Keystone First's Commitment to HIPAA Compliance

Keystone First is committed to protecting the privacy of members’ health information, and to complying with applicable federal and state laws that protect the privacy and security of a member’s health information. Consistent with this commitment, Keystone First has established basic requirements for the use or disclosure of members’ protected health information (PHI).

Federal Health Insurance Portability and Accountability Act (HIPAA) privacy regulations do not require health plans to obtain a member’s written consent or authorization prior to using, disclosing, or requesting PHI for purposes of treatment, payment or health care operations (TPO). Nor do federal privacy regulations require that providers of health care services obtain their patients’ consent or authorization before disclosing PHI to health plans for payment purposes, or for certain operational activities of the health plan, such as quality assurance.

In addition, PHI may be disclosed by a health plan for a number of other purposes without the member’s authorization. For instance, PHI may be disclosed when the health plan is required by law to do so.

Unless a disclosure is specifically permitted by HIPAA, a member must sign an authorization form before Keystone First may use or disclose the member’s PHI. An example of a disclosure that requires a specific authorization is the disclosure of a Keystone First member’s PHI for marketing purposes.

In situations in which an authorization is required, Keystone First will make sure that a signed authorization from the member (or the member's personal representative) has been obtained. Authorizations must:

  • Authorize disclosure of PHI
  • State the purpose for which the information is sought
  • Authorize the use of the information for the stated purpose

Keystone First policies, in compliance with federal and state privacy regulations, permit members to have access to their PHI, to receive copies of it, and to request that certain information be amended. However, this applies only to information that is stored in designated record sets. Designated record sets are records that contain PHI and that are used to make decisions about individual members. The following are examples of Keystone First designated record sets:

  • Claims
  • Adjudication records
  • Claim payment records
  • Grievances and appeals relating to claim payment, eligibility for benefits, or enrollment decisions about individual members
  • Enrollment and eligibility forms and records
  • Medical management records
  • Utilization management (medical and pharmacy) records
  • Care coordination records
  • Case management records
  • Disease management records

Keystone First has adopted a number of internal safeguards to prevent the unauthorized use, alteration, or disclosure of PHI throughout the company, whether the PHI is communicated orally, in writing, or transferred electronically. These safeguards include administrative procedures, physical protections, and technology security solutions.

Keystone First will continue to maintain adequate administrative, technical, and physical safeguards to protect the privacy of PHI from unauthorized use or disclosure, whether intentional or unintentional, and from theft and unauthorized alteration. Safeguards are also used to reduce the likelihood of unintended uses or disclosures of PHI that are incidental to a use or disclosure made in accordance with Keystone First policies and procedures.

Keystone First associates are subject to disciplinary action for violation of policies and procedures. Violations that jeopardize the privacy or security of PHI are particularly serious. This seriousness will be reflected in the nature of the disciplinary action, up to and including termination of employment.