Keystone First – CHIP's Commitment to HIPAA Compliance

Keystone First – CHIP is committed to protecting the privacy of Enrollees’ health information, and to complying with applicable federal and state laws that protect the privacy and security of an Enrollee’s health information. Consistent with this commitment, Keystone First – CHIP has established basic requirements for the use or disclosure of Enrollees’ protected health information (PHI).

Federal Health Insurance Portability and Accountability Act (HIPAA) privacy regulations do not require health plans to obtain an Enrollee’s written consent or authorization prior to using, disclosing, or requesting PHI for purposes of treatment, payment or health care operations (TPO). Nor do federal privacy regulations require that providers of health care services obtain their patients’ consent or authorization before disclosing PHI to health plans for payment purposes, or for certain operational activities of the health plan, such as quality assurance.

In addition, PHI may be disclosed by a health plan for a number of other purposes without the member’s authorization. For instance, PHI may be disclosed when the health plan is required by law to do so.

Unless a disclosure is specifically permitted by HIPAA, a member must sign an authorization form before Keystone First – CHIP may use or disclose the Enrollee’s PHI. An example of a disclosure that requires a specific authorization is the disclosure of a Keystone First – CHIP Enrollee’s PHI for marketing purposes.

In these situations in which an authorization is required, Keystone First – CHIP will make sure that a signed Enrollee (or personal representative) authorization has been obtained. Authorizations must:

  • Authorize disclosure of PHI
  • State the purpose for which the information is sought
  • Authorize the use of the information for the stated purpose

Keystone First – CHIP policies, in compliance with federal and state privacy regulations, permit members to have access to their PHI, to receive copies of it, and to request that certain such information be amended. However, this applies only to information that is stored in designated record sets. Designated record sets are records that contain PHI and that are used to make decisions about individual members. The following are examples of Keystone First – CHIP designated record sets:

  • Claims
  • Adjudication records
  • Claim payment records
  • Grievances and appeals relating to claim payment, eligibility for benefits, or enrollment decisions about individual Enrollees
  • Enrollment and eligibility forms and records
  • Medical management records
  • Utilization management (medical and pharmacy) records
  • Care coordination records
  • Case management records
  • Disease management records

Keystone First – CHIP has adopted a number of internal safeguards to prevent the unauthorized use, alteration, or disclosure of PHI orally, in writing, or transferred electronically throughout the company. These safeguards include administrative procedures, physical protections, and technology security solutions.

Keystone First – CHIP will continue to maintain adequate administrative, technical, and physical safeguards to protect the privacy of PHI from unauthorized use or disclosure, whether intentional or unintentional, and from theft and unauthorized alteration. Safeguards are also utilized to effectively reduce the likelihood of use or disclosure of PHI that is unintended and incidental to a use or disclosure in accordance with Keystone First – CHIP policies and procedures.

Keystone First – CHIP associates are subject to disciplinary action for violation of policies and procedures. Violations that jeopardize the privacy or security of PHI are particularly serious. This seriousness will be reflected in the nature of the disciplinary action, up to and including termination of employment.