4105 Summary of HIPAA Medical Privacy
The Health Insurance Portability and Accountability Act (HIPAA) contains laws that protect the privacy of health information. The Union Public School District (“the district”) offers participation in its self-insured health plan (“group health plan”) to its employees, retirees, Board of Education members, COBRA participants, and qualifying dependents.
This Board policy is a summary of the district’s HIPAA Policies and Procedures manual maintained in the Human Resources Department. The complete HIPAA Policy and Procedures manual can be accessed at www.unionps.org by selecting “Careers” from the homepage menu, and then “Policies and Contracts.” A copy of the complete HIPAA Policy and Procedures manual can be obtained by contacting the district’s Human Resources Department. Hereafter in this summary policy, all references to the “policy” will refer to BOTH this summary policy and the HIPAA Policy and Procedures manual. If any portion of this summary policy is in conflict with the HIPAA Policy and Procedures manual, the language of the HIPAA Policy and Procedures manual will prevail.
This policy describes how protected health information may be used or disclosed by the district’s group health plan to carry out payment, health care operations, and for other purposes that are permitted or required by law. This policy also sets out the district’s legal obligations concerning protected health information and describes plan participants’ rights to access and control protected health information.
When used in this policy, “policy holder” means the employee, Board member, retiree, or individual being billed for COBRA participation, with whom the right of participation in the group health plan originates. “Plan participant” means any individual enrolled in the group health plan. “The district” shall refer to the district, when acting on behalf of the group health plan.
Protected health information (PHI) is individually identifiable health information, including demographic information, collected from a plan participant or created or received by a health care provider, a health plan, the district (when functioning on behalf of the group health plan), or a health care clearinghouse and that relates to: (1) a plan participant’s past, present, or future physical or mental health or condition; (2) the provision of health care to a plan participant; or (3) the past, present, or future payment for the provision of health care for a plan participant.
This policy has been written to be consistent with what is known as the “HIPAA Privacy Rule,” and any of the terms not defined in this policy should have the same meaning as they have in the HIPAA Privacy Rule.
Additional Details in the Notice of Privacy Practices
This policy is consistent with the district’s Notice of Privacy Practices, which initially became effective April 14, 2004. The district’s Notice of Privacy Practices contains additional details about the district’s responsibilities and the plan participant’s rights and is provided to new policy holders and to all policy holders annually. The district’s Notice of Privacy Practices may also be obtained at any time during regular business hours by contacting the benefits office of the Human Resources Department of Union Public Schools.
THE DISTRICT’S RESPONSIBILITIES
The district is required by law to maintain the privacy of PHI. The district is obligated to provide the policy holder with a copy of the Notice of Privacy Practices of the district’s legal duties and of the district’s privacy practices with respect to PHI, and the district must abide by the terms of the Notice. The district reserves the right to change the provisions of the Notice and make new provisions effective for all PHI the district maintains. If the district makes a material change to the Notice, the district will mail a revised Notice to the address that the district has on record for the policy holder.
Primary Uses and Disclosures of Protected Health
Payment and Health Care Operations: The district has the right to use and disclose PHI for all activities that are included within the definitions of “payment” and “health care operations” as set out in 45 C.F.R. § 164.501 (this provision is a part of the HIPAA Privacy Rule).
Payment: The district will use or disclose PHI to pay claims for services and to obtain stop loss reimbursements or to otherwise fulfill responsibilities for coverage and providing benefits.
Health Care Operations: The district will use or disclose PHI to support the district’s business functions. These functions include, but are not limited to, quality assessment and improvement, reviewing provider performance, licensing, stop loss underwriting, business planning, and business development.
Business Associates: The district contracts with individuals and entities (Business Associates) to perform various functions on the district’s behalf or to provide certain types of services. To perform these functions or to provide the services, the district’s Business Associates will receive, create, maintain, use, or disclose PHI, but only after the district requires the Business Associates to agree in writing to contract terms designed to appropriately safeguard plan participant information.
Other Covered Entities: The district may use or disclose PHI to assist health care providers in connection with their treatment or payment activities, or to assist other covered entities in connection with payment activities and certain health care operations.
Plan Sponsor: PHI is available to the district plan sponsor of the Group Health Plan for purposes of plan administration or pursuant to an authorization request signed by the plan participant.
Others Involved in Health Care: Using the district’s best judgment, the district may make PHI known to a plan participant’s family member, other relative, close personal friend, or other personal representative that the plan participant identifies. Such a use will be based on how involved the person is in the plan participant’s care, or payment that relates to the plan participant’s care. The district may release information to parents or guardians, if allowed by law.
Required by Law: The district may use or disclose PHI to the extent that law requires the use or disclosure.
Other Potential Uses of PHI:
A. Public health activities;
B. Health oversight activities;
C. Abuse or neglect, when required by official investigation;
D. Legal proceedings;
E. Law enforcement;
F. Coroners, medical examiners, funeral directors, and organ donation, when required;
G. Research, under approved parameters that protect PHI;
H. To prevent a serious threat to health or safety;
I. Military activity and national security, protective services;
J. Inmates, when required by law enforcement or correctional institution;
K. Workers’ compensation;
L. U.S. Department of Health and Human Services;
M. Disaster relief effort.
Disclosures to the Plan Participant
The district is required by law to disclose to the plan participant most of his/her PHI in a “designated record set” when the plan participant requests access to this information. Generally, a “designated record set” contains medical and billing records, as well as other records that are used to make decisions about the plan participant’s health care benefits. The district also is required to provide, upon the plan participant’s request, an accounting of most disclosures of PHI that are for reasons other than payment and health care operations and are not disclosed through a signed authorization.
District Personnel Who May Work with PHI as Part of Their Job Functions
District personnel who may work with PHI as part of their job functions include the Human Resources Department’s benefits office staff, the Executive Director of Human Resources, the Director of Human Resources, the Benefits Supervisor/Manager, Benefits Specialist, Benefits Representative, other staff within the Human Resources Department (such as the file clerk who files for the benefits office), and members of the district’s group health plan committee including the Superintendent, the CFO, and the district’s insurance consultant.
Other personnel who may come in contact with limited aspects of PHI include payroll, accounting, other Finance Division staff, and IT staff. For example, the HIPAA Privacy Rule considers information regarding whether or not an employee has enrolled in the group health plan to be PHI; the payroll staff, in order to take health insurance premium deductions from employee paychecks, will see information regarding whether or not an employee has enrolled in the group health plan. Accounting staff may be involved in such functions as reconciling billing and/or bank statements and/or collecting premiums for retiree coverage. In their roles maintaining district computers, security software, data repositories, e-mail accounts, etc., IT personnel may encounter PHI.
Other Uses and Disclosures of PHI
Other uses and disclosures of PHI that are not described above will be made only with the plan participant’s written authorization. If the plan participant provides the district with such an authorization, he/she may revoke the authorization in writing, and this revocation will be effective for future uses and disclosures of PHI. However, the revocation will not be effective for information that the district may already have used or disclosed, relying on the authorization.
Notice Requirements
The district will meet all notice requirements of the HIPAA Privacy Rule, and will obtain agreement from its Business Associates to meet all notice requirements, if PHI is released outside of, or in contradiction to, the HIPAA Privacy Regulations. Under specific circumstances, notice may be required to be given to the plan participant, the Department of Health and Human Services, and/or the media.
Potential Impact of State Law
The HIPAA Privacy Regulations generally do not “preempt” (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections. As a result, to the extent state law applies, the privacy laws of a particular state, or other federal laws, rather than the HIPAA Privacy Regulations, might impose a privacy standard under which the district will be required to operate.
Workers’ Compensation Exempt from HIPAA
Medical information related to workers’ compensation claims is exempt from HIPAA regulations and may be accessed by the district.
Other District Responsibilities
Minimum Disclosure: The district uses or discloses PHI only as permitted by the HIPAA Privacy Rule and in accordance with state or other law. The district will make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary information. The minimum necessary requirement does not apply to disclosures for treatment purposes or when the district shares the plan participant’s own information with the plan participant. The requirement does not apply for uses and disclosures when the plan participant has given authorization* for the use or disclosure. The requirement does not apply for uses and disclosures as required by law or to uses and disclosures as required for compliance with the HIPAA Privacy Rule.
Training: The district provides HIPAA training to employees to promote understanding of the rights and responsibilities under this policy. Additionally, as necessary and appropriate, the district provides training to staff members regarding the policies and procedures to protect PHI while they are carrying out their job functions. The district has the discretion to determine the nature and method of training necessary to ensure that staff members appropriately protect the privacy of plan participants’ records.
Safeguards: To protect the privacy of the PHI of plan participants, the district has in place appropriate administrative and physical safeguards in accordance with the HIPAA Privacy Rule. The Information Technology Department will assure technological safeguards are in place in compliance with the HIPAA Privacy Rule.
Sanctions: The district has and applies appropriate sanctions against any member of the district’s staff who fails to comply with the requirements of the HIPAA Privacy Rule or the district’s policies and practices regarding HIPAA.
Mitigation: As necessary, the district will mitigate, to the extent possible, any harmful effect that the district may become aware of regarding the district’s use or disclosure or its business associate’s use or disclosure of PHI in violation of the policies or procedures or the requirements of the HIPAA Privacy Rule.
Documentation: The district meets the HIPAA Privacy Rule’s requirements regarding documentation and has appropriate practices in place regarding required documentation.
RIGHTS OF THE PLAN PARTICIPANT
Right to Request a Restriction
The plan participant has a right to request a restriction regarding the PHI the district uses or discloses for payment or health care operations.
The district is not required to agree to any restriction that a plan participant may request. If the district does agree to the restriction, the district will comply with the restriction unless the information is needed to provide emergency treatment.
The plan participant may request a restriction by submitting that requested restriction in writing* to the Executive Director of Human Resources, Union Public Schools, 8506 E. 61st Street, Tulsa OK 74133-1926.
In the request, the plan participant should state: (1) the information the plan participant wants to limit; and (2) how the plan participant wants to limit the use and/or disclosure of the information*.
Right to Request Confidential Communications
If a plan participant believes that a disclosure of all or part of his/her PHI may endanger him/her, he/she may request that the district communicate with him/her regarding his/her information in an alternative manner or at an alternative location. For example, the plan participant may ask that the district only contact him/her at his/her work address or via work e-mail.
The plan participant may request a restriction in writing* to the Executive Director of Human Resources, 8506 E. 61st Street, Tulsa OK 74133-1926.
In the request, the plan participant should tell the district: (1) that he/she wants the district to communicate his/her PHI with him/her in an alternative manner or at an alternative location; and (2) that the disclosure of all or part of the PHI in a manner inconsistent with these instructions would put him/her in danger*.
Right to Inspect and Copy
A plan participant has the right to inspect and copy his/her PHI that is contained in a “designated record set.” Generally, a “designated record set” contains medical and billing records, as well as other records that are used to make decisions about health care benefits. However, the plan participant may not inspect or copy psychotherapy notes or certain other information that may be contained in a designated record set.
To inspect and copy PHI that is contained in a designated record set, the plan participant must submit his/her written request* to the Executive Director of Human Resources at the address listed in this policy. If the plan participant requests a copy of the information, the district may charge a fee for the costs of copying, mailing, or supplies associated with the request.
The district may deny a plan participant’s request to inspect and copy PHI in certain limited circumstances.
Right to Amend
If a plan participant believes that his/her PHI is incorrect or incomplete, he/she may request that the district amend its information. The plan participant may request that the district amend information by sending the request in writing* to the Executive Director of Human Resources, Union Public Schools, 8506 E. 61st Street, Tulsa OK 74133-1926. Additionally, the request should include the reason the amendment is necessary.
In certain cases, the district may deny the request for an amendment.
Right of an Accounting
The plan participant has a right to an accounting of certain disclosures of PHI that are for reasons other than treatment, payment, or health care operations. An accounting will include the date(s) of the disclosure, to whom the district made the disclosure, a brief description of the information disclosed, and the purpose for the disclosure. No accounting of disclosures is required for disclosures made pursuant to a signed authorization by the plan participant or his/her personal representative. The plan participant should know that most disclosures of PHI will be for purposes of payment or health care operations and, therefore, will not be subject to the right to an accounting. There also are other exceptions to this right.
The plan participant may request an accounting by submitting the request in writing* to the Executive Director of Human Resources, Union Public Schools, 8506 E. 61st Street, Tulsa OK 74133-1926.
Right to a Paper Copy of the Notice of Privacy Practices
The plan participant has the right to a paper copy of the Notice of Privacy Practices, even if he/she has agreed to accept the notice electronically. Annually, policy holders will be given directions to access an electronic copy of the Notice of Privacy Practices or will be provided the notice in paper format. Any plan participant wishing to receive a paper copy of the Notice of Privacy Practices should contact the Benefits Office, Union Public Schools, 8506 E. 61st Street, Tulsa OK 74133-1926.
Note Regarding Applicability of Rights
Some rights listed above may not apply (or may apply only in certain circumstances) to certain plan participants. For example, a plan participant who is a minor may not (except under the circumstances of legal action that would change parental or guardian rights) restrict access to his/her PHI from his/her parent/legal guardian. Other limitations of rights may occur when legally applicable.
* A form for this purpose is available online in the HIPAA Policy and Procedures Manual. To receive a hard copy, contact the district’s benefits office.
COMPLAINTS
The Executive Director of Human Resources has been designated as the district’s privacy officer. If a plan participant believes that there has been a violation by the district of his/her privacy rights under HIPAA, the plan participant may file a complaint in writing to the Executive Director of Human Resources, Union Public Schools, 8506 E. 61st Street, Tulsa OK 74133-1926.
The full complaint procedure process is available online in the HIPAA Policy and Procedures Manual. To receive a hard copy, contact the district’s benefits office.
The Executive Director of Technology has been designated as the district’s HIPAA security officer. Concerns related to technological security of district PHI should be directed to the Executive Director of Technology, Union Public Schools, 8506 E. 61st Street, Tulsa OK 74133-1926.
Investigation of Complaints
The privacy officer or his/her designee will conduct an investigation of complaints brought pursuant to this policy.
If a violation of this policy is confirmed, the privacy officer will take appropriate action(s), when deemed necessary by the privacy officer, based upon the results of the investigation. Such action may include the following: (1) employee disciplinary action, up to and including termination of employment; (2) changes in procedures, practices, or operations that will prevent recurrence (to the extent possible); (3) actions taken to mitigate adverse effects of a prohibited use or disclosure; and/or (4) other measures deemed necessary based upon the circumstances of the violation.
U.S. Department of Health and Human Services
A plan participant may file a complaint with the Secretary of the U.S. Department of Health and Human Services. Complaints filed directly with the Secretary must: (1) be in writing; (2) contain the name of the entity against which the complaint is lodged; (3) describe the relevant problems; and (4) be filed within 180 days of the time the plan participant became or should have become aware of the problem.
Retaliation Prohibited
The district prohibits retaliation against an individual who makes a complaint under this policy. Any individual who believes he/she has experienced retaliation for bringing a complaint under this policy should submit his/her retaliation concerns in writing to the privacy officer or to the Superintendent of Union Public Schools. Any employee found to have retaliated against an individual for bringing a complaint under this policy will be subject to disciplinary action up to and including termination of employment.
QUESTIONS ABOUT THIS POLICY
Questions about this policy should be directed to the Executive Director of Human Resources, Union Public Schools, 8506 E. 61st Street, Tulsa OK 74133-1926.
Adopted 1/18/10
Revised 11/8/10
Revised 12/12/11
Revised 12/8/14
Revised 12/11/17