826. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT - Pg.
826. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
The district is committed to protecting medical information about employees and will use protected health information (PHI) to the extent of and in accordance with the uses and disclosures permitted by the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state laws. The Board adopts this policy to ensure that the integrity and the confidentiality of PHI are safeguarded to the highest degree possible.
Business associate – a person or entity that provides certain functions, activities, or services for or to the school district, involving the use and/or disclosure of PHI.
Health Insurance Portability and Accountability Act (HIPAA) – a federal law that requires reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of healthcare information to protect against reasonably foreseeable threats and hazards to the security or integrity of the information, and to protect against unauthorized uses or disclosure of the information.
Protected Health Information (PHI) – individually identifiable health information that is transmitted by electronic media; maintained in any electronic medium such as magnetic tape, disc, or optical file; or transmitted or maintained in any other form of medium, i.e., paper, voice, Internet, fax.
Consent for the Use of PHI
The district will make all reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure.
The district will not use or disclose an employee’s PHI for any purpose without the properly documented consent or authorization of the employee, or his/her authorized representative, unless permitted or required to do so by federal and/or state law or regulation; unless an emergency exists; or unless the information has been sufficiently de-identified that the recipient would be unable to link the information to the employee.
Permitted Uses of PHI
The district may use PHI to the extent of and in accordance with the uses and disclosures permitted by HIPAA and other federal and state laws. Specifically, the district may use and disclose PHI for purposes related to health care treatment, payment for health care, and health care operations.
Protecting and Safeguarding PHI
The administration shall implement reasonable administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure that is a violation of HIPAA regulations. Additionally, the administration shall take reasonable steps to limit the use and/or disclosure of and requests for PHI to the minimum necessary to accomplish the intended purpose.
The administration also shall establish and maintain procedures to receive and address employee requests regarding PHI and complaints of unauthorized use and/or disclosure. The administration will keep documentation regarding all requests and complaints.
Notice of Privacy Practices
The administration shall publish and distribute a notice of privacy practices that informs employees in plain language about the use and disclosure of PHI the district will make; employees’ rights concerning the use and disclosure; and limitations on the district in that it cannot use or disclose information in a manner not covered in the notice.
Employees’ Rights Regarding PHI
Employees have the following rights regarding PHI:
Contractual Assurances Protecting PHI
The administration will establish contractual assurances from all business associates to which PHI is disclosed to the effect that the information will be used only for the purposes for which they were engaged, will safeguard the information from misuse, and will help the district comply with its duties to provide employees with access to health information and a history of certain disclosures.
The administration shall provide adequate training and timely updates related to the policies and procedures for compliance with the HIPAA privacy standards for all current employees, new hires, agents and business associates handling PHI. Training content and participation will be documented and retained by the Privacy Officer.
All HIPAA related documentation and records will be kept in written and/or electronic form for a period of six (6) years from the date of creation or from the date when it last was in effect, whichever is later.
Violations of HIPAA and this Policy
The administration, employees, and agents of the school district shall comply with the standards set forth in this policy. Violation of the policy and unauthorized use and/or disclosure of PHI shall be grounds for disciplinary action, up to and including termination of employment, and violators may be subject to civil and criminal penalties.
Health Insurance Portability and Accountability Act of 1996 – 45 CFR, Part 164