ODS Privacy Rule Implementation

Many of the business practices at ODS will remain the same as a result of the Privacy Rule. We have been in the process of reviewing, revising and developing the policies and procedures to support the rule. The following is a synopsis of the changes:

Business Associate Agreements

We have done a complete review of the companies that do business on our behalf where the function performed requires Protected Health Information. As we engage other companies, a business associate agreement will be put in place at the time of initial contracting or at a time such that the arrangement involves the sharing of PHI.

Authorizations

We have developed a set of authorizations to support the requirements of the rule. These include:
· Authorization for ODS to Release Information
· Authorization for a Healthcare Provider/Entity to Release Information to ODS
· Authorization for the Release of Psychotherapy Notes
· Conditional Authorization—(primarily used in Individual Market)

Caller Authentication

We have always performed caller authentication (asking for specific information in order to feel certain that the caller is who they say they are). It is now more structured as a result of the Inquiry Tracking System (ITS). We have also implemented authentication for healthcare provider offices.

Supporting Additional Privacy Rights

· Request for an Accounting of Disclosures
· Request for the Amendment of Records
· Request for Restriction on the Use/Disclosure of Information
· Request for Confidential Communications
· Complaints of Privacy Violations

Where we have Business Associates who may receive requests from members regarding these additional rights, we have reviewed the policies and procedures for ensuring the additional privacy rights are supported.

Supporting Minimum Necessary Disclosure

We have an ongoing program to restrict application system access based on job function and ‘need to know’.

Privacy Training

Privacy training has been completed to each member of the ODS workforce. Departments such as Customer Service and Healthcare Services have more in-depth training in areas such as Caller Authentication, Information Sharing Practices and Authorizations. Privacy training will be an ongoing program for ODS.

Designation of a Privacy Office and Privacy Officer

We have established a Privacy Office as required by the rule. The designated Privacy Officer is Pat Van Dyke.

Safeguards to Protect the Privacy of Information

As ODS continues to upgrade systems, we choose technology that provides better security for member information. We have referred to the requisites of the Proposed Security Rule as we have enhanced systems. We are in the process of reviewing the Final Rule on Security and the requirements of that rule. We also provide administrative safeguards and have included Security training along with Privacy training. Security Training will be an ongoing program within ODS.

Notice of Privacy Practices

The Notice is effective on April 14, 2003. We will provide the Notice of Privacy Practices with member enrollment packets to ensure that all members have access to this document. The notice will also be available on our website.

Sanctions

The rule requires sanctions for members of the workforce who fail to comply with privacy policies. The sanctions vary from review and retraining to termination.