PRIVACY & SECURITY 

Included in the Health Insurance Portability and Accountability Act (HIPAA) were rules regarding privacy and security.  These rules were created to address concerns regarding the disclosure of members' health information.  It established "ground rules" for covered entities and their business associates, such as Med-Pay, to be followed to help mitigate inadvertent disclosures.

We respect our customers' right to have our commitment to the protection of their Private Health Information (PHI) expressed.  As a health claims administrator, our core business functions rely on eceipt and collection of applicable information in order to appropriately serve you and process benefit determinations and payments.  This policy statement has been prepared to address the safeguards we have put in place to protect the PHI received at Med-Pay.

Information We Collect to Perform Core Business Functions
1.  We receive basic demographic information on you and covered family members from you or your Plan Sponsor, as appropriate.  Among the information collected:  name, social security number, address, date of birth, and coverage information.
2.  We receive information on health care treatment you and covered family members have received when you submit claims or when claims are submitted on your behalf.

What Types of Business Functions Require This Information?
We need the information we collect about you to process claims under your employer's group health plan.  In this capacity, information may, for example, also be used for rating and underwriting risk or for performing related managed care functions.

How That Information Is Shared
Outside of the performance of our core business functions, we will only share PHI:
1.  When required by law.
2.  When in connection with a fraud investigation.
3.  When compelled by a court order.
4.  To another affiliated entity such as a stoploss carrier, case management company, disease management company or auditing firm.  In this event, personally identifying information is protected to the fullest extent possible and confidentiality agreements are obtained from these organizations so that they are bound to follow the same protections and limitations attached to the data as we provide.

We specifically will not share personally identifiable information in the following circumstances:
1.  For marketing purposes.
2.  To your employer, outside of limited representatives designated as having the authority to receive that information and never in connection with employment related decisions.  Release of informaton to an employer is limited  to only minimally necessary PHI and again, the representative would be statutorily bound to follow the same protections and limitations that are attached by the HIPAA rules.
3.  To other unaffiliated entities, without your specific written consent.

Your Right to Access Your PHI
You have the right to access, inspect and copy your own health information and the right to supplement that information.  You have the right to request us to restrict the use and disclosure of your PHI.

Other Safeguards
Our comitment to you also includes:
1.  We will provide appropriate privacy safeguards for the use and disclosure of the PHI shared with us.
2.  We will maintain technical, physical and administrative privacy and security safeguards for the storage, use and disclosure of PHI.
3.  We will always limit use and disclsoure to the minimum necessary to meet core business needs.
4.  We restrict the use and disclosure of PHI to those Med-Pay employees that need the information in the performance of their duties.
5.  We train these employees in the appropriate use and disclosure of PHI, instill accountability for decisions regarding use and disclosure of PHI, and implement appropriate sanctions for violations.
6.  We require confidentiality agreements with any business associate who receives PHI from us to ensure that information is used solely for the intended contractual purpose and to obtain their stated agreement to protect information in accordance with the HIPAA statute.

Policy Changes
We may change this policy from time to time to comply with our understanding of state and federal laws and to provide the best service possible to our clients and their associates.  Any change in our policy will be made available.

If you have any questions about this information, you may call or write us.

MED-PAY, INC.
Suite 300, 1650 E. Battlefield Road, Springfield, Missouri 65804
417.886.6886  or  800.777.9087

* The Security Standards require implementation of safeguards to protect electronic PHI from unauthorized access, alteration, deletion, and transmission.

* The Privacy Standards require implementation of standards on how PHI should be controlled by way of uses and disclosures.

* Thus, the Security Standards are a subset of the Privacy Standards created to protect electronic PHI.

As an Example…

If you are addressing an issue on whether or not Entity A can share an Excel file with Entity B, which contains PHI, the Privacy Rule applies in that the sharing of the PHI would fall under uses and disclosures. However, being that the Excel file is in electronic format, the Security rule also applies so as to address the security and integrity of the file’s electronic transmission between Entity A and Entity B through email, FTP, or any electronic means.

If, on the other hand, the Excel file was processed into a printed document, the Privacy Rule would still apply regarding uses and disclosures, but the Security Rule would not apply.

Back