Policy 864: HIPAA Privacy Rule Compliance

PRIVACY RULE COMPLIANCE

The federal Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires the district to adopt a policy protecting the privacy rights of its employees.

DEFINITIONS

For the purposes of this policy, the following definitions apply:

1. “Privacy Officer” shall mean the superintendent or the superintendent’s designee.

2. “HHS Privacy Regulations” or “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Informationas defined at 45 C.F.R. Parts 160 and 164, Subparts A and E.

3. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” as defined in 45 U.S.C. Section 164.501, but is limited to any such information created or received by Business Associate from or on behalf of Covered Entity.

4. “Business Associate” shall mean a person or organization not a part of the district’s work force that performs certain functions or activities, such as, but not limited to, claims processing, data analysis, and billing, on behalf of the district that involves the use or disclosure of individually identifiable health information.

5. “Covered Entity” shall mean a district that acts as a “health plan,” including an employer-sponsored group health plan. Exceptions to this definition are those health plans with less than fifty (50) participants that are administered solely by the employer.

PRIVACY NOTICE

A notice of privacy practices regarding Protected Health Information (PHI) and the use or disclosure that may be made of PHI shall be provided annually to employees who are covered by the district’s health plan.

ACCESS TO PROTECTED HEALTH INFORMATION

Employees, or their personal representatives, have the right to inspect or copy their PHI. This right to access includes access to the information held by a Business Associate of the district. Requests to access PHI shall be in writing and the Privacy Officer shall respond within thirty (30) days of the request. If the PHI is not readily available on site, the Privacy Officer shall have an additional sixty (60) days to respond. If the Privacy Officer is not able to respond within these time limits, a written notification will be provided to the individual making the request. Responses shall be consistent with the requirements of the Privacy Rule.

RIGHT TO REQUEST AMENDMENT OF PHI

An individual has the right to request the amendment of his or her PHI. All such requests are required to be in writing and must provide a reason for the requested amendment. The Privacy Officer shall act and respond within sixty (60) days of receipt of the request. If the request is denied, the following information will be provided:

1. The basis for denial.

2. How the person may submit a written statement disagreeing with the denial.

3. A statement that, if the individual does not submit a statement of disagreement, the individual may request that the district include the request for amendment and the denial in any future disclosures of the PHI at issue.

4. A description of how the individual may complain to the district, including contact information.

All requests and related documentation shall be maintained for six (6) years.

RIGHT TO ACCOUNTING

An individual has the right to an accounting of disclosures of PHI made by the district, except disclosures made for payment, treatment, health care operations, disclosures to the subject individual, incidental disclosures, or disclosures made pursuant to a valid authorization. Such request must be in writing.

Accounting of disclosures shall include:

1. The date of disclosure, name of the entity or person who received the PHI and a brief statement of the purpose, or a copy of the individual’s authorization or written request for disclosure.

2. For multiple disclosures of PHI to the same person or entity, the following may be provided in the accounting: the time of the first disclosure, a full accounting with all elements described above, the frequency period, periodicity or number of disclosures made during the accounting period, and the date of the last disclosure in the accounting period.

3. The first accounting within a 12-month period will be at no cost to the individual. A reasonable cost-based fee will be charged for all subsequent accountings of disclosures during the 12-month period.

RIGHT TO RESTRICT USE OR DISCLOSURE

An individual has the right to request in writing that the district restrict the use or disclosure of PHI for purposes of treatment, payment, or health care operations. The district shall honor any restriction, except in the case of an emergency. Any agreement to restrict disclosure shall be retained for a period of six (6) years from the date of its creation. Any termination of such restriction shall be documented.

Individuals have the right to restrict the manner and method of communication regarding PHI. Reasonable requests as determined by the Privacy Officer will be accommodated. Such requests or agreements for confidential communication shall be reduced to writing.

DISCLOSURES WITHOUT CONSENT/AUTHORIZATION

In compliance with the Privacy Rule, the district shall disclose PHI upon request to the individual who is the subject of the PHI and to the Secretary of the U.S. Department of Health and Human Services.

At the discretion of the Privacy Officer, the district may disclose PHI for treatment, payment, and health care operations without a signed authorization from the subject individual and as otherwise may be permitted under the Privacy Rule.

Disclosures for worker’s compensation purposes are excluded from coverage by HIPAA and are covered by state law.

DISCLOSURE OF PHI WITH AUTHORIZATION

A signed authorization is required for disclosure of PHI unless an exception applies. The authorization must comply with the requirements of the Privacy Rule and the disclosure shall be consistent with the terms of the authorization. The signed authorization form must be retained for six (6) years and the individual who signed the authorization must be given a copy.

AUTHORIZATION CONTENT

The authorization form shall contain, at a minimum, the following:

1. The specific and meaningful description of the information.

2. The name or other specific identification of the person(s) or class of persons (such as a personal representative) authorized to make the requested use or disclosure.

3. The name or specific identification of the person(s) or class of persons to whom the district may make the requested use or disclosure.

4. An expiration date or event that relates to the individual or the use or disclosure purpose, but in no case shall the expiration date be more than one (1) year after the date of the signature.

5. A statement of the individual’s right to revoke the authorization in writing and the procedure to do so.

6. A statement that any PHI used or disclosed based on the authorization may be subject to redisclosure by the recipient and may no longer be protected by the Privacy Rule.

7. A statement of the inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.

8. The individual’s dated signature.

9. If an individual’s personal representative signs the authorization, a description of that representative’s authority to act on the individual’s behalf.

HEALTH INFORMATION FOR EMPLOYMENT PURPOSES

Health information regarding employees provided to the district as the employer for a specific employment purpose is not PHI and will be kept in the employee’s personnel record. PHI will not be made part of an employee’s personnel record without the signed authorization of the employee or personal representative, as required by the Privacy Rule.

PRIVACY OFFICER

The superintendent or designee is appointed as the Privacy Officer/Contact Person for the district. All complaints should be forwarded to (address) and addressed to the attention of the Privacy Officer.

LEGAL REFERENCE:

PL 104-191

42 USC § 1320d-2(d)

45 CFR §§ 160-164

ADOPTED: November 17, 2004

AMENDED:

(Form)

(Business Associate Agreement)

Skip to content