Member Privacy and Confidentiality
Carisk is committed to requiring that all of its staff and agents protect the confidentiality of Member information and records. We focus on ensuring that all data and information received and used by Carisk is kept and utilized with confidentiality and security.
Member-identifiable, or protected health information (PHI) includes data such as name, social security number, Member number, address, telephone number, and date of birth. Carisk considers this data to be confidential. This data is used for verifying eligibility, managing benefits, coordinating care, paying claims, reporting quality assurance, determining practitioner performance, and complying with health care regulations.
Carisk has several policies in place to protect Member-identifiable information and ensure privacy for our Members and subscribers. If you would like a complete copy of the Carisk Privacy, Security and Confidentiality Policy and Procedure, or additional information regarding this, please call Carisk at 1.855.541.5300. The following items are covered under these policies.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
Under HIPAA rules, covered entities are generally permitted to use or disclose protected health information (PHI):
- To the individual or his/her authorized personal representative (this is required when the individual makes a formal request for access, per 45 CFR 164.524, 528);
- For treatment, payment or other health care operations, without any specific legal permission, or in compliance with an optional consent (per 45 CFR 164.506);
- For other purposes, in compliance with an authorization (per 45 CFR 164.508) or other agreement (per 45 CFR 164.510);
- For research, provided an Internal Review Board (IRB) or Privacy Board has approved a waiver of authorization (per 45 CFR 164.514);
- In compliance with uses and disclosures permitted for law enforcement, for judicial or administrative proceedings, for public health activities or health system oversight, and other purposes identified in 45 CFR 164.512;
- To avert a serious, imminent threat to public health or safety (45 CFR 164.514);
- To the Secretary of DHHS for investigations of complaints or general compliance reviews (this is required when DHHS makes a formal request, per 45 CFR 160.306, 308);
- For fundraising or marketing, as limited by 45 CFR 164.514; or
- When the PHI has been adequately identified (per 45 CFR 164.514).
With some exceptions (e.g., related to information exchanged between/among providers for treatment), such uses and disclosures must adhere to a minimum necessary standard.
If you would like a complete copy of the Carisk Privacy, Security and Confidentiality Policy and Procedure, or additional information regarding this, please call Carisk at 1.855.541.5300. For more information about the Health Insurance Portability and Accountability Act (HIPAA), visit the HIPAA information website at www.hhs.gov/ocr/privacy.
ROUTINE USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
Carisk is responsible for managing behavioral health and substance use benefits. In order to carry out these responsibilities, we receive and use information about the individuals who are eligible to receive these benefits. When an eligible individual uses his or her behavioral health benefits, we usually need to obtain and use additional information about that individual to do our job.
Carisk uses information about Members and their dependents (if applicable) for treatment, payment, and health care operations, such as enabling us to verify eligibility for services; authorize treatment; pay claims; coordinate care; resolve inquiries, complaints and appeals; improve the care and service rendered by Carisk and its network of practitioners and facilities; and meet regulatory requirements and accreditation standards.
If we use information for reasons other than treatment, payment, and health care operations, we will change or remove any portions of the information that could allow someone to identify the Member or his/her dependent or we will contact the Member or his/her legal representative to ask for written authorization to use the information. Members may contact the Carisk Chief Privacy Officer at any time to find out how their PHI is being used to manage their behavioral health benefits. Members may also contact the Privacy Officer if they feel their PHI is incorrect or requires additional explanation.
Use of Authorizations
Carisk obtains special authorization to disclose protected health information (PHI). The following individuals can, in most cases, give authorization for the disclosure of PHI:
- An adult Member
- The natural or adoptive parents of a minor Member on behalf of the minor
- A legally-authorized representative of a Member
Members have the right to authorize or deny the release of PHI beyond uses for treatment, payment, or health care operations.
MEMBER ACCESS TO PROTECTED HEALTH INFORMATION (PHI)
Members have the right to inspect and obtain a copy of PHI/Member-identifiable information in a Designated Record Set that is in Carisk’s possession. In general, the Designated Record Set includes the following:
- Member demographic and insurance information.
- Claims explanation of benefits.
- Authorizations of care.
- Clinical event documentation.
- Utilization management records.
Members must make requests to inspect and obtain a copy of the Designated Record Set in writing to the Carisk Privacy Officer.
Carisk may deny a Member access to the Designated Record Set without providing the individual an opportunity for review in the following circumstances:
- Information that is gathered for use in a civil, criminal, or administrative proceeding.
- Information that was provided to Carisk by someone under a promise of confidentiality.
Carisk may deny Members access to all or part of a designated record set when a licensed health care professional has determined that harm would be caused to the Member or others if access to the information was granted. Members may request a review of the denial of access.
CARISK PROTOCOL OF ORAL, WRITTEN, AND ELECTRONIC PERSONAL HEALTH INFORMATION (PHI)
Carisk has an array of security provisions to protect PHI and confidential data and information.
Carisk’s Agents, Contractors, Employees, and Staff may not discuss PHI or confidential data and information in any area where individuals who do not have the right to know about the information may overhear it.
- Printouts with PHI are secured in locked file cabinets in locked file rooms, accessible only to the staff members who need to see them. Faxed information is sent out with a cover sheet that has a confidentiality notice, and mailed information is marked “Confidential.” When not hand-carried and personally delivered to the recipient, printouts containing PHI and confidential data and information must be placed in a sealed envelope marked “Confidential.”
- Computer files with this information are kept on computers that are password-protected. These files are only available to those staff members who need to have access to them. Data sent electronically (through e-mail) is encrypted or coded and password-protected, and the e-mail message contains a confidentiality notice.
- Any information that is no longer required for business purposes is destroyed. Printouts are shredded, computer files are permanently erased, and computer media is destroyed.
Practitioners keep medical records for Members in their offices; therefore, they are required by Carisk to have privacy, security, and confidentiality practices in effect to keep PHI secure. In a practitioner’s office, PHI can be found in medical records, appointment books, correspondence, lab results, billing records, and treatment records. This information must be stored in locked cabinets or in a locked area, and computer files should be password-protected. Information submitted electronically must be encrypted or coded, and bear a prominent confidentiality statement. Faxed information should be sent out with a cover sheet that has a confidentiality notice, and mailed information should be marked “Confidential”.
PROTECTION OF INFORMATION DISCLOSED TO PLAN SPONSORS OR EMPLOYERS
Carisk does not share protected health information with employers without specific consent of the subscriber, Member, or the Member’s legal representative. If Carisk must release Member-identifiable data or information to an employer (self-insured or fully insured), we require that the employer agree in writing to protect all data and information from being used in any decisions affecting the Member, and that the employer allows Members to access and/or amend their PHI. Summarized data without PHI will be provided to the employers, if possible.