rights enforcement actions

For entities not subject to HIPAA, Wis. Stat. § 134.97(4) imposes penalties for violations of confidentiality laws. Any provider or provider's business partner who violates Wisconsin confidentiality laws may be subject to fines up to $1,000 per incident or occurrence.

For more specific information on the penalties for violations related to members' health care records, providers should refer to § 13410(d) of the HITECH Act, which amends 42 USC § 1320d-5, and Wis. Stat. §§ 134.97(3), (4) and 146.84.
