Policy 421: HIPAA Privacy Rule

Aberdeen School District No. 58 adopts this policy regarding the protection of employee privacy rights in compliance with federal requirements under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

DEFINITIONS

“Privacy Officer” means the superintendent or the superintendent’s designee.

“HHS Privacy Regulations” or “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information as defined at 45 C.F.R. Parts 160 and 164, Subparts A and E.

“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” as defined in 45 U.S.C. Section 164.501, but is limited to any such information created or received by Business Associate from or on behalf of Covered Entity.

“Business Associate” means a person or organization not a part of the district’s work force that performs certain functions or activities, such as, but not limited to, claims processing, data analysis, and billing, on behalf of the district that involves the use or disclosure of individually identifiable health information.

“Covered Entity” means a district that acts as a “health plan,” including an employer-sponsored group health plan. Exceptions to this definition are those health plans with less than fifty (50) participants that are administered solely by the employer.

PRIVACY NOTICE

A notice of privacy practices regarding protected health information (PHI) and the use or disclosure that may be made of PHI will be provided annually to employees who are covered by the district’s health plan.

ACCESS TO PHI

Employees, or their personal representatives, have the right to inspect or copy their PHI. This right to access includes access to the information held by a Business Associate of the district. Requests to access PHI will be in writing and the Privacy Officer will respond within thirty (30) days of the request. If the PHI is not readily available on site, the Privacy Officer will have an additional sixty (60) days to respond. If the Privacy Officer is not able to respond within these time limits, a written notification will be provided to the individual making the request. Responses will be consistent with the requirements of the Privacy Rule.

RIGHT TO REQUEST AMENDMENT OF PHI

An individual has the right to request the amendment of his or her PHI. All such requests are required to be in writing and must provide a reason for the requested amendment. The Privacy Officer will act and respond within sixty (60) days of receipt of the request. If the request is denied, the following information will be provided:

1. The basis for denial.

2. How the person may submit a written statement disagreeing with the denial.

3. A statement that, if the individual does not submit a statement of disagreement, the individual may request that the district include the request for amendment and the denial in any future disclosures of the PHI at issue.

4. A description of how the individual may complain to the district, including contact information.

All requests and related documentation will be maintained for six (6) years.

RIGHT TO ACCOUNTING

An individual has the right to an accounting of disclosures of PHI made by the district, except disclosures made for payment, treatment, health care operations, disclosures to the subject individual, incidental disclosures, or disclosures made pursuant to a valid authorization. Such request must be in writing.

Accounting of disclosures will include:

1. The date of disclosure, name of the entity or person who received the PHI and a brief statement of the purpose, or a copy of the individual’s authorization or written request for disclosure.

2. For multiple disclosures of PHI to the same person or entity, the following may be provided in the accounting: the time of the first disclosure, a full accounting with all elements described above, the frequency period, periodicity or number of disclosures made during the accounting period, and the date of the last disclosure in the accounting period.

3. The first accounting within a 12-month period will be at no cost to the individual. A reasonable cost-based fee will be charged for all subsequent accountings of disclosures during the 12-month period.

RIGHT TO RESTRICT USE OR DISCLOSURE

An individual has the right to request in writing that the district restrict the use or disclosure of PHI for purposes of treatment, payment, or health care operations. The district will honor any restriction, except in the case of an emergency. Any agreement to restrict disclosure will be retained for a period of six (6) years from the date of its creation. Any termination of such restriction will be documented.

Individuals have the right to restrict the manner and method of communication regarding PHI. Reasonable requests as determined by the Privacy Officer will be accommodated. Such requests or agreements for confidential communication will be reduced to writing.

DISCLOSURES WITHOUT CONSENT/AUTHORIZATION

In compliance with the Privacy Rule, the district will disclose PHI upon request to the individual who is the subject of the PHI and to the Secretary of the U.S. Department of Health and Human Services.

At the discretion of the Privacy Officer, the district may disclose PHI for treatment, payment, and health care operations without a signed authorization from the subject individual and as otherwise may be permitted under the Privacy Rule.

Disclosures for worker’s compensation purposes are excluded from coverage by HIPAA and are covered by state law.

DISCLOSURE OF PHI WITH AUTHORIZATION

A signed authorization is required for disclosure of PHI unless an exception applies. The authorization must comply with the requirements of the Privacy Rule and the disclosure will be consistent with the terms of the authorization. The signed authorization form must be retained for six (6) years and the individual who signed the authorization must be given a copy.

AUTHORIZATION CONTENT

The authorization form will contain, at a minimum, the following:

1. The specific and meaningful description of the information.

2. The name or other specific identification of the person(s) or class of persons (such as a personal representative) authorized to make the requested use or disclosure.

3. The name or specific identification of the person(s) or class of persons to whom the district may make the requested use or disclosure.

4. An expiration date or event that relates to the individual or the use or disclosure purpose, but in no case will the expiration date be more than one (1) year after the date of the signature.

5. A statement of the individual’s right to revoke the authorization in writing and the procedure to do so.

6. A statement that any PHI used or disclosed based on the authorization may be subject to redisclosure by the recipient and may no longer be protected by the Privacy Rule.

7. A statement of the inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.

8. The individual’s dated signature.

9. If an individual’s personal representative signs the authorization, a description of that representative’s authority to act on the individual’s behalf.

HEALTH INFORMATION FOR EMPLOYMENT PURPOSES

Health information regarding employees provided to the district as the employer for a specific employment purpose is not PHI and will be kept in the employee’s personnel record. PHI will not be made part of an employee’s personnel record without the signed authorization of the employee or personal representative, as required by the Privacy Rule.

PRIVACY OFFICER

The superintendent or designee is appointed as the Privacy Officer for the district. All complaints should be addressed to:

Superintendent of Schools

Aberdeen School District No. 58

PO Box 610

Aberdeen, ID 83210

Phone: (208) 397-4113

Fax: (208) 397-4114

LEGAL REFERENCES:

PL 104-191

42 USC Section 1320d-2(d)

45 CFR Sections 160-164

ADOPTED: September 17, 2014

AMENDED:
