American Administration Services Company
HIPAA Policy Statement Specimen
Example for American Administration Services Co. (AASC)
SUBJECT: Sample HIPAA Standard Procedures HIPAA Privacy Regulations
This standard practice outlines how AASC, business associate of <Your Company Name goes Here>, has adopted appropriate safeguards regarding the use and disclosure of protected health information as defined by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA).
Protected Health Information: Encompasses substantially all “individually identifiable health information” which is transmitted or maintained by a health plan, regardless of its form. Identifiable health information is defined broadly to include any health information that relates to an individual’s physical or mental health or condition, including information related to the provision of health care.
1.01 Employees of AASC, business associate of <Your Company Name goes Here>, understand and agree to adhere to all policies governing the security and confidentiality of protected health information.
1.02 Reimbursement Claim Forms
Hard copies of all reimbursement claim forms are stored in a secure area while in the AASC office. Copies are shredded after being digitally imaged into the AASC system.
1.03 Phone Conversations with Participant
To ensure that potential Protected Health Information is not divulged to an improper party, AASC will confirm the participant’s social security number and mailing address to recognize a participant or participant representative.
1.04 Changes in mailing address will not be accepted via phone conversation. Participant must request a mailing address change in writing via faxed or mailed form or an email to AASC.
1.05 Phone Conversations with Service Providers
Telephone calls to service providers will be limited to requests for information at the request of the participant and/or a signed release form.
1.06 Phone Conversations with <Your Company Name goes Here>
Telephone calls to <Your Company Name goes Here> will be limited to requests for that information which is considered enrollment information and is used for plan administration purposes only and not protected health information.
1.07 E-mail Correspondence
Notification emails sent to participants throughout the claim process do not include identifiable health information. Any additional email correspondence from AASC to a participant shall not include identifiable health information. AASC will not, however, be responsible for any transfer of confidential information via email originating from the participant.
1.08 Participant Activity Statements
AASC will not disclose participant activity statements to <Your Company Name goes Here>. Such statements contain protected health information and will be limited to participant requests only.
1.09 Rejection Letters/Mailed AASC Correspondence
All correspondence originating from AASC is mailed to the participant’s home address. Prior to mailing, each correspondence is audited to ensure correct identification of enclosures.
1.10 Rejection Responses/Participant Correspondence
Hard copies of any employee correspondence are held in a secure area while in the AASC office. All documents are shredded after being digitally imaged into the AASC system.
1.11 Reimbursement Checks and Direct Deposit Vouchers
All checks and vouchers contain protected health information in the form of participant or dependent name, identifiable services, and service dates. In order to protect this information, AASC maintains the following in-house check procedures:
Checks and vouchers mailed directly to participant home are sealed prior to mailing.
Checks and vouchers sent to <Your Company Name goes Here> instead of participant home addresses are sealed prior to mailing.
Voided checks and returned vouchers are manually shredded in the AASC office.
2.01 Internet Security
Participant account information accessed through the encrypted AASC interactive website (www.HRAplan.com) does not provide any information considered to be protected health information.
PIN numbers default to the last 4 digits of the employee’s social security number, but participants are encouraged to change the PIN upon first login.
PIN number reports will no longer be released to <Your Company Name goes Here>.
3.01 Electronic Data Transfer Compliance
Standard format for Electronic Data Interchange between <Your Company Name goes Here> and AASC is not required.
All data transferred between <Your Company Name goes Here> and AASC is considered an employment record and is not subject to standardized formatting. However, AASC does encourage all clients to submit electronic data in a secure manner. All correspondence originating from AASC is protected with a randomly assigned password.